
Alibaba Cloud Service Mesh: Disable HTTP/2 on an HTTPS-enabled ingress gateway

Last Updated: Mar 11, 2026

By default, an ASM ingress gateway with HTTPS enabled advertises both HTTP/2 (h2) and HTTP/1.1 through Application-Layer Protocol Negotiation (ALPN). Modern clients prefer HTTP/2 when the server offers it. If your client is incompatible with HTTP/2 and you cannot fix the issue on the client side, disable HTTP/2 on the ingress gateway so that only HTTP/1.1 is negotiated.

How it works

During a TLS handshake, the ingress gateway sends an ALPN list to the client. By default, this list contains h2 and http/1.1, and the client selects HTTP/2 when both are available.

To disable HTTP/2, set httpsHttp2Disabled: true in the Istio ProxyConfig for the gateway (applied through the proxy.istio.io/config pod annotation). This removes h2 from the ALPN list so that the gateway advertises only http/1.1, and all HTTPS connections fall back to HTTP/1.1.

Note

This setting applies only to HTTPS listeners. Plaintext HTTP listeners are not affected.

Prerequisites

Before you begin, ensure that you have:

Verify the default ALPN behavior

Before making changes, confirm that the ingress gateway currently negotiates HTTP/2 over HTTPS.

Run the following curl command. Replace <ingress-gateway-ip> with the IP address of your ingress gateway.

curl -kv -H "Host:b.aliyun.com" \
  --resolve b.aliyun.com:443:<ingress-gateway-ip> \
  https://b.aliyun.com/status/418

In the output, look for the ALPN negotiation lines:

* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2

The gateway advertises both h2 and http/1.1, and the client selects h2 (HTTP/2) by default.

Disable HTTP/2 for HTTPS connections

  1. Log on to the ASM console.

  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  3. On the Mesh Management page, click the name of the target ASM instance.

  4. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  5. On the Ingress Gateway page, find the target gateway and click YAML in the Actions column.

  6. In the Edit dialog box, add the following podAnnotations block under the spec field. This annotation passes the httpsHttp2Disabled option to the Envoy proxy configuration:

    podAnnotations:
        proxy.istio.io/config: |
          httpsHttp2Disabled: true

    | Field | Description | Default |
    | --- | --- | --- |
    | httpsHttp2Disabled | Removes h2 from the ALPN list on HTTPS listeners when set to true. | false (HTTP/2 enabled) |

  7. Click OK.

Warning

This change causes the ingress gateway pods to restart. Existing connections are terminated during the restart. Apply this change during a maintenance window or when traffic disruption is acceptable.

Verify that HTTP/2 is disabled

After the gateway pods restart, run the same curl command to verify the change:

curl -kv -H "Host:b.aliyun.com" \
  --resolve b.aliyun.com:443:<ingress-gateway-ip> \
  https://b.aliyun.com/status/418

The ALPN negotiation lines should now show only HTTP/1.1:

* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use http/1.1

The client still offers h2 and http/1.1, but the server accepts only http/1.1. HTTP/2 is disabled on the ingress gateway.
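
A scripted form of the two curl checks above, added here as an example (it is not part of the Alibaba Cloud documentation): it reads curl -v output and reports which protocol the gateway accepted through ALPN, so the check can run after each gateway change. The function names and the GATEWAY_IP variable are assumptions of this example, and the "ALPN: server accepted" line format is an assumption about newer curl builds.

```sh
#!/bin/sh
# Added example: decide from `curl -v` output whether the gateway still
# negotiates HTTP/2 over TLS.

# Print the protocol the server accepted via ALPN, reading curl -v text on stdin.
# Matches the format shown on this page ("* ALPN, server accepted to use h2")
# and, as an assumption about newer curl builds, "* ALPN: server accepted h2".
# Prints nothing if no such line is present.
alpn_accepted() {
  awk '/^\* ALPN[,:] server accepted/ && !seen { proto = $NF; seen = 1 }
       END { if (seen) print proto }'
}

# Exit status: 0 if the handshake settled on http/1.1,
#              1 if the gateway accepted h2,
#              2 if no ALPN result was found (TLS failure, curl without ALPN).
http2_disabled() {
  proto=$(tr -d '\r' | alpn_accepted)
  case "$proto" in
    http/1.1) return 0 ;;
    h2)       echo "gateway still accepts h2" >&2; return 1 ;;
    *)        echo "no ALPN result in curl output" >&2; return 2 ;;
  esac
}

# Constructed sample inputs: the ALPN lines shown on this page,
# before and after the httpsHttp2Disabled change.
SAMPLE_BEFORE='* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2'
SAMPLE_AFTER='* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use http/1.1'

# Live use (GATEWAY_IP is a placeholder you supply; curl -v writes to stderr):
#   curl -kv -o /dev/null -H "Host:b.aliyun.com" \
#     --resolve "b.aliyun.com:443:$GATEWAY_IP" \
#     https://b.aliyun.com/status/418 2>&1 | http2_disabled
```

Treat exit status 2 as a failed check rather than a pass: it means the output contained no ALPN result, not that HTTP/2 is off.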

What to do next

  • To re-enable HTTP/2, remove the podAnnotations block or set httpsHttp2Disabled to false, and then save the gateway YAML. The gateway pods restart and resume advertising h2 in the ALPN list.

  • For more about ingress gateway HTTPS configuration, see Use an ingress gateway to enable HTTPS.