How to use HTTP/2 and SSL with MeiliSearch

For those willing to use HTTP/2, please be aware that it is only possible if your server is configured with SSL certificate.

Therefore, you will see how to launch a MeiliSearch server with SSL. This tutorial gives a short introduction to do it locally, but you can as well do the same thing on a remote server.

First of all, you need the binary of MeiliSearch, or you can also use docker. In the latter case, it is necessary to pass the parameters using environment variables and the SSL certificates via a volume.

A tool to generate SSL certificates is also required. In this How To, you will use mkcertHow to use HTTP/2 and SSL with MeiliSearch - 图1 (opens new window). However, if on a remote server, you can also use certbot or certificates signed by a Certificate Authority.

Then, use curl to do requests. It is a simple way to specify that you want to send HTTP/2 requests by using the --http2 option.

Try to use HTTP/2 without SSL

Start by running the binary.

  1. ./meilisearch

And then, send a request.

  1. curl -kvs --http2 --request GET 'http://localhost:7700/indexes'

You will get the following answer from the server:

  1. * Trying ::1...
  2. * TCP_NODELAY set
  3. * Connection failed
  4. * connect to ::1 port 7700 failed: Connection refused
  5. * Trying 127.0.0.1...
  6. * TCP_NODELAY set
  7. * Connected to localhost (127.0.0.1) port 7700 (#0)
  8. > GET /indexes HTTP/1.1
  9. > Host: localhost:7700
  10. > User-Agent: curl/7.64.1
  11. > Accept: */*
  12. > Connection: Upgrade, HTTP2-Settings
  13. > Upgrade: h2c
  14. > HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
  15. >
  16. < HTTP/1.1 200 OK
  17. < content-length: 2
  18. < content-type: application/json
  19. < date: Fri, 17 Jul 2020 11:01:02 GMT
  20. <
  21. * Connection #0 to host localhost left intact
  22. []* Closing connection 0

You can see on line > Connection: Upgrade, HTTP2-Settings that the server tries to upgrade to HTTP/2, but is unsuccessful.
The answer < HTTP/1.1 200 OK indicates that the server still uses HTTP/1.

Try to use HTTP/2 with SSL

This time, start by generating the SSL certificates. mkcert creates two files: 127.0.0.1.pem and 127.0.0.1-key.pem.

  1. mkcert '127.0.0.1'

Then, use the certificate and the key to configure MeiliSearch with SSL.

  1. ./meilisearch --ssl-cert-path ./127.0.0.1.pem --ssl-key-path ./127.0.0.1-key.pem

Next, make the same request as above but change http:// to https://.

  1. curl -kvs --http2 --request GET 'https://localhost:7700/indexes'

You will get the following answer from the server:

  1. * Trying ::1...
  2. * TCP_NODELAY set
  3. * Connection failed
  4. * connect to ::1 port 7700 failed: Connection refused
  5. * Trying 127.0.0.1...
  6. * TCP_NODELAY set
  7. * Connected to localhost (127.0.0.1) port 7700 (#0)
  8. * ALPN, offering h2
  9. * ALPN, offering http/1.1
  10. * successfully set certificate verify locations:
  11. * CAfile: /etc/ssl/cert.pem
  12. CApath: none
  13. * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  14. * TLSv1.2 (IN), TLS handshake, Server hello (2):
  15. * TLSv1.2 (IN), TLS handshake, Certificate (11):
  16. * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  17. * TLSv1.2 (IN), TLS handshake, Server finished (14):
  18. * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  19. * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  20. * TLSv1.2 (OUT), TLS handshake, Finished (20):
  21. * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
  22. * TLSv1.2 (IN), TLS handshake, Finished (20):
  23. * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  24. * ALPN, server accepted to use h2
  25. * Server certificate:
  26. * subject: O=mkcert development certificate; OU=quentindequelen@s-iMac (Quentin de Quelen)
  27. * start date: Jun 1 00:00:00 2019 GMT
  28. * expire date: Jul 17 10:38:53 2030 GMT
  29. * issuer: O=mkcert development CA; OU=quentindequelen@s-iMac (Quentin de Quelen); CN=mkcert quentindequelen@s-iMac (Quentin de Quelen)
  30. * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
  31. * Using HTTP2, server supports multi-use
  32. * Connection state changed (HTTP/2 confirmed)
  33. * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  34. * Using Stream ID: 1 (easy handle 0x7ff601009200)
  35. > GET /indexes HTTP/2
  36. > Host: localhost:7700
  37. > User-Agent: curl/7.64.1
  38. > Accept: */*
  39. >
  40. * Connection state changed (MAX_CONCURRENT_STREAMS == 4294967295)!
  41. < HTTP/2 200
  42. < content-length: 2
  43. < content-type: application/json
  44. < date: Fri, 17 Jul 2020 11:06:27 GMT
  45. <
  46. * Connection #0 to host localhost left intact
  47. []* Closing connection 0

You can see that the server now supports HTTP/2.

  1. * Using HTTP2, server supports multi-use
  2. * Connection state changed (HTTP/2 confirmed)

The server successfully receives HTTP/2 requests.

  1. < HTTP/2 200