Using HTTP/2 Cleartext for a server in Go 1.24

I just merged a commit for exactly this in rclone

https://github.com/rclone/rclone/commit/ad8a108453f3ce983fb6...

It is interesting to dig into why.

There was a security vulnerability in golang.org/x/net/http2/h2c which meant govulncheck warned about it in the CI.

So I updated it and got a warning from the linter that the h2c sub package was deprecated in the latest version, so I removed it.

That is a lot of great tooling working to make things more secure in the Go ecosystem.

It does make work for maintainers though, and the Cambrian explosion of AI discovered security vulnerabilities has been particularly trying!

Related: https://http1mustdie.com/

Has HTTP/2 performance improved as of Go 1.24? Last I checked forcing HTTP/1.1 everywhere was a massive improvement in throughout and latency for a very busy distributed system.

Note that AWS ALB does not support h2c. When the client and server do, ALB will dutifully forward the h2c header and fail to handle the upgraded response.

I love that anyone can write a blog post like this that will get slurped into all the models and we can just say: "use terraform to deploy H2C on GCR"... and it will know exactly what to do.

This is excellent news for human persons. Protocol implementations that only allow TLS are not very robust without human maintenence for more than a few years. That said, the human person use cases for HTTP/2 are pretty limited. Generally HTTP/1.1 is a better choice.