From 3a77de831837b5b7c62f92f31c741ca8dd7bbc4c Mon Sep 17 00:00:00 2001
From: Hang Yin <h4x3rotab@gmail.com>
Date: Fri, 27 Mar 2026 08:08:01 +0000
Subject: [PATCH] Fix HTTP/2 ALPN test to use openssl instead of curl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

curl --http2 reports version 0 when the backend (grpcbin) doesn't
serve a proper HTTP response on GET /. Switch to openssl s_client
-alpn h2 which tests TLS-level ALPN negotiation directly — the
thing we actually care about.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../dstack-ingress/scripts/tests/e2e-test.sh  | 28 +++++++------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/custom-domain/dstack-ingress/scripts/tests/e2e-test.sh b/custom-domain/dstack-ingress/scripts/tests/e2e-test.sh
index 0983454..7352146 100755
--- a/custom-domain/dstack-ingress/scripts/tests/e2e-test.sh
+++ b/custom-domain/dstack-ingress/scripts/tests/e2e-test.sh
@@ -272,25 +272,17 @@ else
     fail "HTTP/1.1 response doesn't look like whoami"
 fi
 
-# ── HTTP/2 tests (against gRPC backend which supports h2c) ───────────────────
-# Note: with L4 proxy + ALPN h2, the backend MUST support h2c (cleartext HTTP/2).
-# whoami only speaks HTTP/1.1, so we test H2 against grpcbin which is a Go
-# gRPC server and natively supports h2c.
-
-log "Test: HTTP/2 through TCP proxy (via gRPC domain)"
-H2_STATUS=$(do_curl -s -o /dev/null -w '%{http_code}' --http2 "https://${GRPC_DOMAIN}/" 2>/dev/null || echo "000")
-if [ "$H2_STATUS" != "000" ]; then
-    pass "HTTP/2 connection successful (status: $H2_STATUS)"
+# ── HTTP/2 ALPN test ─────────────────────────────────────────────────────────
+# Verify TLS ALPN negotiation at the protocol level using openssl.
+# curl --http2 is unreliable here because grpcbin doesn't serve HTTP on GET /.
+
+log "Test: TLS ALPN negotiates h2 (via gRPC domain)"
+ALPN_PROTO=$(echo | openssl s_client -connect "${DOMAIN_IP}:443" -servername "${GRPC_DOMAIN}" -alpn h2 2>/dev/null \
+    | grep -oP 'ALPN protocol: \K\S+' || echo "")
+if [ "$ALPN_PROTO" = "h2" ]; then
+    pass "TLS ALPN negotiated h2"
 else
-    fail "HTTP/2 connection failed"
-fi
-
-log "Test: HTTP/2 ALPN negotiation"
-H2_VER=$(do_curl -s -o /dev/null -w '%{http_version}' --http2 "https://${GRPC_DOMAIN}/" 2>/dev/null || echo "")
-if [ "$H2_VER" = "2" ]; then
-    pass "HTTP/2 negotiated via ALPN (version: $H2_VER)"
-else
-    fail "HTTP/2 not negotiated (version: $H2_VER)"
+    fail "TLS ALPN expected h2, got: ${ALPN_PROTO:-none}"
 fi
 
 # ── gRPC tests ───────────────────────────────────────────────────────────────