HTTP/2 - Enable H2 protocol

[NiccoMlt]

Closes #410 and, along with #409, closes #181
Closes #506

[hamadodene]

@NiccoMlt Take a look on this issue #506
I also get this error:

Oct 28, 2024 9:20:55 AM org.carapaceproxy.core.ListeningChannel map
SEVERE: Error booting certificate for SNI hostname cara17test.xxx.it, on listener NetworkListenerConfiguration[host=0.0.0.0, port=4089, ssl=true, sslCiphers=, defaultCertificate=*, sslProtocols=[TLSv1.3], soBacklog=128, keepAlive=true, keepAliveIdle=300, keepAliveInterval=60, keepAliveCount=8, maxKeepAliveRequests=10, forwardedStrategy=IF_TRUSTED, trustedIps=[127.0.0.1], protocols=[H2], group=DefaultChannelGroup(name: group-0x2, size: 0)]

The certificato of domain cara17test.xxx.it is available. I don't have the full stack. I will try to debug it later

[hamadodene]

@NiccoMlt Reactor Netty 1.1.24 has been released with the fix for the issue we requested: https://github.com/reactor/reactor-netty/releases/tag/v1.1.24
After integrating the fix, could you please check my issue here as well: #506
Perhaps now we can move forward and finalize this PR.

[NiccoMlt]

Sure

[NiccoMlt]

Left a couple of comments to help review @hamadodene @dmercuriali

[NiccoMlt]

The modifications here come from the HostPort introduction and the NetworkListenerConfiguration transformation from a mutable class to a record.

This is a small building block in the larger plan to migrate to an immutable configuration, because right now it is a pain to track modifications for refreshes.

This was easy and was already done in the later months, so I kept it

[NiccoMlt]

Listeners was pretty much rewritten from the ground up a couple of times in the later months, but I tried to strip most modifications and keep it simple.

ListeningChannel nested class made it hard to track the flow of the setup of the channel and was externalized. More aggressive refactors were tried but dropped. We still need to find a way to wrap the "concept of channel" inside of it, while keeping the common setup into Listeners.

[NiccoMlt]

The behaviour wasn't changed much here: the SSL context setup was moved from reactor.netty.http.server.HttpServer#doOnChannelInit to reactor.netty.http.server.HttpServer#secure(java.util.function.Consumer<? super reactor.netty.tcp.SslProvider.SslContextSpec>).

This poses one major change: SslContexts are loaded once, and then the listener needs to be restarted to pick up changes into the certificate. Hooks are already in place to take care of that, we only added a check on changes on the certs in addition to listener confs.

[NiccoMlt]

This class is not actually new but moved out of Listeners to track clearly the dependencies.
This class handles SSL contexts build, taking care of OCSP stapling (which is now done through a handlerConfigurator.

This class keeps some problems, that were not evident when it was a nested, non-static, class.
For example, different listeners will load pretty much the same certificates but with their own SSL ciphers and protocols. This might lead to tricky behaviors.
This was mitigated by not actually sharing the certs, but leads to duplication, and I think that these settings should simply be moved from listerners to certs.

[NiccoMlt]

This is pretty much a glorified lambda that actually does the stapling.
The original beahviour (which I note that comes from the netty example and adjusted for ReactorNetty) was not changed in this PR, I think.

[NiccoMlt]

Now we enable HTTP/2 by default with SSL, or HTTP/2 with cleartext if without

[NiccoMlt]

This was rewritten to debug a problem in the past, then merged to a refactor that was introduced with one of the previous PR.
Refactors were done and were kept.