gogo_start_3256
Jul 23, 2018

http2.0 on the VIP

Recently got a requirement from my client to enable http2.0 on a few of the VIPs.

 

Can someone help me to understand the concept of http2.0 & how it works in a load balancer?

 

Does the load balancer support connecting to an HTTP2.0 server? And the client is HTTP2.0/http1.1.

 

2 Replies

  • Hi,

     

    for a detailed explanation of the http/2 concept I would recommend looking up the RFC, or Wikipedia for a short summary. F5 has implemented a proxy functionality for http/2 which comes with the LTM feature set. No add-on modules required.

     

    The http/2 protocol runs via encrypted connections only. Using Perfect Forward Secrecy (PFS) based on EC-DHE or DHE is mandatory. Your related client-ssl profile needs to have renegotiation disabled (it's the default in the "clientssl-secure" client-ssl profile to be used as a parent).

     

    A virtual server in standard mode can handle both http/1.x and http/2 traffic. It's required to have a proper client-ssl profile, an http profile and an http/2 profile (section "Acceleration") enabled. Now both types of clients may connect. Your virtual server statistics profile section will provide details on the usage of protocols.

     

    Your BIG-IP device acts as a proxy in this case. Serverside connections will be established via http/1.x only. The concurrent http/2 streams on clientside will be demultiplexed into multiple serverside connections. That's why divergent client- and serverside connection counts/rates can be expected. Due to current issues with Safari browsers it might be necessary to increase the number of streams to 100 in your customized http/2 profile.

     

    Starting to use http/2 may require looking up your currently assigned iRules. It turned out that variables initiated under CLIENT_ACCEPTED may not be available in upper layer events like HTTP_REQUEST. This results in TCL errors and connection resets and will require changing your iRule scripts.

     

    That's why it is highly recommended to test http/2 in a staging environment thoroughly with a range of clients (browsers) before activating it in production.

     

    Cheers & good luck, Stephan
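
An added example, not part of the reply above and not F5 code: a heuristic Python check that lists variables an iRule sets under CLIENT_ACCEPTED and reads under HTTP_REQUEST without an `info exists` guard or a local `set`, the pattern the reply says can end in TCL errors once http/2 is enabled. The sample iRule and the function names are constructed for illustration, and the brace matching ignores Tcl quoting rules.

```python
import re

# Constructed sample iRule: client_ip is guarded, conn_start is not.
SAMPLE_IRULE = r'''
when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]
    set conn_start [clock clicks -milliseconds]
}
when HTTP_REQUEST {
    if { [info exists client_ip] } {
        HTTP::header insert X-Client-IP $client_ip
    }
    log local0. "request after [expr {[clock clicks -milliseconds] - $conn_start}] ms"
}
'''

def event_bodies(irule):
    """Map event name -> body text by counting braces (heuristic)."""
    bodies = {}
    for m in re.finditer(r'\bwhen\s+([A-Z_0-9]+)[^{]*\{', irule):
        depth, i = 1, m.end()
        while i < len(irule) and depth:
            depth += {'{': 1, '}': -1}.get(irule[i], 0)
            i += 1
        # Several blocks for the same event are concatenated.
        bodies[m.group(1)] = bodies.get(m.group(1), '') + irule[m.end():i - 1]
    return bodies

def unguarded_vars(irule, setter='CLIENT_ACCEPTED', reader='HTTP_REQUEST'):
    """Variables set in `setter` and read in `reader` with no guard or local set."""
    bodies = event_bodies(irule)
    set_vars = set(re.findall(r'\bset\s+([A-Za-z_]\w*)', bodies.get(setter, '')))
    body = bodies.get(reader, '')
    read = set(re.findall(r'\$\{?([A-Za-z_]\w*)', body))
    guarded = set(re.findall(r'info\s+exists\s+([A-Za-z_]\w*)', body))
    local = set(re.findall(r'\bset\s+([A-Za-z_]\w*)', body))
    return sorted((set_vars & read) - guarded - local)

if __name__ == '__main__':
    for name in unguarded_vars(SAMPLE_IRULE):
        print(f'review before enabling http/2: ${name} read in HTTP_REQUEST')
```

A variable the check reports still needs a manual look at the iRule; a guard only avoids the TCL error, it does not restore the value.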

     

  • There is one more thing to notice when using http/2 on a virtual server. The "peer" option seems to be broken in tcpdump allowing you to filter traffic on clientside and still capture the associated traffic on serverside.

     

    (That's interesting in environments with SNAT applied.)

     

    Cheers, Stephan