Applies To:
- 14.1.4, 14.1.3, 14.1.2, 14.1.0
Configuring HTTP/2 Full-proxy Support on the BIG-IP System
Overview: HTTP/2 full-proxy configuration
- An HTTP/2 full-proxy configuration works with BIG-IP Local Traffic Manager (LTM) only. The configuration is not supported on any optional BIG-IP modules.
- The OneConnect and HTTP Cache features are not supported.
- The HTTP/2 protocol is incompatible with NTLM protocols.
- For session persistence, only the Cookie persistence method is available.
- In high-availability configurations, connection mirroring is not supported.
- The iRule commands session and table are not supported.
Disable server-side SSL renegotiation
- On the Main tab, click.
- In the Name column, click the name of the relevant Server SSL profile.
- From the Configuration list, select Advanced.
- For the Renegotiation setting, clear the check box.
- At the bottom of the screen, click Update.
Create a custom HTTP profile for HTTP/2 full-proxy configuration
- On the Main tab, click. The HTTP profile list screen opens.
- Click Create. The New HTTP Profile screen opens.
- Type a unique Name for the profile.
- From the Parent Profile list, select http.
- Select the Custom check box.
- Modify the settings as required for your configuration.
- If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP profile.
Create a custom HTTP/2 profile
- On the Main tab, click.
- Type a Name for the profile, such as my_http2_profile.
- For the Parent Profile setting, retain the default value http2, or select a different profile. This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile that you select.
- From the Settings list, you can select Advanced to view the advanced settings. This setting is optional, depending on the settings you want to configure.
- On the far-right side of the screen, select the Custom check box.
- In the Concurrent Streams Per Connection field, retain or change the numeric value. This setting specifies how many concurrent requests are allowed to be outstanding on a single HTTP/2 connection.
- In the Connection Idle Timeout field, retain or change the numeric value. This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
- From the Insert Header list, retain the default value of Disabled, or select Enabled. This setting specifies whether the BIG-IP system should add an HTTP header to the HTTP request to show that the request was received over HTTP/2.
- In the Insert Header Name field, retain the default value or, if the Insert Header setting is enabled, change the header name. This setting specifies the name of the header that the BIG-IP system will add to the HTTP request when the Insert Header setting is enabled.
- From the Enforce TLS Requirements list, ensure that Enabled is selected. Enforcing TLS requirements is required for successful HTTP/2 full-proxy deployment.
- For the Activation Modes setting, retain the default value of ALPN (Application Layer Protocol Negotiation) or select Always. This setting specifies the condition that will cause the BIG-IP system to handle an incoming connection as an HTTP/2 connection.
- In the Frame Size field, retain the default value of 2048, or change the value. This setting specifies the size, in bytes, of the data frames that HTTP/2 will produce.
- In the Receive Window field, retain the default numeric value of 32, or change the numeric value. This setting specifies, in kilobytes, the size of the receive window for HTTP/2 flow-control.
- In the Write Size field, retain the default numeric value of 16384, or change the numeric value. This setting specifies the size, in bytes, of the SSL records that HTTP/2 will produce.
- In the Header Table Size field, retain the default numeric value of 4096, or change the numeric value. This setting specifies the table size that the BIG-IP system will use for the compression of headers (unused).
- If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP/2 profile.
Create a basic server pool to process HTTP/2 traffic
- On the Main tab, click. The Pools list screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. The pool name is limited to 63 characters.
- In the Description field, type a description of the pool.
- For the Health Monitors setting, from the Available box, select a health monitor and move it to the Active box. There are no HTTP/2-specific health monitors available on the BIG-IP system.
- In the Resources area of the screen, from the Load Balancing Method list, retain the default, or select a load balancing method.
- From the Priority Group Activation list, retain the default value (Disabled) or select Less than and type a numeric value.
- Using the New Members setting, add each resource that you want to include in the pool:
  - In the Node Name field, type a name for the node portion of the pool member.
  - In the Address field, type an IP address.
  - In the Service Port field, type a port number, or select a service name from the list.
  - If you enabled priority group activation, then in the Priority field, type a priority number.
Create a virtual server to manage HTTP/2 traffic
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the HTTP Profile (Client) list, select a previously-created HTTP profile.
- From the HTTP Profile (Server) list, select (Use Client Profile). Alternatively, if you created a separate HTTP profile for managing server-side traffic, select the profile from the list.
- For the SSL Profile (Client) setting, from the Available list, select clientssl-secure, and move it to the Selected list. The clientssl-secure profile is pre-configured to disable mid-stream SSL renegotiation, a requirement for an HTTP/2 full-proxy deployment. If you need to apply a custom Client SSL profile instead of the clientssl-secure profile, ensure that the Renegotiation setting in the custom profile is disabled.
- For the SSL Profile (Server) setting, from the Available list, select the Server SSL profile that you previously modified to disable mid-stream renegotiation, and move the profile to the Selected list.
- From the Acceleration list, select Advanced.
- From the HTTP/2 Profile (Client) list, select the HTTP/2 profile that you previously created.
- From the HTTP/2 Profile (Server) list, select (Use Client Profile), or, if you created a separate HTTP/2 profile for server-side traffic, select the profile from the list.
- For the HTTP MRF Router setting, select the check box, as shown in this example:
- From the Default Pool list, select a pool that is configured to serve HTTP/2 traffic.
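The requirements stated in the overview and in the steps above can be checked before a virtual server goes live. The following is an added example, not F5 code and not part of the original procedure: the dictionary keys are hypothetical names for settings exported from your own inventory, not tmsh or iControl REST property names, and the sample data is constructed.

```python
import ipaddress
import re

# Matches the iRule commands "session" and "table" at the start of a statement
# or of a [command substitution]; "$table" and quoted strings do not match.
UNSUPPORTED_CMD = re.compile(r"(?:^|[\[;{])\s*(session|table)\b", re.M)
# Hypothetical setting name -> feature the page lists as unsupported.
UNSUPPORTED = {"oneconnect": "OneConnect", "http_cache": "HTTP Cache",
               "ntlm": "NTLM", "mirroring": "connection mirroring"}

def audit_http2_full_proxy(vs):
    """Return findings for one virtual server; an empty list means it passes."""
    out = []
    for side in ("client_ssl", "server_ssl"):
        # A missing value is treated as "not confirmed disabled".
        if vs.get(side, {}).get("renegotiation", True):
            out.append(f"{side}: renegotiation must be disabled")
    if not vs.get("http2", {}).get("enforce_tls_requirements", False):
        out.append("http2: Enforce TLS Requirements must be Enabled")
    if not vs.get("http_mrf_router", False):
        out.append("virtual: HTTP MRF Router check box is not selected")
    if vs.get("persistence") not in (None, "cookie"):
        out.append("persistence: only the Cookie method is available")
    out += [f"{key}: {name} is not supported"
            for key, name in UNSUPPORTED.items() if vs.get(key)]
    for rule, body in vs.get("irules", {}).items():
        for cmd in sorted(set(UNSUPPORTED_CMD.findall(body))):
            out.append(f"irule {rule}: '{cmd}' command is not supported")
    try:
        # A bare IPv4 address parses with a /32 prefix, as on the BIG-IP system.
        dest = ipaddress.ip_interface(vs.get("destination", ""))
        if dest.ip.is_loopback:
            out.append("destination: address is in the loopback network")
    except ValueError:
        out.append("destination: not a valid address/prefix")
    return out

# Constructed sample: a virtual server description with four problems.
SAMPLE = {
    "destination": "10.0.0.1",
    "client_ssl": {"renegotiation": False},
    "server_ssl": {"renegotiation": True},
    "http2": {"enforce_tls_requirements": True},
    "http_mrf_router": False,
    "persistence": "source_addr",
    "irules": {"rate_limit": "when HTTP_REQUEST {\n  set n [table incr $key]\n}"},
}

if __name__ == "__main__":
    for finding in audit_http2_full_proxy(SAMPLE):
        print(finding)
```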
View statistics for an HTTP/2 full-proxy deployment
- On the Main tab, click
- From the Statistics Type list, select Virtual Servers. By default, this displays the list of virtual servers on the BIG-IP system.
- In the Virtual Server column, click the relevant virtual server name.
- Along the top of the screen, click the Statistics menu.
- In the Profiles area of the screen, from the Select Profile list, select an HTTP/2 profile.