Manual Chapter: Configuring HTTP/2 Full-proxy Support on the BIG-IP System
Applies To:
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Overview: HTTP/2 full-proxy configuration
When your application server infrastructure is composed of HTTP/2-enabled
servers, you can take advantage of the HTTP/2 acceleration features that the BIG-IP
system provides. Most importantly, the BIG-IP system includes full-proxy support for the
HTTP/2 protocol. This means that the BIG-IP system can process HTTP/2 requests and
responses on both the client and server sides of the BIG-IP system.
The HTTP/2 full-proxy architecture provides greater network efficiency by
allowing the BIG-IP system to transport multiple simultaneous, bi-directional streams of
messages between the client and server. This is accomplished through the use of the
BIG-IP system’s message-routing proxy, instead of the traditional connection-oriented
TCP proxy.
This figure shows an example of the Acceleration area of the New Virtual
Server screen, where you configure some key settings for successful HTTP/2 full-proxy
operation.

Configuration summary
To configure HTTP/2 full-proxy support on the BIG-IP system, you can
use the BIG-IP Configuration utility.
This illustration shows the tasks required to deploy an HTTP/2 full-proxy
configuration. Note that you do not need to create a custom Client SSL profile because
when you create the virtual server, you will be assigning an existing profile named
clientssl-secure to it.
When you create the virtual server, make sure that you enable the HTTP MRF Router
option. This is necessary for successful HTTP/2 full-proxy deployment.
Configuration constraints
There are a few BIG-IP system constraints that you'll want to be aware of
before deploying an HTTP/2 full-proxy configuration:
- An HTTP/2 full-proxy configuration works with BIG-IP Local Traffic Manager (LTM) only. The configuration is not supported on any optional BIG-IP modules.
- The OneConnect and HTTP Cache features are not supported.
- The HTTP/2 protocol is incompatible with NTLM protocols.
- For session persistence, only the Cookie persistence method is available.
- In high-availability configurations, connection mirroring is not supported.
- The iRule commands session and table are not supported.
- Virtual Desktop Infrastructure (VDI) is not supported in an HTTP/2 environment. Do not attach both an HTTP/2 profile and a VDI profile to the same virtual server.
Disable server-side SSL renegotiation
Before starting this task, make sure that you have
created a Server SSL profile on the BIG-IP system for securing HTTP/2 application
traffic. You do not need to create a Client SSL profile because a profile named
clientssl-secure already exists on the system.
On the server-side SSL profile, you must actively disable renegotiation, as
this setting is enabled by default. When you disable renegotiation, the BIG-IP
system either terminates the connection on mid-stream renegotiation or ignores the
renegotiation request, depending on the system configuration. This is essential for
proper HTTP/2 full-proxy operation when you are using SSL to secure application
traffic (recommended).
For the client-side, the Renegotiation setting is already disabled by default
in profile clientssl-secure.
- On the Main tab, click.
- In the Name column, click the name of the relevant Server SSL profile.
- From the Configuration list, select Advanced.
- For the Renegotiation setting, clear the check box.
- At the bottom of the screen, click Update.
After you complete this task, mid-stream SSL
renegotiation is disabled for the HTTP/2 full-proxy deployment.
Create a custom HTTP profile for HTTP/2 full-proxy configuration
Part of configuring an HTTP/2 full-proxy configuration on the BIG-IP system is to first
create a standard HTTP profile. An HTTP profile defines the way that you want the BIG-IP
system to manage HTTP traffic.
For the most expedient HTTP/2
full-proxy configuration, you can create a single HTTP profile that the BIG-IP
system will apply to both client-side and server-side HTTP traffic. Alternatively,
if you want the BIG-IP system to manage client-side and server-side traffic in
different ways, you can create two separate HTTP profiles and configure the settings
differently in each profile.
- On the Main tab, click. The HTTP profile list screen opens.
- Click Create. The New HTTP Profile screen opens.
- Type a unique Name for the profile.
- From the Parent Profile list, select http.
- Select the Custom check box.
- Modify the settings as required for your configuration.
- If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP profile.
- Click Finished.
Any custom HTTP profile that you have created now appears on the HTTP profile list screen and is ready for you to assign to a virtual server.
Create a custom HTTP/2 profile
Part of creating an HTTP/2 full-proxy configuration is to create an
HTTP/2 profile that you can use for both client-side and server-side application
traffic. When you assign the profile to a virtual server, the BIG-IP system applies the
settings in the profile to the traffic.
For the most expedient HTTP/2 full-proxy configuration, you can create a single
HTTP/2 profile that the BIG-IP system will apply to both client-side and server-side
HTTP/2 traffic. Alternatively, if you want the BIG-IP system to manage client-side and
server-side traffic in different ways, you can create two separate HTTP/2 profiles and
configure the settings differently in each profile.
- On the Main tab, click.
- Click Create.
- Type a Name for the profile, such as my_http2_profile.
- For the Parent Profile setting, retain the default value http2, or select a different profile. This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile that you select.
- From the Settings list, you can select Advanced to view the advanced settings. This setting is optional, depending on the settings you want to configure.
- On the far-right side of the screen, select the Custom check box.
- In the Concurrent Streams Per Connection field, retain or change the numeric value. This setting specifies how many concurrent requests are allowed to be outstanding on a single HTTP/2 connection.
- In the Connection Idle Timeout field, retain or change the numeric value. This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
- From the Insert Header list, retain the default value of Disabled, or select Enabled. This setting specifies whether the BIG-IP system should add an HTTP header to the HTTP request to show that the request was received over HTTP/2.
- In the Insert Header Name field, retain the default value or, if the Insert Header setting is enabled, change the header name. This setting specifies the name of the header that the BIG-IP system will add to the HTTP request when the Insert Header setting is enabled.
- From the Enforce TLS Requirements list, ensure that Enabled is selected. Enforcing TLS requirements is required for successful HTTP/2 full-proxy deployment.
- For the Activation Modes setting, retain the default value of ALPN (Application Layer Protocol Negotiation) or select Always. This setting specifies the condition that will cause the BIG-IP system to handle an incoming connection as an HTTP/2 connection.
- In the Frame Size field, retain the default value of 2048, or change the value. This setting specifies the size, in bytes, of the data frames that HTTP/2 will produce.
- In the Receive Window field, retain the default numeric value of 32, or change the numeric value. This setting specifies, in kilobytes, the size of the receive window for HTTP/2 flow-control.
- In the Write Size field, retain the default numeric value of 16384, or change the numeric value. This setting specifies the size, in bytes, of the SSL records that HTTP/2 will produce.
- In the Header Table Size field, retain the default numeric value of 4096, or change the numeric value. This setting specifies the table size that the BIG-IP system will use for the compression of headers (unused).
- If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP/2 profile.
- Click Finished.
Any custom HTTP/2 profile that you have created now
appears on the HTTP/2 profile list screen and is ready for you to assign to a virtual
server.
Create a basic server pool to process HTTP/2 traffic
You can create a pool of application servers
enabled for processing HTTP/2 traffic. After creating the server pool, you must assign
the pool to a virtual server.
Each pool member should be an HTTP/2-capable web server.
- On the Main tab, click. The Pools list screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. The pool name is limited to 63 characters.
- In the Description field, type a description of the pool.
- For the Health Monitors setting, from the Available box, select a health monitor and move it to the Active box. There are no HTTP/2-specific health monitors available on the BIG-IP system.
- In the Resources area of the screen, from the Load Balancing Method list, retain the default, or select a load balancing method.
- From the Priority Group Activation list, retain the default value (Disabled) or select Less than and type a numeric value.
- Using the New Members setting, add each resource that you want to include in the pool:
  - In the Node Name field, type a name for the node portion of the pool member.
  - In the Address field, type an IP address.
  - In the Service Port field, type a port number, or select a service name from the list.
  - If you enabled priority group activation, then in the Priority field, type a priority number.
  - Click Add.
- Click Finished.
Create a virtual server to manage HTTP/2 traffic
Before you begin this task, make sure that mid-stream renegotiation is disabled on the relevant Client SSL and Server SSL profiles.
You must create a virtual server to listen for HTTP/2 traffic, apply profiles and policies, and send the traffic to a pool of application servers that are HTTP/2-enabled.
Do not use the HTTP/2 protocol with NTLM protocols, as they are incompatible.
The BIG-IP system does not support Virtual Desktop Infrastructure (VDI) in an HTTP/2 environment. Do not attach both an HTTP/2 profile and a VDI profile to the same virtual server. A virtual server configured with both an HTTP/2 profile and a VDI profile can result in ERR_HTTP2_PROTOCOL_ERROR.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 443 or select HTTPS from the list.
- From the HTTP Profile (Client) list, select a previously-created HTTP profile.
- From the HTTP Profile (Server) list, select (Use Client Profile). Alternatively, if you created a separate HTTP profile for managing server-side traffic, select the profile from the list.
- For the SSL Profile (Client) setting, from the Available list, select clientssl-secure, and move it to the Selected list. The clientssl-secure profile is pre-configured to disable mid-stream SSL renegotiation, a requirement for an HTTP/2 full-proxy deployment. If you need to apply a custom Client SSL profile instead of the clientssl-secure profile, ensure that the Renegotiation setting in the custom profile is disabled.
- For the SSL Profile (Server) setting, from the Available list, select the Server SSL profile that you previously modified to disable mid-stream renegotiation, and move the profile to the Selected list.
- From the Acceleration list, select Advanced.
- From the HTTP/2 Profile (Client) list, select the HTTP/2 profile that you previously created.
- From the HTTP/2 Profile (Server) list, select (Use Client Profile), or, if you created a separate HTTP/2 profile for server-side traffic, select the profile from the list.
- For the HTTP MRF Router setting, select the check box, as shown in this example:
- From the Default Pool list, select a pool that is configured to serve HTTP/2 traffic.
- Click Finished.
The HTTP/2 virtual server is now ready to listen for HTTP/2 traffic and send the traffic to the assigned server pool.
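The configuration constraints and the virtual server prerequisites in this chapter can be checked together as an audit over a simplified settings record. This is an added example, not F5 code: the function name, the dictionary keys, the profile-type labels and the sample values (including example_serverssl and source_addr) are assumptions, not tmsh or iControl REST fields.

```python
import ipaddress
import re

# Profile types the page lists as unsupported or incompatible (labels are assumptions).
UNSUPPORTED = {"oneconnect", "http-cache", "ntlm", "vdi"}
# Heuristic: "session" or "table" in command position inside an iRule body.
IRULE_CMD = re.compile(r"(?:^|[\[;{])\s*(session|table)\s", re.MULTILINE)

def audit_http2_full_proxy(vs):
    """Return findings for one virtual server; an empty list means all checks pass."""
    findings = []
    if not vs.get("http_mrf_router"):
        findings.append("HTTP MRF Router is not enabled")
    for side in ("client_ssl", "server_ssl"):
        # A missing value is treated as enabled, the Server SSL default.
        if vs.get(side, {}).get("renegotiation", True):
            findings.append(f"{side}: renegotiation is not disabled")
    if not vs.get("http2", {}).get("enforce_tls_requirements"):
        findings.append("http2: Enforce TLS Requirements is not enabled")
    for name in sorted(UNSUPPORTED & set(vs.get("other_profiles", []))):
        findings.append(f"unsupported profile attached: {name}")
    if vs.get("persistence") not in (None, "cookie"):
        findings.append(f"persistence method {vs['persistence']!r} is not cookie")
    if vs.get("connection_mirroring"):
        findings.append("connection mirroring is enabled")
    for rule, body in vs.get("irules", {}).items():
        for cmd in sorted(set(IRULE_CMD.findall(body))):
            findings.append(f"iRule {rule} uses unsupported command: {cmd}")
    # ip_interface() accepts address or address/prefix; a bare IPv4 address is /32.
    if ipaddress.ip_interface(vs["destination"]).ip.is_loopback:
        findings.append("destination address is in the loopback network")
    return findings

# Constructed sample input; the dictionary keys are hypothetical.
GOOD = {
    "destination": "10.0.0.1",
    "http_mrf_router": True,
    "client_ssl": {"name": "clientssl-secure", "renegotiation": False},
    "server_ssl": {"name": "example_serverssl", "renegotiation": False},
    "http2": {"name": "my_http2_profile", "enforce_tls_requirements": True},
    "persistence": "cookie",
}
BAD = dict(GOOD, http_mrf_router=False, destination="127.0.0.5",
           server_ssl={"name": "example_serverssl", "renegotiation": True},
           other_profiles=["oneconnect"], persistence="source_addr",
           irules={"r1": "when HTTP_REQUEST {\n  set v [table lookup $k]\n}"})

if __name__ == "__main__":
    for label, vs in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_http2_full_proxy(vs) or "all checks pass")
```

The iRule match is a text heuristic and can flag a command name that appears inside a comment, so treat those findings as prompts for manual review.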
View statistics for an HTTP/2 full-proxy deployment
You can view statistics for either client-side or server-side HTTP/2 traffic.
- On the Main tab, click.
- From the Statistics Type list, select Virtual Servers. By default, this displays the list of virtual servers on the BIG-IP system.
- In the Virtual Server column, click the relevant virtual server name.
- Along the top of the screen, click the Statistics menu.
- In the Profiles area of the screen, from the Select Profile list, select an HTTP/2 profile.
After you perform this task, the BIG-IP system
displays statistics pertaining to the traffic associated with the HTTP/2 profile you
selected.