Manual Chapter : Configuring HTTP2 Full-proxy Support on the BIG-IP System

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 14.1.0
Manual Chapter

Configuring HTTP/2 Full-proxy Support on the BIG-IP System

Overview: HTTP/2 full-proxy configuration

When your application server infrastructure is composed of HTTP/2-enabled servers, you can take advantage of the HTTP/2 acceleration features that the BIG-IP system provides. Most importantly, the BIG-IP system includes full-proxy support for the HTTP/2 protocol. This means that the BIG-IP system can process HTTP/2 requests and responses on both the client and server sides of the BIG-IP system.

The HTTP/2 full-proxy architecture provides greater network efficiency by allowing the BIG-IP system to transport multiple simultaneous, bi-directional streams of messages between the client and server. This is accomplished through the use of the BIG-IP system’s message-routing proxy, instead of the traditional connection-oriented TCP proxy.

This figure shows an example of the Acceleration area of the New Virtual Server screen, where you configure some key settings for successful HTTP/2 full-proxy operation.

Configuration summary

To configure HTTP/2 full-proxy support on the BIG-IP system, you can use the BIG-IP Configuration utility.

This illustration shows the tasks required to deploy an HTTP/2 full-proxy configuration. Note that you do not need to create a custom Client SSL profile because when you create the virtual server, you will be assigning an existing profile named clientssl-secure to it.

Important: When you create the virtual server, make sure that you enable the HTTP MRF Router option. This is necessary for successful HTTP/2 full-proxy deployment.

Configuration constraints

There are a few BIG-IP system constraints that you'll want to be aware of before deploying an HTTP/2 full-proxy configuration:

  • An HTTP/2 full-proxy configuration works with BIG-IP Local Traffic Manager (LTM) only. The configuration is not supported on any optional BIG-IP modules.
  • The OneConnect and HTTP Cache features are not supported.
  • The HTTP/2 protocol is incompatible with NTLM protocols.
  • For session persistence, only the Cookie persistence method is available.
  • In high-availability configurations, connection mirroring is not supported.
  • The iRule commands session and table are not supported.

Disable server-side SSL renegotiation

Before starting this task, make sure that you have created a Server SSL profile on the BIG-IP system for securing HTTP/2 application traffic. You do not need to create a Client SSL profile because a profile named clientssl-secure already exists on the system.
On the server-side SSL profile, you must actively disable renegotiation, as this setting is enabled by default. When you disable renegotiation, the BIG-IP system either terminates the connection on mid-stream renegotiation or ignores the renegotiation request, depending on the system configuration. This is essential for proper HTTP/2 full-proxy operation when you are using SSL to secure application traffic (recommended).
Note: For the client-side, the Reneogtiation setting is already disabled by default in profile clientssl-secure.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
  2. In the Name column, click the name of the relevant Server SSL profile.
  3. From the Configuration list, select Advanced.
  4. For the Renegotiation setting, clear the check box.
  5. At the bottom of the screen, click Update.
After you complete this task, mid-stream SSL renegotiation is disabled for the HTTP/2 full-proxy deployment.

Create a custom HTTP profile for HTTP/2 full-proxy configuration

Part of configuring an HTTP/2 full-proxy configuration on the BIG-IP system is to first create a standard HTTP profile. An HTTP profile defines the way that you want the BIG-IP system to manage HTTP traffic.

Note: For the most expedient HTTP/2 full-proxy configuration, you can create a single HTTP profile that the BIG-IP system will apply to both client-side and server-side HTTP traffic. Alternatively, if you want the BIG-IP system to manage client-side and server-side traffic in different ways, you can create two separate HTTP profiles and configure the settings differently in each profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP .
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. Type a unique Name for the profile.
  4. From the Parent Profile list, select http.
  5. Select the Custom check box.
  6. Modify the settings as required for your configuration.
  7. If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP profile.
  8. Click Finished.
Any custom HTTP profile that you have created now appears on the HTTP profile list screen and is ready for you to assign to a virtual server.

Create a custom HTTP/2 profile

Part of creating an HTTP/2 full-proxy configuration is to create an HTTP/2 profile that you can use for both client-side and server-side application traffic. When you assign the profile to a virtual server, the BIG-IP system applies the settings in the profile to the traffic.

Note: For the most expedient HTTP/2 full-proxy configuration, you can create a single HTTP/2 profile that the BIG-IP system will apply to both client-side and server-side HTTP/2 traffic. Alternatively, if you want the BIG-IP system to manage client-side and server-side traffic in different ways, you can create two separate HTTP/2 profiles and configure the settings differently in each profile.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP/2 .
  2. Click Create.
  3. Type a Name for the profile, such as my_http2_profile.
  4. For the Parent Profile setting, retain the default value http2, or select a different profile.
    This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values from the parent profile that you select.
  5. From the Settings list, you can select Advanced to view the advanced settings.
    This setting is optional, depending on the settings you want to configure.
  6. On the far-right side of the screen, select the Custom check box.
  7. In the Concurrent Streams Per Connection field, retain or change the numeric value.
    This setting specifies how many concurrent requests are allowed to be outstanding on a single HTTP/2 connection.
  8. In the Connection Idle Timeout field, retain or change the numeric value.
    This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
  9. From the Insert Header list, retain the default value of Disabled, or select Enabled.
    This setting specifies whether the BIG-IP system should add an HTTP header to the HTTP request to show that the request was received over HTTP/2.
  10. In the Insert Header Name field, retain the default value or, if the Insert Header setting is enabled, change the header name.
    This setting specifies the name of the header that the BIG-IP system will add to the HTTP request when the Insert Header is enabled.
  11. From the Enforce TLS Requirements list, ensure that Enabled is selected.
    Important: Enforcing TLS requirements is required for successful HTTP/2 full-proxy deployment.
  12. For the Activation Modes setting, retain the default value of ALPN (Application Layer Protocol Negotiation) or select Always.
    This setting specifies the condition that will cause the BIG-IP system to handle an incoming connection as an HTTP/2 connection.
  13. In the Frame Size field, retain the default value of 2048, or change the value.
    This setting specifies the size, in bytes, of the data frames that HTTP/2 will produce.
  14. In the Receive Window field, retain the default numeric value of 32, or change the numeric value.
    This setting specifies, in kilobytes, the size of the receive window for HTTP/2 flow-control.
  15. In the Write Size field, retain the default numeric value of 16384, or change the numeric value.
    This setting specifies the size, in bytes, of the SSL records that HTTP/2 will produce.
  16. In the Header Table Size field, retain the default numeric value of 4096, or change the numeric value.
    This setting specifies the table size that the BIG-IP system will use for the compression of headers (unused).
  17. If you want the BIG-IP system to manage server-side traffic differently from client-side traffic, click Repeat and create another HTTP/2 profile.
  18. Click Finished.
Any custom HTTP/2 profile that you have created now appears on the HTTP/2 profile list screen and is ready for you to assign to a virtual server.

Create a basic server pool to process HTTP/2 traffic

You can create a pool of application servers enabled for processing HTTP/2 traffic. After creating the server pool, you must assign the pool to a virtual server.

Note: Each pool member should be an HTTP/2-capable web server.
  1. On the Main tab, click Local Traffic > Pools .
    The Pools list screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a name for the pool.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    Important: The pool name is limited to 63 characters.
  4. Type a Description field, type a description of the pool.
  5. For the Health Monitors setting, from the Available box, select a health monitor and move it to the Active box.
    There are no HTTP/2-specific health monitors available on the BIG-IP system.
  6. In the Resources area of the screen, from the Load Balancing Method list, retain the default, or select a load balancing method.
  7. From the Priority Group Activation list, retain the default value (Disabled) or select Less than and type a numeric value.
  8. Using the New Members setting, add each resource that you want to include in the pool:
    1. In the Node Name field, type a name for the node portion of the pool member.
    2. In the Address field, type an IP address.
    3. In the Service Port field, type a port number, or select a service name from the list.
    4. If you enabled priority group activation, then in the Priority field, type a priority number.
    5. Click Add.
  9. Click Finished.

Create a virtual server to manage HTTP/2 traffic

Before you begin this task, make sure that mid-stream renegotiation is disabled on the relevant Client SSL and Server SSL profiles.

You must create a virtual server to listen for HTTP/2 traffic, apply profiles and policies, and send the traffic to a pool of application servers that are HTTP/2-enabled.

Important: Do not use the HTTP/2 protocol with NTLM protocols, as they are incompatible.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. From the HTTP Profile (Client) list, select a previously-created HTTP profile.
  7. From the HTTP Profile (Server) list, select (Use Client Profile).
    Note: Alternatively, if you created a separate HTTP profile for managing server-side traffic, select the profile from the list.
  8. For the SSL Profile (Client) setting, from the Available list, select clientssl-secure, and move it to the Selected list.
    Important: The clientssl-secure profile is pre-configured to disable mid-stream SSL renegotiation, a requirement for an HTTP/2 full-proxy deployment. If you need to apply a custom Client SSL profile instead of the clientssl-secure profile, ensure that the Renegotiation setting in the custom profile is disabled.
  9. For the SSL Profile (Server) setting, from the Available list, select the Server SSL profile that you previously modified to disable mid-stream renegotiation, and move the profile to the Selected list.
  10. From the Acceleration list, select Advanced.
  11. From the HTTP/2 Profile (Client) list, select the HTTP/2 profile that you previously created.
  12. From the HTTP/2 Profile (Server) list, select (Use Client Profile), or, if you created a separate HTTP/2 profile for server-side traffic, select the profile from the list.
  13. For the HTTP MRF Router setting, select the check box, as shown in this example:
  14. From the Default Pool list, select a pool that is configured to serve HTTP/2 traffic.
  15. Click Finished.
The HTTP/2 virtual server is now ready to listen for HTTP/2 traffic and send the traffic to the assigned server pool.

View statistics for an HTTP/2 full-proxy deployment

You can view statistics for either client-side or server-side HTTP/2 traffic.

  1. On the Main tab, click Statistics > Module Statistics > Local Traffic
  2. From the Statstics Type list, select Virtual Servers.
    By default, this displays the list of virtual servers on the BIG-IP system.
  3. In the Virtual Server column, click the relevant virtual server name.
  4. Along the top of the screen, click the Statistics menu.
  5. In the Profiles area of the screen, from the Select Profile list, select an HTTP/2 profile.
After you perform this task, the BIG-IP system displays statistics pertaining to the traffic associated with the HTTP/2 profile you selected.