http2.0 on the VIP

Hi,

 

for a detailled explanation of the the http/2 concept I would recommend to lookup the RFC or Wikipedia for a short summary. F5 has implemented a proxy functionality for http/2 which comes with the LTM feature set. No add-on modules required.

 

The http/2 protocol runs via encrypted connections only. Using Perfect Forward Secrecy (PFS) based on EC-DHE or DHE is mandatory. Your related client-ssl profile needs to have renegotiation disabled (it´s default in the "clientssl-secure" client-ssl profile to be used as a parent).

 

A virtual server in standard mode can handle both http/1.x and http/2 traffic. It´s required to have a proper client-ssl profile, a http profile and an http/2 (section "Acceleration") enabled. Now both types of clients may connect. Your virtual server statistics profile section will provide details on the usage of protocols.

 

Your BIG-IP device acts as a proxy in this case. Serverside connections will be established via http/1.x only. The concurrect http/2 streams on clientside will be demultiplexed into multiple serverside connections. That´s why divergent client- and serverside connection counts/rates can be expected. Due to current issues with Safari browsers it might be necessary to increase the number of streams to 100 in your customized http/2 profile.

 

Starting using http/2 may require to lookup your currently assigned iRules. It turned out, that variables initiated under CLIENT_ACCEPTED may not be available in upper layer events like HTTP_REQUEST. This results in TCL errors and connection resets and will require changing your iRule scripts.

 

That´s why it is highly recommended to test http/2 in a staging environment thoroughly with a range of clients (browsers) before activating it in production.

 

Cheers & good luck, Stephan