For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JustCooLpOOLe's avatar
JustCooLpOOLe
Icon for Cirrocumulus rankCirrocumulus
Jun 06, 2019
Solved

HTTP/2.0 Server-Side Traffic

Hi,

 

As I understand it now, the HTTP/2 profile is only for client-side traffic and that any traffic sent back to the server is sent using HTTP/1.1. Does this still hold true? If so, is anyone aware of when the F5 will be able to communicate over HTTP/2.0 to the pool members? Is there a workaround?

 

Our developers are starting to explore this as an option and right now they are ok with just client-side but I'm sure they would like to implement it on the server-side so thought I would throw this out there.

application delivery
LTM
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Jun 06, 2019

    https://support.f5.com/csp/article/K04412053

    "In BIG-IP 11.6.0, F5 introduces HTTP/2 protocol support as defined in RFC7540 for processing client-side HTTP/2 traffic. The support for server-side HTTP/2 traffic processing is introduced in BIG-IP 14.1.0; the webacceleration and OneConnect profiles are not supported in HTTP/2 full proxy mode in this version. In BIG-IP 15.0.0, F5 introduces the support for webacceleration profile in HTTP/2 full proxy mode."

5 Replies

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Jun 06, 2019

    https://support.f5.com/csp/article/K04412053

    "In BIG-IP 11.6.0, F5 introduces HTTP/2 protocol support as defined in RFC7540 for processing client-side HTTP/2 traffic. The support for server-side HTTP/2 traffic processing is introduced in BIG-IP 14.1.0; the webacceleration and OneConnect profiles are not supported in HTTP/2 full proxy mode in this version. In BIG-IP 15.0.0, F5 introduces the support for webacceleration profile in HTTP/2 full proxy mode."

  • bradhanson's avatar
    bradhanson
    Icon for Altocumulus rankAltocumulus
    Feb 19, 2021

    Question related to this. If server-side is set for HTTP/2 but it goes to a server that is HTTP/1,1.1 does it negotiate to the HTTP/1,1.1?

    We have a virtual server that would have servers behind it with HTTP/2 but an iRule/Policy is in place for 'exceptions' where it changes the server pool to other servers that are not supporting HTTP/2.

    Thanks!!

    • bradhanson's avatar
      bradhanson
      Icon for Altocumulus rankAltocumulus
      Feb 25, 2021

      Answer my own question after some testing. Yes, it will negotiate and connect to servers that aren't supporting HTTP/2. So I can have a mixed set of servers behind the virtual server some supporting HTTP/2 and others not and it connects successfully.

      I have to note how simple and apparently 'transparent' this is.

  • Leonardo_Souza's avatar
    Leonardo_Souza
    Icon for Cirrocumulus rankCirrocumulus
    Feb 21, 2021

    Think about HTTP/2 profile like any other profile, let's say severssl profile.

    You could have servers doing SSL, but in a failed scenario send people to a static sorry page without SSL.

    In that case, before redirecting to that new server, you remove the serverssl profile.

     

    In theory, the same idea could be applied to HTTP/2, so in the iRule/LTM Policy you remove the HTTP/2 profile before sending traffic to the server.

    I said in theory because I haven't tested it.

    However, this bug proves it should work:

    https://cdn.f5.com/product/bugtracker/ID869553.html

     

    The bad news is the bug above, and that I could not find that opiton using LTM Policy.

    You could open a ticket with F5 support to see if there is any engineering hotfix for that because it applies to all the latest versions.