For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JustCooLpOOLe's avatar
JustCooLpOOLe
Icon for Cirrocumulus rankCirrocumulus
Jun 06, 2019
Solved

HTTP/2.0 Server-Side Traffic

Hi,   As I understand it now, the HTTP/2 profile is only for client-side traffic and that any traffic sent back to the server is sent using HTTP/1.1. Does this still hold true? If so, is anyone...
application delivery
LTM
  • Leonardo_Souza's avatar
    Leonardo_Souza
    Jun 06, 2019

    https://support.f5.com/csp/article/K04412053

    "In BIG-IP 11.6.0, F5 introduces HTTP/2 protocol support as defined in RFC7540 for processing client-side HTTP/2 traffic. The support for server-side HTTP/2 traffic processing is introduced in BIG-IP 14.1.0; the webacceleration and OneConnect profiles are not supported in HTTP/2 full proxy mode in this version. In BIG-IP 15.0.0, F5 introduces the support for webacceleration profile in HTTP/2 full proxy mode."

Leonardo_Souza's avatar
Leonardo_Souza
Icon for Cirrocumulus rankCirrocumulus
Feb 21, 2021

Think about HTTP/2 profile like any other profile, let's say severssl profile.

You could have servers doing SSL, but in a failed scenario send people to a static sorry page without SSL.

In that case, before redirecting to that new server, you remove the serverssl profile.

 

In theory, the same idea could be applied to HTTP/2, so in the iRule/LTM Policy you remove the HTTP/2 profile before sending traffic to the server.

I said in theory because I haven't tested it.

However, this bug proves it should work:

https://cdn.f5.com/product/bugtracker/ID869553.html

 

The bad news is the bug above, and that I could not find that opiton using LTM Policy.

You could open a ticket with F5 support to see if there is any engineering hotfix for that because it applies to all the latest versions.