Forum Discussion
http/2 configuration
Hi All,
We are providing LTM service by configuring BIG-IP as below. (This is not a typical configuration)
BIG-IP creates two connections.
1) Client <--------------> BIG-IP <-------------> WAF
2) WAF <---------------> BIG-IP <-------------> Leaf
We are going to add http/2 configuration in these topologies.
But I found a problem here.
Client Hello for incoming traffic via WAF does not include ALPN.
From BIG-IP point of view, ALPN seems to be missing because Client is WAF.
In this case, even if I add http/2 profile, it is expected to fail due to topology issues.
Am I right in understanding?
Is there any other way to do http/2 successfully in this environment?
Thanks.
- chrros95Altostratus
Hi,
Which profile have you attached to your virtual server? Do they both contain an HTTP/2 Client and Server-Profile? Have they enabled HTTP MRF?
From my point of view the setup should work fine if you follow this guide on both VS: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configuration-14-1-0/01.html
- KaiTTNimbostratus
Hi,
http/2 profile has not been applied yet.
We found something unusual during the review before applying the configuration.
2) WAF <---------------> BIG-IP <-------------> Leaf
In this flow, the client is WAF.
Client Hello does not include ALPN because it is not a typical web browser.
Is it correct to not be able to use http/2 in an environment where ALPN is not included in Client Hello due to topology singularity?
Thanks.
I would say that you're correct. From what you describe, the WAF is acting as a reverse proxy. The limitation is on the WAF and not the BIG-IP.
If the WAF cannot proxy the ALPN extension, then you are going to have HTTP/1.1 on connection 2). I'm not sure if there is any way around this. Maybe the WAF software can be upgraded to support this? I'm assuming the WAF is different vendor hardware?
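Added example, not part of the thread or of any F5 tooling: a small Python parser that reads a TLS ClientHello record, such as the first TLS record from a capture of connection 2), and reports whether the ALPN extension is present and offers `h2`. The function names and the `build_client_hello` sample builder are assumptions made for this illustration, and the sample records are constructed, not captured.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation, RFC 7301

def offered_alpn(record: bytes):
    """Return the ALPN protocols in a TLS ClientHello record, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32              # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]            # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]            # compression_methods
    if pos + 2 > len(record):
        return None                   # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == ALPN_EXT:
            protos, p = [], pos + 2   # skip the 2-byte protocol list length
            while p < pos + ext_len:
                n = record[p]
                protos.append(record[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return protos
        pos += ext_len
    return None

def can_negotiate_h2(record: bytes) -> bool:
    """HTTP/2 over TLS is only selectable when the client offers 'h2'."""
    return "h2" in (offered_alpn(record) or [])

def build_client_hello(alpn=None) -> bytes:
    """Constructed sample ClientHello for the demo (not a packet capture)."""
    exts = b"\x00\x0b\x00\x02\x01\x00"    # ec_point_formats, to exercise skipping
    if alpn:
        plist = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(plist)) + plist
        exts += struct.pack("!HH", ALPN_EXT, len(body)) + body
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for name, alpn in (("browser-like", ["h2", "http/1.1"]), ("WAF-like", None)):
        rec = build_client_hello(alpn)
        print(name, offered_alpn(rec), "h2 possible:", can_negotiate_h2(rec))
```

A `None` result for the WAF-originated ClientHello matches the situation described in the thread: with no ALPN offer, the TLS server side has nothing from which to select `h2`.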