
Introduction

Activation modes specify how the BIG-IP system negotiates the HTTP/2 protocol. The setting also has a TMSH equivalent.

In this article I go slightly deeper to explain how BIG-IP negotiates an HTTP/2 connection with client peers.

Traditionally, HTTP/2 can be negotiated within an HTTP/1.1 connection or via the TLS extension Application Layer Protocol Negotiation (ALPN).

Currently, the only supported method on BIG-IP is ALPN. There is another option on BIG-IP named Always.

Application Layer Protocol Negotiation (ALPN)

ALPN requires a client-ssl profile applied to the Virtual Server.

With ALPN, the client goes through the TLS handshake with BIG-IP, and both sides inform each other about the L7 protocol they want to negotiate in the application_layer_protocol_negotiation extension, which is visible in Wireshark.

When the TLS handshake is finished you should see HTTP/2 messages, as long as the traffic is decrypted, because HTTP/2 requires TLS.

Always

Always is just for debugging purposes and not for production, as it makes BIG-IP exchange HTTP/2 messages without the need for TLS.

In a capture taken in this mode, BIG-IP exchanges HTTP/2 messages with the client immediately after the TCP handshake, i.e. no TLS is required.

When I say without the need for TLS, do not confuse this with the HTTP/1.1 Upgrade mechanism.

In a subsequent capture, I experimentally sent an HTTP/1.1 request with an Upgrade: h2c header using the nghttp tool from my client machine (nghttp http://10.199.3.44), which signals that we want to "talk" HTTP/2 to BIG-IP, and here's what happens:

BIG-IP replied with SETTINGS and GOAWAY, which are HTTP/2 messages.

If BIG-IP supported the upgrade from HTTP/1.1 to HTTP/2, it should have responded with an HTTP/1.1 101 (Switching Protocols) message instead, and not with HTTP/2 SETTINGS directly as seen above.

This also confirms BIG-IP doesn't support upgrade from HTTP/1.1 to HTTP/2.
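The distinction drawn above, as an added example that is not part of the original article or any F5 code: a Python classifier that takes the first bytes a server returns to an `Upgrade: h2c` request and tells an HTTP/1.1 101 reply apart from raw HTTP/2 frames such as SETTINGS and GOAWAY. The function names, the sample bytes and the GOAWAY error code are constructed for illustration.

```python
import struct

# HTTP/2 frame type codes (RFC 9113, section 6)
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}

# Constructed sample: empty SETTINGS, then GOAWAY (last stream 0, error code 1).
SAMPLE_DIRECT_H2 = (b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
                    b"\x00\x00\x08\x07\x00\x00\x00\x00\x00"
                    b"\x00\x00\x00\x00\x00\x00\x00\x01")
SAMPLE_101 = b"HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\nUpgrade: h2c\r\n\r\n"


def parse_h2_frames(data):
    """Walk the 9-byte frame headers; return [(type_name, stream_id, payload)]."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        len_hi, len_lo, ftype, _flags, stream = struct.unpack_from(">BHBBI", data, pos)
        length = (len_hi << 16) | len_lo
        payload = data[pos + 9:pos + 9 + length]
        if ftype not in FRAME_TYPES or len(payload) < length:
            break  # not HTTP/2 framing, or the capture is truncated
        frames.append((FRAME_TYPES[ftype], stream & 0x7FFFFFFF, payload))
        pos += 9 + length
    return frames


def goaway_error_code(frames):
    """Return the 32-bit error code of the first GOAWAY frame, or None."""
    for name, _stream, payload in frames:
        if name == "GOAWAY" and len(payload) >= 8:
            return struct.unpack(">II", payload[:8])[1]
    return None


def classify_upgrade_reply(data):
    """Classify the first bytes a server returns to an 'Upgrade: h2c' request."""
    if data.startswith(b"HTTP/1.1 101"):
        return "upgrade-accepted", []
    if data.startswith(b"HTTP/1."):
        return "http1-reply", []
    frames = parse_h2_frames(data)
    # An HTTP/2 server preface starts with a SETTINGS frame on stream 0.
    if frames and frames[0][0] == "SETTINGS" and frames[0][1] == 0:
        return "direct-http2", [name for name, _, _ in frames]
    return "unknown", []


if __name__ == "__main__":
    print(classify_upgrade_reply(SAMPLE_DIRECT_H2))
    print(classify_upgrade_reply(SAMPLE_101))
```

A `direct-http2` result on a plaintext listener means the virtual server is speaking HTTP/2 without TLS, which the article reserves for debugging.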

Good bye and Thank you F5, my team and the whole community!

I'd like to take this opportunity to say that I'm leaving F5 for a new challenge but I'm not leaving the F5 community. I'm truly grateful to be part of this vibrant community and I'd like to thank the whole of F5 and the DevCentral community members for making DevCentral great. However, a special thank you goes to my teammates Jason Rahm, John Wagnon, Leslie Hubertus, Lief Zimmerman, Chase Abbott, Peter Silva and my manager Tony Hynes. I learnt a lot from you, had lots of fun in our in-person meetings and will always be grateful for that. You'll be truly missed. I won't be posting articles but will still be in the forums, so feel free to drop me a message.

Last update: 11-Jun-2020 00:27