20-Apr-2023 05:12
Hi All,
We are providing LTM service by configuring BIG-IP as below. (This is not a typical configuration)
BIG-IP creates two connections.
1) Client <--------------> BIG-IP <-------------> WAF
2) WAF <---------------> BIG-IP <-------------> Leaf
We are going to add an HTTP/2 configuration to these topologies.
But I found a problem here.
The Client Hello for incoming traffic via the WAF does not include ALPN.
From the BIG-IP's point of view, ALPN seems to be missing because the client is the WAF.
In this case, even if I add an HTTP/2 profile, it is expected to fail due to topology issues.
Am I understanding this correctly?
Is there any other way to do HTTP/2 successfully in this environment?
Thanks.
20-Apr-2023 06:59
Hi,
Which profiles have you attached to your virtual servers? Do they both contain an HTTP/2 client and server profile? Have they enabled HTTP MRF?
From my point of view the setup should work fine if you follow this guide on both VS: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configu...
20-Apr-2023 07:38
Hi,
The HTTP/2 profile has not been applied yet.
We found something unusual during the review before applying the configuration.
2) WAF <---------------> BIG-IP <-------------> Leaf
In this flow, the client is the WAF.
The Client Hello does not include ALPN because it is not a typical web browser.
Is it correct that HTTP/2 cannot be used in an environment where ALPN is not included in the Client Hello due to the topology singularity?
Thanks.
20-Apr-2023 12:12
I would say that you're correct. From what you describe, the WAF is acting as a reverse proxy. The limitation is on the WAF and not the BIG-IP.
If the WAF cannot proxy the ALPN extension, then you are going to have HTTP/1.1 on connection 2). I'm not sure if there is any way around this. Maybe the WAF software can be upgraded to support this? I'm assuming the WAF is a different vendor's hardware?
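
To confirm from a packet capture whether the WAF's Client Hello on connection 2) offers `h2`, the ALPN extension (type 16) can be read straight out of the handshake record. This is an added example, not code from the thread or from F5; `build_client_hello` and `alpn_offered` are hypothetical helper names, and the sample records are constructed here rather than captured.

```python
import struct

def build_client_hello(alpn=None):
    """Build a minimal TLS ClientHello record (constructed sample, not a capture)."""
    exts = struct.pack("!HH", 23, 0)               # extended_master_secret, empty body
    if alpn:
        plist = b"".join(bytes([len(p)]) + p for p in alpn)
        body = struct.pack("!H", len(plist)) + plist
        exts += struct.pack("!HH", 16, len(body)) + body   # type 16 = ALPN
    hello = (b"\x03\x03" + bytes(32)               # legacy version, 32-byte random
             + b"\x00"                             # empty session id
             + b"\x00\x02\xc0\x2f"                 # one cipher suite
             + b"\x01\x00"                         # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def alpn_offered(record):
    """Return the ALPN protocol names in a ClientHello record, [] if none offered."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                           # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                         # skip session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # skip cipher suites
    pos += 1 + record[pos]                         # skip compression methods
    if pos + 2 > len(record):
        return []                                  # no extensions block at all
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 16:                            # application_layer_protocol_negotiation
            protos, p, stop = [], pos + 2, pos + elen
            while p < stop:                        # length-prefixed protocol names
                n = record[p]
                protos.append(record[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return protos
        pos += elen                                # skip any other extension
    return []

if __name__ == "__main__":
    browser_like = build_client_hello([b"h2", b"http/1.1"])
    waf_like = build_client_hello()                # no ALPN, as described for the WAF
    for name, rec in (("browser-like", browser_like), ("WAF-like", waf_like)):
        offered = alpn_offered(rec)
        print(name, offered, "-> HTTP/2 possible" if "h2" in offered else "-> HTTP/1.1 only")
```
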