Forum Discussion

KaiTT's avatar
KaiTT
Icon for Nimbostratus rankNimbostratus
Apr 20, 2023

http/2 configuration

Hi All,

We are providing LTM service by configuring BIG-IP as below. (This is not a typical configuration)

 

 

 

 

 

 

 

 

 

 

 

BIG-IP creates two connections.

1) Client <--------------> BIG-IP <-------------> WAF

2) WAF <---------------> BIG-IP <-------------> Leaf

 

We are going to add http/2 configuration in these topologies.

But I found a problem here.

Client Hello for incoming traffic via WAF does not include ALPN.

 

 

 

 

 

 

From BIG-IP point of view, ALPN seems to be missing because Client is WAF.

In this case, even if I add http/2 profile, it is expected to fail due to topology issues.

 

Am I right in understanding?

Is there any other way to do http/2 successfully in this environment?

Thanks.

application delivery

3 Replies

Sort By
    • KaiTT's avatar
      KaiTT
      Icon for Nimbostratus rankNimbostratus
      Apr 20, 2023

      Hi,

      http/2 profile has not been applied yet.

      We found something unusual during the review before applying the configuration.

       

      2) WAF <---------------> BIG-IP <-------------> Leaf

       

      In this flow, the client is WAF.

      Client Hello does not include ALPN because it is not a typical web browser.

      Is it correct to not be able to use http/2 in an environment where ALPN is not included in Client Hello due to topology singularity?

       

      Thanks.

       

      • Michael_Saleem's avatar
        Michael_Saleem
        Icon for MVP rankMVP
        Apr 20, 2023

        I would say that you're correct. From what you describe, the WAF is acting as a reverse proxy. The limitation is on the WAF and not the BIG-IP.

        If the WAF cannot proxy the ALPN extension, then you are going to have HTTP/1.1 on connection 2). I'm not sure if there is any way around this. Maybe the WAF software can be upgraded to support this? I'm assuming the WAF is different vendor hardware?