http/2 configuration

KaiTT
Nimbostratus

Hi All,

We are providing LTM service by configuring BIG-IP as below. (This is not a typical configuration)

[Attached image: 암복호화.JPG ("encryption/decryption")]

BIG-IP creates two connections.

1) Client <--------------> BIG-IP <-------------> WAF

2) WAF <---------------> BIG-IP <-------------> Leaf

 

We are going to add http/2 configuration in these topologies.

But I found a problem here.

Client Hello for incoming traffic via WAF does not include ALPN.

[Attached image: ALPN.JPG]

From the BIG-IP's point of view, ALPN seems to be missing because the client is the WAF.

In this case, even if I add an http/2 profile, it is expected to fail due to topology issues.

 

Am I right in understanding?

Is there any other way to do http/2 successfully in this environment?

Thanks.

3 REPLIES

chrros95
Altostratus

Hi,

Which profile have you attached to your virtual server? Do they both contain an HTTP/2 client and server profile? Have they enabled HTTP MRF?

From my point of view the setup should work fine if you follow this guide on both VS: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-http2-full-proxy-configu...

 

Hi,

http/2 profile has not been applied yet.

We found something unusual during the review before applying the configuration.

 

2) WAF <---------------> BIG-IP <-------------> Leaf

 

In this flow, the client is WAF.

Client Hello does not include ALPN because it is not a typical web browser.

Is it correct that http/2 cannot be used in an environment where ALPN is not included in the Client Hello due to the topology singularity?

 

Thanks.

 

I would say that you're correct. From what you describe, the WAF is acting as a reverse proxy. The limitation is on the WAF and not the BIG-IP.

If the WAF cannot proxy the ALPN extension, then you are going to have HTTP/1.1 on connection 2). I'm not sure if there is any way around this. Maybe the WAF software can be upgraded to support this? I'm assuming the WAF is different vendor hardware?
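
Added example, not part of the thread and not F5 or WAF vendor code: a small parser that checks whether a TLS ClientHello record offers `h2` in the ALPN extension (RFC 7301, extension type 16), which is the condition the replies above hinge on for connection 2). The function names and both sample ClientHello records are constructed for illustration; in practice the input would be the ClientHello bytes captured on the WAF-to-BIG-IP leg.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def build_client_hello(alpn=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    exts = b""
    if alpn:
        names = b"".join(bytes([len(p)]) + p for p in alpn)
        body = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT, len(body)) + body
    hello = (b"\x03\x03" + bytes(32)           # client_version, random
             + b"\x00"                          # empty session_id
             + b"\x00\x02\xc0\x2f"              # one cipher suite
             + b"\x01\x00"                      # null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_alpn(record):
    """Return the ALPN protocols offered in a ClientHello, or [] if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                            # record+handshake hdr, version, random
    pos += 1 + record[pos]                      # session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    if pos + 2 > len(record):
        return []                               # no extensions block at all
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == ALPN_EXT:
            protos, i = [], 2                   # skip protocol_name_list length
            while i < len(data):
                protos.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
                i += 1 + data[i]
            return protos
    return []

def expected_http_version(record):
    """HTTP/2 over TLS is negotiated via ALPN; without an h2 offer expect HTTP/1.1."""
    return "HTTP/2" if "h2" in offered_alpn(record) else "HTTP/1.1"
```

A ClientHello like the one described for the WAF (no ALPN extension) yields an empty list and `HTTP/1.1`, while a browser-style hello offering `h2` yields `HTTP/2`.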