Settings when configuring http/2 for the client side only
We have used the http/2 settings at https://my.f5.com/manage/s/article/K04412053 and our flow is user mobile devices to BIG-IP is http/2. BIG-IP translates http/2 to http/1.1 then sends it to our back-end servers. 1. We have seen lot of Client connection closed error messages after turning on http/2 and trying to trace if any http/2 settings need to be changed from the default http/2 settings at https://my.f5.com/manage/s/article/K04412053 ? 2. How does BIG-IP translate http/2(received from user mobile devices) to http/1.1 and how can we check those settings to tweak them? 3. Anything else we should check for?gRPC load balancing with F5 and nginx
I've a requirement of using gRPC through F5 using nginx at the server level which will convert port 80 to gRPC port (50001). Flow would be like: Client will hit F5 over port 443 which invariably will forward the request to nginx over port 80 which will convert it again over designated port of gRPC (50001). I enabled HTTP2 settings in F5 but application is not responding. Is there any specific setting which i need to do for gRPC at F5 level? nginx is already configured to forward request over port 80 to http2.
how to use h2c recv/recv-disable pool members
Hello, everyone. I want to check the pool member status by utilizing the monitor for HTTP/2(h2c) which is recv/recv-disable. EAV only checks State Up/Down. The Monitor-Up (Enabled/Disabled) option is not available on EAV. I tried to implement it with i-rule, but I'm having a hard time because I'm not familiar with Tcl. Is there any way to use recv/recv-disable monitor for h2c? Any way is fine, so please give me a guide me. Thank you.
HTTP2 Profile for one domain on Virtual Server
Hello, I have a Virtual Server which uses TCP/443 Port for HTTPS Protocol. This Virtual Server have a lot of SSL Profile (Certificates) for many domains. And my client want to use HTTP/2 Protocol. But for test he want apply HTTP/2 only for once domain. If i apply HTTP2 Profile to Virtual Server then the error appears, since “TLS Renegotiation” don't disabled at All SSL Profile. Do i can switch on HTTP/2 only at one domain in this Virtual Server?Are the HTTP/2 profile defaults sound?
The current default for theHTTP/2 profile has a Concurrent Streams Per Connection default of 10. This seems a bit conservative. IETF recommended that this value being no smaller than 100, so as to not unnecessarily limit parallelism https://tools.ietf.org/html/rfc7540#section-6.5.2 Also, NGINX for example has a default of 128 for while Citrix Netscaler has 100 as default maximum number of concurrent HTTP/2 streams in a connection. So, should we tune this value up from 10 to say 100? What effects will that have on the appliance? Also, should we then also tune any of the other default params for better performance?Can the F5 Mitigate the HTTP/2 vulnerabilities?
Hi, We are considering implementing HTTP/2 in our environment at the moment. In August a number of DoS vulnerabilities were identified in HTTP/2. If we make the change for HTTP/2 on the F5, does the F5 do anything to mitigate the risk? https://nakedsecurity.sophos.com/2019/08/19/netflix-finds-multiple-http2-dos-flaws/ Are there ASM signatures that protect against these issues? If so, what about protection on APM if we add HTTP/2 there? Any information would be appreciated.Will changing to HTTP/2 impact ASM policies?
Hi All, We currently have a large number of ASM policies in place and have recently resumed discussions on enabling HTTP/2 on the F5s. Since HTTP/2 operates quite differently to HTTP/1.1 will the change have any impact on the existing ASM policies? eg. WIll they continue to detect malicious requests, illegal characters etc? Thank you.