SlideShare a Scribd company logo
1 of 31
Download to read offline
APACHECON North America Sept. 9-12, 2019
HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS
State of theState of the ArtArt in Our Serversin Our Servers
Jean-Frederic ClereJean-Frederic Clere
APACHECON North America
What I will coverWhat I will cover
●
HTTP/3
●
HTTP/2
●
HTTP/2 and ALPN
●
Servers
●
Apache HTTPD
●
Tomcat
●
Traffic server
●
Demos
●
Questions?
2
APACHECON North America
Who I amWho I am
Jean-Frederic Clere
Red Hat
Years writing JAVA code and server software
Tomcat committer since 2001
Doing OpenSource since 1999
Cyclist/Runner etc
Lived 15 years in Spain (Barcelona)
Now in Neuchâtel (CH)
3
APACHECON North America
HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!)
– Use QUIC / TLS-1.3 / UDP
– To transport HTTP like HTTP/2
– Initial connection TPC + Alt-Svc
●
Response Alt-Svc: h3=":56666":
– problems:
●
UDP ports closed
●
UDP slower than TPC in Kernels
●
Needs extra CPU (?)
– Specifications:
●
Several RFC (6 RFC)
4
APACHECON North America
HTTP/3 implementations:
– Curl (http3-direct and Alt-Svc way)
– Libraries
● ngtcp2
● quiche
– Apache Tomcat: Problem UDP socket API incomplete
– Apache HTTPD: need time probably like http/2
– Traffic Server: planed for the next version (end 2019)
● See ATS proto / curl demo
APACHECON North America
HTTP/3 more info:
– Demo ATS / curl
– Playing browsers:
● test browser
● Interop matrix
● chrome activation
APACHECON North America
Why HTTP/2Why HTTP/2
– HTTP/1.1: June 1999 (RFC 2616)
●
1999:
– 1 page ~ 1kB HTML
●
2019:
– 1 page ~ 3MB HTML + IMAGES + JS + CSS etc
– Protocol:
●
Not adapted / inefficient / etc
7
APACHECON North America
HTTP/2 generalHTTP/2 general
●
HTTP/2:
– Binary
– Frame
– Multiplex
– Based on SPDY
– TLS everywhere:
●
Browers use https and strong ciphers
– No forward proxy
– h2c: Clear text only with reverse proxy (proxy to back-end server)
8
APACHECON North America
HTTP/2 generalHTTP/2 general
●
Two specifications:
– Hypertext Transfer Protocol version 2 - RFC7540
– HPACK - Header Compression for HTTP/2 - RFC7541
●
By the Internet Engineering Task Force
●
ALPN Application-Layer Protocol Negotiation - RFC 7301
9
APACHECON North America
HTTP/2 MultiplexedHTTP/2 Multiplexed
10
Headers
Data
Headers
Headers
Headers Data Data
Headers Data Data
HeadersData
Headers
APACHECON North America
HTTP/2 : moreHTTP/2 : more
●
HTTP headers compression
– ~ 80 % save
●
Request priority
– Both sides
●
Server Push
– Prevent round trip to get element of a page
– Faster / better rendering on browsers.
11
APACHECON North America
HTTP/2 With BrowsersHTTP/2 With Browsers
●
Browser with HTTP/2 and TLS
– FireFox 34
– Chrome 40 (with ALPN before was NPN)
– IE 11
– Opera and Safari 9
●
Stats from docs.trafficserver and ci.trafficserver:
– 80% is over HTTP/2 (data from last year)
●
→ go for it now!
12
APACHECON North America
ALPN Client Hello (Firefox)ALPN Client Hello (Firefox)
13
APACHECON North America
ALPN Server Hello (tomcat)ALPN Server Hello (tomcat)
14
APACHECON North America
RequirementsRequirements
●
OpenSSL for our 3 servers
– At least 1.0.2c
●
Tomcat (8.5 / trunk)
– Tomcat-native (1.2.6 / trunk) or java9
●
Httpd (2.4.17 / trunk)
– HTTP/2 C Library (libnghttp2)
●
TrafficServer (since ATS v5.3.2).
– Nothing except openssl.
15
APACHECON North America
StatusStatus
●
Tomcat (trunk/8.5)
– Full support / released as stable.
– Needs servlet 4.0 (JSR 369) for server PUSH API
– Can't be full JAVA until JDK9 (ALPN support)
●
Httpd (available since 2.4.17)
– Full support (since 2.4.20)
●
TrafficServer (since 5.3.0) (flow control 6.1)
– Priorities (6.2.0) and Server PUSH (7.0.0)
16
APACHECON North America
TC connector server.xmlTC connector server.xml
<Connector
port="8002"
scheme="https"
SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
SSLCertificateFile="/home/jfclere/CERTS/newcert.pem"
SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem"
protocol="org.apache.coyote.http11.Http11AprProtocol">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<Connector/>
<Connector port="8003" protocol="HTTP/1.1"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="conf/.keystore" keystorePass="changeit"
socket.directBuffer="true" socket.directSslBuffer="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
APACHECON North America
Tomcat / configurationTomcat / configuration
In bin/setenv.sh:
LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs
export LD_LIBRARY_PATH
And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd:
libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000)
libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000)
libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000)
Usually the openssl of recent distribution (fedora 23) will work.
18
APACHECON North America
Tomcat / PerformancesTomcat / Performances
19
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1MiB.bin
0
50000
100000
150000
200000
250000
300000
350000
400000
Concurency 240
coyote_nio_jsse_h1_https
coyote_nio_jsse_h2_https
File Size
Kbytes/second
APACHECON North America
Tomcat / PerformancesTomcat / Performances
20
4KiB
8KiB
16KiB
32KiB
64KiB
128KiB
256KiB
512KiB
1MiB
0
10
20
30
40
50
60
70
80
90
Concurency 240
coyote_nio_jsse_h1_https
coyote_nio_jsse_h2_https
File Size
CPUUsage
APACHECON North America
Tomcat / DemoTomcat / Demo
●
No server push (may be change it: SimpleImagePush)
●
Multiplexing
●
headers compression
●
HTML page:
– That requires a lot (~1000) of (~4Kbytes) images to render.
21
APACHECON North America
TrafficServer / ConfigurationTrafficServer / Configuration
●
records.config
– CONFIG proxy.config.ssl.number.threads INT 0
– CONFIG proxy.config.http.server_ports STRING 8888:ssl
– CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
– CONFIG proxy.config.http2.enabled INT 1
– CONFIG proxy.config.ssl.TLSv1_1 INT 1
– CONFIG proxy.config.ssl.TLSv1_2 INT 1
●
ssl_multicert.config:
– dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem
●
remap.config:
– map / http://127.0.0.1:8080
●
ip_allow.config:
– src_ip=192.168.1.38 action=ip_allow method=ALL
– src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL
22
APACHECON North America
TrafficServer / DemoTrafficServer / Demo
●
Like tomcat one
●
Uses http/1.1 tomcat nio connector on 8080
as back-end.
23
APACHECON North America
HTTPd / ConfigurationHTTPd / Configuration
●
httpd.conf:
LoadModule h2_module modules/mod_h2.so
Listen 8006
<VirtualHost *:8006>
Protocols h2 http/1.1
ProtocolsHonorOrder on
SSLEngine on
SSLCertificateFile "/home/jfclere/CERTS/newcert.pem"
SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem"
SSLCACertificateFile "/etc/pki/CA/cacert.pem"
</VirtualHost>
24
APACHECON North America
HTTPd / PerformancesHTTPd / Performances
25
4KiB.bin
8KiB.bin
16KiB.bin
32KiB.bin
64KiB.bin
128KiB.bin
256KiB.bin
512KiB.bin
1MiB.bin
0
50000
100000
150000
200000
250000
300000
350000
400000
Concurency 240
httpd_h1_https
httpd_h2_https
File Size
KBytes/second
APACHECON North America
HTTPd / PerformancesHTTPd / Performances
26
4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB
0
10
20
30
40
50
60
70
80
Concurency 240
httpd_h1_https
httpd_h2_https
File Szie
CPUusage
APACHECON North America
HTTPd / Configuration proxyHTTPd / Configuration proxy
●
httpd.conf:
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
Listen 8006
<VirtualHost *:8006>
Protocols h2 http/1.1
ProtocolsHonorOrder on
SSLEngine on
…
ProxyPass "/" "h2c://localhost:8003/"
</VirtualHost>
27
APACHECON North America
HTTPd / DemoHTTPd / Demo
●
Like the tomcat one:
– htdocs/http2.html
– htdocs/images/ the images.
28
APACHECON North America
HTTP/2 ready?HTTP/2 ready?
●
Conclusion:
– Using HTTP/2 without PUSH is already good.
– “safer” crypto is good but expensive.
– No need to rewrite application to get the gains.
HTTP/2 : GO FOR IT
29
APACHECON North America
Questions?Questions?
Thank you!Thank you!
●
jfclere@gmail.com
●
users@tomcat.apache.org
●
users@httpd.apache.org
●
users@trafficserver.apache.org
●
https://http2.github.io/
●
Demo generator: https://github.com/jfclere/h2_demos
●
HTTP/3 see curl docs: http3-explained by Daniel
30
THANK YOU
Jean-Frederic Clere
@jfclere
jfclere@gmail.com

More Related Content

What's hot

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatJean-Frederic Clere
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Jim Jagielski
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Matthew Ahrens
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveMirantis
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networkingLorenzo Fontana
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES IntroductionHungWei Chiu
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-upHungWei Chiu
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes Zhichao Liang
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OpenvSwitch
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelpurpleocean
 

What's hot (19)

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep Dive
 
Snaps on open suse
Snaps on open suseSnaps on open suse
Snaps on open suse
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOcean
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
 

Similar to HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdfJean-Frederic Clere
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversJean-Frederic Clere
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 IntroductionWalter Liu
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
HTTP2 and gRPC
HTTP2 and gRPCHTTP2 and gRPC
HTTP2 and gRPCGuo Jing
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebAll Things Open
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxScyllaDB
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownScyllaDB
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementGanesan Narayanasamy
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018Xavier Mertens
 

Similar to HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers (20)

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 Introduction
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toe
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
HTTP2 and gRPC
HTTP2 and gRPCHTTP2 and gRPC
HTTP2 and gRPC
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance Showdown
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablement
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testing
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
Http2
Http2Http2
Http2
 

More from Jean-Frederic Clere

03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdfJean-Frederic Clere
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...Jean-Frederic Clere
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationJean-Frederic Clere
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsJean-Frederic Clere
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsJean-Frederic Clere
 

More from Jean-Frederic Clere (9)

Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
 
03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
 
Juggva cloud
Juggva cloudJuggva cloud
Juggva cloud
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
Native 1.2.8
Native 1.2.8Native 1.2.8
Native 1.2.8
 

Recently uploaded

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 

Recently uploaded (20)

Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

  • 1. APACHECON North America Sept. 9-12, 2019 HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS State of theState of the ArtArt in Our Serversin Our Servers Jean-Frederic ClereJean-Frederic Clere
  • 2. APACHECON North America What I will coverWhat I will cover ● HTTP/3 ● HTTP/2 ● HTTP/2 and ALPN ● Servers ● Apache HTTPD ● Tomcat ● Traffic server ● Demos ● Questions? 2
  • 3. APACHECON North America Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
  • 4. APACHECON North America HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!) – Use QUIC / TLS-1.3 / UDP – To transport HTTP like HTTP/2 – Initial connection TPC + Alt-Svc ● Response Alt-Svc: h3=":56666": – problems: ● UDP ports closed ● UDP slower than TPC in Kernels ● Needs extra CPU (?) – Specifications: ● Several RFC (6 RFC) 4
  • 5. APACHECON North America HTTP/3 implementations: – Curl (http3-direct and Alt-Svc way) – Libraries ● ngtcp2 ● quiche – Apache Tomcat: Problem UDP socket API incomplete – Apache HTTPD: need time probably like http/2 – Traffic Server: planed for the next version (end 2019) ● See ATS proto / curl demo
  • 6. APACHECON North America HTTP/3 more info: – Demo ATS / curl – Playing browsers: ● test browser ● Interop matrix ● chrome activation
  • 7. APACHECON North America Why HTTP/2Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2019: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc 7
  • 8. APACHECON North America HTTP/2 generalHTTP/2 general ● HTTP/2: – Binary – Frame – Multiplex – Based on SPDY – TLS everywhere: ● Browers use https and strong ciphers – No forward proxy – h2c: Clear text only with reverse proxy (proxy to back-end server) 8
  • 9. APACHECON North America HTTP/2 generalHTTP/2 general ● Two specifications: – Hypertext Transfer Protocol version 2 - RFC7540 – HPACK - Header Compression for HTTP/2 - RFC7541 ● By the Internet Engineering Task Force ● ALPN Application-Layer Protocol Negotiation - RFC 7301 9
  • 10. APACHECON North America HTTP/2 MultiplexedHTTP/2 Multiplexed 10 Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
  • 11. APACHECON North America HTTP/2 : moreHTTP/2 : more ● HTTP headers compression – ~ 80 % save ● Request priority – Both sides ● Server Push – Prevent round trip to get element of a page – Faster / better rendering on browsers. 11
  • 12. APACHECON North America HTTP/2 With BrowsersHTTP/2 With Browsers ● Browser with HTTP/2 and TLS – FireFox 34 – Chrome 40 (with ALPN before was NPN) – IE 11 – Opera and Safari 9 ● Stats from docs.trafficserver and ci.trafficserver: – 80% is over HTTP/2 (data from last year) ● → go for it now! 12
  • 13. APACHECON North America ALPN Client Hello (Firefox)ALPN Client Hello (Firefox) 13
  • 14. APACHECON North America ALPN Server Hello (tomcat)ALPN Server Hello (tomcat) 14
  • 15. APACHECON North America RequirementsRequirements ● OpenSSL for our 3 servers – At least 1.0.2c ● Tomcat (8.5 / trunk) – Tomcat-native (1.2.6 / trunk) or java9 ● Httpd (2.4.17 / trunk) – HTTP/2 C Library (libnghttp2) ● TrafficServer (since ATS v5.3.2). – Nothing except openssl. 15
  • 16. APACHECON North America StatusStatus ● Tomcat (trunk/8.5) – Full support / released as stable. – Needs servlet 4.0 (JSR 369) for server PUSH API – Can't be full JAVA until JDK9 (ALPN support) ● Httpd (available since 2.4.17) – Full support (since 2.4.20) ● TrafficServer (since 5.3.0) (flow control 6.1) – Priorities (6.2.0) and Server PUSH (7.0.0) 16
  • 17. APACHECON North America TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
  • 18. APACHECON North America Tomcat / configurationTomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work. 18
  • 19. APACHECON North America Tomcat / PerformancesTomcat / Performances 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
  • 20. APACHECON North America Tomcat / PerformancesTomcat / Performances 20 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
  • 21. APACHECON North America Tomcat / DemoTomcat / Demo ● No server push (may be change it: SimpleImagePush) ● Multiplexing ● headers compression ● HTML page: – That requires a lot (~1000) of (~4Kbytes) images to render. 21
  • 22. APACHECON North America TrafficServer / ConfigurationTrafficServer / Configuration ● records.config – CONFIG proxy.config.ssl.number.threads INT 0 – CONFIG proxy.config.http.server_ports STRING 8888:ssl – CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 – CONFIG proxy.config.http2.enabled INT 1 – CONFIG proxy.config.ssl.TLSv1_1 INT 1 – CONFIG proxy.config.ssl.TLSv1_2 INT 1 ● ssl_multicert.config: – dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem ● remap.config: – map / http://127.0.0.1:8080 ● ip_allow.config: – src_ip=192.168.1.38 action=ip_allow method=ALL – src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL 22
  • 23. APACHECON North America TrafficServer / DemoTrafficServer / Demo ● Like tomcat one ● Uses http/1.1 tomcat nio connector on 8080 as back-end. 23
  • 24. APACHECON North America HTTPd / ConfigurationHTTPd / Configuration ● httpd.conf: LoadModule h2_module modules/mod_h2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on SSLCertificateFile "/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" </VirtualHost> 24
  • 25. APACHECON North America HTTPd / PerformancesHTTPd / Performances 25 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 httpd_h1_https httpd_h2_https File Size KBytes/second
  • 26. APACHECON North America HTTPd / PerformancesHTTPd / Performances 26 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 Concurency 240 httpd_h1_https httpd_h2_https File Szie CPUusage
  • 27. APACHECON North America HTTPd / Configuration proxyHTTPd / Configuration proxy ● httpd.conf: LoadModule http2_module modules/mod_http2.so LoadModule proxy_http2_module modules/mod_proxy_http2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on … ProxyPass "/" "h2c://localhost:8003/" </VirtualHost> 27
  • 28. APACHECON North America HTTPd / DemoHTTPd / Demo ● Like the tomcat one: – htdocs/http2.html – htdocs/images/ the images. 28
  • 29. APACHECON North America HTTP/2 ready?HTTP/2 ready? ● Conclusion: – Using HTTP/2 without PUSH is already good. – “safer” crypto is good but expensive. – No need to rewrite application to get the gains. HTTP/2 : GO FOR IT 29
  • 30. APACHECON North America Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● users@httpd.apache.org ● users@trafficserver.apache.org ● https://http2.github.io/ ● Demo generator: https://github.com/jfclere/h2_demos ● HTTP/3 see curl docs: http3-explained by Daniel 30