SlideShare ist ein Scribd-Unternehmen logo

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

Jean-Frederic Clere
Jean-Frederic Clere

Jean-Frederic Clere presented on HTTP/2, HTTP/3 and SSL/TLS in servers. He discussed the latest developments in HTTP/3 using QUIC and TLS 1.3 over UDP. For HTTP/2, he covered implementations in Apache Tomcat, Apache HTTP Server, and Traffic Server. He demonstrated improved performance of HTTP/2 over HTTP/1.1 and discussed configuration requirements and options for enabling HTTP/2 in each server. The presentation concluded that HTTP/2 is ready for production use without server modifications to realize performance gains.

Software
1 von 31
Downloaden Sie, um offline zu lesen
APACHECON North America Sept. 9-12, 2019 HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS State of theState of the ArtArt in Our Serversin Our Servers Jean-Frederic ClereJean-Frederic Clere
APACHECON North America What I will coverWhat I will cover ● HTTP/3 ● HTTP/2 ● HTTP/2 and ALPN ● Servers ● Apache HTTPD ● Tomcat ● Traffic server ● Demos ● Questions? 2
APACHECON North America Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
APACHECON North America HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!) – Use QUIC / TLS-1.3 / UDP – To transport HTTP like HTTP/2 – Initial connection TPC + Alt-Svc ● Response Alt-Svc: h3=":56666": – problems: ● UDP ports closed ● UDP slower than TPC in Kernels ● Needs extra CPU (?) – Specifications: ● Several RFC (6 RFC) 4
APACHECON North America HTTP/3 implementations: – Curl (http3-direct and Alt-Svc way) – Libraries ● ngtcp2 ● quiche – Apache Tomcat: Problem UDP socket API incomplete – Apache HTTPD: need time probably like http/2 – Traffic Server: planed for the next version (end 2019) ● See ATS proto / curl demo
APACHECON North America HTTP/3 more info: – Demo ATS / curl – Playing browsers: ● test browser ● Interop matrix ● chrome activation
APACHECON North America Why HTTP/2Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2019: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc 7
APACHECON North America HTTP/2 generalHTTP/2 general ● HTTP/2: – Binary – Frame – Multiplex – Based on SPDY – TLS everywhere: ● Browers use https and strong ciphers – No forward proxy – h2c: Clear text only with reverse proxy (proxy to back-end server) 8
APACHECON North America HTTP/2 generalHTTP/2 general ● Two specifications: – Hypertext Transfer Protocol version 2 - RFC7540 – HPACK - Header Compression for HTTP/2 - RFC7541 ● By the Internet Engineering Task Force ● ALPN Application-Layer Protocol Negotiation - RFC 7301 9
APACHECON North America HTTP/2 MultiplexedHTTP/2 Multiplexed 10 Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
APACHECON North America HTTP/2 : moreHTTP/2 : more ● HTTP headers compression – ~ 80 % save ● Request priority – Both sides ● Server Push – Prevent round trip to get element of a page – Faster / better rendering on browsers. 11
APACHECON North America HTTP/2 With BrowsersHTTP/2 With Browsers ● Browser with HTTP/2 and TLS – FireFox 34 – Chrome 40 (with ALPN before was NPN) – IE 11 – Opera and Safari 9 ● Stats from docs.trafficserver and ci.trafficserver: – 80% is over HTTP/2 (data from last year) ● → go for it now! 12
APACHECON North America ALPN Client Hello (Firefox)ALPN Client Hello (Firefox) 13
APACHECON North America ALPN Server Hello (tomcat)ALPN Server Hello (tomcat) 14
APACHECON North America RequirementsRequirements ● OpenSSL for our 3 servers – At least 1.0.2c ● Tomcat (8.5 / trunk) – Tomcat-native (1.2.6 / trunk) or java9 ● Httpd (2.4.17 / trunk) – HTTP/2 C Library (libnghttp2) ● TrafficServer (since ATS v5.3.2). – Nothing except openssl. 15
APACHECON North America StatusStatus ● Tomcat (trunk/8.5) – Full support / released as stable. – Needs servlet 4.0 (JSR 369) for server PUSH API – Can't be full JAVA until JDK9 (ALPN support) ● Httpd (available since 2.4.17) – Full support (since 2.4.20) ● TrafficServer (since 5.3.0) (flow control 6.1) – Priorities (6.2.0) and Server PUSH (7.0.0) 16
APACHECON North America TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
APACHECON North America Tomcat / configurationTomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work. 18
APACHECON North America Tomcat / PerformancesTomcat / Performances 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
APACHECON North America Tomcat / PerformancesTomcat / Performances 20 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
APACHECON North America Tomcat / DemoTomcat / Demo ● No server push (may be change it: SimpleImagePush) ● Multiplexing ● headers compression ● HTML page: – That requires a lot (~1000) of (~4Kbytes) images to render. 21
APACHECON North America TrafficServer / ConfigurationTrafficServer / Configuration ● records.config – CONFIG proxy.config.ssl.number.threads INT 0 – CONFIG proxy.config.http.server_ports STRING 8888:ssl – CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 – CONFIG proxy.config.http2.enabled INT 1 – CONFIG proxy.config.ssl.TLSv1_1 INT 1 – CONFIG proxy.config.ssl.TLSv1_2 INT 1 ● ssl_multicert.config: – dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem ● remap.config: – map / http://127.0.0.1:8080 ● ip_allow.config: – src_ip=192.168.1.38 action=ip_allow method=ALL – src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL 22
APACHECON North America TrafficServer / DemoTrafficServer / Demo ● Like tomcat one ● Uses http/1.1 tomcat nio connector on 8080 as back-end. 23
APACHECON North America HTTPd / ConfigurationHTTPd / Configuration ● httpd.conf: LoadModule h2_module modules/mod_h2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on SSLCertificateFile "/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" </VirtualHost> 24
APACHECON North America HTTPd / PerformancesHTTPd / Performances 25 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 httpd_h1_https httpd_h2_https File Size KBytes/second
APACHECON North America HTTPd / PerformancesHTTPd / Performances 26 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 Concurency 240 httpd_h1_https httpd_h2_https File Szie CPUusage
APACHECON North America HTTPd / Configuration proxyHTTPd / Configuration proxy ● httpd.conf: LoadModule http2_module modules/mod_http2.so LoadModule proxy_http2_module modules/mod_proxy_http2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on … ProxyPass "/" "h2c://localhost:8003/" </VirtualHost> 27
APACHECON North America HTTPd / DemoHTTPd / Demo ● Like the tomcat one: – htdocs/http2.html – htdocs/images/ the images. 28
APACHECON North America HTTP/2 ready?HTTP/2 ready? ● Conclusion: – Using HTTP/2 without PUSH is already good. – “safer” crypto is good but expensive. – No need to rewrite application to get the gains. HTTP/2 : GO FOR IT 29
APACHECON North America Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● users@httpd.apache.org ● users@trafficserver.apache.org ● https://http2.github.io/ ● Demo generator: https://github.com/jfclere/h2_demos ● HTTP/3 see curl docs: http3-explained by Daniel 30
THANK YOU Jean-Frederic Clere @jfclere jfclere@gmail.com

Empfohlen

From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
Jean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
Jean-Frederic Clere
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
Jean-Frederic Clere
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3
Jean-Frederic Clere
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 

Empfohlen

From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the Cloud
Jean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloud
Jean-Frederic Clere
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
Jean-Frederic Clere
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3
Jean-Frederic Clere
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to Haproxy
Shaopeng He
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTP
Ichito Nagata
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
Sadique Puthen
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
Jean-Frederic Clere
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
Jim Jagielski
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Matthew Ahrens
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Mirantis
 
Snaps on open suse
Snaps on open suseSnaps on open suse
Snaps on open suse
Zygmunt Krynicki
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
어형 이
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
Lorenzo Fontana
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
Iago López Galeiras
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
HungWei Chiu
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
Angelo Failla
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
HungWei Chiu
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
Zhichao Liang
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
Sean Chang
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OpenvSwitch
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
purpleocean
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
Jean-Frederic Clere
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
Jean-Frederic Clere
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 Introduction
Walter Liu
 

Weitere ähnliche Inhalte

Was ist angesagt?

Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Fastly
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
어형 이
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
Iago López Galeiras
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
purpleocean
 

Was ist angesagt? (19)

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep Dive
 
Snaps on open suse
Snaps on open suseSnaps on open suse
Snaps on open suse
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOcean
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
 

Ähnlich wie HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Ontico
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
ScyllaDB
 

Ähnlich wie HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers (20)

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 Introduction
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toe
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
HTTP2 and gRPC
HTTP2 and gRPCHTTP2 and gRPC
HTTP2 and gRPC
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance Showdown
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablement
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testing
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
Http2
Http2Http2
Http2
 

Mehr von Jean-Frederic Clere

Mehr von Jean-Frederic Clere (9)

Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
 
03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
 
Juggva cloud
Juggva cloudJuggva cloud
Juggva cloud
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
Native 1.2.8
Native 1.2.8Native 1.2.8
Native 1.2.8
 

Kürzlich hochgeladen

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Kürzlich hochgeladen (20)

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

  • 1. APACHECON North America Sept. 9-12, 2019 HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS State of theState of the ArtArt in Our Serversin Our Servers Jean-Frederic ClereJean-Frederic Clere
  • 2. APACHECON North America What I will coverWhat I will cover ● HTTP/3 ● HTTP/2 ● HTTP/2 and ALPN ● Servers ● Apache HTTPD ● Tomcat ● Traffic server ● Demos ● Questions? 2
  • 3. APACHECON North America Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
  • 4. APACHECON North America HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!) – Use QUIC / TLS-1.3 / UDP – To transport HTTP like HTTP/2 – Initial connection TPC + Alt-Svc ● Response Alt-Svc: h3=":56666": – problems: ● UDP ports closed ● UDP slower than TPC in Kernels ● Needs extra CPU (?) – Specifications: ● Several RFC (6 RFC) 4
  • 5. APACHECON North America HTTP/3 implementations: – Curl (http3-direct and Alt-Svc way) – Libraries ● ngtcp2 ● quiche – Apache Tomcat: Problem UDP socket API incomplete – Apache HTTPD: need time probably like http/2 – Traffic Server: planed for the next version (end 2019) ● See ATS proto / curl demo
  • 6. APACHECON North America HTTP/3 more info: – Demo ATS / curl – Playing browsers: ● test browser ● Interop matrix ● chrome activation
  • 7. APACHECON North America Why HTTP/2Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2019: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc 7
  • 8. APACHECON North America HTTP/2 generalHTTP/2 general ● HTTP/2: – Binary – Frame – Multiplex – Based on SPDY – TLS everywhere: ● Browers use https and strong ciphers – No forward proxy – h2c: Clear text only with reverse proxy (proxy to back-end server) 8
  • 9. APACHECON North America HTTP/2 generalHTTP/2 general ● Two specifications: – Hypertext Transfer Protocol version 2 - RFC7540 – HPACK - Header Compression for HTTP/2 - RFC7541 ● By the Internet Engineering Task Force ● ALPN Application-Layer Protocol Negotiation - RFC 7301 9
  • 10. APACHECON North America HTTP/2 MultiplexedHTTP/2 Multiplexed 10 Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
  • 11. APACHECON North America HTTP/2 : moreHTTP/2 : more ● HTTP headers compression – ~ 80 % save ● Request priority – Both sides ● Server Push – Prevent round trip to get element of a page – Faster / better rendering on browsers. 11
  • 12. APACHECON North America HTTP/2 With BrowsersHTTP/2 With Browsers ● Browser with HTTP/2 and TLS – FireFox 34 – Chrome 40 (with ALPN before was NPN) – IE 11 – Opera and Safari 9 ● Stats from docs.trafficserver and ci.trafficserver: – 80% is over HTTP/2 (data from last year) ● → go for it now! 12
  • 13. APACHECON North America ALPN Client Hello (Firefox)ALPN Client Hello (Firefox) 13
  • 14. APACHECON North America ALPN Server Hello (tomcat)ALPN Server Hello (tomcat) 14
  • 15. APACHECON North America RequirementsRequirements ● OpenSSL for our 3 servers – At least 1.0.2c ● Tomcat (8.5 / trunk) – Tomcat-native (1.2.6 / trunk) or java9 ● Httpd (2.4.17 / trunk) – HTTP/2 C Library (libnghttp2) ● TrafficServer (since ATS v5.3.2). – Nothing except openssl. 15
  • 16. APACHECON North America StatusStatus ● Tomcat (trunk/8.5) – Full support / released as stable. – Needs servlet 4.0 (JSR 369) for server PUSH API – Can't be full JAVA until JDK9 (ALPN support) ● Httpd (available since 2.4.17) – Full support (since 2.4.20) ● TrafficServer (since 5.3.0) (flow control 6.1) – Priorities (6.2.0) and Server PUSH (7.0.0) 16
  • 17. APACHECON North America TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
  • 18. APACHECON North America Tomcat / configurationTomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work. 18
  • 19. APACHECON North America Tomcat / PerformancesTomcat / Performances 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
  • 20. APACHECON North America Tomcat / PerformancesTomcat / Performances 20 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
  • 21. APACHECON North America Tomcat / DemoTomcat / Demo ● No server push (may be change it: SimpleImagePush) ● Multiplexing ● headers compression ● HTML page: – That requires a lot (~1000) of (~4Kbytes) images to render. 21
  • 22. APACHECON North America TrafficServer / ConfigurationTrafficServer / Configuration ● records.config – CONFIG proxy.config.ssl.number.threads INT 0 – CONFIG proxy.config.http.server_ports STRING 8888:ssl – CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 – CONFIG proxy.config.http2.enabled INT 1 – CONFIG proxy.config.ssl.TLSv1_1 INT 1 – CONFIG proxy.config.ssl.TLSv1_2 INT 1 ● ssl_multicert.config: – dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem ● remap.config: – map / http://127.0.0.1:8080 ● ip_allow.config: – src_ip=192.168.1.38 action=ip_allow method=ALL – src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL 22
  • 23. APACHECON North America TrafficServer / DemoTrafficServer / Demo ● Like tomcat one ● Uses http/1.1 tomcat nio connector on 8080 as back-end. 23
  • 24. APACHECON North America HTTPd / ConfigurationHTTPd / Configuration ● httpd.conf: LoadModule h2_module modules/mod_h2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on SSLCertificateFile "/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" </VirtualHost> 24
  • 25. APACHECON North America HTTPd / PerformancesHTTPd / Performances 25 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 httpd_h1_https httpd_h2_https File Size KBytes/second
  • 26. APACHECON North America HTTPd / PerformancesHTTPd / Performances 26 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 Concurency 240 httpd_h1_https httpd_h2_https File Szie CPUusage
  • 27. APACHECON North America HTTPd / Configuration proxyHTTPd / Configuration proxy ● httpd.conf: LoadModule http2_module modules/mod_http2.so LoadModule proxy_http2_module modules/mod_proxy_http2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on … ProxyPass "/" "h2c://localhost:8003/" </VirtualHost> 27
  • 28. APACHECON North America HTTPd / DemoHTTPd / Demo ● Like the tomcat one: – htdocs/http2.html – htdocs/images/ the images. 28
  • 29. APACHECON North America HTTP/2 ready?HTTP/2 ready? ● Conclusion: – Using HTTP/2 without PUSH is already good. – “safer” crypto is good but expensive. – No need to rewrite application to get the gains. HTTP/2 : GO FOR IT 29
  • 30. APACHECON North America Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● users@httpd.apache.org ● users@trafficserver.apache.org ● https://http2.github.io/ ● Demo generator: https://github.com/jfclere/h2_demos ● HTTP/3 see curl docs: http3-explained by Daniel 30