ADC

HTTP/2 configuration

Note: The HTTP/2 functionality is supported on the Citrix ADC MPX, VPX, and SDX models. In a Citrix ADC VPX appliance, the HTTP/2 functionality is supported from Citrix ADC version 11.0 onwards.

The problem with web application performance is directly related to the trend toward increasing the page size and the number of objects on the webpages. HTTP/1.1 was developed to support smaller webpages, slower Internet connections, and more limited server hardware than are common today. It is not suitable for new technologies such as JavaScript and cascading style sheets (CSS) or new media types such as Flash videos and graphics-rich images. This is because it can request only one resource per connection to the server. The limitation significantly increases the number of round trips, causing longer page-rendering and reduced network performance.

The HTTP/2 protocol addresses these limitations by allowing communication to occur with less data transmitted over the network, and providing the ability to send multiple requests and responses across a single connection. At its core, HTTP/2 addresses the key limitations of HTTP/1.1 by using the underlying network connections more efficiently. It changes the way requests and responses travel over the network.

HTTP/2 is a binary protocol. It is more efficient to parse, more compact on the wire, and most importantly, it is less error-prone, compared to textual protocols like HTTP/1.1. The HTTP/2 protocol uses a binary framing layer that defines the frame type and how HTTP messages are encapsulated and transferred between the client and server. The HTTP/2 functionality supports the use of the CONNECT method to establish a tunnel connection through a single HTTP/2 stream to a remote host.

The HTTP/2 protocol includes many performance-enhancing changes that significantly improve performance, particularly for clients connecting over a mobile network.

The following table lists the major improvements in HTTP/2 over HTTP/1.1:

HTTP/2 features Description
Header Compression HTTP headers have much repetitive information and therefore consume unnecessary bandwidth during data transmission. HTTP/2 reduces bandwidth requirements by compressing the header and minimizing the requirement to transport HTTP headers with every request and response.
Connection Multiplexing Latency can have a huge impact on page load times and the end user experience. Connection multiplexing overcomes this problem by sending multiple requests and responses across a single connection.
Server Push Server push enables the server to proactively push content to the client browser, avoiding round trip delay. This feature caches the responses it thinks the client needs, reduces the number round trips, and improves the page rendering time. Important: The Citrix ADC appliance does not support the server push functionality.
No Head-of-line Blocking Under HTTP 1.1, browsers can download one resource at a time per connection. When a browser has to download a large resource, it blocks all other resources from downloading until the first download is complete. HTTP/2 overcomes this problem with a multiplexing approach. It allows the client browser to download other web components in parallel over the same connection and display them as they become available.
Request Prioritization Not all resources have equal priority when the browser renders a webpage. To accelerate the load time, all modern browsers prioritize requests by type of asset, their location on the page, and even by learned priority from previous visits. With HTTP/1.1, the browser has limited ability to use the priority data, because this protocol does not support multiplexing, and there is no way to communicate request prioritization by the server. The result is unnecessary network latency. HTTP/2 overcomes this problem by allowing the browser to dispatch all requests. The browser can communicate its stream prioritization preference via stream dependencies and weights, enabling the servers to optimize response delivery. Important: The Citrix ADC appliance does not support the request prioritization functionality.

How HTTP/2 works

A Citrix ADC appliance supports HTTP/2 on the client side as well on the server side. On the client side, the Citrix ADC appliance acts as a server that hosts an HTTP/HTTPS virtual server for HTTP/2. On the back-end side, the Citrix ADC acts as a client to the servers that are bound to the virtual server.

Therefore, the Citrix ADC appliance maintains separate connections on the client side as well on the server side. The Citrix ADC appliance has separate HTTP/2 configurations for the client side and the server side.

HTTP/2 for HTTPS (SSL) load balancing configuration

For an HTTPS load balancing configuration, the Citrix ADC appliance uses the TLS ALPN extension (RFC 7301) to determine whether the client/server supports HTTP/2. If it does, the appliance chooses HTTP/2 as the application-layer protocol to transmit data (as described in RFC 7540 - Section 3.3) on the client/server side. The appliance uses the following order of preference when choosing the application-layer protocol through the TLS ALPN extension:

  • HTTP/2 (if enabled in the HTTP profile)
  • SPDY (if enabled in the HTTP profile)
  • HTTP/1.1

HTTP/2 for HTTP load balancing configuration

For an HTTP load balancing configuration, the Citrix ADC appliance uses one of the following methods to start communicating with the client/server using HTTP/2.

Note:

In the following method descriptions, client and server are generals terms for an HTTP/2 connection. For example, for a load balancing setup of a Citrix ADC appliance using HTTP/2, the Citrix ADC appliance acts as a server on the client side and acts as a client to the server side.

  • HTTP/2 Upgrade. A client sends an HTTP/1.1 request to a server. The request includes an upgrade header, which asks the server for upgrading the connection to HTTP/2. If the server supports HTTP/2, the server accepts the upgrade request and notifies it in its response. The client and the server start communicating using HTTP/2 after the client receives the upgrade confirmation response.

  • Direct HTTP/2. A client directly starts communicating to a server in HTTP/2 instead of using the HTTP/2 upgrade method. If the server does not support HTTP/2 or is not configured to directly accept HTTP/2 requests, it drops the HTTP/2 packets from the client. This method is helpful if the admin of the client device already knows that the server supports HTTP/2.

  • Direct HTTP/2 using Alternative Service (ALT-SVC). A server advertises that it supports HTTP/2 to a client by including an Alternative Service (ALT-SVC) field in its HTTP/1.1 response. If the client is configured to understand the ALT-SVC field, the client and the server start directly communicating using HTTP/2 after the client receives the response.

The Citrix ADC appliance provides configurable options in an HTTP profile for the HTTP/2 methods. These HTTP/2 options can be applied to the client side as well to the server side of an HTTPS or HTTP load balancing setup. For more information for HTTP/2 methods and options, refer to the HTTP/2 options PDF.

Before you Begin

Before you begin configuring HTTP/2 on a Citrix ADC appliance, note the following points:

  • The Citrix ADC appliance supports HTTP/2 on the client side as well on the server side.
  • The Citrix ADC appliance does not support the HTTP/2 server push functionality.
  • The Citrix ADC appliance does not support the HTTP/2 request prioritization functionality.
  • The Citrix ADC appliance does not support HTTP/2 SSL renegotiation for HTTPS load balancing setups.
  • The Citrix ADC appliance does not support HTTP/2 NTLM authentication.
  • With HTTP/2 enabled, connection multiplexing disabled (like USIP enabled) and one to one mapping of client and server TCP connections, close events such as FIN, reset (RST) are forwarded from the client or server connection to the linked peer connection.

Configuring HTTP/2

Configuring HTTP/2 for a load balancing setup (HTTPS or HTTP) consists of the following tasks:

  • Enable HTTP/2 and set optional HTTP/2 parameters in an HTTP Profile. Enable HTTP/2 in an HTTP profile. When you only enable HTTP/2 in an HTTP profile, the Citrix ADC appliance uses only the upgrade method (for HTTP) or TLS ALPN method (for HTTPS) for communicating in HTTP/2.

    For the Citrix ADC appliance to use the direct HTTP/2 method, Direct HTTP/2 option must be enabled in the HTTP profile. For the Citrix ADC appliance to use the direct HTTP/2 using the alternative service method, the Alternative Service (altsvc) option must be enabled in the HTTP profile.

  • Bind the HTTP profile to a virtual server or a service. Bind the HTTP profile to a virtual server to configure HTTP/2 for the client side of the load balancing setup. Bind the HTTP profile to a service to configure HTTP2 for the server side of the load balancing setup.

Note:

Citrix recommends binding separate HTTP profiles for the client side and the server side.

  • Enable the global parameter for HTTP/2 server side support. Enable the HTTP/2 Service Side (HTTP2Serverside) global HTTP parameter for enabling the HTTP/2 support on the server side of all the load balancing setups that has HTTP/2 configured.

    HTTP/2 does not work on the server side of any load balancing setups if HTTP/2 Service Side is disabled even if the HTTP/2 is enabled on the HTTP profile bound to the related load balancing services.

Citrix ADC Command Line procedures:

To enable HTTP/2 and set HTTP/2 parameters by using the Citrix ADC command line

  • To enable HTTP/2 and set HTTP/2 parameters while adding an HTTP profile, at the command prompt, type:

add ns httpProfile <name> - http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED )] [-altsvc ( ENABLED | DISABLED )] show ns httpProfile <name>

  • To enable HTTP/2 and set HTTP/2 parameters while modifying an HTTP profile, at the command prompt, type:

set ns httpProfile <name> -http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED)] [-altsvc (ENABLED | DISABLED )] show ns httpProfile <name>

To bind the HTTP profile to a virtual server by using the Citrix ADC command line

At the command prompt, type:

set lb vserver <name> - httpProfileName <string> show lb vserver <name>

To bind the HTTP profile to a load balancing service by using the Citrix ADC command line

At the command prompt, type:

set service <name> -httpProfileName <string> show service <name>

To enable HTTP/2 support globally on the server side by using the Citrix ADC command line

At the command prompt, type:

set ns httpParam -HTTP2Serverside( ENABLED | DISABLED ) show ns httpParam

To enable HTTP/2 and set HTTP/2 parameters by using the Citrix ADC GUI

  1. Navigate to System > Profiles, and click HTTP Profiles tab.
  2. Enable HTTP/2 while adding an HTTP profile or modifying an existing HTTP profile.

To bind the HTTP profile to a virtual server by using the Citrix ADC GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
  2. In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the virtual server.

To bind the HTTP profile to a load balancing service by using the Citrix ADC GUI

  1. Navigate to Traffic Management > Load Balancing > Service, and open the service.
  2. In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the service.

To enable HTTP/2 support globally on the server side by using the GUI

Navigate to System > Settings, click Change HTTP parameters and enable HTTP/2 Server Side.

Sample configurations

In the following sample configuration, HTTP/2 and direct HTTP/2 is enabled on HTTP profile HTTP-PROFILE-HTTP2-CLIENT-SIDE. The profile is bound to virtual server LB-VS-1.

set ns httpProfile HTTP-PROFILE-HTTP2-CLIENT-SIDE -http2 enabled -http2Direct enabled
Done

set lb vserver LB-VS-1 -httpProfileName HTTP-PROFILE-HTTP2-CLIENT-SIDE

Done
<!--NeedCopy-->

In the following sample configuration, HTTP/2 and alternative service (ALT-SVC) is enabled on HTTP profile HTTP-PROFILE-HTTP2-SERVER-SIDE. The profile is bound to service LB-SERVICE-1.

set ns httpparam -HTTP2Serverside ENABLED
Done

set ns httpProfile HTTP-PROFILE-HTTP2-SERVER-SIDE -http2 ENABLED -altsvc ENABLED
Done

set service LB-SERVICE-1 -httpProfileName HTTP-PROFILE-HTTP2-SERVER-SIDE
Done
<!--NeedCopy-->

Configure HTTP/2 initial connection window size

As per RFC 7540, the flow-control window for HTTP2 stream and connection must be set to 64 K (65535) octets, and any change made to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:

  • Using the SETTINGS frame for the stream.
  • Using the WINDOW_UPDATE frame for the connection.

In an HTTP profile, you must configure the http2InitialWindowSize parameter to set the initial window size at the stream level. Because of an internal system error, the ADC appliance initializes the flow-control window for the connection also. When there is a change in the configured flow-control window for the stream, the ADC appliance communicates to the peer using the SETTINGS frame. But the ADC appliance fails to communicate the change in flow-control window for the connection using the WINDOW_UPDATE frame. This leads to a connection freeze.

To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the flow-control window for connection. By using separate configurable parameters, you can now enable the appliance to send updates for changed window size at both stream and connection levels.

Configure the HTTP/2 initial connection window size parameter by using the CLI

At the command prompt, type:

set http profile p1 -http2InitialConnWindowSize 8290
Initial window size for stream level flow control, in bytes.
Default value: 65535
Minimum value: 8192
Maximum value: 20971520
<!--NeedCopy-->
HTTP/2 configuration