ADC

HTTP/2 configuration

Note:

  • The HTTP/2 functionality is supported on NetScaler MPX, VPX, and SDX.

  • The HTTP/2 functionality is not supported on NetScaler Gateway.

The problem with web application performance is directly related to the trend toward increasing the page size and the number of objects on the webpages. HTTP/1.1 was developed to support smaller webpages, slower Internet connections, and more limited server hardware than are common today. It is not suitable for new technologies such as JavaScript and cascading style sheets (CSS) or new media types such as Flash videos and graphics-rich images. This is because it can request only one resource per connection to the server. The limitation significantly increases the number of round trips, causing longer page-rendering and reduced network performance.

The HTTP/2 protocol addresses these limitations by allowing communication to occur with less data transmitted over the network, and providing the ability to send multiple requests and responses across a single connection. At its core, HTTP/2 addresses the key limitations of HTTP/1.1 by using the underlying network connections more efficiently. It changes the way requests and responses travel over the network.

HTTP/2 is a binary protocol. It is more efficient to parse, more compact on the wire, and most importantly, it is less error-prone, compared to textual protocols like HTTP/1.1. The HTTP/2 protocol uses a binary framing layer that defines the frame type and how HTTP messages are encapsulated and transferred between the client and server. The HTTP/2 functionality supports the use of the CONNECT method to establish a tunnel connection through a single HTTP/2 stream to a remote host.

The HTTP/2 protocol includes many performance-enhancing changes that significantly improve performance, particularly for clients connecting over a mobile network.

The following table lists the major improvements in HTTP/2 over HTTP/1.1:

HTTP/2 features Description
Header Compression HTTP headers have much repetitive information and therefore consume unnecessary bandwidth during data transmission. HTTP/2 reduces bandwidth requirements by compressing the header and minimizing the requirement to transport HTTP headers with every request and response.
Connection Multiplexing Latency can have a huge impact on page load times and the end user experience. Connection multiplexing overcomes this problem by sending multiple requests and responses across a single connection.
Server Push Server push enables the server to proactively push content to the client browser, avoiding round-trip delay. This feature caches the responses that it thinks the client needs, reduces the number round trips, and improves the page rendering time. Important: The NetScaler appliance does not support the server push functionality.
No Head-of-line Blocking Under HTTP 1.1, browsers can download one resource at a time per connection. When a browser has to download a large resource, it blocks all other resources from downloading until the first download is complete. HTTP/2 overcomes this problem with a multiplexing approach. It allows the client browser to download other web components in parallel over the same connection and display them as they become available.
Request Prioritization Not all resources have equal priority when the browser renders a webpage. To accelerate the load time, all modern browsers prioritize requests by type of asset, their location on the page, and even by learned priority from previous visits. With HTTP/1.1, the browser has limited ability to use the priority data, because this protocol does not support multiplexing, and there is no way to communicate request prioritization by the server. The result is unnecessary network latency. HTTP/2 overcomes this problem by allowing the browser to dispatch all requests. The browser can communicate its stream prioritization preference via stream dependencies and weights, enabling the servers to optimize response delivery. Important: The NetScaler appliance does not support the request prioritization functionality.

How HTTP/2 works

A NetScaler appliance supports HTTP/2 on the client side as well on the server side. On the client side, the NetScaler appliance acts as a server that hosts an HTTP/HTTPS virtual server for HTTP/2. On the back-end side, the NetScaler acts as a client to the servers that are bound to the virtual server.

Therefore, the NetScaler appliance maintains separate connections on the client side as well on the server side. The NetScaler appliance has separate HTTP/2 configurations for the client side and the server side.

HTTP/2 for HTTPS (SSL) load balancing configuration

For an HTTPS load balancing configuration, the NetScaler appliance uses the TLS ALPN extension (RFC 7301) to determine whether the client/server supports HTTP/2. If it does, the appliance chooses HTTP/2 as the application-layer protocol to transmit data (as described in RFC 7540 - Section 3.3) on the client/server side. The appliance uses the following order of preference when choosing the application-layer protocol through the TLS ALPN extension:

  • HTTP/2 (if enabled in the HTTP profile)
  • HTTP/1.1

HTTP/2 for HTTP load balancing configuration

For an HTTP load balancing configuration, the NetScaler appliance uses one of the following methods to start communicating with the client/server using HTTP/2.

Note

In the following method descriptions, client and server are general terms for an HTTP/2 connection. For example, for a load balancing setup of a NetScaler appliance using HTTP/2, the NetScaler appliance acts as a server on the client side and acts as a client to the server side.

  • HTTP/2 Upgrade. A client sends an HTTP/1.1 request to a server. The request includes an upgrade header, which asks the server to upgrade the connection to HTTP/2. If the server supports HTTP/2, the server accepts the upgrade request and notifies it in its response. The client and the server start communicating using HTTP/2 after the client receives the upgrade confirmation response.

  • Direct HTTP/2. A client directly starts communicating to a server in HTTP/2 instead of using the HTTP/2 upgrade method. If the server does not support HTTP/2 or is not configured to directly accept HTTP/2 requests, it drops the HTTP/2 packets from the client. This method is helpful if the admin of the client device already knows that the server supports HTTP/2.

  • Direct HTTP/2 using Alternative Service (ALT-SVC). A server advertises that it supports HTTP/2 to a client by including an Alternative Service (ALT-SVC) field in its HTTP/1.1 response. If the client is configured to understand the ALT-SVC field, the client and the server start directly communicating using HTTP/2 after the client receives the response.

The NetScaler appliance provides configurable options in an HTTP profile for the HTTP/2 methods. These HTTP/2 options can be applied to the client side as well to the server side of an HTTPS or HTTP load balancing setup. For more information for HTTP/2 methods and options, refer to the HTTP/2 options PDF.

Before you Begin

Before you begin configuring HTTP/2 on a NetScaler appliance, note the following points:

  • The NetScaler appliance supports HTTP/2 on the client side as well on the server side.
  • The NetScaler appliance does not support the HTTP/2 server push functionality.
  • The NetScaler appliance does not support the HTTP/2 request prioritization functionality.
  • The NetScaler appliance does not support HTTP/2 SSL renegotiation for HTTPS load balancing setups.
  • The NetScaler appliance does not support HTTP/2 NTLM authentication.
  • With HTTP/2 enabled, connection multiplexing disabled (like USIP enabled) and one to one mapping of client and server TCP connections, close events such as FIN, reset (RST) are forwarded from the client or server connection to the linked peer connection.

Configuring HTTP/2

Configuring HTTP/2 for a load balancing setup (HTTPS or HTTP) consists of the following tasks:

  • Enable HTTP/2 and set optional HTTP/2 parameters in an HTTP Profile. Enable HTTP/2 in an HTTP profile. When you only enable HTTP/2 in an HTTP profile, the NetScaler appliance uses only the upgrade method (for HTTP) or TLS ALPN method (for HTTPS) for communicating in HTTP/2.

    For the NetScaler appliance to use the direct HTTP/2 method, the Direct HTTP/2 option must be enabled in the HTTP profile. For the NetScaler appliance to use the direct HTTP/2 using the alternative service method, the Alternative Service (altsvc) option must be enabled in the HTTP profile.

  • Bind the HTTP profile to a virtual server or a service. Bind the HTTP profile to a virtual server to configure HTTP/2 for the client side of the load balancing setup. Bind the HTTP profile to a service to configure HTTP2 for the server side of the load balancing setup.

Note

Citrix recommends binding separate HTTP profiles for the client side and the server side.

  • Enable the global parameter for HTTP/2 server side support. Enable the HTTP/2 Service Side (HTTP2Serverside) global HTTP parameter for enabling the HTTP/2 support on the server side of all the load balancing setups that has HTTP/2 configured.

    HTTP/2 does not work on the server side of any load balancing setups if HTTP/2 Service Side is disabled even if the HTTP/2 is enabled on the HTTP profile bound to the related load balancing services.

NetScaler Command Line procedures:

To enable HTTP/2 and set HTTP/2 parameters by using the NetScaler command line

  • To enable HTTP/2 and set HTTP/2 parameters while adding an HTTP profile, at the command prompt, type:

add ns httpProfile <name> - http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED )] [-altsvc ( ENABLED | DISABLED )] show ns httpProfile <name>

  • To enable HTTP/2 and set HTTP/2 parameters while modifying an HTTP profile, at the command prompt, type:

set ns httpProfile <name> -http2 ( ENABLED | DISABLED ) [-http2Direct ( ENABLED | DISABLED)] [-altsvc (ENABLED | DISABLED )] show ns httpProfile <name>

To bind the HTTP profile to a virtual server by using the NetScaler command line

At the command prompt, type:

set lb vserver <name> - httpProfileName <string> show lb vserver <name>

To bind the HTTP profile to a load balancing service by using the NetScaler command line

At the command prompt, type:

set service <name> -httpProfileName <string> show service <name>

To enable HTTP/2 support globally on the server side by using the NetScaler command line

At the command prompt, type:

set ns httpParam -HTTP2Serverside( ENABLED | DISABLED ) show ns httpParam

To enable HTTP/2 and set HTTP/2 parameters by using the NetScaler GUI

  1. Navigate to System > Profiles, and click the HTTP Profiles tab.
  2. Enable HTTP/2 while adding an HTTP profile or modifying an existing HTTP profile.

To bind the HTTP profile to a virtual server by using the NetScaler GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open the virtual server.
  2. In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the virtual server.

To bind the HTTP profile to a load balancing service by using the NetScaler GUI

  1. Navigate to Traffic Management > Load Balancing > Service, and open the service.
  2. In Advanced Settings, click + HTTP Profile to bind the created HTTP profile to the service.

To enable HTTP/2 support globally on the server side by using the GUI

Navigate to System > Settings, click Change HTTP parameters, and enable HTTP/2 Server Side.

Sample configurations

In the following sample configuration, HTTP/2 and direct HTTP/2 are enabled on HTTP profile HTTP-PROFILE-HTTP2-CLIENT-SIDE. The profile is bound to virtual server LB-VS-1.

set ns httpProfile HTTP-PROFILE-HTTP2-CLIENT-SIDE -http2 enabled -http2Direct enabled
Done

set lb vserver LB-VS-1 -httpProfileName HTTP-PROFILE-HTTP2-CLIENT-SIDE

Done
<!--NeedCopy-->

In the following sample configuration, HTTP/2 and alternative service (ALT-SVC) is enabled on HTTP profile HTTP-PROFILE-HTTP2-SERVER-SIDE. The profile is bound to service LB-SERVICE-1.

set ns httpparam -HTTP2Serverside ENABLED
Done

set ns httpProfile HTTP-PROFILE-HTTP2-SERVER-SIDE -http2 ENABLED -altsvc ENABLED
Done

set service LB-SERVICE-1 -httpProfileName HTTP-PROFILE-HTTP2-SERVER-SIDE
Done
<!--NeedCopy-->

Configure HTTP/2 initial connection window size

As per RFC 7540, the flow-control window for HTTP2 stream and connection must be set to 64 K (65535) octets, and any change made to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:

  • Using the SETTINGS frame for the stream.
  • Using the WINDOW_UPDATE frame for the connection.

In an HTTP profile, you must configure the http2InitialWindowSize parameter to set the initial window size at the stream level. Because of an internal system error, the ADC appliance initializes the flow-control window for the connection also. When there is a change in the configured flow-control window for the stream, the ADC appliance communicates to the peer using the SETTINGS frame. But the ADC appliance fails to communicate the change in flow-control window for the connection using the WINDOW_UPDATE frame. This leads to a connection freeze.

To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the flow-control window for connection. By using separate configurable parameters, you can now enable the appliance to send updates for changed window size at both stream and connection levels.

Configure the HTTP/2 initial connection window size parameter by using the CLI

At the command prompt, type:

set http profile p1 -http2InitialConnWindowSize 8290
Initial window size for stream level flow control, in bytes.
Default value: 65535
Minimum value: 8192
Maximum value: 20971520
<!--NeedCopy-->

Note: When HTTP/2 is enabled, Citrix recommends you to disable TCP Dynamic Receive Buffering parameter in the TCP profile.

WebSocket over HTTP/2 configuration

The NetScaler appliance supports WebSocket connections over HTTP/2. You can enable the WebSocket connections using a CLI or GUI interface. The WebSocket HTTP/2 connection can be multiplexed.

Configure the WebSocket connections over HTTP/2 by using the CLI

By default, the WebSocket Connections parameter is disabled. You can enable the WebSocket connections using the CLI interface.

Enable Frontend HTTP/2 WebSocket connections:

At the command prompt, type:

For SSL configuration:


add httpprofile <http_profile_name> -http2 enabled -websocket enabled

<!--NeedCopy-->

For Plain text configuration:


add httpprofile <http_profile_name> -http2 enabled -http2direct enabled -websocket enabled

<!--NeedCopy-->

Enable Backend HTTP/2 WebSocket connections:

At the command prompt, type:

For SSL configuration:

add httpprofile <http_profile_name> -http2 enabled
set httpparam -http2serverside ON
<!--NeedCopy-->

For Plain text configuration:

add httpprofile <http_profile_name> -http2 enabled -http2direct enabled
set httpparam -http2serverside ON
<!--NeedCopy-->

Configure the WebSocket connections over HTTP/2 by using the GUI

You can use the following procedure to enable the WebSocket connections using the GUI interface.

Edit the existing Profiles:

  1. Navigate to System>Profiles>HTTP Profiles.
  2. Select the required profile from the Profiles and click Edit.
  3. In the Configure HTTP Profile, enable HTTP2 or DirectHTTP2 checkboxes.
  4. Enable the WebSocket connections by selecting the Enable WebSocket connections checkbox.

Add new Profiles:

  1. Navigate to System>Profiles>HTTP Profiles.
  2. You can add a new HTTP2 profile by clicking Add.
  3. In the Create HTTP Profile, enable HTTP2 or DirectHTTP2 checkboxes.
  4. Select the Enable WebSocket Connections checkbox.

The following table describes the WebSocket connection behavior when the back end multiplexing is disabled:

HTTP packet version WebSocket in HTTP profile Request action Back-end HTTP/1.1 Back-end HTTP/2
HTTP/1.1 Disabled dropped NA NA
HTTP/1.1 Enabled HTTP/1.1 Each HTTP/1.1 connection is mapped to a dedicated HTTP/1.1 connection on the back end Dedicated HTTP/2 connection on the back end for each HTTP/1.1 connection
HTTP/2 Enabled HTTP/2 Each stream on the front end is mapped to a dedicated HTTP/1.1 connection All front end streams can be mapped to a single HTTP/2 connection or a maximum of three HTTP/2 connections on the back end.
HTTP/2 Disabled dropped NA NA

The following table describes the WebSocket connection behavior when the back end multiplexing is enabled:

HTTP packet version WebSocket in HTTP profile Request action Back-end HTTP/1.1 Back-end HTTP/2
HTTP/1.1 Disabled dropped NA NA
HTTP/1.1 Enabled HTTP/1.1 Each HTTP/1.1 connection is mapped to a dedicated HTTP/1.1 connection on the back end Multiple Http/1.1 clients can be multiplexed to a single HTTP/2 connection or multiple HTTP/2 connections
HTTP/2 Enabled HTTP/2 Each stream on the front end is mapped to a dedicated HTTP/1.1 connection All front end streams can be mapped to a single HTTP/2 connection or multiple HTTP/2 connections on the back end
HTTP/2 Disabled dropped NA NA
HTTP/2 configuration