Does forward proxying of HTTP/2 request/response supported in latest ATS release 10.2.0? #12175

Open
khchoy opened this issue Apr 9, 2025 · 5 comments
khchoy commented Apr 9, 2025

Anyone tried forward proxying with HTTP/2 traffic with the latest release 10.2.0? If yes, please share your configuration. Thanks.

Author

khchoy commented Apr 10, 2025

In the release notes, in the (What’s New in ATS v10.x) -> (Plugins) section, it is mentioned that "Support for HTTP/2 on origin server connections has been added. This is disabled by default. For more details check proxy.config.ssl.client.alpn_protocols"

When clicking on the link, the proxy.config.ssl.client.alpn_protocols configuration option "h2" mentions that "Traffic Server only advertises HTTP/2 support. Thus, the origin will either negotiate HTTP/2 or fail the handshake. (HTTP/2 to origin is currently not supported by Traffic Server.)"

Why is the configuration option "h2" given if HTTP/2 to origin is still not supported by Traffic Server?

@khchoy changed the title from "Does forward proxying on HTTP/2 is supported in latest release 10.2.0?" to "Does forward proxying on HTTP/2 supported in latest ATS release 10.2.0?" Apr 10, 2025
@khchoy changed the title from "Does forward proxying on HTTP/2 supported in latest ATS release 10.2.0?" to "Does forward proxying of HTTP/2 request/response supported in latest ATS release 10.2.0?" Apr 10, 2025
@bneradt bneradt self-assigned this Apr 14, 2025
Contributor

bneradt commented Apr 15, 2025

> When clicking on the link, the proxy.config.ssl.client.alpn_protocols configuration option "h2" mentions that "Traffic Server only advertises HTTP/2 support. Thus, the origin will either negotiate HTTP/2 or fail the handshake. (HTTP/2 to origin is currently not supported by Traffic Server.)"
>
> Why is the configuration option "h2" given if HTTP/2 to origin is still not supported by Traffic Server?

Thank you for pointing this out. This is a documentation issue: this ALPN feature was added before HTTP/2 to origin was supported, so that statement just needs to be removed now. HTTP/2 to origin is now supported by Traffic Server. Fixing with #12190.

Contributor

bneradt commented Apr 15, 2025

> Anyone tried forward proxying with HTTP/2 traffic with the latest release 10.2.0? If yes, please share your configuration. Thanks.

@khchoy : we use HTTP/2 to origin with ATS as a reverse proxy. Setting proxy.config.ssl.client.alpn_protocols should be all you need to start using HTTP/2 to origin.

CONFIG proxy.config.ssl.client.alpn_protocols STRING h2,http/1.1

For diagnostic purposes, adding o_http_version="%<sqpv>" to your logging.yaml config is helpful. This will add the origin server protocol to your transaction logs so you can verify easily whether HTTP/2 to origin is being used and for which origin servers.

Here are some tweaks to various configurations we have used to optimize HTTP/2 to origin traffic. Some of these might be specific to the traffic we are proxying, but I'll record it here in case it's helpful:

  • Set the incoming flow control policy to 1. The default window size is 65535 and with many concurrent active streams the default was over-throttling the post body setting and causing timeouts.
    CONFIG proxy.config.http2.flow_control.policy_in INT 1
  • Set the outgoing flow control policy to 2. This allows the outgoing window size to adjust dynamically with the number of concurrent streams.
    CONFIG proxy.config.http2.flow_control.policy_out INT 2
  • Reduced the concurrent stream count. The default is 100. For very active streams, a lower number seemed to work better.
    CONFIG proxy.config.http2.max_concurrent_streams_in INT 40
  • With the window sufficiently opened up, the following may not be necessary. The throttling logic was triggering and closing the connection because the window updates were too small compared to the default value of 2560.00.
    CONFIG proxy.config.http2.min_avg_window_update FLOAT 2.0
  • By default the proxy.config.http2.active_timeout_in is 0 (disabled). Keep it that way or set it to a large value, otherwise long-lived active sessions will be disabled.
  • For similar reasons, ensure that proxy.config.net.default_inactivity_timeout is kept large as well.
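
An added example (not part of the thread and not ATS project code) of the verification step described in the comment above: it summarizes, per origin, which protocol was logged in the o_http_version field, so origins that silently fell back to HTTP/1.1 stand out. The log lines are constructed, and the `origin` field name, the key="value" line layout, the "-" placeholder and the value strings "http/2" and "http/1.1" are assumptions about the custom log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, not real ATS output. Assumes a custom log format
# that emits key="value" pairs, with a hypothetical origin="..." field next to
# the o_http_version="%<sqpv>" field suggested in the thread.
SAMPLE_LOG = '''\
1744700001 origin="api.example.test" status=200 o_http_version="http/2"
1744700002 origin="api.example.test" status=200 o_http_version="http/2"
1744700003 origin="legacy.example.test" status=200 o_http_version="http/1.1"
1744700004 origin="api.example.test" status=304 o_http_version="-"
1744700005 origin="mixed.example.test" status=200 o_http_version="http/2"
1744700006 origin="mixed.example.test" status=200 o_http_version="http/1.1"
this line is truncated origin="broken.example.test
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def summarize(log_text):
    """Return {origin: Counter({protocol: hits})} for lines that reached an origin."""
    per_origin = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        origin = fields.get("origin")
        version = fields.get("o_http_version")
        if not origin or version is None:
            continue  # malformed line or a format without the expected fields
        if version in ("", "-"):
            continue  # assumed placeholder when no origin connection was made
        per_origin[origin][version.lower()] += 1
    return per_origin

def classify(per_origin, h2_value="http/2"):
    """Label each origin 'h2-only', 'fallback-only' or 'mixed'."""
    verdicts = {}
    for origin, counts in per_origin.items():
        h2_hits = counts.get(h2_value, 0)
        other_hits = sum(counts.values()) - h2_hits
        if h2_hits and other_hits:
            verdicts[origin] = "mixed"  # ALPN result differs between connections
        elif h2_hits:
            verdicts[origin] = "h2-only"
        else:
            verdicts[origin] = "fallback-only"  # never negotiated HTTP/2
    return verdicts

if __name__ == "__main__":
    for origin, verdict in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(f"{origin}: {verdict}")
```
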

@shinrich
Member

@khchoy we use ATS as a forward proxy. We have started allowing H2 forward proxy, but we have not exercised it very hard yet. Let me look through my notes to see what other changes we had to make.

Author

khchoy commented Apr 22, 2025

> > Anyone tried forward proxying with HTTP/2 traffic with the latest release 10.2.0? If yes, please share your configuration. Thanks.
>
> @khchoy : we use HTTP/2 to origin with ATS as a reverse proxy. Setting proxy.config.ssl.client.alpn_protocols should be all you need to start using HTTP/2 to origin.
>
> CONFIG proxy.config.ssl.client.alpn_protocols STRING h2,http/1.1
>
> For diagnostic purposes, adding o_http_version="%<sqpv>" to your logging.yaml config is helpful. This will add the origin server protocol to your transaction logs so you can verify easily whether HTTP/2 to origin is being used and for which origin servers.
>
> Here are some tweaks to various configurations we have used to optimize HTTP/2 to origin traffic. Some of these might be specific to the traffic we are proxying, but I'll record it here in case it's helpful:
>
>   • Set the incoming flow control policy to 1. The default window size is 65535 and with many concurrent active streams the default was over-throttling the post body setting and causing timeouts.
>     CONFIG proxy.config.http2.flow_control.policy_in INT 1
>   • Set the outgoing flow control policy to 2. This allows the outgoing window size to adjust dynamically with the number of concurrent streams.
>     CONFIG proxy.config.http2.flow_control.policy_out INT 2
>   • Reduced the concurrent stream count. The default is 100. For very active streams, a lower number seemed to work better.
>     CONFIG proxy.config.http2.max_concurrent_streams_in INT 40
>   • With the window sufficiently opened up, the following may not be necessary. The throttling logic was triggering and closing the connection because the window updates were too small compared to the default value of 2560.00.
>     CONFIG proxy.config.http2.min_avg_window_update FLOAT 2.0
>   • By default the proxy.config.http2.active_timeout_in is 0 (disabled). Keep it that way or set it to a large value, otherwise long-lived active sessions will be disabled.
>   • For similar reasons, ensure that proxy.config.net.default_inactivity_timeout is kept large as well.

Hi @bneradt, I wanna configure ATS as an HTTP/2 forward proxy server. Does it have the same given settings as above?
