SlideShare uma empresa Scribd logo

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

Jean-Frederic Clere
Jean-Frederic Clere

Jean-Frederic Clere presented on HTTP/2, HTTP/3 and SSL/TLS in servers. He discussed the latest developments in HTTP/3 using QUIC and TLS 1.3 over UDP. For HTTP/2, he covered implementations in Apache Tomcat, Apache HTTP Server, and Traffic Server. He demonstrated improved performance of HTTP/2 over HTTP/1.1 and discussed configuration requirements and options for enabling HTTP/2 in each server. The presentation concluded that HTTP/2 is ready for production use without server modifications to realize performance gains.

Software
1 de 31
Baixar para ler offline
APACHECON North America Sept. 9-12, 2019 HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS State of theState of the ArtArt in Our Serversin Our Servers Jean-Frederic ClereJean-Frederic Clere
APACHECON North America What I will coverWhat I will cover ● HTTP/3 ● HTTP/2 ● HTTP/2 and ALPN ● Servers ● Apache HTTPD ● Tomcat ● Traffic server ● Demos ● Questions? 2
APACHECON North America Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
APACHECON North America HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!) – Use QUIC / TLS-1.3 / UDP – To transport HTTP like HTTP/2 – Initial connection TPC + Alt-Svc ● Response Alt-Svc: h3=":56666": – problems: ● UDP ports closed ● UDP slower than TPC in Kernels ● Needs extra CPU (?) – Specifications: ● Several RFC (6 RFC) 4
APACHECON North America HTTP/3 implementations: – Curl (http3-direct and Alt-Svc way) – Libraries ● ngtcp2 ● quiche – Apache Tomcat: Problem UDP socket API incomplete – Apache HTTPD: need time probably like http/2 – Traffic Server: planed for the next version (end 2019) ● See ATS proto / curl demo
APACHECON North America HTTP/3 more info: – Demo ATS / curl – Playing browsers: ● test browser ● Interop matrix ● chrome activation
APACHECON North America Why HTTP/2Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2019: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc 7
APACHECON North America HTTP/2 generalHTTP/2 general ● HTTP/2: – Binary – Frame – Multiplex – Based on SPDY – TLS everywhere: ● Browers use https and strong ciphers – No forward proxy – h2c: Clear text only with reverse proxy (proxy to back-end server) 8
APACHECON North America HTTP/2 generalHTTP/2 general ● Two specifications: – Hypertext Transfer Protocol version 2 - RFC7540 – HPACK - Header Compression for HTTP/2 - RFC7541 ● By the Internet Engineering Task Force ● ALPN Application-Layer Protocol Negotiation - RFC 7301 9
APACHECON North America HTTP/2 MultiplexedHTTP/2 Multiplexed 10 Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
APACHECON North America HTTP/2 : moreHTTP/2 : more ● HTTP headers compression – ~ 80 % save ● Request priority – Both sides ● Server Push – Prevent round trip to get element of a page – Faster / better rendering on browsers. 11
APACHECON North America HTTP/2 With BrowsersHTTP/2 With Browsers ● Browser with HTTP/2 and TLS – FireFox 34 – Chrome 40 (with ALPN before was NPN) – IE 11 – Opera and Safari 9 ● Stats from docs.trafficserver and ci.trafficserver: – 80% is over HTTP/2 (data from last year) ● → go for it now! 12
APACHECON North America ALPN Client Hello (Firefox)ALPN Client Hello (Firefox) 13
APACHECON North America ALPN Server Hello (tomcat)ALPN Server Hello (tomcat) 14
APACHECON North America RequirementsRequirements ● OpenSSL for our 3 servers – At least 1.0.2c ● Tomcat (8.5 / trunk) – Tomcat-native (1.2.6 / trunk) or java9 ● Httpd (2.4.17 / trunk) – HTTP/2 C Library (libnghttp2) ● TrafficServer (since ATS v5.3.2). – Nothing except openssl. 15
APACHECON North America StatusStatus ● Tomcat (trunk/8.5) – Full support / released as stable. – Needs servlet 4.0 (JSR 369) for server PUSH API – Can't be full JAVA until JDK9 (ALPN support) ● Httpd (available since 2.4.17) – Full support (since 2.4.20) ● TrafficServer (since 5.3.0) (flow control 6.1) – Priorities (6.2.0) and Server PUSH (7.0.0) 16
APACHECON North America TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
APACHECON North America Tomcat / configurationTomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work. 18
APACHECON North America Tomcat / PerformancesTomcat / Performances 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
APACHECON North America Tomcat / PerformancesTomcat / Performances 20 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
APACHECON North America Tomcat / DemoTomcat / Demo ● No server push (may be change it: SimpleImagePush) ● Multiplexing ● headers compression ● HTML page: – That requires a lot (~1000) of (~4Kbytes) images to render. 21
APACHECON North America TrafficServer / ConfigurationTrafficServer / Configuration ● records.config – CONFIG proxy.config.ssl.number.threads INT 0 – CONFIG proxy.config.http.server_ports STRING 8888:ssl – CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 – CONFIG proxy.config.http2.enabled INT 1 – CONFIG proxy.config.ssl.TLSv1_1 INT 1 – CONFIG proxy.config.ssl.TLSv1_2 INT 1 ● ssl_multicert.config: – dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem ● remap.config: – map / http://127.0.0.1:8080 ● ip_allow.config: – src_ip=192.168.1.38 action=ip_allow method=ALL – src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL 22
APACHECON North America TrafficServer / DemoTrafficServer / Demo ● Like tomcat one ● Uses http/1.1 tomcat nio connector on 8080 as back-end. 23
APACHECON North America HTTPd / ConfigurationHTTPd / Configuration ● httpd.conf: LoadModule h2_module modules/mod_h2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on SSLCertificateFile "/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" </VirtualHost> 24
APACHECON North America HTTPd / PerformancesHTTPd / Performances 25 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 httpd_h1_https httpd_h2_https File Size KBytes/second
APACHECON North America HTTPd / PerformancesHTTPd / Performances 26 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 Concurency 240 httpd_h1_https httpd_h2_https File Szie CPUusage
APACHECON North America HTTPd / Configuration proxyHTTPd / Configuration proxy ● httpd.conf: LoadModule http2_module modules/mod_http2.so LoadModule proxy_http2_module modules/mod_proxy_http2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on … ProxyPass "/" "h2c://localhost:8003/" </VirtualHost> 27
APACHECON North America HTTPd / DemoHTTPd / Demo ● Like the tomcat one: – htdocs/http2.html – htdocs/images/ the images. 28
APACHECON North America HTTP/2 ready?HTTP/2 ready? ● Conclusion: – Using HTTP/2 without PUSH is already good. – “safer” crypto is good but expensive. – No need to rewrite application to get the gains. HTTP/2 : GO FOR IT 29
APACHECON North America Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● users@httpd.apache.org ● users@trafficserver.apache.org ● https://http2.github.io/ ● Demo generator: https://github.com/jfclere/h2_demos ● HTTP/3 see curl docs: http3-explained by Daniel 30
THANK YOU Jean-Frederic Clere @jfclere jfclere@gmail.com

Recomendados

From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the CloudJean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudJean-Frederic Clere
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsJean-Frederic Clere
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Jean-Frederic Clere
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to HaproxyShaopeng He
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPIchito Nagata
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 

Recomendados

From a cluster to the Cloud
From a cluster to the CloudFrom a cluster to the Cloud
From a cluster to the CloudJean-Frederic Clere
 
TomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudTomcatCon: from a cluster to the cloud
TomcatCon: from a cluster to the cloudJean-Frederic Clere
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsJean-Frederic Clere
 
Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Tomcat from a cluster to the cloud on RP3
Tomcat from a cluster to the cloud on RP3Jean-Frederic Clere
 
Introduction to Haproxy
Introduction to HaproxyIntroduction to Haproxy
Introduction to HaproxyShaopeng He
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersAnatomy of neutron from the eagle eyes of troubelshoorters
Anatomy of neutron from the eagle eyes of troubelshoortersSadique Puthen
 
How happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPHow happy they became with H2O/mruby and the future of HTTP
How happy they became with H2O/mruby and the future of HTTPIchito Nagata
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatJean-Frederic Clere
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Jim Jagielski
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Matthew Ahrens
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveMirantis
 
Snaps on open suse
Snaps on open suseSnaps on open suse
Snaps on open suseZygmunt Krynicki
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networkingLorenzo Fontana
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES IntroductionHungWei Chiu
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-upHungWei Chiu
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes Zhichao Liang
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OpenvSwitch
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelpurpleocean
 
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdfJean-Frederic Clere
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversJean-Frederic Clere
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 IntroductionWalter Liu
 

Mais conteúdo relacionado

Mais procurados

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatJean-Frederic Clere
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPFastly
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Jim Jagielski
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Matthew Ahrens
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveMirantis
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networkingLorenzo Fontana
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES IntroductionHungWei Chiu
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookAngelo Failla
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-upHungWei Chiu
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes Zhichao Liang
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OpenvSwitch
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelpurpleocean
 

Mais procurados (19)

Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and Tomcat
 
How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing Sleep
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTPAltitude SF 2017: QUIC - A low-latency secure transport for HTTP
Altitude SF 2017: QUIC - A low-latency secure transport for HTTP
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
 
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
Improving the ZFS Userland-Kernel API with Channel Programs - BSDCAN 2017 - M...
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep Dive
 
Snaps on open suse
Snaps on open suseSnaps on open suse
Snaps on open suse
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Understanding docker networking
Understanding docker networkingUnderstanding docker networking
Understanding docker networking
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
 
IPTABLES Introduction
IPTABLES IntroductionIPTABLES Introduction
IPTABLES Introduction
 
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at FacebookSREConEurope15 - The evolution of the DHCP infrastructure at Facebook
SREConEurope15 - The evolution of the DHCP infrastructure at Facebook
 
iptables 101- bottom-up
iptables 101- bottom-upiptables 101- bottom-up
iptables 101- bottom-up
 
青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes 青云CoreOS虚拟机部署kubernetes
青云CoreOS虚拟机部署kubernetes
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOcean
 
Web scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannelWeb scale infrastructures with kubernetes and flannel
Web scale infrastructures with kubernetes and flannel
 

Semelhante a HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdfJean-Frederic Clere
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversJean-Frederic Clere
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 IntroductionWalter Liu
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
HTTP2 and gRPC
HTTP2 and gRPCHTTP2 and gRPC
HTTP2 and gRPCGuo Jing
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Ontico
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebAll Things Open
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxScyllaDB
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownScyllaDB
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementGanesan Narayanasamy
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018Xavier Mertens
 

Semelhante a HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers (20)

03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
03_clere-HTTP2 HTTP3 the State of the Art in Our Servers.pdf
 
HTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF serversHTTP/2 and SSL/TLS state of art in ASF servers
HTTP/2 and SSL/TLS state of art in ASF servers
 
HTTP/2 Introduction
HTTP/2 IntroductionHTTP/2 Introduction
HTTP/2 Introduction
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toe
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat next
Tomcat nextTomcat next
Tomcat next
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat openssl
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
HTTP2 and gRPC
HTTP2 and gRPCHTTP2 and gRPC
HTTP2 and gRPC
 
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
Linux kernel TLS и HTTPS / Александр Крижановский (Tempesta Technologies)
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
 
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at DropboxOptimizing Servers for High-Throughput and Low-Latency at Dropbox
Optimizing Servers for High-Throughput and Low-Latency at Dropbox
 
Linux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance ShowdownLinux Kernel vs DPDK: HTTP Performance Showdown
Linux Kernel vs DPDK: HTTP Performance Showdown
 
CAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablementCAPI and OpenCAPI Hardware acceleration enablement
CAPI and OpenCAPI Hardware acceleration enablement
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testing
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
Http2
Http2Http2
Http2
 

Mais de Jean-Frederic Clere

03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdfJean-Frederic Clere
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...Jean-Frederic Clere
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationJean-Frederic Clere
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsJean-Frederic Clere
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsJean-Frederic Clere
 

Mais de Jean-Frederic Clere (9)

Panama.pdf
Panama.pdfPanama.pdf
Panama.pdf
 
03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf03_clere_Proxing to tomcat with httpd.pdf
03_clere_Proxing to tomcat with httpd.pdf
 
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
01_clere_Having fun with a solar panel, camera and raspberry. How with a few ...
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
Apache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validationApache httpd and TLS/SSL certificates validation
Apache httpd and TLS/SSL certificates validation
 
Juggva cloud
Juggva cloudJuggva cloud
Juggva cloud
 
Having fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projectsHaving fun with Raspberry(s) and Apache projects
Having fun with Raspberry(s) and Apache projects
 
Having fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projectsHaving fun with Raspberry and Apache projects
Having fun with Raspberry and Apache projects
 
Native 1.2.8
Native 1.2.8Native 1.2.8
Native 1.2.8
 

Último

Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 

Último (20)

Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers

  • 1. APACHECON North America Sept. 9-12, 2019 HTTP/2, HTTP/3 and SSL/TLSHTTP/2, HTTP/3 and SSL/TLS State of theState of the ArtArt in Our Serversin Our Servers Jean-Frederic ClereJean-Frederic Clere
  • 2. APACHECON North America What I will coverWhat I will cover ● HTTP/3 ● HTTP/2 ● HTTP/2 and ALPN ● Servers ● Apache HTTPD ● Tomcat ● Traffic server ● Demos ● Questions? 2
  • 3. APACHECON North America Who I amWho I am Jean-Frederic Clere Red Hat Years writing JAVA code and server software Tomcat committer since 2001 Doing OpenSource since 1999 Cyclist/Runner etc Lived 15 years in Spain (Barcelona) Now in Neuchâtel (CH) 3
  • 4. APACHECON North America HTTP/3 (March 2018, in progress!)HTTP/3 (March 2018, in progress!) – Use QUIC / TLS-1.3 / UDP – To transport HTTP like HTTP/2 – Initial connection TPC + Alt-Svc ● Response Alt-Svc: h3=":56666": – problems: ● UDP ports closed ● UDP slower than TPC in Kernels ● Needs extra CPU (?) – Specifications: ● Several RFC (6 RFC) 4
  • 5. APACHECON North America HTTP/3 implementations: – Curl (http3-direct and Alt-Svc way) – Libraries ● ngtcp2 ● quiche – Apache Tomcat: Problem UDP socket API incomplete – Apache HTTPD: need time probably like http/2 – Traffic Server: planed for the next version (end 2019) ● See ATS proto / curl demo
  • 6. APACHECON North America HTTP/3 more info: – Demo ATS / curl – Playing browsers: ● test browser ● Interop matrix ● chrome activation
  • 7. APACHECON North America Why HTTP/2Why HTTP/2 – HTTP/1.1: June 1999 (RFC 2616) ● 1999: – 1 page ~ 1kB HTML ● 2019: – 1 page ~ 3MB HTML + IMAGES + JS + CSS etc – Protocol: ● Not adapted / inefficient / etc 7
  • 8. APACHECON North America HTTP/2 generalHTTP/2 general ● HTTP/2: – Binary – Frame – Multiplex – Based on SPDY – TLS everywhere: ● Browers use https and strong ciphers – No forward proxy – h2c: Clear text only with reverse proxy (proxy to back-end server) 8
  • 9. APACHECON North America HTTP/2 generalHTTP/2 general ● Two specifications: – Hypertext Transfer Protocol version 2 - RFC7540 – HPACK - Header Compression for HTTP/2 - RFC7541 ● By the Internet Engineering Task Force ● ALPN Application-Layer Protocol Negotiation - RFC 7301 9
  • 10. APACHECON North America HTTP/2 MultiplexedHTTP/2 Multiplexed 10 Headers Data Headers Headers Headers Data Data Headers Data Data HeadersData Headers
  • 11. APACHECON North America HTTP/2 : moreHTTP/2 : more ● HTTP headers compression – ~ 80 % save ● Request priority – Both sides ● Server Push – Prevent round trip to get element of a page – Faster / better rendering on browsers. 11
  • 12. APACHECON North America HTTP/2 With BrowsersHTTP/2 With Browsers ● Browser with HTTP/2 and TLS – FireFox 34 – Chrome 40 (with ALPN before was NPN) – IE 11 – Opera and Safari 9 ● Stats from docs.trafficserver and ci.trafficserver: – 80% is over HTTP/2 (data from last year) ● → go for it now! 12
  • 13. APACHECON North America ALPN Client Hello (Firefox)ALPN Client Hello (Firefox) 13
  • 14. APACHECON North America ALPN Server Hello (tomcat)ALPN Server Hello (tomcat) 14
  • 15. APACHECON North America RequirementsRequirements ● OpenSSL for our 3 servers – At least 1.0.2c ● Tomcat (8.5 / trunk) – Tomcat-native (1.2.6 / trunk) or java9 ● Httpd (2.4.17 / trunk) – HTTP/2 C Library (libnghttp2) ● TrafficServer (since ATS v5.3.2). – Nothing except openssl. 15
  • 16. APACHECON North America StatusStatus ● Tomcat (trunk/8.5) – Full support / released as stable. – Needs servlet 4.0 (JSR 369) for server PUSH API – Can't be full JAVA until JDK9 (ALPN support) ● Httpd (available since 2.4.17) – Full support (since 2.4.20) ● TrafficServer (since 5.3.0) (flow control 6.1) – Priorities (6.2.0) and Server PUSH (7.0.0) 16
  • 17. APACHECON North America TC connector server.xmlTC connector server.xml <Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/> <Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>
  • 18. APACHECON North America Tomcat / configurationTomcat / configuration In bin/setenv.sh: LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs export LD_LIBRARY_PATH And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd: libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000) libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000) libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000) Usually the openssl of recent distribution (fedora 23) will work. 18
  • 19. APACHECON North America Tomcat / PerformancesTomcat / Performances 19 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size Kbytes/second
  • 20. APACHECON North America Tomcat / PerformancesTomcat / Performances 20 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 90 Concurency 240 coyote_nio_jsse_h1_https coyote_nio_jsse_h2_https File Size CPUUsage
  • 21. APACHECON North America Tomcat / DemoTomcat / Demo ● No server push (may be change it: SimpleImagePush) ● Multiplexing ● headers compression ● HTML page: – That requires a lot (~1000) of (~4Kbytes) images to render. 21
  • 22. APACHECON North America TrafficServer / ConfigurationTrafficServer / Configuration ● records.config – CONFIG proxy.config.ssl.number.threads INT 0 – CONFIG proxy.config.http.server_ports STRING 8888:ssl – CONFIG proxy.config.url_remap.pristine_host_hdr INT 1 – CONFIG proxy.config.http2.enabled INT 1 – CONFIG proxy.config.ssl.TLSv1_1 INT 1 – CONFIG proxy.config.ssl.TLSv1_2 INT 1 ● ssl_multicert.config: – dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem ● remap.config: – map / http://127.0.0.1:8080 ● ip_allow.config: – src_ip=192.168.1.38 action=ip_allow method=ALL – src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL 22
  • 23. APACHECON North America TrafficServer / DemoTrafficServer / Demo ● Like tomcat one ● Uses http/1.1 tomcat nio connector on 8080 as back-end. 23
  • 24. APACHECON North America HTTPd / ConfigurationHTTPd / Configuration ● httpd.conf: LoadModule h2_module modules/mod_h2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on SSLCertificateFile "/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem" SSLCACertificateFile "/etc/pki/CA/cacert.pem" </VirtualHost> 24
  • 25. APACHECON North America HTTPd / PerformancesHTTPd / Performances 25 4KiB.bin 8KiB.bin 16KiB.bin 32KiB.bin 64KiB.bin 128KiB.bin 256KiB.bin 512KiB.bin 1MiB.bin 0 50000 100000 150000 200000 250000 300000 350000 400000 Concurency 240 httpd_h1_https httpd_h2_https File Size KBytes/second
  • 26. APACHECON North America HTTPd / PerformancesHTTPd / Performances 26 4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB 0 10 20 30 40 50 60 70 80 Concurency 240 httpd_h1_https httpd_h2_https File Szie CPUusage
  • 27. APACHECON North America HTTPd / Configuration proxyHTTPd / Configuration proxy ● httpd.conf: LoadModule http2_module modules/mod_http2.so LoadModule proxy_http2_module modules/mod_proxy_http2.so Listen 8006 <VirtualHost *:8006> Protocols h2 http/1.1 ProtocolsHonorOrder on SSLEngine on … ProxyPass "/" "h2c://localhost:8003/" </VirtualHost> 27
  • 28. APACHECON North America HTTPd / DemoHTTPd / Demo ● Like the tomcat one: – htdocs/http2.html – htdocs/images/ the images. 28
  • 29. APACHECON North America HTTP/2 ready?HTTP/2 ready? ● Conclusion: – Using HTTP/2 without PUSH is already good. – “safer” crypto is good but expensive. – No need to rewrite application to get the gains. HTTP/2 : GO FOR IT 29
  • 30. APACHECON North America Questions?Questions? Thank you!Thank you! ● jfclere@gmail.com ● users@tomcat.apache.org ● users@httpd.apache.org ● users@trafficserver.apache.org ● https://http2.github.io/ ● Demo generator: https://github.com/jfclere/h2_demos ● HTTP/3 see curl docs: http3-explained by Daniel 30