HTTP/2 support with BitNinja WAF 2.0
The version of bitninja-ssl-termination 1.1.0, which is practically a HAProxy (1.8.9), can handle HTTP2 connections. It will be installed automatically by BitNinja (v 1.20.10) and it will reconfigure the configs for HTTP/2.
It only affects the HTTPS connections. HTTP2 over TLS (h2) is supported by all of the modern browsers.
HTTP/2 compared to HTTP/1.1 is far more powerful, it can broadcast requests and answers in parallel, so the browser needs to open only 1 connection to the server instead of 6-8. This connection is far more harder to kill compared to HTTP/1.1 Keep-Alive. So the former method when we have noticed a bad IP our system, interrupted the connection and redirected it to our CAPTCHA page had to be forgotten.
Now with the help of HAProxy, we chose a different backend solution when an IP gets greylisted or resolved.
And good news, some bugs due to the interruption of HTTP/1.1 Keep-Alive before, have been fixed during this development. Also, it happened sometimes that the browser loaded a page with no content on it – because of the interruption of HTTP/1.1 Keep-Alive. Now it’s all good.
This protocol is tad bit more expensive, than HTTP/1.1. If we are talking about only one connection with a static content, HTTP/1.1 is recommended with Keep-Alive, but when we are talking about a normal website, when there are 10-40 static files, in those cases HTTP/2 is more the way to go.
Our test environment for the case was:
- Intel Core i7 7700HQ (8 core)
- 4GB RAM
- Basic apache2
With one static (apache2 default) welcome page, load time on HTTPS was 70000 requests/min. After we have enabled the HAProxy without WAF it has raised to 86000 requests/min. With WAF enabled, it has decrased to 56000 requests/min (As you know, WAF doesn’t scan jpg, js and other similar static files, so this case doesn’t cover every sceniario).
How to enjoy http2 support?
All you have to do is enable SSL and our WAF module and you are ready to go.