Citrix Netscaler and support for next generation web traffic protocols like SPDY & HTTP/2

With the ever-growing pace of internet traffic, we are faced with one challenge: an old protocol which is over 15 years old and is in no shape to continue in this race. And yes, the one I am talking about is the HTTP protocol.

Over the years, Google has done a great job trying to improve this way of communication with its own protocol called SPDY, which uses prioritization and multiplexing and compresses the transmitted headers using GZIP or Deflate. You can read more about SPDY here: https://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3

On the other hand you have the HTTP/2 protocol, which the IETF has worked on and which Google said will replace their own SPDY protocol (http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html).

You can read more about the RFC for the HTTP/2 protocol here: https://tools.ietf.org/html/rfc7540. In essence it is the same thing as SPDY, since the initial draft of HTTP/2 was based upon SPDY. It is also important to note that communication with HTTP/2 is based upon a binary format, since this is much easier to compress, while traditional HTTP/1.1 is based upon human-readable text. The people over at HTTP Watch did a comparison between traditional HTTP, HTTP/2 and SPDY (https://blog.httpwatch.com/2015/01/16/a-simple-performance-comparison-of-https-spdy-and-http2/) and we can see that these new protocols work a lot more efficiently.
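To make the binary framing concrete, the following added example (not part of the original post) recognises the HTTP/2 client connection preface and splits what follows into frames, which is what an inspection device or packet analyst has to do in place of reading request text. The preface and frame layout are from RFC 7540; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Fixed 24-byte client connection preface (RFC 7540, section 3.5).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM",
               4: "SETTINGS", 5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY",
               8: "WINDOW_UPDATE", 9: "CONTINUATION"}
SETTINGS = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
            4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}

def parse_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(buf):
        if pos + 9 > len(buf):
            raise ValueError("truncated frame header")
        # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, hex(ftype)), flags,
                       sid & 0x7FFFFFFF, buf[pos + 9:end]))
        pos = end
    return frames

def parse_settings(payload):
    """Decode a SETTINGS payload: repeated 16-bit id + 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    return {SETTINGS.get(i, hex(i)): v for i, v in struct.iter_unpack(">HI", payload)}

def inspect_client_bytes(data):
    """Return parsed frames if data opens an HTTP/2 connection, else None."""
    if not data.startswith(PREFACE):
        return None  # e.g. text-based HTTP/1.1 such as b"GET / HTTP/1.1\r\n"
    return parse_frames(data[len(PREFACE):])

def build_frame(ftype, flags, sid, payload):  # only used to build the sample below
    return struct.pack(">I", len(payload))[1:] + struct.pack(">BBI", ftype, flags, sid) + payload

# Constructed sample: preface, a SETTINGS frame, then a WINDOW_UPDATE frame.
SAMPLE = (PREFACE
          + build_frame(4, 0, 0, struct.pack(">HIHI", 2, 0, 4, 65535))
          + build_frame(8, 0, 0, struct.pack(">I", 1048576)))

if __name__ == "__main__":
    for name, flags, sid, payload in inspect_client_bytes(SAMPLE):
        print(name, flags, sid, parse_settings(payload) if name == "SETTINGS" else payload.hex())
```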

So what else is needed? We need a web server that supports HTTP/2 or SPDY, and we need web clients that support these protocols.

As we can see, most web servers already support HTTP/2 (https://en.wikipedia.org/wiki/HTTP/2#HTTP.2FHTTPS_servers), with Windows getting it in Windows Server 2016 and the new version of IIS. Most web browsers support HTTP/2 as well, such as Chrome, Opera, Firefox, Internet Explorer and lastly Microsoft Edge.

But Firefox, for instance, only supports HTTP/2 using TLS 1.2 (https://wiki.mozilla.org/Networking/http2), meaning that even if the NetScaler can use HTTP/2 over HTTP, it will not work with most of the web browsers.

So how do I test that this stuff works? The simplest thing is to download an add-on for Chrome called HTTP/2 and SPDY indicator, which shows which sites are enabled for HTTP/2 and SPDY. (This extension is available for Firefox as well.)

So whenever we are on a site which has HTTP/2 enabled the icon will appear as such

We can also look at the internal table within Chrome by typing chrome://net-internals/#spdy in the address bar.

If this does not work on your Chrome version, you need to enable SPDY4/HTTP2 within Chrome, which can be done using the chrome://flags/#enable-spdy4 flag.

To set this up on the NetScaler we have to create or alter an HTTP profile. Note that this is only available from version 11 and upwards.

Then tick the checkbox to enable HTTP/2. If SPDY is also enabled, the following order of preference applies when communicating with a vServer that has the HTTP profile bound:

  • HTTP/2 (if enabled in the HTTP profile)
  • SPDY (if enabled in the HTTP profile)
  • HTTP/1.1

In most cases the backend servers are still using HTTP/1.1. In that case the NetScaler works as a proxy: it decodes the traffic from the clients into HTTP/1.1 data and retransmits the data to the backend servers.

It is, however, important to note that running HTTP/2 on VPX is not supported, and hence the clients will fall back to SPDY, which is supported on a VPX.

However, there are some requirements worth noting on VPX for SPDY as well:

Troubleshooting for SPDY

If SPDY sessions are not enabled even after performing the required steps, check the following conditions.

  • If the client is using a Chrome browser, SPDY might not work in some scenarios because Chrome sometimes does not initiate TLS handshake.
  • If there is a forward-proxy between the client and the NetScaler appliance, and the forward-proxy doesn’t support SPDY, SPDY sessions might not be enabled.
  • NetScaler does not support NPN over TLS 1.1/1.2. To use SPDY, the client should disable TLS1.1/1.2 in the browser.
  • Similarly, if the client wants to use SPDY, SSL2/3 must be disabled on the browser.