iRule sideband using HTTP/2
All examples I have seen with iRules using 'connect' to generate a sideband connection use HTTP/1.0 or HTTP/1.1
I am wondering if anyone has examples of, or knows how iRule sideband connections can be made using HTTP/2?
I expect this to cause problems because HTTP/2 content is binary encoded which the iRule would then have to handle.
To use SSL the normal approach is to call a helper VS from the iRule - so iRule to helper VS is local to LTM and unencrypted, then helper VS to remote server (pool member) is encrypted. So the in built F5 VS profile setup is taking care of the work for SSL. If there was a way to have HTTP/1.1 on the clientside and HTTP/2 on the serverside of such a helper VS that would do a similar task for HTTP, but as far as I can see the options are either to have HTTP/2 on both sides, or the clientside HTTP/2 and the serverside HTTP/1.1
You would indeed use a helper VIP here to do a sideband call. The trick is, the HTTP2 profiles require client and server SSL and client and server HTTP2 profiles. But you can get around that.
- Configure your helper VIP accordingly
- HTTP profile
- Client SSL profile with Renegotiation disabled
- Server SSL profile with Regenotiation disabled
- HTTP2 client profile (under Acceleration)
- HTTP2 server profile
- VLAN: listening on none
- Pool to resource
- Add the following iRule to the help VIP:
when CLIENT_ACCEPTED { SSL::disable clientside HTTP2::disable }
So then traffic should come to the VIP unencrypted, the iRule will disable clientside SSL and HTTP2, then encrypt with HTTP2 to the server.
- Configure your helper VIP accordingly