27 November 2015

Where do we go after Http 1.1 – Http2

by Mihail Stoyanov
Presentation was based on this article

What's the problem with HTTP 1?

We are so used to the web today that we rarely consider what happens behind the scenes when we open a web page. Take, for example, the portal of the CNN news agency. The home page contains over 100 pictures and resources besides the page itself.
  • Using HTTP 1, a new TCP connection is established for each resource in order to request it. That is 100 TCP connections and over 2 MB of data that needs to be downloaded for a single page. Quite wasteful!
  • Using HTTP 1.1, we have keep-alive and can send multiple requests over a single TCP connection, but since it works in a serial manner, if that one TCP connection is slow, all the resources are downloaded slowly.
  • In both cases headers are repeated for each request.

Here enters HTTP2

HTTP2 began its path to becoming a standard as SPDY in 2009. Google then announced it would start working on a way to speed up the web. At that time HTTP had reigned for over 12 years, having been standardized in 1997.

HTTP2 defines streams on top of the TCP/IP stack, a form of TCP over TCP. Since they are separate packages, if the responses for one of them are slow, the others would still continue to be fetched.

Each stream would have a structure inside it called a frame, the frame types being HEADERS, DATA, SETTINGS and PUSH_PROMISE. A typical conversation between a server and a client could start like this:
  • client would send HEADERS
  • server would respond
  • client will then send DATA
  • etc.
Because of this sequence, headers can be reused, reducing network traffic.
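To make the frame layout concrete, here is an added example (not from the presentation) that walks a client byte stream frame by frame, the way a proxy or dissector has to before it can inspect anything. The 9-byte frame header, the connection preface and the type codes follow the HTTP/2 specification (RFC 7540), which defines more frame types than the four named above; the helper names are hypothetical and the sample bytes are constructed, with placeholder header blocks instead of real compressed headers.

```python
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # fixed client connection preface
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
MAX_FRAME_SIZE = 16384  # protocol default until a SETTINGS frame raises it

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id."""
    head = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return head + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(buf, max_size=MAX_FRAME_SIZE):
    """Return (type_name, flags, stream_id, payload) tuples from a client byte stream."""
    if not buf.startswith(PREFACE):
        raise ValueError("missing HTTP/2 connection preface")
    pos, frames = len(PREFACE), []
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        # The top bit of the stream id field is reserved and must be ignored.
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if length > max_size:
            raise ValueError("frame exceeds maximum frame size")
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        name = FRAME_TYPES.get(ftype, "UNKNOWN(0x%02x)" % ftype)
        if name == "SETTINGS" and (stream_id != 0 or length % 6):
            raise ValueError("malformed SETTINGS frame")
        if name in ("DATA", "HEADERS") and stream_id == 0:
            raise ValueError(name + " frame on stream 0")
        frames.append((name, flags, stream_id, payload))
        pos += 9 + length
    return frames

# Constructed sample: preface, empty SETTINGS, then two requests interleaved
# on streams 1 and 3. Header block bytes are opaque placeholders, not real HPACK.
SAMPLE = PREFACE + b"".join([
    build_frame(0x4, 0x0, 0),
    build_frame(0x1, 0x4, 1, b"<hdr-block-1>"),   # END_HEADERS
    build_frame(0x1, 0x5, 3, b"<hdr-block-3>"),   # END_HEADERS | END_STREAM
    build_frame(0x0, 0x1, 1, b"name=value"),      # END_STREAM
])

if __name__ == "__main__":
    for name, flags, sid, payload in parse_frames(SAMPLE):
        print("%-9s stream=%d flags=0x%02x len=%d" % (name, sid, flags, len(payload)))
```

The length and stream-id checks are the part worth keeping in any tool that reads frames from the wire: a parser that trusts the declared length or accepts SETTINGS on a non-zero stream will misalign on every frame that follows.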

Who uses this?


Dealing with HTTP2

  • Browsers don't really play well with HTTP2 yet
  • Headers could give away HTTP2, Chrome has chrome://net-internals/#http2
  • Burp Suite
  • ZAP
  • cURL
  • Wireshark - handles SSL with a private key only; browsers support only strong crypto with HTTP2, see perfect forward secrecy

Deploying HTTP2 apps

There is a list of all known implementations of the HTTP2 standard in GitHub.
  • Tomcat
  • Undertow - limited usage
  • Jetty
  • Nginx after version 1.9.5
  • Apache after version 2.4.17
The presentation was cut off here, but the slides at the beginning of this article contain some interesting hints on how one could play along with the jprime.io web site to test HTTP2.


Sooner or later HTTP2 is going to phase out all previous implementations of the HTTP protocol. At this point it is still the ground of pioneers, but adoption will grow, and with it the necessary tooling and framework support. Java 9 is just one of the upcoming platforms that will include a full-fledged HTTP2 client, and there are others that already have one (as mentioned in the article).

So look out world. HTTP2 is coming.
