search cancel

Support of HTTP/2 by ProxySG or Advanced Secure Gateway.

book

Article ID: 174021

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. The standardization effort was supported by Chrome, Opera, Firefox, Internet Explorer 11, Safari, Amazon Silk, and Edge browsers. Most major browsers had added HTTP/2 support by the end of 2015.

Resolution

Both ProxySG and ASG support HTTP/2 starting with 7.1.1.1 and later. Handling of HTTP/2 for prior releases is as follows:

  • ProxySG or ASG running SGOS 6.7 supports HTTP/2 via downgrading to HTTP/1.1.
  • ProxySG or ASG running SGOS 6.6.3.2 or later supports HTTP/2 via downgrading to HTTP/1.1.
  • ProxySG running SGOS 6.5.8.3 or later supports HTTP/2 via downgrading to HTTP/1.1.

Note: For any issues experienced with HTTP/2 on SGOS releases that do not support it, you can apply a workaround at the browser level or tunnel the requests in question (see below).

 

Workaround

Disable HTTP/2 protocol in your browsers to allow the ProxySG appliance to load the webpage.

  • Chrome:
    • Create a shortcut with the following target in order to disable the HTTP2 flag (location might change depending on the OS):

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-http2

  • Firefox:
    • In the address bar, enter: about:config
    • In the list of commands, find network.http.spdy.enabled.http2
    • Set network.http.spdy.enabled.http2  to false
  • Internet Explorer:
    • Select Tools > Internet Options > Advanced.
    • Under HTTP settings, clear the Use HTTP/2 check box.

For explicit ProxySG deployments, protocol detection can be used for HTTPS connections so that the HTTP traffic is tunneled through the appliance:

     <proxy>
     url.domain=example.com detect_protocol(none)

Additional Information

HTTP/2 offers improved performance due to its compression of HTTP headers, and multiplexing multiple requests and responses over a single connection. The feature is enabled by default, without the need for additional configuration or policy, and includes the following:

  • HTTP/2-enabled browsers use HTTP/2 when going through the proxy
  • Clients requests use HTTP/2 when making requests to the proxy
  • Proxy uses HTTP/2 when sending requests to upstream hosts
  • Existing policy for inspecting HTTP traffic and sending it to an ICAP service also apply to HTTP/2 requests and
    responses

You can change the above default behavior by configuring settings and policy via the appliance CLI.

Configuring HTTP/2 Settings and Policy
To configure HTTP/2 on the appliance, use the new #(config) http2 commands. Refer to the Command Line Interface Reference for details.