HTTP2 connection coalescing and concurrent multiplexing for virtual server load balancing NEW
HTTP2 connection coalescing and concurrent multiplexing allows multiple HTTP2 requests to share the same TLS connection when the destination IP is the same.
To configure the load balanced virtual server:
config firewall vip edit <name> set type server-load-balance set server-type {http | https} set http-multiplex {enable | disable} set http-multiplex-ttl <integer> set http-multiplex-max-request <integer> set http-supported-max-version {http1 | http2} next end
http-multiplex {enable | disable} |
Enable/disable HTTP multiplexing. |
http-multiplex-ttl <integer> |
Set the time-to-live for idle connections to servers (in seconds, 0 - 2147483647, default = 15). |
http-multiplex-max-request <integer> |
Set the maximum number of requests that the multiplex server can handle before disconnecting (0 - 2147483647, default = 0). |
http-supported-max-version {http1 | http2} |
Set the maximum supported HTTP version:
|
Example
In this example, multiple clients submit requests in HTTP2. The requests hit the VIP address, and then FortiProxy opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session as the multiple streams share the same TLS session to connect to the same destination server.
To configure connection coalescing and concurrent multiplexing with virtual server load balancing:
-
Configure the virtual server:
config firewall vip edit "vip-test" set type server-load-balance set extip 10.1.100.222 set extintf "port2" set server-type https set extport 443 config realservers edit 1 set ip 172.16.200.99 set port 443 next end set http-multiplex enable set ssl-mode full set ssl-certificate "Fortinet_SSL" next end
-
Configure the firewall policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "port3" set action accept set srcaddr "all" set dstaddr "vip-test" set schedule "always" set service "ALL" set utm-status enable set inspection-mode proxy set ssl-ssh-profile "deep-inspection-clone" set av-profile "av" set logtraffic all set nat enable next end
-
Get the clients to access the VIP address (10.1.100.222). The FortiProxy shares the first TLS connection with second TLS connection.
-
Verify the sniffer packet capture on the FortiProxy server side. There is one client hello.
-
Disable HTTP multiplexing:
config firewall vip edit "vip-test" config realservers edit 1 set type ip set ip 172.16.200.99 set port 443 next end set http-multiplex disable next end
-
Verify the sniffer packet capture. This time, the FortiProxy does reuse the TLS connection, so there are two client hellos sent to the real server.