Administration Guide

HTTP2 connection coalescing and concurrent multiplexing for virtual server load balancing

HTTP2 connection coalescing and concurrent multiplexing allow multiple HTTP2 requests to share the same TLS connection when the destination IP is the same.

To configure the load balanced virtual server:
config firewall vip
    edit <name>
        set type server-load-balance 
        set server-type {http | https}
        set http-multiplex {enable | disable}
        set http-multiplex-ttl <integer>
        set http-multiplex-max-request <integer>
        set http-supported-max-version {http1 | http2}
    next
end

http-multiplex {enable | disable}

Enable/disable HTTP multiplexing.

http-multiplex-ttl <integer>

Set the time-to-live for idle connections to servers (in seconds, 0 - 2147483647, default = 15).

http-multiplex-max-request <integer>

Set the maximum number of requests that the multiplex server can handle before disconnecting (0 - 2147483647, default = 0).

http-supported-max-version {http1 | http2}

Set the maximum supported HTTP version:

  • http1: support HTTP 1.1 and HTTP1.
  • http2: support HTTP2, HTTP 1.1, and HTTP1 (default).

Example

In this example, multiple clients submit requests in HTTP2. The requests hit the VIP address, and then FortiProxy opens a session between itself (172.16.200.6) and the server (172.16.200.99). The coalescing occurs in this session as the multiple streams share the same TLS session to connect to the same destination server.

To configure connection coalescing and concurrent multiplexing with virtual server load balancing:
  1. Configure the virtual server:

    config firewall vip
        edit "vip-test"
            set type server-load-balance
            set extip 10.1.100.222
            set extintf "port2"
            set server-type https
            set extport 443
            config realservers
                edit 1
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "vip-test"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set ssl-ssh-profile "deep-inspection-clone"
            set av-profile "av"
            set logtraffic all
            set nat enable
        next
    end
    
  3. Get the clients to access the VIP address (10.1.100.222). The FortiProxy shares the first TLS connection with the second TLS connection.

  4. Verify the sniffer packet capture on the FortiProxy server side. There is one client hello.

  5. Disable HTTP multiplexing:

    config firewall vip
        edit "vip-test"
            config realservers
                edit 1
                    set type ip
                    set ip 172.16.200.99
                    set port 443
                next
            end
            set http-multiplex disable
        next
    end
  6. Verify the sniffer packet capture. This time, the FortiProxy does not reuse the TLS connection, so there are two client hellos sent to the real server.
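
The capture check in steps 4 and 6 can be automated. The following Python script is an added example, not part of the original guide: it counts TLS ClientHello records sent to the real server (172.16.200.99:443) in a classic pcap file. The two captures are constructed inline, and the function names, source ports and stub TLS records are assumptions made for illustration.

```python
import socket
import struct

def is_client_hello(data: bytes) -> bool:
    # TLS record: type 0x16 (handshake), major version 3; handshake type 0x01
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def count_client_hellos(pcap: bytes, server_ip: str, port: int = 443) -> int:
    """Count ClientHellos sent to server_ip:port (classic pcap, Ethernet/IPv4/TCP)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    target, count, off = socket.inet_aton(server_ip), 0, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4 + TCP
        tcp = 14 + (frame[14] & 0x0F) * 4  # start of the TCP header
        if len(frame) < tcp + 20:
            continue
        dport = struct.unpack_from("!H", frame, tcp + 2)[0]
        end = 14 + struct.unpack_from("!H", frame, 16)[0]  # IP total length
        data = frame[tcp + (frame[tcp + 12] >> 4) * 4:end]
        if frame[30:34] == target and dport == port and is_client_hello(data):
            count += 1
    return count

def pcap_record(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Build one pcap packet record (constructed sample data, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
HELLO = b"\x16\x03\x01\x00\x04\x01\x00\x00\x00"  # constructed ClientHello stub
APPDATA = b"\x17\x03\x03\x00\x01\x00"            # constructed application-data record
PROXY, SERVER = "172.16.200.6", "172.16.200.99"  # addresses from the example above
# Multiplexing enabled: one handshake, later requests ride the same connection.
MUX_ON = PCAP_HDR + pcap_record(PROXY, SERVER, 40001, 443, HELLO) \
    + pcap_record(PROXY, SERVER, 40001, 443, APPDATA) * 2
# Multiplexing disabled: each client request gets its own server-side handshake.
MUX_OFF = PCAP_HDR + pcap_record(PROXY, SERVER, 40001, 443, HELLO) \
    + pcap_record(PROXY, SERVER, 40002, 443, HELLO)

if __name__ == "__main__":
    print("http-multiplex enable :", count_client_hellos(MUX_ON, SERVER))
    print("http-multiplex disable:", count_client_hellos(MUX_OFF, SERVER))
```

To run it against a real capture, save the capture in classic pcap format; the magic-number check rejects pcapng files.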
