NetScaler SSL VIP configured for HTTP2 uses HTTP/1.1 despite enabling HTTP/2 on the VIP

Article ID: CTX225300

Description

Your SSL VIP is using HTTP/1.1 even though HTTP/2 has been configured.
You can confirm which protocol is in use with the browser's Developer Tools:

  1. Press F12 in Chrome/Firefox
  2. Choose the Network Tab.
  3. Load / Refresh the HTTPS page.
  4. In Firefox, click one of the items that has loaded in the list. In Chrome, right-click the column headers and ensure Protocol is checked.
  5. In Firefox, you will see the Protocol on the side as long as the Headers tab is selected. In Chrome, you will see the HTTP version in the Protocol column. In the article's example screenshots, Yahoo is successfully using HTTP/2.
NOTE: HTTP/2 is currently only implemented with SSL (HTTPS), and there are no browsers that support HTTP/2 for insecure HTTP.

Resolution

Below are the items that must be configured properly on the Vserver for HTTP/2 to work.

1. HTTP/2 must be enabled in the Profile and set on the Vserver.

Using CLI
  1. Enable Globally:
    set ns httpProfile nshttp_default_profile -http2 enabled
  2. Enable with a new Profile where the name of the HTTP profile is "nshttp_http2":
    add ns httpprofile nshttp_http2 -http2 enabled
  3. Bind the Global or New profile to your Vserver, in this case the Vserver is named TestVserver and I bind the new HTTP Profile created above:
    set lb vserver TestVserver -httpprofileName nshttp_http2
Using GUI
  1. Navigate to System->Profiles->HTTP Profiles and click Add.
  2. Enter the Name of the Profile.
  3. Check HTTP/2
  4. Click Create.
  5. Now Edit your Vserver.
  6. If Profiles is not shown, click it under Advanced Settings.
  7. Click the Pencil at the upper right section of Profiles to edit them.
  8. Under HTTP Profile, select the newly created/modified HTTP Profile.
  9. Click Ok.
 

2. TLS 1.2 must be enabled on the Vserver

Using CLI
Run this command:
set ssl vserver testVserver -tls12 enabled
 
Using GUI
  1. Edit your Vserver
  2. If SSL Parameters is not shown, click it under Advanced Settings
  3. Click the Edit Pencil at the top right of SSL Parameters.
  4. Check TLSv12
  5. Click Ok
 

3. Some ciphers do not support HTTP/2, so bind the Default cipher group to the Vserver.

Using CLI
bind ssl vserver testVserver -cipherName Default
 
Using GUI
  1. Edit your Vserver
  2. If SSL Ciphers is not shown, click it under Advanced Settings
  3. Click the Pencil at the top right of SSL Ciphers to edit them.
  4. Remove all ciphers, then add the DEFAULT cipher group.
  5. Click Ok
 

4. ECC curves must be bound to the Vserver

Using CLI
bind ssl vserver testVserver -ecccurvename ALL
 
Using GUI
  1. Edit your Vserver
  2. If ECC Curve is not shown, click it under Advanced Settings
  3. Click the > at the right of ECC Curves.
  4. Select ALL and click Select.
 
Note: If you are using a CS VIP, then HTTP/2 needs to be enabled on the CS VIP, not on the LB Vserver the CS VIP points to. Also, it is OK if the LB Vserver has an HTTP service group.

Problem Cause

HTTP/2 requires specific ciphers. These ciphers can only be used when the NetScaler is properly configured. This configuration involves TLS 1.2, ECC curves, proper ciphers, and HTTP/2 being enabled in the Vserver's HTTP Profile.
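
One way to check a saved set of configuration commands against the four items above, as an added example that is not Citrix's code. It assumes the commands appear in the same form as the CLI lines in this article; `LegacyVserver`, `nshttp_legacy` and the function names are hypothetical, and a vserver with no HTTP profile bound is assumed to use `nshttp_default_profile`.

```python
# Constructed sample input: commands in the form the article uses, for two vservers.
SAMPLE_CONFIG = """\
add ns httpprofile nshttp_http2 -http2 enabled
set lb vserver TestVserver -httpprofileName nshttp_http2
set ssl vserver TestVserver -tls12 enabled
bind ssl vserver TestVserver -cipherName Default
bind ssl vserver TestVserver -ecccurvename ALL
add ns httpprofile nshttp_legacy -http2 disabled
set lb vserver LegacyVserver -httpprofileName nshttp_legacy
set ssl vserver LegacyVserver -tls12 enabled
bind ssl vserver LegacyVserver -cipherName Default
"""

def parse_options(tokens):
    """Map ['-http2', 'enabled'] to {'http2': 'enabled'}; keys and values lowercased."""
    return {tok[1:].lower(): tokens[i + 1].lower()
            for i, tok in enumerate(tokens[:-1]) if tok.startswith("-")}

def audit_http2(config_text, vserver):
    """Return {requirement: bool} for the four items, as stated in config_text."""
    vserver = vserver.lower()
    profile_http2 = {}                         # profile name -> last stated -http2 value
    bound_profile = "nshttp_default_profile"   # assumption: applies when none is bound
    found = {"tls12": False, "default_cipher": False, "ecc_curve": False}
    for line in config_text.splitlines():
        tok = line.split()                     # simple split: names with spaces unsupported
        if len(tok) < 5:
            continue
        verb, group, kind, name = (t.lower() for t in tok[:4])
        opts = parse_options(tok[4:])
        if (group, kind) == ("ns", "httpprofile"):
            if "http2" in opts:
                profile_http2[name] = opts["http2"]
        elif kind != "vserver" or name != vserver:
            continue
        elif group in ("lb", "cs") and "httpprofilename" in opts:
            bound_profile = opts["httpprofilename"]
        elif group == "ssl" and verb == "set" and "tls12" in opts:
            found["tls12"] = opts["tls12"] == "enabled"
        elif group == "ssl" and verb == "bind":
            found["default_cipher"] |= opts.get("ciphername") == "default"
            found["ecc_curve"] |= "ecccurvename" in opts
    found["http2_profile"] = profile_http2.get(bound_profile) == "enabled"
    return found

def missing_items(config_text, vserver):
    """Names of the requirements not stated for this vserver, sorted."""
    return sorted(k for k, ok in audit_http2(config_text, vserver).items() if not ok)

if __name__ == "__main__":
    for vs in ("TestVserver", "LegacyVserver"):
        print(vs, "missing:", missing_items(SAMPLE_CONFIG, vs) or "nothing")
```

An item reported as missing means the text given does not state it for that vserver, so a setting the appliance applies by default will still show up here and should be checked on the appliance itself.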

Issue/Introduction

What to look for when you have configured HTTP/2 on an SSL LB or CS VIP but it continues to use HTTP/1.1

Additional Information

http://docs.citrix.com/en-us/netscaler/11/system/http-configurations/configuring-http2.html