TRA Virtual Server HTTP/2 Support

Traffic Routing Agent (TRA) virtual servers (VS) support HTTP/2 as a wrapper protocol for incoming MATRIXX Data Container (MDC) messages. This allows greater interoperability with other components that support HTTP/2. On the protocol level, each request or response MDC message is contained within a single HTTP message.

Each request and its response are paired on an HTTP/2 stream: a single request receives its response over the same HTTP/2 stream. Different requests can use different HTTP/2 streams over the same connection to avoid blocking.

HTTP/2 can be configured to use TCP connections or TLS connections. If TLS is chosen as the transport layer, you must specify a valid set of certificates and keys.

The inbound protocol, where TRA is a server, can use the HTTP/2 protocol, but the outbound protocol, where TRA is a client, is always MDC. TRA accepts HTTP/2 messages, unwraps them, and then sends raw MDC messages out. To support HTTP/2, configure a VS with the http2_mdc protocol. An HTTP/2 client must send an MDC message as the request body. The server then sends an MDC message as the response body.

Optionally, you can configure a response timeout. The timeout is 3 seconds by default. If no response message is received from the downstream connection within the configured duration, the HTTP/2 client receives a 500 error response.

The following configuration excerpt shows the configuration for a VS that accepts MDC messages over unsecured HTTP/2:

<virtual-servers-options>
    <vsopt name="Http2VsOpt" http2-response-timeout-in-millis="500"/>
</virtual-servers-options>

<virtual-servers>
    <vs name="vsMdcSubDomains" vip="vip-ext" port="4063" downstream-port="4060" protocol="http2_mdc" pool="mdcSubDomains" vsopt="Http2VsOpt"/>
</virtual-servers>

For a secured HTTP/2 configuration, mark the VS as secured (secured="true") and set the security-allow-any-tcp-traffic and security-require-client-certificate options, as shown in the following excerpt:

<virtual-servers-options>
    <vsopt name="SecurityVsOpt"
        security-allow-any-tcp-traffic="true"
        security-require-client-certificate="false"
        http2-response-timeout-in-millis="500"/>
</virtual-servers-options>

<virtual-servers>
    <vs name="vsMdcSubDomains" vip="vip-ext" port="4060" vsopt="SecurityVsOpt" protocol="http2_mdc"
        pool="mdcSubDomains" preferred-fqdn="ThePreferred.abc" fqdn-validate="false" secured="true"/>
</virtual-servers>

Configuration Examples

These configuration excerpts show the minimum working set of configuration files to enable an HTTP/2 VS.

The following tra_config.xml excerpt shows a single node defined on localhost:

<?xml version="1.0"?>
<tm-config>
    <parameters
        network-topology-configuration-file="./tra_config_network_topology.xml"
        node-poll-interval-clock-ticks="4"
        failed-node-timeout-poll-intervals="5"
        udp-connection-idle-timeout-sec="10"
        udp-connection-max-count="64"
        tcp-connection-max-count="256"
        product-name="TRA"
        check-network-interface-interval-sec="4"
        diameter-max-pdu-size="121000"
        mdc-max-pdu-size="120000"
        debug="1"
        lock-process-memory="off"
        />
    <tm-cluster
        p2p-port="7979"
        clock-tick-msec="50"
        min-clock-ticks-in-state="9"
        fence-node-delay-clock-ticks="4"
        fence-node-action="1"
        >
        <nodes>
            <node id="1" mgmt-address="127.0.0.1" p2p-address="127.0.0.1"/>
        </nodes>
    </tm-cluster>
</tm-config>

The following tra_config_network_topology.xml excerpt shows an unsecured VS vsMdc configured with the http2_mdc protocol on port 4060. The secured VS vsMdcSecured is configured with the http2_mdc protocol on port 4061. Both servers forward requests to the same mdcTestPool pool:

<?xml version="1.0"?>
<tm-config>
    <pools>
        <pool name="mdcTestPool" monitor="tcp-connect" balance-method="round-robin" monitor-port="4060">
            <node name="node1" id="1" address="127.0.103.3"/>
        </pool>
    </pools>

    <vip-addresses>
        <vip name="vip-ext" ifName="lo" addrIsFloating="false" address="127.0.0.200" netmask="32"/>
    </vip-addresses>

    <virtual-servers-options>
        <vsopt name="Http2VsOpt" http2-response-timeout-in-millis="500"/>
        <vsopt name="SecurityHttp2VsOpt" security-allow-any-tcp-traffic="true"
            security-require-client-certificate="false" http2-response-timeout-in-millis="500"/>
    </virtual-servers-options>

    <virtual-servers>
        <vs name="vsMdc" vip="vip-ext" port="4060" protocol="http2_mdc" pool="mdcTestPool"
            vsopt="Http2VsOpt"/>
        <vs name="vsMdcSecured" vip="vip-ext" port="4061" vsopt="SecurityHttp2VsOpt" protocol="http2_mdc"
            pool="mdcTestPool" preferred-fqdn="ThePreferred.abc" fqdn-validate="false" secured="true"/>
    </virtual-servers>
</tm-config>
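
The following Python check is an added example, not part of the MATRIXX documentation or product. It lists, for each http2_mdc VS in a topology file, the security-related settings from the excerpts above so they can be reviewed before deployment. It reports only explicitly set values, because this page does not state what each option enforces or its default; the function name audit_http2_vs and the choice of settings to flag are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the topology excerpt above (pools and VIPs omitted).
SAMPLE = """<?xml version="1.0"?>
<tm-config>
    <virtual-servers-options>
        <vsopt name="Http2VsOpt" http2-response-timeout-in-millis="500"/>
        <vsopt name="SecurityHttp2VsOpt" security-allow-any-tcp-traffic="true"
            security-require-client-certificate="false" http2-response-timeout-in-millis="500"/>
    </virtual-servers-options>
    <virtual-servers>
        <vs name="vsMdc" vip="vip-ext" port="4060" protocol="http2_mdc" pool="mdcTestPool"
            vsopt="Http2VsOpt"/>
        <vs name="vsMdcSecured" vip="vip-ext" port="4061" vsopt="SecurityHttp2VsOpt" protocol="http2_mdc"
            pool="mdcTestPool" preferred-fqdn="ThePreferred.abc" fqdn-validate="false" secured="true"/>
    </virtual-servers>
</tm-config>"""

# Assumption: these explicit vsopt values deserve review; their meaning is inferred from the names.
FLAGGED_VSOPT = (("security-require-client-certificate", "false"),
                 ("security-allow-any-tcp-traffic", "true"))

def audit_http2_vs(xml_text):
    """Map each http2_mdc VS name to the list of settings that need review."""
    root = ET.fromstring(xml_text)
    opts = {o.get("name"): o.attrib for o in root.iter("vsopt")}
    report = {}
    for vs in root.iter("vs"):
        if vs.get("protocol") != "http2_mdc":
            continue  # only HTTP/2-wrapped MDC listeners are in scope
        found = report.setdefault(vs.get("name"), [])
        if vs.get("secured") != "true":
            found.append("secured not set to true")
            continue  # the security-* options apply to the secured VS
        opt = opts.get(vs.get("vsopt"))
        if opt is None:
            found.append("vsopt not defined")
        for key, flagged in FLAGGED_VSOPT:
            if (opt or {}).get(key) == flagged:
                found.append(f"{key}={flagged}")
        if vs.get("fqdn-validate") == "false":
            found.append("fqdn-validate=false")
    return report

if __name__ == "__main__":
    for name, found in audit_http2_vs(SAMPLE).items():
        print(name, "->", found or "no flagged settings")
```

Confirm each flagged setting against the product reference for your release before treating it as acceptable or not.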