HTTP/2 frames with websocket permessage-deflate option

Posted by Dave Cottlehuber 
April 11, 2018 12:10PM
I've been taking HTTP/2 for a spin, using a phoenix[1] app with websockets. The basic "does it connect" works very well already (thank you!) but I'm not sure if it's possible to enable per-frame compression within websockets or not -- or even intended?

My use case is to reduce the size of JSON blobs traversing a websocket connection, where a reasonable portion of frames contain almost-identical JSON from one to the next:

http/1.1 backend connection upgraded to websockets
|
| JSON blobs...
|
haproxy
|
| JSON blobs...
|
http/2 frontend to browser (using TLS obviously)

I can see that my endpoints are requesting permessage-deflate option, but that haproxy is not returning that header back to indicate its support for it.

While haproxy has no way of knowing that a particular stream would benefit from compression or not, the application developer *does* know, and I could ensure that compressible websocket requests use a different endpoint, or some form header + acl, to enable that, for example.

Some thoughts:

- in general, I prefer to keep away from compression over TLS because of BREACH and CRIME vulnerability classes
- this long-running websockets connection is particularly interesting for compression however as the compression tables are apparently maintained across sequential frames on the client

Is this something that might come in future releases, or do you feel it's better left out due to compression overhead and vulnerability risks?

[1]: http://phoenixframework.org/

$ haproxy -vv
HA-Proxy version 1.8.6 2018/04/05
Copyright 2000-2018 Willy Tarreau <[email protected]>

Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label -DFREEBSD_PORTS
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1 USE_REGPARM=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with OpenSSL version : OpenSSL 1.0.2o-freebsd 27 Mar 2018
Running on OpenSSL version : OpenSSL 1.0.2o-freebsd 27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
[TRACE] trace
[COMP] compression
[SPOE] spoe
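The point the post touches on (compression state kept across sequential frames) is the "context takeover" behaviour of RFC 7692 permessage-deflate. The following is an added example, not code from the post or from haproxy: it implements the RFC 7692 framing with Python's zlib (raw DEFLATE, Z_SYNC_FLUSH, strip/re-append the 00 00 ff ff trailer) and measures a constructed stream of near-identical JSON updates with and without context takeover. The extension-offer parser and the sample messages are assumptions made for this example. The shared window is also why the author's BREACH/CRIME concern applies to such a channel: once attacker-influenced and secret bytes share one compression context, frame sizes leak information, and the `*_no_context_takeover` parameters modelled here are the protocol's knob for limiting that sharing at the cost of the compression gain.

```python
"""Added example (not from the post or haproxy): RFC 7692 permessage-deflate
framing, with and without context takeover, measured on constructed JSON."""
import json
import zlib

# RFC 7692 section 7.2.1: each compressed message ends with the empty stored
# block that Z_SYNC_FLUSH emits (00 00 ff ff); the sender strips those 4 octets
# and the receiver appends them again before inflating.
SYNC_FLUSH_TAIL = b"\x00\x00\xff\xff"
RAW_DEFLATE_WBITS = -15  # negative wbits: raw DEFLATE, no zlib header/trailer


def parse_extension_offer(header_value):
    """Parse one Sec-WebSocket-Extensions offer (assumed minimal parser), e.g.
    'permessage-deflate; client_max_window_bits; server_no_context_takeover'.
    Returns (extension_name, {param: value or None})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, params = parts[0], {}
    for param in parts[1:]:
        key, _, value = param.partition("=")
        params[key.strip()] = value.strip() or None
    return name, params


class PerMessageDeflate:
    """One endpoint of a permessage-deflate channel.

    context_takeover=True keeps the LZ77 window across messages, so bytes that
    repeat from earlier frames become short back-references.
    context_takeover=False models *_no_context_takeover: fresh state per message.
    """

    def __init__(self, context_takeover=True):
        self.context_takeover = context_takeover
        self._compressor = None
        self._decompressor = None

    def compress(self, payload):
        if self._compressor is None or not self.context_takeover:
            self._compressor = zlib.compressobj(6, zlib.DEFLATED, RAW_DEFLATE_WBITS)
        data = self._compressor.compress(payload) + self._compressor.flush(zlib.Z_SYNC_FLUSH)
        if not data.endswith(SYNC_FLUSH_TAIL):
            raise ValueError("unexpected sync-flush trailer")
        return data[:-len(SYNC_FLUSH_TAIL)]

    def decompress(self, data):
        if self._decompressor is None or not self.context_takeover:
            self._decompressor = zlib.decompressobj(RAW_DEFLATE_WBITS)
        return self._decompressor.decompress(data + SYNC_FLUSH_TAIL)


# Constructed sample: a stream of near-identical JSON updates, as in the post.
SAMPLE_MESSAGES = [
    json.dumps(
        {"type": "update", "channel": "prices:example", "seq": i,
         "payload": {"bid": 9990 + i, "ask": 10010 + i,
                     "venue": "constructed-sample-venue"}},
        sort_keys=True,
    ).encode("utf-8")
    for i in range(25)
]


def measure(messages, context_takeover):
    """Round-trip every message through a sender/receiver pair and return
    (total_plaintext_bytes, [compressed_size_per_message])."""
    sender = PerMessageDeflate(context_takeover)
    receiver = PerMessageDeflate(context_takeover)
    sizes = []
    for msg in messages:
        frame = sender.compress(msg)
        if receiver.decompress(frame) != msg:
            raise AssertionError("round-trip mismatch")
        sizes.append(len(frame))
    return sum(len(m) for m in messages), sizes


if __name__ == "__main__":
    print(parse_extension_offer(
        "permessage-deflate; client_max_window_bits; server_no_context_takeover"))
    plain, with_ctx = measure(SAMPLE_MESSAGES, context_takeover=True)
    _, without_ctx = measure(SAMPLE_MESSAGES, context_takeover=False)
    print(f"plaintext {plain} B, context takeover {sum(with_ctx)} B, "
          f"no context takeover {sum(without_ctx)} B")
    print("per-message sizes with takeover:", with_ctx)
```

The first frame costs the same either way; the gain (and the shared-state exposure) begins with the second message, which is visible in the per-message size list.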