mod_h2

Implementing HTTP/2

for Apache HTTPD

Stefan Eissing, greenbytes GmbH / @icing

Topics

  • Motivations
  • HTTP/2? Ez!
  • Challenges
  • Observations
  • Compliance

Motivations

  • GSMA: h2c as migration choice
  • GSMA: cache/accelerators common
  • greenbytes: Cool!
  • Apache: Take that, nginx!

The African villages are in South America!

Ez!

  • Look at mod_spdy
  • Take nghttp2, test with curl
  • Optimize a bit...

Jan - July 2015

mod_spdy

  • C/C++ hybrid SPDY engine
  • Apache httpd 2.2 pluggable
  • Solved many plumbing details

Pioneered by Matthew Steele and Bryan McQuade!

nghttp2 + curl

  • The Reference Implementations
  • C, high Quality
  • Well Documented
  • Excellent Support

Many Thanks to Tatsuhiro Tsujikawa and Daniel Stenberg!

mod_h2

Donated by GSMA and greenbytes in July

Optimize a bit

Evolution of mod_h2 performance.

[Chart series, March to July: requests / sec (scale up to ~50k) for http/1 and for mod_h2 at increasing # streams]

Challenges

  • Processing Models
  • Resource Management
  • Parameter Variations

Processing Models

Processing an h2 connection is vastly different in terms of (Connection/Request/Thread).

  • 1-1-1 (http/1)
  • 1-n-m (h2)

In h2, 1 connection has n ongoing requests, worked on by m threads.

Existing runtimes are optimized for 1-1-1

Resource Management

Not new, but different.

  • File Handles
  • Threads, Locking
  • Scheduling

Servers manage resources per connection. h2 adds two orders of magnitude.

Keeping file handles open reduces buffer copies.

Connection fairness vs. priority handling.

Variations

Many parameters in play, what to optimize for?

Requesting 1k, 10k, 10M resource mix on 8 connections+threads, 100 max streams.
*64k just for testing, TLS layer does max 16k fragments itself.
[Chart: MB/sec (scale up to ~1200) by Write Sizes: 2k, 4k, 8k, 16k, 64k*]

max streams, window sizes, priorities, processing modules, worker capacities, buffer sizes...

Observations

  • A Wave
  • Miracle Preforker
  • More Force

Ultimately: Cycles/Request

A Wave

Requesting different resource sizes.

1 Gbps ethernet, Core i5 2010 server.

[Charts: requests / sec (axis marks ~18k and 8k) against # streams, one panel each for 10k, 7.5k, 4k, 2k and 1k resources]

Miracle Preforker

Best: mpm_prefork + 1 worker

  • mpm_prefork
  • mpm_worker

[Charts, one per MPM: requests / sec (scale up to ~60k) for http/1 and at increasing # streams]

But best in what exactly?

More Force

Transfer of 10 MB resources

[Chart: GB/sec (scale up to ~5) for http, h2c, https, h2+prefork, h2+worker]

Measured on localhost: buffer copies, encryption.

Compliance

  • Missing
  • Configure
  • Clients
  • Futures

"You're off the edge of the map, mate. Here there be monsters."

Missing

  • Server Push (Link Header?)
  • Priority Worker Assignment
  • OpSec http vs. https safety

How do YOU do it?

Configure

RFC 7540 compliance configured, not coded.

  • Upgrades on any HTTP/1 request
  • Direct on any connection start
  • Ciphers unchecked when negotiating

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
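
As an added example (not part of the original slides or of mod_h2), this Python sketch sorts the SSLCipherSuite entries above by the RFC 7540 Appendix A rule: suites without an ephemeral key exchange or with a non-AEAD cipher are on the black list, and section 9.2.2 lets a peer answer them with INADEQUATE_SECURITY. Matching on OpenSSL suite names is an assumption of this example; selector expressions such as kEDH+AESGCM are reported as unresolved instead of being expanded.

```python
import re

# SSLCipherSuite value copied from the slide above.
SLIDE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)
EPHEMERAL = ("ECDHE-", "DHE-")      # key exchanges RFC 7540 accepts
AEAD = ("GCM", "CCM", "CHACHA20")   # AEAD markers in OpenSSL suite names

def classify(cipher_string):
    """Return (entry, verdict) pairs in the order the string lists them."""
    verdicts = []
    for entry in filter(None, re.split(r"[:, ]+", cipher_string)):
        if entry[0] in "!-":        # exclusions only remove suites
            continue
        if "+" in entry or "-" not in entry:
            verdict = "unresolved"  # selector, needs OpenSSL to expand
        elif entry.startswith(EPHEMERAL) and any(m in entry for m in AEAD):
            verdict = "h2-ok"
        else:
            verdict = "blacklisted"
        verdicts.append((entry, verdict))
    return verdicts

def h2_suites_preferred(verdicts):
    """True when no blacklisted suite is listed ahead of an h2-ok one."""
    seen_blacklisted = False
    for _, verdict in verdicts:
        if verdict == "blacklisted":
            seen_blacklisted = True
        elif verdict == "h2-ok" and seen_blacklisted:
            return False
    return True

if __name__ == "__main__":
    result = classify(SLIDE_CIPHERS)
    for entry, verdict in result:
        print(f"{verdict:12} {entry}")
    print("h2-ok suites listed first:", h2_suites_preferred(result))
```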

Clients

  • Tests with curl, Protocol::HTTP2, nghttp,
  • Firefox, Chrome, Edge, iOS9
  • All working well, slight differences
  • Ciphers, priorities and h2c support
  • UX of "insufficient security" sucks!

New game: 421 ping pong!

Futures

  • Release in 2.4.x
  • Tighter Integration, less Cycles
  • Reshaping a HTTP/2 library
  • Timely Standard Extensions

Sponsoring Needed!

mod_h2

Thanks!