Enable http/2 for https & Set Keep-Alive header for http #4466

Open
florian-h05 opened this issue Dec 1, 2024 · 10 comments
Labels
enhancement An enhancement or new feature of the Core

Comments

@florian-h05
Contributor

When having multiple tabs of Main UI opened, the UI often fails to send HTTP requests to the server because the browser does not execute the requests.
This is because we are running into the max parallel HTTP connections limit.

To fix this issue, we need to keep alive HTTP connections for http and/or enable http/2 for https.
Enabling http/2 for https also brings other benefits, and http/2 has been supported by all major browsers for several years now (see https://caniuse.com/http2).
This fix seems to work as I have never experienced the above problems with my production instance running behind nginx where I use http/2 and https.

See https://community.openhab.org/t/openhab-4-3-milestone-discussion/158139/75?u=florian-h05, https://www.geeksforgeeks.org/what-are-max-parallel-http-connections-in-a-browser/ and https://www.baeldung.com/jetty-http-2 for more details.

Unfortunately I do not really know how Jetty dependencies are added to openHAB and I am not really confident in configuring Jetty through the XML in openhab-distro, so I need some help.

@J-N-K Since you already added WebSocket and Gzip to Jetty, may I ask for your help here?

@florian-h05 florian-h05 added the enhancement An enhancement or new feature of the Core label Dec 1, 2024
@openhab-bot
Collaborator

This issue has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/openhab-4-3-milestone-discussion/158139/75

@wborn
Member

wborn commented Dec 1, 2024

I did some testing with openHAB and HTTP/2 a while ago but it will only work with TLS so you also need a valid (self) signed certificate. I also got h2c (http/2 without TLS) working, however it's not supported by browsers 🙃 .

@florian-h05
Contributor Author

I am aware of the fact that HTTP/2 needs TLS, openHAB already ships with a valid self-signed certificate. Browsers are putting more and more restrictions on unencrypted connections, take microphone access on the SIP client widget as another example.

The described issue can be easily fixed for HTTPS by enabling HTTP/2; for HTTP only, it should be fixable or at least improvable by setting the Keep-Alive header.
As you already had HTTP/2 running, can you please get it running again?

@ghys
Member

ghys commented Dec 1, 2024

I've often wondered if it could be a service offered by the OH Foundation through myopenhab.org like this:

You would have a way to configure a DNS name that would resolve to your private instance IP like:

<user>-<hardtoguesssuffix>.private.myopenhab.org A <localip>

and also have a way to retrieve a certificate and private key for this name and set it for your instance instead of the self-signed certificate
(or the openHAB Cloud add-on could perhaps even do it for you)

Then you could use that DNS name instead of your local IP to access your instance over HTTPS and it would work - a secure origin for a local instance.

Let's Encrypt do easy wildcard certificates now (others too) so potentially we could issue and sign every certificate for the private.myopenhab.org subdomain.

This would mean the foundation becoming a certificate authority (so having to deal with certificate expirations/revocations, renewals, CRLs/OCSP and so on) as well as maintaining a custom DNS server, so, quite the project.

@kaikreuzer
Member

@ghys Why would this be necessary? If I get @florian-h05 correctly, a self-signed certificate (as we have it in place) is sufficient for HTTP/2?

@ghys
Member

ghys commented Dec 1, 2024

@kaikreuzer a self-signed certificate will never be sufficient until it's trusted by every client that ever accesses the site...
Trusting an unknown certificate is a manual operation that's pretty involved and depends on the OS.

@kaikreuzer
Member

@ghys So far the statements here were only that HTTP/2 requires TLS, but not that it requires a trusted certificate.
Checking StackOverflow, it does not seem to require trusted certs either, that's why I was asking.

@andrewfg
Contributor

andrewfg commented Dec 2, 2024

FWIW when I wrote the Hue API V2 binding, I had to get the Jetty dependencies for HTTP2 specifically pulled in, since previously OH Core was only pulling in the Jetty HTTP1 modules.

@ghys
Member

ghys commented Dec 2, 2024

@kaikreuzer yes you're right.

Please understand that I wasn't trying to coerce the foundation into doing anything, at this point it was only me and my thoughts 🙂

@kaikreuzer
Member

If there's an important use case, I wouldn't mind the foundation helping with it, but I just wasn't sure whether this discussion belongs in this issue here. 😄


6 participants