
Announcing HTTP/2 support for all Azure CDN customers - okket
https://azure.microsoft.com/en-us/blog/announcing-http-2-support-for-all-azure-cdn-customers/
======
MichaelGG
Azure has 3 CDN products from what I can tell. They have semi-overlapping
feature sets, though I guess now HTTP/2 is taken care of. We were using one of
them and experienced frequent timeouts. Switching to another fixed it. They
don't explain why they have these different products in the first place,
either.

~~~
theflagbug
That's what I really don't like about Azure. They seem to have multiple
differently named services that seem to basically do the same thing (Azure
Service Bus/Azure Storage Queues is one example that comes to my mind)

Also, the Azure Portal is ridiculously bad and slow.

~~~
m_fayer
Azure storage queues are basically "queues lite" while the service bus is more
full featured, think rabbitmq.

And the portal does indeed suck. The cli, on the other hand, is top notch.

~~~
theflagbug
Yup, but this took me way too long to figure out.

Sadly this goes for a lot of Azure services and all the enterprise-buzzword
laden documentation doesn't make that easier

~~~
m_fayer
You should look at the various official blogs around Azure, they're much more
down-to-earth and buzzword free than the formal docs.

------
martinknafve
When Verizon enabled this they forgot to test with Firefox ESR. So they
disabled enough ciphers that Firefox ESR could no longer connect to their
servers. We reported it to them and they rolled back and disabled HTTP2 the
next day. Guess they finished testing now.

------
tracker1
No mention of HTTPS, but don't all the current browsers, iirc require HTTPS
for HTTP/2 support? Which would be the bigger boost, if they allocated certs
(similar to letsencrypt) for the azure cdn. Or do they just require a cert
setup for http2 support?

~~~
slau
HTTP/2 doesn't work without HTTPS.

The standard technically allows non-TLS HTTP/2, but most clients, and I'm
guessing, servers, don't support non-TLS HTTP/2. nginx, for example, doesn't
support non-TLS HTTP/2.

~~~
Nullabillity
Nginx certainly supports unencrypted HTTP/2. I'm using it for my personal
website to have Haproxy as a separate TLS terminator. Mainly so that my cert
renewal scripts still work if there isn't an old cert available.

~~~
slau
I tried this a couple of days ago as I set up a new server, and when I enabled
HTTP/2 on non TLS server blocks, my clients would just try to download a
binary blob instead of showing the page I expected.

I fixed it after reading the following:
[http://serverfault.com/a/792857](http://serverfault.com/a/792857).

I admit I didn't look into it any further. Apologies if I spread wrong
information.

~~~
Nullabillity
That's a client issue, not an Nginx issue. Try accessing it through an stunnel
tunnel, for example.

That said, AFAIK, the protocol negotiation works at the TLS level, so non-TLS
servers need to listen on different ports for 1.1 and 2 if you want both.
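
Added example, not part of the thread: a Python sketch of why a cleartext port that speaks only HTTP/2 looks like a "binary blob" to an HTTP/1.1 client, using the client preface and 9-byte frame header from RFC 7540. The sample bytes and the `example.test` host are constructed, and the function names are illustrative.

```python
# Client connection preface, RFC 7540 section 3.5.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x7: "GOAWAY"}

# Constructed sample inputs (not captured traffic).
BROWSER_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
UPGRADE_GET = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
               b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
# One SETTINGS frame: length 6, type 4, flags 0, stream 0, one setting.
SERVER_SETTINGS = bytes.fromhex("000006040000000000" "000300000080")

def classify_client_hello(data):
    """Classify the first bytes a client sends on a cleartext port."""
    if data.startswith(H2_PREFACE):
        return "h2c-prior-knowledge"
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
        return "unknown"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    tokens = [t.strip() for t in headers.get(b"upgrade", b"").split(b",")]
    if b"h2c" in tokens and b"http2-settings" in headers:
        return "http1-upgrade-h2c"
    return "http1"

def parse_frame_header(data):
    """Decode the 9-byte HTTP/2 frame header (RFC 7540 section 4.1)."""
    if len(data) < 9:
        raise ValueError("an HTTP/2 frame header is 9 bytes")
    return {"length": int.from_bytes(data[0:3], "big"),
            "type": FRAME_TYPES.get(data[3], hex(data[3])),
            "flags": data[4],
            "stream_id": int.from_bytes(data[5:9], "big") & 0x7FFFFFFF}

def diagnose(client_bytes, server_bytes):
    """Return (client kind, server kind, whether the two can talk)."""
    client = classify_client_hello(client_bytes)
    if server_bytes.startswith(b"HTTP/1."):
        server = "http1"
    else:
        frame = parse_frame_header(server_bytes)
        is_preface = frame["type"] == "SETTINGS" and frame["stream_id"] == 0
        server = "h2" if is_preface else "unknown"
    ok = server != "unknown" and (client == "h2c-prior-knowledge") == (server == "h2")
    return client, server, ok
```

`diagnose(BROWSER_GET, SERVER_SETTINGS)` reports the mismatch: the client expects an `HTTP/1.x` status line and instead receives a binary SETTINGS frame.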

------
ehsankia
How does this compare to other CDNs, and to Amazon, Google's offering? I
thought HTTP/2 support became standard quite a while back.

~~~
kuschku
Amazon added it only recently for some properties – CloudFront was the latest,
last September [1]

And Google has had it since forever [2]

That said, while HTTP/2 is now out, IPv6 is still a sad story, especially with
AWS.


[1] "New – HTTP/2 Support for Amazon CloudFront",
[https://aws.amazon.com/blogs/aws/new-http2-support-for-cloudfront/](https://aws.amazon.com/blogs/aws/new-http2-support-for-cloudfront/)

[2] "Full Speed Ahead with HTTP/2 on Google Cloud Platform",
[https://cloudplatform.googleblog.com/2015/10/Full-Speed-Ahead-with-HTTP2-on-Google-Cloud-Platform.html](https://cloudplatform.googleblog.com/2015/10/Full-Speed-Ahead-with-HTTP2-on-Google-Cloud-Platform.html)

We’re not breaking any news here, because Google Cloud Platform support for
SPDY has been enabled for many years, and support for its successor (HTTP/2)
was enabled earlier this year.

~~~
wfunction
> That said, while HTTP/2 is now out, IPv6 is still a sad story, especially
> with AWS.

The problem I see with IPv6 is that it very much encourages a unique, even
static address for each device on your network, which is a privacy and
security hole that NAT addresses for IPv4. So I'm not exactly dying to use it
if I can avoid it.

~~~
blibble
> The problem I see with IPv6 is that it very much encourages a unique, even
> static address for each device on your network

this is what ipv6 privacy addresses[1] are for! they are on by default on
Windows, for Linux you need to change a sysctl

[1]:
[https://en.wikipedia.org/wiki/IPv6#Privacy](https://en.wikipedia.org/wiki/IPv6#Privacy)

~~~
johncolanduoni
They're the default on OS X as well for recent versions

------
ejcx
It's interesting that http2 server push is not supported. Any reason why?
Server push is a weird feature but very useful and popular.

~~~
throwasehasdwi
Probably because it requires sockets to be kept open. Makes it a lot easier to
DDOS the server (because you need to maintain HTTP + TCP state), especially at
CDN traffic levels.

Too bad IPV4 NAT has made open ports on client machines nearly impossible,
otherwise maintaining this connection would not be required.

~~~
chucke
> Probably because it requires sockets to be kept open.

HTTP2 requires kept-open sockets, not server push. HTTP1.1 already supports
keep-alive sockets btw, and CDNs have survived that DDoS attack :)

------
darkhorn
Does HTTP/2 support client side certificates?

~~~
charonn0
I think that's handled separately during the connection phase.

------
rodionos
Totally unrelated, but when is Microsoft going to rename Azure into something
else. The range of pronunciations, even in the U.S., is so broad.

