2018-04-04
Lightman Wang
In 1989, Sir Timothy John Berners-Lee invented the HTTP protocol on a NeXTcube workstation with 25 MHz CPU and several MBs of RAM. The protocol worked on networks with port connection speeds of 10 Mbits. Today, however, we have dramatically faster CPUs and thousands of MBs of RAM, but the main WWW protocol is still only HTTP/1.1. It was last updated in 1992, so why are we still using it?
While other protocols have been updated over the years (FTP became SFTP; POP3 evolved to IMAP; and telnet became SSH), HTTP/1.1 has not changed and has developed a lot of issues with speed, security, and user-friendliness as a result.
In 2015, however, the Internet Engineering Task Force (IETF) released HTTP/2, the second major version of the most useful internet protocol, HTTP. Here’s a look at why it’s good, why it’s not so good, and some ways you can get started using it today.
Google was the first to investigate issues with HTTP/1.1. At the time, they were spending millions of dollars a year to support their data centers, and the HTTP/1.1 protocol simply cost too much in terms of CPU resources and internet connection capacity. They developed SPDY as an experimental alternative to HTTP/1.1—a protocol designed for better security and improved page load times that would be the precursor to HTTP/2.
What are some pros to using HTTP/2?
Here’s a diagram showing what browsers currently support HTTP/2:
First of all, there really isn’t an alternative available today that’s superior to HTTP/2. Browsers refused to support SPDY in favor of HTTP/2, with only Mozilla Firefox still supporting SPDY. But, as an IT pro, you should still know the protocol’s weak points. Some experts believe that these issues may be fixed in the future with the release of the “HTTP/3” protocol, but for now, these are a few of the cons.
Most experts around the world expected a lot of new features in the HTTP/2 protocol, but these were not included in the final version. The main reason is simple: HTTP/2 must maintain backward compatibility with the old HTTP/1.1, by using the same POST and GET requests, codes of status (200, 301, 404, and 500), etc. Also, several new features like compression page headers are vulnerable for BREACH and CRIME attacks.
Encryption may guard you from those types of threats, but disputes inside the team of HTTP/2 developers led to a decision to “leave encryption as is in HTTP/1.1.” This means that owners of a website may still choose a lower level of security, potentially putting users at risk. Developers of browsers can “fix” this issue in a way—currently, they turn on HTTP/2 only if SSL/TLS protocols are available.
This may not sound too bad, but the reality is that cookies may be stolen or tampered with by hackers. This means that hackers can gain access to your email, social networks, and other websites that contain your personal data, even without passwords. This is called a cross-site scripting (XSS) attack.
Experts hoped that cookies would be replaced with new technologies, but so far they have not.
If you’re a client-side user, all you need to do is update your browser to the newest version. Most browsers support HTTP/2.
If you’re a server-side user, the process of upgrading to HTTP/2 is little bit more complicated.
Here’s a quick guide for the most popular server OS and webserver: Apache running Ubuntu 14.04. Other configurations may require more steps and must be done by skilled Devops engineers (like Microsoft IIS). For Apache, HTTP/2 just requires installation of a module that can be easily enabled for any website.
First, install Apache version 2.4.17 or higher on your server. The installation of the HTTP/2 module for Apache takes just three steps:
1. Add repository:
sudo add-apt-repository ppa:ondrej/apache2
2. Now, update Apache2 from this repository to get the latest modules:
sudo apt-get upgrade apache2
3. Enable HTTP/2 protocol as a module for Apache:
sudo a2enmod http2
Now we must enable HTTP/2 for your virtual host. Open a .conf file for your virtual host. You’ll see something like this one:
<VirtualHost 192.168.1.1:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/star.example.com.crt
SSLCertificateKeyFile /etc/ssl/star.example.com.key
ServerName "one.example.com"
DocumentRoot "/var/www/html/one"
Protocols h2 http/1.1
CustomLog "/var/log/httpd/one-access.log" combined
ErrorLog "/var/log/httpd/one-error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
Add this line somewhere in the VirtualHost section: Protocols h2 http/1.1
Save this, close the file, and don’t forget to restart the Apache2 service:
service apache2 restart
If you’ve done all of this correctly, the HTTP/2 protocol will start working.
Nginx is a popular and very fast webserver that works especially well with static content (like .css, .js, or .jpg files). Google promised a 40 to 50 percent increase in speed with the SPDY (HTTP/2) protocol. But in 2014, the Russian company Yandex tested this by experimenting with the SPDY protocol for their Yandex Mail service along with the Nginx webserver, and the result wasn’t too impressive:
The picture above illustrates results of the experiment. Yandex was very interested in improving the download speed of static content (.js, .png, .css, etc.). The calculated percentile (80%) and median (average speed of download) show that the download speed was still relatively poor.
File load time was reduced by just 0.6 percent (and they checked it twice). So, this shows that using Nginx with HTTP/2 is not effective because this webserver is already very fast. Also, Nginx prioritizes server resources: for an inactive HTTP 10,000 to maintain 10,000 connections, it only needs 2.5 MB of RAM. SPDY as an early version of HTTP/2 was designed as a module for Apache that fixed specific issues, but currently it’s not effective for other webservers.
What SPDY does do well on Nginx is to reduce the number of TCP connections to servers and save some cost (processing power) by using a smaller CPU load.
Here’s a guide for Google Chrome users:
Open Developer Tools and click on the Network tab.
1. Open Developer Tools and click on the Network tab.
2. Now, right click on the header of the table and select the Protocol column to add it.
3. Do not close the Developer Tools, and refresh the page.
Upgrading to HTTP/2 is not just a task reserved for big projects. It’s also not as simple as just installing a module and turning it on. There are too many unclear aspects of its compatibility and other unpredictable results. If your target is mobile users, HTTP/2 will help you decrease page load times, but be careful with the Opera Mini browser.
Some experts like Poul-Henning Kamp, a member of the FreeBSD team and author of the popular Varnish cache, were not impressed with HTTP/2.
On the other side of the debate, Daniel Stenberg is a member of the Httpbis team where HTTP/2 was developed and the author of the cURL library. He initiated an http2-explained document project on Github and asked the community to help him translate it into other languages.
Whether you decide to start using HTTP/2 or not is definitely your own choice as the website owner, but it’s the future.
编程入门班·Python+Web开发入门 第20期
2024/12/11 08:30 (Sydney)
AWS入门一日训练营第二期(布里斯班)
2024/12/14 00:30 (Sydney)
Web全栈班25期暑假特别班(NodeJS+AI)
2024/12/15 08:30 (Sydney)
地址
Level 10b, 144 Edward Street, Brisbane CBD(Headquarter)Level 2, 171 La Trobe St, Melbourne VIC 3000四川省成都市武侯区桂溪街道天府大道中段500号D5东方希望天祥广场B座45A13号Business Hub, 155 Waymouth St, Adelaide SA 5000Disclaimer
JR Academy acknowledges Traditional Owners of Country throughout Australia and recognises the continuing connection to lands, waters and communities. We pay our respect to Aboriginal and Torres Strait Islander cultures; and to Elders past and present. Aboriginal and Torres Strait Islander peoples should be aware that this website may contain images or names of people who have since passed away.
匠人学院网站上的所有内容,包括课程材料、徽标和匠人学院网站上提供的信息,均受澳大利亚政府知识产权法的保护。严禁未经授权使用、销售、分发、复制或修改。违规行为可能会导致法律诉讼。通过访问我们的网站,您同意尊重我们的知识产权。 JR Academy Pty Ltd 保留所有权利,包括专利、商标和版权。任何侵权行为都将受到法律追究。查看用户协议
© 2017-2024 JR Academy Pty Ltd. All rights reserved.
ABN 26621887572