Version: 9.4.24-SNAPSHOT

Chapter 16. HTTP/2

Table of Contents

Introducing HTTP/2
Enabling HTTP/2
Configuring HTTP/2
Configuring HTTP/2 Push
Configuring HAProxy and Jetty

Introducing HTTP/2

Jetty supports both a client and a server implementation for the HTTP/2 protocol as defined by RFC 7540.

The requirements for running HTTP/2 are JDK 8 or greater, and typically also ALPN support (see Chapter 15, Application Layer Protocol Negotiation (ALPN)).

A server deployed over TLS (SSL) normally advertises the HTTP/2 protocol via the TLS extension Application Layer Protocol Negotiation (ALPN).

Note

To use HTTP/2 in Jetty via a TLS connector you need to add the ALPN boot jar in the boot classpath. This is done automatically when using the Jetty distribution’s start.jar module system, but must be configured directly otherwise.

Jetty HTTP/2 Security Update

In mid-2019, a number of CVEs were issued warning against vulnerable HTTP/2 implementations. These CVEs (CVE-2019-9511 through CVE-2019-9518) generally centered around attackers manipulating and flooding HTTP/2 servers to create a denial of service (DoS). These vulnerabilities were patched in Jetty 9.4.21.

As a result of these CVEs, Jetty introduced a new, configurable denial of service (DoS) protection feature in Jetty 9.4.22.

Jetty's HTTP/2 implementation now features a new Rate Control parameter, jetty.http2.rateControl.maxEventsPerSecond, that defaults to 20 events per second per connection. The count covers all pings, bad frames, settings frames, priority changes, etc.
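To illustrate what a per-connection budget of control events means in practice, the following added example models a one-second sliding-window limiter. It is not Jetty's own code: the class name `ControlEventRateLimiter`, its `onEvent` method, the decision to close the connection when the budget is exceeded, and the sample traffic are all assumptions made for this sketch.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Illustrative sliding-window limiter for HTTP/2 control events; NOT Jetty's implementation. */
public class ControlEventRateLimiter {
    private static final long WINDOW_NANOS = 1_000_000_000L; // one second
    private final int maxEventsPerSecond; // plays the role of jetty.http2.rateControl.maxEventsPerSecond
    private final Deque<Long> events = new ArrayDeque<>(); // timestamps (ns) still inside the window

    public ControlEventRateLimiter(int maxEventsPerSecond) {
        this.maxEventsPerSecond = maxEventsPerSecond;
    }

    /** Records one control event (ping, settings, priority, bad frame); false means over budget. */
    public synchronized boolean onEvent(long nowNanos) {
        // Drop timestamps that have fallen out of the one-second window.
        while (!events.isEmpty() && nowNanos - events.peekFirst() >= WINDOW_NANOS) {
            events.pollFirst();
        }
        events.addLast(nowNanos);
        return events.size() <= maxEventsPerSecond;
    }

    public static void main(String[] args) {
        // Constructed input: one connection sending a PING every 10 ms (100 events/s).
        ControlEventRateLimiter flood = new ControlEventRateLimiter(20);
        for (int i = 0; i < 100; i++) {
            if (!flood.onEvent(i * 10_000_000L)) {
                // Assumption of this sketch: the caller closes the offending connection here.
                System.out.println("flood: limit exceeded at event " + (i + 1));
                break;
            }
        }
        // Constructed input: a well-behaved peer sending a keep-alive PING every 100 ms (10 events/s).
        ControlEventRateLimiter normal = new ControlEventRateLimiter(20);
        boolean withinLimit = true;
        for (int i = 0; i < 100; i++) {
            withinLimit &= normal.onEvent(i * 100_000_000L);
        }
        System.out.println("normal: within limit = " + withinLimit);
    }
}
```

Because the budget is tracked per connection, a single flooding peer trips the limit without affecting the counters of other connections.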

Jetty HTTP/2 Sub Projects

The Jetty HTTP/2 implementation consists of the following sub-projects (each producing a jar file):

  1. http2-common: Contains the HTTP/2 API and a partial implementation shared across other modules.
  2. http2-hpack: Contains the HTTP/2 HPACK implementation for HTTP header compression.
  3. http2-server: Provides the server-side implementation of HTTP/2.
  4. http2-client: Provides the implementation of HTTP/2 client with a low level HTTP/2 API, dealing with HTTP/2 streams, frames, etc.
  5. http2-http-client-transport: Provides the implementation of the HTTP/2 transport for HttpClient (see Chapter 22, HTTP Client). Applications can use the higher level API provided by HttpClient to send HTTP requests and receive HTTP responses, and the HTTP/2 transport will take care of converting them into HTTP/2 format (see also this blog entry).

See an error or something missing? Contribute to this documentation at GitHub! (Generated: 2019-11-25)