private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development
Table of Contents
Jetty supports both a client and a server implementation for the HTTP/2 protocol as defined by RFC 7540.
The requirements for running HTTP/2 are JDK 8 or greater, and typically also ALPN support (see Chapter 15, Application Layer Protocol Negotiation (ALPN)).
A server deployed over TLS (SSL) normally advertises the HTTP/2 protocol via the TLS extension Application Layer Protocol Negotiation (ALPN).
To use HTTP/2 in Jetty via a TLS connector you need to add the ALPN boot jar in the boot classpath. This is done automatically when using the Jetty distribution’s start.jar module system, but must be configured directly otherwise.
In mid-2019, there were a number of CVEs were issued warning against vulnerable HTTP/2 implementations. These CVEs (CVE-2019-9511 thru CVE-2019-9518) generally centered around attackers manipulating and flooding HTTP/2 servers and creating a denial of service (DOS). These vulnerabilities were patched with Jetty 9.4.21.
As a result of these CVEs, Jetty introduced a new, configurable denial of service (DOS) protection feature in Jetty 9.4.22.
Jetty’s HTTP/2 implementation now features a new Rate Control parameter,
jetty.http2.rateControl.maxEventsPerSecond, that defaults to 20 events per second, per connection for all pings, bad frames, settings frames, priority changes etc.
The Jetty HTTP/2 implementation consists of the following sub-projects (each producing a jar file):
http2-common: Contains the HTTP/2 API and a partial implementation shared across other modules.
http2-hpack: Contains the HTTP/2 HPACK implementation for HTTP header compression.
http2-server: Provides the server-side implementation of HTTP/2.
http2-client: Provides the implementation of HTTP/2 client with a low level HTTP/2 API, dealing with HTTP/2 streams, frames, etc.
http2-http-client-transport: Provides the implementation of the HTTP/2 transport for
HttpClient(see Chapter 22, HTTP Client). Applications can use the higher level API provided by
HttpClientto send HTTP requests and receive HTTP responses, and the HTTP/2 transport will take care of converting them in HTTP/2 format (see also this blog entry).