Enable http/2 for https & Set Keep-Alive header for http #4466
Comments
|
This issue has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/openhab-4-3-milestone-discussion/158139/75 |
|
I did some testing with openHAB and HTTP/2 a while ago but it will only work with TLS so you also need a valid (self) signed certificate. I also got h2c (http/2 without TLS) working, however it's not supported by browsers 🙃 . |
|
I am aware of the fact that HTTP/2 needs TLS, openHAB already ships with a valid self-signed certificate. Browsers are putting more and more restrictions on unencrypted connections, take microphone access on the SIP client widget as another example. The described issue can be easily fixed for HTTPS by enabling HTTP/2, for HTTP only it should be fixable or at least improveable by setting the Keep-Alive header. |
|
I've often wondered if it could be a service offered by the OH Foundation through myopenhab.org like this: You would have a way to configure a DNS name that would resolve to your private instance IP like:
and also have a way to retrieve a certificate and private key for this name and set it for your instance instead of the self-signed certificate Then you could use that DNS name instead of your local IP to access your instance over HTTPS and it would work - a secure origin for a local instance. Let's Encrypt do easy wildcard certificates now (others too) so potentially we could issue and sign every certificate for the private.myopenhab.org subdomain. This would mean the foundation becoming a certificate authority (so having to deal with certificate expirations/revocations, renewals, CRLs/OCSP and so on) as well as maintaining a custom DNS server, so, quite the project. |
|
@ghys Why would this be necessary? If I get @florian-h05 correctly, a self-signed certificate (as we have it in place) is sufficient for HTTP/2? |
|
@kaikreuzer a self-signed certificate will never be sufficient until it's trusted by every client that ever accesses the site... |
|
@ghys So far the statements here were only that HTTP/2 requires TLS, but not that it requires a trusted certificate. |
|
FWIW when I wrote the Hue API V2 binding, I had to get the Jetty dependencies for HTTP2 specifically pulled in, since previously OH Core was only pulling in the Jetty HTTP1 modules. |
|
@kaikreuzer yes you're right. Please understand that I wasn't trying to coerce the foundation into doing anything, at this point it was only me and my thoughts 🙂 |
|
If there's an important use case, I wouldn't mind to the foundation to help on it, but I just wasn't sure whether this discussion belongs to this issue here. 😄 |
|
This issue has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/openhab-4-3-release-discussion/160888/136 |
|
This issue has been mentioned on openHAB Community. There might be relevant details there: |
|
This issue has been mentioned on openHAB Community. There might be relevant details there: https://community.openhab.org/t/openhab-ui-hangs-until-i-close-another-openhab-browser-tab/161145/5 |
|
I think setting Keep-Alive will probably not solve the issue. HTTP/1 sessions without Keep-Alive are auto-closed after the GET (which auto-frees the session and allows a new one to be created). In other words Keep-Alive won't increase the maximum number of sessions. (Although it will increase the bandwidth and reduce the latency of such sessions). Also I have another doubt: We would only expect to see benefits from HTTP/1 sessions (with Keep-Alive), or HTTP/2 sessions, if the browser can share a single server session across multiple client tabs. To be honest I don't know how browsers handle inter-tab security, but I can imagine that they might sandbox each tab to prevent session sharing across tabs, and thus prevent cross-tab code injection exploits. Or?? |
That might be true.
Using HTTP/2 has fixed the issue for me, and others confirmed that as well. So we at least need to get HTTP/2 running. |
|
@wborn Since you said you already had HTTP/2 running. Can you please try to get it running again? I failed doing so. |
It seems to me that OH WebUI code could be improved so that instead of opening multiple SSE pipelines, it could cache and recycle a single pipeline instead. This is not a suggestion instead of HTTP/2 but rather a suggestion for an additional improvement. |
|
The UI needs at least two SSE connections in parallel. I think we need a different approach there ... what if the UI kills its SSE connections when it is not the active tab anymore? @ghys WDYT as well? |
|
PS this article may help with the jetty.xml config for enabling HTTP2 https://www.baeldung.com/jetty-http-2#configureHttp2JettyXml |
This could work at least for the "state updates" SSE (used in pages and widgets) where the work flow is such that you would ultimately get an initial message with the current states of the items you specified to track. For the general "events" SSE you would (currently) need to update the objects with the regular REST API when the tab is brought into the foreground again, and then get updates through SSE. |
|
@florian-h05 I can get HTTP/2 working, but not on the same port as HTTPS, only on 8444 (instead of 8443). What issues do you encounter? I added two sections to and lowered the start-level of |
That did the trick, now HTTP/2 works for me, thanks! |
|
How can I configure the start-level of that bundle so that I don't have to set it through the shell? |
|
Perhaps unrelated to the ongoing discussion/solution of using TLS with HTTP/2, but do we know why this issue seems to have gotten worse in 4.3? In 4.2 I always had three active tabs running without issues, but I immediately ran into issues after upgrading to 4.3. I'm wondering if there is something else at play that also might need to be looked into. |
|
4.2 normally hold 1-2 SSE connections: 1 SSE connection for tracking Item states, and for listening to the event bus when relevant (e.g. when viewing the rules list). 4.3 always enables that last SSE connection to listen to Item changes to reload the semantic model if required, so you end up with 2-3 SSE connections. |
Related to #2584 and openhab/openhab-core#4466. This avoids that the global SSE connection is always established, and therefore reduces problems with the max parallel HTTP connections limitation. The global SSE connection is now only established if the web audio sink or the command Item are enabled. Whilst this change potentially makes the UI not reload the model automatically on change, practically the now removed mechanism might haven't been really useful at all because the model is already reloaded on Main UI start, and if SSE was not connected the moment an Item changed the mechanism did not trigger. Signed-off-by: Florian Hotze <[email protected]>
Related to #2584 and openhab/openhab-core#4466. This avoids that the global SSE connection is always established, and therefore reduces problems with the max parallel HTTP connections limitation. The global SSE connection is now only established if the web audio sink or the command Item are enabled. Whilst this change potentially makes the UI not reload the model automatically on change, practically the now removed mechanism might haven't been really useful at all because the model is already reloaded on Main UI start, and if SSE was not connected the moment an Item changed the mechanism did not trigger. Signed-off-by: Florian Hotze <[email protected]> (cherry picked from commit 5d7f35a)
You can add this to the top of the openhab-tp |
|
It either does not work or I am not able to correctly build distro with my core changes ... I am still getting: |
|
Okay, got it working now - my mistake, wasn't able to build distro properly local. |
|
An update: With HTTP/2 enabled now, remaining issue is plain HTTP. Unfortunately will the Keep-Alice not help, after some investigation I noticed we are running into the max parallel connections limit because of the UI‘s SSE subscriptions. Unfortunately openHAB Cloud doesn’t support WS yet, but as I anyway would start slowly with switching to WS and provide a option to switch manually, I could imagine using WS for local connections only at the moment. |
There is a PR that i have long neglected to review (its rather large) to implement this, so that should help quite a bit.
Yeah, hopefully our version includes this and its a one liner to enable. |
When having multiple tabs of Main UI opened, the UI often fails to send HTTP requests to the server because the browser does not execute the requests.
This is because we are running into the max parallel HTTP connections limit.
To fix this issue, we need to keep alive HTTP connections for http and/or enable http/2 for https.
Enabling http/2 for https also brings other benefits, and http/2 is supported by all major browser for several years now (see https://caniuse.com/http2).
This fix seems to work as I have never experienced the above problems with my production instance running behing nginx where I use http/2 and https.
See https://community.openhab.org/t/openhab-4-3-milestone-discussion/158139/75?u=florian-h05, https://www.geeksforgeeks.org/what-are-max-parallel-http-connections-in-a-browser/ and https://www.baeldung.com/jetty-http-2 for more details.
Unfortunately I do not really know how Jetty dependencies are added to openHAB and I am not really confident in configuring Jetty through the XML in openhab-distro, so I need some help.
@J-N-K Since you already added WebSocket and Gzip to Jetty, may I ask for your help here?
The text was updated successfully, but these errors were encountered: