HTTP 2.0 and NodeJS

• Why HTTP 2.0?
• TCP refresher
• SPDY and HTTP 2.0
• New features
• Protocol negotation
• Server push demo

• Use persistent TCP connections
• Pipelining troublesome, so not used
• Multiple connections for parallelism
• Resource sharding for more parallelism
• Inlining and image spriting for fewer round trips

• An experimental protocol from Google, created in 2009
• The starting point for IETF's HTTP 2.0 standardisation work
• Not an acronym
• Keeps all existing HTTP status codes and headers
• Binary!

Browsers:
Chrome (desktop, iOS, Android), Firefox, Opera, IE 11+ (on Win8+), Amazon Silk

Websites:
Google, Facebook, Twitter, and more.

Application servers/platforms:
Apache (mod_spdy), Nginx, Ruby, Python, NodeJS, Java (Jetty and Netty)

Networking tools:
F5, Wireshark, cURL (in progress)

• Reduce end-user perceived latency
• Minimise deployment complexity: Don't require changes to existing network infrastructure
• Avoid the need for web site and web application creators to make changes
• Improve web security

• Multiplex requests over a single TCP connection: Overcome TCP slow start
• Header compression: Reduce bandwidth usage
• Request prioritisation: Important resources arrive first
• Server push: Reduce number of round trips
• Run everything over TLS*
• No changes to methods, status codes, headers, or standard ports (80, 443)

• Why? Lots of mostly repeated header content in every request and response
• Initial spec used zlib but then CRIME came along
• CRIME (Compression Ratio Info-leak Made Easy): compression and encryption don't mix well
• Inject different plaintext and observe change in compressed size
• Now using HPACK, this has slowed implementation effort

• Send resources to browsers unsolicited
• By the time the browser has parsed the HTML/JS and wants to request the resource, it's already in the browser cache

if (request.url === '/index.html' && response.push) {
  var stream = response.push('/jquery.js', {'Content-Type': 'text/javascript'}, 
  fs.createReadStream('/jquery.js').pipe(stream);
}

• NPN: Next Protocol Negotiation (SPDY)
• ALPN: Application Layer Protocol Negotiation (HTTP 2.0)
• These are TLS extensions
• Upgrade handshake for HTTP 2.0 over non-TLS connection
• Allows SPDY/HTTP 2.0 to run on the same ports as HTTP(S)

• Protocol identification headers
• NPN vs ALPN for negotiating HTTP 1.1 vs 2.0 vs SPDY
• HTTP 2.0 supports plaintext mode via 'Upgrade' handshake*

• SPDY support available for Connect-based applications via node-spdy
• Automated server push Express middleware via spdy-referrer-push
• HTTP 2.0 support available via node-http2
• BUT ALPN support will not be available until OpenSSL has stabilised its implementation. Or use a forked version of NodeJS.

• M. Belshe: More Bandwidth Doesn’t Matter (Much)
• IETF Draft: Hypertext Transfer Protocol version 2.0
• M. Nottingham: Opportunistic Encryption for HTTP URIs
• NodeJS SPDY module and NodeJS HTTP 2.0 module
• ExpressJS middleware for automatic server push:
  npm spdy-referrer-push (Shameless plug)
• Jetty's SPDY modules
• C. Strom: The SPDY Book (Very dated now)