I've been taking HTTP/2 for a spin, using a Phoenix[1] app with websockets. The 
basic "does it connect" works very well already (thank you!) but I'm not sure 
if it's possible to enable per-frame compression within websockets or not -- or 
even intended?

My use case is to reduce the size of JSON blobs traversing a websocket 
connection, where a reasonable portion of frames contain almost-identical JSON 
from one to the next:

http/1.1 backend connection upgraded to websockets
   |
   | JSON blobs...
   |
haproxy
   |
   | JSON blobs...
   |
http/2 frontend to browser (using TLS obviously) 

I can see that my endpoints are requesting the permessage-deflate option, but that 
haproxy is not returning that header back to indicate its support for it.

While haproxy has no way of knowing whether a particular stream would benefit from 
compression or not, the application developer *does* know, and I could ensure 
that compressible websocket requests use a different endpoint, or some form of 
header + acl, to enable that, for example.

Some thoughts:

- in general, I prefer to keep away from compression over TLS because of BREACH 
and CRIME vulnerability classes
- this long-running websockets connection is particularly interesting for 
compression however as the compression tables are apparently maintained across 
sequential frames on the client

Is this something that might come in future releases, or do you feel it's better 
left out due to compression overhead and vulnerability risks?

[1]: http://phoenixframework.org/

$ haproxy -vv
HA-Proxy version 1.8.6 2018/04/05
Copyright 2000-2018 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fstack-protector -fno-strict-aliasing 
-fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow 
-Wno-address-of-packed-member -Wno-null-dereference -Wno-unused-label 
-DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_ACCEPT4=1 
USE_REGPARM=1 USE_OPENSSL=1 USE_STATIC_PCRE=1 USE_PCRE_JIT=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.40 2017-01-11
Running on PCRE version : 8.40 2017-01-11
PCRE library supports JIT : yes
Built with multi-threading support.
Encrypted password support via crypt(3): yes
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with OpenSSL version : OpenSSL 1.0.2o-freebsd  27 Mar 2018
Running on OpenSSL version : OpenSSL 1.0.2o-freebsd  27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available filters :
        [TRACE] trace
        [COMP] compression
        [SPOE] spoe
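
The effect the post describes (compression state kept across sequential frames), as an added example that is not part of the original message: a Python sketch of RFC 7692 permessage-deflate message compression with and without context takeover. The sample JSON frames and the names `make_frames`, `Deflater`, `Inflater` and `measure` are constructed for illustration.

```python
import json
import zlib

TAIL = b"\x00\x00\xff\xff"  # RFC 7692: stripped from the end of every compressed message

def make_frames(n):
    """Constructed sample data: n almost-identical JSON messages."""
    return [json.dumps({"topic": "room:lobby", "event": "price_update", "ref": i,
                        "payload": {"symbol": "ACME", "bid": 100 + i, "ask": 101 + i,
                                    "currency": "EUR", "venue": "constructed-example"}},
                       separators=(",", ":")).encode() for i in range(n)]

class Deflater:
    """Sending side of permessage-deflate (raw DEFLATE, 32 KiB window)."""
    def __init__(self, context_takeover):
        self.context_takeover = context_takeover
        self._z = zlib.compressobj(6, zlib.DEFLATED, -15)

    def compress(self, payload):
        if not self.context_takeover:  # *_no_context_takeover: fresh window per message
            self._z = zlib.compressobj(6, zlib.DEFLATED, -15)
        out = self._z.compress(payload) + self._z.flush(zlib.Z_SYNC_FLUSH)
        return out[:-len(TAIL)]  # a sync flush always ends with TAIL

class Inflater:
    """Receiving side: re-append TAIL, keep or reset the window to match the sender."""
    def __init__(self, context_takeover):
        self.context_takeover = context_takeover
        self._z = zlib.decompressobj(-15)

    def decompress(self, data):
        if not self.context_takeover:
            self._z = zlib.decompressobj(-15)
        return self._z.decompress(data + TAIL)

def measure(n=20):
    """Total payload bytes for n frames: uncompressed, per-message, shared context."""
    frames = make_frames(n)
    totals = {"raw": sum(len(f) for f in frames)}
    for name, takeover in (("no_takeover", False), ("takeover", True)):
        tx, rx = Deflater(takeover), Inflater(takeover)
        wire = [tx.compress(f) for f in frames]
        assert [rx.decompress(w) for w in wire] == frames  # lossless round trip
        totals[name] = sum(len(w) for w in wire)
    return totals
```

With context takeover, the compressed length of a frame depends on what was sent earlier in the same direction, which is the property behind the BREACH and CRIME concern raised in the post.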
