Making the Web Faster with HTTP 2 Protocol (opens in new tab)

(phpclasses.org)

35 pointsrvavruch13y ago19 comments

19 comments

With all the buzz already surrounding SPDY and the number of existing implementations out there... what are the chances that HTTP-2.0 will simply never get the traction it needs for real applications?

I mean SPDY is here and almost every server can handle it already. (where can != is configured to by default) If google pulls features from HTTP-2.0 into SPDY-1.x in the next couple of months, what would be the benefit of anyone doing HTTP-2.0?

pilif13y ago

It is my understanding that it's very likely that HTTP 2.0 will be SPDY - maybe with some added extensions, but the basis will be SPDY.

A clear case where a working and apparently perfectly well backwards compatible vendor-specific implementation worked so well that it actually might get to be an official standard.

Now if only we could have SSL with name based virtual hosts or much wider use of IPv6 so that SPDY will actually be useful for a wide range of server administrators.

kelnos13y ago

Now if only we could have SSL with name based virtual hosts

We can: it's called SNI (http://en.wikipedia.org/wiki/Server_Name_Indication). Unfortunately browser support isn't quite there; recent versions the major desktop browsers do support it, but e.g. the stock Android browser does not (because Apache HttpClient does not).

aaronblohowiak13y ago

We wouldn't need SSL with name-based virtual hosts if web browsers could use SRV records (and thus connect to different ports, so the server would know which cert to cough up without requiring the name.)

1 more reply

sp33213y ago

HTTP 2.0 has been in the works for a long time. It's picked up again recently, after the HTTP-NG working group disbanded in 1998. The working group will take some features that SPDY has shown to be useful and stable and integrate them into the spec. They are also looking at parts of Microsoft's "Speed and Mobility" protocol.

lolcraft13y ago

I understood the article said that SPDY would be the next version of HTTP 2.0, just standarized and not in control of Google (in theory). Which makes a lot of sense, for both server and browser implementors, and Google. I guess they wouldn't want to be the next Microsoft, not on purpose at least.

josteink13y ago

SPDY is overrated and only has traction because Google decided to make it. So far the data shows that the severely limited gains it provides, it provides at the cost of significant complexity.

I sure as hell could appreciate a new HTTP-standard, which was brought to the field by having professionals (maybe even IETF!) work together and reason about things publically, not just have Google hijack the process, dump shit out, saying "that's what we have implemented. if you want to compete with us, you will have to take this package", and then after the fact release some docs and claim it's open.

You know. SPDY just smells bad wherever you look. I'd like for the new HTTP protocol to be something you can trust

elktea13y ago

> So far the data shows that the severely limited gains it provides, it provides at the cost of significant complexity.

Source?

1 more reply

0xABADC0DA13y ago

> I sure as hell could appreciate a new HTTP-standard, which was brought to the field by having professionals (maybe even IETF!) work together and reason about things publically

This is a good point, for instance the developers of Spdy don't actually compare it to HTTP pipelining. They don't measure the effect of 'head of line blocking', just assuming it is a major problem. They don't consider that the protocol performs worse than HTTP over satellite and similar links. Neither the design choices nor specific details have been vetted or backed up by real deliberations.

There are tons of ways a committee of experts could improve Spdy, but it looks like Google is just going to show up with their draft RFC and demand a rubber stamp.

But this is just typical Google. Even when they do work with committees they show up and for instance say 'add big integers to JavaScript or else' (the 'or else' being Dart).

1 more reply

dmak13y ago

"Another aspect of concern is the implementation of server push of resources that were already cached by the browsers. Mobile applications may also not want to retrieve some resources that the server may assume they want to download. So the criticism is that preemptive server push may end up being an undesirable thing."

Why is it "preemptive"? It seems more like a nonpreemptive push, right?

chime13y ago

> If the user closes the browser tab and no other pages from the same site are opened, the browser may send an explicit request to end the connection, so it does not keep tying the server.

Does this mean keeping a background tab open uses a remote server's resources indefinitely? How can I as the server dev prevent unintentional DDOS?

mtigas13y ago

Haven't looked at the SPDY spec[1] too closely, but I think each side of the SPDY (or underlying TCP) connection would be able to idle-disconnect after a timeout or during a high-load situation. (i.e. to prevent idle connections from consuming ports/file descriptors)

So in the case you quoted, the server would also be able to explicitly tell the browser to start a new connection later. (It's not just a browser-to-server signal.)

Generally, most HTTP 1.1 (keepalive-aware) servers have a default timeout for those "persistent" connections[2][3] so this isn't actually a new problem specific to SPDY.

(Aside: simply consuming leaving open an idle TCP connection for later re-use doesn't necessarily imply that idle users will "DDOS" a server. Depending on the server software and OS, the cost-per-socket is low enough that many idle connections isn't actually a problem until you get to port and file descriptor limits — which, again, is already well-dealt with in plenty of other HTTP/TCP applications by using timeouts at all.)

[1]: http://www.chromium.org/spdy/spdy-protocol [2]: http://wiki.nginx.org/HttpCoreModule#keepalive_timeout [3]: https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetim...

epenn13y ago

I don't currently have any SPDY experience so if there is a "best practice" for this I'm unaware of it. With that said, I would take a two pronged approach. On the server side you could set a timeout on that user's session to reclaim resources after a period of time that you deem reasonable, regardless of whether you've received an explicit "I'm done" from the user's browser. I would hope server's implementing SPDY would also allow a way to explicitly end a connection as well. If so, I would close the connection at the time that user's session expires.

mauriciob13y ago

Maybe close the connection when it hasn't been used for a while?

zafriedman13y ago

I was so close to not opening this because the source is a website with the name 'PHP' in it... but I'm glad I did, nice article.

j / k navigate · click thread line to collapse

19 comments

viraptor13y ago

pilif13y ago

It is my understanding that it's very likely that HTTP 2.0 will be SPDY - maybe with some added extensions, but the basis will be SPDY.

A clear case where a working and apparently perfectly well backwards compatible vendor-specific implementation worked so well that it actually might get to be an official standard.

Now if only we could have SSL with name based virtual hosts or much wider use of IPv6 so that SPDY will actually be useful for a wide range of server administrators.

kelnos13y ago

Now if only we could have SSL with name based virtual hosts

aaronblohowiak13y ago

1 more reply

sp33213y ago

lolcraft13y ago

josteink13y ago

SPDY is overrated and only has traction because Google decided to make it. So far the data shows that the severely limited gains it provides, it provides at the cost of significant complexity.

You know. SPDY just smells bad wherever you look. I'd like for the new HTTP protocol to be something you can trust

elktea13y ago

> So far the data shows that the severely limited gains it provides, it provides at the cost of significant complexity.

Source?

1 more reply

0xABADC0DA13y ago

> I sure as hell could appreciate a new HTTP-standard, which was brought to the field by having professionals (maybe even IETF!) work together and reason about things publically

There are tons of ways a committee of experts could improve Spdy, but it looks like Google is just going to show up with their draft RFC and demand a rubber stamp.

But this is just typical Google. Even when they do work with committees they show up and for instance say 'add big integers to JavaScript or else' (the 'or else' being Dart).

1 more reply

dmak13y ago

Why is it "preemptive"? It seems more like a nonpreemptive push, right?

chime13y ago

> If the user closes the browser tab and no other pages from the same site are opened, the browser may send an explicit request to end the connection, so it does not keep tying the server.

Does this mean keeping a background tab open uses a remote server's resources indefinitely? How can I as the server dev prevent unintentional DDOS?

mtigas13y ago

So in the case you quoted, the server would also be able to explicitly tell the browser to start a new connection later. (It's not just a browser-to-server signal.)

Generally, most HTTP 1.1 (keepalive-aware) servers have a default timeout for those "persistent" connections[2][3] so this isn't actually a new problem specific to SPDY.

[1]: http://www.chromium.org/spdy/spdy-protocol [2]: http://wiki.nginx.org/HttpCoreModule#keepalive_timeout [3]: https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetim...

epenn13y ago

mauriciob13y ago

Maybe close the connection when it hasn't been used for a while?

zafriedman13y ago

I was so close to not opening this because the source is a website with the name 'PHP' in it... but I'm glad I did, nice article.

j / k navigate · click thread line to collapse