Zscaler Blog

Overcome HTTP/2 Complexities with Zscaler

What is HTTP/2?

The Hypertext Transfer Protocol (HTTP) forms the foundation of nearly all web-based communication, enabling computers and servers to exchange information seamlessly. Whenever a user visits a website, their browser relies on HTTP to request the necessary data (such as text, images, and formatting) that transforms a server's response into what the user sees displayed. HTTP/1.1 marked a significant step in the protocol’s evolution and continues to be widely used today, though modern web demands have exposed its limitations over time. HTTP/2 was launched in response to these shortcomings, and it has emerged as the communications backbone for a vast segment of the modern internet, delivering significant advancements over its predecessor with faster page loads, lower latency, and multiplexed connections.

Zscaler and HTTP/2: Pioneering Modern Internet Protocol 

When it comes to cloud security, at Zscaler we strongly believe the journey doesn’t end at innovation; it is an ongoing commitment to our customers’ operational success. We strive not just to lead technologically, but also to ensure that real-world deployments yield seamless user experiences. Our evolution with HTTP/2 exemplifies this ongoing pledge.

Zscaler has supported HTTP/2 traffic across our cloud service edges for several years, enabling customers to leverage its performance and efficiency without compromising on security inspection or threat prevention.

Real-World Challenges: No Two Cloud Environments Are Alike

While HTTP/2 brings consistency to how browsers and applications communicate, every customer’s cloud environment and use case is unique. We regularly encounter new and sometimes unexpected challenges - especially as cloud service providers implement subtle differences or custom limitations.

Our engineering and support teams work diligently not just to stay ahead of these issues, but to actively partner with customers to resolve them. A recent case involving HTTP/2 underscores this ethos.

The Scenario: Uncovering the Impact of Connection Limits in the Cloud

One of our customers, with ~40,000 employees, was running a web application hosted on a major cloud service provider. Unknown to the customer (and to us initially), this provider’s HTTP/2 infrastructure imposed a limit of 60,000 transactions within a single HTTP/2 connection. Once this limit was reached, the cloud service would initiate a graceful connection shutdown, sending a “GOAWAY” frame, as defined in RFC 7540, section 6.8, to notify connected clients of the imminent closure.

What is a GOAWAY Frame?

The GOAWAY frame is an important mechanism in the HTTP/2 protocol. It signals that one endpoint (in this case, the server in the cloud) is no longer accepting new streams on a connection and intends to close it, while providing the client with time to wrap up existing requests gracefully.

The Challenge: Handling GOAWAY for Seamless User Experience

In practice, this per-connection limit presented nuanced challenges at the Zscaler Service Edge:

  • Relaying GOAWAY Properly: Initially, our system did not forward the GOAWAY frame received from the cloud provider back to the originating client. This omission disrupted the HTTP/2 protocol’s graceful shutdown semantics and confused client applications or browsers.
  • Managing In-Flight Requests: There was a narrow window between when Zscaler received the GOAWAY signal from the server and when it was relayed (or not relayed) to the client. During this brief interval, any new client requests arriving at the Service Edge could not be serviced fully, leading to incomplete page loads, interruptions, and a degraded user experience.

Customer Commitment in Action: Collaborating for a Solution

Upon discovering the issue, our engineering and customer success teams sprang into action, working closely with the customer to thoroughly debug the environment:

  1. We identified that forwarding the GOAWAY frame to the client was critical for ensuring that browsers and applications could reopen new HTTP/2 connections as needed.
  2. We enhanced our protocol handling - guaranteeing that any outstanding requests from the client at that critical juncture were either completed (when possible) or failed gracefully, allowing the client to recover seamlessly.
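
The GOAWAY handling described above can be sketched as follows. This is an added example, not Zscaler's code: it parses a GOAWAY frame in the RFC 7540 section 6.8 wire format and splits open streams into those the server may still answer and those above the last stream ID, which the server never processed and which can be replayed on a new connection. The function names, the sample frame and its debug text are constructed for illustration.

```python
import struct

GOAWAY = 0x7          # frame type, RFC 7540 section 6.8
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id

def build_goaway(last_stream_id, error_code=0, debug=b""):
    """Construct a GOAWAY frame (used here only to make sample input)."""
    payload = struct.pack(">II", last_stream_id & 0x7FFFFFFF, error_code) + debug
    header = struct.pack(">I", len(payload))[1:] + bytes([GOAWAY, 0]) + struct.pack(">I", 0)
    return header + payload

def parse_goaway(frame):
    """Return (last_stream_id, error_code, debug_data) or raise ValueError."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype = frame[3]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF  # drop reserved bit
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if ftype != GOAWAY:
        raise ValueError("not a GOAWAY frame")
    if stream_id != 0:
        raise ValueError("GOAWAY must be sent on stream 0")
    if length < 8 or len(payload) != length:
        raise ValueError("bad GOAWAY payload length")
    last_stream_id, error_code = struct.unpack(">II", payload[:8])
    return last_stream_id & 0x7FFFFFFF, error_code, payload[8:]

def plan_shutdown(open_streams, last_stream_id):
    """Split open stream ids into those the server may still answer and
    those it never processed, which are safe to replay on a new connection."""
    may_complete = sorted(s for s in open_streams if s <= last_stream_id)
    replay = sorted(s for s in open_streams if s > last_stream_id)
    return may_complete, replay

# Constructed sample: server stops after stream 7 with NO_ERROR (0x0).
SAMPLE = build_goaway(7, 0, b"max requests reached")

if __name__ == "__main__":
    last, err, dbg = parse_goaway(SAMPLE)
    print(last, err, dbg, plan_shutdown({3, 5, 7, 9, 11}, last))
```

An intermediary that receives this frame from the origin has to apply the same split to the client requests it has already mapped onto the upstream connection, which is the narrow window the post describes.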

Through rigorous testing and close collaboration, we iterated on our HTTP/2 edge stack until we achieved the desired result: connections now close transparently, outstanding requests are handled or retried, and end users remain unaffected by the underlying protocol mechanics.

The Result: Uncompromising Security, Seamless Experience

Today, Zscaler not only inspects HTTP/2 traffic thoroughly and securely, but also delivers a smooth, uninterrupted user experience, even when facing edge cases introduced by third-party infrastructure. Our platform now gracefully and completely services GOAWAY frames and the scenarios they create, ensuring that cloud applications run without hiccups and that security never comes at the expense of usability.

Final Thoughts: Customer Success, Innovation, and Reliability

This experience reflects a core Zscaler belief: the best technology is only as good as the customer experience it delivers. By rapidly adapting to the realities of HTTP/2 protocol limits and cloud provider quirks, we reinforced our commitment to our customers’ mission-critical operations.

As we continue innovating for the modern internet, Zscaler will always put customers first - proactively ensuring both security and seamless access, no matter how the technology landscape evolves.

If you’d like to learn more about Zscaler’s HTTP/2 support or have questions about optimizing cloud application performance and security, reach out to us or explore our technical documentation for in-depth guidance.


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
