14 March 2017, 12:36

If I want Hiawatha to have a future, I know that HTTP/2 support is a must-have. Implementing HTTP/2 on my own is simply too much work, so that's no option. Some time ago, I came across nghttp2. But for some reason, I never took the time to look at it properly. A few weeks ago, someone mentioned it at my weblog. Realizing that using an HTTP/2 library is the only way to, I decided to give nghttp2 a try.

I've given the nghttp2 source code a quick look and haven't seen any crazy stuff. I've already updated the Hiawatha build system (thanks Sander!) to include nghttp2 as a library, just like mbed TLS. That means you can compile Hiawatha with the shipped libraries or the ones already present on your system. Next step is to actually use the library in Hiawatha and do some serious testing. Did I say serious testing? I meant some real serious testing. Because, although Hiawatha must have HTTP/2 support to be of any meaning in the future and nghttp2 seems to be the only option, that doesn't mean that I will allow nghttp2 to jeopardize Hiawatha's security. No matter what, you will get what you can expect: the most secure web server available.

Although there is a lot of nghttp2 documentation, I personally think there is room for improvement. After reading it for the first time, it raised a lot of questions. So, when you're excited about this news, don't expect the actual HTTP/2 support in Hiawatha very soon. But no worries, HTTP/1.x will do just fine for quite some time.

14 March 2017, 14:41
Hi Hugo,

Just wanted to say thank you for all the hard work you do on Hiawatha!
Ron Jones
14 March 2017, 14:52
That is outstanding news. Better good than fast is a wise move I think. I am a big fan of Hiawatha.
Stavros Kapageridis
14 March 2017, 18:41
Thank you Hugo, for all these years that you provide this awesome web server. I am happy to read that Hiawatha will keep it's promise, to be our number one choice.
14 March 2017, 23:59
Yay! Thanks a lot for your hardwork, this is great news!
15 March 2017, 06:37
Just wanted to add my thanks to for all the hard work you are doing. Thank you Hugo!
15 March 2017, 08:10
So great news that there is a library that can be used. And even better news that you give it a try. Thank you, Hugo.
16 March 2017, 13:31
Thanks a lot!
13 April 2017, 21:51
good to know Hiawatha will survive to http2 this is a must and very good news
13 May 2017, 08:10
HTTP/1.1 with TLS1.2, persistent connections ("Keep-Alive") and pipelining would have brought the same advantages as in HTTP/2, but w/o the massive complexity and security concerns of the latter, like a web client requiring the web server how and in what order to send an infinite number of files. Above all, such an external library has to be constantly under review to avoid security bugs.

But even HTTP/2 does not have enforced encryption, and HTTP/1.1 Pipelining is switched off by default in Firefox and (cite from Chromium web site:) "has been removed from Chrome, as there are known crashing bugs and known front-of-queue blocking issues." The single connection of HTTP/2 is also a major disadvantage compared to multiple Keep-Alive connections of HTTP/1.1: if it stalls, all web site requests will subsequently fail.

So I think right now it is better to stick to HTTP/1.1.