Add this behavior to support secure HTTP/3 connections between requesting clients and the Akamai edge.
This behavior is currently in beta and is only available to select customers. Talk to your account team to see if you can participate in the beta program.
HTTP/3 retains the HTTP/1.1 and HTTP/2 concepts, but it moves away from the traditional transmission control protocol (TCP) transport layer. Instead, HTTP/3 uses the IETF QUIC protocol that handles streams by itself. This supports improved performance and a faster connection setup.
HTTP/3 support requires a secure (HTTPS) connection between the requesting client and the Akamai edge. You need to create a Domain Validation (DV), Organization Validation (OV), or a third-party certificate and assign it to a property hostname in your property. It needs to be configured to support the following:
Default certificates and VIP-deployed certificates aren’t supported with the beta release. You need to manually create a certificate using Akamai’s Certificate Provisioning System (CPS) and apply it to your edge hostname, either in Property Manager or the Edge Hostname editor.
SNI-only. You apply it during the select network settings phase when creating a new certificate. This option is default enabled in a new Standard TLS certificate, but it can be toggled for Enhanced TLS. Ensure it’s enabled. If you don’t see it when setting up your certificate, you may need to have it added to your contract. Reach out to your Akamai account team for help.
Transport layer security (TLS) 1.3. If you select Standard TLS or Enhanced TLS when creating a new certificate, this is automatically applied.
You can take a look at a current certificate to make sure it can support HTTP/3.
In Akamai Control Center, select ☰ > Certificates.
Locate the applicable certificate. In the Actions column, select … > View and Edit Certificate.
Review the Select Network Settings options and ensure that SNI-only is On. If it isn't, you need to create a new certificate. These options can’t be modified.
Return to the landing page.
If you’re limited on the number of certificates you can create, and this certificate isn’t active in a property hostname, select … > Delete to remove the certificate.
Click … > View and Edit Deployment settings for the certificate.
In the SNI Advanced Configuration panel, click Edit.
In the TLS Protocol Versions options, ensure that either of the following options are selected:
- Enable all TLS versions.
- Disable specific TLS versions. If you enable this, select each version you want left out, but ensure that TLS 1.3 is deselected.
If you made a change here, click Submit. If you didn't need to change anything, click Cancel.
Add the behavior and set the Enable slider to On. You can add it to these rules in your property:
You can only have one instance of the HTTP/3 Support behavior in your property.
- The Default Rule. All requests processed by this property will support HTTP/3 for transfer.
- A custom rule. You can add it in a custom rule, but you need to use specific match criteria:
Include one or more hostnames that have been set up to use a compatible certificate, as discussed above. All requests that use the hostnames will use HTTP/3 for transfer.
Hostname and Percentage of Clients
Include one or more hostnames that have been set up to use a compatible certificate, as discussed above. Then, set a percentage of the HTTP/3 requests that should be honored. This is considered a temporary implementation. For example, you could initially use these match criteria to limit HTTP/3 traffic to test it, or if you're looking to slowly roll out support. Then, you could progressively edit your property to increase this percentage.
Consider the following points when adding HTTP/3 support:
Keep HTTP/2. If you want to accept HTTP/2 requests, the HTTP/2 Support behavior needs to be in your property. HTTP/3 Support does not replace HTTP/2.
HTTP/3 supports connection reuse. This lets a requesting client use an open connection for any domain included in your certificate, even if that domain points to a different origin. Most browsers will perform a DNS query to ensure there's an overlap in the domain's IP before using the connection. If you’re using multiple certificates—specifically both Standard TLS and Enhanced TLS—don't include the same domain across them. If you do, an HTTP request to the domain that requires Enhanced TLS could be resolved using the less secure Standard TLS certificate, and vice-versa.
As a best practice, you shouldn’t use the same domain across multiple certificates, regardless if you’re using HTTP/3. This same issue can occur with HTTP/2 Support, which uses connection reuse as well.
HTTP/3 traffic in other domains in the certificate. If a requesting client doesn’t respect
Alt-Svcheaders and tries HTTP/3 without the HTTP/3 behavior, an HTTP/3 connection will still be opened if the certificate used in the request has QUIC enabled. This will change after beta, when HTTP/3 connections will only be possible for domains if the HTTP/3 behavior is enabled in your property.
Adaptive Acceleration's Automatic Server Push isn't supported with HTTP/3. Chromium-based browsers have dropped support for the Server Push functionality that's used by the Adaptive Acceleration feature in an Akamai Ion property. If the connecting protocol is HTTP/3, Adaptive Acceleration will automatically preload the resources (.css, and .js) rather than pushing them. So, there's nothing you need to do. However, when you add the HTTP/3 Support behavior to an Ion property that uses Adaptive Acceleration, you'll see a warning message that discusses this.
The QUIC Support behavior isn’t supported. If you have this behavior in your property, you’ll see a warning message. This combination will be deprecated soon. Talk to your account representative about your options, including adding the HTTP/3 Support behavior to your property.
The HTTP/3 Support behavior isn't currently compatible with some security products. If you're using any of these, you can't include the HTTP/3 behavior in your property:
- Account Protector.
- Bot Manager Premier. By default, Bot Manager Premier uses TLS fingerprinting when detecting keys, and a TLS fingerprint isn't generated for HTTP/3 traffic. Talk to your Akamai account team about a workaround for this to participate in the Beta.
Updated 2 months ago