I use Cloudflare tunnels and a custom domain to access Home Assistant OS. I was checking out the Cloudflare WAF and wondered what would happen if I blocked all HTTP/1 traffic. I figure my domain is strictly for homelab tinkering, I use relatively modern devices, maybe I don’t want/need the older and less secure protocols. What’s the worst that could happen?
I create the rule in the WAF and leave it for a day. When I come back, I see around 3,600 items in the Events log (I usually only expect around 100 from bot challenges).
Uh oh.
Looking closer, I see the User Agent matches the iOS HA app on an iPhone. I live with my server so I rarely connect to HA with Cloudflare, but my partner doesn’t. I then open the app myself on cellular, confirming the new WAF rule is blocking the app from connecting to HA. What interested me though was that the traffic consisted of HTTP/1.1 GET requests to my host at the path /api/websocket. For reference, we have the 2023.7 build of the HA app on iOS 17.0.3.
The real question I have stems from the method of connection that was being made. Does the app need to be using HTTP/1.1? Wouldn’t it be better to be using HTTP/3? I know that a large portion of the web still uses HTTP/1.1 and 1.2, but I’d like to use the latest HTTP spec to connect to my server.
Does anybody have any ideas as to why I’m seeing this? Is there an explicit reason for using HTTP/1.1, or is it just old code that still works perfectly so nobody’s bothered to change it? I wouldn’t know where to start, but maybe this is just a pull request away from somebody who knows and cares enough to change it.
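The triage described in the post above (reading the Events log to see which clients an HTTP/1.x block actually hits before leaving it enforced), as an added example that is not part of any post in this thread. The event field names and user-agent strings are constructed for the sketch and are not Cloudflare's export schema; `http.request.version` and `http.request.uri.path` are fields of Cloudflare's rule expression language.

```python
from collections import Counter

# Constructed sample events. Field names and user-agent strings are hypothetical.
EVENTS = [
    {"action": "block", "proto": "HTTP/1.1", "path": "/api/websocket", "ua": "HomeAssistant-iOS/2023.7"},
    {"action": "block", "proto": "HTTP/1.1", "path": "/api/websocket", "ua": "HomeAssistant-iOS/2023.7"},
    {"action": "block", "proto": "HTTP/1.1", "path": "/api/websocket", "ua": "HomeAssistant-iOS/2023.7"},
    {"action": "block", "proto": "HTTP/1.1", "path": "/", "ua": "sample-bot/1.0"},
    {"action": "block", "proto": "HTTP/1.0", "path": "/robots.txt", "ua": "sample-bot/1.0"},
    {"action": "allow", "proto": "HTTP/2", "path": "/", "ua": "Mozilla/5.0 (constructed)"},
]
LEGACY = {"HTTP/1.0", "HTTP/1.1"}


def summarize(events):
    """Count blocked HTTP/1.x requests per (path, user agent)."""
    hits = Counter()
    for e in events:
        if e.get("action") == "block" and e.get("proto") in LEGACY:
            hits[(e.get("path", ""), e.get("ua", ""))] += 1
    return hits


def paths_to_exempt(hits, trusted_ua_prefixes, min_hits=2):
    """Paths hit repeatedly by clients we recognise: candidates for an exception.

    The user agent is client-supplied, so it only guides this review; it is
    never placed in the rule itself.
    """
    prefixes = tuple(trusted_ua_prefixes)
    return {path for (path, ua), n in hits.items()
            if n >= min_hits and ua.startswith(prefixes)}


def build_expression(exempt_paths):
    """Rule expression: match HTTP/1.x requests except those to exempted paths."""
    for p in exempt_paths:
        if '"' in p or "\\" in p:
            raise ValueError(f"refusing to embed unsafe path: {p!r}")
    expr = '(http.request.version in {"HTTP/1.0" "HTTP/1.1"})'
    if exempt_paths:
        quoted = " ".join(f'"{p}"' for p in sorted(exempt_paths))
        expr += f" and not (http.request.uri.path in {{{quoted}}})"
    return expr


if __name__ == "__main__":
    hits = summarize(EVENTS)
    for (path, ua), n in hits.most_common():
        print(n, path, ua)
    print(build_expression(paths_to_exempt(hits, ["HomeAssistant-iOS/"])))
```
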
I believe there is no such thing as HTTP 1.2 (there is a 2.0, however).
Yes, HTTP 1.1 is old code that still works perfectly, and one of the so-called “benefits” of 3.0 is that ALL connections are encrypted (over UDP) …
HTTPS is, however, still “valid” (used by about 85% of the world’s websites) and delivers the same functionality (over TCP).
That HTTP 3.0 still is not so widely spread is maybe partly because the companies have to install this on their servers, and adapt them to the “added” functionality which 3.0 “offers”.
That not many use HTTP 2.0 (35% of all websites) might be due to the fact that it doesn’t ADD “useful” functions/features for companies/common-use-case purposes.
So what is your “use case” for wanting HTTP 3.0, with its known “drawbacks!” and “continuing bug fixes!” (workload for hosting/server/webserver-app owners)?
No, it’s not “just a” pull request away, and hardly ever will become one, partly as HA is meant to work in a local environment. The “internal” traffic/communication should be fairly secured, and we are still not anywhere near the “internal/external traffic” that, i.e., companies like Google, Amazon, Microsoft have with/in their server parks around the world.
So the “potential” benefits of HTTP 3.0 are doubtful, and not anything common (vast majority) users will ever notice or benefit from in their HA server.
Cool! I don’t have any need for HTTP/3, nor do I have a problem with the current protocol in use. I was just curious about the nuances of why or how to support it in general. Networking is a crazy beast to understand, and I’ve only ever had the focus for basic understanding. I appreciate your insight and answer!