Contents
- 1 Preface
- 2 Introduction to Cloudflare Tunnel Communication Protocol
- 3 Configure Cloudflare Tunnel to use HTTP/2 protocol
- 4 Optimizing long connections
- 5 Summary
Preface
Last week I went back to my hometown for a few days to celebrate Chinese New Year, so I did not have much time to write (I actually have two articles in progress, but both are stuck in the middle and need more research and experiments). This week's content is therefore a short but necessary article that highlights one key point: the two communication protocols of Cloudflare Tunnel, QUIC (the default) and HTTP/2.
Introduction to Cloudflare Tunnel Communication Protocol
QUIC Protocol
(1) Introduction
QUIC (originally "Quick UDP Internet Connections") is a transport protocol developed at Google and later standardized by the IETF (RFC 9000). It is built on UDP and designed to improve transmission efficiency on modern networks.
(2) Characteristics
• Low-latency connection setup: a full handshake takes 1-RTT, and 0-RTT resumption is possible with a server the client has talked to before. (Caveat: 0-RTT data is replayable by design, so it should carry only idempotent requests.)
• Integrated encryption: TLS 1.3 is built into the QUIC handshake. Every packet after the handshake is encrypted, and unlike TLS over TCP most of the transport header is encrypted as well.
• Multiplexing: each stream is delivered independently, so a loss on one stream does not stall the others. This removes the head-of-line blocking that a single TCP connection imposes.
• Efficient loss handling: QUIC retransmits only the lost data, and only the affected stream waits for it.
• Connection migration: a QUIC connection is identified by connection ID rather than by the IP/port 4-tuple, so it survives an IP or network change (for example, switching from Wi-Fi to a mobile network).
(3) Advantages
• Faster performance: It performs particularly well in high-latency and high-packet-loss environments.
• More flexible adaptation: Suitable for dynamic and complex network conditions.
HTTP/2 Protocol
(1) Introduction
HTTP/2 runs over TCP (on the public Internet, over TLS on TCP/443). It is the successor to HTTP/1.1 and focuses on Web performance.
(2) Characteristics
• Multiplexing: Supports multiple requests and responses sharing one TCP connection.
• Header Compression: Reduces the size of requests and responses.
• Priority Control: Supports assigning higher priority to important resources.
(3) Limitations
• Head-of-line blocking: because HTTP/2 multiplexes all its streams over one TCP connection, a single lost segment stalls every stream on that connection until the segment is retransmitted.
• Slower connection establishment: a TCP three-way handshake followed by a TLS handshake (one extra round trip with TLS 1.3, two with TLS 1.2) must complete before the first request is sent.
• No connection mobility: a TCP connection is bound to its IP/port 4-tuple, so it cannot survive an IP or network change the way QUIC does.
Why Cloudflare Tunnel uses QUIC by default
Cloudflare Tunnel chooses QUIC as the default communication protocol instead of HTTP/2, mainly based on the following reasons:
1. Quickly establish a connection
QUIC completes its handshake in 1-RTT (0-RTT on resumption). Compared with HTTP/2's multi-stage TCP + TLS handshake, this noticeably reduces connection setup latency and improves the user experience.
2. Better tolerance of packet loss
QUIC avoids head-of-line blocking through stream-level loss recovery, whereas HTTP/2 relies on TCP, where a single loss blocks the entire connection and degrades performance.
3. Adaptability to dynamic environments
QUIC's connection migration capability allows clients to maintain connections when IP or network switches, making it suitable for modern mobile and multi-network environments.
4. Integrated security
QUIC carries TLS 1.3 inside its own handshake, so there is no separate TLS layer stacked on top of the transport: once the handshake is done, both the payload and most of the packet header are protected. This tighter integration of the transport and security layers gives stronger protection against on-path observers at lower overhead.
5. Meet high performance requirements
Cloudflare Tunnel needs to provide users with high throughput, low latency, and high reliability connections, and QUIC is superior to HTTP/2 in these aspects.
Summary
• QUIC is the default protocol for Cloudflare Tunnel because of its fast connection setup, efficient loss handling, adaptability to changing networks, and built-in TLS 1.3 encryption.
• HTTP/2 also offers multiplexing and header compression, but its TCP foundation makes it perform worse than QUIC in highly dynamic and lossy network environments.
From the above it is clear that, on a normal network, it is the right call for Cloudflare Tunnel to use QUIC by default. But what about an abnormal network environment?
Advantages of HTTP/2
In an abnormal network environment, QUIC's conspicuousness (it runs over UDP/443) makes it easy to interfere with or block outright, while HTTP/2 runs over TCP/443 and blends in with ordinary HTTPS traffic, which makes it better suited to strict network restrictions. Switching Cloudflare Tunnel to HTTP/2 in these scenarios noticeably improves how inconspicuous and how available the connection is, making it the reliable choice in such networks.
Limitations of QUIC in abnormal network environments
- QUIC is easy to identify and interfere with
• QUIC runs over UDP/443 rather than the traditional TCP/443, so at the flow level it already looks different from classic HTTPS, and it is trivially identified by DPI (deep packet inspection) devices: the long header of the first packets carries the QUIC version and connection IDs in cleartext, and the Initial packets are protected only with keys derived from the Destination Connection ID, so a middlebox can even read the ClientHello inside them.
• Some operators or firewalls restrict UDP traffic in general, or rate-limit or outright block QUIC, resulting in unstable transmission.
- UDP traffic gets through less reliably
• Although UDP is technically a fine transport, it is far less common than TCP in real deployments. That makes QUIC traffic stand out in a closed environment and easy to flag as anomalous.
- QUIC's availability depends on UDP/443
• If UDP/443 is blocked, QUIC simply cannot work and the tunnel connection drops. (cloudflared's default "auto" protocol selection is documented to fall back to HTTP/2 when it cannot establish UDP connections; pinning --protocol http2, as configured below, skips the QUIC attempt entirely.)
The concealment advantage of HTTP/2
In such environments HTTP/2, running over TCP/443, effectively masks the traffic characteristics and improves availability:
1. Concealment based on TCP/443
• HTTP/2 uses TCP/443, the standard HTTPS port, and on the wire it is just a TLS session on that port, the same as ordinary HTTPS traffic.
• A DPI device therefore has a much harder time telling a tunnel's HTTP/2 connection from regular HTTPS, which reduces the risk of being identified and interfered with. (It is still a TLS session: without Encrypted Client Hello the SNI and the ALPN list in the ClientHello remain visible, so this is blending in, not invisibility.)
2. High compatibility
• TCP is the mainstream transport for Internet communication and enjoys the broadest availability and throughput worldwide.
• HTTP/2 works on any network that permits outbound HTTPS, so it is rarely caught by policies that single out specific protocols.
3. Resistance to interference
• Even if there is jitter, speed limiting or packet loss in the network, TCP's reliability mechanism can ensure data integrity and guarantee a stable connection.
• Compared to QUIC, which may fail completely due to UDP limitations, HTTP/2's transmission is more robust.
4. Deployment maturity
• HTTP/2 relies on years of TCP technology accumulation. Its deployment and tuning are more mature globally and suitable for use in complex network environments.
Therefore, in an abnormal network environment, running Cloudflare Tunnel over HTTP/2 is the more reliable and harder-to-block choice.
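To make the two claims above concrete (QUIC is trivially recognized; HTTP/2 merely blends in with HTTPS), here is an added example written for this article, not code from cloudflared or Cloudflare, that classifies the first packet of a port-443 flow the way a simple DPI box would. The function names, the connection IDs and the hostname example.com are assumptions constructed for the demo:

```python
"""Classify the first packet of a port-443 flow the way a simple DPI box would:
a QUIC long-header packet on UDP/443 or a TLS ClientHello on TCP/443.
Added example for this article, not code from cloudflared or Cloudflare;
all sample bytes (connection IDs, hostname) are constructed for the demo."""
import struct

QUIC_V1 = 0x00000001
QUIC_V1_TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}


def classify_quic(payload: bytes):
    """Parse a QUIC long header (RFC 9000 sec. 17.2); return a dict or None.

    Flags byte: 0x80 long header, 0x40 fixed bit, 0x30 packet type (v1), then a
    4-byte version and length-prefixed Destination/Source Connection IDs. All of
    it is cleartext, and RFC 9001 derives the Initial keys from the DCID alone,
    so a middlebox can even decrypt the ClientHello inside an Initial packet.
    """
    try:
        if not payload[0] & 0x80:
            return None
        version = struct.unpack_from(">I", payload, 1)[0]
        dcid_len = payload[5]
        dcid = payload[6:6 + dcid_len]
        scid_len = payload[6 + dcid_len]
        scid = payload[7 + dcid_len:7 + dcid_len + scid_len]
        if len(dcid) != dcid_len or len(scid) != scid_len:
            return None                               # truncated packet
    except (IndexError, struct.error):
        return None
    if version == 0:                                  # Version Negotiation: fixed bit undefined
        packet = "version-negotiation"
    elif not payload[0] & 0x40:                       # fixed bit must be set on real packets
        return None
    elif version == QUIC_V1:
        packet = QUIC_V1_TYPES[(payload[0] & 0x30) >> 4]
    else:
        packet = "unknown-version"
    return {"proto": "quic", "packet": packet, "version": version,
            "dcid": dcid.hex(), "scid": scid.hex()}


def classify_tls(payload: bytes):
    """Parse a TLS ClientHello record (RFC 8446 sec. 4.1.2); return a dict or None.

    On TCP/443 the flow looks like any HTTPS session, but without Encrypted
    Client Hello the ClientHello is still cleartext: a DPI box sees the SNI and
    the ALPN list, and "h2" in that list is exactly how HTTP/2 is negotiated.
    """
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:  # handshake record, ClientHello
            return None
        rec_len = struct.unpack_from(">H", payload, 3)[0]
        hs = payload[5:5 + rec_len]
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                               # truncated or split record
        info = {"proto": "tls", "legacy_version": body[:2].hex(), "sni": None, "alpn": []}
        pos = 2 + 32                                  # legacy_version + random
        pos += 1 + body[pos]                          # legacy_session_id
        pos += 2 + struct.unpack_from(">H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                          # legacy_compression_methods
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                            # server_name: first host_name entry
                name_len = struct.unpack_from(">H", data, 3)[0]
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == 16:                         # application_layer_protocol_negotiation
                p = 2
                while p < len(data):
                    n = data[p]
                    info["alpn"].append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                    p += 1 + n
    except (IndexError, struct.error):
        return None
    return info


def build_client_hello(sni: str, alpn: list) -> bytes:
    """Build a minimal constructed ClientHello carrying an SNI and an ALPN list."""
    host = sni.encode()
    sni_ext = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack(">H", len(alpn_list)) + alpn_list
    exts = (struct.pack(">HH", 0, len(sni_ext)) + sni_ext
            + struct.pack(">HH", 16, len(alpn_ext)) + alpn_ext)
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01"                     # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                             # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

On the UDP side every field the classifier reads (version, DCID, SCID) is cleartext, and because the Initial keys are derived from the DCID a real DPI box can go one step further and decrypt the ClientHello. On the TCP side the classifier finds nothing tunnel-specific beyond what any browser sends, which is the whole point of --protocol http2; but it still recovers the SNI and the ALPN list, so HTTP/2 hides in the crowd rather than being invisible.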
Additional knowledge: HTTP/2 and long connection applications
Persistent connections are unstable when using QUIC
When using Cloudflare Tunnel, the choice of communication protocol (QUIC or HTTP/2) directly affects the stability of persistent connections, especially in complex network environments or particular application scenarios. I have seen many articles complaining about the instability of persistent-connection applications (such as gRPC) with the default QUIC protocol. Although QUIC is designed to support persistent connections, they can be interrupted in specific scenarios. The reasons are as follows:
(1) Network interference and blocking
• QUIC runs over UDP/443, and many networks (firewalls and corporate networks in particular) restrict UDP traffic or drop it first under load. For a connection that must stay up for a long time, this interference causes frequent disconnections.
(2) Connection interruption caused by network switching
• Although QUIC supports connection migration (such as switching from Wi-Fi to mobile networks), in some network environments, switching may cause increased latency or brief connection interruptions, affecting the stability of long connections.
(3) Adaptation issues between application protocols and QUIC
• Certain applications that require stable long connections (such as WebSocket and real-time communication) may be more sensitive to delays or interruptions, and the characteristics of QUIC may not be well adapted to these requirements.
(4) The reliability of QUIC depends on the stability of UDP
• QUIC implements its own acknowledgement and loss recovery on top of UDP, but it can only recover what the network lets through: when UDP is heavily rate-limited or dropped, a QUIC long connection degrades or stalls.
Improving persistent connections with HTTP/2
HTTP/2 runs over TCP/443, and its design is naturally suited to scenarios that need a stable connection over a long period. Setting cloudflared's protocol to http2 makes long connections more stable. The reasons are as follows:
(1) TCP reliability
• TCP is a connection-oriented protocol that provides data packet transmission confirmation and retransmission mechanisms. In the event of packet loss or network jitter, TCP can more reliably guarantee data transmission and maintain the stability of long connections.
(2) Advantages of HTTP/2 multiplexing
• HTTP/2 supports the transmission of multiple streams simultaneously on a single TCP connection, which means that application layer long connections can maintain multiple communications on a single connection, avoiding the risk of TCP connection exhaustion.
(3) What setting the protocol to http2 does
• When you set Cloudflare Tunnel's protocol to http2, cloudflared and the Cloudflare edge explicitly negotiate HTTP/2. This brings the following benefits:
• Application-layer optimization: applications that rely on long connections (WebSocket, gRPC, and so on) map cleanly onto HTTP/2 streams.
• Less handshake overhead: compared with HTTP/1.1, one TCP + TLS handshake serves all streams on the connection, so the protocol-level setup latency is paid once.
• A more stable connection: even on a network with some packet loss or slight interference, TCP's retransmission mechanism and HTTP/2's multiplexing together keep the connection continuous.
(4) Synergy between TLS and HTTP/2
• On the public Internet HTTP/2 is carried over TLS, and the choice of HTTP/2 is made explicitly through ALPN (Application-Layer Protocol Negotiation) during the TLS handshake. This negotiation avoids the instability of switching protocols mid-connection. Therefore, in scenarios that require stable long connections, switching to HTTP/2 and configuring Cloudflare Tunnel correctly (mainly the --protocol http2 option; see the practical part below) is the better choice.
Configure Cloudflare Tunnel to use HTTP/2 protocol
Debian (Red Hat) deployment configuration
Go to Zero Trust -> Network -> Tunnel, then select the tunnel whose connector you deployed on Debian. Taking my tunnel "aliyuncloud" as an example, click the three vertical dots on the far right and choose "Configure" to open the overview page:
Use a text editing tool to edit the configuration file. Take vim as an example:
vim /etc/systemd/system/cloudflared.service
Then append "--protocol http2" to the end of the "ExecStart=" line, save and exit, as shown below:
Finally, use the following commands to reload systemd and restart the cloudflared service:
systemctl daemon-reload
systemctl restart cloudflared
You can also use the following command to view the log:
journalctl -u cloudflared -f
Normally you should see HTTP/2-related output, for example: "Connected to Cloudflare edge using HTTP/2".
Note: If Cloudflare Tunnel has been installed before, simply edit the configuration file, save it, and restart the cloudflared service.
Docker deployment configuration
For a Docker deployment, add "--protocol http2" to the end of the run command:
docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token <your-token> --protocol http2
Windows and Mac
To switch the protocol on Windows and Mac, modify the "config.yml" file that cloudflared tunnel run reads. The protocol is a top-level key, the config-file equivalent of the --protocol http2 command-line flag. An example config looks like this (tunnel ID and paths are placeholders):
tunnel: <your-tunnel-id>
credentials-file: /path/to/credentials.json
protocol: http2   # use HTTP/2 for the connection to the Cloudflare edge
ingress:
  - hostname: example.com
    service: https://localhost:8080
  - service: http_status:404
where:
• tunnel is your tunnel ID.
• credentials-file is the path to the credentials file generated when you logged in.
• protocol: http2 switches the cloudflared-to-edge connection to HTTP/2. It must sit at the top level, not under originRequest: originRequest keys (such as http2Origin) only affect the hop from cloudflared to your origin service, not the protocol used to reach Cloudflare.
Then use the following command:
cloudflared tunnel --config /path/to/config.yml run
Note: I have not actually verified this part; I only collected it, because I really do not want to install cloudflared on Mac and Windows~.
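For anyone managing more than one connector, here is an added example (my own code for this article, not Cloudflare's) that applies the same change from a script: it appends --protocol http2 to the ExecStart= line of a systemd unit, and adds a top-level protocol: http2 key to a config.yml, replacing an existing value instead of duplicating it so the script can be re-run safely. The function names are mine and the sample unit file and config are constructed:

```python
"""Apply `--protocol http2` to a cloudflared deployment from a script.
Added example for this article, not Cloudflare's code: it rewrites the text of a
systemd unit or of a config.yml idempotently. Sample inputs are constructed."""
import re

# Matches an existing " --protocol http2" / " --protocol=quic" / " --protocol auto"
PROTOCOL_FLAG_RE = re.compile(r"\s--protocol(?:[= ]\S+)?")
CONFIG_KEY_RE = re.compile(r"^protocol\s*:")   # anchored: top-level key only


def set_unit_protocol(unit_text: str, protocol: str = "http2") -> str:
    """Return the unit file with `--protocol <protocol>` on every ExecStart= line.

    A stale --protocol value is replaced rather than duplicated, so the
    function is safe to run repeatedly (e.g. from configuration management).
    """
    out = []
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            line = PROTOCOL_FLAG_RE.sub("", line).rstrip() + f" --protocol {protocol}"
        out.append(line)
    return "\n".join(out) + "\n"


def set_config_protocol(config_text: str, protocol: str = "http2") -> str:
    """Return config.yml with a top-level `protocol: <protocol>` key.

    The key must sit at the top level next to `tunnel:`; `originRequest`
    settings only govern the hop from cloudflared to the origin service.
    """
    lines = config_text.splitlines()
    if any(CONFIG_KEY_RE.match(l) for l in lines):
        lines = [f"protocol: {protocol}" if CONFIG_KEY_RE.match(l) else l for l in lines]
    else:
        at = 1 if lines and lines[0].strip() == "---" else 0   # keep a document marker first
        lines.insert(at, f"protocol: {protocol}")
    return "\n".join(lines) + "\n"
```

After rewriting the unit file you still need the systemctl daemon-reload and restart from the Debian section; the functions only produce the new file contents, so you can diff them against the old ones before anything is restarted.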
Optimizing long connections
In Cloudflare Tunnel, configure a Public Hostname and choose the HTTPS service type to further improve the HTTP/2 long-connection experience:
Public Hostname provides global accessibility
• Public Hostname is the entry point provided by Cloudflare, ensuring that the tunnel can route the optimal path globally, improving service availability even in complex networks.
Select HTTPS for the service type
• Choosing HTTPS as the service type encrypts the hop between cloudflared and your origin as well (the hop from cloudflared to the Cloudflare edge is always TLS regardless); combined with HTTP/2's multiplexing this keeps the end-to-end connection efficient and stable.
Combine with the http2 protocol setting
• Explicitly switching the tunnel to HTTP/2 lets applications that need long connections (real-time communication services, continuous data streams) stay stable under complex network conditions.
The specific operation is as follows:
Summary
In fact I originally wanted to add the command for switching the default protocol to http2 directly to the previous article about deploying Cloudflare Tunnel, but then I thought that, although the operation is very simple, it is important enough to deserve a separate article: I believe many friends who use Cloudflare Tunnel are unaware of it.
In addition: for personal bloggers who use Cloudflare Tunnel to publish sites from within China, I recommend using http2 as much as possible from now on (even if the default QUIC protocol currently works fine). After all, you know~.