RFC 9110 — HTTP Semantics. RFC 9112 — HTTP/1.1 syntax (the
message-framing/Content-Length/chunked rules).
RFC 9113 — HTTP/2. Read §4 (frames), §5 (streams/multiplexing),
§6 (frame types), §6.9 (flow control), §6.8 (GOAWAY).
RFC 7541 — HPACK. The static + dynamic table model.
RFC 9114 — HTTP/3. RFC 9000 — QUIC transport. RFC 9204 —
QPACK. RFC 9001 — QUIC + TLS 1.3.
gRPC over HTTP/2 — the wire spec.
https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md
Go stdlib net/http2 (golang.org/x/net/http2) — a clean, readable
h2 implementation: frame.go, hpack/, the flow-control accounting.
This lab's parser is a teaching subset of it.
nghttp2 (C) — the reference h2/h3 library; nghttp/h2load tools.
Envoy's http_connection_manager and codecs — production L7 parsing
quic-go (Go) and Cloudflare quiche (Rust) — readable QUIC/h3.
PortSwigger, HTTP request smuggling — the canonical CL.TE/TE.CL
writeups. https://portswigger.net/web-security/request-smuggling
Cloudflare / Fastly blogs on HTTP/2 and HTTP/3 at the edge,
0-RTT replay risk, and QUIC connection migration.
High Performance Browser Networking (Ilya Grigorik) — free online;
the best single explanation of h1/h2/QUIC tradeoffs.
https://hpbn.co/
gRPC blog, gRPC Load Balancing — why L4 LB breaks h2/gRPC and the
options (look-aside LB, proxyless, MAX_CONNECTION_AGE).
curl --http2 -v, curl --http3 -v — see the protocol negotiation.
nghttp -v, h2load — h2 client + load tester with frame traces.
grpcurl — call gRPC services from the shell.
Wireshark with TLS keylog (SSLKEYLOGFILE) — decode h2/h3 frames.
Upstream: gw-01 (the byte stream this lab terminates).
Downstream: gw-03 (filters over parsed requests), gw-04 (h2 to
origin), gw-05 (the WebSocket upgrade path), gw-06 (per-request
retries/hedging + gRPC status classification), gw-08 (Envoy's codec).