daily system administration

Linux, Debian and the rest
any questions or comments: Tom@d7031.de

Debian, Apache and HTTP/2 – Important Info !

Deliver your websites with Apache and HTTP/2


IMPORTANT INFO !

I’ve backported Apache 2.4.25, but it now depends on OpenSSL from Debian backports. The reason for this step back is this bug 828236. So you have to add the debian-backports repo to your system:

echo 'deb http://ftp.debian.org/debian jessie-backports main' >>  /etc/apt/sources.list.d/debian-backports.list

and install/update the openssl packages from there:

apt-get install libssl1.0.0 -t jessie-backports

Your system is now ready for Apache 2.4.25. The new apache2 packages will be available on Monday 13.02.2017 2 PM UTC.


The Apache HTTP Server Project has included support for HTTP/2 since version 2.4.17. The current stable Debian release, Jessie, comes with Apache 2.4.10, so I’ve backported the latest apache2 from sid.

Caution: Apache 2.4.17+ is a stable release, but the packaging around the original tarball is from the sid branch. Use at your own risk!

The HTTP/2 part is brand new in Apache HTTP Server. Some things are new and different, but this page is served with HTTP/2. 🙂 I’ve tested and am running this on different web servers with static content, PHP sites and acting as reverse proxy. Everything works fine.

Update: With the new Apache 2.4.20, there are a lot of improvements in HTTP/2. See the full documentation.

If you want to use these packages, include my repo:

deb http://www.d7031.de/debian jessie-experimental main

HINT: HTTP/2 depends on openssl >=1.0.2, so the library package will also be installed!

Enable the new Protocol

Load the module:

a2enmod http2

You can enable HTTP/2 per VirtualHost or, like me, globally by changing apache2.conf.

HTTP/2 is a binary protocol. The module logio does not work with this binary format, so change the default logging option %O to %b or %B (see also).
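The %O check described above, as an added example that is not part of the original post: a POSIX shell script that lists active LogFormat/CustomLog lines still using mod_logio's %O and rewrites them to %b. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and rewrite access-log formats that still use mod_logio's %O.
# Function names and the sample config are constructed for illustration.

# Constructed sample, modelled on the Debian default LogFormat lines.
sample_conf() {
cat <<'EOF'
# LogFormat "%h %O" inside a comment must be left alone
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
  CustomLog ${APACHE_LOG_DIR}/access.log "%h %t %>s %O"
EOF
}

# Print "line:directive" for every active LogFormat/CustomLog line containing %O.
# Directive names are case-insensitive in Apache, hence tolower(); comments are skipped.
# Reads the files given as arguments, or stdin when there are none.
audit_logio() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) ~ /^(logformat|customlog)$/ && /%O/ { print NR ":" $1 }
  ' "$@"
}

# Emit the same config with %O replaced by %b on those lines only.
# %b logs response body bytes without headers, so totals differ from %O.
rewrite_logio() {
  awk '
    !/^[ \t]*#/ && tolower($1) ~ /^(logformat|customlog)$/ { gsub(/%O/, "%b") }
    { print }
  ' "$@"
}

# Demo on the constructed sample: list offenders, then confirm none remain.
sample_conf | audit_logio
sample_conf | rewrite_logio | audit_logio
```

Write the rewritten output to a separate file and review the diff against the live config before replacing it; vhost files under sites-enabled can carry their own CustomLog formats and need the same check.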

HTTP/2 also has a feature for pushing content to reduce round trips.

--- /etc/apache2/apache2.conf.orig      2015-12-22 07:32:09.880199756 +0100
+++ /etc/apache2/apache2.conf   2015-12-22 07:33:12.704641138 +0100
@@ -204,11 +204,14 @@
 # Use mod_remoteip instead.
 #
 LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
-LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %O" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent

+# enable http2 for http and https
+Protocols h2 h2c http/1.1
+
+# configure push
+H2Push          on
+H2PushPriority  *                       after
+H2PushPriority  text/css                before
+H2PushPriority  image/jpeg              after   32
+H2PushPriority  image/png               after   32
+H2PushPriority  application/javascript  interleaved
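Review bot: the %O to %b substitution is applied only to the "combined" LogFormat; the unchanged context lines for "vhost_combined" and "common" in this hunk still end in %O, so any vhost that logs with those nicknames keeps the mod_logio field this change is meant to remove. Apply the same substitution to both lines, or say why they are left alone. Separately, "Protocols h2 h2c http/1.1" set globally turns on cleartext HTTP/2 (h2c) for every vhost; if only the TLS vhosts are meant to speak HTTP/2, drop h2c here and set Protocols per VirtualHost instead.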

You can debug the new module with the appropriate loglevel:

LogLevel info mod_http2.c:debug

My configured ciphers

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'

Test your connection

Another point with the binary format is that telnet no longer works to test a website. But you can use nghttp2-client, which is also included in my repo, to check your HTTP/2 connectivity:

nghttp -ans https://www.d7031.de/

Future

I’ll backport all the new packages from sid in this repo.

List of packages in this repo

  • apache2
  • apache2-bin
  • apache2-data
  • apache2-dbg
  • apache2-dev
  • apache2-doc
  • apache2-suexec-custom
  • apache2-suexec-pristine
  • apache2-utils
  • d7031-archive-keyring
  • libnghttp2-14
  • libnghttp2-dev
  • libnghttp2-doc
  • libspdylay-dbg
  • libspdylay-dev
  • libspdylay-utils
  • libspdylay7
  • libssl-dev
  • libssl-doc
  • libssl1.0.2
  • libssl1.0.2-dbg
  • nghttp2
  • nghttp2-client
  • nghttp2-proxy
  • nghttp2-server
  • openssl
  • python-alabaster
  • python3-alabaster