Debian, Apache and HTTP/2 – Important Info !
Deliver your websites with Apache and HTTP/2
IMPORTANT INFO !
I’ve backported apache 2.4.25, but it now depends on openssl from debian backports. The reason for this step back is this bug 828236. So you have to add the debian-backports repo to your system:
echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list.d/debian-backports.list
and install/update the openssl packages from there:
apt-get install libssl1.0.0 -t jessie-backports
Your system is now ready for apache 2.4.25. The new apache2 packages will be available on Monday 13.02.2017 2 PM UTC.
The Apache HTTP Server Project has included support for HTTP/2 since version 2.4.17. The current stable Debian release, Jessie, comes with apache 2.4.10, so I’ve backported the latest apache2 from sid.
Caution: Apache 2.4.17+ is a stable release, but the package around this original tarball is from the SID branch. Use at your own risk !
The HTTP/2 part is brand new in Apache HTTP Server. Some things are new and different, but this page is served with HTTP/2. 🙂 I’ve tested and am running this on different web servers with static content, PHP sites and acting as reverse proxy. Everything works fine.
Update: With the new Apache 2.4.20, there are a lot of improvements in HTTP/2. See the full documentation.
If you want to use these packages, then include my repo:
deb http://www.d7031.de/debian jessie-experimental main
HINT: HTTP/2 depends on openssl >=1.0.2, so the library package will also be installed!
Enable the new Protocol
Load the module:
a2enmod http2
You can enable HTTP/2 per VirtualHost or globally, as I did, by changing apache2.conf.
HTTP/2 is a binary protocol. The module logio does not work with this binary format, so change the default logging option %O to %b or %B (see also).
HTTP/2 also has a feature for pushing content to reduce round trips.
--- /etc/apache2/apache2.conf.orig 2015-12-22 07:32:09.880199756 +0100 +++ /etc/apache2/apache2.conf 2015-12-22 07:33:12.704641138 +0100 @@ -204,11 +204,14 @@ # Use mod_remoteip instead. # LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined -LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent +# enable http2 for http and https +Protocols h2 h2c http/1.1 + +# configure push +H2Push on +H2PushPriority * after +H2PushPriority text/css before +H2PushPriority image/jpeg after 32 +H2PushPriority image/png after 32 +H2PushPriority application/javascript interleaved
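Review bot: In the LogFormat block only the combined format is switched from %O to %b; the vhost_combined and common lines are left as unchanged context and still use %O, so any CustomLog that references those nicknames keeps the option the text says does not work with HTTP/2. Change both to %b (or %B) in the same hunk. Separately, "Protocols h2 h2c http/1.1" is set at server level, which turns on cleartext h2c for every virtual host; if only the TLS sites need HTTP/2, "Protocols h2 http/1.1" is enough, and the comment above it should say which is intended.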
You can debug the new module with the appropriate loglevel:
LogLevel info mod_http2.c:debug
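To find the LogFormat lines that still use %O once HTTP/2 is switched on (the logging advice above), a small check can be run over apache2.conf. This is an added example, not part of the original post; the function names are hypothetical and the sample configuration is constructed, modelled on the fragment above.

```python
import re
import shlex

# %O, optionally with status-code conditions or </> modifiers (e.g. %>O, %200,304O)
LOGIO_O = re.compile(r"%(?:!?\d+(?:,\d+)*)?[<>]?O")

SAMPLE_CONF = r'''
# constructed sample, modelled on the apache2.conf fragment in the post
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
Protocols h2 h2c http/1.1
'''

def parse_directives(text):
    """Yield (lineno, name, args) per directive; skips comments and <Container> tags."""
    pending, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            start = n                      # first physical line of this directive
        if line.endswith("\\"):            # Apache line continuation
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if not line or line.startswith(("#", "<")):
            continue
        try:
            tokens = shlex.split(line)     # handles "..." with \" escapes
        except ValueError:
            continue                       # unbalanced quoting: leave to apachectl configtest
        yield start, tokens[0], tokens[1:]

def audit_http2_logging(text):
    """Return (http2_enabled, findings); a finding is (lineno, nickname, suggested_format)."""
    http2, findings = False, []
    for lineno, name, args in parse_directives(text):
        if name.lower() == "protocols":
            http2 = http2 or any(a.lower() in ("h2", "h2c") for a in args)
        elif name.lower() == "logformat" and args and LOGIO_O.search(args[0]):
            nickname = args[1] if len(args) > 1 else "(default)"
            findings.append((lineno, nickname, LOGIO_O.sub("%b", args[0])))
    return http2, (findings if http2 else [])  # %O only matters when h2/h2c is on

if __name__ == "__main__":
    enabled, findings = audit_http2_logging(SAMPLE_CONF)
    for lineno, nick, fixed in findings:
        print(f"line {lineno}: LogFormat '{nick}' uses %O; suggested: {fixed}")
```

To check a real server, pass the contents of /etc/apache2/apache2.conf (and any included files that define LogFormat) to audit_http2_logging.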
My configured ciphers
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
Test your connection
Another point with the binary format is that telnet no longer works to test a website. But you can use nghttp2-client. This is also included in my repo. So you can check your HTTP/2 connectivity:
nghttp -ans https://www.d7031.de/
Future
I’ll backport all the new packages from SID in this repo.
List of packages in this repo
Tom