Debian, Apache and HTTP/2 – Important Info !

By | 2016-02-11

Deliver your websites with Apache and HTTP/2


IMPORTANT INFO !

I’ve backported Apache 2.4.25, but it now depends on OpenSSL from Debian backports. The reason for this step back is bug 828236. So you have to add the debian-backports repo to your system:

echo 'deb http://ftp.debian.org/debian jessie-backports main' >>  /etc/apt/sources.list.d/debian-backports.list

and install/update the openssl packages from there:

apt-get install libssl1.0.0 -t jessie-backports

Your system is now ready for Apache 2.4.25. The new apache2 packages will be available on Monday 13.02.2017, 2 PM UTC.


The Apache HTTP Server Project has included support for HTTP/2 since version 2.4.17. The current stable Debian release, Jessie, comes with Apache 2.4.10, so I’ve backported the latest apache2 from sid.

Caution: Apache 2.4.17+ is a stable release, but the package built around the original tarball comes from the SID branch. Use at your own risk!

The HTTP/2 part is brand new in Apache HTTP Server. Some things are new and different, but this page is served with HTTP/2. 🙂 I’ve tested and am running this on different web servers with static content, PHP sites and as a reverse proxy. Everything works fine.

Update: With the new Apache 2.4.20, there are a lot of improvements in HTTP/2. See the full documentation.

If you want to use these packages, add my repo:

deb http://www.d7031.de/debian jessie-experimental main

HINT: HTTP/2 depends on OpenSSL >= 1.0.2, so the library package will also be installed!

Enable the new Protocol

Load the module:

a2enmod http2

You can enable HTTP/2 per VirtualHost or, as I did, globally in apache2.conf.

HTTP/2 is a binary protocol. The mod_logio module does not work with this binary format, so change the default logging option %O to %b or %B (see also).

HTTP/2 also has a feature for pushing content to reduce round trips.

--- /etc/apache2/apache2.conf.orig      2015-12-22 07:32:09.880199756 +0100
+++ /etc/apache2/apache2.conf   2015-12-22 07:33:12.704641138 +0100
@@ -204,11 +204,14 @@
 # Use mod_remoteip instead.
 #
 LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
-LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %O" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent

+# enable http2 for http and https
+Protocols h2 h2c http/1.1
+
+# configure push
+H2Push          on
+H2PushPriority  *                       after
+H2PushPriority  text/css                before
+H2PushPriority  image/jpeg              after   32
+H2PushPriority  image/png               after   32
+H2PushPriority  application/javascript  interleaved
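
Review bot: the vhost_combined and common LogFormat lines kept as context in this hunk still log %O; only combined is switched to %b. Since the text above says mod_logio does not work with HTTP/2, give those two formats the same %O to %b (or %B) change, otherwise any vhost logging with vhost_combined keeps the unreliable field. Also, Protocols h2 h2c http/1.1 is set at server scope, which offers cleartext HTTP/2 (h2c) on every plain-HTTP vhost; browsers only use HTTP/2 over TLS, so consider listing h2c only in the vhosts where a cleartext client needs it.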

You can debug the new module with the appropriate loglevel:

LogLevel info mod_http2.c:debug
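
To confirm that no active log directive still uses %O after the change described above, this added example (not code from the post) audits and rewrites a config file. The function names `audit_logio` and `fix_logio` and the sample config are made up for illustration, and the CustomLog inline-format case goes beyond what the post shows.

```sh
# Added example (not from the post): find and rewrite log directives that
# still use %O, which the post says does not work with HTTP/2.

# Constructed sample modelled on the post's apache2.conf; the CustomLog line
# with an inline format is an extra case the post does not show.
sample_conf() {
cat <<'EOF'
# constructed sample
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
#LogFormat "%h %O" disabled
  customlog /var/log/apache2/inline.log "%h %>s %O"
Protocols h2 h2c http/1.1
EOF
}

# audit_logio FILE: print "LINE:DIRECTIVE" for every active LogFormat or
# CustomLog line containing %O. Exit status 1 if any were found, else 0.
audit_logio() {
    awk '
        $1 ~ /^#/ { next }                       # commented-out directive
        { d = tolower($1) }                      # directive names ignore case
        (d == "logformat" || d == "customlog") && index($0, "%O") {
            print NR ":" $1
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# fix_logio FILE: write FILE to stdout with %O replaced by %b, touching only
# active LogFormat/CustomLog lines (%b logs body bytes, without headers).
fix_logio() {
    awk '
        $1 !~ /^#/ {
            d = tolower($1)
            if (d == "logformat" || d == "customlog") gsub(/%O/, "%b")
        }
        { print }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp"
audit_logio "$tmp" || echo "the lines listed above still use %O"
fix_logio "$tmp" | audit_logio - && echo "clean after fix_logio"
rm -f "$tmp"
```

Run `audit_logio` over apache2.conf and every file it includes, since a vhost can define its own CustomLog format.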

My configured ciphers

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'

Test your connection

Another consequence of the binary format is that telnet no longer works for testing a website. But you can use nghttp2-client, which is also included in my repo, to check your HTTP/2 connectivity:

nghttp -ans https://www.d7031.de/

Future

I’ll backport all the new packages from SID into this repo.

List of packages in this repo

  • apache2
  • apache2-bin
  • apache2-data
  • apache2-dbg
  • apache2-dev
  • apache2-doc
  • apache2-suexec-custom
  • apache2-suexec-pristine
  • apache2-utils
  • d7031-archive-keyring
  • libnghttp2-14
  • libnghttp2-dev
  • libnghttp2-doc
  • libspdylay-dbg
  • libspdylay-dev
  • libspdylay-utils
  • libspdylay7
  • libssl-dev
  • libssl-doc
  • libssl1.0.2
  • libssl1.0.2-dbg
  • nghttp2
  • nghttp2-client
  • nghttp2-proxy
  • nghttp2-server
  • openssl
  • python-alabaster
  • python3-alabaster

Tom

23 thoughts on “Debian, Apache and HTTP/2 – Important Info !”

  1. Pingback: Plesk 12.5: HTTP/2 unter Apache 2.4 - KA Mediendesign Blog

  2. Marc

    W: GPG error: http://www.d7031.de jessie-experimental InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY

    1. mdevil

      apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9EB5E8A3DF17D0B3
      will help you

    1. Tom Post author

      Thanks for the hint. openssl and apache are now up to date.

      Tom

  3. Martin

    Hello Tom,

    are you willing to contribute your work as official jessie-backports packages? Would be a great thing to have these packages in jessie-backports.

    Cheers,
    Martin

    1. Tom Post author

      Hello Martin,

      I’ll think about it and contact the maintainers.

      regards

      Tom

  4. Florian R.

    Hello,

    thanks for your tutorial and work!

    One question regarding update from Apache 2.4.10 to 2.4.23 – Is your latest version 2.4.23 or 2.4.20?

    Best regards.

  5. CWendt

    Nice! Thanks.
    You can check the http/2 support from here as well: https://http2.pro/
    Be sure to watch out for security fixes. mod_http2 recently had not one, not two, but three vulnerabilities.

    1. Tom Post author

      What kind of architecture do you use ? i386?

      regards

      Tom

  6. Mathias

    Thanks for your work on this!

    Do you know when the official Debian Jessie repos will include Apache 2.4.17+? Is there a bug # we can track for updates?

    1. Tom Post author

      Hello Mathias,

      jessie has 2.4.10 with bugfixes. I hope I can integrate my work into backports, but I’m very busy at the moment. So I’m not able to make the backports as soon as possible in case security fixes come out, but it is on my roadmap.

      Tom

  7. Viktor Szépe

    …the form swallowed apache config tags 🙁

    <LocationMatch "^/.+\.php(/.+)?$">
    ProxyPassMatch "unix:///run/php5-fpm-${SITE_USER}.sock|fcgi://localhost${DOCUMENT_ROOT}"
    </LocationMatch>

  8. Roger

    I am using apache2-mpm-itk and installed apache2 2.4.27 from testing using this howto: https://www.shivering-isles.com/http-2-getting-ready-on-debian-with-apache2/
    Apache runs fine but as soon as I try to enable http/2 (in VirtualHost) the website starts loading forever. No errors or warnings in the logs. There is also no message in the logs saying http2 is loaded (after enabling http2:info logging).

    Your backport seems to be an alternative, but will it work with Apache2-mpm-itk ?

    Thanks,
    Roger

    1. Tom Post author

      Hi Roger,

      I can make this backport now and in the future, but I’ve no test system for this module.

      regards

      Tom
