Real Time Concepts

HTTP2 Support and Install – Part 2

Plesk

While Plesk 12.5.30 Update #28 and above is aware of and capable of using HTTP2, it also requires the latest version of nginx. The underlying operating system must also provide the correct components, as per the Requirements and Compatibility section. E.g., Plesk 17 on CentOS 6 will NOT work with HTTP2 since OpenSSL is NOT a high enough version. See:

https://support.plesk.com/hc/en-us/articles/115004291214-How-to-enable-HTTP-2-support-for-Nginx
https://docs.plesk.com/en-US/onyx/administrator-guide/web-servers/apache-and-nginx-web-servers-linux/http2-support-in-plesk.76461/
https://docs.plesk.com/en-US/obsidian/administrator-guide/web-servers/apache-and-nginx-web-servers-linux/http2-support-in-plesk.76461/

Notes
  • NginX can only do NPN with OpenSSL 1.0.1. You need EL7.4+ with OpenSSL 1.0.2 to work with both NPN and ALPN. See the NginX blog post in the reference section below
  • Ubuntu 14.04 LTS: the Nginx version 1.4.x provided by Ubuntu does not support HTTP2. Install Nginx from ppa:nginx/stable, which provides the supported version 1.12.x
  • Ubuntu 16.04 LTS accidentally included http2 when it was still experimental, but removed it afterwards, even though the httpd version remains high enough
  • Ubuntu 18.04 LTS requires the http2 module be manually enabled
  • IUS http24u includes mod_http2
  • CentOS 8 has Apache with mod_http2 already compiled
  • Unsupported Repositories and ppa:
    Red Hat Software Collections – RHSCL – SCL rh-nginx110 or rh-nginx112 (RHEL 7)
    Red Hat Software Collections – RHSCL – SCL rh-nginx110 (RHEL6)
    Red Hat Software Collections – RHSCL – SCL http24 includes mod_http2
  • ondrej
  • Supported Repositories

RHEL8/CentOS 8

In RHEL/CentOS 8, installing Apache also installs the http2 module and loads it by default. The next step is just to enable http2 at the vhost. I tested both html and php.

The domain example.com is pointed to the local IP via “/etc/hosts”. As you can see from the output below, Apache is responding with “HTTP/1.1”.

before enabling http2

# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/1.1 200 OK
# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/1.1 200 OK

To enable http2 add the line “Protocols h2 http/1.1” to the vhost as below and restart Apache.

Enable http2

<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot /var/www/vhost
ServerName example.com
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
# Proxy declaration
<Proxy "unix:/run/php-fpm/www.sock|fcgi://php-fpm">
# we must declare a parameter in here (doesn't matter which) or
# it'll not register the proxy ahead of time
ProxySet disablereuse=off
# Note: If you configure php-fpm to use the "pm = ondemand"
# then use "ProxySet disablereuse=on"
</Proxy>
<FilesMatch \.php$>
SetHandler proxy:fcgi://php-fpm
</FilesMatch>
</VirtualHost>

After enabling http2 you will now notice that Apache is responding with “HTTP/2”

http2 Enabled

# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/2 200
# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/2 200

At the time of testing

Testing performed using the following

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 (Ootpa)
# openssl version
OpenSSL 1.1.1c FIPS 28 May 2019
# php -v
PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
# php-fpm -v
PHP 7.2.24 (fpm-fcgi) (built: Oct 22 2019 08:28:36)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
# httpd -v
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built: Dec 2 2019 14:15:24

Ubuntu 14.04 LTS

This OS will EOL in April 2019. Neither OpenSSL nor Apache versions are high enough. Don’t do it.

Ubuntu 16.04 LTS

OpenSSL is a high enough version, but the included Apache version does not include http2 functionality (though it was once accidentally included,  before being removed since Ubuntu doesn’t want to support “experimental” technology in LTS releases).

There is a PPA that supplies a version of Apache that does include http2, but this is akin to custom compiled software. Rackspace should never do this for a customer.

Apache 2 PPA

sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt install apache2

Ubuntu 18.04 LTS

The prefork MPM (prefork.c) is not supported by mod_http2, so you have to switch to the worker or event MPM, which means php7.2 will need to use something like php-fpm.

Before http2

# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/1.1 200 OK
# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/1.1 200 OK

Enable HTTP2 on Ubuntu 18.04 LTS

# Install:
apt-get update
apt-get install php7.2-fpm
a2enmod proxy_fcgi setenvif
a2enconf php7.2-fpm
a2dismod php7.2
a2dismod mpm_prefork
a2enmod mpm_event
# Update config to use TLS1.2:
vim /etc/apache2/mods-enabled/ssl.conf
SSLProtocol -all TLSv1.2
# Enable module
a2enmod http2
systemctl restart apache2
vim /etc/apache2/sites-enabled/example.com.conf

<VirtualHost *:443>
Protocols h2 http/1.1
# ... existing vhost directives ...
</VirtualHost>

# Restart Apache
apachectl restart

After enabling http2 you will now notice that Apache is responding with “HTTP/2”

Verify http2

# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/2 200
# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/2 200
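
A pre-flight check for the prerequisites described above (an MPM other than prefork, the http2 module enabled, a Protocols line offering h2), as an added example that is not part of the original post. The function names and the sample inputs are made up for illustration; the inputs mimic the text of "apachectl -V", "apachectl -M" and the Apache configuration.

```sh
#!/bin/sh
# Added example: pre-flight check for the Apache HTTP/2 prerequisites on this page.

# Print the MPM name (lower case) from `apachectl -V` output read on stdin.
mpm_of() {
    awk -F': *' '/^Server MPM:/ { split($2, a, " "); print tolower(a[1]); exit }'
}

# Succeed if `apachectl -M` output on stdin lists http2_module
# (proxy_http2_module alone does not count).
has_http2_module() {
    grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# Print every token of every active (uncommented) Protocols line on stdin.
protocols_of() {
    awk 'tolower($1) == "protocols" { for (i = 2; i <= NF; i++) printf "%s ", tolower($i) }
         END { print "" }'
}

# h2_preflight V_OUTPUT M_OUTPUT CONFIG_TEXT
# Prints one finding per line and returns 0 only if every check passes.
h2_preflight() {
    rc=0
    mpm=$(printf '%s\n' "$1" | mpm_of)
    case $mpm in
        event|worker) echo "ok:   MPM is $mpm" ;;
        *) echo "fail: MPM '${mpm:-unknown}' is not event or worker (mod_http2 does not support prefork)"; rc=1 ;;
    esac
    if printf '%s\n' "$2" | has_http2_module; then
        echo "ok:   http2_module is loaded"
    else
        echo "fail: http2_module is not loaded"; rc=1
    fi
    protos=$(printf '%s\n' "$3" | protocols_of)
    case " $protos " in
        *" h2 "*) echo "ok:   Protocols offers h2" ;;
        *) echo "fail: no active Protocols line offers h2"; rc=1 ;;
    esac
    case " $protos " in
        *" h2c "*) echo "note: h2c (cleartext HTTP/2) is enabled as well" ;;
    esac
    return $rc
}

# Constructed sample inputs, modelled on the outputs shown on this page.
SAMPLE_V_EVENT='Server version: Apache/2.4.29 (Ubuntu)
Server MPM:     event'
SAMPLE_V_PREFORK='Server version: Apache/2.4.29 (Ubuntu)
Server MPM:     prefork'
SAMPLE_M=' http2_module (shared)
 proxy_fcgi_module (shared)'
SAMPLE_CONF='# Protocols h2c
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>'

h2_preflight "$SAMPLE_V_PREFORK" "$SAMPLE_M" "$SAMPLE_CONF" || echo "=> not ready for HTTP/2"
h2_preflight "$SAMPLE_V_EVENT" "$SAMPLE_M" "$SAMPLE_CONF" && echo "=> ready for HTTP/2"
```

On a live host, pass "$(apachectl -V)", "$(apachectl -M)" and the contents of the config files in place of the samples.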

Ubuntu 20.04 LTS

The following check verifies whether http2 is already enabled. The domain example.com is pointed to the local IP via “/etc/hosts”. As you can see from the output below, Apache is responding with “HTTP/1.1”.

Before http2

# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/1.1 200 OK
# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/1.1 200 OK

set TLS to TLSv1.2

set TLSV1.2

# Update config to use TLS1.2:
vim /etc/apache2/mods-enabled/ssl.conf
SSLProtocol -all TLSv1.2

Enable the following modules

Enable module

a2enmod actions alias proxy_fcgi setenvif http2

Add the line “Protocols h2 http/1.1” to the vhost configuration to enable it for the domain, as in the following example. Afterwards you need to restart Apache.

Enable http2

<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot /var/www/vhost
ServerName example.com
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
# Proxy declaration
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>

After enabling http2 you will now notice that Apache is responding with “HTTP/2”

Verify http2

# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/2 200
# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/2 200

Nginx

HTTP2 is available by default and is fully supported on servers running Nginx. Nginx has had HTTP2 support built in as of Nginx 1.9.5.

The table below outlines which packages support HTTP2 on Nginx:

Verify that http2 has been compiled in nginx

Verify module

# strings /usr/sbin/nginx | grep _module | grep -v configure| sort | grep ^ngx_http_v2_module
ngx_http_v2_module
ngx_http_v2_module

Enabling HTTP2 on Nginx is as simple as modifying an existing Nginx vhost as shown below:

[root@web01 ~]# vim /etc/nginx/sites-enabled/example.com.conf

server {
listen 443 ssl http2;
server_name example.com www.example.com;

[root@web01 ~]# nginx -t
[root@web01 ~]# service nginx restart

After enabling http2 you will now notice that Nginx is responding with “HTTP/2”

# curl -IL https://www.example.com --insecure
HTTP/2 200 <---
server: nginx/1.14.0 (Ubuntu)

 


CentOS 7

OS version

[centos@ip-172-31-35-171 ~]$ cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)
[root@ip-172-31-35-171 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
[root@ip-172-31-35-171 ~]# curl http://169.254.169.254/latest/meta-data/ami-id
ami-0affd4508a5d2481b
[root@ip-172-31-35-171 ~]# uname -a
Linux ip-172-31-35-171.ec2.internal 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Install ius and epel repo for Http, no need to install mod_ssl

Installation

[root@ip-172-31-35-171 ~]# yum install https://repo.ius.io/ius-release-el7.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Loaded plugins: fastestmirror
ius-release-el7.rpm | 8.2 kB 00:00:00
Examining /var/tmp/yum-root-_8DKj9/ius-release-el7.rpm: ius-release-2-1.el7.ius.noarch
Marking /var/tmp/yum-root-_8DKj9/ius-release-el7.rpm to be installed
:
:
[root@ip-172-31-35-171 ~]# yum install yum-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
:
:
[root@ip-172-31-35-171 ~]# yum install httpd24u php74-cli.x86_64 php74-fpm-httpd.noarch httpd24u-mod_ssl.x86_64
Loaded plugins: fastestmirror
:
:

Enable http2 on http and https.

Configuration

[root@ip-172-31-35-171 ~]# echo "Protocols h2 http/1.1" >> /etc/httpd/conf.d/ssl.conf
[root@ip-172-31-35-171 ~]# echo "Protocols h2 http/1.1" >> /etc/httpd/conf/httpd.conf
#Only to avoid noisy 404 error
[root@ip-172-31-35-171 ~]# touch /var/www/html/test.html

Start services

[root@ip-172-31-35-171 ~]# systemctl enable php-fpm
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
[root@ip-172-31-35-171 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ip-172-31-35-171 ~]# systemctl start httpd
[root@ip-172-31-35-171 ~]# systemctl start php-fpm

To validate that http2 is working, the output should include: “Upgrade: h2”

Test

[root@ip-172-31-35-171 ~]# curl -I -s http://127.0.0.1/test.html | egrep 'Upgrade|HTTP'
HTTP/1.1 200 OK
Upgrade: h2
Connection: Upgrade
[root@ip-172-31-35-171 ~]# curl -I -s https://127.0.0.1/test.html --insecure | egrep 'Upgrade|HTTP'
HTTP/1.1 200 OK
Upgrade: h2
Connection: Upgrade
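
The test output above shows “HTTP/1.1 200 OK” with “Upgrade: h2” even over https: the server is offering HTTP/2, but that request still ran over HTTP/1.1, whereas an “HTTP/2 200” status line shows a connection that really negotiated HTTP/2. The following added example (not part of the original post; the names classify_h2 and probe_h2 are made up here, and the samples are constructed from the shapes of the outputs on this page) tells the three cases apart:

```sh
#!/bin/sh
# Added example: classify `curl -I -s` header output read on stdin.
#   negotiated : status line is HTTP/2, so the request really ran over HTTP/2
#   advertised : HTTP/1.x reply carrying "Upgrade: h2" or "h2c", the server only offers it
#   absent     : HTTP/1.x reply with no HTTP/2 offer at all
classify_h2() {
    awk '
        { sub(/\r$/, "") }                      # curl keeps the CRLF line endings
        /^HTTP\/2( |$)/ { state = "negotiated"; exit }
        tolower($0) ~ /^upgrade:/ {
            # everything after "Upgrade:" is a comma/space separated token list
            n = split(tolower(substr($0, 9)), tok, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "h2" || tok[i] == "h2c") state = "advertised"
        }
        END { print (state == "" ? "absent" : state) }
    '
}

# probe_h2 URL: run the same check the page uses against a live server.
# --insecure is kept only because the page tests against self-signed certificates.
probe_h2() {
    curl -I -s --insecure "$1" | classify_h2
}

# Constructed samples, shaped like the outputs shown on this page.
SAMPLE_ADVERTISED='HTTP/1.1 200 OK
Upgrade: h2
Connection: Upgrade'
SAMPLE_NEGOTIATED='HTTP/2 200'
SAMPLE_ABSENT='HTTP/1.1 200 OK'

for sample in "$SAMPLE_ADVERTISED" "$SAMPLE_NEGOTIATED" "$SAMPLE_ABSENT"; do
    printf '%s\n' "$sample" | classify_h2
done
```

A result of “advertised” over https means the client did not negotiate HTTP/2, for example because its curl build has no HTTP/2 support; repeat the test from a client that has it before treating the server as misconfigured.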

See below the version used at testing

Versions used

[centos@ip-172-31-35-171 ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@ip-172-31-35-171 ~]# httpd -V
Server version: Apache/2.4.43 (IUS)
Server built: Aug 6 2020 00:43:47
Server's Module Magic Number: 20120211:92
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: event <<<<== NOTE: It must be EVENT due to Http2 (threading, prefork does not support http2)
threaded: yes (fixed thread count)
forked: yes (variable process count)

Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

[centos@ip-172-31-35-171 ~]$ php -v
PHP (cli) (built: Aug 7 2020 13:39:18) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
[centos@ip-172-31-35-171 ~]$ php-fpm -v
PHP 7.4.9 (fpm-fcgi) (built: Aug 7 2020 13:42:44)
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies

CentOS 8

OS version

[root@ip-172-31-19-113 ~]# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)
[root@ip-172-31-19-113 ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Linux 8 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-8"
CENTOS_MANTISBT_PROJECT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="8"
[root@ip-172-31-19-113 ~]# curl http://169.254.169.254/latest/meta-data/ami-id
ami-06a9702289b96b261
[root@ip-172-31-19-113 ~]# uname -a
Linux ip-172-31-19-113.ec2.internal 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Installation

[root@ip-172-31-19-113 ~]# yum install httpd.x86_64 php.x86_64 php-cli.x86_64 php-fpm.x86_64 mod_ssl
Last metadata expiration check: 0:02:44 ago on Tue 15 Sep 2020 05:42:01 PM UTC.
Dependencies resolved.

Package    Architecture    Version    Repository    Size

Configuration

[root@ip-172-31-19-113 ~]# echo "Protocols h2 http/1.1" >> /etc/httpd/conf/httpd.conf
[root@ip-172-31-19-113 ~]#
#Only to avoid noisy 404 error
[root@ip-172-31-19-113 ~]# touch /var/www/html/test.html

Start services

[root@ip-172-31-19-113 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service /usr/lib/systemd/system/httpd.service.
[root@ip-172-31-19-113 ~]# systemctl enable php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service /usr/lib/systemd/system/php-fpm.service.
[root@ip-172-31-19-113 ~]# systemctl start httpd
[root@ip-172-31-19-113 ~]# systemctl start php-fpm

To validate that http2 is working, the output should include the line “HTTP/2” on https

Test

[root@ip-172-31-19-113 ~]# curl -I -s http://127.0.0.1/test.html | egrep 'Upgrade|HTTP'
HTTP/1.1 200 OK
Upgrade: h2
Connection: Upgrade
[root@ip-172-31-19-113 ~]# curl -I -s https://127.0.0.1/test.html --insecure | grep HTTP
HTTP/2 200

See below the version used while testing

Version used

[root@ip-172-31-19-113 ~]# openssl version
OpenSSL 1.1.1c FIPS 28 May 2019

[root@ip-172-31-19-113 ~]# httpd -V
Server version: Apache/2.4.37 (centos)
Server built: Jun 8 2020 20:14:33
Server's Module Magic Number: 20120211:83
Server loaded: APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event <<<<== NOTE: It must be EVENT due to Http2 (threading, prefork does not support http2)
threaded: yes (fixed thread count)
forked: yes (variable process count)

Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

[root@ip-172-31-19-113 ~]# php-fpm -v
PHP 7.2.24 (fpm-fcgi) (built: Oct 22 2019 08:28:36)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
[root@ip-172-31-19-113 ~]# php -v
PHP 7.2.24 (cli) (built: Oct 22 2019 08:28:36) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

Ubuntu 18.04

OS version

root@ip-172-31-49-86:~# curl http://169.254.169.254/latest/meta-data/ami-id
ami-09c5258a58aeabe14
root@ip-172-31-49-86:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
root@ip-172-31-49-86:~# uname -a
Linux ip-172-31-49-86 5.3.0-1035-aws #37-Ubuntu SMP Sun Sep 6 01:17:09 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Installation

root@ip-172-31-49-86:~# apt update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
:
:
root@ip-172-31-49-86:~# apt install apache2 php7.2-fpm
Reading package lists... Done
Building dependency tree
Reading state information... Done
:
:
root@ip-172-31-49-86:~# a2enmod proxy_fcgi http2 ssl
Considering dependency proxy for proxy_fcgi:
Enabling module proxy.
root@ip-172-31-49-86:~# a2enconf php7.2-fpm
Enabling conf php7.2-fpm.
To activate the new configuration, you need to run:
systemctl reload apache2

Configuration

echo "Protocols h2 h2c http/1.1" >> /etc/apache2/apache2.conf
#Only to avoid noisy 404 error
root@ip-172-31-49-86:~# touch /var/www/html/test.html
root@ip-172-31-49-86:~# vim /etc/apache2/mods-enabled/ssl.conf
SSLProtocol -all TLSv1.2
#Create virtualhost because it's not enabled by default
root@ip-172-31-49-86:~# vim /etc/apache2/sites-enabled/001-default.conf
<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>

Start services

root@ip-172-31-49-86:~# systemctl restart apache2
root@ip-172-31-49-86:~# systemctl restart php7.2-fpm.service

To validate that http2 is working, the output should include: “Upgrade: h2” on https

Test

root@ip-172-31-49-86:~# curl -I -s https://127.0.0.1/test.html --insecure | grep HTTP
HTTP/2 200
root@ip-172-31-49-86:~# curl -I -s http://127.0.0.1/test.html | egrep 'Upgrade|HTTP'
HTTP/1.1 200 OK
Upgrade: h2,h2c
Connection: Upgrade

See below the version used at testing

Versions used

root@ip-172-31-49-86:~# php -v
PHP 7.2.24-0ubuntu0.18.04.6 (cli) (built: May 26 2020 13:09:11) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.6, Copyright (c) 1999-2018, by Zend Technologies
root@ip-172-31-49-86:~# php-fpm7.2 -v
PHP 7.2.24-0ubuntu0.18.04.6 (fpm-fcgi) (built: May 26 2020 13:09:11)
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.6, Copyright (c) 1999-2018, by Zend Technologies
root@ip-172-31-49-86:~# apache2ctl -V
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event <<<<== NOTE: It must be EVENT due to Http2 (threading, prefork does not support http2)
threaded: yes (fixed thread count)
forked: yes (variable process count)

Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

root@ip-172-31-49-86:~# openssl version
OpenSSL 1.1.1 11 Sep 2018

Ubuntu 20.04

OS version

root@ip-172-31-52-116:~# curl http://169.254.169.254/latest/meta-data/ami-id
ami-028682ebf96de01e1

root@ip-172-31-52-116:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@ip-172-31-52-116:~# uname -a
Linux ip-172-31-52-116 5.4.0-1024-aws #24-Ubuntu SMP Sat Sep 5 06:19:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Installation

root@ip-172-31-52-116:~# apt install php7.4-fpm apache2
Reading package lists... Done
Building dependency tree
:
:
root@ip-172-31-52-116:~# a2enmod proxy_fcgi setenvif ssl http2
Considering dependency proxy for proxy_fcgi:
:

:

Configuration

root@ip-172-31-52-116:~# echo "Protocols h2 h2c http/1.1" >> /etc/apache2/apache2.conf
#Create virtualhost because it's not enabled by default
root@ip-172-31-52-116:~# vim /etc/apache2/sites-enabled/001-default.conf

<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
</VirtualHost>

#Only to avoid noisy 404 error
root@ip-172-31-52-116:~# touch /var/www/html/test.html

Start services

root@ip-172-31-52-116:~# systemctl restart apache2.service
root@ip-172-31-52-116:~# systemctl restart php7.4-fpm.service

To validate that http2 is working, the output should include the line “HTTP/2 200” on https

Test

root@ip-172-31-52-116:~# curl -I -s http://127.0.0.1/test.html | egrep 'Upgrade|HTTP'
HTTP/1.1 200 OK
Upgrade: h2,h2c
Connection: Upgrade
root@ip-172-31-52-116:~# curl -I -s https://127.0.0.1/test.html --insecure | grep HTTP
HTTP/2 200

See below the version used at testing

Versions used

root@ip-172-31-52-116:~# php -v
PHP 7.4.3 (cli) (built: May 26 2020 12:24:22) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
root@ip-172-31-52-116:~# php-fpm7.4 -v
PHP 7.4.3 (fpm-fcgi) (built: May 26 2020 12:24:22)
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
root@ip-172-31-52-116:~# apache2ctl -V
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17
Server's Module Magic Number: 20120211:88
Server loaded: APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event <<<<== NOTE: It must be EVENT due to Http2 (threading, prefork does not support http2)
threaded: yes (fixed thread count)
forked: yes (variable process count)

Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

root@ip-172-31-52-116:~# openssl version
OpenSSL 1.1.1f 31 Mar 2020

AWS Linux 2

In AWS Linux 2, when Apache is installed the http2 module is also installed and loaded by default. The next step is just to enable http2 at the vhost. I tested both html and php.

before enabling http2

# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/1.1 200 OK

# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/1.1 200 OK

To enable http2 add the line “Protocols h2 http/1.1” to the vhost as below and restart Apache.

enable http2

<VirtualHost *:443>
Protocols h2 http/1.1
DocumentRoot /var/www/vhost
ServerName example.com
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
# Proxy declaration
<Proxy "unix:/run/php-fpm/www.sock|fcgi://php-fpm">
# we must declare a parameter in here (doesn't matter which) or
# it'll not register the proxy ahead of time
ProxySet disablereuse=off
# Note: If you configure php-fpm to use the "pm = ondemand"
# then use "ProxySet disablereuse=on"
</Proxy>
<FilesMatch \.php$>
SetHandler proxy:fcgi://php-fpm
</FilesMatch>
</VirtualHost>

At time of testing

OS version

# curl http://169.254.169.254/latest/meta-data/ami-id
ami-09558250a3419e7d0
# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
[root@ip-172-31-5-124 ~]# httpd -M |grep http2
http2_module (shared)
proxy_http2_module (shared)
# php -v
PHP 5.4.16 (cli) (built: Oct 31 2019 18:34:05)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
# php-fpm -v
PHP 5.4.16 (fpm-fcgi) (built: Oct 31 2019 18:36:56)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Verify http2

http2 verify

# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/2 200
# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/2 200

Nginx

HTTP2 is available by default and is fully supported on servers running Nginx. Nginx has had HTTP2 support built in as of Nginx 1.9.5.

The table below outlines which packages support HTTP2 on Nginx

 

Verify the module

# strings /usr/sbin/nginx | grep _module | grep -v configure| sort | grep ^ngx_http_v2_module
ngx_http_v2_module
ngx_http_v2_module

Enabling HTTP2 on Nginx is as simple as modifying an existing Nginx vhost as shown below:

enable http2

# vim /etc/nginx/sites-enabled/example.com.conf

server {
listen 443 ssl http2;
server_name example.com www.example.com;

After enabling http2 you will now notice that Nginx is responding with “HTTP/2”

verify http2

# curl -IL https://www.example.com --insecure
HTTP/2 200 <---

AWS Linux 2

HTTP2 is available by default and is fully supported on servers running Nginx. You need to enable the nginx1 repository, then install nginx.

install nginx

# amazon-linux-extras list | grep nginx
38 nginx1 available [ =stable ]
# amazon-linux-extras enable nginx1
# amazon-linux-extras list | grep nginx
38 nginx1=latest enabled [ =stable ]

Verify http2

# strings /usr/sbin/nginx | grep _module | grep -v configure| sort | grep ^ngx_http_v2_module
ngx_http_v2_module
ngx_http_v2_module

Enabling HTTP2 on Nginx is as simple as modifying an existing Nginx vhost as shown below:

Enable http2

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;

Verify http2

# curl -I -s https://example.com/index.html --insecure | grep HTTP
HTTP/2 200
# curl -I -s https://example.com/index.php --insecure | grep HTTP
HTTP/2 200

Other useful docs

HTTP/2

References
