My Profile Photo

Sheogorath's Blog

HTTP/2 - Getting ready on Debian with Apache2


HTTP/2 is the newest version of the HTTP protocol and has a lot of improvements including binary headers. I’m currently thrilled by “state of the art”-web-applications, but still running an apache2 web server. Most people agree that nginx is more “state of the art” than apache2 and may be right. But.

The point is: As my server is running Debian stable I can’t enable HTTP/2 because in Debian jessie the apache2 version is 2.4.10. But HTTP/2 was added in version 2.4.17. Argh.

Now you have three choices:

  1. Compile apache2 yourself which is really annoying and keep it up-to-date. - Much work, less effort. Nothing for me.
  2. Install apache2 and openssl from an “untrusted” repository like in this tutorial. - An untrusted repository? Nothing for me!
  3. Do it like me and install the apache2 package from Debian testing


First of all check that your apache2 configuration is correctly for 2.4.10:

sudo apachectl -t

So if your configuration is correct you can continue with adding testing to your sources.list and updating your package list.

sudo su -c 'echo "deb testing main" > /etc/apt/sources.list.d/testing.list'
sudo apt-get update

DON’T RUN apt-get upgrade NOW!

Check the priority of the testing repository:

apt-cache policy apache2

This should result something like this:

  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.18-2
  Version table:
     2.4.18-2 0
        500 testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 jessie/main amd64 Packages
        500 stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 jessie/updates/main amd64 Packages
        500 stable/updates/main amd64 Packages

The important information is the number at the beginning of each repository line like in this case the 500 in 500 jessie/updates/main amd64 Packages. This is the repository priority. The highest number for a package matches and will be installed. Because you don’t want to upgrade your whole server to testing you should lower this priority of 500 for the testing repository.

This is done by adding a preference for the repository:

sudo bash -c 'cat >/etc/apt/preferences.d/testing' <<EOF
Package: *
Pin: release a=testing
Pin-Priority: 300

Now recheck the priority:

apt-cache policy apache2

Your apache2 version should stay the same right now.

  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.10-10+deb8u4
  Version table:
     2.4.18-2 0
        300 testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 jessie/main amd64 Packages
        500 stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 jessie/updates/main amd64 Packages
        500 stable/updates/main amd64 Packages

Now your other packages should stay on stable. You can check that by using the command again for another package.

Install apache2 with HTTP/2

After adding the testing repository in a secure way it is time to update apache2. To install the newer apache2 version use the following statement:

sudo apt-get install -y -t testing apache2

Now apache2 from the testing repository is installed. In other words version 2.4.18, which supports HTTP/2.

Configure Apache to use HTTP/2

With the new apache2 version installed you need to enable HTTP/2.

sudo a2enmod http2
sudo apachectl -t && sudo systemctl restart apache2

Now the HTTP2 module is loaded but you still won’t be able to connect using HTTP/2.

If you want to enable HTTP/2 only for ‘some’ virtual hosts you can use the same options in the <VirtualHost>-tag. The following shows how to enable it globally.

sudo bash -c 'cat >/etc/apache2/conf-available/http2.conf' <<EOF
Protocols h2 h2c http/1.1

H2Push          on
H2PushPriority  *                       after
H2PushPriority  text/css                before
H2PushPriority  image/jpeg              after   32
H2PushPriority  image/png               after   32
H2PushPriority  application/javascript  interleaved

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on


sudo a2enconf http2 && sudo apachectl -t && sudo systemctl reload apache2

This creates the /etc/apache2/conf-available/http2.conf file. Important here is the Protocols option which enables HTTP/2 in general. To use HTTP/2 the SSLCipherSuite is also important because HTTP/2 requires TLS1.2 in some browsers.

To improve the load speed of your pages the usage of H2Push is really useful.

Now you can add Link-options to your HTTP header to push content to your clients.

Now all your webpages should be HTTP/2 ready.

Check it with your web browser using the developer tools.

Known issues

If you check your server with HTTP2-Check you’ll still get the message:

HTTP/2 not supported

It’s not completely true. The problem is, that those tests only check the first request and all servers which doesn’t support NPN or ALPN will automatically fallback to HTTP/1.1 But it will add an upgrade header option so every further connect uses HTTP/2.

I’m still searching for a solution to fix that protocol advertisement issue.

A correct check can be found at


Enabling HTTP/2 on Debian stable using apache2 isn’t as simple as it should be.

By using the Debian testing package however it is possible in a secure and trusted way without much effort.

Hopefully this will help you bringing your web servers to HTTP/2. And don’t forget to use HTTPS where ever you are!

If you like this article or want to share your thoughts feel free to use the comment section down below or message and follow me on Mastodon.

Further links for HTTP/2: