HTTP/2 - Getting ready on Debian with Apache2
HTTP/2 is the newest version of the HTTP protocol and has a lot of improvements including binary headers. I’m currently thrilled by “state of the art”-web-applications, but still running an apache2 web server. Most people agree that nginx is more “state of the art” than apache2 and may be right. But.
The point is: As my server is running Debian stable I can’t enable HTTP/2 because in Debian jessie the apache2 version is 2.4.10. But HTTP/2 was added in version 2.4.17. Argh.
Now you have three choices:
- Compile apache2 yourself and keep it up-to-date, which is really annoying. Much work, less effort. Nothing for me.
- Install apache2 and openssl from an “untrusted” repository like in this tutorial. An untrusted repository? Nothing for me!
- Do it like me and install the apache2 package from Debian testing
Preparation
First of all, check that your apache2 configuration is correct for 2.4.10:
sudo apachectl -t
If your configuration is correct, you can continue by adding testing to your sources.list and updating your package list.
sudo su -c 'echo "deb http://http.debian.net/debian testing main" > /etc/apt/sources.list.d/testing.list'
sudo apt-get update
DON’T RUN apt-get upgrade NOW!
Check the priority of the testing repository:
apt-cache policy apache2
This should result in something like this:
apache2:
Installed: 2.4.10-10+deb8u4
Candidate: 2.4.18-2
Version table:
2.4.18-2 0
500 http://http.debian.net/debian/ testing/main amd64 Packages
100 /var/lib/dpkg/status
*** 2.4.10-10+deb8u4 0
500 http://http.debian.net/debian/ jessie/main amd64 Packages
500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
2.4.10-10+deb8u1 0
500 http://security.debian.org/ jessie/updates/main amd64 Packages
500 http://security.debian.org/ stable/updates/main amd64 Packages
The important information is the number at the beginning of each repository line, in this case the 500 in 500 http://security.debian.org/ jessie/updates/main amd64 Packages. This is the repository priority. The version from the source with the highest priority is installed; when priorities are equal, as here, the newest version wins, which is why the candidate is 2.4.18-2. Because you don’t want to upgrade your whole server to testing, you should lower the priority of the testing repository below 500.
This is done by adding a preference for the repository:
sudo bash -c 'cat >/etc/apt/preferences.d/testing' <<EOF
Package: *
Pin: release a=testing
Pin-Priority: 300
EOF
Now recheck the priority:
apt-cache policy apache2
Your apache2 version should stay the same right now.
apache2:
Installed: 2.4.10-10+deb8u4
Candidate: 2.4.10-10+deb8u4
Version table:
2.4.18-2 0
300 http://http.debian.net/debian/ testing/main amd64 Packages
100 /var/lib/dpkg/status
*** 2.4.10-10+deb8u4 0
500 http://http.debian.net/debian/ jessie/main amd64 Packages
500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
2.4.10-10+deb8u1 0
500 http://security.debian.org/ jessie/updates/main amd64 Packages
500 http://security.debian.org/ stable/updates/main amd64 Packages
Now your other packages should stay on stable. You can check that by using the command again for another package.
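To run that check over several packages at once, here is an added example (not part of the original post) that reads `apt-cache policy` output and reports whether the candidate version comes from testing. The function names and the embedded samples are constructed for illustration.

```shell
# Added example. Reads `apt-cache policy <pkg>` output on stdin and prints
# "<priority> <suite>" for every source of the candidate version.
candidate_sources() {
    awk '
        $1 == "Candidate:"                { cand = $2; next }
        $1 == "Version" && $2 == "table:" { table = 1; next }
        !table                            { next }
        # Version line: [***] <version> <pin>
        $NF ~ /^-?[0-9]+$/ && (NF == 2 || (NF == 3 && $1 == "***")) {
            cur = $(NF - 1); next
        }
        # Source line: <priority> <uri> [<suite>/<component> <arch> Packages]
        cur == cand && $1 ~ /^-?[0-9]+$/ { print $1, (NF >= 3 ? $3 : $2) }
    '
}

# Succeeds (exit 0) when the candidate version is offered by the testing suite.
candidate_from_testing() {
    candidate_sources | grep -Eq '^-?[0-9]+ testing/'
}

# Constructed samples shaped like the two outputs above (indentation restored).
sample_before_pin() {
    cat <<'EOF'
apache2:
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.18-2
  Version table:
     2.4.18-2 0
        500 http://http.debian.net/debian/ testing/main amd64 Packages
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
sample_after_pin() {
    sample_before_pin | sed -e 's/Candidate: .*/Candidate: 2.4.10-10+deb8u4/' \
                            -e 's/500 \(.*testing\)/300 \1/'
}

# Usage on a real system: sh check-pin.sh openssl libc6 apache2
for pkg in "$@"; do
    if apt-cache policy "$pkg" | candidate_from_testing; then
        echo "WARNING: $pkg would be installed from testing"
    else
        echo "ok: $pkg stays on stable"
    fi
done
```

Run it before any `apt-get upgrade`; a WARNING line means the pin in /etc/apt/preferences.d/testing is not being applied to that package.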
Install apache2 with HTTP/2
After adding the testing repository in a secure way it is time to update apache2. To install the newer apache2 version use the following command:
sudo apt-get install -y -t testing apache2
Now apache2 from the testing repository is installed. In other words version 2.4.18, which supports HTTP/2.
Configure Apache to use HTTP/2
With the new apache2 version installed you need to enable HTTP/2.
sudo a2enmod http2
sudo apachectl -t && sudo systemctl restart apache2
Now the HTTP2 module is loaded but you still won’t be able to connect using HTTP/2.
If you want to enable HTTP/2 only for ‘some’ virtual hosts you can use the same options inside the <VirtualHost> tag. The following shows how to enable it globally.
sudo bash -c 'cat >/etc/apache2/conf-available/http2.conf' <<EOF
Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
EOF
sudo a2enconf http2 && sudo apachectl -t && sudo systemctl reload apache2
This creates the /etc/apache2/conf-available/http2.conf file. The important part is the Protocols option, which enables HTTP/2 in general. To use HTTP/2 the SSLCipherSuite is also important because HTTP/2 requires TLS1.2 in some browsers.
To improve the load speed of your pages, H2Push is really useful. You can now add Link headers to your HTTP responses to push content to your clients.
Now all your webpages should be HTTP/2 ready.
Check it with your web browser using the developer tools.
Known issues
If you check your server with HTTP2-Check you’ll still get the message:
HTTP/2 not supported
It’s not completely true. The problem is that those tests only check the first request, and all servers which don’t support NPN or ALPN will automatically fall back to HTTP/1.1. But the server will add an upgrade header option so every further connection uses HTTP/2.
I’m still searching for a solution to fix that protocol advertisement issue.
A correct check can be found at https://tools.keycdn.com/http2-test
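To see for yourself which of the two situations described above applies to your own server, here is an added example (not part of the original post) that separates "h2 negotiated via ALPN" from "h2 only advertised in an Upgrade header". The function names, status strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: tell "h2 negotiated via ALPN"
# apart from "h2 only advertised in an Upgrade header" (the case above).

# stdin: output of `openssl s_client -alpn h2,http/1.1 ...`
alpn_selected() {
    awk -F': ' '
        /^ALPN protocol: /    { proto = $2 }
        /^No ALPN negotiated/ { proto = "none" }
        END { print (proto == "" ? "unknown" : proto) }'
}

# stdin: HTTP/1.1 response headers; prints the Upgrade tokens, one per line
upgrade_tokens() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "upgrade" {
        gsub(/[ \t]/, "", $2)
        n = split($2, t, ",")
        for (i = 1; i <= n; i++) print t[i]
    }'
}

# $1 = s_client output, $2 = HTTP/1.1 response headers
h2_status() {
    if [ "$(printf '%s\n' "$1" | alpn_selected)" = "h2" ]; then
        echo "negotiated"          # clients get HTTP/2 on the first request
    elif printf '%s\n' "$2" | upgrade_tokens | grep -qx 'h2'; then
        echo "advertised-only"     # first request is answered over HTTP/1.1
    else
        echo "not-offered"
    fi
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_NO_ALPN='CONNECTED(00000003)
No ALPN negotiated
SSL-Session:'
SAMPLE_ALPN_H2='CONNECTED(00000003)
ALPN protocol: h2
SSL-Session:'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade'

# Real use (host is a placeholder):
#   h2_status "$(openssl s_client -alpn h2,http/1.1 -servername "$host" \
#                  -connect "$host:443" </dev/null 2>/dev/null)" \
#             "$(curl -sI --http1.1 "https://$host/")"
```

The `-alpn` option needs an OpenSSL client of version 1.0.2 or newer; an "advertised-only" result corresponds to the "HTTP/2 not supported" message from checkers that only look at the first request.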
Conclusion
Enabling HTTP/2 on Debian stable using apache2 isn’t as simple as it should be.
By using the Debian testing package however it is possible in a secure and trusted way without much effort.
Hopefully this will help you bring your web servers to HTTP/2. And don’t forget to use HTTPS wherever you are!
If you like this article or want to share your thoughts feel free to use the comment section down below or message and follow me on Mastodon.