I am trying to enable HTTP/2 in Apache 2.4.38, but I am failing to do so. All requests are still being served using HTTP/1.1 according to the Lighthouse tests in the browser. I am using the official HTTP/2 guide for Apache, but it's not working in my case. My SSL Apache conf file is as follows:

    LoadModule http2_module modules/mod_http2.so
    <IfModule mod_ssl.c>
    <VirtualHost *:443>

        ServerName mywebsite.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        ServerName quizzane.servehttp.com
        SSLCertificateFile /etc/letsencrypt/live/quizzane.servehttp.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/quizzane.servehttp.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        Protocols h2
    </VirtualHost>
    </IfModule>

This file is used when encryption is active on my site (on port 443). This is always used, as I have automatic redirection to port 443 set up (successfully). I have done the usual `a2enmod http2` to enable the HTTP/2 module and loaded the extension as shown in the SSL conf file. As for logs, I can't find the folder, so if someone would be so kind as to point me in the direction of the Apache log folder, it would be much appreciated (`${APACHE_LOG_DIR}` is non-existent). I am also using Certbot for SSL/TLS and no other external libraries as far as I am aware. When trying to use curl with `curl -v --http2` on my site, the server does seem to accept HTTP/2, but the server and the client eventually decide to use HTTP/1.1, as shown by the lines below:

...
* ALPN, offering h2
* ALPN, offering http/1.1
...
* ALPN, server accepted to use http/1.1

I haven't found any other posts that covered this issue.

  • Note that you can (and are usually recommended to) use absolute paths for your log files to get more predictable behavior, but `${APACHE_LOG_DIR}` is usually a `logs` subdirectory relative to your [`ServerRoot`](https://httpd.apache.org/docs/2.4/mod/core.html#serverroot), which most Linux packagers link to /var/log/httpd or similar – Bob Oct 12 '20 at 13:46

1 Answer

Note that you’re including additional TLS settings, and Apache will sometimes do some counter-intuitive merging when directives are repeated:

   Include /etc/letsencrypt/options-ssl-apache.conf
   Protocols h2

so the `Protocols` directive in the VirtualHost-specific section may not be taking effect. (Check/post the included options.)

Also, if you’re running multiple TLS VirtualHosts: it is valid syntax to specify TLS/SSL directives on a per-VirtualHost basis, but some can only differ when each of those TLS virtual hosts runs on a different IP address and/or port; otherwise the TLS settings from the first VirtualHost apply to all VirtualHosts on that same IP address / port combination.

That is because, without SNI, Apache will not receive a Host header until after a secure connection is negotiated, but that Host header is needed to select which ciphers/protocols to allow.
A catch-22.
Since, once a connection is established, it is too late to require different protocols/ciphers for the additional Virtual Hosts, Apache silently uses the first TLS VirtualHost as the default for TLS settings.

By including a common `Include` in all TLS hosts, you make that implicit behavior for name-based TLS VirtualHosts more explicit.

Bob
  • SNI should be enabled in later versions of *mod_ssl*. I only have one TLS VirtualHost. All redirects to the default port 80 are redirected to 443. I'm still unsure of what to do. – Antonios P. Oct 14 '20 at 15:22
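The answer's concern is which `Protocols` lines actually govern a vhost once `Include`d files are spliced in. The checker below is an added example, not code from the question or answer: it reads a constructed in-memory config tree (the `Protocols http/1.1` line in its options file is made up to show how a repeat pulled in via `Include` surfaces; the real certbot options file is not on the page) and reports, per vhost, where its `Protocols` comes from, whether the directive appears more than once, and whether `h2` is listed at all.

```python
import re

def expand_includes(path, files):
    """Splice Include'd files in place (as httpd does), tagging each line with its file."""
    out = []
    for line in files[path].splitlines():
        m = re.match(r"\s*Include(?:Optional)?\s+(\S+)", line)
        if m and m.group(1) in files:
            out.extend(expand_includes(m.group(1), files))
        else:
            out.append((path, line.strip()))
    return out

def protocols_by_scope(path, files):
    """Every Protocols line per scope: 'server', or the vhost's first ServerName."""
    scopes, scope = {"server": []}, "server"
    for src, s in expand_includes(path, files):
        if s.startswith("<VirtualHost"):
            scope, scopes[s] = s, []
        elif s.startswith("</VirtualHost>"):
            scope = "server"
        elif s.startswith("ServerName ") and scope.startswith("<"):  # first ServerName names the vhost
            scope, scopes[s.split()[1]] = s.split()[1], scopes.pop(scope)
        elif s.startswith("Protocols "):
            scopes[scope].append((src, s.split()[1:]))
    return scopes

def http2_report(path, files):
    """Per vhost: where its governing Protocols lines come from and whether any lists h2."""
    scopes = protocols_by_scope(path, files)
    # A vhost without its own Protocols inherits the server-level value (built-in default: http/1.1).
    server = scopes.pop("server") or [("<built-in default>", ["http/1.1"])]
    report = {}
    for name, own in scopes.items():
        governing = own or server
        report[name] = {
            "source": "vhost" if own else "server",
            "repeated": len(own) > 1,  # directive appears more than once, e.g. once via an Include
            "h2": any("h2" in protos for _, protos in governing),
        }
    return report

# Constructed sample tree, not the poster's real files; the options file's Protocols line is made up.
FILES = {
    "apache2.conf": "Include sites-enabled/site.conf\n",
    "sites-enabled/site.conf": ("<VirtualHost *:443>\nServerName quizzane.example\n"
                                "Include options-ssl.conf\nProtocols h2\n</VirtualHost>\n"
                                "<VirtualHost *:80>\nServerName plain.example\n</VirtualHost>\n"),
    "options-ssl.conf": "SSLProtocol all -SSLv2 -SSLv3\nProtocols http/1.1\n",
}
```

Point `FILES` at the real file contents (e.g. read from `/etc/apache2`) and any vhost flagged `repeated` is one where the included options should be checked, as the answer suggests.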