0

I am trying to configure HTTP/2 support but something is going wrong

My server is a Google Compute Engine VM running Debian 9.13 (stretch), server version Apache/2.4.25, with SSL certs configured using OpenSSL. When I run openssl version it reports version 1.1.1g. When running phpinfo(); it reports OpenSSL/1.0.2u. The PHP version is 7.4.11, and phpinfo(); also reports...

SSL_VERSION_INTERFACE  ->  mod_ssl/2.4.25
SSL_VERSION_LIBRARY  ->  OpenSSL/1.0.2u
SSL_PROTOCOL  ->  TLSv1.2

I followed the instructions here to "Enable HTTP/2 module in Apache" and "Enable HTTP/2 in your Apache virtual host" and also here. After doing so, when I run the command apache2ctl -M | grep http2 it returns http2_module (shared) which signals HTTP/2 Support is enabled. But it isn't in production.

Here is the line used in my apache2 virtual hosts configuration file /etc/apache2/sites-available/default-ssl.conf

<VirtualHost _default_:443>
    Protocols h2 h2c http/1.1
    ...

Here is the verbose connection information when using curl -vso http2_debug.log --http2 https://pharealty.com/ command which does successfully download the page.

*   Trying 35.236.101.224...
* TCP_NODELAY set
* Connected to pharealty.com (35.236.101.224) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4036 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=pharealty.com
*  start date: Jul 10 01:53:04 2021 GMT
*  expire date: Oct  8 01:53:03 2021 GMT
*  subjectAltName: host "pharealty.com" matched cert's "pharealty.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: pharealty.com
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Wed, 08 Sep 2021 17:20:21 GMT
< Server: Apache
< Upgrade: h2,h2c
< Connection: Upgrade
< Set-Cookie: PHPSESSID=1mv9jqka4n7c7fb6qmtavfsgue; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< X-Pingback: https://pharealty.com/xmlrpc.php
< Link: <https://pharealty.com/wp-json/>; rel="https://api.w.org/"
< Link: <https://pharealty.com/wp-json/wp/v2/pages/48>; rel="alternate"; type="application/json"
< Link: <https://pharealty.com/>; rel=shortlink
< Set-Cookie: phaLandingPage=%2F; expires=Tue, 08-Mar-2022 17:20:21 GMT; Max-Age=15638400; path=/
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [7 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host pharealty.com left intact

It looks like it is working perfectly at first, then later reverts to HTTP/1.1.

As far as I can tell I've got a new enough version of OpenSSL. And although this page that I mentioned previously highly recommends a version of Apache higher than 2.4.25, I have been unable to update Apache to anything other than 2.4.25.

Do I need to set up a new SSL certificate after making the switch? Is the version of Apache what's causing the issues?

I've tested the site on several HTTP/2 test websites and it fails every time.

hyjinx
  • 3
  • 2
  • Please upgrade your server urgently, Stretch is OOS - did you enable it in general or only on a specific host? Default does not mean it's working for all in general. – djdomi Sep 09 '21 at 14:21
  • Additional update: verify your situation: https://www.howtoforge.com/how-to-enable-http-2-in-apache/ – djdomi Sep 09 '21 at 14:26
  • @djdomi yeah, I can't believe I haven't upgraded the OS. Managed to keep everything else up to date except that, jeez. I am upgrading to Debian 10 buster. Should I edit the configuration to use the asterisk instead? I can't remember how or why it currently is set to `_default_`. – hyjinx Sep 09 '21 at 17:59
  • I would first update, then upgrade, and also add the protocol header to the vhost – djdomi Sep 09 '21 at 18:16
  • @djdomi after upgrading to Debian 10 buster and following the steps in the link you provided I was able to get everything to work. I was trying to get it to work with Debian 10 and PHP 7.4 but I couldn't. Using PHP 7.3 did work because php7.3-fpm is available. But after rolling back to 7.3 from 7.4 I had to install all the PHP extensions again. The commands to disable PHP, enable PHP-FPM, disable mpm_prefork, and enable mpm_event are what made the difference in finding my solution. If you post your comment as an answer, I'll flag it as the answer and get you the points. – hyjinx Sep 10 '21 at 07:36
  • I did it, please update the question in case you still have an issue, and yes, you might have to install required modules for each version of PHP separately. You may want to see [my github site script](https://raw.githubusercontent.com/djdomi/php-install/master/run.sh) to install all common modules – djdomi Sep 10 '21 at 16:34

1 Answer

0

Upgrade to a Supported OS

You used Debian Stretch, whose main support is IMHO already EOL (End of Life).
The security patches remain available until 2022-06-30.

Change the Apache Handling Module

sudo a2dismod mpm_prefork
sudo a2enmod mpm_event

Enable SSL & http2 Module

sudo a2enmod ssl  
sudo a2enmod http2  

Enable HTTP/2 support globally or via vhost

Add to Apache2.conf:

Protocols h2 http/1.1

Or edit the vhost and add Protocols h2 http/1.1

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/public_html/example.com
  SSLEngine on
  SSLCertificateKeyFile /path/to/private.pem
  SSLCertificateFile /path/to/cert.pem
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  # add this here (Apache comments must be on their own line)
  Protocols h2 http/1.1
</VirtualHost>

Remember to reload the Apache server.

sudo systemctl restart apache2

To fetch all PHP versions, you might take a look at my bash script

https://raw.githubusercontent.com/djdomi/php-install/master/run.sh

Reference

Regarding this guide

djdomi
  • 1,377
  • 3
  • 10
  • 19
  • Yep. Updating Debian and then running through the steps again was the trick. I had been using PHP 7.4 but couldn't keep using it because there was no php7.4-fpm module to enable after disabling php7.4. So I reverted to PHP 7.3 and the switch to HTTP/2 was completed. The only thing that remained was to install all the PHP 7.3 extensions I was missing. All test sites are now testing positive for HTTP/2. And mobile page speed score jumped 12 points on Google Page Speed Insights after HTTP/2. Thanks for your help. I can't believe I didn't think to update the OS. – hyjinx Sep 10 '21 at 21:24
  • php7.4-fpm should be available after running my script, for sure, even I think php8 also – djdomi Sep 11 '21 at 10:40
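
A small triage helper for the symptom in this thread (curl offers h2, the server answers http/1.1), added here as an example and not part of the original question or answer. It parses the curl 7.52.1 output wording quoted in the question and an `apache2ctl -M` listing; the function names and the sample module list are assumptions.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post; function names are hypothetical.

# Protocol the server chose in ALPN, read from `curl -v` output in the
# curl 7.52.1 wording quoted in the question.
alpn_accepted() {
    sed -n 's/^\* ALPN, server accepted to use \(.*\)$/\1/p' "$1" | tr -d '\r' | head -n 1
}

# Value of the response's Upgrade header (empty when absent).
upgrade_offer() {
    sed -n 's/^< [Uu]pgrade: *\(.*\)$/\1/p' "$1" | tr -d '\r' | head -n 1
}

# Loaded MPM from `apache2ctl -M` output: "prefork", "event" or "worker".
loaded_mpm() {
    sed -n 's/^ *mpm_\([a-z]*\)_module.*/\1/p' "$1" | head -n 1
}

# One-line verdict from a curl log ($1) and a module list ($2).
h2_verdict() {
    alpn=$(alpn_accepted "$1"); up=$(upgrade_offer "$1"); mpm=$(loaded_mpm "$2")
    if [ "$alpn" = "h2" ]; then
        echo "ok: h2 negotiated"
    elif ! grep -q 'http2_module' "$2"; then
        echo "fail: http2_module not loaded (a2enmod http2)"
    elif [ "$mpm" = "prefork" ]; then
        echo "fail: ALPN=$alpn under prefork MPM; the answer switches to mpm_event"
    else
        echo "fail: ALPN=$alpn, Upgrade=${up:-none}, MPM=$mpm; check the vhost's Protocols line"
    fi
}

# Constructed sample inputs: curl lines copied from the question's log,
# module list made up to match the setup the thread describes.
samples=$(mktemp -d)
cat > "$samples/curl.log" <<'EOF'
* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use http/1.1
< HTTP/1.1 200 OK
< Upgrade: h2,h2c
EOF
cat > "$samples/mods.txt" <<'EOF'
 mpm_prefork_module (shared)
 http2_module (shared)
 ssl_module (shared)
EOF
h2_verdict "$samples/curl.log" "$samples/mods.txt"
```

On a live host, feed it `curl -vso /dev/null --http2 https://your-host/ 2> curl.log` and `apache2ctl -M > mods.txt` in place of the constructed files.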