7

I wanted to use HTTP2 with Apache 2.4.16 (probably need to upgrade to 2.4.17) and stumbled across this comment on the official Apache Page.

Warning

This module is experimental. Its behaviors, directives, and defaults are subject to more change from release to release relative to other standard modules. Users are encouraged to consult the "CHANGES" file for potential updates.

On the other hand, many others are making tutorials on how to enable it. So is it safe to use it or should we wait?

Also, can we use HTTP2 in combination with Reverse Proxy?

Tim
David Garus
  • As of Apache 2.4.26 mod_http2 is no longer experimental. Updated my answer below to reflect this. – Barry Pollard Jun 21 '17 at 10:30
  • See also here for a more up to date information on a related question: https://stackoverflow.com/questions/48974616/what-is-better-with-http-2-apache-vs-nginx – Barry Pollard Jul 12 '18 at 21:41

1 Answer

8

Update: As of Apache 2.4.26, mod_http2 is no longer considered experimental. Answer below has been updated to reflect this.

Also note that mod_proxy_http2 is still considered experimental.

The Experimental Tag is added when functionality is first added and, as the text explains, warns that the implementation, options and APIs may be subject to change. Therefore, if using an Experimental feature, you should carefully read the Changes file when you install any subsequent updates to ensure that you are made aware of any changes you will need to make.

The Experimental tag does not mean that the implementation is unstable. Unstable options will not generally be added directly to the main Apache source tree and instead will be handled as separate installable modules.

Saying that, to use HTTP/2 you will need to upgrade to 2.4.17 at least but really should upgrade to latest (2.4.26 at time of writing) as this module is changing quite a bit, has had a number of bug and performance improvements since launch and has even addressed a number of CVEs (including: 2016-1546, 2016-8740 and 2017-7659). That's not to say it's particularly buggy or dangerous, and there are plenty of other CVEs in Apache (and pretty much all other software) but it means you really should run the latest version.

You will also need to compile against OpenSSL 1.0.2 to work with Chrome and Firefox (as they only allow the newer ALPN protocol and not the older NPN protocol to negotiate the HTTP/2 connection), which may be an extra pain as most package managers don't include this yet. As of 2.4.26 Apache also supports OpenSSL 1.1.

Running newer versions, and compiling from source, rather than from package managers (e.g. yum or APT) does entail some extra effort and discipline (as they will not be as easily installed or patched) which is beyond the scope of your question but is not something to be entered into lightly. This is all assuming you're on Linux. If you're on Windows then you're probably already downloading and installing separately.

Finally to the real crux of your question. In the Apache 2.4.26 release the experimental warning was dropped for the main mod_http2 module, though it's still in place for the newer mod_proxy_http2 module. I've personally been running HTTP/2 on my personal blog site since 2.4.17 and have never had any real problems with it. It seems stable enough to me. Then again I don't get high volumes of traffic and it's not a big deal for me if it goes down. Would I run it against a real production site? Probably not until that experimental warning was removed (2.4.26). Then again, the only way that happens is if people try it out. HTTP/2 is also easy enough to switch off if it does cause problems. Basically it totally depends on your risk appetite. You can read (and subscribe) to the list of known issues at GitHub (https://github.com/icing/mod_h2/issues) and the module author is very responsive and helpful.

Not sure what you are asking about the reverse proxy functionality. Since 2.4.21 Apache introduced mod_proxy_http2 that handles HTTP/2 backends, but I would say that's even less used and tested (still marked experimental). It's also not that useful: the main benefits of HTTP/2 are over high latency networks (i.e. client-to-frontend) rather than over the low latency frontend-to-backend connections. So for now I'd have HTTP/2 on Apache but keep the reverse proxy connection to any backend infrastructure to HTTP/1. And yes this works absolutely fine, if that's what you were asking, though answers to this question claim there may be benefits to speaking HTTP/2 all the way through.

Barry Pollard
  • Last paragraph seems wrong. The `mod_proxy_http2` doesn't support HTTP/1.1 backends. The `mod_proxy_http2` is a reverse proxy (aka frontend) for HTTP/2 browsers. The HTTP/1.1 browsers are supported but their requests are translated to HTTP/2 backend. – kubanczyk Jun 21 '17 at 08:48
  • I'm saying you might not need to use mod_proxy_http2. If you are using Apache as your main entry point to your system and proxying some (or all) requests from Apache to a backend application server, then the biggest benefit for HTTP/2 will be from Browser->Apache (mod_http2) rather than from Apache->App Server (mod_proxy_http2). So for now I'd use mod_http2 to give you HTTP/2 for browsers but stick with mod_proxy_http (HTTP/1.1) for your backend proxied connections from Apache. Understand? – Barry Pollard Jun 21 '17 at 10:12
  • @BarryPollard One reason to enable HTTP/2 between Apache and the app server is to allow the app server to send HTTP/2 `server push` responses to the client. – imgx64 Apr 22 '19 at 11:38
  • Nope @imgx64. Mod_proxy_http2 doesn’t support that (https://github.com/icing/mod_h2/issues/154) and for good reasons - it gets complicated. Much better handled with link headers and possibly 103 responses. – Barry Pollard Apr 22 '19 at 12:33
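A pre-flight check for the setup the answer recommends (HTTP/2 to browsers, HTTP/1.1 to the backend), added here as an example and not code from the answer or from the Apache project. It reads the banners printed by `httpd -v` and `openssl version` plus a vhost snippet and reports which of the answer's version thresholds are missed; the finding codes, the sample config and the backend address are constructed for illustration, and the `h2://`/`h2c://` schemes are the ones mod_proxy_http2 uses for its backends.

```python
import re

# Thresholds as stated in the answer above (current as of its writing).
HTTP2_MIN = (2, 4, 17)        # first httpd release that can run mod_http2
PROXY_HTTP2_MIN = (2, 4, 21)  # mod_proxy_http2 introduced, still experimental
HTTP2_STABLE = (2, 4, 26)     # experimental tag dropped from mod_http2
ALPN_MIN = (1, 0, 2)          # OpenSSL with ALPN, needed by Chrome and Firefox

# Constructed sample vhost: HTTP/2 to browsers, HTTP/1.1 to the backend.
SAMPLE_CONF = """\
# constructed example, not a real site
Protocols h2 http/1.1
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""

def version(banner, product):
    """Pull (major, minor, patch) out of 'Apache/2.4.16' or 'OpenSSL 1.0.1e'."""
    m = re.search(re.escape(product) + r"[/ ](\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no %s version in %r" % (product, banner))
    return tuple(int(g) for g in m.groups())

def audit(httpd_banner, openssl_banner, conf_text):
    """Return sorted finding codes (hypothetical names) for an HTTP/2 rollout."""
    httpd = version(httpd_banner, "Apache")
    ossl = version(openssl_banner, "OpenSSL")
    protocols, backends, findings = [], [], set()
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "protocols":
            protocols += [w.lower() for w in words[1:]]
        elif words[0].lower() == "proxypass" and len(words) >= 3:
            backends.append(words[2].lower())  # 'ProxyPass <path> <url>' form only
    if "h2" in protocols:
        if httpd < HTTP2_MIN:
            findings.add("httpd-too-old-for-h2")
        elif httpd < HTTP2_STABLE:
            findings.add("mod_http2-experimental")  # read CHANGES on every update
        if ossl < ALPN_MIN:
            findings.add("openssl-lacks-alpn")
    if any(b.startswith(("h2://", "h2c://")) for b in backends):
        findings.add("mod_proxy_http2-experimental")
        if httpd < PROXY_HTTP2_MIN:
            findings.add("httpd-too-old-for-proxy-h2")
    return sorted(findings)
```

An empty list means the config and versions match what the answer describes as the low-risk combination; it does not tell you whether the installed release is the latest patched one.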