HTTP/2 - Getting ready on Debian with Apache2

HTTP/2 is the newest version of the HTTP protocol and has a lot of improvements including binary headers. I'm currently thrilled by "state of the art"-web-applications, but still running an apache2 web server. Most people agree that nginx is more "state of the art" than apache2 and may be right. But.

The point is: As my server is running debian stable I can't enable HTTP/2 because in debian jessie the apache2 version is 2.4.10. But HTTP/2 was added in version 2.4.17. Argh.

Now you have three choices:

  1. Compile apache2 yourself, which is really annoying, and keep it up to date. - Much work, less effort. Nothing for me.
  2. Install apache2 and openssl from an "untrusted" repository like in this tutorial. - An untrusted repository? Nothing for me!
  3. Do it like me and install the apache2 package from debian testing

Preparation

First of all, check that your apache2 config is correct for 2.4.10:

sudo apachectl -t  

So if your config is correct you can continue with adding testing to your sources.list and updating your package list.

sudo su -c 'echo "deb http://http.debian.net/debian testing main" > /etc/apt/sources.list.d/testing.list'  
sudo apt-get update  

DON'T RUN apt-get upgrade NOW!

Check the priority of the testing repository:

apt-cache policy apache2  

This should result in something like this:

apache2:  
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.18-2
  Version table:
     2.4.18-2 0
        500 http://http.debian.net/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://security.debian.org/ stable/updates/main amd64 Packages

The important information is the number at the beginning of each repository line, in this case the 500 in 500 http://security.debian.org/ jessie/updates/main amd64 Packages. This is the repository priority. APT installs the version offered with the highest priority; when priorities are equal, as they are here, the newest version wins, which is why 2.4.18-2 is the candidate. Because you don't want to upgrade your whole server to testing, you should lower the priority of the testing repository below 500.

This is done by adding a preference for the repository:

sudo bash -c 'cat >/etc/apt/preferences.d/testing' <<EOF  
Package: *  
Pin: release a=testing  
Pin-Priority: 300  
EOF  

Now recheck the priority:

apt-cache policy apache2  

The candidate for apache2 should now be the same as the installed version:

apache2:  
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.10-10+deb8u4
  Version table:
     2.4.18-2 0
        300 http://http.debian.net/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://security.debian.org/ stable/updates/main amd64 Packages

Now your other packages should stay on stable. You can check that by using the command again for another package.
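The same check can be scripted instead of eyeballed. This is an added example, not part of the original post: it parses `apt-cache policy` output and tells you whether a package's candidate comes only from testing. The function names are hypothetical and the sample text is constructed, modelled on the output shown above.

```shell
# Added example. Reads `apt-cache policy PKG` output on stdin and prints the
# candidate version followed by the suites that offer that version.
candidate_suites() {
  awk '
    $1 == "Candidate:" { cand = $2 ""; next }
    $1 == "Version"    { table = 1; next }
    !table             { next }
    # source line: <priority> <url-or-path> [<suite>/<component> ...]
    $1 ~ /^[0-9]+$/ && $2 ~ /^(\/|[a-z]+:\/\/)/ {
      if (ver == cand && NF >= 3) { split($3, s, "/"); suites = suites " " s[1] }
      next
    }
    # version header: [***] <version> <pin>
    { ver = (($1 == "***") ? $2 : $1) "" }
    END { print cand suites }
  '
}

# Succeeds only if the candidate is offered by testing and by no other suite.
candidate_only_in_testing() {
  set -- $(candidate_suites)
  [ $# -ge 2 ] || return 1          # need a version and at least one suite
  shift                             # drop the version, keep the suites
  for s in "$@"; do [ "$s" = testing ] || return 1; done
}

# Constructed sample, modelled on the unpinned output above.
sample_unpinned() { cat <<'EOF'
apache2:
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.18-2
  Version table:
     2.4.18-2 0
        500 http://http.debian.net/debian/ testing/main amd64 Packages
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
# The same sample after pinning: testing drops to 300, candidate stays on jessie.
sample_pinned() {
  sample_unpinned | sed -e 's/500\(.*testing\)/300\1/' \
                        -e 's/Candidate: .*/Candidate: 2.4.10-10+deb8u4/'
}

# On a real system: name every installed package whose candidate is testing-only.
audit_installed() {
  dpkg-query -W -f '${Package}\n' | while read -r p; do
    LC_ALL=C apt-cache policy "$p" | candidate_only_in_testing && echo "$p"
  done
}
```

With the pin in place, `audit_installed` is expected to print nothing on a pure jessie system; after the install step below it names the packages that now track testing.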

Install apache2 with HTTP/2

After adding the testing repository in a secure way, it is time to update apache2. To install the newer apache2 version, use the following command:

sudo apt-get install -y -t testing apache2  

Now apache2 from the testing repository is installed, in other words version 2.4.18, which supports HTTP/2.

Configure Apache to use HTTP/2

With the new apache2 version installed you need to enable HTTP/2.

sudo a2enmod http2  
sudo apachectl -t && sudo systemctl restart apache2  

Now the HTTP2 module is loaded but you still won't be able to connect using HTTP/2.

If you want to enable HTTP/2 only for 'some' virtual hosts you can use the same options in the <VirtualHost>-tag. The following shows how to enable it globally.

sudo bash -c 'cat >/etc/apache2/conf-available/http2.conf' <<EOF  
Protocols h2 h2c http/1.1

H2Push          on  
H2PushPriority  *                       after  
H2PushPriority  text/css                before  
H2PushPriority  image/jpeg              after   32  
H2PushPriority  image/png               after   32  
H2PushPriority  application/javascript  interleaved

SSLProtocol all -SSLv2 -SSLv3  
SSLHonorCipherOrder on  
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'

EOF

sudo a2enconf http2 && sudo apachectl -t && sudo systemctl reload apache2  

This creates the /etc/apache2/conf-available/http2.conf file. The important part is the Protocols option, which enables HTTP/2 in general. The SSLCipherSuite also matters for HTTP/2, because HTTP/2 requires TLS 1.2 in some browsers.

H2Push is really useful for improving the load speed of your pages.

Now you can add Link headers to your HTTP responses to push content to your clients.

Now all your webpages should be HTTP/2 ready.

Check it with your web browser using the developer tools.

Known issues

If you check your server with SPDY-Check or HTTP2-Check you'll still get the message:

HTTP/2 not supported  

That's not completely true. The problem is that those tests only check the first request, and all servers which don't support NPN or ALPN will automatically fall back to HTTP/1.1. But the server will add an upgrade header option so that every further connection uses HTTP/2.

I'm still searching for a solution to fix that protocol advertisement issue.

A correct check can be found at https://tools.keycdn.com/http2-test

Conclusion

Enabling HTTP/2 on Debian stable using apache2 isn't as simple as it should be.

By using the Debian testing package, however, it is possible in a secure and trusted way without much effort.

Hopefully this will help you bring your web servers to HTTP/2. And don't forget to use HTTPS wherever you are!
