2

Running Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips on CentOS 7, PHP 7.2.14, I have installed and enabled http/2 following the guide at https://www.tunetheweb.com/performance/http2/. No errors are reported and the module is loaded but pages remain served over http/1.1.

This is not due to using the prefork mpm (event is used).

This is not a browser cache issue (Chrome dev tools is open and cache disabled; I have also used https://tools.keycdn.com/http2-test).

Server has been restarted multiple times.

The conf files include the following directive multiple times, in the main body and in VirtualHost sections:

```
Protocols h2 http/1.1
```

SSL Protocol directive is:

```
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
```

Error log output (set to debug level):

```
[Sun Feb 03 08:14:28.563204 2019] [ssl:warn] [pid 15944:tid 140617433143168] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Feb 03 08:14:28.563263 2019] [http2:info] [pid 15944:tid 140617433143168] AH03090: mod_http2 (v1.11.4, feats=CHPRIO+SHA256+INVHD+DWINS, nghttp2 1.36.0), initializing...
[Sun Feb 03 08:14:28.567088 2019] [mpm_event:notice] [pid 15944:tid 140617433143168] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations
```

Output of httpd -V:

```
Server version: Apache/2.4.38 (Unix)
Server built:   Jan 31 2019 09:55:17
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
```

Output of apachectl -M:

```
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 xsendfile_module (shared)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 http2_module (shared)
 lua_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_scgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 cgid_module (shared)
```

Screenshot of extract from phpinfo():


Would appreciate any further ideas.

Pete Coward
  • Exactly how are you testing HTTP/2 support? – Michael Hampton Feb 03 '19 at 14:50
  • I am testing using Chrome Dev tools, Network panel, and also the test tool at https://tools.keycdn.com/http2-test – Pete Coward Feb 04 '19 at 09:27
  • Setup looks fine to me. What does the tools.keycdn.com output say? – Barry Pollard Feb 04 '19 at 16:41
  • Also can you give your `SSLCipherSuite` setting and a screenshot of the Security tab in Chrome Developer tools? – Barry Pollard Feb 04 '19 at 16:46
  • screenshot of the Security tab in Chrome Developer tools: https://drive.google.com/file/d/1HBz128Wn5ZNbUjBGfdIQuCL41YcmgdYh/view?usp=sharing – Pete Coward Feb 05 '19 at 07:51
  • tools.keycdn.com output: https://drive.google.com/file/d/1qpWR0Z-qAsqYFv4ZhlRuXm-RdF3XfMe5/view?usp=sharing – Pete Coward Feb 05 '19 at 07:54
  • SSLCipherSuite setting: SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 – Pete Coward Feb 05 '19 at 07:56
  • `openssl version`: OpenSSL 1.0.2k-fips 26 Jan 2017 – Pete Coward Feb 05 '19 at 07:57

2 Answers

1

Everything seems to be set up fine on the Apache side, and I can see you are returning the Upgrade suggestion in your HTTP headers. I can only suggest you have something else in front of Apache (like a load balancer?) which is doing SSL termination without ALPN and so preventing HTTP/2.

The easiest way to test this would be to run the following from your server:

```
openssl s_client -alpn h2 -connect 127.0.0.1:443 -status
```

And see if ALPN is supported when connecting to localhost.

If so, try it again with your domain and see if ALPN is not supported when connecting to your domain, which would suggest that a load balancer or the like is sitting in front of your instance of Apache, terminating SSL, and that it does not support ALPN.

Barry Pollard
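
The local-versus-domain ALPN comparison from the answer above, as an added example that is not part of the original post. The function names, verdict strings and sample excerpts are constructed for illustration, and `-servername` is added to the answer's command so both probes reach the same virtual host.

```sh
#!/bin/sh
# Added example: interpret `openssl s_client -alpn h2` output from two vantage points.

# Constructed s_client excerpts (not captured from the poster's server).
SAMPLE_H2='CONNECTED(00000003)
---
ALPN protocol: h2
---'
SAMPLE_NONE='CONNECTED(00000003)
---
No ALPN negotiated
---'

# Read s_client output on stdin; print the negotiated protocol or "none".
alpn_result() {
  awk '/^ALPN protocol: / { print $3; found = 1; exit }
       END { if (!found) print "none" }'
}

# usage: probe_alpn <connect-host> <port> <sni-name>
# stdin from /dev/null makes s_client exit once the handshake is done.
probe_alpn() {
  openssl s_client -alpn h2 -connect "$1:$2" -servername "$3" \
    </dev/null 2>/dev/null | alpn_result
}

# usage: diagnose <local-result> <public-result>
diagnose() {
  case "$1:$2" in
    h2:h2)  echo "ok" ;;                   # h2 negotiated on both paths
    h2:*)   echo "front-end-terminator" ;; # TLS ends before Apache, without ALPN
    none:*) echo "apache-no-alpn" ;;       # Apache's own TLS stack gave no ALPN reply
    *)      echo "apache-protocols" ;;     # ALPN answered, h2 not chosen: check Protocols
  esac
}

# Live use, run on the server itself: sh alpn-check.sh --live www.example.com
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  local_r=$(probe_alpn 127.0.0.1 443 "$2")
  public_r=$(probe_alpn "$2" 443 "$2")
  echo "local=$local_r public=$public_r verdict=$(diagnose "$local_r" "$public_r")"
fi
```

A connection that fails outright also reads as `none`, so confirm the port is reachable before trusting an `apache-no-alpn` verdict.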
1

Thanks to Barry Pollard for putting me on the right track; it was an ALPN issue. We have no load balancer, but SSL needs to be compiled into Apache as a static library, not a shared module, to support ALPN. Having recompiled Apache, I now have http/2.

Pete Coward