Red Hat Training

A Red Hat training course is available for Red Hat JBoss Core Services

Chapter 5. Enabling HTTP/2 for the JBoss Core Services HTTP Server

The Hypertext Transfer Protocols are standard methods of transmitting data between applications (such as servers and browsers) over the internet. HTTP/2 improves on HTTP/1.1 by providing enhancements such as:

  • header compression - reducing the size of the header transmitted by omitting implied information, and
  • multiple requests and responses over a single connection - using binary framing to break down response messages, as opposed to textual framing.

Using HTTP/2 with the Red Hat JBoss Core Services Apache HTTP Server:

  • is supported for encrypted connections using Transport Layer Security (TLS) (SSLEnabled="true"), indicated by the h2 keyword when enabled.
  • is not supported for unencrypted connections using the Transmission Control Protocol (TCP) indicated by the h2c keyword when enabled.
Note

HTTP/2 is not available for web servers using the Multi-Processing Module prefork modules/mod_mpm_prefork.so

Prerequisites

  • Root user access (Red Hat Enterprise Linux and Solaris systems)
  • Administrative access (Windows Server)
  • Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or higher
  • Modules required:

    • ssl_module modules/mod_ssl.so
    • http2_module modules/mod_http2.so

Procedure

Enable HTTP/2 for a Apache HTTP Server:

  1. Add the http2_module to HTTP_HOME/conf.modules.d/00-base.conf:

    ...
    LoadModule http2_module modules/mod_http2.so
  2. Add the h2 protocol in HTTP_HOME/conf/httpd.conf.

    • To enable HTTP/2 support for a virtual host, add the h2 protocol to the virtual host configuration,
    • To enable HTTP/2 support for all server connections, add the h2 protocol to the 'Main' server configuration section of httpd.conf.

      For example:

      <IfModule http2_module>
          Protocols h2 http/1.1
          ProtocolsHonorOrder on
      </IfModule>
  3. Update the Secure Socket Layer (SSL) configuration in HTTP_HOME/conf.d/ssl.conf.

    1. Ensure the SSLEngine directive is set to enabled (the SSL Engine is enabled by default):

      SSLEngine on
    2. Update the SSLProtocol directive to disable the SSLv2 and SSLv3 protocols, forcing connections to use the Transport Layer Security (TLS) Protocols:

      SSLProtocol all -SSLv2 -SSLv3
    3. Update the SSLCipherSuite directive to specify which SSL ciphers can with the Apache HTTP Server.

      For example:

      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
      Note

      For information on the SSL module and the supported directives, see: Apache HTTP Server Documentation Version 2.4 - Modules: Apache Module mod_ssl.

  4. Restart the Red Hat JBoss Core Services Apache HTTP Server as the root user, to apply the changed configuration.

    1. For SysV (Red Hat Enterprise Linux 6) users:

      # service jbcs-httpd24-httpd restart
    2. For systemd (Red Hat Enterprise Linux 7) users:

      # systemctl restart jbcs-httpd24-httpd.service
    3. For Red Hat Enterprise Linux users running Red Hat JBoss Core Services using apachectl:

      # HTTP_HOME/sbin/apachectl restart
    4. For Solaris users:

      # HTTP_HOME/sbin/apachectl restart
    5. For Windows Server users:

      # net restart Apache2.4

Next Steps

Verify that HTTP/2 is enabled by reviewing the Apache HTTP Server logs or by using the curl command:

  • Access the server from a browser or using curl, then check the SSL/TLS access or request logs (HTTP_HOME/logs/ssl_access_log or HTTP_HOME/logs/ssl_access_log) to verify that the connection is configured to support HTTP/2:

    $ grep 'HTTP/2' HTTP_HOME/logs/ssl_request_log
    
    [26/Apr/2018:06:44:45 +0000] 172.17.0.1 TLSv1.2 AES128-SHA "HEAD /html-single/index.html HTTP/2" -
    
    $ grep 'HTTP/2' HTTP_HOME/logs/ssl_access_log
    
    172.17.0.1 - - [26/Apr/2018:06:44:45 +0000] "HEAD /html-single/index.html HTTP/2" 200 -
  • Or verify using curl (for versions of curl that support HTTP2):

    Note

    The curl package provided with Red Hat Enterprise Linux 7 or earlier does not support HTTP/2. To check curl for HTTP/2 support:

    $ curl -V
    
    curl 7.55.1 (x86_64-redhat-linux-gnu) ...
    Release-Date: 2017-08-14
    Protocols: dict file ftp ftps gopher http https ...
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL
    • For example, when the HTTP/2 protocol is inactive:

      $ curl -I http://<JBCS_httpd_server>:80/<test.html>
      
      HTTP/1.1 200
      ...
    • But if the HTTP/2 protocol is active, curl returns:

      $ curl -I https://<JBCS_httpd_server>:443/<test.html>
      
      HTTP/2 200
      ...
    • Where:

      • <JBCS_httpd_server> is the URI of the server (such as example.com),
      • the port number is dependent on your configuration,
      • <test.html> is any html page for testing the configuration (not provided), and

Additional Resources