Chapter 5. Enabling HTTP/2 for the JBoss Core Services HTTP Server

The Hypertext Transfer Protocols are standard methods of transmitting data between applications (such as servers and browsers) over the internet. HTTP/2 improves on HTTP/1.1 by providing enhancements such as:

  • header compression - reducing the size of the header transmitted by omitting implied information, and
  • multiple requests and responses over a single connection - using binary framing to break down response messages, as opposed to textual framing.

Using HTTP/2 with the Red Hat JBoss Core Services Apache HTTP Server:

  • is supported for encrypted connections using Transport Layer Security (TLS) (SSLEnabled="true"), indicated by the h2 keyword when enabled.
  • is not supported for unencrypted connections using the Transmission Control Protocol (TCP) indicated by the h2c keyword when enabled.
Note

HTTP/2 is not available for web servers using the Multi-Processing Module prefork modules/mod_mpm_prefork.so

Prerequisites

  • Root user access (Red Hat Enterprise Linux and Solaris systems)
  • Administrative access (Windows Server)
  • Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or higher

  • Modules required:

    • ssl_module modules/mod_ssl.so
    • http2_module modules/mod_http2.so

Procedure

Enable HTTP/2 for a Apache HTTP Server:

  1. Add the http2_module to HTTP_HOME/conf.modules.d/00-base.conf: 

    ...
LoadModule http2_module modules/mod_http2.so

  2. Add the h2 protocol in HTTP_HOME/conf/httpd.conf.

    • To enable HTTP/2 support for a virtual host, add the h2 protocol to the virtual host configuration,

    • To enable HTTP/2 support for all server connections, add the h2 protocol to the 'Main' server configuration section of httpd.conf.

      For example: 

      <IfModule http2_module>
    Protocols h2 http/1.1
    ProtocolsHonorOrder on
</IfModule>

  3. Update the Secure Socket Layer (SSL) configuration in HTTP_HOME/conf.d/ssl.conf.

    1. Ensure the SSLEngine directive is set to enabled (the SSL Engine is enabled by default): 

      SSLEngine on

    2. Update the SSLProtocol directive to disable the SSLv2 and SSLv3 protocols, forcing connections to use the Transport Layer Security (TLS) Protocols: 

      SSLProtocol all -SSLv2 -SSLv3

    3. Update the SSLCipherSuite directive to specify which SSL ciphers can with the Apache HTTP Server.

      For example: 

      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
      Note

      For information on the SSL module and the supported directives, see: Apache HTTP Server Documentation Version 2.4 - Modules: Apache Module mod_ssl.

  4. Restart the Red Hat JBoss Core Services Apache HTTP Server as the root user, to apply the changed configuration.

    1. For SysV (Red Hat Enterprise Linux 6) users: 

      # service jbcs-httpd24-httpd restart

    2. For systemd (Red Hat Enterprise Linux 7) users: 

      # systemctl restart jbcs-httpd24-httpd.service

    3. For Red Hat Enterprise Linux users running Red Hat JBoss Core Services using apachectl: 

      # HTTP_HOME/sbin/apachectl restart

    4. For Solaris users: 

      # HTTP_HOME/sbin/apachectl restart

    5. For Windows Server users: 

      # net restart Apache2.4

Next Steps

Verify that HTTP/2 is enabled by reviewing the Apache HTTP Server logs or by using the curl command:

  • Access the server from a browser or using curl, then check the SSL/TLS access or request logs (HTTP_HOME/logs/ssl_access_log or HTTP_HOME/logs/ssl_access_log) to verify that the connection is configured to support HTTP/2: 

    $ grep 'HTTP/2' HTTP_HOME/logs/ssl_request_log

[26/Apr/2018:06:44:45 +0000] 172.17.0.1 TLSv1.2 AES128-SHA "HEAD /html-single/index.html HTTP/2" -

$ grep 'HTTP/2' HTTP_HOME/logs/ssl_access_log

172.17.0.1 - - [26/Apr/2018:06:44:45 +0000] "HEAD /html-single/index.html HTTP/2" 200 -

  • Or verify using curl (for versions of curl that support HTTP2):

    Note

    The curl package provided with Red Hat Enterprise Linux 7 or earlier does not support HTTP/2. To check curl for HTTP/2 support: 

    $ curl -V

curl 7.55.1 (x86_64-redhat-linux-gnu) ...
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https ...
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL

    • For example, when the HTTP/2 protocol is inactive: 

      $ curl -I http://<JBCS_httpd_server>:80/<test.html>

HTTP/1.1 200
...

    • But if the HTTP/2 protocol is active, curl returns: 

      $ curl -I https://<JBCS_httpd_server>:443/<test.html>

HTTP/2 200
...

    • Where:

      • <JBCS_httpd_server> is the URI of the server (such as example.com),
      • the port number is dependent on your configuration,
      • <test.html> is any html page for testing the configuration (not provided), and

Additional Resources