Chapter 6. Enabling HTTP/2 for the JBCS Apache HTTP Server

The Hypertext Transfer Protocols (HTTP) are standard methods of transmitting data between applications, such as servers and browsers, over the internet. The Apache HTTP Server supports the use of HTTP/2 for encrypted connections that are using Transport Layer Security (TLS), which is indicated by the h2 keyword when enabled.

HTTP/2 improves on HTTP/1.1 by providing the following enhancements:

  • Header compression omits implied information to reduce the size of the header that is transmitted.
  • Multiple requests and responses over a single connection use binary framing rather than textual framing to break down response messages.

Note

The Apache HTTP Server does not support the use of HTTP/2 for unencrypted connections that are using the Transmission Control Protocol (TCP), which is indicated by the h2c keyword when enabled.

HTTP/2 is not available for web servers that are using the Multi-Processing Module (MPM) pre-fork (modules/mod_mpm_prefork.so).

6.1. Prerequisites

  • You have root user access on Red Hat Enterprise Linux.
  • You have administrative access on Windows Server.
  • You have installed Red Hat JBoss Core Services Apache HTTP Server 2.4.23 or later.
  • You have installed the SSL module (modules/mod_ssl.so).

    If you need to install the SSL module, enter the following command:

    yum install mod_ssl
  • You have installed the HTTP/2 module (modules/mod_http2.so).

    If you need to install the HTTP/2 module, enter the following command:

    yum install mod_http2

Note

Red Hat Enterprise Linux 6 is no longer supported and has subsequently been removed from the documentation.

6.2. Enabling HTTP/2 for the Apache HTTP Server

You can enable HTTP/2 for the Apache HTTP Server by updating configuration file settings in the HTTP_HOME directory.

Procedure

  1. To add the http2_module to the configuration:

    1. Open the HTTP_HOME/conf.modules.d/00-base.conf file.
    2. Enter the following line:

      ...
      LoadModule http2_module modules/mod_http2.so
  2. To add the h2 protocol to the configuration:

    1. Open the HTTP_HOME/conf/httpd.conf file.
    2. If you want to enable HTTP/2 support for a virtual host, add the h2 protocol to the virtual host configuration.

      Alternatively, if you want to enable HTTP/2 support for all server connections, add the h2 protocol to the main server configuration section.

      For example:

      <IfModule http2_module>
          Protocols h2 http/1.1
          ProtocolsHonorOrder on
      </IfModule>
  3. To update the Secure Socket Layer (SSL) configuration:

    1. Open the HTTP_HOME/conf.d/ssl.conf file.
    2. Ensure that the SSLEngine directive is set to on. The SSL engine is enabled by default.

      SSLEngine on
    3. Update the SSLProtocol directive to disable the SSLv2 and SSLv3 protocols. This forces connections to use the Transport Layer Security (TLS) protocols.

      SSLProtocol all -SSLv2 -SSLv3
    4. Update the SSLCipherSuite directive to specify which SSL ciphers can be used with the Apache HTTP Server.

      For example:

      SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

      Note

      For more information about the SSL module and the supported directives, see Apache HTTP Server Documentation Version 2.4 - Modules: Apache Module mod_ssl.

  4. To restart the Red Hat JBoss Core Services Apache HTTP Server, and apply the changed configuration, perform one of the following steps as the root user:

    • If you want to use systemd to start the Apache HTTP Server on Red Hat Enterprise Linux, enter the following command:

      # systemctl restart jbcs-httpd24-httpd.service
    • If you want to use apachectl to start Red Hat JBoss Core Services on Red Hat Enterprise Linux, enter the following command:

      # HTTP_HOME/sbin/apachectl restart
    • If you want to start the Apache HTTP Server on Windows Server, enter the following command:

      # net stop Apache2.4 && net start Apache2.4
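
The following script is an added example, not part of the original guide: it checks a configuration tree against the settings from this procedure (http2_module loaded, no prefork MPM, h2 but not h2c in Protocols, SSLEngine on, SSLv2 and SSLv3 disabled). The function names are hypothetical, and it assumes that all directives are in *.conf files under the directory you pass; it does not evaluate IfModule or VirtualHost scope.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit a configuration tree
# for the HTTP/2 settings described in this chapter.
# Usage: sh check_h2.sh HTTP_HOME   (the script name is hypothetical)

# Print the active directives: every *.conf file, comments and blanks removed.
active_lines() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
        sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Return 0 when the pattern matches an active directive (case-insensitive).
has() { printf '%s\n' "$H2_CONF" | grep -Eiq -- "$1"; }

# Print one FAIL line per problem; return 0 only when nothing was found.
check_h2_config() {
    H2_CONF=$(active_lines "$1")
    fail=0
    has '^LoadModule[[:space:]]+http2_module[[:space:]]' ||
        { echo "FAIL: http2_module is not loaded"; fail=1; }
    has '^LoadModule[[:space:]]+mpm_prefork_module[[:space:]]' &&
        { echo "FAIL: prefork MPM is loaded, so HTTP/2 is not available"; fail=1; }
    has '^Protocols[[:space:]](.*[[:space:]])?h2([[:space:]]|$)' ||
        { echo "FAIL: no Protocols directive lists h2"; fail=1; }
    has '^Protocols[[:space:]](.*[[:space:]])?h2c([[:space:]]|$)' &&
        { echo "FAIL: h2c (cleartext HTTP/2) is listed but not supported"; fail=1; }
    has '^SSLEngine[[:space:]]+on([[:space:]]|$)' ||
        { echo "FAIL: SSLEngine is not on"; fail=1; }
    has '^SSLProtocol[[:space:]]' ||
        { echo "FAIL: SSLProtocol is not set"; fail=1; }
    # No SSLProtocol line may enable SSLv2/SSLv3, and "all" must subtract SSLv3.
    has '^SSLProtocol[[:space:]](.*[[:space:]])?\+?SSLv[23]([[:space:]]|$)' &&
        { echo "FAIL: SSLProtocol enables SSLv2 or SSLv3"; fail=1; }
    printf '%s\n' "$H2_CONF" |
        grep -Ei '^SSLProtocol[[:space:]](.*[[:space:]])?\+?all([[:space:]]|$)' |
        grep -viq -- '-SSLv3' &&
        { echo "FAIL: SSLProtocol all without -SSLv3"; fail=1; }
    return "$fail"
}

if [ "$#" -gt 0 ]; then check_h2_config "$1"; fi
```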

6.3. Viewing Apache HTTP Server logs to verify that HTTP/2 is enabled

You can view the Apache HTTP Server access log or request log to verify that HTTP/2 is enabled.

Procedure

  1. Access the server from a browser or by using the curl command-line tool.
  2. To check the SSL/TLS request log, enter the following command:

    $ grep 'HTTP/2'  HTTP_HOME/logs/ssl_request_log
  3. To check the SSL/TLS access log, enter the following command:

    $ grep 'HTTP/2'  HTTP_HOME/logs/ssl_access_log

Verification

  1. If HTTP/2 is enabled, the grep 'HTTP/2' HTTP_HOME/logs/ssl_request_log command produces the following type of output:

    [26/Apr/2018:06:44:45 +0000] 172.17.0.1 TLSv1.2 AES128-SHA "HEAD /html-single/index.html HTTP/2" -
  2. If HTTP/2 is enabled, the grep 'HTTP/2' HTTP_HOME/logs/ssl_access_log command produces the following type of output:

    172.17.0.1 - - [26/Apr/2018:06:44:45 +0000] "HEAD /html-single/index.html HTTP/2" 200 -
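
Beyond confirming that HTTP/2 appears in the log, the ssl_request_log fields also show which TLS protocol and cipher each HTTP/2 request negotiated. The following script is an added example, not part of the original guide; the function names and all sample lines except the first are constructed, and the cipher check is a name-based heuristic (GCM, CCM, or CHACHA20 in the cipher name marks an AEAD cipher).

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Summarise ssl_request_log lines in the format shown above:
#   [time zone] client TLS-protocol cipher "request line" bytes
# and flag HTTP/2 requests that used a pre-TLSv1.2 protocol or a non-AEAD cipher.

# Constructed sample input (the first line is the one shown on this page).
sample_log() {
    cat <<'EOF'
[26/Apr/2018:06:44:45 +0000] 172.17.0.1 TLSv1.2 AES128-SHA "HEAD /html-single/index.html HTTP/2" -
[26/Apr/2018:06:44:46 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /index.html HTTP/2" 512
[26/Apr/2018:06:44:47 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /style.css HTTP/2" 204
[26/Apr/2018:06:44:48 +0000] 192.0.2.11 TLSv1 ECDHE-RSA-AES128-SHA "GET /index.html HTTP/1.1" 512
EOF
}

# Read log lines from the named files (or stdin) and print
# "<count> <http-version> <tls-protocol> <cipher>[  WARN: reason]".
h2_tls_report() {
    awk '
    {
        # The request protocol is the token that closes the quoted request line.
        ver = ""
        for (i = 6; i <= NF; i++)
            if ($i ~ /^HTTP\/[0-9.]+"$/) { ver = $i; sub(/"$/, "", ver) }
        if (ver == "") next          # skip lines without a parsable request
        key = ver " " $4 " " $5
        count[key]++
        if (ver ~ /^HTTP\/2/) {
            if ($4 !~ /^TLSv1\.[23]$/)
                weak[key] = "protocol older than TLSv1.2"
            else if ($5 !~ /GCM|CCM|CHACHA20/)
                weak[key] = "cipher is not AEAD"
        }
    }
    END {
        for (k in count) {
            note = (k in weak) ? "  WARN: " weak[k] : ""
            printf "%d %s%s\n", count[k], k, note
        }
    }' "$@" | sort -k2
}

sample_log | h2_tls_report
```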

6.4. Using the curl command to verify that HTTP/2 is enabled

You can use the curl command-line tool to verify that HTTP/2 is enabled.

Note

The curl package that is provided with Red Hat Enterprise Linux 7 or earlier does not support HTTP/2.

Prerequisites

  • You have enabled HTTP/2.
  • You are using a version of curl that supports HTTP/2.

    To check that you are using a version of curl that supports HTTP/2, enter the following command:

    $ curl -V

    This command produces the following type of output:

    curl 7.55.1 (x86_64-redhat-linux-gnu) ...
    Release-Date: 2017-08-14
    Protocols: dict file ftp ftps gopher http https ...
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL

Procedure

  1. To check that the HTTP/2 protocol is active, enter the following command:

    $ curl -I https://<JBCS_httpd_server>:<port>/<test.html>

    Note

    In the preceding example, replace <JBCS_httpd_server> with the URI of the server, such as example.com, and replace <test.html> with any HTML file that you want to use to test the configuration. An example HTML test page is not provided. The port number is dependent on your configuration.

Verification

  • If the HTTP/2 protocol is active, the curl command produces the following output:

    HTTP/2 200

    Otherwise, if the HTTP/2 protocol is inactive, the curl command produces the following output:

    HTTP/1.1 200
