Chapter 7. Enabling HTTP/2 for the Red Hat JBoss Web Server

The Hypertext Transfer Protocols are standard methods of transmitting data between applications (such as servers and browsers) over the internet. HTTP/2 improves on HTTP/1.1 by providing enhancements such as:

  • header compression - reducing the size of the header transmitted by omitting implied information, and
  • multiple requests and responses over a single connection - using binary framing to break down response messages, as opposed to textual framing.

Using HTTP/2 with the Red Hat JBoss Web Server:

  • is supported for encrypted connections over TLS (h2).
  • is not supported for unencrypted connections over TCP (h2c).

Prerequisites

  • Root user access (Red Hat Enterprise Linux and Solaris systems), or
  • Administrative access (Windows Server).
  • Red Hat JBoss Web Server 5.0 or higher

  • The following operating system native libraries (provided by jws-application-server-5.0.0-<platform>-<architecture>.zip where available).

    • Tomcat Native, for example: 

      jws-5.0/tomcat/lib/libtcnative-1.so

    • Apache Portable Runtime (APR): 

      jws-5.0/tomcat/lib/libapr-1.so.0.6.3

      Where the APR libraries are provided by jws-application-server-5.0.0-<platform>-<architecture>.zip for Red Hat Enterprise Linux, the libraries will be a symbolic link to: 

      jws-5.0/jbcs-apr-1.6.3/lib64/libapr-1.so.0.6.3

    • OpenSSL, for example: 

      jws-5.0/tomcat/lib/libcrypto.so.1.0.2n
jws-5.0/tomcat/lib/libssl.so.1.0.2n

      Where the OpenSSL libraries are provided by jws-application-server-5.0.0-<platform>-<architecture>.zip for Red Hat Enterprise Linux, the libraries will be symbolic links to: 

      jws-5.0/jbcs-openssl-1.0.2n/openssl/lib64/libcrypto.so.1.0.2n
jws-5.0/jbcs-openssl-1.0.2n/openssl/lib64/libssl.so.1.0.2n

  • A connector that supports the HTTP/2 protocol with SSL enabled. For JBoss Web Server 5.0, the connectors with HTTP/2 protocol support are:

    • The APR Native connector (APR)
    • The NIO connector with JSSE + OpenSSL (JSSE)
    • The NIO2 connector with JSSE + OpenSSL (JSSE)

Procedure

Enable HTTP/2 for a connector:

  1. Add the HTTP/2 upgrade protocol (<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />) to the connector in the server configuration JWS_HOME/tomcat/conf/server.xml.

    For example: 

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/KeyStore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

    server.xml contains an example connector definition for the APR protocol with the upgrade protocol to HTTP/2: 

    <Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

  2. Restart the Red Hat JBoss Web Server as the root user, to apply the changed configuration.

    1. For SysV (Red Hat Enterprise Linux 6) users: 

      # service jws5-tomcat restart

    2. For systemd (Red Hat Enterprise Linux 7) users: 

      # systemctl restart jws5-tomcat.service

    3. For Red Hat Enterprise Linux users running Red Hat JBoss Web Server using startup.sh: 

      # JWS_HOME/sbin/shudown.sh
# JWS_HOME/sbin/startup.sh

    4. For Solaris users: 

      # sh JWS_HOME/tomcat/bin/daemon.sh stop
# sh JWS_HOME/tomcat/bin/daemon.sh start

    5. For Windows Server users: 

      # net restart tomcat9

Next Steps

Verify that HTTP/2 is enabled by reviewing the Red Hat JBoss Web Server logs or by using the curl command:

  • Check the console output log (JWS_HOME/tomcat/logs/catalina.out) to verify that the "connector has been configured to support negotiation to [h2]": 

    $ cat JWS_HOME/tomcat/logs/catalina.out | grep 'h2'

06-Apr-2018 04:49:26.201 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8443"] connector has been configured to support negotiation to [h2] via ALPN

  • Or verify using curl (for versions of curl that support HTTP2):

    Note

    To check curl for HTTP/2 support: 

    $ curl -V

curl 7.55.1 (x86_64-redhat-linux-gnu) ...
Release-Date: 2017-08-14
Protocols: dict file ftp ftps gopher http https ...
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL

    • For example, when the HTTP/2 protocol is inactive: 

      $ curl -I http://<JBoss_Web_Server>:8080/

HTTP/1.1 200
...

    • But if the HTTP/2 protocol is active, curl returns: 

      $ curl -I https://<JBoss_Web_Server>:8443/

HTTP/2 200
...

      Where <JBoss_Web_Server> is the URI of the modified connector (such as example.com), and the port number is dependent on your configuration.

Additional Resources