Apache - http/2 enabled but still feeding http/1.1 on requests

Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips on CentOS 7, PHP 7.4.33. I have installed and enabled http/2 following the guide at "How to enable http/2 from a Centos Package/yum?". No errors are reported and the module is loaded, but pages remain served over http/1.1.

I have moved from prefork mpm to event, so this is not the issue.

This is not a browser cache issue.

Apache has been restarted multiple times.

The conf files include:

Protocols h2 http/1.1

SSL Protocol directive is:

SSLProtocol all -SSLv2 -SSLv3

Output of httpd -V:

Server version: Apache/2.4.34 (Red Hat)
Server built:   Oct 11 2022 12:56:44
Server's Module Magic Number: 20120211:79
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/rh/httpd24/root/etc/httpd"
 -D SUEXEC_BIN="/opt/rh/httpd24/root/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

apachectl -M:

 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 cache_socache_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 http2_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 macro_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 request_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 watchdog_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 lua_module (shared)
 mpm_event_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_hcheck_module (shared)
 proxy_scgi_module (shared)
 proxy_uwsgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 php7_module (shared)

https://tools.keycdn.com/http2-test:

HTTP/2 protocol is not supported.
ALPN extension is not supported.

updated with virtual hosts

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName ###
    ServerAlias www ###
    Protocols h2 h2c http/1.1
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/###.ro/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/###/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/###/chain.pem
</VirtualHost>
Regarding `Protocols h2 http/1.1`, is that in the general configuration, or under a specific virtual host? Is it being overridden with settings against your virtual host? (e.g. https://httpd.apache.org/docs/2.4/howto/http2.html#basic-config)
Also - are you using HTTPS? If not you should also include `h2c` (i.e. `Protocols h2 h2c http/1.1`) as it seems `h2` is http/2 over TLS, whilst `h2c` is http/2 over TCP (i.e. a non-secure transport layer).
Is there anything between your web server and the internet (reverse proxy / load balancer / firewall / etc)? If so, potentially that may also need config changed to support `http/2`.
qlangiul:
I've updated the protocols to `Protocols h2 h2c http/1.1` and they are under a specific virtual host.
What does your `virtualhost` look like - i.e. are you specifying any IP/Port/ServerName/ServerAlias values? Are you serving content over HTTP or HTTPS? If HTTPS, do you have a valid cert with a SAN list covering all relevant domains? Can you access the site in the browser (i.e. irrespective of http/1.1 vs http/2).
qlangiul:
I've updated the question with the virtualhost file. The website is accessible from the browser with http/1.1.
From what you've shared above, all looks fine with your config. I don't know much about CentOS, but found this - https://serverfault.com/a/1098826/137255 - any help?
qlangiul:
I've tried what's written in that answer. I'll check if there's something in the reverse proxy / load balancer / firewall. I'll update when I've found something.
qlangiul:
Everything seemed fine, but it didn't work, so I've given up. I will try a newer version of CentOS or maybe try on Ubuntu. Thanks for the ideas!
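
A local check for the "ALPN extension is not supported" result reported in the question, as an added example that is not part of the original thread. The function names `classify_alpn` and `probe_alpn` are hypothetical, the sample excerpts are constructed, and the client running it is assumed to have OpenSSL 1.0.2 or later so that `s_client -alpn` is available.

```shell
#!/bin/sh
# Added example: report what a TLS endpoint selected via ALPN.

# classify_alpn: read `openssl s_client` output on stdin and print one of
#   h2        server selected HTTP/2
#   http/1.1  ALPN works, but the server chose HTTP/1.1
#   no-alpn   handshake completed, server ignored the ALPN extension
#   unknown   no ALPN status line at all (handshake probably failed)
classify_alpn() {
    awk '
        /^ALPN protocol: /    { print $3; found = 1; exit }
        /^No ALPN negotiated/ { print "no-alpn"; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# probe_alpn HOST:PORT [SNI]
# Offers h2 and http/1.1, like a browser would, and classifies the answer.
# SNI defaults to the host part of HOST:PORT; pass it explicitly when
# connecting by IP address so the intended virtual host is selected.
probe_alpn() {
    pa_connect="$1"
    pa_sni="${2:-${1%%:*}}"
    openssl s_client -connect "$pa_connect" -servername "$pa_sni" \
        -alpn h2,http/1.1 </dev/null 2>/dev/null | classify_alpn
}

# Constructed s_client excerpts for offline use (not captured from the
# server in the question).
SAMPLE_H2='SSL handshake has read 3012 bytes and written 421 bytes
ALPN protocol: h2
    Protocol  : TLSv1.2'
SAMPLE_NONE='SSL handshake has read 2890 bytes and written 421 bytes
No ALPN negotiated
    Protocol  : TLSv1.2'

# With arguments, probe a live endpoint: ./alpn-check.sh example.org:443
if [ "$#" -gt 0 ]; then
    probe_alpn "$@"
fi
```

Running `probe_alpn 127.0.0.1:443 <ServerName>` on the server and `probe_alpn <ServerName>:443` from outside separates the two cases raised in the comments: `no-alpn` from both points at httpd's own TLS stack, while `h2` locally and `no-alpn` externally points at a proxy or load balancer terminating TLS in between.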