I'm trying to get h2 (HTTP/2) to work on my webserver. Installed Apache 2.4.20 via the "ondrej" repository. I tested on a Debian 8 and Ubuntu 14.04 server, but I keep running into the same problems. I have OpenSSL 1.0.2 and SSL vhosts running.
The strange thing is that the upgrade headers (Connection: upgrade and Upgrade: h2) are sent. When I do some external server testing I get the responses that h2 is running properly with ALPN support. But the problem is the browsers I tested on (Chrome and Firefox on Win7) won't upgrade to h2.
One thing which I noticed which is missing is the HTTP/2-Settings header, but I can't find anything in any Apache documentation to implement this or force Apache to send this header.
Sadly I couldn't test with cURL, since the servers I have access to don't support any version which has HTTP/2 support.
My SSL vhost settings:
Protocols h2 http/1.1
SSLEngine On
SSLCACertificateFile xxxxxxxx
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RSA+AES RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !AES128"
Header always set Strict-Transport-Security "max-age=15552000;includeSubDomains"
SSLCertificateFile xxxxxxxx
SSLCertificateKeyFile xxxxxxxx
I'm running Apache with the prefork module instead of with workers.
Who can tell me what's wrong?
In the end I got it to work. It was a matter of changing the "SSLCipherSuite" to this string:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-A$
The old one had - so to speak - an option which blocked http2. My SSL test rating is still A+ btw.
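Added example, not part of either answer: RFC 7540 section 9.2.2 allows an HTTP/2 endpoint to reject a TLS 1.2 connection whose cipher suite lacks ephemeral key exchange or an AEAD cipher, so a cipher string can leave ALPN advertising h2 while the negotiated suite rules it out. The sketch below picks the suite a server with `SSLHonorCipherOrder On` would select and checks it against that rule; the no-AES128 server list and the client offer are constructed assumptions, and only the second server list comes from the visible start of the working string.

```python
# Added example: check the suite a server-preference handshake would select
# against the HTTP/2 cipher rule of RFC 7540 section 9.2.2 / Appendix A.
# Handles OpenSSL names of TLS 1.2 suites only.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")

def h2_acceptable(suite):
    """True if the suite has ephemeral key exchange and an AEAD cipher."""
    return suite.startswith(EPHEMERAL_PREFIXES) and any(m in suite for m in AEAD_MARKERS)

def negotiate(server_pref, client_offer):
    """First suite in the server's order that the client also offers."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered:
            return suite
    return None  # no shared suite: the handshake itself fails

def check(server_pref, client_offer):
    """Return (selected suite, whether h2 may run over it)."""
    suite = negotiate(server_pref, client_offer)
    return suite, suite is not None and h2_acceptable(suite)

# Constructed: a preference list with no AES-128 suites, which is what a
# "!AES128" term in a cipher string leaves behind.
SERVER_WITHOUT_AES128 = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-GCM-SHA384", "AES256-SHA",
]
# The visible beginning of the string from the answer above.
SERVER_FIXED_PREFIX = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
]
# Constructed: a hypothetical client that offers AES-128-GCM but no
# AES-256-GCM suites.
CLIENT_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "AES256-SHA",
]

if __name__ == "__main__":
    for label, pref in (("without AES128", SERVER_WITHOUT_AES128),
                        ("fixed prefix", SERVER_FIXED_PREFIX)):
        suite, ok = check(pref, CLIENT_OFFER)
        print(f"{label}: selected {suite}, h2 {'allowed' if ok else 'ruled out'}")
```

To compare against a live server, read the negotiated suite and ALPN protocol from a real handshake and pass the suite name to `h2_acceptable`.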
You cannot upgrade to the h2 protocol.
The HTTP/1.1 upgrade mechanism is something that is initiated by clients.
If I understood you correctly, and you're trying to send the Upgrade and the HTTP2-Settings headers from server to client, then that does not make sense. Clients send those headers, not the server.
Furthermore, while the HTTP/2 protocol itself allows for clear-text communication via a HTTP/1.1 upgrade to h2c (note the c at the end of the protocol name), browser vendors have not implemented this mechanism and only use the HTTP/2 protocol after ALPN negotiation.
In summary:
h2c), but only with non-browser clients such as nghttp. This is explained here.
Upgrade and HTTP2-Settings headers, not the server.
h2). This means that you cannot have clear-text HTTP/2 between a browser and a server.