Enhancement #516
closed
Test HTTP2 support for Apache
100%
Description
In Strech mod_http2 will be available.
Doc: https://httpd.apache.org/docs/2.4/mod/mod_http2.html
Seems pretty straightforward, but the resource consumption may be a problem.
Updated by Marc Dequènes almost 7 years ago
- Status changed from New to In Progress
- Assignee set to Marc Dequènes
- % Done changed from 0 to 30
I've been testing HTTP2 on Elwing which was recently upgraded to Debian Stretch.
Interesting reading: https://bagder.gitbooks.io/http2-explained/content/en/
Howto I followed: https://icing.github.io/mod_h2/howto.html
So the interesting thing is theTLS ciphers are restricted and if the server even propose one in the blacklist the connection will fail. So having strong ciphers is not enough, you must not have inappropriate ciphers. This said, our current list of ciphers are not deemed acceptable, so I resorted to this one:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
I think one of the major problem is the PSK variants were not explicitely removed. I also removed old protocols as recommended:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
I decided not to activate h2c because we want to push for HTTPS, and it seems several browser vendors decided to not implement support for it anyway.
Elwing has HTTP2 activated server-wide with this simple line:
Protocols h2 http/1.1
At the moment all vhosts seem to work fine.
The http2-status handler to get more HTTP2-specific status does not work (404) while it is supposed to be in 2.4.19 (but loading and logs do not give any error).
Updated by Marc Dequènes almost 7 years ago
- % Done changed from 30 to 40
Upgraded Thorfinn on HTTP2 successfully. Weechat is working fine from the Android app.
Updated by Marc Dequènes almost 7 years ago
- % Done changed from 40 to 60
Upgraded Orfeo on HTTP2 successfully.
Updated by Marc Dequènes almost 7 years ago
- % Done changed from 60 to 80
Upgraded Toushirou on HTTP2 successfully.
We've been hit by Debian#850947 on these vhosts:- repository.duckcorp.org
- sources.duckcorp.org
It was not a big deal because APT does not use (yet) HTTP2, but I forced the protocols on these vhosts to exclude h2 and it works fine.
Updated by Marc Dequènes almost 7 years ago
All webservers are proposing HTTP2 now. No other problematic vhost was found.
Updated by Marc Dequènes almost 7 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100