Project

General

Profile

Enhancement #516

Test HTTP2 support for Apache

Added by Marc Dequènes about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Low
Category:
Service :: Web
Start date:
2017-03-03
Due date:
% Done:

100%

Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

Description

In Strech mod_http2 will be available.

Doc: https://httpd.apache.org/docs/2.4/mod/mod_http2.html

Seems pretty straightforward, but the resource consumption may be a problem.

History

#1 Updated by Marc Dequènes almost 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes
  • % Done changed from 0 to 30

I've been testing HTTP2 on Elwing which was recently upgraded to Debian Stretch.

Interesting reading: https://bagder.gitbooks.io/http2-explained/content/en/

Howto I followed: https://icing.github.io/mod_h2/howto.html

So the interesting thing is theTLS ciphers are restricted and if the server even propose one in the blacklist the connection will fail. So having strong ciphers is not enough, you must not have inappropriate ciphers. This said, our current list of ciphers are not deemed acceptable, so I resorted to this one:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

I think one of the major problem is the PSK variants were not explicitely removed. I also removed old protocols as recommended:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

I decided not to activate h2c because we want to push for HTTPS, and it seems several browser vendors decided to not implement support for it anyway.

Elwing has HTTP2 activated server-wide with this simple line:

Protocols h2 http/1.1

At the moment all vhosts seem to work fine.

The http2-status handler to get more HTTP2-specific status does not work (404) while it is supposed to be in 2.4.19 (but loading and logs do not give any error).

#2 Updated by Marc Dequènes almost 2 years ago

  • % Done changed from 30 to 40

Upgraded Thorfinn on HTTP2 successfully. Weechat is working fine from the Android app.

#3 Updated by Marc Dequènes almost 2 years ago

  • % Done changed from 40 to 60

Upgraded Orfeo on HTTP2 successfully.

#4 Updated by Marc Dequènes almost 2 years ago

  • % Done changed from 60 to 80

Upgraded Toushirou on HTTP2 successfully.

We've been hit by Debian#850947 on these vhosts:
  • repository.duckcorp.org
  • sources.duckcorp.org

It was not a big deal because APT does not use (yet) HTTP2, but I forced the protocols on these vhosts to exclude h2 and it works fine.

#5 Updated by Marc Dequènes almost 2 years ago

All webservers are proposing HTTP2 now. No other problematic vhost was found.

#6 Updated by Marc Dequènes almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

Also available in: Atom PDF