How-to: Enable HTTP/2 in Apache/Nginx/cURL

I am running into a similar problem since updating to Apache 2.4.25.

After a while HTTPS sites stop working, Chrome reports an ERR_SPDY_PROTOCOL_ERROR. Firefox gives a generic SSL error.

I don't quite follow ikkeben's posts, I think they are pointing at an OpenSSL issue.
I don't believe it to be an OpenSSL issue, I have been running 1.0.2e for almost a year with HTTP2 and haven't had any issues until the update to Apache 2.4.25.
I ran through the HTTP/2 commands in this thread to compile everything again in case there was a mismatch somewhere.

If I compile Apache without the "--enable-http2" bit then it seems to work fine without the SSL sites stopping working.

If anyone has HTTP/2 and Apache 2.4.25 working without issues, I would be happy to know how you did it :) In the meantime I think I will look to downgrade Apache to Apache/2.4.23 and see if that resolves the issue.

Sorry, that's Dutch-German ;)

I only mean I don't know:

So it could be so far i know now somewhere:
OPENSSL
HTTP2 modifications from here.
Custombuild2 / DA
GUI Custombuild2 Martynas.
Apache 2.4.25 Update.
Of course me, myself and I ;)

Sure it is a combination of one or more of them. (Which, I don't know.)

Only httpd reload gives problems at our VPS; with httpd restart it seems to work correctly, so I made some changes in the DirectAdmin conf, setting gracefull-restart=0, and now there are fewer problems because there are fewer httpd reloads. ;)

So i pointed also to this script maybe after the Apache 2.4.25 updates it should with HTTP2 don't httpd reloads sofar this is not solved.
http://files.directadmin.com/services/custombuild/httpd_2

Sorry to have this topic in more threads, I really don't know which one it should be or which is responsible for this problem.

this was the update:
Executing /usr/local/directadmin/plugins/custombuild/admin/build apache..Downloading httpd-2.4.25.tar.gz...
--2016-12-21 14:02:43-- http://files6.directadmin.com/services/custombuild/httpd-2.4.25.tar.gz
Resolving files6.directadmin.com (files6.directadmin.com)... 2001:16e8:1:c:62:148:174:106, 62.148.174.106
Connecting to files6.directadmin.com (files6.directadmin.com)|2001:16e8:1:c:62:148:174:106|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8460433 (8.1M) [application/x-gzip]
Saving to: '/usr/local/directadmin/custombuild/httpd-2.4.25.tar.gz'

this warning:
Configuring httpd-2.4.25
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
acinclude.m4:607: warning: underquoted definition of APACHE_CHECK_SYSTEMD

These parts in apache update:
checking whether to enable mod_ssl... checking dependencies
checking for OpenSSL... checking for user-provided OpenSSL base directory... /usr/local/lib_http2
adding "-I/usr/local/lib_http2/include" to CPPFLAGS
setting MOD_CFLAGS to "-I/usr/local/lib_http2/include "
setting ab_CFLAGS to "-I/usr/local/lib_http2/include "
adding "-L/usr/local/lib_http2/lib" to LDFLAGS
setting MOD_LDFLAGS to "-L/usr/local/lib_http2/lib "
checking for OpenSSL version >= 0.9.8a... OK
adding "-lssl" to MOD_LDFLAGS
adding "-lcrypto" to MOD_LDFLAGS
adding "-ldl" to MOD_LDFLAGS
adding "-lrt" to MOD_LDFLAGS
adding "-lcrypt" to MOD_LDFLAGS
adding "-lpthread" to MOD_LDFLAGS
adding "-lssl" to LIBS
adding "-lcrypto" to LIBS
adding "-ldl" to LIBS
adding "-lrt" to LIBS
adding "-lcrypt" to LIBS
adding "-lpthread" to LIBS
forcing ab_LDFLAGS to "-L/usr/local/lib_http2/lib -lssl -lcrypto -ldl -lrt -lcrypt -lpthread"
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version... yes
checking for SSL_CTX_new... yes
checking for ENGINE_init... yes
checking for ENGINE_load_builtin_engines... yes
checking for RAND_egd... yes
yes
checking whether to enable mod_ssl... static
adding "$(MOD_SSL_LDADD)" to AP_LIBS
adding "-I$(top_srcdir)/modules/ssl" to INCLUDES


..
checking whether to enable mod_http2... checking dependencies
checking for OpenSSL... (cached) yes
setting MOD_LDFLAGS to "-L/usr/local/lib_http2/lib -lssl -lcrypto -ldl -lrt -lcrypt -lpthread"
setting MOD_CFLAGS to "-I/usr/local/lib_http2/include "
setting MOD_CPPFLAGS to "-DH2_OPENSSL"
checking for nghttp2... checking for user-provided nghttp2 base directory... none
checking for pkg-config along ... checking for nghttp2 version >= 1.2.1... OK
adding "-lnghttp2" to MOD_LDFLAGS
adding "-lnghttp2" to LIBS
adding "-lrt" to LIBS
adding "-lcrypt" to LIBS
adding "-lpthread" to LIBS
adding "-ldl" to LIBS
checking nghttp2/nghttp2.h usability... yes
checking nghttp2/nghttp2.h presence... yes
checking for nghttp2/nghttp2.h... yes
checking for nghttp2_session_server_new2... yes
checking for nghttp2_stream_get_weight... yes
checking for nghttp2_session_change_stream_priority... yes
adding "-DH2_NG2_CHANGE_PRIO" to MOD_CPPFLAGS
checking for nghttp2_session_callbacks_set_on_invalid_header_callback... yes
adding "-DH2_NG2_INVALID_HEADER_CB" to MOD_CPPFLAGS
yes
checking whether to enable mod_http2... static
adding "$(MOD_HTTP2_LDADD)" to AP_LIBS
checking whether to enable mod_proxy_http2... no

so ssl and http2 and nghttp2 are all touched by Apache update to http://www.apache.org/dist/httpd/CHANGES_2.4.25

make[3]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/slotmem'
make[2]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/slotmem'
Making all in ssl
make[2]: Entering directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ssl'
make[3]: Entering directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ssl'



...

make[3]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ssl'
make[2]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ssl'
Making all in http2
make[2]: Entering directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/http2'
make[3]: Entering directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/http2'
/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr/libtool --silent --mode=compile gcc -std=gnu99 -I/usr/local/lib_http2/include -pthread -I/usr/local/include -DH2_OPENSSL -DH2_NG2_CHANGE_PRIO -DH2_NG2_INVALID_HEADER_CB -DLINUX -D_REENTRANT -D_GNU_SOURCE -I. -I/usr/local/directadmin/custombuild/httpd-2.4.25/os/unix -I/usr/local/directadmin/custombuild/httpd-2.4.25/include -I/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr/include -I/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr-util/include -I/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr-util/xml/expat/lib -I/usr/local/include -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/aaa -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/cache -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/core -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/database -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/filters -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ldap -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/loggers -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/lua -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/proxy -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/session -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/ssl -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/test -I/usr/local/directadmin/custombuild/httpd-2.4.25/server -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/arch/unix -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/dav/main -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/generators -I/usr/local/directadmin/custombuild/httpd-2.4.25/modules/mappers -prefer-non-pic -static -c mod_http2.c && touch mod_http2.lo
/usr


..
/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr/libtool --silent --mode=link gcc -std=gnu99 -I/usr/local/lib_http2/include -pthread -I/usr/local/include -static -L/usr/local/lib_http2/lib -lssl -lcrypto -ldl -lrt -lcrypt -lpthread -lnghttp2 -L/usr/local/lib -o libmod_http2.la mod_http2.lo h2_alt_svc.lo h2_bucket_beam.lo h2_bucket_eoc.lo h2_bucket_eos.lo h2_config.lo h2_conn.lo h2_conn_io.lo h2_ctx.lo h2_filter.lo h2_from_h1.lo h2_h2.lo h2_headers.lo h2_mplx.lo h2_ngn_shed.lo h2_push.lo h2_request.lo h2_session.lo h2_stream.lo h2_switch.lo h2_task.lo h2_util.lo h2_worker.lo h2_workers.lo
make[3]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/http2'
make[2]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/modules/http2'
Making all in proxy/balancers

....


Restoring certificate and key, and turning on httpd for DirectAdmins's check.
Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.
Enabling httpd in systemd...
Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.

...

---------------------------------------------------------------------
chmod 755 /usr/lib/apache/mod_htscanner2.so
[activating module `htscanner' in /etc/httpd/conf/httpd.conf]
mod_htscanner2 has been installed successfully.
Restarting apache.Done!
 
I suspect that at our VPS the reloads (graceful restarts) are the problem, not the httpd restarts; these are done correctly and give no problems. (Manual httpd reload also causes problems.)

This is in Changelog apache 2.4.25 update > http://www.apache.org/dist/httpd/CHANGES_2.4.25

*) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
streams to the end. [Stefan Eissing]


So maybe.... a kind of BUg / Combo Bug here somewhere
With this one:
So i pointed also to this script maybe after the Apache 2.4.25 updates it should with HTTP2 don't httpd reloads sofar this is not solved.
http://files.directadmin.com/services/custombuild/httpd_2

Update apache 2.4.23 had also some probs before with a older version of this script now maybe...?? > ;)
http://forum.directadmin.com/showthread.php?t=53446&p=275755#post275755
 
It's most likely that your OpenSSL does not support ALPN extension, that's why it's difficult to get HTTP/2 running with Apache. Please follow these steps to get HTTP/2 enabled with Apache:
1) Install OpenSSL, with ALPN support:
Code:
wget ftp://ftp.openssl.org/source/openssl-1.0.2j.tar.gz
tar xzf openssl-1.0.2j.tar.gz
cd openssl-1.0.2j
./config --prefix=/usr/local/lib_http2 no-ssl2 no-ssl3 zlib-dynamic -fPIC
make depend
make install


Hi,

I just want to install HTTP/2 on my Apache DA server. But I see that version 1.1.0c is available of OpenSSL.
Is it better to just install version 1.1.0c instead of your mentioned 1.0.2j?

And do I need to use php-FPM to run it correct? This because we use a lot of .htaccess rules.

Thanks!
 
I suspect that at our VPS the reloads (graceful restarts) are the problem, not the httpd restarts; these are done correctly and give no problems. (Manual httpd reload also causes problems.)

This is in Changelog apache 2.4.25 update > http://www.apache.org/dist/httpd/CHANGES_2.4.25

*) mod_http2: handling graceful shutdown gracefully, e.g. handling existing
streams to the end. [Stefan Eissing]


So maybe.... a kind of BUg / Combo Bug here somewhere
With this one:
So i pointed also to this script maybe after the Apache 2.4.25 updates it should with HTTP2 don't httpd reloads sofar this is not solved.
http://files.directadmin.com/services/custombuild/httpd_2

Update apache 2.4.23 had also some probs before with a older version of this script now maybe...?? > ;)
http://forum.directadmin.com/showthread.php?t=53446&p=275755#post275755

Someone?

Maybe this is causing it
https://www.apachehaus.com/forum/in...e31a693aec1462589c&topic=1398.msg3628#msg3628

Hoping this update helps ? no the update to http://forum.directadmin.com/showthread.php?t=54227 doesn't resolved the httpd reload issue with HTTP2 here

http://forum.directadmin.com/showthread.php?t=54227
> https://github.com/icing/mod_h2/issues/126
 
Downgrading to 2.4.23 worked for me, been stable for a few days now.

Code:
cd /usr/local/directadmin/custombuild

#create custom_versions.txt
# Add "apache2.4:2.4.23:"
echo "apache2.4:2.4.23:" >> custom_versions.txt


./build apache

You will need to remove it later if you want to upgrade to a newer Apache version.
 
Downgrading to 2.4.23 worked for me, been stable for a few days now.

Code:
cd /usr/local/directadmin/custombuild

#create custom_versions.txt
# Add "apache2.4:2.4.23:"
echo "apache2.4:2.4.23:" >> custom_versions.txt


./build apache

You will need to remove it later if you want to upgrade to a newer Apache version.
Thanks Yes but this is not so good while the Apache Update 2.4.25 has also some security fixes! ;)
 
True, It is more of short term fix and to get the new year out of way.

The mod_http2 bug might be worth a look, I will check my vhosts for "+Indexes" on the sites which I know failed.
 
True, It is more of short term fix and to get the new year out of way.

The mod_http2 bug might be worth a look, I will check my vhosts for "+Indexes" on the sites which I know failed.

results?

See here https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES the changelog for v2.4.26, which I think also mentions this issue.


Changes with Apache 2.4.26

*) mod_http2: fix for possible page fault when stream is resumed during
session shutdown. [sidney-j-r-m (github)]

*) mod_http2: fix for h2 session ignoring new responses while already
open streams continue to have data available. [Stefan Eissing]

*) mod_http2: adding support for MergeTrailers directive. [Stefan Eissing]

*) mod_http2: limiting DATA frame sizes by TLS record sizes in use on the
connection. Flushing outgoing frames earlier. [Stefan Eissing]

*) mod_http2: cleanup beamer registry on server reload, Fixes PR60510.
[Pavel Mateja <[email protected]>, Stefan Eissing]

*) mod_ext_filter: Don't interfere with "error buckets" issued by other
modules. PR60375. [Eric Covener, Lubos Uhliarik]

*) mod_http2: fixes https://github.com/icing/mod_h2/issues/126 e.g. beam
bucket lifetime handling when data is sent over temporary pools.
[Stefan Eissing]
 
I'm also curious what is causing the problem, and when it will be fixed.
Just rolled apache back to 2.4.23 and everything works again.
 
I'm also curious what is causing the problem, and when it will be fixed.
Just rolled apache back to 2.4.23 and everything works again.

Several fixes are made in Apache 2.4.26!

So is this one and a lot more with http2 ..
Changes with Apache 2.4.26

*) mod_http2: regression fix on PR 59348, on graceful restart, ongoing
streams are finished normally before the final GOAWAY is sent.
[Stefan Eissing, <slavko gmail.com>]

When a fix/update will be available I don't know, or is DA providing a fix in the meantime with the updates/info out of the svn??
https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES
Why i ask this is while version update 2.4.25 have also some security fixes that the version doesn't 2.4.23 have!?
 
I'm also curious what is causing the problem, and when it will be fixed.
Just rolled apache back to 2.4.23 and everything works again.
What is the cleanest way to do this until a structural fix is out? I'm experiencing the same issues since recent upgrades, regrettably I updated nghttp and Apache simultaneously (from 2.4.23) so no further information on which of the 2 is causing it why.

A hard "service httpd restart" seems to fix it properly for now, so simply cronning that after the daily 6:25am sighups could also do the job for now possibly.

[edit] Downgrade procedure documented at https://help.directadmin.com/item.php?id=275 for those Googling it here, just put "apache2.4:2.4.23:" in custom_versions.txt
 
FreeBSD 11 here. Trying to build curl per this guide gives an error:

root@srv2:/usr/local/directadmin/custombuild # ./build curl
Found /usr/local/directadmin/custombuild/curl-7.52.1.tar.gz
Extracting ...
Done.
Configuring curl-7.52.1...
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether make supports nested variables... yes
checking whether to enable debug build options... no
checking whether to enable compiler optimizer... (assumed) yes
checking whether to enable strict compiler warnings... no
checking whether to enable compiler warnings as errors... no
checking whether to enable curl debug memory tracking... no
checking whether to enable hiding of library internal symbols... yes
checking whether to enable c-ares for DNS lookups... no
checking whether to disable dependency on -lrt... (assumed no)
checking for path separator... :
checking for sed... /usr/bin/sed
checking for grep... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ar... /usr/bin/ar
checking for a BSD-compatible install... /usr/bin/install -c
checking for gcc... gcc48
checking whether the C compiler works... no
configure: error: in `/usr/local/directadmin/custombuild/curl-7.52.1':
configure: error: C compiler cannot create executables
See `config.log' for more details

*** There was an error while trying to configure cURL.

From the config.log:

...
CONFIGURE_OPTIONS='" '\''--with-nghttp2=/usr/local'\'' '\''--with-ssl=/usr/local/lib_http2'\'' '\''CC=gcc48'\'' '\''LIBS=-ldl'\'' '\''CPP=cpp48'\''"'
...

Without the custom/configure.curl it compiles fine.
 
I guess you can disregard the above. It seems that my curl has http2 support by default without the mod in this thread:

root@srv2:/ # curl --http2 -I https://nghttp2.org/
HTTP/2 200
date: Fri, 10 Feb 2017 22:09:40 GMT
content-type: text/html
last-modified: Wed, 25 Jan 2017 12:22:17 GMT
etag: "58889879-19e1"
accept-ranges: bytes
content-length: 6625
x-backend-header-rtt: 0.001175
strict-transport-security: max-age=31536000
server: nghttpx nghttp2/1.20.0-DEV
via: 2 nghttpx
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
 
For Nginx_Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx_reverse
cp -p configure/nginx_reverse/configure.nginx custom/nginx_reverse/configure.nginx
Build Nginx with statically linked OpenSSL library:
1) Edit configure.nginx which was copied to custom/ folder
2) Add "--with-openssl=/usr/local/src/openssl-1.0.2k" and "--with-http_v2_module" flags
3) Run "./build nginx"
4) Execute:
Code:
cd /usr/local/directadmin/data/templates/
cp -fp nginx_server_secure.conf custom/nginx_server_secure.conf
cp -fp nginx_server_secure_sub.conf custom/nginx_server_secure_sub.conf
perl -pi -e 's#listen \|IP\|:\|PORT_443\| ssl#listen |IP|:|PORT_443| ssl http2#g' custom/nginx_server_secure.conf custom/nginx_server_secure_sub.conf
cd /usr/local/directadmin/custombuild
./build rewrite_confs

My server has LAN_IP and IPv6, but with that config, only the public IP has "http2":

Code:
server
{
	listen 52.15.47.5:443 ssl http2;
	listen 172.31.7.38:443 ssl;
        listen [2600:1f16:5a8:d800:679b:4039:5a5e:98b8]:443 ssl;
        ....
}
How do I add http2 to the LAN IP and the IPv6 IP?
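
As an added example (not from the thread and not DirectAdmin code): the perl substitution quoted above only matches the `|IP|:|PORT_443|` listen line, which is why the other `listen ... ssl` sockets are left without `http2`. The script below audits a config or template for such lines and prints a patched copy without depending on the address token; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. Function names are hypothetical.

# One awk program, two modes:
#   mode=audit  print the address of every "listen ... ssl" without http2
#   mode=fix    print the whole file with " http2" appended to those lines
H2_LISTEN_AWK='
{
    orig = $0
    sub(/#.*/, "")                  # parse without trailing comments
    needs = 0
    if ($1 == "listen") {
        ssl = 0; h2 = 0
        for (i = 3; i <= NF; i++) {
            flag = $i; sub(/;$/, "", flag)
            if (flag == "ssl")   ssl = 1
            if (flag == "http2") h2 = 1
        }
        needs = (ssl && !h2)
    }
    if (mode == "audit") {
        if (needs) { addr = $2; sub(/;$/, "", addr); print addr }
    } else {
        # The first ";" on the line terminates the listen directive.
        if (needs) sub(/[ \t]*;/, " http2;", orig)
        print orig
    }
}'

listen_missing_http2()     { awk -v mode=audit "$H2_LISTEN_AWK" "$1"; }
add_http2_to_ssl_listens() { awk -v mode=fix   "$H2_LISTEN_AWK" "$1"; }

# Constructed sample: documentation-range addresses, same shape as the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
server
{
	listen 192.0.2.10:443 ssl http2;
	listen 10.0.0.5:443 ssl;   # LAN address
	listen [2001:db8::10]:443 ssl;
	listen 10.0.0.5:80;
}
EOF
}

demo() {
    conf=$(mktemp) || return 1
    write_sample_conf "$conf"
    echo "TLS listeners without http2:"
    listen_missing_http2 "$conf"
    echo "Patched copy:"
    add_http2_to_ssl_listens "$conf"
    rm -f "$conf"
}
demo
```
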
 
Hello,

I followed post #1 up to the ./build apache step and got stuck at this error

Thank you.

/usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr-util/libaprutil-1.la /usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr-util/xml/expat/libexpat.la -liconv /usr/local/directadmin/custombuild/httpd-2.4.25/srclib/apr/libapr-1.la -lrt -lcrypt -lpthread -lm
ab.o: In function `ssl_state_cb':
ab.c:(.text+0x5bd): undefined reference to `SSL_state'
ab.o: In function `ssl_print_info':
ab.c:(.text+0xaa8): undefined reference to `sk_num'
ab.c:(.text+0xacb): undefined reference to `sk_value'
ab.o: In function `test':
ab.c:(.text+0x4dda): undefined reference to `SSL_state'
ab.o: In function `main':
ab.c:(.text+0x5af6): undefined reference to `SSLv23_client_method'
ab.c:(.text+0x6332): undefined reference to `SSLv23_client_method'
ab.c:(.text+0x65e9): undefined reference to `SSL_load_error_strings'
ab.c:(.text+0x65ee): undefined reference to `SSL_library_init'
collect2: ld returned 1 exit status
make[2]: *** [ab] Error 1
make[2]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/httpd-2.4.25/support'
make: *** [all-recursive] Error 1

*** The make has failed, would you like to try to make again? (y,n):
 
Unable to get Http2 working

Hey, I followed your instructions and compiled the http2 module for Nginx, nginx_apache and also apache. It says the http2 module is installed but it's not working on the website. I don't understand where the problem is, but please check my website and let me know.
https://server.cloud82.net/

Please let me know how to overcome this problem.

Sudhan
 
Hey, I followed your instructions and compiled the http2 module for Nginx, nginx_apache and also apache. It says the http2 module is installed but it's not working on the website. I don't understand where the problem is, but please check my website and let me know.
https://server.cloud82.net/

Please let me know how to overcome this problem.

Sudhan

This test is saying HTTP2 is OK ;)
https://tools.keycdn.com/http2-test
HTTP/2 Test Result server.cloud82.net
Yeah! server.cloud82.net supports HTTP/2.0.
 