How-to: Enable HTTP/2 in Apache/Nginx/cURL

smtalk

NOTE: Do not follow this on CentOS 7.4, Debian 9, FreeBSD 11. If your OpenSSL already supports the ALPN extension, CustomBuild will enable it by default on your OS!

It's most likely that your OpenSSL does not support the ALPN extension, which is why it's difficult to get HTTP/2 running with Apache. Please follow these steps to get HTTP/2 enabled with Apache:
1) Install OpenSSL, with ALPN support:
Code:
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
tar xzf openssl-1.0.2u.tar.gz
cd openssl-1.0.2u
./config --prefix=/usr/local/lib_http2 no-ssl2 no-ssl3 zlib-dynamic -fPIC
make depend
make install

2) Install nghttp2:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build nghttp2

3) Enable http2 in Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp -p configure/ap2/configure.apache custom/ap2/configure.apache

Edit custom/ap2/configure.apache, find:
Code:
    "--with-ssl=/usr" \

Replace with:
Code:
    "--enable-http2" \
    "--enable-ssl-staticlib-deps" \
    "--with-ssl=/usr/local/lib_http2" \

Re-install apache:
Code:
./build apache

4) Configure Apache to run http2:
Code:
echo 'ProtocolsHonorOrder On' >> /etc/httpd/conf/extra/httpd-includes.conf
echo 'Protocols h2 h2c http/1.1' >> /etc/httpd/conf/extra/httpd-includes.conf

Update SSL Ciphers in /etc/httpd/conf/extra/httpd-ssl.conf:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

Restart Apache now :) It's recommended to run PHP in PHP-FPM mode, so that PHP isn't installed as a module of Apache (otherwise you might have an OpenSSL library conflict, if PHP is compiled as an Apache module and uses the old (OS) version of OpenSSL).

To enable HTTP/2 in cURL, add the following code to /usr/local/directadmin/custombuild/custom/curl/configure.curl:
Code:
#!/bin/sh
perl -pi -e 's|CURL_CHECK_PKGCONFIG\(zlib\)|#CURL_CHECK_PKGCONFIG(zlib)|g' configure.ac
LIBS="-ldl" ./configure --with-nghttp2=/usr/local --with-ssl=/usr/local/lib_http2

And execute:
Code:
cd /usr/local/directadmin/custombuild
chmod 700 custom/curl/configure.curl
./build curl

To enable HTTP/2 in Nginx:
Code:
cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
tar xzf openssl-1.1.1k.tar.gz

For standalone Nginx:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx
cp -p configure/nginx/configure.nginx custom/nginx/configure.nginx

For Nginx_Apache:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx_reverse
cp -p configure/nginx_reverse/configure.nginx custom/nginx_reverse/configure.nginx

Build Nginx with a statically linked OpenSSL library:
1) Edit configure.nginx which was copied to custom/ folder
2) Add "--with-openssl=/usr/local/src/openssl-1.1.1k" and "--with-http_v2_module" flags
3) Run "./build nginx"
4) Execute:
Code:
cd /usr/local/directadmin/data/templates/
cp -fp nginx_server_secure.conf custom/nginx_server_secure.conf
cp -fp nginx_server_secure_sub.conf custom/nginx_server_secure_sub.conf
perl -pi -e 's#listen \|IP\|:\|PORT_443\| ssl#listen |IP|:|PORT_443| ssl http2#g' custom/nginx_server_secure.conf custom/nginx_server_secure_sub.conf
cd /usr/local/directadmin/custombuild
./build rewrite_confs
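
A way to confirm from the client side that the rebuilt server really negotiates h2 over ALPN, as an added example that is not part of the original post. The function names `alpn_result` and `h2_verdict` are hypothetical and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: read `openssl s_client` output on stdin and report the ALPN result.
# Live use (the client OpenSSL must know -alpn, i.e. 1.0.2 or newer):
#   openssl s_client -alpn h2,http/1.1 -connect HOST:443 </dev/null 2>/dev/null | h2_verdict

# Prints the negotiated protocol, "none" (server sent no ALPN answer)
# or "unknown" (input holds no handshake summary).
alpn_result() {
    awk '
        /^ALPN protocol:/     { sub(/^ALPN protocol:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); r = $0; seen = 1 }
        /^No ALPN negotiated/ { r = "none"; seen = 1 }
        END { print (seen ? r : "unknown") }
    '
}

# Turns the result into a one-line verdict that starts with "ok" or "fail".
h2_verdict() {
    case "$(alpn_result)" in
        h2)      echo "ok: server selected h2" ;;
        none)    echo "fail: no ALPN answer (TLS library without ALPN, or no protocol list configured)" ;;
        unknown) echo "fail: no handshake summary in input" ;;
        *)       echo "fail: ALPN works but h2 was not selected (check the Protocols / http2 setting)" ;;
    esac
}

# Constructed sample outputs (trimmed), not captured from a real server.
SAMPLE_H2='CONNECTED(00000003)
---
ALPN protocol: h2
---
SSL-Session:
    Protocol  : TLSv1.2'

SAMPLE_OLD='CONNECTED(00000003)
---
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2'

printf '%s\n' "$SAMPLE_H2"  | h2_verdict
printf '%s\n' "$SAMPLE_OLD" | h2_verdict
```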
 
Tested and works.

On FreeBSD 9, simply use openssl, nghttp2 and spdylay from ports and use "-with-ssl=/usr/local/lib"

To test, load Chrome, hit F12, go to the Network tab, right-click on the headers, add "protocol" and refresh the page
 
Strange. I do everything and everything goes OK. But when I test it, I got information that the protocol is 1.1, not h2.
CentOS
I got Apache 2.4.18
and I got libssl loaded (I don't know why):
# ldd /usr/local/bin/php | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f886ee7c000)
 
You're checking the PHP binary. The how-to is for Apache, so check:
Code:
ldd /usr/sbin/httpd | grep ssl
 
I got the same:
# ldd /usr/sbin/httpd | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fa624cd1000)

And it doesn't load HTTP/2. Just HTTP 1.1.
 
That's why; for some reason your Apache uses OpenSSL from /usr/lib64. Probably you did not remove "--with-ssl=/usr" from configure.apache.
 
Of course I did it. I replaced it with:
"--enable-http2" \
"--enable-ssl-staticlib-deps" \
"--with-ssl=/usr/local/lib_http2" \
 
Please post the output of:
Code:
ls -l /usr/local/lib_http2
./build used_configs
 
Hi. Thanks @smtalk for the help. I don't know, but the system didn't compile lib_http2 for me. Now everything is working!
 
Hi smtalk, I followed all the steps. There is no problem when installing OpenSSL version openssl-1.0.1r and Apache v2.4.18. What kind of work was going to be a problem?
 
Getting http/2 and php in mod_php to work (using openssl 1.0.2)

Here is how I got the mod_php to work with http/2:

Following scrupul0us's experience (from thread: http://forum.directadmin.com/showthread.php?t=52133&page=3&p=270371, PHP compilation errors, version discrepancies in phpinfo() and instability), I tried to compile the new version of OpenSSL as a shared library (and to use that shared library only in Apache and mod_php).

Here are the changes from the original procedure:

Building the openssl 1.0.2, and creating a shared library:
Using the command

Code:
./config --openssldir=/usr/local/lib_http2 zlib-dynamic shared

Note that this command is different from the suggested config command.
It includes the "shared" argument and it does not have the flags -no-ssl2 and -no-ssl3
(see openssl documentation https://wiki.openssl.org/index.php/C...d_Installation).

These protocols (SSLv2 and SSLv3) should be removed, but it seems that mod_ssl requires at least SSLv3 and I did have the instability issue as scrupul0us described without these flags (but it requires further testing, I haven't tested it with -no-ssl2 only).

Once the compilation of OpenSSL 1.0.2 completed, the created shared libraries were copied to /usr/local/lib:

Code:
cp /usr/local/lib_http2/lib/libcrypto.so.1.0.0 /usr/local/lib
cp /usr/local/lib_http2/lib/libssl.so.1.0.0    /usr/local/lib

Now the custom configuration files for compiling Apache should be created (or modified) at the locations:

custom/ap/configure.apache
and
custom/ap/configure.php55 (your version might vary)

Replace in custom/ap/configure.apache the phrase

Code:
 "--with-ssl=/usr" \
with:

Code:
 "--enable-http2" \
 "--with-ssl=/usr/local/lib_http2" \
(The flag --enable-ssl-staticlib-deps as used in the original guide has been removed, since we are using the shared libraries and not static libraries)

and in the php custom configuration:
replace the original

Code:
--with-openssl \
with the following:

Code:
 --with-openssl=/usr/local/lib_http2 \
 --with-openssl-dir=/usr/local/lib_http2 \
(I am not sure whether the second line, --with-openssl-dir=/usr/local/lib_http2, is required; a line --with-open-ssl-dir does not exist in the original configure.apache in custombuild)

Now use custombuild to build PHP and Apache:

Code:
./build php
./build apache

(and doing all the other steps in the original guide, except with the changes described here)

Now there is no discrepancy in phpinfo() output:

openssl

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.2f 28 Jan 2016
OpenSSL Header Version OpenSSL 1.0.2f 28 Jan 2016

Without copying the .so.1.0.0 files to /usr/local/lib, an error would appear that says that libssl.so.1.0.1 cannot be found (this can be resolved in other ways, such as setting the environment variable PHP_RPATHS to include the new library path /usr/local/lib_http2/lib before executing custombuild's ./build php).

(it seems that copying these shared library files to /usr/local/lib does not affect the system's openssl e.g. some other package will use this new openssl instead of the old but stable operating system openssl)
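
The `ldd` check used earlier in the thread and the shared-library build described in this post both come down to where libssl and libcrypto resolve from. The following is an added example, not part of the original posts; the function name `openssl_origin` is hypothetical and the sample `ldd` outputs are constructed.

```shell
#!/bin/sh
# Added example: read `ldd <binary>` output on stdin and say where the
# OpenSSL libraries (libssl, libcrypto) resolve from.
# Live use:  ldd /usr/sbin/httpd | openssl_origin
# Prints: os | custom | mixed | missing | none
openssl_origin() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            n++
            if ($2 == "=>" && $3 == "not")          missing++   # "=> not found"
            else if ($3 ~ /^\/(usr\/)?lib(64)?\//)  os++        # /lib, /lib64, /usr/lib, /usr/lib64
            else                                    custom++    # anything else, e.g. /usr/local/...
        }
        END {
            if (n == 0)            print "none"      # no dynamic OpenSSL dependency listed
            else if (missing)      print "missing"   # the loader cannot find the library
            else if (os && custom) print "mixed"     # two OpenSSL builds in one process
            else if (os)           print "os"
            else                   print "custom"
        }
    '
}

# Constructed ldd outputs, modelled on the lines quoted in this thread.
LDD_OS='    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007fa624cd1000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fa6248e9000)'

LDD_CUSTOM='    libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007f0000001000)
    libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x00007f0000002000)'

LDD_MIXED='    libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007f0000001000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000003000)'

LDD_MISSING='    libssl.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000004000)'

for sample in "$LDD_OS" "$LDD_CUSTOM" "$LDD_MIXED" "$LDD_MISSING"; do
    printf '%s\n' "$sample" | openssl_origin
done
```

Run it against both the httpd binary and the PHP module or binary; an "os" or "mixed" result on either one means the system OpenSSL is still being loaded there.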
 
Hello SMTALK

I run server:
PHP 5.5 with mod_php
opcache
zend
webserver - apache 2.4 (last)
mod_ruid2

Can I use this guide?
 
I run server:
PHP 5.5 with mod_php
opcache
zend
webserver - apache 2.4 (last)
mod_ruid2

Can I use this guide?

The method I described in reply #11 worked for me with exactly the same setup: php5.5 with mod_php, opcache, zend, apache 2.4.18, mod_ruid2
 
I think you should build in CustomBuild 2.0
./build_http2 (Or something like that)
 
The method I described in reply #11 worked for me with exactly the same setup: php5.5 with mod_php, opcache, zend, apache 2.4.18, mod_ruid2

Can't you just update your server to the latest openssl version and then recompile PHP via directadmin?

And if that doesn't work, can't you force directadmin to use openssl 1.0.2+ when it compiles PHP?
 
Please post the output of:
Code:
ls -l /usr/local/lib_http2
./build used_configs

It still shows HTTP/1.1.

Below are the details of what I did.
How do I enable HTTP/2? Did I miss something?
Code:
cd /usr/local/src/
wget ftp://ftp.openssl.org/source/openssl-1.0.2g.tar.gz
tar xzf openssl-1.0.2g.tar.gz

cd /usr/local/directadmin/custombuild
mkdir -p custom/nginx_reverse
cp -p configure/nginx_reverse/configure.nginx custom/nginx_reverse/configure.nginx

Then I did this:
1) Edit configure.nginx which was copied to custom/ folder
2) Add "--with-openssl=/usr/local/src/openssl-1.0.2g" flag
3) Run "./build nginx" 

Below is the resulting configure.nginx in the custom folder.
=================================
#!/bin/sh
./configure \
        "--user=nginx" \
        "--group=nginx" \
        "--prefix=/usr" \
        "--sbin-path=/usr/sbin" \
        "--conf-path=/etc/nginx/nginx.conf" \
        "--pid-path=/var/run/nginx.pid" \
        "--http-log-path=/var/log/nginx/access_log" \
        "--error-log-path=/var/log/nginx/error_log" \
        "--with-ipv6" \
        "--without-mail_imap_module" \
        "--without-mail_smtp_module" \
        "--with-http_ssl_module" \
        "--with-http_realip_module" \
        "--with-http_stub_status_module" \
        "--with-http_gzip_static_module" \
        "--with-http_dav_module" \
        "--with-cc-opt='-D FD_SETSIZE=32768'" \
        "--with-openssl=/usr/local/src/openssl-1.0.2g"

================================
 
OK, I must have been overlooking something; it was the Apache version

while:
gives latest version apache v2.4.12

updating with
https://help.directadmin.com/item.php?id=1

or the build update plugin script stays with Apache v2.4.12 because of custom_versions. I changed that.

you need for this http/2 manual howto here

the :
ProtocolsHonorOrder
but error:
Invalid command 'ProtocolsHonorOrder', perhaps misspelled or defined by a module not included in the server configuration

https://httpd.apache.org/docs/trunk/mod/core.html

You need at least Apache v2.4.17. This is the cause of this error.

Therefore I updated custom_versions to a newer Apache.

That did it, it is OK now!
 
While gzip is not supported in HTTP/2, please add a how-to for Brotli compression in Apache?

Brotli compression is supported in http/2
https://github.com/google/brotli/

So an idea: add a manual / how-to here in this thread to install Google's Brotli support in Apache with DirectAdmin CustomBuild?
https://www.keycdn.com/support/brotli-compression/

Some of it is partly here, but not the how-to for the Apache part on DirectAdmin boxes:
https://lyncd.com/2015/11/brotli-support-apache/

Also you can check/test your applied HTTP/2 support here:

https://tools.keycdn.com/http2-test
 
I'm getting this error:

/usr/local/directadmin/custombuild/custom/nginx/configure.nginx: line 20: --with-openssl=/usr/local/src/openssl-1.0.2h: No such file or directory
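
A message of this form is what sh prints when it tries to run an option line as a command of its own, which happens when the line before it in the configure wrapper does not end in a backslash. The following check is an added example, not part of the original post; the function name `broken_continuations` is hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list the line numbers of option lines in a configure.*
# wrapper that the shell would run as separate commands, because the line
# before them does not end in a backslash (trailing spaces or a CR after the
# backslash also break the continuation).
# Live use:  broken_continuations < custom/nginx/configure.nginx
broken_continuations() {
    awk '
        /^[ \t]*"?--/ && !cont { printf "%s%d", sep, NR; sep = " " }
        { cont = ($0 ~ /\\$/) }
        END { print "" }
    '
}

# Constructed sample: line 4 has lost its trailing backslash.
sample_broken() {
cat <<'EOF'
#!/bin/sh
./configure \
        "--user=nginx" \
        "--with-http_ssl_module"
        "--with-openssl=/usr/local/src/openssl-1.0.2h" \
        "--with-http_v2_module"
EOF
}

# Constructed sample: every option line is properly continued.
sample_ok() {
cat <<'EOF'
#!/bin/sh
./configure \
        "--user=nginx" \
        "--with-http_ssl_module" \
        "--with-openssl=/usr/local/src/openssl-1.0.2h" \
        "--with-http_v2_module"
EOF
}

echo "broken sample, detached option lines: $(sample_broken | broken_continuations)"
echo "ok sample, detached option lines: $(sample_ok | broken_continuations)"
```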
 