How-to: Enable HTTP/2 in Apache/Nginx/cURL

ikkeben

Verified User
Joined
May 22, 2014
Messages
641
Location
Netherlands Germany
I also have it running for a longer time now, so I don't know what is causing the problems in CentOS (at our DA box all is running OK).

Maybe because I did install openssl 1.0.1u this way, so on the system openssl -v is giving this version.
http://forum.directadmin.com/showthread.php?t=54756&p=280853#post280853

https://help.poralix.com/articles/error-building-curl-7.54.0-on-directadmin-with-openssl-1.0.2
Let's get it fixed!

This is how you can fix it: you should upgrade the basic version of the package to the latest available OpenSSL 1.0.1u or even newer OpenSSL 1.0.2 or OpenSSL 1.1.0.

Here are instructions on how to update it to the latest OpenSSL 1.0.1:
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
641
Location
Netherlands Germany
PHP is running with php-fpm. The following log shows that regular http is still being used:
redacted - - [02/Sep/2017:10:35:44 +0100] "GET / HTTP/1.1" 200 739 "-" "Mozilla/5.0 (X11; CrOS x86_64 9592.85.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.112 Safari/537.36"

I have Custombuild 2.0 running with php-fpm, so prefork shouldn't be running by default then anymore. See the following:

[root@server]# httpd -V
Server version: Apache/2.4.27 (Unix)
Server built: Sep 2 2017 11:09:38
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.6.2, APR-UTIL 1.6.0
Compiled using: APR 1.6.2, APR-UTIL 1.6.0
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D HAVE_SYSTEMD
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="/var/logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
I have the same result, so maybe try as in my post 1 post up to get a later system openssl version
(here HTTP2 is up and running! with redhat release Centos 7.3.1611 Core only Apache (no NGINX))
Latest Custombuild 2 DA

and have this:

Edit custom/ap2/configure.apache, find:
Code:

"--with-ssl=/usr" \

Replace with:
Code:

"--enable-http2" \
"--enable-ssl-staticlib-deps" \
"--with-ssl=/usr/local/lib_http2" \
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
641
Location
Netherlands Germany
For everybody that is on CentOS, I would think it is better to wait. Because RedHat 7.4 is already released, and therefore soon CentOS 7.4 will come. And in 7.4 there is default support for ALPN https://ma.ttias.be/centos-7-4-ship-tls-1-2-alpn/
http://forum.directadmin.com/showthread.php?t=54756&p=280889#post280889
By the way, Red Hat Enterprise Linux 7 and its derivatives including CentOS 7 will have OpenSSL 1.0.2 as a base version. It will allow serving HTTP/2 traffic in an easier way.

Release version: 7.4
Expected to be released on November 2017.

Really good news, isn't it!

Related:
- https://bugzilla.redhat.com/show_bug.cgi?id=1276310
- https://access.redhat.com/articles/3078
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
@ikkeben, I don't think we need to wait until November. RedHat 7.4 was released a month ago, so it should only be a matter of a week or two until CentOS 7.4 is also released.
 

DutchLearner

Verified User
Joined
Jul 30, 2016
Messages
26
> I have the same result, so maybe try as in my post 1 post up to get a later system openssl version
> (here HTTP2 is up and running! with redhat release Centos 7.3.1611 Core only Apache (no NGINX))
> Latest Custombuild 2 DA
>
> and have this:

Thanks for your response. I'm afraid that has already been done. The original tutorial was followed (and also the one on Vultr to double check). OpenSSL version 1.1.0f was installed, like the OP described. CentOS is also fully up-to-date (7.3), Custombuild 2.0, Apache and everything else that Custombuild 2.0 finds with doing a ./build update.

Also the code replacements in custom/ap2/configure.apache have been done. Like I said, the tutorial was fully followed in the written order.

Is there anything else to try?
 

alexjohn

New member
Joined
Sep 1, 2017
Messages
4
> Thanks for your response. I'm afraid that has already been done. The original tutorial was followed (and also the one on Vultr to double check). OpenSSL version 1.1.0f was installed, like the OP described. CentOS is also fully up-to-date (7.3), Custombuild 2.0, Apache and everything else that Custombuild 2.0 finds with doing a ./build update.
>
> Also the code replacements in custom/ap2/configure.apache have been done. Like I said, the tutorial was fully followed in the written order.
>
> Is there anything else to try?

Did you try the symlink?
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
641
Location
Netherlands Germany
> Thanks for your response. I'm afraid that has already been done. The original tutorial was followed (and also the one on Vultr to double check). OpenSSL version 1.1.0f was installed, like the OP described. CentOS is also fully up-to-date (7.3), Custombuild 2.0, Apache and everything else that Custombuild 2.0 finds with doing a ./build update.
>
> Also the code replacements in custom/ap2/configure.apache have been done. Like I said, the tutorial was fully followed in the written order.
>
> Is there anything else to try?

What does openssl version give at your box?

If not the 1.0.1u then try this also
http://forum.directadmin.com/showthread.php?t=52590&page=6&p=283180#post283180

Because I have that done, not for the error but for the curl update problems, you never know.. ;)

Oh yeah, f is not the latest version, so take a look at a newer version than the .f, same procedure, only a newer package! (I don't know which version for now, but could be k)

No, no, I have done it with this, I think:
openssl-1.0.2l.tar.gz, the version before was the .k of that, sorry. See the newest versions at ftp://ftp.openssl.org/source/. The 1.1 has some more things you should take care of, I believe, reading somewhere!
 

CCM-Carl

New member
Joined
Oct 10, 2016
Messages
3
Centos 7 1708 released

Since Centos 7 1708 is now released, what are the steps for enabling http/2 on directadmin with nginx_apache?
Any workarounds that need to be applied?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,339
Location
LT, EU
You don't need to do any of the steps with CentOS7.4. "./build apache" or "./build nginx" will enable HTTP/2 by default, if it detects OpenSSL 1.0.2 or higher installed on the system.
 

DutchLearner

Verified User
Joined
Jul 30, 2016
Messages
26
> You don't need to do any of the steps with CentOS7.4. "./build apache" or "./build nginx" will enable HTTP/2 by default, if it detects OpenSSL 1.0.2 or higher installed on the system.

Thank you for your reply. Is php-fpm still required? After building Apache, the following shows at the end of the installation process:
Apache 2.4.27 and higher will not negotiate http2 with mpm_prefork. Please do not use mod_php or disable http2 in the directadmin.conf
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
> You don't need to do any of the steps with CentOS7.4. "./build apache" or "./build nginx" will enable HTTP/2 by default, if it detects OpenSSL 1.0.2 or higher installed on the system.

But at https://www.directadmin.com/features.php?id=1884 it says: "Requires: http2=1 in the directadmin.conf."

Can you please confirm it still is needed to have http2=1 in directadmin.conf, and that it still is needed to have pre-release of DirectAdmin 1.515?
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
> Thank you for your reply. Is php-fpm still required? After building Apache, the following shows at the end of the installation process:
> Apache 2.4.27 and higher will not negotiate http2 with mpm_prefork. Please do not use mod_php or disable http2 in the directadmin.conf

Apache MPM event is required, and you don't get MPM event when you use mod_php. The message you see after recompiling Apache is also mentioned in the latest Apache announcement at https://www.apache.org/dist/httpd/Announcement2.4.html
 

wattie

Verified User
Joined
May 31, 2008
Messages
992
Location
Bulgaria
> Thank you for your reply. Is php-fpm still required? After building Apache, the following shows at the end of the installation process:
> Apache 2.4.27 and higher will not negotiate http2 with mpm_prefork. Please do not use mod_php or disable http2 in the directadmin.conf

HTTP2 will not work with Prefork. That's not a DA limitation but an Apache one. You must switch to event mode (use php-fpm).
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,339
Location
LT, EU
> But at https://www.directadmin.com/features.php?id=1884 it says: "Requires: http2=1 in the directadmin.conf."
>
> Can you please confirm it still is needed to have http2=1 in directadmin.conf, and that it still is needed to have pre-release of DirectAdmin 1.515?

CustomBuild sets http2=1 automatically if it detects that OpenSSL supports the ALPN extension. So, there is no need to do it. If you'd like to permanently disable http2 on your system, http2=0 needs to be set in directadmin.conf. If you already have http2=0 in directadmin.conf, CustomBuild will not change its value. I hope it's clear :)
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,461
> CustomBuild sets http2=1 automatically if it detects that OpenSSL supports the ALPN extension. So, there is no need to do it. If you'd like to permanently disable http2 on your system, http2=0 needs to be set in directadmin.conf. If you already have http2=0 in directadmin.conf, CustomBuild will not change its value. I hope it's clear :)

Thank you for the information! The only thing that is not clear to me now is whether DirectAdmin pre-release 1.515 is needed to get HTTP/2 to work correctly. Will HTTP/2 already work correctly in the current DirectAdmin version 1.514? The reason it is not clear to me is that this guide https://www.directadmin.com/features.php?id=1884 seems to indicate it is only available in the next release 1.515?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,339
Location
LT, EU
Ah, yes, DA 1.515 has template changes for nginx_server*.conf to enable http2 there. However, it fully works with Apache and DA 1.514.
 

CCM-Carl

New member
Joined
Oct 10, 2016
Messages
3
ALPN is not supported

Updated Centos to 1708

set http2=1 in directadmin.conf
rebuilt nginx_apache

KeyCDN HTTP/2 test results are:
"does not support HTTP/2.0. Supported protocols: http/1.1"
"ALPN is not supported"

Openssl version is 1.0.2k

am I missing a step?
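
Added example, not part of any post in this thread: the preconditions the posts above name for HTTP/2 on Apache (OpenSSL 1.0.2 or higher for ALPN, an MPM other than prefork, no http2=0 in directadmin.conf) written as a shell check. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): HTTP/2 preconditions named in the posts.
# Every function takes command output as text, so it runs offline.

# ALPN needs OpenSSL 1.0.2 or higher. $1 = output of `openssl version`.
openssl_has_alpn() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2          # unparseable version string
    set -- $ver                        # split into major, minor, patch
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10002 ]
}

# Apache 2.4.27+ will not negotiate h2 under mpm_prefork. $1 = `httpd -V` output.
apache_mpm() {
    printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*//p' | tr 'A-Z' 'a-z'
}

# http2=0 disables HTTP/2 permanently. $1 = contents of directadmin.conf.
da_http2_setting() {
    v=$(printf '%s\n' "$1" | sed -n 's/^http2=//p' | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Print one line per failed precondition; return 0 only when none failed.
# $1 = openssl version output, $2 = httpd -V output, $3 = directadmin.conf text
http2_blockers() {
    rc=0
    openssl_has_alpn "$1" || { echo "openssl: no ALPN (need 1.0.2+)"; rc=1; }
    [ "$(apache_mpm "$2")" != "prefork" ] || { echo "apache: mpm_prefork in use"; rc=1; }
    [ "$(da_http2_setting "$3")" != "0" ] || { echo "directadmin.conf: http2=0"; rc=1; }
    return $rc
}

# Constructed sample inputs, shaped like the outputs quoted in this thread.
SAMPLE_OPENSSL='OpenSSL 1.0.2k-fips  26 Jan 2017'
SAMPLE_HTTPD='Server version: Apache/2.4.27 (Unix)
Server MPM:     event'
SAMPLE_DACONF='http2=1'

http2_blockers "$SAMPLE_OPENSSL" "$SAMPLE_HTTPD" "$SAMPLE_DACONF" &&
    echo "no blockers found"
```

On a live box, pass "$(openssl version)", "$(httpd -V)" and the contents of directadmin.conf instead of the samples. With an nginx front end the thread names one more condition that is not checked here: the nginx_server*.conf template changes in DA 1.515.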
 