Enabling http/2

Nextcloud version: 21.0.0
Operating system and version: Ubuntu 20.04
Apache or nginx version: Apache 2.4.29
PHP version: Php-fpm 7.4.16

Hi there, I tried to switch to Protocols http/2 but it doesn’t seem to work.

Steps I did:

  1. Followed this instruction to install php-fpm: How to enable HTTP/2 support in Apache - HTTP2.Pro
apachectl stop
apt-get install php7.4-fpm # Install the php-fpm from your PHP repository. This package name depends on the vendor.
a2enmod proxy_fcgi setenvif
a2enconf php7.4-fpm # Again, this depends on your PHP vendor.
a2dismod php7.4 # This disables mod_php.
a2dismod mpm_prefork # This disables the prefork MPM. Only one MPM can run at a time.
a2enmod mpm_event # Enable event MPM. You could also enable mpm_worker.
apachectl start
<VirtualHost *:80>
  Protocols h2 http/1.1
...

Anything to check?

The Apache log file doesn't say any related fault. I checked with Mozilla and Chrome but it's still using http/1.1

Have you activated the http2 Apache mod (a2enmod http2) and restarted Apache?

yep, I did that.

The Guide says something about “cipher configurations” on older TLS versions, but doesn’t go further. How can I check what's needed? I don’t find much information there.
Apache Log says something which is maybe related:

[mpm_event:notice] [pid 5039:tid 140686346587072] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations

Protocols h2 http/1.1

Have you added this to the vhost config for SSL/TLS connections as well?

The snippet you provided is for port 80 only, but not for port 443.

This is the normal message when Apache is restarted. Nothing to worry about.

nope, I did not. Which is opening a new topic for me. Didn’t work much on that layer. And exploring a bit, it turned out there is no standard solution.
With some combination of information I got that version running, but still no http/2

<VirtualHost *:80>
  ServerName mysite.com
  RewriteEngine On
  RewriteRule ^/?(.*) https://%{SERVER_NAME}:443/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
    Protocols h2 h2c http/1.1
    ServerName mysite.com

    DocumentRoot "/var/www/nextcloud"
...

===============

It is not recommended to use HTTP/2 Cleartext (h2c) on the Apache Web Server because it is not as secure as the encrypted variant (HTTP/2 over TLS). With h2c, the communication between the client and the server is transmitted in plaintext, which means it is not encrypted and therefore vulnerable to eavesdropping, man-in-the-middle attacks, and other security threats.

In contrast, HTTP/2 over TLS (also known as HTTP/2 with HTTPS) uses TLS/SSL encryption to protect the communication between the client and the server. This ensures that the data remains confidential and protected from unauthorized access.

HTTP/2 over TLS also provides additional benefits such as HTTP/2 Server Push and HTTP/2 Header Compression, which are not available with h2c. For these reasons, it is recommended to use HTTPS with HTTP/2 instead of h2c to ensure both the performance benefits and security.

This is a non-issue. The HTTP2 configuration does not decide whether you connect via HTTP or HTTPS and it can neither downgrade an HTTPS connection to HTTP nor upgrade an HTTP connection to HTTPS.

If you initiate a plain HTTP connection without h2c configured, then http1.1 will be used. The same applies to HTTPS connections when H2 is not configured. In both cases, the connection remains unencrypted or encrypted, respectively.

However, I agree that you could also simply omit h2c from the config. Afaik, most, if not all, browsers don’t support it anyways.

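As an added example (not code from the thread, Apache or Nextcloud), here is a small Python check for the two Protocols points raised in the replies: h2 set only on the port 80 vhost, and h2c listed next to h2. It assumes a `:443` address or `SSLEngine on` marks a TLS vhost; the function name `audit_vhosts` and the sample config are constructed for illustration.

```python
import re

def audit_vhosts(conf_text):
    """Return (vhost address, finding) pairs for the Protocols directive."""
    server = {"protos": ["http/1.1"]}   # Apache's default when Protocols is unset
    vhosts, cur = [], None
    for raw in conf_text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        m = re.match(r"<VirtualHost\s+([^>\s]+)", raw.strip(), re.I)
        if m:
            # Assumption: a :443 address marks a TLS vhost (SSLEngine on also counts).
            cur = {"addr": m.group(1), "protos": None, "tls": m.group(1).endswith(":443")}
            vhosts.append(cur)   # recorded on open, so truncated snippets still count
        elif key.startswith("</virtualhost"):
            cur = None
        elif key == "protocols":
            scope = cur if cur is not None else server   # vhost value overrides server
            scope["protos"] = [w.lower() for w in words[1:]]
        elif key == "sslengine" and cur is not None and words[-1].lower() == "on":
            cur["tls"] = True
    findings = []
    for v in vhosts:
        protos = v["protos"] or server["protos"]
        if v["tls"] and "h2" not in protos:
            findings.append((v["addr"], "TLS vhost does not offer h2"))
        if not v["tls"] and "h2" in protos:
            # h2 is negotiated through TLS ALPN, so it is never selected here.
            findings.append((v["addr"], "h2 on a cleartext vhost has no effect"))
        if "h2c" in protos:
            findings.append((v["addr"], "h2c (cleartext HTTP/2) is enabled"))
    return findings

# Constructed sample modelled on the first attempt in the thread.
SAMPLE = """\
<VirtualHost *:80>
  Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for addr, finding in audit_vhosts(SAMPLE):
        print(f"{addr}: {finding}")
```

On a live server the same question is answered by checking which protocol the TLS handshake actually negotiates; this check only reads the config text it is given.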