Hi all,
I've been struggling for a while with enabling HTTP/2.
I have read "HTTP/2, yes or no?".
I have enabled http2 with a2enmod http2.
This is my /etc/apache2/conf-available/http2.conf, and I have run a2enconf http2:
<IfModule http2_module>
Protocols h2 h2c http/1.1
H2Push on
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
</IfModule>
And the /etc/apache2/sites-enabled/001-domain.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin arne92@gmail.com
ServerName domain.com
# Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
DocumentRoot /var/www/nextcloud
Protocols h2 http/1.1
H2Direct on
ErrorLog ${APACHE_LOG_DIR}/001_error.log
CustomLog ${APACHE_LOG_DIR}/001_access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com-0001/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /var/www/nextcloud>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
SetEnv MOD_X_SENDFILE_ENABLED 1
LimitRequestBody 0
XSendFile On
XSendFilePath /owncloud_data
<IfModule mod_dav.c>
Dav off
</IfModule>
Satisfy Any
SSLRenegBufferSize 10486000
</Directory>
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" \
ssl-unclean-shutdown
# Intermediate configuration, tweak to your needs
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLOptions +StrictRequire
ProxyPass /http-bind/ http://localhost:5280/http-bind/
ProxyPassReverse /http-bind/ http://localhost:5280/http-bind/
Redirect permanent /sharelatex https://sharelatex.domain.com/
<Location /webrtc>
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
</Location>
<Location /webrtc/ws>
ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
php_flag output_buffering off
# This is also to prevent high memory usage
php_flag always_populate_raw_post_data off
# This is almost a given, but magic quotes is *still* on on some
# linux distributions
php_flag magic_quotes_gpc off
# SabreDAV is not compatible with mbstring function overloading
php_flag mbstring.func_overload off
# Solr
ProxyPass /solr/ http://localhost:8983/solr/
ProxyPassReverse /solr/ http://localhost:8983/solr/
<Location /solr>
AuthType Basic
AuthName "solr"
AuthUserFile /etc/apache2/htpasswd-solr
Require valid-user
</Location>
</VirtualHost>
</IfModule>
So I think HTTP/2 should be enabled and working, but the browser console and curl are saying:
* Rebuilt URL to: https://domain.com/
* Trying 192.168.0.57...
* TCP_NODELAY set
* Connected to domain.com (192.168.0.57) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [113 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2722 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=domain.com
* start date: Aug 8 21:03:00 2017 GMT
* expire date: Nov 6 21:03:00 2017 GMT
* subjectAltName: host "domain.com" matched cert's "domain.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: domain.com
> User-Agent: curl/7.54.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 302 Found
< Date: Mon, 21 Aug 2017 07:27:16 GMT
< Server: Apache/2.4.27 (Debian)
< Upgrade: h2
< Connection: Upgrade
< Set-Cookie: oc93z1rhfmbp=0eh06ob303o5jr2ejdo488hpp6; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=IJdJYT28vxdIbOcgDh7hEvt9eARx6Sikek8zQWR9iaRLrOGoFsgTpDx2Tr44bfVXK%2F4dQTeTKv38x10lvV1gSzSi8znsGRHsR2T3B%2BX3ElOrLzr0O5WOLqKp33UwkxTE; path=/; secure; HttpOnly
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-L3NldndFaWhVaVhVbTNWeFc1aFRNL0J2RTlqR2hhRjJUNmh1YkpMTlFPYz06bHBDZStRcjJHMENPMERvWkNjaGljcmNxSjZpeXlvb2hMc29jQ3ZXQktOOD0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Location: https://domain.com/login
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host domain.com left intact
So if someone has an idea what could be going wrong, or where I could get more debug information, please let me know.
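
Added example (not part of the original post): a small Python parser for `curl -v` traces in the format shown above. It reports what the client offered via ALPN, what the server selected, and whether the response still advertises `h2` in an `Upgrade` header. The function names, result labels and the trimmed sample trace are constructed for this illustration.

```python
import re

# Constructed sample: the negotiation-relevant lines from the trace in the post.
SAMPLE_TRACE = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
< HTTP/1.1 302 Found
< Server: Apache/2.4.27 (Debian)
< Upgrade: h2
< Connection: Upgrade
"""

# Line formats as printed by the curl version in the post (7.54.1).
PATTERNS = {
    "offered": re.compile(r"^\* ALPN, offering (\S+)"),
    "accepted": re.compile(r"^\* ALPN, server accepted to use (\S+)"),
    "response_proto": re.compile(r"^< (HTTP/[\d.]+) \d{3}"),
    "upgrade": re.compile(r"^< upgrade:\s*(.+)$", re.IGNORECASE),
}

def summarize_negotiation(trace):
    """Collect ALPN offers, the ALPN result, response protocol and Upgrade tokens."""
    out = {"offered": [], "accepted": None, "response_proto": None, "upgrade": []}
    for line in trace.splitlines():
        line = line.strip()
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            value = m.group(1).strip()
            if key == "offered":
                out[key].append(value)
            elif key == "upgrade":
                out[key] += [t.strip() for t in value.split(",") if t.strip()]
            elif out[key] is None:  # keep the first ALPN result / status line
                out[key] = value
    return out

def diagnose(summary):
    """Classify the trace; the labels state only what the trace itself shows."""
    if "h2" not in summary["offered"]:
        return "client-did-not-offer-h2"
    if summary["accepted"] == "h2":
        return "h2-negotiated"
    if "h2" in summary["upgrade"]:
        return "h2-advertised-but-not-selected"
    return "h2-not-selected"
```

curl writes the `-v` trace to stderr, so capture it with `2>&1` or `--stderr` before passing the text to `summarize_negotiation`.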