I have downloaded the latest version of Apache 2.5-DEV from its repository. Next, I have installed and compiled this version using the following script (developed by me): https://github.com/jgm1986/Apache_mod_h2/blob/master/apache.sh On Apache "httpd.conf" file, I have uncommented the following module line: LoadModule h2_module modules/mod_h2.so And I have added these lines to my virtual host file: Protocols h2c http/1.1 ProtocolsHonorOrder on I have tested this Apache configuration using nghttp2 client (on localhost). The most interesting is that I can use h2c on "direct mode" (this mode is only for development purposes). The problem occurs when I try to use HTTP/2 on clear mode (h2c) using "upgrade" from HTTP/1.1. Apache continues using HTTP/1.1. These lines are the NGHTTP2 output: --------------------------------------------------------------------------- src/nghttp -uvs http://127.0.0.1:80 [ 0.000] Connected [ 0.000] HTTP Upgrade request GET / HTTP/1.1 Host: 127.0.0.1 Connection: Upgrade, HTTP2-Settings Upgrade: h2c HTTP2-Settings: AAMAAABkAAQAAP__ Accept: */* User-Agent: nghttp2/1.3.2 [ 0.001] HTTP Upgrade response HTTP/1.1 200 OK --------------------------------------------------------------------------- Can someone help me to check if it could be an Apache 2.5-DEV bug? Thanks. PS: My computer uses: Linux 3.16.0-49-generic #65~14.04.1-Ubuntu SMP Wed Sep 9 10:03:23 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Not sure to follow here. The request is HTTP/1.1, and so is to be the response. That's after the connection is upgraded that HTTP/2.0 starts, Am I missing something?
(In reply to Yann Ylavic from comment #1) > Not sure to follow here. > The request is HTTP/1.1, and so is to be the response. > That's after the connection is upgraded that HTTP/2.0 starts, Am I missing > something? Thanks for your answer. Probably I have not explained myself clearly... sorry. I'm trying to make this situation: https://tools.ietf.org/html/rfc7540#section-3.2 http/1.1 ---> (upgrade h2c) ---> http/2 The response from Apache should be the following: HTTP/1.1 101 Switching Protocols Connection: Upgrade Upgrade: h2c [ HTTP/2 connection ... At the moment, Apache only sends me the following response: [ 0.001] HTTP Upgrade response HTTP/1.1 200 OK It means that Apache does not support HTTP/2 on Clear Text (h2c). Then I'm not sure if I'm doing something wrong during my Apache installation/configuration or if it could be a bug. In reference to the support ticket place, I think that this is the correct place to put this post. According to Apache docummentation, "mod_h2" is a new Apache module for HTTP/2 support. http://httpd.apache.org/docs/trunk/mod/mod_h2.html Then if you think that this post should not be here, please, show me the correct place to publish it. Thanks!
Oups, sorry for the noise. Is nghttp2 installed too (--with-nghttp2)? Can you please attach your config.log file?
Created attachment 33131 [details] Apache config.log.
(In reply to Yann Ylavic from comment #3) > Oups, sorry for the noise. > > Is nghttp2 installed too (--with-nghttp2)? > Can you please attach your config.log file? No problem! ;) I have attached the config.log file to this message. Thanks for your help!
Can you try with "--enable-http2" for configure and "LoadModule http2_module modules/mod_http2.so" for httpd.conf?
H2Direct is on for cleartext, this is not a developer mode, see rfc 7540 Section 3.4. As H2Direct needs to be checked *before* the first request is seen, it does only work in servers, not vhosts on cleartext. Documentation/checks need to be added. Something must prevent the Upgrade from happening on your site, maybe a bug triggered by your config? I see the Upgrade performed on my test server from httpd/trunk.
(In reply to Yann Ylavic from comment #6) > Can you try with "--enable-http2" for configure and "LoadModule http2_module > modules/mod_http2.so" for httpd.conf? I have compiled and installed using "--enable-http2" on ./configure. I have modified it on my Apache installation script: https://github.com/jgm1986/Apache_mod_h2/blob/master/apache.sh The changes on Apache httpd.conf file that you mentioned: "LoadModule http2_module modules/mod_http2.so" isn't correct. The correct line should be the following: "LoadModule h2_module modules/mod_h2.so" The module with "mod_http2.so" name does't exists (at least I can't found it...). Thanks for your help! PS: Now I'll write Stefan in a new response ;)
(In reply to Stefan Eissing from comment #7) > H2Direct is on for cleartext, this is not a developer mode, see rfc 7540 > Section 3.4. As H2Direct needs to be checked *before* the first request is > seen, it does only work in servers, not vhosts on cleartext. > Documentation/checks need to be added. > > Something must prevent the Upgrade from happening on your site, maybe a bug > triggered by your config? I see the Upgrade performed on my test server from > httpd/trunk. Hi Stefan! Yes, you're right, the h2c direct is on rfc... I was wrong... I have changed the "httpd.conf" according your indications. Now the "H2Direct on" is on it! and the "httpd-vhosts.conf" contains: <VirtualHost *:80> ... Protocols h2c http/1.1 ProtocolsHonorOrder on H2AltSvc h2=:443 </VirtualHost> <VirtualHost *:443> ... Protocols h2c http/1.1 ProtocolsHonorOrder on H2AltSvc h2c=:80 </VirtualHost> I can confirm you that now HTTP/2 Cleart text is working correctly on port 80 (upgrade and direct mode). One more time, thanks you Stefan! But..., the HTTP/2 over port 443 doesn't works... Maybe I forgot enable or install some plugin... could you check if the directives for the virtualhost on port 443 are correct for HTTP/2 (h2)? Thanks!
I'm sorry, I mean: <VirtualHost *:443> ... Protocols h2 http/1.1 ProtocolsHonorOrder on H2AltSvc h2c=:80 </VirtualHost> Cheers,
Was just about to tell you that "h2" is needed for TLS connections. Looks good. One reason that TLS negotiation of HTTP/2 might not work is that ALPN support is missing in the linked openssl. In doubt, set LogLevel ssl:debug LogLevel core:debug and try a TLS connection. The log should give some information if ALPN was triggered and what protocol was negotiated.
(In reply to Stefan Eissing from comment #11) > Was just about to tell you that "h2" is needed for TLS connections. > > Looks good. One reason that TLS negotiation of HTTP/2 might not work is that > ALPN support is missing in the linked openssl. In doubt, set > > LogLevel ssl:debug > LogLevel core:debug > > and try a TLS connection. The log should give some information if ALPN was > triggered and what protocol was negotiated. It seems that ALPN is not enabled... There are any tutorial about how I can enable it?
Maybe I can try a correct answer here :p (In reply to Javier Gusano Martinez from comment #12) > > It seems that ALPN is not enabled... There are any tutorial about how I can > enable it? OpenSSL > 1.0.2(a) is required.
(In reply to Yann Ylavic from comment #13) > Maybe I can try a correct answer here :p > > (In reply to Javier Gusano Martinez from comment #12) > > > > It seems that ALPN is not enabled... There are any tutorial about how I can > > enable it? > > OpenSSL > 1.0.2(a) is required. OK, thanks! I have uninstalled openssl 1.0.1 from my system. Next, I have downloaded and installed openssl on /usr directory: OpenSSL 1.0.2d 9 Jul 2015 I used the following commands: wget https://www.openssl.org/source/openssl-1.0.2d.tar.gz tar xfv openssl-1.0.2d.tar.gz cd openssl-1.0.2d/ sudo aptitude remove openssl libssl-dev ./config --prefix=/usr make make test sudo make install Now I suppose that Apache should be recompile and install using the following parameters. Isn't it?: ./configure --with-included-apr --prefix=/home/sysadmin/apache2.5 --enable-ssl --enable-so --enable-h2 --enable-http2 --with-nghttp2=/home/sysadmin/Apache_mod_h2/downloads/nghttp2-1.3.2/lib/.libs/libnghttp2.so.14
What I use is something like: ./configure --prefix=/opt/apache-trunk --enable-mpms-shared=all --with-included-apr --with-crypto --enable-ssl --enable-maintainer-mode --with-ssl=/opt/apache-trunk --enable-h2 --with-nghttp2=/opt/apache-trunk/ which for you might translate to ./configure --prefix=/opt/apache-trunk --enable-mpms-shared=all --with-crypto --enable-ssl --with-ssl=/usr --enable-h2 --with-nghttp2=/home/sysadmin/Apache_mod_h2/downloads/nghttp2-1.3.2/lib/.libs/libnghttp2.so.14 Of course, you might not need the enable-moms-shared=all if you know what you want.
(In reply to Stefan Eissing from comment #15) > What I use is something like: > > ./configure --prefix=/opt/apache-trunk --enable-mpms-shared=all > --with-included-apr --with-crypto --enable-ssl --enable-maintainer-mode > --with-ssl=/opt/apache-trunk --enable-h2 --with-nghttp2=/opt/apache-trunk/ > > which for you might translate to > > ./configure --prefix=/opt/apache-trunk --enable-mpms-shared=all > --with-crypto --enable-ssl --with-ssl=/usr --enable-h2 > --with-nghttp2=/home/sysadmin/Apache_mod_h2/downloads/nghttp2-1.3.2/lib/. > libs/libnghttp2.so.14 > > Of course, you might not need the enable-moms-shared=all if you know what > you want. I think that I have followed your instructions but It doesn't works for me... I have published on the installation repository (https://github.com/jgm1986/Apache_mod_h2) the steps for the installation (inside apache.sh script file). On the other hand, I have published the following two Apache config files: - httpd.conf - httpd-vhosts.conf This is the cURL output: $ curl --http2 -v https://127.0.0.1:443 * Rebuilt URL to: https://127.0.0.1:443/ * Trying 127.0.0.1... * Connected to 127.0.0.1 (127.0.0.1) port 443 (#0) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * Server certificate: * subject: C=ES; ST=Madrid; L=Madrid; O=Telefonica Investigacion y Desarrollo; CN=*.bluevia.com * start date: 2014-10-06 00:00:00 GMT * expire date: 2016-01-05 23:59:59 GMT * SSL: certificate subject name '*.bluevia.com' does not match target host name '127.0.0.1' * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): As you can see, ALPN is not present... -_-' Thanks for your help!
What does > curl -V say? It should list the openssl version.
"curl -V" is used for "verbose" cURL mode. I only can see the supported ciphers but nothing shows NPN or ALPN. I don't know if my answer resolve your question.
Capital 'V' is for Version. Your system's curl is probably compiled with your (now removed) system's openssl.
(In reply to Yann Ylavic from comment #19) > Capital 'V' is for Version. > Your system's curl is probably compiled with your (now removed) system's > openssl. I have tried to download and install cURL with the last version of OpenSSL, but unfortunately.... it continues using 1.0.1.f. Maybe the problem is that my Apache installation is using this old version of OpenSSL. curl 7.44.0 (x86_64-unknown-linux-gnu) libcurl/7.44.0 OpenSSL/1.0.1f zlib/1.2.8 libssh2/1.4.3 nghttp2/1.3.2 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets I'm triying to install Apache but using this option on ./configure: --with-ssl=/usr/local/ssl I'll tell you if it works...
IMHO, you shouldn't replace your system's libs like this, and may want to set/export LD_LIBRARY_PATH="/path/to/openssl-1.0.2-or-more/lib" at runtime for httpd and curl, or alternatively use "configure 'LDFLAGS=-Wl,-rpath,/path/to/openssl-1.0.2-or-more/lib' ..." at build time (with gcc/elf) for both too.
(In reply to Yann Ylavic from comment #19) > Capital 'V' is for Version. > Your system's curl is probably compiled with your (now removed) system's > openssl. Now it looks that cURL is using right version of Openssl 1.0.2: $ curl -V curl 7.44.0 (x86_64-unknown-linux-gnu) libcurl/7.44.0 OpenSSL/1.0.2d zlib/1.2.8 nghttp2/1.3.2 Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets But Apache continues without http2 suport when I use https:// curl -v --http2 https://localhost:443 * Rebuilt URL to: https://localhost:443/ * Trying 127.0.0.1... * Connected to localhost (127.0.0.1) port 443 (#0) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * TLSv1.2 (OUT), TLS Unknown, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * Server certificate: * subject: C=ES; ST=Madrid; L=Madrid; O=Telefonica Investigacion y Desarrollo; CN=*.bluevia.com * start date: 2014-10-06 00:00:00 GMT * expire date: 2016-01-05 23:59:59 GMT * subjectAltName does not match localhost * SSL: no alternative certificate subject name matches target host name 'localhost' * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): curl: (51) SSL: no alternative certificate subject name matches target host name 'localhost' Some idea about what's happening here? :S
(In reply to Stefan Eissing from comment #11) > Was just about to tell you that "h2" is needed for TLS connections. > > Looks good. One reason that TLS negotiation of HTTP/2 might not work is that > ALPN support is missing in the linked openssl. In doubt, set > > LogLevel ssl:debug > LogLevel core:debug > > and try a TLS connection. The log should give some information if ALPN was > triggered and what protocol was negotiated. Hi Stefan Now Apache is using OpenSSL 1.0.2d: curl -v --http2 http://localhost * Rebuilt URL to: http://localhost/ * Trying 127.0.0.1... * Connected to localhost (127.0.0.1) port 80 (#0) > GET / HTTP/1.1 > Host: localhost > User-Agent: curl/7.44.0 > Accept: */* > Connection: Upgrade, HTTP2-Settings > Upgrade: h2c > HTTP2-Settings: AAMAAABkAAQAAP__ > < HTTP/1.1 101 Switching Protocols < Upgrade: h2c < Connection: Upgrade * Received 101 * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=27 * http2_recv: 16384 bytes buffer at 0xeb0cf0 (stream 1) * http2_recv: returns 289 for stream 1 < HTTP/2.0 200 < date:Wed, 30 Sep 2015 11:45:30 GMT < server:Apache/2.5.0-dev (Unix) OpenSSL/1.0.2d PHP/5.6.13 < last-modified:Wed, 30 Sep 2015 10:02:27 GMT < etag:"2d-520f4071f7f05" < accept-ranges:bytes < content-length:45 < content-type:text/html But continues without HTTP2 support when I use https:// Inside error log file I have found this: [Wed Sep 30 10:16:32.942716 2015] [mpm_event:notice] [pid 14226:tid 140086991066944] AH00489: Apache/2.5.0-dev (Unix) PHP/5.6.13 configured -- resuming normal operations [Wed Sep 30 10:16:32.942779 2015] [core:notice] [pid 14226:tid 140086991066944] AH00094: Command line: '/home/sysadmin/apache2.5/bin/httpd' [Wed Sep 30 10:24:27.603303 2015] [mpm_event:notice] [pid 14226:tid 140086991066944] AH00494: SIGHUP received. Attempting to restart AH00534: httpd: Configuration error: The MPM cannot be changed during restart. [Wed Sep 30 10:25:27.885133 2015] [ssl:warn] [pid 14497] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Wed Sep 30 10:25:27.889499 2015] [core:warn] [pid 14497] AH00098: pid file /home/sysadmin/apache2.5/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run? [Wed Sep 30 10:25:27.890866 2015] [mpm_prefork:notice] [pid 14497] AH00163: Apache/2.5.0-dev (Unix) OpenSSL/1.0.1f PHP/5.6.13 configured -- resuming normal operations [Wed Sep 30 10:25:27.890900 2015] [core:notice] [pid 14497] AH00094: Command line: '/home/sysadmin/apache2.5/bin/httpd' [Wed Sep 30 10:32:06.312202 2015] [mpm_prefork:notice] [pid 14497] AH00169: caught SIGTERM, shutting down [Wed Sep 30 11:22:14.503739 2015] [ssl:warn] [pid 26718] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Wed Sep 30 11:22:14.508693 2015] [mpm_prefork:notice] [pid 26718] AH00163: Apache/2.5.0-dev (Unix) OpenSSL/1.0.2d PHP/5.6.13 configured -- resuming normal operations [Wed Sep 30 11:22:14.508727 2015] [core:notice] [pid 26718] AH00094: Command line: '/home/sysadmin/apache2.5/bin/httpd' [Wed Sep 30 11:31:42.169607 2015] [mpm_prefork:notice] [pid 26718] AH00169: caught SIGTERM, shutting down [Wed Sep 30 11:35:09.698121 2015] [ssl:warn] [pid 11518] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Wed Sep 30 11:35:09.704063 2015] [mpm_prefork:notice] [pid 11518] AH00163: Apache/2.5.0-dev (Unix) OpenSSL/1.0.2d PHP/5.6.13 configured -- resuming normal operations [Wed Sep 30 11:35:09.704096 2015] [core:notice] [pid 11518] AH00094: Command line: '/home/sysadmin/apache2.5/bin/httpd' [Wed Sep 30 11:44:32.406140 2015] [mpm_prefork:notice] [pid 11518] AH00173: SIGHUP received. Attempting to restart [Wed Sep 30 11:44:32.417233 2015] [ssl:warn] [pid 11518] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Wed Sep 30 11:44:32.417248 2015] [ssl:info] [pid 11518] AH01887: Init: Initializing (virtual) servers for SSL [Wed Sep 30 11:44:32.418064 2015] [ssl:info] [pid 11518] AH01876: mod_ssl/2.5.0-dev compiled against Server: Apache/2.5.0-dev, Library: OpenSSL/1.0.1f [Wed Sep 30 11:44:32.422386 2015] [mpm_prefork:notice] [pid 11518] AH00163: Apache/2.5.0-dev (Unix) OpenSSL/1.0.2d PHP/5.6.13 configured -- resuming normal operations [Wed Sep 30 11:44:32.422406 2015] [core:notice] [pid 11518] AH00094: Command line: '/home/sysadmin/apache2.5/bin/httpd' [Wed Sep 30 11:44:32.422410 2015] [core:debug] [pid 11518] log.c(1497): AH02639: Using SO_REUSEPORT: yes (1) It looks that Apache is using OpenSSL 1.0.1f library... I don't understand why...
Finally I have fixed the problems! Thanks Stefan & Yann for your help. The solution to this problem is inside this script: https://github.com/jgm1986/Apache_mod_h2/blob/master/apache.sh Maybe it could be helpfull for someone in a future. Cheers, Javier Gusano Martínez
Why not to land it in version 2.4.x ? Still not supported in httpd 2.4.18.
It doesn't work on httpd 2.4.18. And https://github.com/apache/httpd there aren't such a branch as 2.5.
(In reply to Binyamin from comment #26) > It doesn't work on httpd 2.4.18. > And https://github.com/apache/httpd there aren't such a branch as 2.5. I use the Apache 2.5 version only for testing prupose. The 2.5 is de develop brunch. You can get it using SVN: svn checkout http://svn.apache.org/repos/asf/httpd/httpd/trunk httpd-trunk
Javier, why not to land this fix in 2.4.X? I expect httpd 2.5 even doesn't have ETA.
(In reply to Binyamin from comment #28) > Javier, why not to land this fix in 2.4.X? > I expect httpd 2.5 even doesn't have ETA. Because initially the https://github.com/jgm1986/Apache_mod_h2 project was designed to test early version of "mod_h2" module (only available on 2.5-dev). Today, this module has been included on Apache by default but, I don't have free time to update the installation script on my repository and test it on Ubuntu. However, it's a pending task.