How to enable HTTP/2 support in Apache
Last updated: 12 Jul 2017
2.4.17 introduced HTTP/2 support. If your server is running Apache version below this version, you need to upgrade Apache to the latest version first.
mod_http2module is rather new, but is finally marked stable. There have been multiple reported security vulnerabilities in 2016 and 2017. 1.
mod_http2module that comes with Apache versions prior to 2.4.26 are insecure. Please make sure to use Apache version 2.4.26 or later.
Depending on the server operating system, you may be able to download the compiled latest version.
You can either compile Apache yourself, or download compiled Windows binaries.
Ubuntu / Debain
As of now, Debian Jessie default package sources only has Apache
2.4.10. Ubuntu versions upto
15.10 also only contains that Apache version. If you are not using Ubuntu 16.04 or later, you will
need to add a third party package source with the recent Apache version. Follow the following instructions only
if you are using Debain Jessie or Ubuntu trusty or older.
apt-get apt-get install software-properties-common python-software-properties add-apt-repository ppa:ondrej/apache2 apt-get updateThis will install some utilities (if not installed already) that helps us add an external PPA. Secondly, we add the ondrej/apache2 PPA which contains the latest Apache2 builds. Third, we updates your systems package informaion.
apt-get install apache2 apachectl -vThis is to upgrade your existing Apache2 version to the latest version. After updating, the
apachectl -vcommand will reveal your upgraded Apache version. This will be
2.4.25or later. Do not continue without making sure the version is
CentOS / RHELBoth CentOS and RHEL default repositories come with Apache versions around
2.4.6. Apache official web site has information about building the latest Apache server.
Enable HTTP/2 moduleApache's HTTP/2 support comes from the
mod_http2module. Enable it from:
a2enmod http2 apachectl restart
Add HTTP/2 SupportWe highly recommend you enable HTTPS support for your web site first. Most web browser simply do not support HTTP/2 over plain text. Besides, there are no excuses to not use HTTPS anymore. HTTP/2 can enabled site-by-site basis. Locate your web site's Apache virtual host configuration file, add the following right after the opening
Protocols h2 http/1.1Overall, your configuration file should look something like this:
<VirtualHost *:443> Protocols h2 http/1.1 ServerAdmin email@example.com ServerName your-awesome-site.com ... </VirtualHost>After the changes, don't forget to reload/restart Apache.
Push resourcesApache supports HTTP/2 Push feature as well. After enabling Apache HTTP/2, you can add push support simply by setting HTTP
Linkheaders. You can emit them from either/both the Apache configuration file, or from your application.
Link: </assets/styles.css>;rel=preload, </assets/scripts.css>; rel=preloadAbove is an example header that would trigger Apache to push the
/assets/scripts.sccfiles. Refer to your application code on how to emit HTTP headers. If you would like to make Apache add these headers, you can do so like this, using the
<Location /index.htmll> Header add Link "</assets/styles.css>;rel=preload, </assets/scripts.css>; rel=preload" Header add Link "</assets/image.jpg>;rel=preload" </Location>Above example demonstrates Apache configuration that sets 2
Linkheaders (you can have as many as you need). Supported browsers will decide to preload these resources if necessary.
Apache 2.4.27, HTTP/2 not supported in preforkStarting from Apache 2.4.27, the Apache MPM (Multi-Processing Module)
preforkno longer supports HTTP/2. This will be indicated in your Apache error log as follows:
To fix this, select a different MPM:
worker. We highly recommend you to use the
If you are using PHP, it is likely that PHP is integrated to Apache via the
mod_phpmodule, which requires the
preforkMPM. If you switch out from
preformMPM, you will need to use PHP as
FastCGI. To switch to
php-fpm, you can do as folllwing. Please note that this assumes you have PHP installed from ondrej/php repository on Ubuntu. The PHP package names could be different in other repositories. Change package name and
apt-getcommands to match your PHP vendor and package manager.
apachectl stop apt-get install php7.1-fpm # Install the php-fpm from your PHP repository. This package name depends on the vendor. a2enmod proxy_fcgi setenvif a2enconf php7.1-fpm # Again, this depends on your PHP vendor. a2dismod php7.1 # This disables mod_php. a2dismod mpm_prefork # This disables the prefork MPM. Only one MPM can run at a time. a2enmod mpm_event # Enable event MPM. You could also enable mpm_worker. apachectl start
mod_http2-related security vulnerabilities are as follows.