Setting up HTTP/2 with Debian 8.7 + Apache 2 + WordPress

Apr 20th, 2017 | By | Category: Linux / Freebsd, wordpress

At the time of this post, the version of Apache with HTTP/2 support is not available in Debian stable, so you have to go into the testing branch to get it and then configure Apache. This tutorial should take you through that: https://www.shivering-isles.com/http-2-getting-ready-on-debian-with-apache2/ . Just in case the tutorial ever goes down I’ll mirror it at the end of this post, but please go thank the original author and follow him on Twitter, as he deserves all the credit.

Once Apache is upgraded you need to make sure that WordPress is set up to run on HTTPS, because HTTP/2 only runs on SSL (because the world needs to be dragged kicking and screaming into a secure era for their own good). If you are setting up an existing site it’s pretty easy, just make sure that your Apache is configured properly as your first step. I’ve done a post in the past about this which you can find HERE, however this is beyond the scope of this article so I won’t go into depth about that part of the setup. Once you’ve confirmed that the server and the domain are set up on HTTPS properly, just go into your /wp-admin/options-general.php page and change your domain from http to https and you should be set.

Now if you are converting an existing site, that’s where things get fun. You’ll need to replace all instances of http with https in the WP DB. I just discovered WP CLI and, as it is my new favorite thing, the first thing I’d do is recommend that. You can see my post on it here: http://blog.netflowdevelopments.com/2017/04/20/wp-cli-just-changed-my-life-admin-wordpress-sites-from-the-command-line/ but once that is installed the command you’ll want to run is:

wp search-replace 'http://new' 'https://new'

Another way to do it can be found in this article: https://css-tricks.com/moving-to-https-on-wordpress/

After that I installed this plugin just to be safe: https://en-ca.wordpress.org/plugins/http2-server-push/ although I didn’t notice a change to my site’s HTML so it might not be needed for newer versions of WordPress.

Anyways, that should do you. As promised, here is a mirror of that amazing article I mentioned above. It was the only one I could find on the internet that covered this, so I want to make sure it’s saved in case anything happens to that blog.

HTTP/2 is the newest version of the HTTP protocol and has a lot of improvements including binary headers. I’m currently thrilled by “state of the art”-web-applications, but still running an apache2 web server. Most people agree that nginx is more “state of the art” than apache2 and may be right. But.

The point is: As my server is running debian stable I can’t enable HTTP/2 because in debian jessie the apache2 version is 2.4.10. But HTTP/2 was added in version 2.4.17. Argh.

Now you have three choices:

  1. Compile apache2 yourself which is really annoying and keep it up-to-date. – Much work, less effort. Nothing for me.
  2. Install apache2 and openssl from an “untrusted” repository like in this tutorial. – An untrusted repository? Nothing for me!
  3. Do it like me and install the apache2 package from debian testing

Preparation

First of all, check that your apache2 config is correct for 2.4.10:

sudo apachectl -t  

So if your config is correct you can continue with adding testing to your sources.list and updating your package list.

sudo su -c 'echo "deb http://http.debian.net/debian testing main" > /etc/apt/sources.list.d/testing.list'  
sudo apt-get update  

DON’T RUN apt-get upgrade NOW!

Check the priority of the testing repository:

apt-cache policy apache2  

This should result in something like this:

apache2:  
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.18-2
  Version table:
     2.4.18-2 0
        500 http://http.debian.net/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://security.debian.org/ stable/updates/main amd64 Packages

The important information is the number at the beginning of each repository line, in this case the 500 in 500 http://security.debian.org/ jessie/updates/main amd64 Packages. This is the repository priority. The version offered with the highest priority is the one that will be installed. Because you don’t want to upgrade your whole server to testing, you should lower this priority of 500 for the testing repository.

This is done by adding a preference for the repository:

sudo bash -c 'cat >/etc/apt/preferences.d/testing' <<EOF
Package: *
Pin: release a=testing
Pin-Priority: 300
EOF

Now recheck the priority:

apt-cache policy apache2  

Your apache2 version should stay the same right now.

apache2:  
  Installed: 2.4.10-10+deb8u4
  Candidate: 2.4.10-10+deb8u4
  Version table:
     2.4.18-2 0
        300 http://http.debian.net/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
 *** 2.4.10-10+deb8u4 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ stable/main amd64 Packages
     2.4.10-10+deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        500 http://security.debian.org/ stable/updates/main amd64 Packages

Now your other packages should stay on stable. You can check that by using the command again for another package.

Install apache2 with HTTP/2

After adding the testing repository in a secure way it is time to update apache2. To install the newer apache2 version use the following statement:

sudo apt-get install -y -t testing apache2  

Now apache2 from the testing repository is installed. In other words version 2.4.18, which supports HTTP/2.

Configure Apache to use HTTP/2

With the new apache2 version installed you need to enable HTTP/2.

sudo a2enmod http2  
sudo apachectl -t && sudo systemctl restart apache2  

Now the HTTP2 module is loaded but you still won’t be able to connect using HTTP/2.

If you want to enable HTTP/2 only for ‘some’ virtual hosts you can use the same options in the <VirtualHost>-tag. The following shows how to enable it globally.

sudo bash -c 'cat >/etc/apache2/conf-available/http2.conf' <<EOF  
Protocols h2 h2c http/1.1

H2Push          on  
H2PushPriority  *                       after  
H2PushPriority  text/css                before  
H2PushPriority  image/jpeg              after   32  
H2PushPriority  image/png               after   32  
H2PushPriority  application/javascript  interleaved

SSLProtocol all -SSLv2 -SSLv3  
SSLHonorCipherOrder on  
SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'

EOF

sudo a2enconf http2 && sudo apachectl -t && sudo systemctl reload apache2  

This creates the /etc/apache2/conf-available/http2.conf file. The important part here is the Protocols option, which enables HTTP/2 in general. To use HTTP/2 the SSLCipherSuite is also important, because HTTP/2 requires TLS 1.2 in some browsers.

To improve the load speed of your pages the usage of H2Push is really useful.

Now you can add Link-options to your HTTP header to push content to your clients.

Now all your webpages should be HTTP/2 ready.

Check it with your web browser using the developer tools.

Known issues

If you check your server with SPDY-Check or HTTP2-Check you’ll still get the message:

HTTP/2 not supported  

It’s not completely true. The problem is that those tests only check the first request, and every server which doesn’t support NPN or ALPN will automatically fall back to HTTP/1.1. But it will add an upgrade header option, so every further connection uses HTTP/2.

I’m still searching for a solution to fix that protocol advertisement issue.

A correct check can be found at https://tools.keycdn.com/http2-test
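
The difference between the two advertisement paths described above can also be checked locally. The following is an added example, not part of the original article: it classifies a server from the text of an `openssl s_client` handshake and an HTTP/1.1 response header block. The function names and sample texts are assumptions, and HOST is a placeholder.

```shell
#!/bin/sh
# Added example: classify how a server advertises HTTP/2, given the text of
#   openssl s_client -alpn h2,http/1.1 -connect HOST:443 </dev/null   (handshake)
#   curl -sI --http1.1 https://HOST/                                   (headers)
# HOST is a placeholder; -alpn needs OpenSSL 1.0.2 or later.

# Protocol selected by ALPN in s_client output on stdin ("none" if absent).
alpn_protocol() {
    awk '/^ALPN protocol: / { p = $3 } END { print (p == "" ? "none" : p) }'
}

# Tokens of the Upgrade response header on stdin, lower-cased, one per line.
upgrade_tokens() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "upgrade" {
        n = split($2, t, ",")
        for (i = 1; i <= n; i++) { gsub(/ /, "", t[i]); print tolower(t[i]) }
    }'
}

# advertisement <handshake-text> <header-text>  ->  alpn | upgrade-only | none
advertisement() {
    if [ "$(printf '%s\n' "$1" | alpn_protocol)" = "h2" ]; then
        echo alpn
    elif printf '%s\n' "$2" | upgrade_tokens | grep -qE '^h2c?$'; then
        echo upgrade-only
    else
        echo none
    fi
}

# Constructed, abbreviated samples (not captured from a real server).
HS_ALPN='CONNECTED(00000003)
ALPN protocol: h2
SSL-Session:'
HS_NO_ALPN='CONNECTED(00000003)
No ALPN negotiated
SSL-Session:'
HDR_UPGRADE='HTTP/1.1 200 OK
Upgrade: h2,h2c
Connection: Upgrade'
HDR_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html'

echo "ALPN offered:        $(advertisement "$HS_ALPN" "$HDR_UPGRADE")"
echo "Upgrade header only: $(advertisement "$HS_NO_ALPN" "$HDR_UPGRADE")"
echo "neither:             $(advertisement "$HS_NO_ALPN" "$HDR_PLAIN")"
```

A result of `upgrade-only` corresponds to the situation above, where a checker that looks only at the first request reports that HTTP/2 is not supported.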

Conclusion

Enabling HTTP/2 on debian stable using apache2 isn’t as simple as it should be.

By using the debian testing package however it is possible in a secure and trusted way without much effort.

Hopefully this will help you bring your web servers to HTTP/2. And don’t forget to use HTTPS wherever you are!

If you like this article or want to share your thoughts feel free to use the comment section down below or message and follow me on Twitter.
