Centos – Apache – http/2 enabled but still using http/1.1

Tags: apache-2.4, centos, centos7, http2

Running Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips on CentOS 7, PHP 7.2.14, I have installed and enabled http/2 following the guide at https://www.tunetheweb.com/performance/http2/. No errors are reported and the module is loaded but pages remain served over http/1.1.

This is not due to using the prefork mpm (event is used).

This is not a browser cache issue (Chrome dev tools is open and cache disabled; I have also used https://tools.keycdn.com/http2-test).

Server has been restarted multiple times.

The conf files include the following directive multiple times, in the main body and in VirtualHost sections:

Protocols h2 http/1.1

SSL Protocol directive is:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Error log output (set to debug level):

[Sun Feb 03 08:14:28.563204 2019] [ssl:warn] [pid 15944:tid 140617433143168] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Feb 03 08:14:28.563263 2019] [http2:info] [pid 15944:tid 140617433143168] AH03090: mod_http2 (v1.11.4, feats=CHPRIO+SHA256+INVHD+DWINS, nghttp2 1.36.0), initializing...
[Sun Feb 03 08:14:28.567088 2019] [mpm_event:notice] [pid 15944:tid 140617433143168] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations

Output of httpd -V:

Server version: Apache/2.4.38 (Unix)
Server built:   Jan 31 2019 09:55:17
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

Output of apachectl -M:

Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 xsendfile_module (shared)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 http2_module (shared)
 lua_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_scgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 cgid_module (shared)

Screenshot of extract from phpinfo():


Would appreciate any further ideas.

Best Answer

Everything seems to be set up fine from the Apache side, and I can see you are returning the Upgrade suggestion in your HTTP headers. I can only suggest you have something else in front of Apache (like a load balancer?) which is doing SSL termination without ALPN and so preventing HTTP/2.

The easiest way to test this would be to run the following from your server:

openssl s_client -alpn h2 -connect 127.0.0.1:443 -status

And see if ALPN is supported when connecting to localhost.

If so, try it again with your domain and see if ALPN is not supported when connecting to your domain, which would suggest that a load balancer or the like is sitting in front of your instance of Apache, terminating SSL, and does not support ALPN.
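The two-step comparison from the answer above, as an added example that is not part of the original answer: it classifies `openssl s_client -alpn h2` output by the ALPN line and compares the direct result with the one seen through the public hostname. The function names, the optional `-servername` argument and the two sample outputs (constructed, abbreviated) are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Classify s_client output read on stdin:
# prints h2, other:<proto>, none, or unknown (no ALPN line, e.g. connect failed).
alpn_result() {
    awk '
        /^ALPN protocol: /    { sub(/^ALPN protocol: /, ""); sub(/\r$/, ""); proto = $0 }
        /^No ALPN negotiated/ { none = 1 }
        END {
            if (proto == "h2")    print "h2"
            else if (proto != "") print "other:" proto
            else if (none)        print "none"
            else                  print "unknown"
        }'
}

# Live probe: probe HOST:PORT [SNI-NAME]. Needs network access, so it is
# defined here but not called by this example.
probe() {
    openssl s_client -alpn h2 -connect "$1" ${2:+-servername "$2"} \
        </dev/null 2>/dev/null | alpn_result
}

# Compare the direct (127.0.0.1) result with the public-hostname result.
diagnose() {
    case "$1/$2" in
        h2/h2)            echo "h2 negotiated end to end" ;;
        h2/none|h2/other:*) echo "TLS is terminated in front of Apache without ALPN h2" ;;
        none/*|other:*/*) echo "Apache itself is not negotiating h2" ;;
        *)                echo "inconclusive" ;;
    esac
}

# Constructed sample outputs (abbreviated), standing in for real captures.
SAMPLE_DIRECT='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
ALPN protocol: h2
---'
SAMPLE_PUBLIC='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
No ALPN negotiated
---'

direct=$(printf '%s\n' "$SAMPLE_DIRECT" | alpn_result)
public=$(printf '%s\n' "$SAMPLE_PUBLIC" | alpn_result)
echo "direct=$direct public=$public: $(diagnose "$direct" "$public")"
```

On a real host, replace the samples with `probe 127.0.0.1:443` and `probe your-domain:443`, run from the server itself.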
