Date: Sun, 25 Oct 2020 02:49:33 +0000 (UTC)
From: Tom Rhodes <trhodes@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54630 - head/en_US.ISO8859-1/books/handbook/network-servers
Message-ID: <202010250249.09P2nXAK083528@repo.freebsd.org>
Author: trhodes Date: Sun Oct 25 02:49:33 2020 New Revision: 54630 URL: https://svnweb.freebsd.org/changeset/doc/54630 Log: Add a section on HTTP2 with Apache. Reviewed by: bcr, brnrd Differential Revision: https://reviews.freebsd.org/D26850 Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sat Oct 24 00:51:37 2020 (r54629) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 25 02:49:33 2020 (r54630) 
@@ -3724,6 +3724,119 @@ LoadModule ssl_module libexec/apache24/mod_ssl.so</pro <filename>php.ini-production</filename>. These are starting points to assist administrators in their deployment.</para> </sect3> + + <sect3> + <info> + <title>HTTP2 Support</title> + </info> + + <para><application>Apache</application> support for + the <acronym>HTTP</acronym>2 protocol is included by default + when installing the port with <command>pkg</command>. The new + version of <acronym>HTTP</acronym> includes many improvements + over the previous version, including utilizing a single + connection to a website, reducing overall roundtrips of + <acronym>TCP</acronym> connections. Also, packet header data + is compressed and <acronym>HTTP</acronym>2 requires + encryption by default.</para> + + <para>When <application>Apache</application> is configured to + only use <acronym>HTTP</acronym>2, web browsers will + require secure, encrypted <acronym>HTTPS</acronym> + connections. When <application>Apache</application> is + configured to use both versions, <acronym>HTTP</acronym>1.1 + will be considered a fall back option if any issues + arise during the connection.</para> + + <para>While this change does require administrators to make + changes, they are positive and equate to a more secure + Internet for everyone. The changes are only required for + sites not currently implementing <acronym>SSL</acronym> + and <acronym>TLS</acronym>.</para> + + <note> + <para>This configuration depends on the previous sections, + including <acronym>TLS</acronym> support. 
It is + recommended those instructions be followed before + continuing with this configuration.</para> + </note> + + <para>Start the process by enabling the + <acronym>http</acronym>2 module by uncommenting the line in + <filename>/usr/local/etc/apache24/httpd.conf</filename> and + replace the mpm_prefork module with mpm_event as the former + does not support <acronym>HTTP</acronym>2.</para> + + <programlisting>LoadModule http2_module libexec/apache24/mod_http2.so +LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so</programlisting> + + <note> + <para>There is a separate + <filename role="port">mod_http2</filename> port that is + available. It exists to deliver security and bug fixes + quicker than the module installed with the bundled + <filename role="port">apache24</filename> port. It is + not required for <acronym>HTTP</acronym>2 support but + is available. When installed, the + <filename>mod_h2.so</filename> should be used in place + of <filename>mod_http2.so</filename> in the + <application>Apache</application> configuration.</para> + </note> + + <para>There are two methods to implement <acronym>HTTP</acronym>2 + in <application>Apache</application>; one way is globally for + all sites and each VirtualHost running on the system. To enable + <acronym>HTTP</acronym>2 globally, add the following line + under the ServerName directive:</para> + + <programlisting>Protocols h2 http/1.1</programlisting> + + <note> + <para>To enable <acronym>HTTP</acronym>2 over plaintext, + use <acronym>h2</acronym> <acronym>h2c</acronym> + <acronym>http</acronym>/1.1 in the + <filename>httpd.conf</filename>.</para> + </note> + + <para>Having the <acronym>h2c</acronym> here will allow + plaintext <acronym>HTTP</acronym>2 data to pass on the + system but is not recommended. 
In addition, using the + <acronym>http</acronym>/1.1 here will allow fallback + to the <acronym>HTTP</acronym>1.1 version of the protocol + should it be needed by the system.</para> + + <para>To enable <acronym>HTTP</acronym>2 for individual + VirtualHosts, add the same line within the VirtualHost + directive in either <filename>httpd.conf</filename> or + <filename>httpd-ssl.conf</filename>.</para> + + <para>Reload the configuration using the + <command>apachectl</command> <parameter>reload</parameter> command + and test the configuration either by using either of the + following methods after visiting one of the hosted pages:</para> + + <screen>&prompt.root; <userinput>grep "HTTP/2.0" /var/log/httpd-access.log</userinput></screen> + + <para>This should return something similar to the following:</para> + + <programlisting>192.168.1.205 - - [18/Oct/2020:18:34:36 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:19:57 -0400] "GET / HTTP/2.0" 304 - +192.0.0.205 - - [18/Oct/2020:19:20:52 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:23:10 -0400] "GET / HTTP/2.0" 304 -</programlisting> + + <para>The other method is using the web browser's built + in site debugger or <command>tcpdump</command>; however, + using either method is beyond the scope of this + document.</para> + + <para>Support for <acronym>HTTP</acronym>2 reverse + proxy connections by using the + <filename>mod_proxy_http2.so</filename> module. When + configuring the ProxyPass or RewriteRules [P] statements, + they should use h2:// for the connection.</para> + </sect3> + + </sect2> <sect2>
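Review bot: In the first paragraph of the new sect3, "HTTP2 requires encryption by default" conflicts with the later note that enables plaintext HTTP2 through h2c. The second paragraph already attributes the HTTPS requirement to web browsers, so the first paragraph should say the same instead of presenting it as a property of the protocol. The warning that h2c "is not recommended" sits in a separate paragraph after the note that shows how to enable it; move it into that note so the caveat is read together with the setting. The module programlisting adds the mpm_event_module line but does not show the mpm_prefork line being commented out, although the preceding paragraph asks for the replacement; show both lines, since a reader who copies only the listing ends up with two MPMs loaded. The sample access log mixes 192.168.1.205 and 192.0.0.205 with 192.0.2.205; use the 192.0.2.0/24 documentation range throughout. Two wording fixes: "either by using either of the following methods" repeats "either", and the last paragraph ("Support for HTTP2 reverse proxy connections by using the mod_proxy_http2.so module.") has no verb.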