From: Tom Rhodes
Date: Sun, 25 Oct 2020 02:49:33 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54630 - head/en_US.ISO8859-1/books/handbook/network-servers

Author: trhodes
Date: Sun Oct 25 02:49:33 2020
New Revision: 54630
URL: https://svnweb.freebsd.org/changeset/doc/54630

Log:
  Add a section on HTTP2 with Apache.

  Reviewed by: bcr, brnrd
  Differential Revision: https://reviews.freebsd.org/D26850

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sat Oct 24 00:51:37 2020 (r54629)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 25 02:49:33 2020 (r54630)
@@ -3724,6 +3724,119 @@ LoadModule ssl_module libexec/apache24/mod_ssl.sophp.ini-production. These are starting points to assist administrators in their deployment. + + + + HTTP2 Support + + + Apache support for + the HTTP2 protocol is included by default + when installing the port with pkg. The new + version of HTTP includes many improvements + over the previous version, including utilizing a single + connection to a website, reducing overall roundtrips of + TCP connections. Also, packet header data + is compressed and HTTP2 requires + encryption by default. + + When Apache is configured to + only use HTTP2, web browsers will + require secure, encrypted HTTPS + connections. When Apache is + configured to use both versions, HTTP1.1 + will be considered a fall back option if any issues + arise during the connection. + + While this change does require administrators to make + changes, they are positive and equate to a more secure + Internet for everyone. The changes are only required for + sites not currently implementing SSL + and TLS. + + + This configuration depends on the previous sections, + including TLS support. It is + recommended those instructions be followed before + continuing with this configuration. + + + Start the process by enabling the + http2 module by uncommenting the line in + /usr/local/etc/apache24/httpd.conf and + replace the mpm_prefork module with mpm_event as the former + does not support HTTP2. + + LoadModule http2_module libexec/apache24/mod_http2.so +LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so + + + There is a separate + mod_http2 port that is + available. It exists to deliver security and bug fixes + quicker than the module installed with the bundled + apache24 port. It is + not required for HTTP2 support but + is available. When installed, the + mod_h2.so should be used in place + of mod_http2.so in the + Apache configuration. 
+ + + There are two methods to implement HTTP2 + in Apache; one way is globally for + all sites and each VirtualHost running on the system. To enable + HTTP2 globally, add the following line + under the ServerName directive: + + Protocols h2 http/1.1 + + + To enable HTTP2 over plaintext, + use h2 h2c + http/1.1 in the + httpd.conf. + + + Having the h2c here will allow + plaintext HTTP2 data to pass on the + system but is not recommended. In addition, using the + http/1.1 here will allow fallback + to the HTTP1.1 version of the protocol + should it be needed by the system. + + To enable HTTP2 for individual + VirtualHosts, add the same line within the VirtualHost + directive in either httpd.conf or + httpd-ssl.conf. + + Reload the configuration using the + apachectl reload command + and test the configuration either by using either of the + following methods after visiting one of the hosted pages: + + &prompt.root; grep "HTTP/2.0" /var/log/httpd-access.log + + This should return something similar to the following: + + 192.168.1.205 - - [18/Oct/2020:18:34:36 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:19:57 -0400] "GET / HTTP/2.0" 304 - +192.0.0.205 - - [18/Oct/2020:19:20:52 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:23:10 -0400] "GET / HTTP/2.0" 304 - + + The other method is using the web browser's built + in site debugger or tcpdump; however, + using either method is beyond the scope of this + document. + + Support for HTTP2 reverse + proxy connections by using the + mod_proxy_http2.so module. When + configuring the ProxyPass or RewriteRules [P] statements, + they should use h2:// for the connection. + + +
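Review bot: The sentence "Having the h2c here will allow plaintext HTTP2 data to pass on the system but is not recommended" follows the "Protocols h2 http/1.1" example, which contains no h2c, so a reader cannot tell which line "here" refers to; move it inside the note that introduces "h2 h2c http/1.1" and say there that h2c carries HTTP2 without TLS. That note also reads oddly against the opening paragraph's "HTTP2 requires encryption by default"; wording along the lines of "web browsers require encryption for HTTP2" would agree with the second paragraph and with the plaintext option documented further down. In the module step, the text says to replace mpm_prefork with mpm_event, but the listing shows only the two LoadModule lines to enable; show the mpm_prefork LoadModule line being commented out as well. Smaller points: "either by using either of the following methods" repeats "either"; the sample access log mixes 192.168.1.205, 192.0.2.205 and 192.0.0.205 where a single documentation address would do; and the final paragraph ("Support for HTTP2 reverse proxy connections by using the mod_proxy_http2.so module.") has no verb, for example "is available by using".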