Site not serving on HTTP2 protocols

Operating system: Ubuntu
OS version: 18.04

I want to run my site over HTTP2 protocols. To that end, I enabled http2 module from Webmin > Servers > Apache Servers > Global Configuration > Configure Apache Modules. Also switched from mpm_prefork to mpm_event.

The site is using SSL certificate acquired from Letsencrypt.

Next I made sure the PHP is running in FPM mode and added the following in the config for SSL website (443)

Protocols h2 http1.1

But I can see the protocol used in Chrom Devtools is still http1.1. What am I missing?

Make sure to restart apache2 after the changes. Did you directly added the line into the vhost file?
Is your apache2 version at least 2.4.17 or higher? The openssl version should be at least 1.0.2 too.
Not sure about this one, but from what I remember you need to run at least TLS 1.2 (with modern ciphers) or higher.

I added the option via Services > Configure SSL Website.

Apache is 2.4.29
OpenSSL is 1.1.1

What do I check for TLS 1.2? Although I think it would be recent enough.

You can specify that in the configuration which version is used.
A general overview:

For some more specifics:

I’ve tested the SSL and its serving on TLS 1.3 and 1.2 is also available. I don’t think that’s the issue. Any other ideas?

Please do a check with this tool: HTTP/2 Test - Verify HTTP/2 Support | KeyCDN Tools .
Did you restart apache after the changes? Where did you place the code line exactly?

The test says

HTTP/2 protocol is not supported.
ALPN extension is not supported.

I have restarted apache several times now.

I placed the code through Virtualmin: Services > Configure SSL Website at the top line. It says the file being edited is /etc/apache2/sites-available/mywebsite.com.conf

The code should be

Protocols h2 http/1.1

and not

Protocols h2 http1.1

Do the following and run these commands:

sudo a2enmod ssl
sudo a2enmod http2

And please do quote the output here.

Also the “Protocols h2 http/1.1” code line needs to be within the VirtualHost area:

<VirtualHost *IP*:443> </VirtualHost>

I had a typo in the post, but its correct in the file. I’m pasting the entire website.com.conf file

<VirtualHost my.ip:80>
SuexecUserGroup "#1113" "#1025"
ServerName website.com
ServerAlias www.website.com
ServerAlias mail.website.com
ServerAlias webmail.website.com
ServerAlias admin.website.com
DocumentRoot /home/website/public_html
ErrorLog /var/log/virtualmin/website.com_error_log
CustomLog /var/log/virtualmin/website.com_access_log combined
ScriptAlias /cgi-bin/ /home/website/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/website/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
<Directory /home/website/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.website.com
RewriteRule ^(?!/.well-known)(.*) https://website.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.website.com
RewriteRule ^(?!/.well-known)(.*) https://website.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.2
php_admin_value engine Off
<FilesMatch \.php$>
SetHandler proxy:fcgi://localhost:8003
</FilesMatch>
RedirectMatch ^/(?!.well-known)(.*)$ https://website.com/$1
php_value memory_limit 32M
php_value upload_max_filesize 8M
php_value display_errors On
</VirtualHost>
<VirtualHost my.ip:443>
Protocols h2 http/1.1
SuexecUserGroup "#1113" "#1025"
ServerName website.com
ServerAlias www.website.com
ServerAlias mail.website.com
ServerAlias webmail.website.com
ServerAlias admin.website.com
DocumentRoot /home/website/public_html
ErrorLog /var/log/virtualmin/website.com_error_log
CustomLog /var/log/virtualmin/website.com_access_log combined
ScriptAlias /cgi-bin/ /home/website/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/website/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
<Directory /home/website/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.website.com
RewriteRule ^(?!/.well-known)(.*) https://website.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.website.com
RewriteRule ^(?!/.well-known)(.*) https://website.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.2
php_admin_value engine Off
<FilesMatch \.php$>
SetHandler proxy:fcgi://localhost:8003
</FilesMatch>
SSLEngine on
SSLCertificateFile /home/website/ssl.cert
SSLCertificateKeyFile /home/website/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/website/ssl.ca
php_value memory_limit 32M
php_value upload_max_filesize 8M
php_value display_errors On
</VirtualHost>

Here’s what I get from enabling the modules you asked

[root@primary ~]# sudo a2enmod ssl 
Considering dependency setenvif for ssl: Module setenvif already enabled 
Considering dependency mime for ssl: Module mime already enabled 
Considering dependency socache_shmcb for ssl: Module socache_shmcb already enabled Module ssl already enabled 
[root@primary ~]# sudo a2enmod http2 
Module http2 already enabled

Hmm, that should be good actually.
You can try to add command into the general apache2 config (at the bottom is just fine). Don’t forget to restart apache after that.
Can you check in webmin -> servers -> apache -> global configuration -> configure modules .
If http2 is marked and enabled and same goes for ssl.

Are you sure you disabled mod_php and mpm_prefork? And did you restart php after the changes?

This is so annoying. Everything seems right yet it doesn’t work. Here’s a screenshot of the modules page.

apache-edit-mods-cgi-2020-12-22-20_00_581922×1911 699 KB

That looks good too. Are you sure about the php changes like I asked?
Which php version are shown if you re-check the virtualmin configuration:
Controllpanel / Dashboard -> virtualmin tab -> server configuration/settings -> re-check configuration .
Not sure about the exact names right now, but that should be it.
Please do tell us the php versions and which are enabled and used (please be specific if possible).

I have restarted php and apache several times. Here are the relevant results from Re-check configuration

Your system has 7.78 GiB of memory, which is at or above the Virtualmin recommended minimum of 256 MiB.

Mail server Postfix is installed and configured.

Postfix can support per-domain outgoing IP addresses, but is not currently configured to do so. This can be setup in the [Postfix Mailserver](https://glowingstonewebsites.com:10000/postfix/dependent.cgi) module.

Apache is installed.

The following PHP versions are available : 7.2.24 (/usr/bin/php-cgi7.2), 7.2 (mod_php)

The following PHP execution modes are available : mod_php cgi fcgid fpm

The following PHP-FPM versions are available on this system : 7.2.3 (php7.2-fpm)

Apache is configured to host SSL websites.

You should just remove mod_php. It’s not very good in terms of performance and stability.
Does the website in question is actually using fpm or is it still using mod_php?

There are many websites on the server. To remove mod_php I’ll have to make sure none of them are using it. I might do that in the future.

Here’s ascreenshot of Server Configuration > Website Options

2020-12-23925×170 19.7 KB

In your main Apache config, what do the lines for SSLProtocol and SSLCipherSuite look like? If you have a stew of ciphers that are too loose, too strict or just don’t blend well together, TLS could indeed be a problem. See if Mozilla’s SSL Configuration Generator agrees with your setup.

You seem to have all the right ingredients so I’m short on advice except for what @DrCarsonBeckett has already suggested, which is pretty much how http/2 works for me running Apache 2.4.37 and OpenSSL 1.1.1 on CentOS…

With mod_http2 loaded, mod_php disabled, the prefork MPM replaced by worker or event, and PHP-FPM running server-wide – a single Protocols h2 h2c http/1.1 statement at the bottom of Apache’s main config file (rather than wrapped in every <VirtualHost>) is all that was needed.

The only thing, which should be active with the screenshots and information you gave, is to make sure that the http2 module is loaded:

LoadModule http2_module modules/mod_http2.so

Please make sure to specifically enable TLS 1.2 and 1.3 if wanted.
And please do list the ciphers which you use.

Edit: Please do make sure to disable mod_php completely. It is a good possibility that it interferes here.

Oh my god it worked. After disabling mod_php. It was a mind numbing task switching all domains on the server to php-fpm but it was worth it. Thank you @DrCarsonBeckett

Thanks for pointing out the ciphers thing as well. They need to be updated as well.

Glad it works now!
If possible @Vipul.K , select the answer you helped the most as the solutuon for this topic.

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.