How to implement http2 without ssl in Apache 2.4.18 Server

About

Asked 15/3, 2016 at 7:11 Answered 15/3, 2016 at 11:11

I have made a website with HTTP/2 Protocol which is running on Apache 2.4.18 HTTP Server. Currently I have made the website is SSL Enabled because I read somewhere that HTTP/2 by default requires SSL. I may not require to make my website secure, so I don't want to spend money in buying a SSL Certificate.

Is there a way to implement HTTP2 Protocol without using SSL Configurations ? If yes, what configuration settings should I write in httpd.conf file ? Do I need to change any properties/settings of my Browser - Chrome/Firefox etc ?

Siliceous answered 15/3, 2016 at 7:11 Comment(0)

As far I know, the most web browsers will not use HTTP2 Protocol if you would connect to the web site via HTTP instead of HTTPS.

There are many places where you can get SSL certificate for free, for example, StartSSL, Universal SSL, Let’s Encrypt (see here) and other. The certificate could be not for the long time period and don't have some additional properties like Time-Stamping (like here), but it could be still used. You can still use the certificate for free.

You can read here, for example, the instruction of configuring of HTTP2 in Apache HTTP Server. The most important would be to use the latest version of OpenSSL and the latest version of Apache Server. I'd recommend you to read the article about HTTP2, look the video and the corresponding slides here about making TLS faster and to go through the checklist.

Deipnosophist answered 15/3, 2016 at 11:11 Comment(8)

Why this: "Disable TLS compression on your server."? What's wrong with TLS compression? – Pikeperch 4/4, 2016 at 22:28

@Geremia: There are many reasons. The description of one of the most important you can find here and here. – Deipnosophist 4/4, 2016 at 22:46

Thanks. I'm trying to figure out why after I used this to configure my Apache SSL settings, the wiki page I'm hosting no longer uses HTTP/2. – Pikeperch 4/4, 2016 at 23:36

You are welcome! First of all it's important to know which version of Apache and OpenSSL and on which OS you use and how TLS is configuration. Do you have the server online? Which is its URL? – Deipnosophist 4/4, 2016 at 23:41

I'm using Apache 2.4.18 and OpenSSL 1.0.2g on Linux. Do I need mod_http2, even though Apache 2.4.18 is supposed have HTTP/2 built-in? I get an A+ rating on ssllabs.com for my TLS config, which I configured with the help of this. I'm able to put Protocols h2 http/1.1 in httpd.conf and run apachectl restart without it complaining. So, why don't Curl, Firefox, or Chrome use HTTP/2 when I visit the site? – Pikeperch 5/4, 2016 at 1:36

I've also hardened my HTTP response headers and thus get an A+ rating on securityheaders.io, too. Could've hardening my HTTP response headers messed up HTTP/2? – Pikeperch 5/4, 2016 at 1:46

@Geremia: You didn't posted the URL to your server. Probably you have just the problem with the testing of the results? Do you verified that the web browser local cache are cleared? – Deipnosophist 5/4, 2016 at 4:49

Let us continue this discussion in chat. – Pikeperch 5/4, 2016 at 16:25

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags