Securing Apache - Debian/Ubuntu

Step 3c - Enabling HTTP 1.1 & HTTP 2 (H2) Protocols

Enabling HTTP/1.1 & HTTP 2/(H2) Protocols

HTTP 2 (H2) has many wonderful benefits compared to HTTP 1.0/1.1. H2 has by default Distributed Denial of Service (DDoS) protection, better overall security, options, and so forth. H2 allows us to use Application-Layer Protocol Negotiation (ALPN) which drops our latency to pretty much zero for requests. Mobile devices are also upping the ante for security by supporting H2. We should use it whenever possible and pretty much every modern browser supports it.

Enabling HTTP/2 on your server has an impact for resource consumption and if you have a busy site; you may need to carefully consider the implications. The first noticeable difference enabling HTTP/2 is the additional threads started on your server. The reason is HTTP/2 gives all requests it receives its own Worker Threads for processing, collecting the results and streaming those results out to the client.

H2 explained more in depth and the Akamai test shows the speed difference between HTTP/1.1 and HTTP/2. People still think encryption kills performance! This is an older myth that needs to die a painful death! Straight HTTP is slower than HTTPS! Despite the warnings, we have not had problems or complaints with H2. Test to see if H2 is enabled

Make changes to the Apache Website config file by adding the sections in blue to the file

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        H2Direct on
        Protocols h2 http/1.1
        SSLEngine on
        SSLCertificateFile        /etc/apache2/ssl/www_EXAMPLE_com.crt
        ..............................
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2
If you are going to use PHP

ProxyPassMatch directives are evaluated first, prior to the FilesMatch configuration being run. We are seeking to have granular control over our headers and behaviors of PHP. ProxyPass will forward the request and FileMatch will handle the request is the best way I can describe the difference!

ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1

Using ProxyPassMatch removes your ability to deny/allow access to PHP files. Not to mention you lose the ability to manipulate the server PHP requests. If you are passing PHP requests to an FPM daemon, you'd want to use FilesMatch + SetHandler instead of ProxyPassMatch.

<FilesMatch \.php$>
SetHandler proxy:fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
</FilesMatch>

Lets make sure our Repositories are in order:

sudo add-apt-repository -y ppa:ondrej/apache2
sudo add-apt-repository -y ppa:ondrej/php7

Make changes for PHP to the Apache Website config file by adding the sections in blue to the file

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com
        ServerName EXAMPLE.com
        ServerAlias www.EXAMPLE.com
        DocumentRoot /var/www/html/EXAMPLE
        DirectoryIndex index.html
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        H2Direct on
        Protocols h2 http/1.1
           <FilesMatch \.php$>
           SetHandler proxy:fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
           </FilesMatch>
        SSLEngine on
        ..............................
    </VirtualHost>
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2

Zombie HTTP2 Test Results

Zombie H2 Test Results

We are surprised at how many large sites do not have HTTP/2 deployed.

Other Sites H2 Test Results

* Test performed June 2019 - Image source keycdn.com