Securing Apache - Debian/Ubuntu
Step 3c - Enabling HTTP 1.1 & HTTP 2 (H2) Protocols
Enabling HTTP/1.1 & HTTP 2/(H2) Protocols
HTTP 2 (H2) has many wonderful benefits compared to HTTP 1.0/1.1. H2 has by default Distributed Denial of Service (DDoS) protection, better overall security, options, and so forth. H2 allows us to use H2 with Application-Layer Protocol Negotiation (ALPN) which drops our latency to pretty much zero for requests. Mobile devices are also upping the ante for security by supporting H2. We should use it whenever possible and pretty much every modern browser supports it.
Enabling HTTP/2 on your server has an impact for resource consumption and if you have a busy site; you may need to carefully consider the implications. The first noticeable difference enabling HTTP/2 is the additional threads started on your server. The reason is HTTP/2 gives all requests it receives its own Worker Threads for processing, collecting the results and streaming those results out to the client.
H2 explained more in depth and the Akamai test shows the speed difference between HTTP/1.1 and HTTP/2. People still think encryption kills performance! This is an older myth that needs to die a painful death! Straight HTTP is slower than HTTPS! Despite the warnings, we have not had problems or complaints with H2. Test to see if H2 is enabled
Make changes to the Apache Website config file by adding the sections in blue to the file
nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf <IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin host@EXAMPLE.com
ServerName EXAMPLE.com
ServerAlias www.EXAMPLE.com
DocumentRoot /var/www/html/EXAMPLE
DirectoryIndex index.html
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
H2Direct on
Protocols h2 http/1.1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www_EXAMPLE_com.crt
..............................
</VirtualHost>
</IfModule>
Close and exit the file
ctrl + o (Save)ctrl + x (Exit)
Restart Apache
systemctl restart apache2If you are going to use PHP
ProxyPassMatch directives are evaluated first, prior to the FilesMatch configuration being run. We are seeking to have granular control over our headers and behaviors of PHP. ProxyPass will forward the request and FileMatch will handle the request is the best way I can describe the difference!
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
Using ProxyPassMatch removes your ability to deny/allow access to PHP files. Not to mention you lose the ability to manipulate the server PHP requests. If you are passing PHP requests to an FPM daemon, you'd want to use FilesMatch + SetHandler instead of ProxyPassMatch.
<FilesMatch \.php$>
SetHandler proxy:fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
</FilesMatch>
Lets make sure our Repositories are in order:
sudo add-apt-repository -y ppa:ondrej/apache2sudo add-apt-repository -y ppa:ondrej/php7Make changes for PHP to the Apache Website config file by adding the sections in blue to the file
nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf <IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin host@EXAMPLE.com
ServerName EXAMPLE.com
ServerAlias www.EXAMPLE.com
DocumentRoot /var/www/html/EXAMPLE
DirectoryIndex index.html
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
H2Direct on
Protocols h2 http/1.1
<FilesMatch \.php$>
SetHandler proxy:fcgi://127.0.0.1:9000/var/www/html/EXAMPLE/$1
</FilesMatch>
SSLEngine on
..............................
</VirtualHost>
</IfModule>
Close and exit the file
ctrl + o (Save)ctrl + x (Exit)
Restart Apache
systemctl restart apache2Zombie HTTP2 Test Results
We are surprised at how many large sites do not have HTTP/2 deployed.
