What could prevent me to activate http2 with apache?

Question

I have read a lot of documentation about http2, and it seems safe to enable. But I need to be 100% sure that I will not have any regression, or at least to know what regression can occur.

What could prevent me to enable http2 on my production apache server? What configuration must I double check? What new behavior might cause me trouble?

Answer 1

This is a very opinion based question, and not a great format for Stack Overflow which is intended to provide factual based answers. It also totally depends on your environment of which you have given very little detail.

However I've an interest in this, and don't mind spending a little time answering as best I can.

These are things you should consider:

• For a start you will need to upgrade Apache to a version that supports HTTP/2. Ideally you should upgrade to the latest version (2.4.29 at the time of writing) as there have been a number of changes in the HTTP/2 code since this was first launched in 2.4.17 and stopped being marked as "experimental" in 2.4.26. How easy that is depends on your environment but packaged versions (eg through yum on RHEL and Centos) are often not the latest version and stepping outside the safety of a packaged environment, to building from source, or a third party repo is not a step to be taken lightly. See also this question for more information on whether you should use mod_http2 (yes in my opinion).

• You need to consider what version of Apache you are coming from and what changes (if any) you need to make with the upgrade. Many people are still using 2.2 and the upgrade to 2.4 requires some changes . If already on an earlier version of 2.4 then this should be less of an issue but there are still some changes that may affect you. 2.2 is end of life though so this is something you will need to do sooner or later.

• HTTP/2 requires HTTPS to work from all the browsers so if your site is not already on this, then this can be a bit of an upgrade. However the web is moving to HTTPS so again, if not already on this, then it is something you will need to do sooner or later.

• HTTP/2 requires OpenSSL 1.0.2 or above to have ALPN support to negotiate HTTP/2. Again many Linux distributions do not include this, and even those that do have this (eg RHEL/Centos 7.4) do not build Apache against this version. So again you may need to look at building from source or an alternative repo (see points about this above).

• HTTP/2 requires good HTTPS config (eg GCM ciphers) which will be available thanks to OpenSSL 1.0.2 but may require reviewing your SSL/TLS config to configure these. The SSLLabs Server Test Tool is your best option to review this.

• Do you use websockets? They are currently not compatible with HTTP/2 so you need to stay on HTTP/1.1 if using them. There are currently plans in place to add WebSockets to HTTP/2 but they are still in discussion phase.

• You should be aware that HTTP/2 forces lowercase HTTP Header Names. Traditionally HTTP Headers Names have always been case insensitive, but not every implementation implements this correctly and some depend on case sensitivity.

• HTTP/2 responses still send the response code (200, 404) but omit the status text ("OK", "Not Found"). Again this should not affect most, properly coded, applications but if you depend on this response message then you may need to do some work to fix this.

• HTTP/2 is designed to work with a single connection. If you currently shard your assets of different domains then it may attempt to coalesce them back into one connection , which should work seamlessly but can cause some issues if HTTP/2 is not available over all your sharded domains.

These last 3 points come from the excellent BBC write up of the issues they experienced when moving to HTTP/2 .

The above are all points to consider on how to upgrade to allow you to enable HTTP/2. It's a bit painful at the moment to be honest on most standard Linux distributions but hopefully will get easier as newer versions become more common.

However, once you have that in place, and can upgrade to HTTP/2 you then need to decide if you want to upgrade .

On the whole HTTP/2 has been designed to be backwards compatible so should be a seamless upgrade. Those clients that can will talk HTTP/2, those that can't will continue to talk HTTP/1.1 (which you should leave configured for the foreseeable future).

However HTTP/2 is still relatively new in the tech world and there may be implementation issues at the client or server side. Saying that it's been out for 2 years now, my experience of it is very positive and not seen many issues but, as with any upgrade, you should test, test, test before upgrading and monitor afterwards. Most of the issues I've seen have been obscure issues where HTTP/2 is not as performant as it should be, rather than show stopping issues, and most people without as deep an interest as I have for example, would struggle to notice them. 20% of web traffic is using HTTP/2 so it is a proven technology, and it is heavily based on SPDY which has been used by a number of sites, servers and clients without major issues for the last number of years.

You should also consider the benefits of HTTP/2. In my opinion most websites should see a good speed improvement (maybe 20%), but this is not guaranteed, will depend on the individual site and the connection visitors and using. Certain bandwidth bound sites may even see a slow down. However you need to set realistic expectations and understand where your performance bottlenecks are which will then help understand if (and by how much) HTTP/2 will help. It is not a magic fix for poorly performing websites.

Other points to consider after you upgrade:

• Do you optimise for HTTP/2 and if so when? Will that impact those visitors that are still on HTTP/1.1? See this answer for more detail on that.
• Do you use HTTP/2 to any back end servers or terminate HTTP/2 at the web server (like many do for HTTPS) and speak HTTP/1.1 to any back end application servers? This requires the use of mod_proxy_http2 which is still marked as experimental and has had less usage and oversite that the main mod_http2 module. I would advise against this for now unless you have a good reason to use this. Many back end application servers will also not support HTTP/2 without doing a similar upgrade as above anyway.
• Do you use new features like HTTP/2 push? This is still an emerging technology and needs careful thought , and may be best left until cache digests is standardised.

At the end of the day no one but you can be "100% sure" that you will not have issues and it is up to you to test this to give yourself the confidence. And obviously the more information and understanding you have of HTTP/2 the more prepared you will be to understand the impact and any issues.