EasyApache 4 HTTP2 Support

Weverton Velludo shared this idea 1 year ago
Completed

Support to mod_http2 to speedup hosted domains access.

http://httpwg.org/specs/rfc7540.html

Moderator note: This was implemented in EasyApache 3 already, so I've adjusted this request to be specifically for EasyApache 4.

Best Answer
photo

Hey all! As Jacob said, this is now in production! This can be easily installed via WHM or on the command line. You can find direction in our documentation here:

https://documentation.cpanel.net/display/EA4/Apache+Module%3A+HTTP2

If you previously installed http-2 from the experimental repo you will need to follow these steps to get the new version, basically the reverse what you did earlier:

  1. # yum remove ea-apache24-mod_http2 ea-nghttp2 ea-libnghttp2
  2. # rm -fv /etc/yum.repos.d/EA4-mod_http2.repo
  3. # yum downgrade 'ea-apache24*'
  4. # yum clean all ; yum install ea-apache24-mod_http2

If you would like, you can also remove the experimental repo from your server, if you aren't using it for anything else:

  1. # yum remove ea4-experimental

CloudLinux doesn't yet fully support this, but hopefully they will publish this to their production repo soon. The changelog hit a snag, but will hopefully be updated soon.

If you have any other questions, feel free to reach out! The forums will be a great place to work together on this.

Comments (86)

photo
4

It appears that mod_spdy was donated to the Apache foundation for inclusion in Apache core for the HTTP2 protocol, which should be released by Apache sometime in 2015. Running mod_spdy requires a custom installation of OpenSSL, which we do not support at this time. We look forward to Apache integrating mod_spdy with the Apache core next year. However at this time, we will unfortunately not be implementing mod_spdy at this time.

photo
5

why we need to start this all over again? Is clearly that once was requested in EA3, we want it in EA4 too. There was no point in marking the old post as completed and closing, since first of all cPanel doesn't want to officially support it in EA3 and is not even started in EA4. Once you release a new version with less features than the last one, is no longer called an upgrade, more likely a downgrade.

photo
3

EasyApache 3 has no support for http2, it only provides a way to personalize the options to compile Apache and you have to set your own compilation of openSSL.

cPanel has taken this post about to EasyApache 4 to close the post for EA3, even it has not been completed.

photo
3

It supports the EA3 but needs many manual settings ...

I believe that could be available as several other modules supported ...

photo
1

First, thank you so much to everyone here for your quick, verbose feedback. I do hear your frustrations, and am glad to see that you're still interested in providing your feedback!

Our biggest hesitation with this is that in order to use HTTP2, you need to have OpenSSL 1.0.2. Taking ownership of, and shipping our own RPM for, OpenSSL is something we cannot consider lightly, and is something that we currently aren't planning to do. We definitely understand that it's something that many of our customers want, but we currently haven't decided to take on that burden. Thanks for your continued attention, and definitely let me know if I can answer any questions!

photo
11

Using a custom installation of OpenSSL just for the entire web server stack would help to solve a lot of issues.

cPanel needs to put more effort into the core services related to serving sites, and less into cPanel/WHM features like SSL stores, external authentication systems, and security analysis.

photo
3

yes just using OpenSSL 1.0.2+ for apache would solve this. That's what I do for CentOS and Nginx's HTTP/2 requirements. But it's source compiled and not rpms. It's why i've stuck with EA3 vs EA4 too

source compiled OpenSSL 1.0.2+ statically just for nginx also allows you more timely openssl related updates that RPM would provide - just look at last few openssl rpm updates especially slow, or will not fix or delay from redhat etc.

It's a fine line between using official OpenSSL rpms and keeping OpenSSL up to date in a more timely manner than rpm repo would provide.

As a web hosting cpanel and LAMP solution, you can't afford to have lengthy delays for security fixes that are delayed in OpenSSL rpm repo sourced vs being able to compile from direct source the latest release.

cpanel should allow Apache to support either system OpenSSL 1.0.1e usage or statically compile against own OpenSSL 1.0.2+. Flexibility allows cpanel's Apache to meet the changing needs at the time more quickly.

photo
2

We deployed a while back http2 on our Nginx reverse proxies which were running CentOS 6 by statically compiling OpenSSL 1.0.2. It works really well and doesn't force us to upgrade to a newer distribution. Maybe cPanel can do something like this?

photo
1

There are certainly a host of possible ways we might implement this. If we get closer to actually doing it, we'll definitely let everyone know here!

photo
6

Hey all! No further updates yet, but I did realize that there was an old mod_spdy request that was not merged in here. We wanted to merge them together in order to get a more accurate count of people asking for HTTP/2 support. I will post here as soon as there is an update to provide!

For anyone looking for a bit of backstory: https://developers.googleblog.com/2014/06/modspdy-is-now-apache-project.html

photo
1

This site is so poorly coded I can't tell if my post was sent of not using mobile.

Anyways. Enabling h2 without Chacha20/Poly1305 forces android to keep AES-NI libraries loaded the entire time your site is open in a tab. This drains Android batteries at a MUCH higher rate.

If you can't figure out how to get us back to EasyApache 3, where we can do this stuff ourselves, I'm moving all my customers to your competitors. EasyApache4 is SEVENTY PERCENT slower at serving websites than we had EA3 running.

photo
1

Howdy!

Thanks for the heads up, I'm adding this patch in now.

I'd like to work with you to see if we can figure out what's going on that's causing your systems to be slower. Mind emailing me?

Thanks!

Edit: I've patched and updated builds. If you have the above installed, a yum update should pull down the changes. I really appreciate your feedback!

photo
1

My main problem is the fact that I've had to choose between sites that wreck people's batteries, or not having h2.

For business customers who have employees that have to login to their sites from their phones a lot, draining their batteries isn't really an option.

I have an extra box sitting around at moment with absolutely no paying customers on it (I planned on attempting exactly what you are doing next week). I'll test this on it later tonight. Now that I have customers using the multi-php I'm going to have to pay extra attention to how it affects that though.

TBH I'm not overly a huge fan of this RPM system. It's only a matter of time before people start playing with it and borking their entire install force overwriting system files.

photo
1

Not to mention doing this RPM build is a WHOLE lot more involved than unzipping a file somewhere and telling EA what options you want it to pass.

Grab Source RPM

Extract

Apply Patches

Resource

Build RPM

Check for dependencies

Apply RPM

.... It used to be unzip a tar to a certain place and add some text to a file.... Maybe run a yum command.

It basically feels like the things we've been paying you for got deleted so it could be easier for cPanel devs and you've dumped the extra work on us, because let's be honest. cPanel hasn't been the greatest here lately. We won't even be able to install SSL certificates into accounts on cPanel without CAA records later this year and no one at cPanel even had a clue about it until it was mentioned in a feature request. Wasn't even on the radar to be looked into adding at the time according to staff.

Seems as if you guys want to make things easier for yourselves no matter what repercussions it has to the customers.

The fact that people are building web server rpms and adding them to repos that don't even know about the current common pitfalls of building a web server from hand kind of shakes my confidence in what's going on there at cPanel.

photo
4

@wired420: @cPanelJacob clearly wrote it is all SUPER EXPERIMENTAL. It is not the finished product, it is just a feature for testing. Don't get me wrong but a few hundreds people have starred this issue and you are now flooding their mailboxes with your complaints about things rather unrelated to HTTP/2. Regards,

photo
1

Hey everyone! Comments were locked overnight. Please do keep the conversation specific to *this* request, and take any other conversation you want to have to the forums or to a personal email conversation.

photo
1

@cPanelJacob

Thanks for the 'howto'. We tried this out on one our our productions servers running Centos 6 and it works great so far with no errors encountered. Our other servers run CloudLinux 6/7 with mod_lsapi is that module likely to cause a problem with HTTP2 ?

photo
2

Hi Chris,

I'm glad to hear it! This is a *very* experimental setup. It's so experimental that I'm keeping it on my personal OpenSuse account until we can get it through our QA & security team. Unfortunately, CloudLinux will most likely not ship these packages until we get them into our EA4 mainline repo, which could be a while. I'll work on getting these into our EA4-experimental repositories this week.

photo
1

Great news Jacob :-)

As long as it will work with mod_lsapi at the end we are very happy! :-)

photo
1

3) Put this text into a new file '/etc/apache2/conf.d/http2.conf'

Can do adding automatically without manually file edit?

photo
3

This will be done when we officially release http2 support. We want to ensure the protocols work for most people on setup before we enable it by default.

photo
1

Any idea when the release date is...?

photo
1

We don't have an anticipated release date at this time, but as soon as we do we'll update here!

photo
3

Howdy!

We've moved this RPM to the EA4-experimental repository. If you've installed the version before this that was on my personal OpenSuse account (the comment which I have now deleted), please follow the instructions below:

  1. # yum remove ea-apache24-mod_http2 ea-nghttp2 ea-libnghttp2
  2. # rm -fv /etc/yum.repos.d/EA4-mod_http2.repo
  3. # yum downgrade 'ea-apache24*'
  4. # yum install ea4-experimental
  5. # yum clean all ; yum install ea-apache24-mod_http2

If all went well, you should be back with http2 running. If you got RPM dependency issues with Apache, you'll probably need to downgrade 'ea-apache24*' again.

For users who are just catching up, you can install and test HTTP2 by running:

  1. # yum install ea4-experimental
  2. # yum install ea-apache24-mod_http2

Place this .conf file down in '/etc/apache2/conf.d/http2.conf'

  1. <IfModule http2_module>
  2. LogLevel http2:info
  3. Protocols h2 h2c http/1.1
  4. </IfModule>

Restart Apache

  1. /scripts/restartsrv_httpd

Please note, there was a brief period where it didn't link properly. A 'yum update' should pull down the latest changes. Please provide feedback and let us know how it goes!

photo
1

Removed earlier version and installed latest, all working great and noticed some websites do now load faster!

proper job! :)

photo
1

Seem I get a broken link to pull the ea-apache24-mod_http2



On cCentos 7x

photo
1

Just wanted to update this post for anyone having issues with Mod_Security

White listing rule 960034 in /etc/apache2/conf.d/userdata/ssl/2_4/USER/modsec.conf

[Mon Mar 20 20:40:54.551880 2017] [:error] [pid 30929:tid 139631531427584] [client XXXX] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file

"/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "412"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] [severity "CRITICAL"] [ver "OWASP

_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "

PCI/6.5.10"] [hostname "http://www.mydomain.com"]; [uri "/"] [unique_id "AAAAAI6zHdKoX-RUuoY7zgAAAAE"]

photo
1

I have just tested. http2 is running smoothly without any issue :)

photo
1

Hello!



No idea why following step given I get this error

Error: Package: ea-apache24-2.4.25-8.9.2.cpanel.x86_64 (EA4-experimental)
Requires: links
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

photo
1

Hello,

I habe got the same problem.

I tried it with skip-broken, but this doesn't helped either.

This is the output:

  1. yum install ea-apache24-mod_http2 --skip-broken
  2. Loaded plugins: fastestmirror, rhnplugin, tsflags, universal-hooks
  3. This system is receiving updates from CLN.
  4. Loading mirror speeds from cached hostfile
  5. * EA4: 198.245.49.52
  6. * EA4-experimental: 198.245.49.52
  7. * cloudlinux-x86_64-server-7: de-proxy.cl-mirror.net
  8. * epel: mirrors.n-ix.net
  9. Resolving Dependencies
  10. --> Running transaction check
  11. ---> Package ea-apache24-mod_http2.x86_64 0:2.4.25-8.9.2.cpanel will be installed
  12. --> Processing Dependency: ea-apache24 = 2.4.25-8.9.2.cpanel for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  13. --> Processing Dependency: ea-nghttp2 for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  14. --> Processing Dependency: ea-libnghttp2 for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  15. --> Processing Dependency: libnghttp2.so.14()(64bit) for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  16. --> Running transaction check
  17. ---> Package ea-apache24-mod_http2.x86_64 0:2.4.25-8.9.2.cpanel will be installed
  18. --> Processing Dependency: ea-apache24 = 2.4.25-8.9.2.cpanel for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  19. ---> Package ea-libnghttp2.x86_64 0:1.20.0-.2.1.cpanel will be installed
  20. ---> Package ea-nghttp2.x86_64 0:1.20.0-.2.1.cpanel will be installed
  21. EA4-experimental/7/x86_64/filelists_db | 121 kB 00:00:00
  22. Packages skipped because of dependency problems:
  23. ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64 from EA4-experimental
  24. ea-libnghttp2-1.20.0-.2.1.cpanel.x86_64 from EA4-experimental
  25. ea-nghttp2-1.20.0-.2.1.cpanel.x86_64 from EA4-experimental

photo
1

You have to wait for CloudLinux to release their EA4 packages. They're already working on it.

photo
2

  1. This system is receiving updates from CLN.

These files aren't available on CLN yet.

photo
1

I have tested it and so far so good, seems to be working just fine.

The only issue I found is on Apache Status page, instead of showing to were the request was made I get some status info, is this normal?

Instead of GET /some/page.html

I have idle, streams: 0/3/3/0/0 (open/recv/resp/push/rst)

photo
3

Yes we get that too, including "local goaway" whatever that means...

photo
1

Work fine on non-cloudlinux install !

photo
2

Nice to see we are getting closer to http/2. Any idea when this will move from experimental to general availability ?

photo
2

Nothing definite, but what we've got right now it's solid enough to go to general availability yet. If things stay on track internally it'll go to production within 2-4 months. Let me know if you have any other questions!

photo
1

Hi Benny, Jacob !

Thank you for this feature, it's work really fine :-)a9b11668f1e93d7d19a97eac7180a65a

photo
1

works great :d and hope be included on cpanel 64 when comes GA.

photo
1

Tried it from CL7 EA4 experimental repo yesterday and it seems to work fine.

photo
2

Great to see all reports on HTTP2 working just fine! Hope it can leave experimental stage soon!

photo
1

I can confirm that this is now also working on CloudLinux as well.

https://www.cloudlinux.com/cloudlinux-os-blog/entry/beta-ea-apache24-updated

photo
1

As of today when loading up the module; the following error occurs.

  1. yum install ea-apache24-mod_http2
  2. Loaded plugins: universal-hooks
  3. Resolving Dependencies
  4. --> Running transaction check
  5. ---> Package ea-apache24-mod_http2.x86_64 0:2.4.25-8.9.2.cpanel will be installed
  6. --> Processing Dependency: ea-apache24 = 2.4.25-8.9.2.cpanel for package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64
  7. --> Finished Dependency Resolution
  8. You could try using --skip-broken to work around the problem
  9. You could try running: rpm -Va --nofiles --nodigest
  10. ---
  11. Error: Package: ea-apache24-mod_http2-2.4.25-8.9.2.cpanel.x86_64 (EA4-experimental)
  12. Requires: ea-apache24 = 2.4.25-8.9.2.cpanel
  13. Installed: ea-apache24-2.4.25-9.9.1.cpanel.x86_64 (@EA4)

photo
3

I'm rebuilding the http2 package now with the latest Apache changes. I hope to have this published to the experimental repository shortly. I'll update here when that's done.

photo
2

This has been completed, you can install http2 again.

photo
2

@cPanelJacob can you share this changes?

photo
7

As a heads up, we are working now to bring this module into our production repositories. We'll update this when we've completed our work.

photo
1

Awesome!

photo
1

Great thanks

photo
1

great! we are waiting for putting it as a production feature :-)

photo
1

Great news indeed! ....but is there a firmer ETA for this, Jacob? ..as I saw a reply to a comment on your Facebook page last week that seemed to indicate that this is still some THREE months away from being moved into the production repo i.e. it won't be available before September! :(

photo
2

What Mark said... are you able to give an ETA for this?

photo
2

Good News. Anyone know what the ballpark time for getting something from Experimental to Production is?

photo
1

This is fantastic news! Thank you!

photo
1

When will it be in production? In the next update of version 64 or 66?

photo
2

Will this module update also and OpenSSL to OpenSSL 1.0.2 k ?

photo
2

Apache 2.4.26 could be released next week and includes a ton of HTTP2 changes, improvements and fixes.

http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?view=markup&sortby=date

* Assuming "T&R" is abbreviated for test & release

photo
3

Good morning,

We hope to have this in our production tiers within the month. We have a scheduled release next week for PHP updates, but unfortunately these changes won't make it in time for that release.

We will be building nghttp2 and the mod_ssl w/http2 module statically against a newer version of OpenSSL. This package, while it will be on our mirrors, won't be needed as we're building it statically.

Thanks for your excitement! We are pretty psyched as well :D

photo
1

Excellent you rock!

photo
1

Amazing, keep the good work up!!

photo
2

Woohoooo!! Can't wait till the end of the month!!

photo
1

The universe begins to line up to fit all the pieces. Thanks Jacob and Benny for taking the initiative: DFor cloudlinux, updates are gradually starting

"The new updated Alt-PHP packages with HTTP/2 support are available for download from our production repository."

https://www.cloudlinux.com/cloudlinux-os-blog/entry/alt-php-with-http-2-support-updated

photo
1

Hi Jaime,

Our server is running EA4 and the php would be ea-php packages. You're talking about alt-php packages from cloudlinux but apparently, HTTP/2 support for EA4 is still listed under feature request, right? So we have to wait until a cPanel update rolls out for this? Do you have an estimated date for this?

Best regards,

Florence - RaDiance Conseil.

photo
1

Improved http/2 support released in Apache 2.4.26 the 19th of June. http/2 is no longer marked experimental and alot of other bug fixed for mod_http2.

I'm sure you guys are building the new version as I type this, right? :D

http://www.apache.org/dist/httpd/Announcement2.4.html

http://www.apache.org/dist/httpd/CHANGES_2.4.26

photo
1

Sorry, I missed your question! We won’t be upgrading to Apache 2.4.26 due to an Apache bug. We posted about it on the cPanel forums: https://forums.cpanel.net/threads/apache-2-4-26.603859/

photo
9

Good news everyone! We're aiming to move this to production on July 11th. I'll let you know if anything that changes!

photo
1

Excellent

photo
1

I'll admit I haven't looked a whole lot into http/2 yet, but I see a post above saying ONLY https is allowed with it. Can you confirm this? Will we be forced to have all connections as https if we choose to use this?

photo
1

morrow95 - Straight from the wikipedia page:Although the standard itself does not require usage of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

photo
1

... so the browsers are essentially going to deny access to a site through http? No fall back of any kind on either side?

photo
2

Not. If you site have a SSL certificate, the browser load http/2 with ssl support, if dont, only load http, no more.

photo
1

Okay, so there are two conflicting answers here - which is correct?

photo
1

Browsers won't be denying access. If the site has an SSL/TLS certificate then HTTP/2 ( if installed correctly ) will work.

If no certificate then HTTP/1 will be used.

photo
1

Google uses HTTPS as a ranking signal, so websites with HTTPS will rank higher. With Comodo / Let's Encrypt out of the box in CPanel why are you not using HTTPS?

For HTTP/2 in most browsers you need HTTPS, if you don't have HTTPS the site will be served as HTTP/1.1

photo
4

Hey all! This conversation has gotten pretty far away from the details of our implementation of this feature. When we push this to production I'll make sure all of your questions are answered. In the meantime, if you'd like to have further discussion about this feature, feel free to open a thread on the cPanel forums! It's a great place for conversation.

photo
5

Hiya! Unfortunately we had to delay our release today due to some build system issues. We're on track to hit the release tomorrow, so we should have mod_http2 out then. Thanks for your patience!

photo
1

What's the latest on the release? If anything, PHP 5.6.31 should be released immediately ahead of the HTTP2 update as it contains security fixes.

photo
2

Just noticed YUM pulled in PHP 5.6.31 last night along with updates for Apache 2 and HTTP2, but the changelog remains out of date. Is the new HTTP2 support now live then?

photo
2

If this drops the same week as the Game of Thrones premier I'm not sure I'll be able to handle the excitement. HTTP/2 is coming.

photo
3

83eb1f57003790abfb9072812aa9fa08

photo
6

ea-apache24-mod_http2 has been published to the production repository and is available for installation.

photo
2

Yuhuuu !! thanks !!, its install by yum install ea-apache24-mod_http2 ?? or by EasyApache 4 in WHM ? :D

photo
1

Thank you! How long does it usually take to update the change log?

photo
3

Hello, can you tell us please how will we install it if we installed the pre release before?

photo
5

Hey all! As Jacob said, this is now in production! This can be easily installed via WHM or on the command line. You can find direction in our documentation here:

https://documentation.cpanel.net/display/EA4/Apache+Module%3A+HTTP2

If you previously installed http-2 from the experimental repo you will need to follow these steps to get the new version, basically the reverse what you did earlier:

  1. # yum remove ea-apache24-mod_http2 ea-nghttp2 ea-libnghttp2
  2. # rm -fv /etc/yum.repos.d/EA4-mod_http2.repo
  3. # yum downgrade 'ea-apache24*'
  4. # yum clean all ; yum install ea-apache24-mod_http2

If you would like, you can also remove the experimental repo from your server, if you aren't using it for anything else:

  1. # yum remove ea4-experimental

CloudLinux doesn't yet fully support this, but hopefully they will publish this to their production repo soon. The changelog hit a snag, but will hopefully be updated soon.

If you have any other questions, feel free to reach out! The forums will be a great place to work together on this.

photo
3

Hey folk! I don't typically share bug-type-updates after the fact here, but I wanted to let y'all know about something that came up with the update to 2.4.27. We found overnight that prefork is not compatible with HTTP/2. From the Apache mailing list:

  1. In 2.4.26 I changed the (undocumented) default from 1 to 4 h2 workers, which brought us to the issue I linked. The easy fix is 'H2MaxWorkers 1' in the config and you have the pre-2.4.26 behaviour.
  2. Regardless of the discussion if the change in 2.4.26 was reasonable or not: it is not possible to map the prefork single-thread requirement on to HTTP/2. Not going to work. One long running request, one websocket opened, and your browser will stall.
  3. This is not a bug, it is the collision of the processing models.

There's a thread over on the cPanel forums for discussion:

https://forums.cpanel.net/threads/prefork-and-http2.605799/

Comments have been locked on this page!