Enabling http/2 in Apache 2.4 does not work

Problem description

We are trying to enable http/2 on Apache 2.4, but with no success. The server OS is FreeBSD 11.2, and the OpenSSL version is 1.0.2o.

We have a real and valid SSL Certificate with the rating A+ at Qualys SSL Server Test.

No errors in log files, the server restarts without any problems or errors. Accessing the website with https:// works, but the browser always downgrades to http/1.1.

We have this in our virtual section:

<Directory />
    Require         all granted
    AllowOverride   All
    SSLOptions      +StdEnvVars
</Directory>

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions      +StdEnvVars
</FilesMatch>

H2Direct on
Protocols h2 h2c http/1.1

Options                    None
SSLEngine                  On
SSLHonorCipherOrder        On
SSLSessionTickets          Off
SSLCompression             Off
SSLCipherSuite             "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
SSLProtocol                All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCertificateFile          "/usr/local/www/apache24/certs/server.crt"
SSLCertificateKeyFile       "/usr/local/www/apache24/certs/server.key"
SSLCertificateChainFile     "/usr/local/www/apache24/certs/intermediate.crt"

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

---UPDATE---

root@srv04:/usr/home/user # httpd -V
Server version: Apache/2.4.35 (FreeBSD)
Server built:   unknown
Server's Module Magic Number: 20120211:82
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     prefork
threaded:     no
forked:     yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_USE_FLOCK_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/local"
-D SUEXEC_BIN="/usr/local/bin/suexec"
-D DEFAULT_PIDLOG="/var/run/httpd.pid"
-D DEFAULT_SCOREBOARD="/var/run/apache_runtime_status"
-D DEFAULT_ERRORLOG="/var/log/httpd-error.log"
-D AP_TYPES_CONFIG_FILE="etc/apache24/mime.types"
-D SERVER_CONFIG_FILE="etc/apache24/httpd.conf"

---ALPN FROM QUALYS---

ALPN    Yes   http/1.1

---CHROME---

Chrome 49 / XP SP3 RSA 2048 (SHA256) TLS 1.2 > http/1.1     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1  FS
Chrome 69 / Win 7 R RSA 2048 (SHA256) TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1  FS
Chrome 70 / Win 10 RSA 2048 (SHA256) TLS 1.2 > http/1.1     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1  FS

Recommended answer

Apache does not support HTTP/2 with prefork MPM. This was added in 2.4.27:

*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork. The server will continue to run, but HTTP/2 will no longer be negotiated. [Stefan Eissing]

The Prefork MPM is basically incompatible with the way HTTP/2 is implemented. There should be a warning in your error logs after restart telling you this.

Prefork is also a very old MPM that is slow, so those sites that want HTTP/2 probably shouldn't be using it anyway. It should only really be used if you are running non-threadsafe PHP applications (threadsafe ones should move to Event MPM and php-fpm (which is basically how Nginx runs as it does not offer a prefork equivalent)). Unfortunately it is also the default on many Apache installs (just in case people use thread-unsafe PHP applications?), and often you cannot change it without downloading and recompiling it.

More info on MPMs here: https://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use
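
As an added example (not part of the original question or answer, and not Apache project code), the check below applies the answer's rule to the `httpd -V` output and `Protocols` line from the question, and includes a live ALPN probe that reports the same thing as the Qualys "ALPN" row. The function names and the abridged sample strings are assumptions made for illustration.

```python
import re
import socket
import ssl

# Constructed samples, abridged from the httpd -V output and vhost config in the question.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.35 (FreeBSD)\nServer MPM:     prefork\n"
SAMPLE_VHOST = "H2Direct on\nProtocols h2 h2c http/1.1\nSSLEngine On\n"


def parse_httpd_v(text):
    """Return ((major, minor, patch), mpm) from `httpd -V` output."""
    ver = re.search(r"^Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text, re.M)
    mpm = re.search(r"^\s*Server MPM:\s*(\S+)", text, re.M)
    if not ver or not mpm:
        raise ValueError("input does not look like httpd -V output")
    return tuple(int(g) for g in ver.groups()), mpm.group(1).lower()


def configured_protocols(conf):
    """Protocols from the last Protocols directive (simplification: vhost scoping ignored)."""
    protos = []
    for line in conf.splitlines():
        words = line.split()
        if words and words[0].lower() == "protocols":  # directive names are case-insensitive
            protos = [w.lower() for w in words[1:]]
    return protos


def h2_status(httpd_v, conf):
    """Return (can_negotiate_h2, reason) for the given build and configuration."""
    version, mpm = parse_httpd_v(httpd_v)
    if "h2" not in configured_protocols(conf):
        return False, "h2 is not listed in Protocols"
    if mpm == "prefork" and version >= (2, 4, 27):
        # Changelog entry quoted in the answer: mod_http2 is disabled under prefork.
        return False, "mod_http2 is disabled under prefork since 2.4.27"
    if mpm == "prefork":
        return True, "h2 is configured; this build predates the 2.4.27 prefork cutoff"
    return True, f"h2 is configured and the MPM is {mpm}"


def negotiated_alpn(host, port=443, timeout=5):
    """Live check: offer h2 and http/1.1 via ALPN, return the protocol the server selects."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    print(h2_status(SAMPLE_HTTPD_V, SAMPLE_VHOST))
```

After switching MPM, `negotiated_alpn()` against your own host should return `h2` instead of `http/1.1`.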
