Apache - 已启用 http/2,但仍使用 http/1.1

Apache - 已启用 http/2,但仍使用 http/1.1

在 CentOS 7、PHP 7.2.14 上运行 Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips,我已按照以下指南安装并启用了 http/2https://www.tunetheweb.com/performance/http2/。没有报告任何错误并且模块已加载但页面仍然通过 http/1.1 提供服务。

这不是由于使用 prefork mpm(使用了事件)。

这不是浏览器缓存问题(Chrome 开发工具已打开并且缓存已禁用;我也使用过https://tools.keycdn.com/http2-test)。

服务器已重启多次。

conf 文件在主体和 VirtualHost 部分多次包含以下指令:

Protocols h2 http/1.1

SSL 协议指令为:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

错误日志输出(设置为调试级别):

[Sun Feb 03 08:14:28.563204 2019] [ssl:warn] [pid 15944:tid 140617433143168] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sun Feb 03 08:14:28.563263 2019] [http2:info] [pid 15944:tid 140617433143168] AH03090: mod_http2 (v1.11.4, feats=CHPRIO+SHA256+INVHD+DWINS, nghttp2 1.36.0), initializing...
[Sun Feb 03 08:14:28.567088 2019] [mpm_event:notice] [pid 15944:tid 140617433143168] AH00489: Apache/2.4.38 (Unix) OpenSSL/1.0.2k-fips configured -- resuming normal operations

httpd -V 的输出:

Server version: Apache/2.4.38 (Unix)
Server built:   Jan 31 2019 09:55:17
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

apachectl -M 的输出:

Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (static)
 xsendfile_module (shared)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 http2_module (shared)
 lua_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_scgi_module (shared)
 proxy_wstunnel_module (shared)
 ssl_module (shared)
 systemd_module (shared)
 cgid_module (shared)

从 phpinfo() 中提取的屏幕截图:

php信息

如有任何想法我将不胜感激。

答案1

从 Apache 方面看,一切似乎都设置得很好,并且可以看到您在 HTTP 标头中返回了升级建议。我只能建议您在 Apache 前面放置其他东西(例如 LoadBalancer?),它执行 SSL 终止而不使用 ALPN,从而阻止 HTTP/2。

测试这个的最简单方法是从你的服务器运行以下命令:

openssl s_client -alpn h2 -connect 127.0.0.1:443 -status

并查看连接到本地主机时是否支持 ALPN。

如果是,请再次尝试使用您的域,看看连接到您的域时是否不支持 ALPN。这表明负载平衡器或类似设备位于您的 Apache 实例前面并终止 SSL,并且它不支持 ALPN。

答案2

谢谢巴里·波拉德让我走上正轨,这是一个 ALPN 问题。我们没有负载平衡器,但需要将 SSL 作为静态库(而不是共享模块)编译到 Apache 中才能支持 ALPN。重新编译 Apache 后,我现在有了 http/2

相关内容