Chapter 7. Enabling HTTP/2 for the Red Hat JBoss Web Server
The Hypertext Transfer Protocols are standard methods of transmitting data between applications (such as servers and browsers) over the internet. HTTP/2 improves on HTTP/1.1 by providing enhancements such as:
- header compression - reducing the size of the header transmitted by omitting implied information, and
- multiple requests and responses over a single connection - using binary framing to break down response messages, as opposed to textual framing.
Using HTTP/2 with the Red Hat JBoss Web Server:
- is supported for encrypted connections over TLS (h2).
- is not supported for unencrypted connections over TCP (h2c).
Prerequisites
- Root user access (Red Hat Enterprise Linux and Solaris systems), or
- Administrative access (Windows Server).
- Red Hat JBoss Web Server 5.0 or higher
- The following operating system native libraries (provided by jws-application-server-5.0.0-<platform>-<architecture>.zip where available):
  - Tomcat Native, for example:
        jws-5.0/tomcat/lib/libtcnative-1.so
  - Apache Portable Runtime (APR):
        jws-5.0/tomcat/lib/libapr-1.so.0.6.3
    Where the APR libraries are provided by jws-application-server-5.0.0-<platform>-<architecture>.zip for Red Hat Enterprise Linux, the libraries will be a symbolic link to:
        jws-5.0/jbcs-apr-1.6.3/lib64/libapr-1.so.0.6.3
  - OpenSSL, for example:
        jws-5.0/tomcat/lib/libcrypto.so.1.0.2n
        jws-5.0/tomcat/lib/libssl.so.1.0.2n
    Where the OpenSSL libraries are provided by jws-application-server-5.0.0-<platform>-<architecture>.zip for Red Hat Enterprise Linux, the libraries will be symbolic links to:
        jws-5.0/jbcs-openssl-1.0.2n/openssl/lib64/libcrypto.so.1.0.2n
        jws-5.0/jbcs-openssl-1.0.2n/openssl/lib64/libssl.so.1.0.2n
- A connector that supports the HTTP/2 protocol with SSL enabled. For JBoss Web Server 5.0, the connectors with HTTP/2 protocol support are:
  - The APR Native connector (APR)
  - The NIO connector with JSSE + OpenSSL (JSSE)
  - The NIO2 connector with JSSE + OpenSSL (JSSE)
Procedure
Enable HTTP/2 for a connector:
- Add the HTTP/2 upgrade protocol (<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />) to the connector in the server configuration JWS_HOME/tomcat/conf/server.xml.
  For example:
      <Connector port="8443"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 maxThreads="150" SSLEnabled="true">
          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
          <SSLHostConfig>
              <Certificate certificateKeystoreFile="/KeyStore.jks"
                           certificateKeystorePassword="changeit"
                           type="RSA" />
          </SSLHostConfig>
      </Connector>
  server.xml contains an example connector definition for the APR protocol with the upgrade protocol to HTTP/2:
      <Connector port="8443"
                 protocol="org.apache.coyote.http11.Http11AprProtocol"
                 maxThreads="150" SSLEnabled="true">
          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
          <SSLHostConfig>
              <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                           certificateFile="conf/localhost-rsa-cert.pem"
                           certificateChainFile="conf/localhost-rsa-chain.pem"
                           type="RSA" />
          </SSLHostConfig>
      </Connector>
- Restart the Red Hat JBoss Web Server as the root user to apply the changed configuration.
  - For SysV (Red Hat Enterprise Linux 6) users:
        # service jws5-tomcat restart
  - For systemd (Red Hat Enterprise Linux 7) users:
        # systemctl restart jws5-tomcat.service
  - For Red Hat Enterprise Linux users running Red Hat JBoss Web Server using startup.sh:
        # JWS_HOME/sbin/shutdown.sh
        # JWS_HOME/sbin/startup.sh
  - For Solaris users:
        # sh JWS_HOME/tomcat/bin/daemon.sh stop
        # sh JWS_HOME/tomcat/bin/daemon.sh start
  - For Windows Server users:
        # net stop tomcat9
        # net start tomcat9
Next Steps
Verify that HTTP/2 is enabled by reviewing the Red Hat JBoss Web Server logs or by using the curl command:
- Check the console output log (JWS_HOME/tomcat/logs/catalina.out) to verify that the "connector has been configured to support negotiation to [h2]":
      $ cat JWS_HOME/tomcat/logs/catalina.out | grep 'h2'
      06-Apr-2018 04:49:26.201 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8443"] connector has been configured to support negotiation to [h2] via ALPN
- Or verify using curl (for versions of curl that support HTTP2):
  Note: To check curl for HTTP/2 support:
      $ curl -V
      curl 7.55.1 (x86_64-redhat-linux-gnu) ...
      Release-Date: 2017-08-14
      Protocols: dict file ftp ftps gopher http https ...
      Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy Metalink PSL
  For example, when the HTTP/2 protocol is inactive:
      $ curl -I http://<JBoss_Web_Server>:8080/
      HTTP/1.1 200
      ...
  But if the HTTP/2 protocol is active, curl returns:
      $ curl -I https://<JBoss_Web_Server>:8443/
      HTTP/2 200
      ...
  Where <JBoss_Web_Server> is the URI of the modified connector (such as example.com), and the port number is dependent on your configuration.
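As an added example (not part of the Red Hat documentation), a static check of server.xml can complement the log and curl checks: it reports which connectors will offer h2, flags an UpgradeProtocol placed on a connector without SSLEnabled="true" (h2c, which is not supported), and flags a keystore that still uses the example password changeit. The sample XML is constructed for illustration and audit_connectors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

H2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample (not a real deployment): one plain connector, one TLS
# connector with h2, and one plain connector with the upgrade added by mistake.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/KeyStore.jks"
                     certificateKeystorePassword="changeit" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return {port: {"h2": bool, "findings": [str, ...]}} for every Connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        upgrade = any(u.get("className") == H2_CLASS
                      for u in conn.findall("UpgradeProtocol"))
        findings = []
        if upgrade and not tls:
            # The page states h2c (cleartext HTTP/2) is not supported.
            findings.append("HTTP/2 upgrade on a non-TLS connector (h2c is not supported)")
        for cert in conn.iter("Certificate"):
            if cert.get("certificateKeystorePassword") == "changeit":
                findings.append("keystore still uses the example password 'changeit'")
        # h2 is only offered when TLS and the upgrade protocol are both present.
        report[conn.get("port")] = {"h2": tls and upgrade, "findings": findings}
    return report


if __name__ == "__main__":
    for port, result in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "h2" if result["h2"] else "no h2", *result["findings"], sep=" | ")
```

To audit a real installation, pass the contents of JWS_HOME/tomcat/conf/server.xml to audit_connectors instead of the sample string.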
Additional Resources
- For additional information on using HTTP/2, see: Apache Tomcat 9 Configuration Reference: The HTTP Connector - HTTP/2 Support.
- For information on the HTTP/2 Upgrade Protocol and the supported attributes, see: Apache Tomcat 9 Configuration Reference: The HTTP2 Upgrade Protocol.
- The proposed internet standard for HTTP/2: IETF: RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)