author | Tom Rhodes <trhodes@FreeBSD.org> | 2020-10-25 02:49:33 +0000 |
---|---|---|
committer | Tom Rhodes <trhodes@FreeBSD.org> | 2020-10-25 02:49:33 +0000 |
commit | 466a67283be41cfb1e2453d45f7129c74f46156f (patch) | |
tree | 46b1de3355e46a858dc465c53dfe553230e2528e /en_US.ISO8859-1/books | |
parent | 0580b1408946a8609c822ee264abaa3dc7f41c1c (diff) | |
Add a section on HTTP2 with Apache.
Reviewed by: bcr, brnrd
Differential Revision: https://reviews.freebsd.org/D26850
Notes:
svn path=/head/; revision=54630
Diffstat (limited to 'en_US.ISO8859-1/books')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/network-servers/chapter.xml | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml index 2ebcb7710f..77cf17177e 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml 
@@ -3724,6 +3724,119 @@ LoadModule ssl_module libexec/apache24/mod_ssl.so</programlisting> <filename>php.ini-production</filename>. These are starting points to assist administrators in their deployment.</para> </sect3> + + <sect3> + <info> + <title>HTTP2 Support</title> + </info> + + <para><application>Apache</application> support for + the <acronym>HTTP</acronym>2 protocol is included by default + when installing the port with <command>pkg</command>. The new + version of <acronym>HTTP</acronym> includes many improvements + over the previous version, including utilizing a single + connection to a website, reducing overall roundtrips of + <acronym>TCP</acronym> connections. Also, packet header data + is compressed and <acronym>HTTP</acronym>2 requires + encryption by default.</para> + + <para>When <application>Apache</application> is configured to + only use <acronym>HTTP</acronym>2, web browsers will + require secure, encrypted <acronym>HTTPS</acronym> + connections. When <application>Apache</application> is + configured to use both versions, <acronym>HTTP</acronym>1.1 + will be considered a fall back option if any issues + arise during the connection.</para> + + <para>While this change does require administrators to make + changes, they are positive and equate to a more secure + Internet for everyone. The changes are only required for + sites not currently implementing <acronym>SSL</acronym> + and <acronym>TLS</acronym>.</para> + + <note> + <para>This configuration depends on the previous sections, + including <acronym>TLS</acronym> support. 
It is + recommended those instructions be followed before + continuing with this configuration.</para> + </note> + + <para>Start the process by enabling the + <acronym>http</acronym>2 module by uncommenting the line in + <filename>/usr/local/etc/apache24/httpd.conf</filename> and + replace the mpm_prefork module with mpm_event as the former + does not support <acronym>HTTP</acronym>2.</para> + + <programlisting>LoadModule http2_module libexec/apache24/mod_http2.so +LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so</programlisting> + + <note> + <para>There is a separate + <filename role="port">mod_http2</filename> port that is + available. It exists to deliver security and bug fixes + quicker than the module installed with the bundled + <filename role="port">apache24</filename> port. It is + not required for <acronym>HTTP</acronym>2 support but + is available. When installed, the + <filename>mod_h2.so</filename> should be used in place + of <filename>mod_http2.so</filename> in the + <application>Apache</application> configuration.</para> + </note> + + <para>There are two methods to implement <acronym>HTTP</acronym>2 + in <application>Apache</application>; one way is globally for + all sites and each VirtualHost running on the system. To enable + <acronym>HTTP</acronym>2 globally, add the following line + under the ServerName directive:</para> + + <programlisting>Protocols h2 http/1.1</programlisting> + + <note> + <para>To enable <acronym>HTTP</acronym>2 over plaintext, + use <acronym>h2</acronym> <acronym>h2c</acronym> + <acronym>http</acronym>/1.1 in the + <filename>httpd.conf</filename>.</para> + </note> + + <para>Having the <acronym>h2c</acronym> here will allow + plaintext <acronym>HTTP</acronym>2 data to pass on the + system but is not recommended. 
In addition, using the + <acronym>http</acronym>/1.1 here will allow fallback + to the <acronym>HTTP</acronym>1.1 version of the protocol + should it be needed by the system.</para> + + <para>To enable <acronym>HTTP</acronym>2 for individual + VirtualHosts, add the same line within the VirtualHost + directive in either <filename>httpd.conf</filename> or + <filename>httpd-ssl.conf</filename>.</para> + + <para>Reload the configuration using the + <command>apachectl</command> <parameter>reload</parameter> command + and test the configuration either by using either of the + following methods after visiting one of the hosted pages:</para> + + <screen>&prompt.root; <userinput>grep "HTTP/2.0" /var/log/httpd-access.log</userinput></screen> + + <para>This should return something similar to the following:</para> + + <programlisting>192.168.1.205 - - [18/Oct/2020:18:34:36 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:19:57 -0400] "GET / HTTP/2.0" 304 - +192.0.0.205 - - [18/Oct/2020:19:20:52 -0400] "GET / HTTP/2.0" 304 - +192.0.2.205 - - [18/Oct/2020:19:23:10 -0400] "GET / HTTP/2.0" 304 -</programlisting> + + <para>The other method is using the web browser's built + in site debugger or <command>tcpdump</command>; however, + using either method is beyond the scope of this + document.</para> + + <para>Support for <acronym>HTTP</acronym>2 reverse + proxy connections by using the + <filename>mod_proxy_http2.so</filename> module. When + configuring the ProxyPass or RewriteRules [P] statements, + they should use h2:// for the connection.</para> + </sect3> + + </sect2> <sect2> |
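Review bot: The opening paragraph's claim that "HTTP2 requires encryption by default" conflicts with the later note in this same section that shows how to enable plaintext HTTP2 with h2c. Suggest rewording it along the lines of the second paragraph (web browsers require HTTPS for HTTP2), and having the h2c paragraph state why plaintext is not recommended instead of only saying that it is not. The step that replaces mpm_prefork with mpm_event shows only the two LoadModule lines to enable, so the text or the programlisting should also tell the reader to comment out the existing mpm_prefork LoadModule line. Smaller points: the final paragraph ("Support for HTTP2 reverse proxy connections by using the mod_proxy_http2.so module.") is a fragment with no verb; "either by using either of the following methods" repeats "either" and only one method follows; and the sample log mixes 192.168.1.205 and 192.0.0.205 with the documentation address 192.0.2.205, where using 192.0.2.x throughout would be consistent.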