# Apache HTTP2 doesn't load page



## Nathaniel (Feb 3, 2017)

Hi.
Trying to test HTTP2 on my server v.10.3, but no luck and don't know how to debug and what to do.

```
curl 7.52.1 (amd64-portbld-freebsd10.3) libcurl/7.52.1 OpenSSL/1.0.2k zlib/1.2.8 libidn2/0.16 nghttp2/1.19.0
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy

http2 module loaded

 [http2:info] [pid 1161] AH03090: mod_http2 (v1.8.3, feats=CHPRIO+SHA256+INVHD, nghttp2 1.19.0), initializing...
[mpm_prefork:notice] [pid 1161] AH00163: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.2k mpm-itk/2.4.7-03 mod_perl/2.0.10 Perl/v5.24.1 configure
```
Page doesn't load in browser/ Curl test:

```
curl -v --http2 https://host.net
* Rebuilt URL to: https://host.net/
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to host.net (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:mad:STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=host.net
*  start date: Jan 30 11:17:00 2017 GMT
*  expire date: Apr 30 11:17:00 2017 GMT
*  subjectAltName: host "host.net" matched cert's "host.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x80287c000)
> GET / HTTP/1.1
> Host: host.net
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
```
HTTP  the same

```
* Rebuilt URL to: http://host.net/
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to host.net (xx.xx.xx.xx) port 80 (#0)
> GET / HTTP/1.1
> Host: host.net
> User-Agent: curl/7.52.1
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAA
>
< HTTP/1.1 101 Switching Protocols
< Upgrade: h2c
< Connection: Upgrade
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
```

And no data like

```
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 301
< location: https://www.facebook.com/
< strict-transport-security: max-age=15552000; preload
< vary: Accept-Encoding
< cache-control: public, max-age=2592000
< content-type: text/plain
< content-length: 0
< server: proxygen
< date: Fri, 03 Feb 2017 13:43:28 GMT
<
* Curl_http_done: called premature == 0
* Connection #0 to host facebook.com left intact
```

`curl -I --http2 https://host.net` - no luck. To break I push Ctrl+C

Nothing in access log &  error log

What can it be?


----------



## ShelLuser (Feb 3, 2017)

If there's nothing in the logfiles (are you sure you checked the right ones? On Apache you can have separate logfiles per website) then I think it's safe to conclude that you didn't contact the right machine. Does the DNS record actually resolve to the right IP address?


----------



## Nathaniel (Feb 3, 2017)

Yes, i have a separate logfile. If I change protocol order configuration in virtual host
from

```
Protocols h2 http/1.1
```
to

```
Protocols http/1.1 h2
```
it works well and logging, but over http 1.1


----------



## ShelLuser (Feb 3, 2017)

Try using h2c instead of h2, also see the mod_http2 documentation. Best to rule out TLS problems first.


----------



## Nathaniel (Feb 3, 2017)

Yes, it works over ClearText. So the problem is in TLS.

I use

```
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
```

and was trying other, all HIGH and MEDIUM, no sense.

aha HowTo said:
Almost all modern browsers support HTTP/2, but only over SSL connections


----------



## drhowarddrfine (Feb 4, 2017)

Yes. I wish I paid more attention to your post but your link is correct. While HTTP/2 does not need SSL to work, all browsers that work with HTTP/2 use SSL by default and won't work without it.


----------

