apache2 - http2 / h2 proxy configuration with WampServer

In this short article we would like to show how to configure http2 (called h2 over TSL) proxy with Apache 2.4.

Note: presented below configuration shoul be working on Linux too.

1. Prerequrements

Go to this article to see how to confiugure http2 / h2 that is requred by h2 proxy.

Note: configuration was tested on Apache 2.4.39 installed as WampServer x64 under Windows 10.

2. Enabling Apache 2.4 modules

In this case we need to enable only 2 modules: proxy_module and proxy_http2_module.

We can do it in 2 ways:

• from context menu:
  Apache -> Apache modules -> proxy_module
  Apache -> Apache modules -> proxy_http2_module
  optionally we can enable:
  Apache -> Apache modules -> proxy_http_module
• from configuration file c:\wamp64\bin\apache\apache2.4.39\conf\httpd.conf by uncommenting following lines:

  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http2_module modules/mod_proxy_http2.so

  optionally we can enable:

  LoadModule proxy_http_module modules/mod_proxy_http.so

3. Setting Apache 2.4 configurations

It is necessary to create new one VirtualHost with http2 / h2 proxy.

We should select one of below configuration.

3.1. Simple solution

This approach is useful when we have proxy on same apache2 server and it is not required to verify corectness of certificate.

Solution: open c:\wamp64\bin\apache\apache2.4.39\conf\extra\httpd-vhosts.conf file and add as last configuration following VirtualHost:

<VirtualHost *:443>
  ServerName localhost
  ServerAlias localhost
  SSLEngine on
  SSLCertificateKeyFile "${INSTALL_DIR}/bin/apache/apache2.4.39/conf/cert/localhost.key"
  SSLCertificateFile "${INSTALL_DIR}/bin/apache/apache2.4.39/conf/cert/localhost.crt"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  Protocols h2 http/1.1
  SSLProxyEngine on
  ProxyPass "/tomcat" "h2://localhost:8080"
  ProxyPassReverse "/tomcat" "https://localhost:8080"
</VirtualHost>

Where:

• https://localhost/tomcat will be redirected to https://localhost:8080 with h2 protocol,
• reverse proxy will provide bidirectional communication that is required by http2 protocol.

Note: read this article to know more about http2 / h2 proxy configuration.

3.2. Disabled verification

This approach is useful when servers are in internal network and we don't need to take care of additional security - checking details of certificates like domain, whi signed certificate etc. can be disabled.

e.g. we want to redirect requests from Apache 2.4 to Spring Boot Application that uses Tomcat 9

Solution: open c:\wamp64\bin\apache\apache2.4.39\conf\extra\httpd-vhosts.conf file and add as last configuration following VirtualHost:

<VirtualHost *:443>
  ServerName localhost
  ServerAlias localhost
  SSLEngine on
  SSLCertificateKeyFile "${INSTALL_DIR}/bin/apache/apache2.4.39/conf/cert/localhost.key"
  SSLCertificateFile "${INSTALL_DIR}/bin/apache/apache2.4.39/conf/cert/localhost.crt"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  Protocols h2 http/1.1
  SSLProxyEngine on
  SSLProxyVerify none 
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ProxyPass "/tomcat" "h2://localhost:8080"
  ProxyPassReverse "/tomcat" "https://localhost:8080"
</VirtualHost>

4. Verify HTTP2 / h2 pxoxy

Type in web browser address bar https://localhost/tomcat and confirm with Enter key.

Screenshot: