SOLVED HTTP/2 enabled, site is still served http 1.1

[vexx]

Hello,

I've recently activated http2 on my server via EA and while everything installed correctly, the site is still served HTTP 1.1. I've tried all the HTTP2 checkers online, every site is telling me that HTTP2 is enabled with ALPN support. I've checked the Apache config files, everything is set-up correctly, including the vhost.

If I check the site in Chrome devtools (and some additional Chrome plugins), it's served HTTP 1.1. The only things that are h2, are ads or other services. I've done a lot of reading on the matter, I know prefork isn't compatible, fortunately, I have mpm_event installed for a while. The site is served via https and everything seems to be in place.

I have no clue where to look and how to debug this issue.

Thanks a lot in advance for any tips or information.

 

[kdean]

Did you make sure to use https and not http? h2 only works over https.

Did you try emptying your browser cache just in case you're seeing the cached versions and the protocol they used originally?

 

[vexx]

Ya, the site is https only, everything HTTP is redirected. I also cleared the browser cache, site cache etc...same result. I will also leave the site URL here, hope it's not against the TOS.

[Moderator note: removed hyperlink]

 

[kdean]

Everything loaded via h2 for me at your link.

 

[vexx]

how did you test it? I cannot get h2 to load with anything..curl, chrome devtools...anything

[Moderator note: removed screenshot]

 

[kdean]

Google Chrome 83.0.4103.97 on MacOS

[Moderator note: removed screenshot]

 

[vexx]

Found the issue, which is strange, I have Bitdefender Security installed, which scans SSL certs and I think, it replaces them when serving the content. However, for some sites that were h2 as well, this wasn't an issue so that's why I excluded everything from my computer. I still don't understand why it does that, but if I disable the feature, it works.

Thanks a lot, I really appreciate the help.

 

[kdean]

Just did some quick research and Bitdefender Security and other similar SSL Scanning features seem like a bad idea since I saw reports of them slowing down connections, causing SSL key pair issues, increasing the chance of a man-in-the-middle hacks on the transmissions, etc... and now we see it may block the proper negotiation of h2 protocol connections for some servers. Seems the usual sometime too much security can just be bad or worse in other ways than the protection they supposedly provide.

 

[SamuelM]

Hello @vexx

I'm glad to see you were able to identify the problem. I confirmed the site loads with HTTP/2 for me as well. Thanks to kdean for assisting you with this. I've removed the hyperlink you originally shared for your site as well as the screenshots posted in this thread which exposed your domain name.

I will go ahead and mark this thread as Solved.

Best regards