Apache2 (HTTPD) Reverse proxy http2


Posted

Hello there,

I'm trying to set up HTTP/2 on my Apache2 server. Sadly, being a user of Let's Encrypt (as most of us are, I suppose), the process is a real disaster. From what I could understand, my link needs to be going through HTTPS all along the way for HTTP/2 to work. But Emby cannot work on the HTTPS port without a certificate in PKCS12, which would require a real headache to maintain. Did anyone actually manage to make a nice Apache2 config and find a solution?

    # Placeholders: where Emby listens (8096 is its plain-HTTP port) and the public hostname.
    Define host_url localip
    Define host_port 8096
    Define serv_name youserver.com

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerName ${serv_name}
    # HTTP/2 over TLS needs mod_http2. h2c is cleartext HTTP/2 and never
    # applies on a TLS vhost, so it is left out of the list.
    Protocols h2 http/1.1

    # Apache 2.4 access control; "Order Allow,Deny" / "Allow from all" is 2.2
    # syntax that only works with mod_access_compat loaded.
    <Proxy *>
    Require all granted
    </Proxy>

    # Emby's WebSocket endpoint goes through mod_proxy_wstunnel, everything else
    # is plain HTTP to the same port. The specific path is declared before "/"
    # so the catch-all does not swallow it. (The original mixed RewriteRule [P]
    # catch-alls with these ProxyPass lines and pointed the "/" ProxyPass at
    # https:// on the HTTP port, so only one of the two sets could ever apply.)
    ProxyPass "/embywebsocket" "ws://${host_url}:${host_port}/embywebsocket"
    ProxyPassReverse "/embywebsocket" "ws://${host_url}:${host_port}/embywebsocket"

    ProxyPass "/" "http://${host_url}:${host_port}/"
    ProxyPassReverse "/" "http://${host_url}:${host_port}/"

    # To talk to Emby's HTTPS port with a self-signed backend certificate instead,
    # switch the two targets above to wss:// and https://, point host_port at that
    # port, and add:
    #   SSLProxyEngine On
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerCN off
    #   SSLProxyCheckPeerName off

### Add headers ###
    # Tells Emby the client connection is TLS even though the hop to Emby is not.
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    Header always set Strict-Transport-Security "max-age=15552000"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Robots-Tag none
    # Legacy header; current browsers ignore it, harmless to keep.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "same-origin"
    Header always set Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)"

    SSLCertificateFile /fullchain.pem
    SSLCertificateKeyFile /yourkey.pem
    # certbot's snippet: SSLEngine on plus its own SSLProtocol/SSLCipherSuite choices.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

In case it may help some people, here is my config, which works pretty fine. If some people want to contribute or have found some way to optimize it, feel free to say so :)

Posted (edited)

FWIW I've done some testing with http2 and honestly the performance was way worse than http1.1. I see little reason to have it enabled.

Edit: You can use a self-signed certificate for your Emby configuration because you can ignore the certificate check in your reverse proxy config, so you only need to replace the PFX as often as the expiry you set for it. It matters that the reverse proxy certificate is valid, but the backend doesn't really matter, as long as it has something that works to listen on the port.

Edit 2: It might be beneficial to add these options as well. They help with keeping sessions open for remote users when they pause. I was finding sessions were being dropped, so you'd resume a direct play and it would play for a bit and then just stop, and you could only resume by backing out and resuming playback.

# Persistent connections; Timeout is the per-connection I/O timeout in seconds
# (Apache's default is 60). 6000 s keeps a paused stream's connection alive, but
# it applies server-wide, so stalled clients also hold worker slots that much longer.
KeepAlive On
Timeout 6000

And some additional hardening:

# TLS 1.2 and 1.3 only (same effect as "-all +TLSv1.2 +TLSv1.3").
SSLProtocol TLSv1.2 +TLSv1.3
# Forward-secret AEAD suites only: !kRSA drops static-RSA key exchange,
# !SHA1/!SHA256/!SHA384 drop the CBC+HMAC suites (AEAD suites use MAC=AEAD and
# are kept), leaving ECDHE/DHE with AES-GCM and ChaCha20-Poly1305. TLS 1.3
# suites are configured separately via "SSLCipherSuite TLSv1.3 ...".
SSLCipherSuite HIGH:!MEDIUM:!SSLv3:!kRSA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL
# Prefer the server's cipher order over the client's.
SSLHonorCipherOrder on

Edited by Lessaj
Posted

OK, I see, thank you for your feedback :). About the PFX part you are right; I mean we could also add our own authority to the truststore so there's no error, but I don't think it's very convenient though.

Actually, very good trick you have here; I'll add it to my config and update my original post in case someone wants to get inspired.

About the hardening, I was wondering for days about the official Mozilla recommendation, which would lead to this:

# TLS 1.3 only. Within one scope the last SSLProtocol wins, so a later one in the
# same VirtualHost (for example certbot's options-ssl-apache.conf, which re-enables
# TLS 1.2) overrides this line.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

# OCSP stapling. SSLStaplingCache is only valid in the global server context,
# not inside a VirtualHost.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"


TLS 1.3 has been supported for long enough that there are very few cases where TLS 1.2 would be necessary, even if with this config TLS 1.2 is still activated somehow.
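
Putting the two practical questions from the last two posts into runnable form, as an added example (this is not code from the thread, from Emby, or from certbot): a POSIX shell script that builds the long-lived self-signed certificate and PKCS#12 (PFX) file for the Emby backend that Lessaj suggests, tells you how long that PFX stays valid so you know when to replace it, and handshakes with the public side of the Apache proxy to show which TLS version and ALPN protocol were actually negotiated and whether a TLS 1.2-only handshake is still accepted. Everything concrete in it is an assumption to adapt: the function names, the output directory, the SAN `IP:192.168.1.10`, the password and the host name; it needs the openssl command-line tool (1.1.1 or newer, for `-addext`).

```shell
#!/bin/sh
# Added example for this thread, not the original poster's config or Emby's own
# tooling. Needs the openssl CLI (1.1.1+). All names, paths and the SAN are
# placeholders.
set -eu

# make_emby_pfx OUTDIR SAN DAYS PASSWORD
#   SAN is "DNS:name" or "IP:addr" (whatever the proxy connects to). Writes
#   OUTDIR/emby-backend.key, OUTDIR/emby-backend.crt and OUTDIR/emby.pfx and
#   prints the certificate's notAfter date. With "SSLProxyVerify none" on the
#   Apache side the certificate only has to exist and be unexpired, so a long
#   DAYS value is what makes the self-signed backend low-maintenance.
make_emby_pfx() {
    outdir=$1; san=$2; days=$3; password=$4
    cn=${san#*:}                       # "IP:192.168.1.10" -> "192.168.1.10"
    mkdir -p "$outdir"
    # RSA 2048 for maximum compatibility with the backend's TLS stack.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$outdir/emby-backend.key" -out "$outdir/emby-backend.crt" \
        >/dev/null 2>&1
    # The password goes through the environment, not argv, so it does not show
    # up in `ps`. Add -legacy on OpenSSL 3 if the backend cannot read the
    # PBES2/AES-encrypted PKCS#12 that OpenSSL 3 produces by default.
    PFX_PASS=$password openssl pkcs12 -export \
        -inkey "$outdir/emby-backend.key" -in "$outdir/emby-backend.crt" \
        -name emby-backend -passout env:PFX_PASS -out "$outdir/emby.pfx"
    chmod 600 "$outdir/emby-backend.key" "$outdir/emby.pfx"
    openssl x509 -in "$outdir/emby-backend.crt" -noout -enddate | sed 's/^notAfter=//'
}

# pfx_valid_for PFX PASSWORD DAYS
#   Exit 0 if the certificate inside PFX is still valid DAYS days from now,
#   non-zero otherwise (also non-zero if the password is wrong or the file is
#   unreadable). Run it from cron to learn when the PFX has to be replaced.
pfx_valid_for() {
    pfx=$1; password=$2; days=$3
    PFX_PASS=$password openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null
}

# check_front_proxy HOST [PORT]
#   Handshakes with the public side of the Apache proxy offering ALPN h2 and
#   prints the negotiated TLS version and ALPN protocol, then tries a
#   TLS 1.2-only handshake. That tells you whether the SSLProtocol line you
#   think is active really is (a later SSLProtocol in the same scope, e.g.
#   from an Include, wins). Needs network access; not run by the self-test.
check_front_proxy() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -alpn h2 2>/dev/null \
        | grep -E 'Protocol *:|^ALPN protocol' || echo "handshake with $host:$port failed"
    if printf '' | openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 >/dev/null 2>&1; then
        echo "TLS 1.2: accepted"
    else
        echo "TLS 1.2: rejected"
    fi
}

# Usage: sh emby-pfx.sh OUTDIR SAN DAYS PASSWORD
#   e.g. sh emby-pfx.sh /etc/emby/ssl IP:192.168.1.10 3650 changeme
if [ "$#" -eq 4 ]; then
    printf 'backend certificate valid until: %s\n' "$(make_emby_pfx "$@")"
fi
```

Run it on the Emby host as `sh emby-pfx.sh /etc/emby/ssl IP:192.168.1.10 3650 changeme`, point Emby's custom SSL certificate setting at the resulting `emby.pfx`, and put `pfx_valid_for /etc/emby/ssl/emby.pfx changeme 30 || echo 'replace the Emby PFX'` in a cron job so the replacement is not a surprise. `check_front_proxy youserver.com` from outside then prints lines like `Protocol  : TLSv1.3` and `ALPN protocol: h2`; if it reports that TLS 1.2 is accepted while the config above was meant to allow only 1.3, a later SSLProtocol directive in the same scope (such as the certbot Include inside the VirtualHost) is overriding it.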

Posted

Yeah, so far I haven't seen that it would be an issue to disable TLSv1.2, but I've left it enabled with support for 1.3 as well. I get an A+ rating on SSL Labs with this configuration.

I was also thinking about this a little more, and I think the performance issues I was seeing were when I was connecting to the proxy backend with http2, but I don't want to touch my config too much right now to verify the results again. So you can enable http2 on the reverse proxy, but don't use h2 for the ProxyPass; just keep using https. I couldn't figure out why connecting to the backend with http2 degraded performance as badly as it did, but the reason I was doing that was because it would still show http1.1 on the dashboard for client playback, since the reverse proxy would still connect to the backend with http1.1. Ultimately I stuck with http1.1 because I didn't see any performance benefits using http2, even though I know there should be some.
