Add http2 support for apache/nginx (rt#5957)

modules/ocf/manifests/nginx_proxy.pp

@@ -12,6 +12,8 @@
   $ssl_key     = "/etc/ssl/private/${::fqdn}.key",
   $ssl_dhparam = '/etc/ssl/dhparam.pem',
 
+  $http2 = $ssl,
+
   # Accept any other arbitrary options passed in and pass them on to
   # nginx::resource::server
   $nginx_options = {},
@@ -33,6 +35,7 @@
         proxy_set_header => concat($base_headers, $proxy_set_header),
 
         listen_port      => 443,
+        http2            => $http2,
         ssl              => true,
         ssl_cert         => $ssl_cert,
         ssl_key          => $ssl_key,
@@ -63,6 +66,7 @@
           },
 
           listen_port       => 443,
+          http2             => true,
           ssl               => true,
           ssl_cert          => $ssl_cert,
           ssl_key           => $ssl_key,

modules/ocf_apphost/files/vhost-app.jinja

@@ -1,9 +1,19 @@
 # {{vhost.comment}}
 server {
-    listen {{vhost.port}};
-    listen [::]:{{vhost.port}};
     server_name "{{vhost.fqdn}}";
 
+    {% if vhost.ssl %}
+        listen {{vhost.port}} ssl http2;
+        listen [::]:{{vhost.port}} ssl http2;
+
+        ssl_certificate {{vhost.ssl.bundle}};
+        ssl_certificate_key {{vhost.ssl.key}};
+        add_header Strict-Transport-Security "max-age=31536000";
+    {% else %}
+        listen {{vhost.port}};
+        listen [::]:{{vhost.port}};
+    {% endif %}
+
     location /.well-known/ {
         alias /var/lib/lets-encrypt/.well-known/;
     }
@@ -26,11 +36,4 @@ server {
     }
 
     access_log /var/log/nginx/vhost_access.log vhost;
-
-    {% if vhost.ssl %}
-        ssl on;
-        ssl_certificate {{vhost.ssl.bundle}};
-        ssl_certificate_key {{vhost.ssl.key}};
-        add_header Strict-Transport-Security "max-age=31536000";
-    {% endif %}
 }

modules/ocf_apphost/templates/default-vhost.erb

@@ -11,11 +11,10 @@ server {
 
 # HTTPS default vhost
 server {
-    listen 443 default_server;
-    listen [::]:443 default_server;
+    listen 443 default_server ssl http2;
+    listen [::]:443 default_server ssl http2;
     server_name apphost.ocf.berkeley.edu;
 
-    ssl on;
     ssl_certificate /etc/ssl/private/<%= @fqdn %>.bundle;
     ssl_certificate_key /etc/ssl/private/<%= @fqdn %>.key;
 

modules/ocf_docker/manifests/init.pp

@@ -31,6 +31,7 @@
   nginx::resource::server {
     default:
       listen_port       => 443,
+      http2             => true,
 
       ssl               => true,
       ssl_cert          => "/etc/ssl/private/${::fqdn}.bundle",

modules/ocf_mesos/manifests/master/webui.pp

@@ -30,6 +30,7 @@
     manage_repo       => false,
     confd_purge       => true,
     server_purge      => true,
+    http2             => true,
     nginx_cfg_prepend => {
       'load_module' => '"modules/ngx_http_auth_pam_module.so"',
     },

modules/ocf_mirrors/manifests/init.pp

@@ -75,6 +75,12 @@
   include apache::mod::headers
   include apache::mod::status
 
+  # Support http2 (rt#5957)
+  apache::mod { 'http2':; }
+  apache::custom_config { 'http2':
+    content => "Protocols h2 http/1.1\n",
+  }
+
   # Restart apache if any cert changes occur
   Class['ocf::ssl::default'] ~> Class['Apache::Service']
 

modules/ocf_ssh/manifests/webssh.pp

@@ -23,6 +23,7 @@
     manage_repo  => false,
     confd_purge  => true,
     server_purge => true,
+    http2        => true,
   }
 
   # Restart nginx if any cert changes occur

modules/ocf_www/manifests/mod/http2.pp

@@ -0,0 +1,8 @@
+class ocf_www::mod::http2 {
+  # Support http2 (rt#5957)
+  apache::mod { 'http2':; }
+
+  apache::custom_config { 'http2':
+    content => "Protocols h2 http/1.1\n",
+  }
+}

modules/ocf_www/manifests/site/www.pp

@@ -19,6 +19,7 @@
   include apache::mod::status
   include ocf_www::mod::cgi
   include ocf_www::mod::fcgid
+  include ocf_www::mod::http2
   include ocf_www::mod::ocfdir
   include ocf_www::mod::php
   include ocf_www::mod::suexec