diff --git a/modules/ocf/manifests/nginx_proxy.pp b/modules/ocf/manifests/nginx_proxy.pp index e4a910be7..3a7e7a410 100644 --- a/modules/ocf/manifests/nginx_proxy.pp +++ b/modules/ocf/manifests/nginx_proxy.pp @@ -12,6 +12,8 @@ $ssl_key = "/etc/ssl/private/${::fqdn}.key", $ssl_dhparam = '/etc/ssl/dhparam.pem', + $http2 = $ssl, + # Accept any other arbitrary options passed in and pass them on to # nginx::resource::server $nginx_options = {}, @@ -33,6 +35,7 @@ proxy_set_header => concat($base_headers, $proxy_set_header), listen_port => 443, + http2 => $http2, ssl => true, ssl_cert => $ssl_cert, ssl_key => $ssl_key, @@ -63,6 +66,7 @@ }, listen_port => 443, + http2 => true, ssl => true, ssl_cert => $ssl_cert, ssl_key => $ssl_key, diff --git a/modules/ocf_apphost/files/vhost-app.jinja b/modules/ocf_apphost/files/vhost-app.jinja index 67a4b35c8..3fed4bbbb 100644 --- a/modules/ocf_apphost/files/vhost-app.jinja +++ b/modules/ocf_apphost/files/vhost-app.jinja @@ -1,9 +1,19 @@ # {{vhost.comment}} server { - listen {{vhost.port}}; - listen [::]:{{vhost.port}}; server_name "{{vhost.fqdn}}"; + {% if vhost.ssl %} + listen {{vhost.port}} ssl http2; + listen [::]:{{vhost.port}} ssl http2; + + ssl_certificate {{vhost.ssl.bundle}}; + ssl_certificate_key {{vhost.ssl.key}}; + add_header Strict-Transport-Security "max-age=31536000"; + {% else %} + listen {{vhost.port}}; + listen [::]:{{vhost.port}}; + {% endif %} + location /.well-known/ { alias /var/lib/lets-encrypt/.well-known/; } @@ -26,11 +36,4 @@ server { } access_log /var/log/nginx/vhost_access.log vhost; - - {% if vhost.ssl %} - ssl on; - ssl_certificate {{vhost.ssl.bundle}}; - ssl_certificate_key {{vhost.ssl.key}}; - add_header Strict-Transport-Security "max-age=31536000"; - {% endif %} } diff --git a/modules/ocf_apphost/templates/default-vhost.erb b/modules/ocf_apphost/templates/default-vhost.erb index ff14fbaa9..2cbaabd6c 100644 --- a/modules/ocf_apphost/templates/default-vhost.erb 
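Review bot: The new `$http2 = $ssl,` parameter is the only entry in this parameter list without a comment stating its contract, while `$nginx_options` directly below it is documented. Add `# Enable HTTP/2 on the TLS listener; defaults to following $ssl because browsers only negotiate h2 over TLS` above it, and give it a `Boolean` type if the neighbouring parameters carry types (the class header is outside the hunk, so I cannot tell). Note that the parameter is honoured by the hunk at line 35 but the second server block in the hunk at line 66 hard-codes `http2 => true` instead.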
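Review bot: `http2 => $http2,` hands a Puppet Boolean to nginx::resource::server, so the value type of the vendored module's http2 parameter should be confirmed: upstream puppet-nginx has historically typed it as an 'on'/'off' string, in which case a Boolean fails the parameter check at catalog compile rather than quietly producing a listen line without h2. The same applies to the `http2 => true` lines in the hunk at line 66 and in modules/ocf_docker/manifests/init.pp. If the module does expect the string form and puppetlabs-stdlib is available, `http2 => bool2str($http2, 'on', 'off'),` keeps the Boolean class parameter while mapping at the edge. The enclosing resource declaration starts before the hunk.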
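Review bot: The second server block enables HTTP/2 unconditionally with `http2 => true,` while the block in the hunk at line 35 honours the `$http2` parameter, so a caller passing `http2 => false` (for example because the nginx build lacks the http_v2 module or a backend misbehaves on h2) still gets h2 on this listener. Worse, nginx applies the http2 listen flag to the whole address:port socket, so if both blocks share the 443 socket this unconditional value effectively overrides `$http2 = false` for the first block as well. Use `http2 => $http2,` here too, or add a comment stating why this block deliberately ignores the parameter. The resource this attribute belongs to starts before the hunk, so I cannot see which server it configures.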
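Review bot: `add_header Strict-Transport-Security "max-age=31536000";` now sits at server scope just before the `location /.well-known/` block, and nginx drops server-level add_header directives inside any location that declares its own add_header, so the HSTS header can silently vanish for part of the vhost (the remaining location blocks of this server are outside the hunk). Add `# NOTE: add_header is not inherited by a location that sets its own add_header; repeat HSTS there` above it and check the locations below for add_header directives. The `{% else %}` branch keeps the plain listener only for non-TLS vhosts, so a TLS vhost gets no port-80 listener from this template; if the HTTP-to-HTTPS redirect is generated elsewhere, a one-line comment pointing to it would help the next reader.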
+++ b/modules/ocf_apphost/templates/default-vhost.erb @@ -11,11 +11,10 @@ server { # HTTPS default vhost server { - listen 443 default_server; - listen [::]:443 default_server; + listen 443 default_server ssl http2; + listen [::]:443 default_server ssl http2; server_name apphost.ocf.berkeley.edu; - ssl on; ssl_certificate /etc/ssl/private/<%= @fqdn %>.bundle; ssl_certificate_key /etc/ssl/private/<%= @fqdn %>.key; diff --git a/modules/ocf_docker/manifests/init.pp b/modules/ocf_docker/manifests/init.pp index 4e5c11431..bd162e4c0 100644 --- a/modules/ocf_docker/manifests/init.pp +++ b/modules/ocf_docker/manifests/init.pp @@ -31,6 +31,7 @@ nginx::resource::server { default: listen_port => 443, + http2 => true, ssl => true, ssl_cert => "/etc/ssl/private/${::fqdn}.bundle", diff --git a/modules/ocf_mesos/manifests/master/webui.pp b/modules/ocf_mesos/manifests/master/webui.pp index c1996b822..7b9b3c949 100644 --- a/modules/ocf_mesos/manifests/master/webui.pp +++ b/modules/ocf_mesos/manifests/master/webui.pp @@ -30,6 +30,7 @@ manage_repo => false, confd_purge => true, server_purge => true, + http2 => true, nginx_cfg_prepend => { 'load_module' => '"modules/ngx_http_auth_pam_module.so"', }, diff --git a/modules/ocf_mirrors/manifests/init.pp b/modules/ocf_mirrors/manifests/init.pp index 1b2665156..2eb318196 100644 --- a/modules/ocf_mirrors/manifests/init.pp +++ b/modules/ocf_mirrors/manifests/init.pp @@ -75,6 +75,12 @@ include apache::mod::headers include apache::mod::status + # Support http2 (rt#5957) + apache::mod { 'http2':; } + apache::custom_config { 'http2': + content => "Protocols h2 http/1.1\n", + } + # Restart apache if any cert changes occur Class['ocf::ssl::default'] ~> Class['Apache::Service'] diff --git a/modules/ocf_ssh/manifests/webssh.pp b/modules/ocf_ssh/manifests/webssh.pp index 376dc003f..c475e0891 100644 --- a/modules/ocf_ssh/manifests/webssh.pp +++ b/modules/ocf_ssh/manifests/webssh.pp 
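Review bot: `http2 => true,` is placed among `manage_repo`, `confd_purge` and `server_purge`, which look like parameters of the top-level nginx class rather than of an nginx::resource::server, so it is worth confirming that the vendored module accepts http2 at that level and that it propagates to the listen directives of the server resources declared in this manifest (the class declaration starts before the hunk and the server resources are outside it). The hunk in modules/ocf_ssh/manifests/webssh.pp makes the same class-level change. If the module only honours http2 per server resource, the flag here is rejected or silently ignored, and the value belongs on those resources instead.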
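Review bot: The `apache::mod { 'http2':; }` and `apache::custom_config { 'http2': ... }` pair added here duplicates, line for line, the new class ocf_www::mod::http2 introduced in this same commit, so a later change to the `Protocols h2 http/1.1` policy (tightening to h2 only, or adding h2c) has to be made in two places. Either `include ocf_www::mod::http2` here, or move the class into the shared ocf module and include it from both manifests. A comment is also warranted that mod_http2 only negotiates h2 under a threaded MPM (event or worker); under prefork Apache logs a warning and keeps serving HTTP/1.1, which nothing in the hunk guards against.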
@@ -23,6 +23,7 @@ manage_repo => false, confd_purge => true, server_purge => true, + http2 => true, } # Restart nginx if any cert changes occur diff --git a/modules/ocf_www/manifests/mod/http2.pp b/modules/ocf_www/manifests/mod/http2.pp new file mode 100644 index 000000000..0405828f8 --- /dev/null +++ b/modules/ocf_www/manifests/mod/http2.pp @@ -0,0 +1,8 @@ +class ocf_www::mod::http2 { + # Support http2 (rt#5957) + apache::mod { 'http2':; } + + apache::custom_config { 'http2': + content => "Protocols h2 http/1.1\n", + } +} diff --git a/modules/ocf_www/manifests/site/www.pp b/modules/ocf_www/manifests/site/www.pp index 7025e3028..6b98ceada 100644 --- a/modules/ocf_www/manifests/site/www.pp +++ b/modules/ocf_www/manifests/site/www.pp @@ -19,6 +19,7 @@ include apache::mod::status include ocf_www::mod::cgi include ocf_www::mod::fcgid + include ocf_www::mod::http2 include ocf_www::mod::ocfdir include ocf_www::mod::php include ocf_www::mod::suexec
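Review bot: class ocf_www::mod::http2 has no header comment; the only explanation is the inline `# Support http2 (rt#5957)`, which names the ticket but not the contract. Add above the class line a comment along the lines of `# Enables Apache mod_http2 and advertises h2 (HTTP/2 over TLS) with http/1.1 fallback through a global Protocols directive; needs a threaded MPM, as h2 is not negotiated under prefork.` Since the Protocols line is installed server-wide rather than per vhost, every TLS vhost on a host that includes this class offers h2; that is reasonable but worth stating in the same comment.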
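Review bot: `include ocf_www::mod::http2` is added next to `ocf_www::mod::php`, `ocf_www::mod::cgi` and `ocf_www::mod::suexec`; if ocf_www::mod::php installs mod_php rather than php-fpm it typically forces the prefork MPM, under which mod_http2 refuses to negotiate h2 and clients silently stay on HTTP/1.1, so this include may have no effect on the www site. Worth verifying which MPM the host ends up with after the catalog applies (for instance from `apachectl -V` and `apachectl -M` on the host) and, if it is prefork, either moving to php-fpm with mpm_event or documenting that h2 is intentionally unavailable on www. The include list is alphabetically ordered and the new entry is correctly placed.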