Topic: HTTP/2 + mod_proxy: security considerations

Author: fukonine (Joined: 30 May 2025, Posts: 1)
Posted: Fri 30 May '25 9:49

Hi Apache folks!

some context:

I’m mainly using Apache as a reverse proxy (though I like the fact it can be used both for proxying and classic web server applications), and recently I had to add a reverse proxy vhost with an http/2 backend.

I used mod proxy http/2 and it worked well, but all my other vhosts, that use the “classic” mod proxy, started to answer clients in http2 since I had to enable the module.

questions:


    is using the http2 module together with the classical mod proxy (http1.1) secure? I mean, I guess the server downgrades http2 requests before sending them to the backend, and I read in many places that http2 downgrading came with security issues (e.g. https://www.usenix.org/system/files/sec22-jabiyev.pdf)

    would you recommend using h2 for the backend as well to circumvent that? I wonder what people do when configuring reverse proxies like that, and what is best in terms of performance.

    less importantly, out of curiosity, do some of you use Apache only for its reverse proxy feature?


I found the docs of mod proxy http2 and of http2 itself hard to understand regarding what happens when used in conjunction with http1.1 configurations, like when it downgrades (if it does?) and so on.

Here are some additional resources about the potential security issues mentioned above:



There is not that much discussion about this topic on the Internet (afaik), and so I'd like to up this post which is more focused on discussing this topic than on a support request.

Note that this post is a repost from a reddit post on r/apache. Unfortunately, I got no answer on reddit, but here is the link to the original post: https://www.reddit.com/r/apache/comments/1kpvnkm/http2_mod_proxy_questions_on_performances_and/

Edit: I specify that I use apache 2.4.62 on debian 12, but I think it is not relevant considering my question.

Thank you!
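Added example, not part of the original post: a configuration sketch that scopes the client-facing protocol per vhost with the core `Protocols` directive, so that only the vhost with the HTTP/2 backend speaks h2 to clients and the HTTP/1.1-backed vhosts never receive an h2 request that would have to be translated. It assumes the h2 answers on the other vhosts come from a server-wide `Protocols` line that took effect when the module was enabled; host names, backend addresses and certificate paths are placeholders.

```apache
# Added example. Host names, ports and file paths are placeholders.
# mod_http2 stays loaded because mod_proxy_http2 depends on it; what each
# vhost offers to clients is decided by Protocols, not by the module load.

# Server-wide default: offer only HTTP/1.1 to clients.
# A vhost speaks h2 to clients only if it opts in below.
Protocols http/1.1

# vhost with the HTTP/2 backend: h2 towards clients and towards the backend.
<VirtualHost *:443>
    ServerName h2app.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    Protocols h2 http/1.1

    # h2:// is HTTP/2 over TLS (mod_proxy_http2); h2c:// would be cleartext.
    SSLProxyEngine on
    ProxyPass        "/" "h2://backend-h2.internal:8443/"
    ProxyPassReverse "/" "https://backend-h2.internal:8443/"
</VirtualHost>

# vhost with an HTTP/1.1 backend: clients are held to HTTP/1.1, so the
# proxy forwards HTTP/1.1 to HTTP/1.1 and no h2-to-h1 conversion happens.
<VirtualHost *:443>
    ServerName legacy.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    Protocols http/1.1

    ProxyPass        "/" "http://backend-h1.internal:8080/"
    ProxyPassReverse "/" "http://backend-h1.internal:8080/"
</VirtualHost>
```

The negotiated protocol per vhost can be checked with `curl -sI --http2 -o /dev/null -w '%{http_version}\n' https://legacy.example.org/`, which should report `1.1` for the second vhost and `2` for the first. The trade-off is that clients of the HTTP/1.1-only vhosts lose h2 multiplexing, and the mod_proxy_http2 documentation marks that module as experimental.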