Why is HTTP/2 Disabled?

Asked by Alex Poth on 2016-01-07

I have spent a good amount of time searching and going through archives to try and find the reasoning behind why HTTP/2 support is disabled in Nginx for the upcoming 16.04 release.

All I can find is that it is disabled for a security mandate, but I cannot find that discussion, nor the reason why, anywhere.

Can HTTP/2 not at least be enabled for the extras package so we have the choice to enable it?

Best Thomas Ward (teward) said : #1

You didn't look hard enough.

https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1510096/comments/2 is the mandate from the Security team that came down, specifically targeting the Merge request.

There is also an ongoing discussion for enabling HTTP/2 post-release via SRU, on the Ubuntu Release mailing list, where an ad-hoc discussion between myself, Robie Basak (of Canonical), Seth Arnold (of the Security Team), and Marc Deslauriers (of the Security Team) discussed HTTP/2 and why we don't enable it, and the long term plan for HTTP/2. That conversation is in the attachment on this message: https://lists.ubuntu.com/archives/ubuntu-release/2016-January/003499.html

In short, though, the Security team doesn't always publish every reason for something being disabled. Will HTTP/2 be enabled in Xenial at some point? Almost certain of it. In the meantime, however, it's remaining disabled, and if you want HTTP/2 you can utilize the NGINX Mainline PPA which has HTTP/2 enabled in the -full and -extras flavors: https://launchpad.net/~nginx/+archive/ubuntu/development (This PPA is also maintained by myself, and matches the Ubuntu Xenial nginx version, but does not disable HTTP/2 nor does it introduce Ubuntu specific changes introduced with the merge).

Alex Poth (alex-poth) said : #2

Thanks for the comprehensive reply, I'm not very experienced with searching on here so Google let me down on not finding that.

It is good to hear that it could be enabled at some point, we prefer to stick with the distro provided packages where possible, but I have two aging servers which will need upgrading and it is just planning ahead when/which distro to ensure we are up to date, secure but also with ability to use the latest features such as HTTP/2 in the next couple of years, without requiring another distro/major version change.

Alex Poth (alex-poth) said : #3

Thanks Thomas Ward, that solved my question.

Thomas Ward (teward) said : #4

I will add to this: It is entirely possible HTTP/2 will be enabled after Xenial release, if the Release/SRU teams have no issue with this for nginx. To that end, you will need to have the `xenial-updates` repository enabled after release to be sure you get an NGINX version that has HTTP/2 included in it, once Xenial releases.

CORPARIT (corparit) said : #6

Thank you Thomas! This information is quite essential for my research.

Seth Arnold (seth-arnold) said : #7

Thomas and the nginx team have convinced me that nginx's http/2 implementation is widely used and mature enough to enable before 16.04 LTS release.

Thanks

CORPARIT (corparit) said : #8

So, I may conclude that the nginx HTTP/2 module will be available in the 16.04 LTS release. Am I right?

Thomas Ward (teward) said : #9

CORPARIT:

Currently, there is a pending 1.9.13 upload that needs Release team review before I can upload it - it doesn't have HTTP/2 enabled. I'm planning to make another upload soon after that (the relevant teams know the details) and that next upload for Xenial will have HTTP/2 support re-added to the packages.

CORPARIT (corparit) said : #10

Thank you! Happy that it will come in LTS version.

Alex Poth (alex-poth) said : #11

Great news, sounds like I can upgrade our ageing 12.04 web server sooner rather than later :)