HTTP2 on NGINX (Ubuntu/Debian)

Short story

Nahian Abdullah
Jul 25, 2017 · 2 min read

Assuming that you already have an nginx setup serving content over https, having http2 is as simple as adding a single word http2 in your nginx configuration.

server {
listen 443 ssl http2;

ssl_certificate /etc/nginx/ssl/yourserver.crt;
ssl_certificate_key /etc/nginx/ssl/yourserver.key;

...
}

Voila! Now, it just works and serves content over http2.

Long story — requirements

Not so fast if you are NOT running a later version of nginx on a fairly newer version of OS. Here, you can see that browsers expects a few things from server to use http2 protocol http://caniuse.com/#feat=http2. Notable things are.

  1. Web server must provide TLS
  2. Web server must support protocol negotiation via ALPN

I was using an nginx/1.10.3 on Ubuntu/14.04.3. This setup did not support ALPN.

Verify and prepare

$ nginx -V
nginx version: nginx/1.10.3
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: ... --with-http_v2_module ...

Look for the --with-http_v2_module argument. Otherwise, your installation of nginx does not support http2.

Here, the OpenSSL/1.0.1f does not support ALPN for protocol negotiation. That means you need some more work to upgrade both openssl and nginx. Now, you have several options starting from upgrading OS to have compatible nginx and openssl available. However, I did not want to change anything on my OS. So, I found some help to install an NGINX that compiles with OpenSSL/1.0.2 statically linked. You can see details here if the page is still around. You can however build both openssl and nginx by yourself if that suits you. I took a pass and basically this is what I did.

$ sudo service nginx stop
$ sudo apt-get remove nginx nginx-common
$ sudo add-apt-repository ppa:ondrej/nginx
$ sudo apt-get update
$ sudo apt-get install nginx
$ sudo service nginx start

Now, I have following versions and http2 works fine.

$ nginx -V
nginx version: nginx/1.12.1
built with OpenSSL 1.0.2l 25 May 2017

A note on self-signed server with ssl/tls

If Chrome sees some problem in signing with SSL/TLS(yes, that includes non-verified self-signed certificates), it will not cache any Ajax response. So, you’ll get a penalty if you depend on a lot of Ajax requests. Then, all the Ajax requests you are expecting to be served from browser cache or served with 304 because of headers like If-None-Match, will eventually be always served from the server.

Cheers!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade