Setting up nginx with HTTP/2 via ALPN on Debian 8
Recently I asked myself why the assets on the project I maintain (licornemag.com) aren't delivered over HTTP/2 but over HTTP/1.1, even though the server is preconfigured to use Nginx's http2 module.
After a short investigation I found that Chrome has switched to the newer Application-Layer Protocol Negotiation (ALPN) extension for TLS negotiation. ALPN requires at least OpenSSL 1.0.2 installed on the server. Debian only supports OpenSSL up to 1.0.1, so the Nginx repository has no builds for it based on OpenSSL 1.0.2.
The first and most obvious option would be to recompile everything from source, and to do the same every time you decide to update Nginx to the latest version.
The other option is to install precompiled builds from sources that are not officially supported for this setup. OpenSSL 1.0.2 is available from the jessie-backports repository, and Nginx (precompiled with OpenSSL 1.0.2) is available in the Ubuntu 16.04 LTS builds.
To do that, add the following sources to /etc/apt/sources.list:
# jessie-backports, from stretch-level but with no dependencies
deb http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://httpredir.debian.org/debian/ jessie-backports main contrib non-free
# Nginx repository - use Ubuntu 16.04 LTS Xenial to get packages compiled with OpenSSL 1.0.2
deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx
And then run the following commands in the terminal:
# refresh the package lists so the newly added sources are used
apt-get update
apt-get install -t jessie-backports openssl
apt-get install nginx
This method obviously puts you into an officially unsupported configuration, but perhaps that’s better than not having a package at all — and it worked for me. Plus, using nginx’s repo means you get fresh updates.
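To confirm that the switch took effect, the following added example (not from the original post) checks the OpenSSL version reported by `nginx -V` against the 1.0.2 minimum for ALPN and reads the negotiated protocol from `openssl s_client` output. The function names and sample outputs are constructed for illustration, and requiring both the built-with and running-with versions to be 1.0.2 or later is this example's conservative assumption.

```shell
#!/bin/sh
# Added example, not from the original post. All sample outputs are constructed.

# Succeeds if OpenSSL version $1 (e.g. "1.0.2g") is at least 1.0.2.
openssl_supports_alpn() {
    ver=${1%%[!0-9.]*}                 # drop letter suffix: 1.0.2g -> 1.0.2
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 2 ]
}

# stdin: `nginx -V 2>&1`. Prints the OpenSSL version nginx was built with and,
# if nginx reports one, the different version it is running with.
nginx_openssl_versions() {
    grep '^built with OpenSSL' | grep -o 'OpenSSL [0-9][^ )]*' | sed 's/^OpenSSL //'
}

# stdin: `openssl s_client -alpn ...` output. Prints the selected protocol, if any.
negotiated_alpn() { sed -n 's/^ALPN protocol: //p' | head -n 1; }

# $1 = nginx -V output, $2 = s_client output. Prints a one-line verdict.
verdict() {
    vers=$(printf '%s\n' "$1" | nginx_openssl_versions)
    proto=$(printf '%s\n' "$2" | negotiated_alpn)
    [ -n "$vers" ] || { echo "FAIL: no OpenSSL version in nginx -V output"; return 0; }
    for v in $vers; do
        openssl_supports_alpn "$v" || { echo "FAIL: OpenSSL $v is too old for ALPN"; return 0; }
    done
    if [ "$proto" = h2 ]; then echo "OK: h2 negotiated via ALPN"
    else echo "FAIL: OpenSSL is new enough but h2 was not selected"; fi
}

NGINX_OLD='nginx version: nginx/1.11.1
built with OpenSSL 1.0.1t  3 May 2016'
NGINX_NEW='nginx version: nginx/1.11.1
built with OpenSSL 1.0.2g  1 Mar 2016'
NGINX_MIXED='nginx version: nginx/1.11.1
built with OpenSSL 1.0.2g  1 Mar 2016 (running with OpenSSL 1.0.1t  3 May 2016)'
SCLIENT_NONE='CONNECTED(00000003)
No ALPN negotiated'
SCLIENT_H2='CONNECTED(00000003)
ALPN protocol: h2'

verdict "$NGINX_OLD" "$SCLIENT_NONE"
verdict "$NGINX_MIXED" "$SCLIENT_NONE"
verdict "$NGINX_NEW" "$SCLIENT_H2"
```

On a real server, pass `$(nginx -V 2>&1)` as the first argument and the output of `openssl s_client -alpn h2,http/1.1 -connect HOST:443 -servername HOST </dev/null 2>/dev/null` as the second, where HOST is a placeholder. The machine running `s_client` also needs OpenSSL 1.0.2 or later for the `-alpn` option.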
Originally published at sergii.rocks.