HTTP/2 with NGINX on Debian Jessie
Today I upgraded my web server to support HTTP/2 protocol. It is the first major upgrade to the HTTP protocol in over 15 years and should speed up your website. It also has the ability to use a single TCP connection from a browser to a website. NGINX experimentally introduced HTTP/2 in version 1.9.5 (September 2015).
Chrome will stop supporting the TLS protocol extension NPN, which allows servers to negotiate SPDY and HTTP/2 connections with clients. SPDY and NPN support will be removed with the release of Chrome 51.
My server is running Debian Jessie operating system. Workaround to make HTTP/2 enabled with ALPN support is to install NGINX v1.10 from Debian Stretch repository, because ALPN requires libssl1.0.2 (in Jessie repository there is only 1.0.1). Yea I know it isn't the best solution, but I'm aware of the consequences :)
Installation and configuration
Add debian stretch repository
vim /etc/apt/sources.list
deb http://ftp.debian.org/debian jessie main contrib non-free deb http://ftp.debian.org/debian jessie-updates main contrib non-free deb http://security.debian.org jessie/updates main contrib non-free deb http://httpredir.debian.org/debian/ stretch main contrib non-free deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free deb http://security.debian.org/ stretch/updates main contrib non-free deb-src http://security.debian.org/ stretch/updates main contrib non-free # stretch-updates, previously known as 'volatile' deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
Configure APT pinning
vim /etc/apt/preferences.d/stretch
Package: * Pin: release n=jessie Pin-Priority: 900 Package: * Pin: release n=stretch Pin-Priority: 100
Install nginx
apt-get update apt-get install -t stretch nginx
Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libnginx-mod-http-auth-pam libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libssl1.0.2 nginx-common nginx-full Suggested packages: fcgiwrap nginx-doc The following NEW packages will be installed: libnginx-mod-http-auth-pam libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libssl1.0.2 nginx nginx-common nginx-full
Configure nginx site
vim /etc/nginx/sites-enabled/vsefer.com
server {
listen 80;
server_name vsefer.com www.vsefer.com;
return 301 https://vsefer.com$request_uri;
}
server {
listen 443 ssl http2;
server_name vsefer.com www.vsefer.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/vsefer.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vsefer.com/privkey.pem;
ssl_session_timeout 60m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
........
}Reload nginx
/etc/init.d/nginx reload
Test your page online or via openssl CLI
openssl s_client -servername vsefer.com -connect vsefer.com:443 -nextprotoneg ''
CONNECTED(00000003) Protocols advertised by server: h2, http/1.1 ....
And if everything goes well, you should see
Add new comment