HTTP/2 with NGINX on Debian Jessie

Today I upgraded my web server to support the HTTP/2 protocol. It is the first major upgrade to the HTTP protocol in over 15 years and should speed up your website. It can also use a single TCP connection from a browser to a website. NGINX experimentally introduced HTTP/2 in version 1.9.5 (September 2015).

Chrome will stop supporting the TLS protocol extension NPN, which allows servers to negotiate SPDY and HTTP/2 connections with clients. SPDY and NPN support will be removed with the release of Chrome 51.  

My server is running the Debian Jessie operating system. The workaround to enable HTTP/2 with ALPN support is to install NGINX v1.10 from the Debian Stretch repository, because ALPN requires libssl1.0.2 (the Jessie repository has only 1.0.1). Yeah, I know it isn't the best solution, but I'm aware of the consequences :)

Installation and configuration

Add the Debian Stretch repository

vim /etc/apt/sources.list
deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://ftp.debian.org/debian jessie-updates main contrib non-free
deb http://security.debian.org jessie/updates main contrib non-free

deb http://httpredir.debian.org/debian/ stretch main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free

Configure APT pinning

vim /etc/apt/preferences.d/stretch
Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: *
Pin: release n=stretch
Pin-Priority: 100

Install nginx

apt-get update
apt-get install -t stretch nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libnginx-mod-http-auth-pam libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
  libssl1.0.2 nginx-common nginx-full
Suggested packages:
  fcgiwrap nginx-doc
The following NEW packages will be installed:
  libnginx-mod-http-auth-pam libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
  libssl1.0.2 nginx nginx-common nginx-full

Configure nginx site

vim /etc/nginx/sites-enabled/vsefer.com
server {
        listen 80;
        server_name vsefer.com www.vsefer.com;
        return 301 https://vsefer.com$request_uri;
}

server {
        listen 443 ssl http2;
        server_name vsefer.com www.vsefer.com;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/vsefer.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/vsefer.com/privkey.pem;
        ssl_session_timeout 60m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_session_cache shared:SSL:50m;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security max-age=15768000;       
        ........
}

Reload nginx

/etc/init.d/nginx reload

Test your page online or via the openssl CLI

openssl s_client -servername vsefer.com -connect vsefer.com:443 -nextprotoneg ''
CONNECTED(00000003)
Protocols advertised by server: h2, http/1.1
....
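
The -nextprotoneg option above lists what the server advertises over NPN, while the reason for pulling in libssl1.0.2 is ALPN. The following script is an added example, not part of the original post: it classifies openssl s_client output as ALPN, NPN-only or neither. The function names and the sample output are constructed for illustration, and probe assumes an openssl client that supports both -alpn and -nextprotoneg.

```sh
#!/bin/sh
# Added example (not from the original post): tell ALPN apart from NPN
# in `openssl s_client` output.

# classify_h2: read s_client output on stdin, print how h2 is offered:
#   alpn      h2 selected via ALPN (needs OpenSSL >= 1.0.2 on the server)
#   npn-only  h2 only in the NPN list (what the -nextprotoneg test shows)
#   none      h2 not offered
classify_h2() {
    awk '
        /^ALPN protocol: / {
            sub(/^ALPN protocol: */, "")
            if ($0 == "h2") alpn = 1
            next
        }
        /^Protocols advertised by server: / {
            sub(/^Protocols advertised by server: */, "")
            n = split($0, p, /, */)
            for (i = 1; i <= n; i++) if (p[i] == "h2") npn = 1
        }
        END { print (alpn ? "alpn" : (npn ? "npn-only" : "none")) }
    '
}

# probe HOST [PORT]: run an ALPN and an NPN handshake against a live server.
# Assumes an openssl client with -alpn (1.0.2+) and NPN compiled in.
probe() {
    host=$1; port=${2:-443}
    {
        openssl s_client -servername "$host" -connect "$host:$port" \
            -alpn h2,http/1.1 </dev/null 2>/dev/null
        openssl s_client -servername "$host" -connect "$host:$port" \
            -nextprotoneg '' </dev/null 2>/dev/null
    } | classify_h2
}

# Constructed sample: a server still linked against OpenSSL 1.0.1 (NPN only).
sample_npn_only() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'Protocols advertised by server: h2, http/1.1' \
        'No ALPN negotiated'
}

sample_npn_only | classify_h2   # prints: npn-only
```

Run probe vsefer.com after the reload; a result of npn-only means nginx is still linked against the older libssl and Chrome 51 and later will fall back to HTTP/1.1.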

And if everything goes well, you should see
