December 08, 2015

HTTP 2.0 With Nginx

Installing the latest Nginx from the MAINLINE branch to get http2 support.

We'll install Nginx with HTTP2 on Ubuntu 14.04. We can use the ppa:nginx/development repository, which pulls from the MAINLINE branch of Nginx. While this is not the "STABLE" branch, it's actually considered stable, or even more stable, as it mainly includes bug fixes rather than bleeding-edge code.

UPDATE: Nginx has since released 1.10 as a STABLE release. This is essentially the 1.9 "mainline" branch merged into stable and tagged as 1.10. Keep an eye out within ppa:nginx/stable for 1.10 to show up! However, I wouldn't be afraid to keep using ppa:nginx/development.

sudo add-apt-repository ppa:nginx/development
sudo apt-get update
sudo apt-get install nginx

Here's the Nginx configuration we'll use. We need to enable only the TLS protocol versions, as some browsers require that for HTTP2. Note that we took the configuration from H5BP's Nginx configuration, my go-to place for Nginx SSL configuration.

This is file /etc/nginx/sites-available/secure as created in the video:

server {
    listen 443 ssl http2;

    server_name example.com;
    root /var/www/html;

    # @link https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/ssl.conf
    ssl on; # redundant with the "ssl" parameter on listen above, kept from the H5BP snippet
    ssl_certificate     /etc/ssl/example/example.crt;
    ssl_certificate_key /etc/ssl/example/example.key;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2; # TLS versions only, no SSLv2/SSLv3
    ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers  on;
    ssl_session_cache    shared:SSL:10m; # a 1MB cache holds about 4000 sessions, so 10MB holds about 40000
    ssl_session_timeout  24h;
    keepalive_timeout 300; # up from the 75 second default

    location / {
        try_files $uri $uri/ =404;
    }
}

Don't forget to symlink that to sites-enabled:

sudo ln -s /etc/nginx/sites-available/secure /etc/nginx/sites-enabled/secure

sudo service nginx configtest
sudo service nginx reload
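Before running configtest and reloading, it is worth linting the server block above for the mistakes that are easy to make when copying an SSL snippet around: a listen line without both ssl and http2, a pasted-twice ssl_certificate directive (which Nginx releases before 1.11 reject as a duplicate), SSLv2/SSLv3 sneaking into ssl_protocols, or a cipher string that lost its exclusions. The script below is an added example, not code from the post or from H5BP; it assumes one directive per line, as in the config above, and runs against a constructed copy of that server block rather than /etc/nginx/sites-available/secure.

```bash
#!/usr/bin/env bash
# Pre-flight lint for a TLS/HTTP2 server block, to run before
# `service nginx configtest`. Added example, not code from the post;
# it assumes one directive per line, as in the post's config, and
# checks only the directives the post uses.

# Count lines that start with the given directive name (comments ignored).
count_directive() {
    local file="$1" name="$2"
    grep -Ec "^[[:space:]]*${name}[[:space:]]" "$file" || true
}

# Return 0 if every check passes, 1 otherwise; findings go to stdout.
check_tls_config() {
    local file="$1" problems=0 d n listen ciphers excl

    # 1. Browsers only speak HTTP2 over TLS: listen needs both ssl and http2.
    listen=$(grep -E '^[[:space:]]*listen[[:space:]]' "$file" || true)
    case "$listen" in
        *ssl*http2*|*http2*ssl*) ;;
        *) echo "FAIL: no 'listen ... ssl http2;' directive"; problems=$((problems + 1)) ;;
    esac

    # 2. A repeated ssl_certificate/ssl_certificate_key is a copy-paste error;
    #    Nginx releases before 1.11 reject it outright as a duplicate directive.
    for d in ssl_certificate ssl_certificate_key; do
        n=$(count_directive "$file" "$d")
        if [ "$n" -ne 1 ]; then
            echo "FAIL: $d appears $n time(s), expected exactly 1"
            problems=$((problems + 1))
        fi
    done

    # 3. ssl_protocols must not re-enable SSLv2/SSLv3.
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$file" | grep -Eq 'SSLv[23]'; then
        echo "FAIL: ssl_protocols enables SSLv2 or SSLv3"
        problems=$((problems + 1))
    fi

    # 4. The cipher string must keep the exclusions of anon/NULL/export/RC4/MD5 suites.
    ciphers=$(grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$file" || true)
    for excl in '!aNULL' '!eNULL' '!EXPORT' '!RC4' '!MD5'; do
        case "$ciphers" in
            *"$excl"*) ;;
            *) echo "FAIL: ssl_ciphers does not exclude ${excl#!}"; problems=$((problems + 1)) ;;
        esac
    done

    # 5. Let the server, not the client, choose the cipher suite.
    if ! grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;' "$file"; then
        echo "FAIL: ssl_prefer_server_ciphers is not on"
        problems=$((problems + 1))
    fi

    echo "$problems problem(s) in $file"
    [ "$problems" -eq 0 ]
}

# Constructed sample: the post's server block, trimmed, as a correct (GOOD)
# variant and a variant with a duplicated key directive and SSLv3 (BAD).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate     /etc/ssl/example/example.crt;
    ssl_certificate_key /etc/ssl/example/example.key;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
    ssl_prefer_server_ciphers  on;
}
EOF
# BAD: repeats the ssl_certificate_key directive and enables SSLv3.
sed -e 's/ssl_protocols *TLSv1 /ssl_protocols SSLv3 TLSv1 /' \
    -e '/ssl_certificate_key/p' "$GOOD" > "$BAD"

check_tls_config "$GOOD"
check_tls_config "$BAD" || echo "(expected: the BAD config fails)"
```

Run it as `check_tls_config /etc/nginx/sites-available/secure` on the real file; a non-zero exit status makes it usable as a gate in a deploy script ahead of configtest and reload. The checks are deliberately textual: configtest catches syntax, but it will happily accept a cipher string that lost its !RC4 or a listen line that forgot http2.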

Self-Signed Certificates

If you want to make your own self-signed SSL certificates like those referenced in the Nginx configuration (for testing!), run the following:

cd /etc/ssl
sudo mkdir example
cd example
sudo openssl genrsa -out example.key 2048
sudo openssl req -new -key example.key -out example.csr
sudo openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
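The three commands above are the ones to type by hand; for a test box that gets rebuilt often, the same steps can be wrapped in a function that answers the `openssl req` prompts with -subj, locks down the key file, and then verifies that the key and certificate actually belong together and that the certificate is inside its validity window before Nginx is pointed at them. The script below is an added example, not code from the post; it assumes the openssl CLI is installed and takes the directory and base name as parameters (the post uses /etc/ssl/example and the name example), running here against a constructed temporary directory.

```bash
#!/usr/bin/env bash
# Non-interactive version of the post's three openssl commands, plus the
# checks worth running before Nginx is pointed at the files. Added example,
# not code from the post; it assumes the openssl CLI is installed, and the
# directory and base name are parameters (the post uses /etc/ssl/example).

make_selfsigned_cert() {
    local dir="$1" name="$2" days="${3:-365}"
    mkdir -p "$dir"
    # -subj answers the prompts `openssl req` would otherwise ask for.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    # The private key is what protects the TLS sessions: owner-readable only.
    chmod 600 "$dir/$name.key"
}

# Return 0 when the certificate was issued for this private key
# (compares the public key derived from each side).
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the certificate is still valid `seconds` from now
# (default: right now). Handy as a cron check before a cert silently expires.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Human-readable subject and expiry for a quick look.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Demo on a constructed temp directory instead of /etc/ssl/example.
DIR=$(mktemp -d)
make_selfsigned_cert "$DIR" example 365
cert_summary "$DIR/example.crt"
key_matches_cert "$DIR/example.key" "$DIR/example.crt" && echo "key and cert match"
```

The key/certificate comparison is the check that pays off in practice: a mismatched pair is accepted by configtest and only fails when Nginx actually starts the TLS listener.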
