[go: up one dir, main page]

DEV Community

Cover image for How To Set Up Nginx with HTTP/2 Support
Grigor Khachatryan
Grigor Khachatryan

Posted on

How To Set Up Nginx with HTTP/2 Support

NGINX is a fast and reliable open-source web server. It gained its popularity due to its low memory footprint, high scalability, ease of configuration, and support for the vast majority of different protocols.

One of the protocols supported is the relatively new HTTP/2, which was published in May 2015. The main advantage of HTTP/2 is its high transfer speed for content-rich websites.

Prerequisites

Before we get started, we will need a few things:

  • Ubuntu 18.04 (or 16.04/14.04)
  • An SSL certificate. Generate a self-signed certificate, obtain a free one from Let's Encrypt, or buy one from another provider.
  • That is all. If you have everything listed above, you are ready to go.

Step 1 — Installing the Latest Version of Nginx

Support of the HTTP/2 protocol was introduced in Nginx 1.9.5. Fortunately, the default repository in Ubuntu 16.04 contains a version higher than this, so we don't have to add a third party repository.

First, update the list of available packages in the apt packaging system:

sudo apt-get update
Enter fullscreen mode Exit fullscreen mode

Then, install Nginx:

sudo apt-get install nginx
Enter fullscreen mode Exit fullscreen mode

After the installation process finishes, you can check the version of Nginx by typing:

sudo nginx -v
Enter fullscreen mode Exit fullscreen mode

The output should be similar to the following:

nginx version: nginx/1.14.0 (Ubuntu)
Enter fullscreen mode Exit fullscreen mode

Step 2 — Changing the Listening Port and Enabling HTTP/2

The first change we will make will be to change the listening port from 80 to 443.

Let's open the configuration file:

sudo nano /etc/nginx/sites-available/default
Enter fullscreen mode Exit fullscreen mode

By default, Nginx is set to listen to port 80, which is the standard HTTP port:

listen 80; 
listen [::]:80;
Enter fullscreen mode Exit fullscreen mode

As you can see, we have two different listen variables. The first one is for all IPv4connections. The second one is for IPv6 connections. We will enable encryption for both.

Modify the listening port to 443, which is used by the HTTPS protocol:

listen 443 ssl http2; 
listen [::]:443 ssl http2;
Enter fullscreen mode Exit fullscreen mode

Notice that in addition to ssl, we also added http2 to the line. This variable tells Nginx to use HTTP/2 with supported browsers.

Step 3 — Changing the Server Name

We use the server_name entry to specify which domain should be associated with the configuration file. Locate the server_name entry in the configuration file.

By default, server_name is set to _ (underscore), which means the config file is responsible for all incoming requests. Change _ to your actual domain, like this:

server_name example.com;
Enter fullscreen mode Exit fullscreen mode

Save the configuration file and edit the text editor.

Whenever you make changes to Nginx configuration files, you should check the configuration for syntax errors, like this:

sudo nginx -t
Enter fullscreen mode Exit fullscreen mode

If the syntax is error-free, you will see the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Enter fullscreen mode Exit fullscreen mode

Step 4 — Adding the SSL Certificates

Next, you need to configure Nginx to use your SSL certificate. If you don't know what an SSL certificate is or currently don't have any, please follow this tutorial.

Create a directory to store your SSL certificates inside the Nginx configuration directory:

sudo mkdir /etc/nginx/ssl
Enter fullscreen mode Exit fullscreen mode

Copy your certificate and the private key to this location. We will also rename the files to show which domain they are associated. This will come in handy in the future, when you have more than one domain associated with this server. Replace example.com with your actual hostname:

sudo cp /path/to/your/certificate.crt /etc/nginx/ssl/example.com.crt sudo cp /path/to/your/private.key /etc/nginx/ssl/example.com.key
Enter fullscreen mode Exit fullscreen mode

Now, let's open our configuration file one again and configure SSL.

sudo nano /etc/nginx/sites-available/default
Enter fullscreen mode Exit fullscreen mode

On new lines inside the server block, define the location of your certificates:

ssl_certificate /etc/nginx/ssl/example.com.crt;   
ssl_certificate_key /etc/nginx/ssl/example.com.key; 
Enter fullscreen mode Exit fullscreen mode

Save the file, and exit the text editor.

Step 5 — Avoiding Old Cipher Suites

HTTP/2 has a huge blacklist of old and insecure ciphers, so we must avoid them. Cipher suites are a bunch of cryptographic algorithms, which describe how the transferring data should be encrypted.

We will use a really popular cipher set, whose security was approved by Internet giants like CloudFlare. It does not allow the usage of MD5 encryption (which was known as insecure since 1996, but despite this fact, its use is widespread even to this day).

Open the following configuration file:

sudo nano /etc/nginx/nginx.conf
Enter fullscreen mode Exit fullscreen mode

Add this line after ssl_prefer_server_ciphers on;.

ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
Enter fullscreen mode Exit fullscreen mode

Save the file, and exit the text editor.

Once again, check the configuration for syntax errors:

sudo nginx -t
Enter fullscreen mode Exit fullscreen mode

Step 6 — Redirecting all HTTP Request to HTTPS

Since we are interested in serving the content through HTTPS only, we should tell Nginx what it should do if the server receives an HTTP request.

At the bottom of our file, we will create a new server block for redirecting all HTTP requests to HTTPS (be sure to replace the server name with your actual domain name):

server {  
listen         80;  
listen    [::]:80;  
server_name    example.com;  
return         301 ;  
}
Enter fullscreen mode Exit fullscreen mode

Save the file, and exit the configuration file.

Check the configuration for syntax errors:

sudo nginx -t
Enter fullscreen mode Exit fullscreen mode

Step 7 — Reloading Nginx

That's it for all the Nginx configuration changes. Since we checked for syntax errors with each change, you should be ready to restart Nginx and test your changes.

To summarize, ignoring commented out lines, your configuration file should now look similar to this:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        try_files $uri $uri/ =404;
    }
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
server {
       listen         80;
       listen    [::]:80;
       server_name    example.com;
       return         301 https://$server_name$request_uri;
}
Enter fullscreen mode Exit fullscreen mode

To apply the changes, restart the Nginx server.

sudo systemctl restart nginx
Enter fullscreen mode Exit fullscreen mode




Conclusion

Your Nginx server is now serving HTTP/2 pages. If you want to test the strength of your SSL connection, please visit Qualys SSL Lab and run a test against your server. If everything is configured properly, you should get an A+ mark for security.

Top comments (4)

Collapse
 
ayekpleclemence profile image
Ayekple Clemence

I recently reconfigured my server to use nginx. I wrote an article on enabling http/2 in apache on ubuntu because I was using apache at the time.
With the move, I now have to reconfigured http/2 for nginx. Thanks for the article.

Collapse
 
vyspiansky profile image
Ihor Vyspiansky

Please fix the "Qualys SSL" URL. Thanks :)

Collapse
 
grigorkh profile image
Grigor Khachatryan

Thanks, fixed :D

Collapse
 
perlatsp profile image
Perlat Kociaj

Thank you Grigor for sharing this and for great explanation. I have read alot of articles about this topic but this one was very clear and helped me fully understand.