Enabling HTTP/2 in NGINX for a site

    In this article we explain how to enable HTTP/2 for a site served by NGINX on an Infobox VPS, and what the change gives your site. HTTP/2 support was added in the NGINX 1.9.5 mainline release.



    Why do you need HTTP/2?


    HTTP/2 is a new version of the HTTP protocol, standardized in 2015 as RFC 7540. Several features of HTTP/1.1 hurt the performance of web applications.

    In particular, HTTP/1.0 allows only one outstanding request per TCP connection. HTTP/1.1 added pipelining, but it only partially parallelizes requests and still suffers from head-of-line blocking: a slow response holds up every response queued behind it. HTTP/1.0 and HTTP/1.1 clients that need to make many requests therefore open many connections to the server.

    In addition, HTTP header fields are verbose and largely repeated from one request to the next, producing unnecessary traffic. Time is also lost to TCP slow start and congestion control on every fresh connection, which adds latency to each request made over a new TCP connection.

    HTTP/2 addresses these problems by defining an optimized mapping of HTTP semantics onto the transport. In particular, it multiplexes requests and responses over a single connection and compresses header fields efficiently (HPACK). HTTP/2 also supports request prioritization, so more important resources can be delivered first.

    As a result the protocol is friendlier to the network, needing far fewer TCP connections than HTTP/1.x. HTTP/2 also uses a binary framing layer, which is cheaper and less error-prone to parse than the text-based HTTP/1.x syntax.

    HTTP/2 is closely tied to TLS. Although the specification does not require encryption (a cleartext variant, h2c, exists), all current browsers negotiate HTTP/2 only over TLS, using the ALPN extension of the TLS handshake, so in practice your site must use HTTPS.


    Deploy the server with the latest version of NGINX


    If you do not yet have a VPS from Infobox, you can order a server here. This article describes configuring HTTP/2 on a server running CentOS 7. After ordering and creating the server, connect to it over SSH.

    Install the latest version of NGINX on a new VPS with CentOS 7
    To install the latest version of NGINX, add the official nginx.org repository. HTTP/2 is available in the mainline branch from 1.9.5 and in the stable branch from 1.10.0; the mainline repository is used here. Create the file /etc/yum.repos.d/nginx.repo with the following contents. With gpgcheck=1 and the nginx.org signing key, yum verifies package signatures, so a tampered mirror or a man-in-the-middle cannot push a modified package:
    [nginx]
    name=nginx repo
    baseurl=https://nginx.org/packages/mainline/centos/7/$basearch/
    gpgcheck=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    enabled=1
    

    Stop Apache and prevent it from autostarting:
    systemctl stop httpd && systemctl disable httpd
    

    Update the OS with the command:
    yum -y update
    

    After that reboot the OS.
    reboot
    

    Install nginx and firewalld with the command:
    yum install -y nginx firewalld
    

    Now run nginx and add to startup:
    systemctl start nginx && systemctl enable nginx
    

    Similarly, start firewalld:
    systemctl start firewalld && systemctl enable firewalld
    

    Finally, open ports 80 (HTTP), 443 (HTTPS) and 22 (SSH) in the firewall:
    firewall-cmd --zone=public --add-port=80/tcp --add-port=443/tcp --add-port=22/tcp  --permanent
    

    firewall-cmd --reload
    

    Now open the IP address of your VPS in a browser: you should see the NGINX welcome page.




    Generating a certificate


    Browsers negotiate HTTP/2 only over TLS, so HTTPS must be enabled in NGINX before HTTP/2 can work.
    Obtaining a certificate usually takes four steps:
    • generate a private key
    • create a certificate signing request (CSR) and submit it to a certification authority (CA)
    • install the certificate issued by the CA
    • configure NGINX

    This process is what lets users' browsers trust the site: the CA vouches that the public key in the certificate belongs to the owner of the domain.

    Create a directory for the key material and change into it:
    mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
    

    To understand key generation you need two concepts:
    Key algorithm. OpenSSL can generate RSA, DSA and ECDSA keys, but not every type is usable in every scenario. For a web server certificate this article uses RSA: DSA keys are in practice limited to 1024 bits for compatibility (older browsers such as Internet Explorer accept nothing larger), and when this article was written ECDSA certificates were not yet issued by all widely recognized certification authorities (today they are broadly supported and give faster handshakes). For SSH, RSA is suitable; DSA is deprecated and disabled by default in modern OpenSSH releases, so do not choose it for new keys.
    Key size. OpenSSL's defaults can be unsafe: older OpenSSL versions generated 512-bit RSA keys by default, which is completely insecure. Use at least 2048 bits for RSA, 2048 bits for DSA and 256 bits for ECDSA. We will use RSA with 4096 bits.

    To generate a private key and a certificate signing request, run the command:
    openssl req -out /etc/nginx/ssl/domain.csr -new -newkey rsa:4096 -nodes -keyout /etc/nginx/ssl/domain.key
    

    During generation, specify the site's fully qualified domain name as the Common Name and an email address in that domain, for example webmaster@domain.tld. The -nodes option leaves the private key unencrypted, so no passphrase is requested and NGINX can read the key at startup without prompting; because of that, restrict the file's permissions (chmod 600 /etc/nginx/ssl/domain.key), since anyone who can read it can impersonate the site. Note that current browsers ignore the Common Name and require the domain in the subjectAltName extension; public CAs fill it in from the CSR or your order, but a self-signed certificate needs it added explicitly.

    After generation you will see two files in /etc/nginx/ssl: domain.key (the private key) and domain.csr (the certificate signing request). To use a trusted certificate, order it from a certification authority (for example here). The CA needs the CSR contents, which you can display with:
    cat /etc/nginx/ssl/domain.csr
    

    Once the certificate is issued, save it as /etc/nginx/ssl/domain.crt. If the CA also provides an intermediate certificate, append it to the same file after the server certificate, starting on a new line: NGINX sends the file's contents as the certificate chain, and the order must be server certificate first, then the intermediate(s). A missing or misordered intermediate is the most common cause of "untrusted certificate" warnings that appear only in some clients.

    If you are deploying a test environment, you can generate a self-signed certificate for free like this:
    openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/domain.key -out /etc/nginx/ssl/domain.crt
    




    It is also necessary to generate your own Diffie-Hellman parameters. The DHE cipher suites in the configuration below use them for ephemeral key exchange, which provides forward secrecy: a server private key stolen later cannot decrypt sessions that were recorded earlier. Older NGINX versions otherwise fall back to built-in 1024-bit parameters, which are too weak. Generating 4096-bit parameters can take many minutes even on a fast machine; 2048 bits is the common minimum.
    openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
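The key, CSR and self-signed certificate steps above, as an added example that is not part of the original article: a small POSIX shell script that generates the key and CSR non-interactively with a subjectAltName (so the self-signed test certificate is accepted by current browsers once you add the exception), self-signs it for test environments, and then checks that the certificate really belongs to the private key before NGINX is pointed at it. It assumes openssl is installed; the directory, domain name and key size are parameters (the article uses /etc/nginx/ssl, domain.tld and 4096 bits), and the DH parameter generation is deliberately left out because of how long it takes.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR (with SAN) + self-signed certificate,
# followed by the checks a practitioner runs before installing the files.
set -eu

# gen_key_csr DIR DOMAIN [BITS]: create DIR/domain.key and DIR/domain.csr.
# The CSR carries CN=DOMAIN and subjectAltName DNS:DOMAIN,DNS:www.DOMAIN.
gen_key_csr() {
    dir=$1; domain=$2; bits=${3:-4096}
    mkdir -p "$dir"
    # request config written to DIR/req.cnf (works with OpenSSL 1.0.2 and later,
    # unlike the -addext flag, which needs 1.1.1+)
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $domain
emailAddress = webmaster@$domain
[ext]
subjectAltName = DNS:$domain,DNS:www.$domain
EOF
    # -nodes: leave the key unencrypted so nginx can load it without a passphrase
    openssl req -new -newkey "rsa:$bits" -nodes -config "$dir/req.cnf" \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null
    chmod 600 "$dir/domain.key"   # anyone who can read the key can impersonate the site
}

# self_sign DIR DAYS: test-environment only. Signs the CSR with its own key and
# copies the SAN extension from req.cnf into the certificate.
self_sign() {
    dir=$1; days=$2
    openssl x509 -req -days "$days" -in "$dir/domain.csr" \
        -signkey "$dir/domain.key" -extfile "$dir/req.cnf" -extensions ext \
        -out "$dir/domain.crt" 2>/dev/null
}

# key_matches_cert DIR: exit 0 only if the RSA modulus in domain.crt equals the
# one in domain.key. Run this on a CA-issued certificate too: a mismatch means
# nginx will refuse to start (or you installed the wrong file).
key_matches_cert() {
    dir=$1
    k=$(openssl rsa  -in "$dir/domain.key" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$dir/domain.crt" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_has_san DIR NAME: exit 0 if DNS:NAME is listed in the certificate's SAN
cert_has_san() {
    openssl x509 -in "$1/domain.crt" -noout -text | grep -q "DNS:$2"
}

# Usage on the VPS from the article (domain.tld is a placeholder):
#   gen_key_csr /etc/nginx/ssl domain.tld        # then send domain.csr to the CA
#   self_sign   /etc/nginx/ssl 365               # test environments only
#   key_matches_cert /etc/nginx/ssl && echo "key and certificate match"
```

After a real CA issues the certificate, replace the self-signed domain.crt with the issued chain and rerun key_matches_cert; the check compares only the leaf certificate's public key, so it is unaffected by the appended intermediates.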
    


    Enabling HTTPS-only access and HTTP/2 in NGINX


    Edit the NGINX configuration file /etc/nginx/conf.d/default.conf.
    Delete the server section in it and add:
    server {
        listen 80;
        server_name domain.tld www.domain.tld;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name domain.tld www.domain.tld;
        ssl_certificate /etc/nginx/ssl/domain.crt;
        ssl_certificate_key /etc/nginx/ssl/domain.key;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        # HTTP/2 clients require TLS 1.2 or newer (RFC 7540, section 9.2);
        # add TLSv1.3 if your NGINX/OpenSSL build supports it
        ssl_protocols TLSv1.2;
        # keep the AEAD (GCM) suites first: HTTP/2 clients reject the CBC suites
        # listed in RFC 7540 Appendix A, so the server must choose the order
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
        add_header Strict-Transport-Security "max-age=15768000" always;
        # OCSP stapling needs a CA-issued certificate and a resolver directive so
        # nginx can reach the OCSP responder; it does nothing for a self-signed cert
        ssl_stapling on;
        location / {
            root /usr/share/nginx/html;
        }
    }
    

    where domain.tld is the name of the site for which you are enabling HTTP/2.

    A few points about this configuration. The ssl parameter on the listen directive is what enables TLS for the socket; the older ssl on directive is deprecated and must not be combined with it. TLS 1.0 and 1.1 are not listed: HTTP/2 clients require TLS 1.2 or newer, so older protocols would only weaken the HTTP/1.1 fallback. The first server block redirects every plain-HTTP request to HTTPS, and the Strict-Transport-Security header tells browsers to use HTTPS for the next six months even if a user types http://; enable it only once a CA-issued certificate is in place, because browsers that have seen the header will no longer let users click through a certificate warning for the domain.



    After the changes, test the nginx configuration for errors with the command:
    nginx -t
    




    Now restart NGINX:
    systemctl restart nginx
    

    Open the site by its domain name in a browser. If you used a self-signed certificate, the browser will show a warning because no certification authority vouches for it.



    Add an exception for the site; the browser remembers it and the page then opens normally.

    To verify that the site is served over HTTP/2, install an HTTP/2 indicator extension for Firefox or Chrome.

    When you visit a site that supports HTTP/2 or SPDY, the extension shows a blue lightning bolt.



    Indeed, the site works over HTTP/2.
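The same check from the command line, as an added example that is not part of the original article: because browsers pick HTTP/2 through the ALPN extension of the TLS handshake, the definitive test is to offer h2 in a handshake and see what the server selects, which is more reliable than a browser extension and can be scripted into monitoring. The functions assume openssl and curl are installed; the host name is a parameter (domain.tld is the article's placeholder), and the -k flag in the curl helper skips certificate verification only so that a self-signed test certificate can be checked.

```shell
#!/bin/sh
# Added example: verify HTTP/2 (ALPN "h2") support from the shell.

# parse_alpn: read `openssl s_client` output on stdin and print the protocol the
# server selected via ALPN: "h2", "http/1.1", or "none" when nothing was agreed.
parse_alpn() {
    awk '
        /^ALPN protocol:/     { print $3;     found = 1 }
        /^No ALPN negotiated/ { print "none"; found = 1 }
        END                   { if (!found) print "none" }
    '
}

# negotiated_alpn HOST [PORT]: run a TLS handshake offering h2 and http/1.1
# (the list browsers send) against HOST and report what the server chose.
# -servername sends SNI so the right server block answers; printf '' closes
# stdin immediately so s_client exits after the handshake.
negotiated_alpn() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 2>/dev/null | parse_alpn
}

# http2_status_line HOST: fetch only the response headers with curl asked to
# use HTTP/2; the first line reads "HTTP/2 200" when HTTP/2 was negotiated and
# "HTTP/1.1 200 OK" when the server fell back. Remove -k once a trusted
# certificate is installed.
http2_status_line() {
    curl -sI --http2 -k "https://$1/" | head -n 1 | tr -d '\r'
}

# Example run (needs network access; domain.tld is a placeholder):
#   negotiated_alpn domain.tld        # prints h2 when HTTP/2 is enabled
#   http2_status_line domain.tld
```

If negotiated_alpn prints http/1.1 although `listen 443 ssl http2;` is configured, check that the NGINX package is 1.9.5 or newer (`nginx -V`) and that the handshake did not end up on a CBC cipher suite, since HTTP/2 clients refuse those.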

    Infobox Trial VPS Free


    You can set up everything described in this article on a trial VPS.
    To do so, send your name and phone number to trial@infobox.ru; in reply you will receive access details for the control panel. The VPS can be tested for 10 days.

    Good luck!
