
Enable HTTP/2 in NGINX for the site
In this article we explain how to enable HTTP/2 for a site served by NGINX on an Infobox VPS, and what it gives your site. HTTP/2 support was added in the NGINX 1.9.5 release.

Why do you need HTTP/2?
HTTP/2 is a new version of the HTTP protocol, standardized in May 2015 as RFC 7540. Several properties of HTTP/1.1 hurt the performance of web applications.
In particular, HTTP/1.0 serves only one request per TCP connection, and HTTP/1.1 keeps the connection open but still handles the requests on it one after another. HTTP/1.1 pipelining was meant to help, but it only partially parallelizes requests and still suffers from head-of-line blocking, which is why browsers leave it disabled. Clients that need to make many requests therefore open many connections to the server.
In addition, HTTP header fields are verbose and repeated on every request, producing unnecessary traffic. Each new TCP connection also begins in slow start, so much of its short life is spent before the congestion window has grown, which adds latency to every request made on a fresh connection.
HTTP/2 addresses these problems with a new framing of the same HTTP semantics. Requests and responses are multiplexed as streams over a single connection, header fields are compressed with HPACK, and streams can be prioritized so that more important resources are delivered first.
As a result, the protocol is friendlier to the network: it needs fewer TCP connections than HTTP/1.x and uses them more efficiently, and its binary framing is cheaper to parse than the HTTP/1.x text format.
HTTP/2 is closely tied to TLS. The specification does not require encryption (cleartext HTTP/2, "h2c", exists), but every current browser negotiates HTTP/2 only over TLS, using the ALPN extension, so in practice enabling HTTP/2 means enabling HTTPS.
Deploy the server with the latest version of NGINX
If you do not already have a VPS from Infobox, you can order a server here . This article describes how to configure HTTP/2 on a server running CentOS 7. After ordering and creating the server, connect to it via SSH .
Install the latest version of NGINX on a new VPS with CentOS 7
To install the latest version of NGINX, add the official repository (the mainline branch, where new features such as HTTP/2 appear first). Create the file /etc/yum.repos.d/nginx.repo with the following contents:

[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
Keep gpgcheck=1: with it yum verifies every package against the nginx signing key and refuses anything that was altered between nginx.org and your server.
Stop Apache and prevent it from autostarting:
systemctl stop httpd && systemctl disable httpd
Update the OS with the command:
yum -y update
After that reboot the OS.
reboot
Install nginx and firewalld with the command:
yum install -y nginx firewalld
Now run nginx and add to startup:
systemctl start nginx && systemctl enable nginx
Similarly, start firewalld:
systemctl start firewalld && systemctl enable firewalld
Finally, open ports 80 and 443 for the web server and 22 for SSH (keep 22 in the rule set, otherwise the next reload can lock you out):
firewall-cmd --zone=public --add-port=80/tcp --add-port=443/tcp --add-port=22/tcp --permanent
firewall-cmd --reload
Now open the IP address of your VPS in a browser. You will see the NGINX welcome page.

Generate a certificate
For HTTP/2 to work, NGINX must serve the site over HTTPS.
This usually takes four steps:
- generate a private key (key)
- create a certificate signing request (CSR) and send it to a certification authority (CA)
- install the certificate issued by the CA
- configure NGINX
This process is what makes users' browsers trust the site.
Create a folder in which the encryption keys will be stored and go to it:
mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
To choose the key generation options you need two concepts:
Key algorithm. OpenSSL supports RSA, DSA and ECDSA keys, but not every type suits every scenario. For a web server use RSA: DSA keys are effectively limited to 1024 bits (Internet Explorer does not accept larger ones), which is too weak, and at the time of writing ECDSA certificates were not yet offered by most public certification authorities. For an SSH key RSA is likewise the safe choice, since some older clients do not support ECDSA.
Key size. The defaults can be unsafe: older OpenSSL releases generate a 512-bit RSA key when no size is given, and such a key is trivially breakable. Today the recommended minimum is 2048 bits for RSA and DSA and 256 bits for ECDSA. We will use RSA with 4096 bits.
To generate a private key and a certificate signing request, run:
openssl req -out /etc/nginx/ssl/domain.csr -new -newkey rsa:4096 -nodes -keyout /etc/nginx/ssl/domain.key
When prompted, be sure to enter the site's fully qualified domain name as the Common Name and an e-mail address in that domain, for example webmaster@domain.tld. Leave the "challenge password" prompt empty. The -nodes option leaves the key unencrypted so that NGINX can start unattended; protect the file with file permissions instead. Note that browsers validate the certificate's subjectAltName extension rather than the Common Name; public CAs add the SAN entries from your order, so the CSR itself does not need them.
After generation, the /etc/nginx/ssl folder contains two files: domain.key (the private key, keep it readable by root only) and domain.csr (the signing request). To get a trusted certificate, order it from a certification authority (you can, for example, order it here ). The CA needs the contents of the CSR, which you can display like this:
cat /etc/nginx/ssl/domain.csr
Once the certificate has been issued, save it to /etc/nginx/ssl/domain.crt. If the CA also provides an intermediate certificate, append it to the same file on a new line after the site certificate so that NGINX sends the complete chain; a missing intermediate is the most common cause of "untrusted certificate" errors in clients that do not already have it cached.
If you are deploying a test environment, you can instead generate a self-signed certificate. This command creates a new key and overwrites domain.key from the previous step, so use it in place of the CSR step, not after it:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/domain.key -out /etc/nginx/ssl/domain.crt
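Putting the key, CSR and self-signed steps together, here is an added example script (not part of the original article) that also sets the subjectAltName extension browsers now require and checks that the key and certificate actually belong together, which is the usual reason nginx -t fails with "key values mismatch". The directory, the site name domain.tld and an openssl binary of version 1.0.2 or newer are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): create the private key and
# CSR with a subjectAltName, optionally a self-signed test certificate, and
# check that key and certificate belong together.
# Assumptions: a directory such as /etc/nginx/ssl, a site name such as
# domain.tld, and an openssl binary (1.0.2 or newer). Adjust as needed.
set -eu

# OpenSSL request configuration. Browsers validate the subjectAltName
# extension, not the Common Name, so both the CSR and a self-signed
# certificate carry the site names as SANs.
write_req_config() {   # dir domain
    dir=$1; domain=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no

[dn]
CN           = $domain
emailAddress = webmaster@$domain

[v3_req]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
}

# Private key (no passphrase, so nginx can start unattended) plus CSR.
# The subshell's umask 077 makes domain.key readable by its owner only.
make_key_and_csr() {   # dir domain [bits]
    dir=$1; domain=$2; bits=${3:-4096}
    write_req_config "$dir" "$domain"
    (umask 077; openssl req -new -newkey "rsa:$bits" -nodes \
        -config "$dir/req.cnf" \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null)
}

# Self-signed certificate for a test environment. It reuses domain.key, so
# the CSR can still be sent to a CA later without changing the key.
make_selfsigned() {   # dir [days]
    dir=$1; days=${2:-365}
    openssl req -x509 -days "$days" -key "$dir/domain.key" \
        -config "$dir/req.cnf" -out "$dir/domain.crt" 2>/dev/null
}

# Print "match" when the public key inside the certificate equals the
# public half of the private key, otherwise "mismatch".
key_matches_cert() {   # dir
    dir=$1
    from_key=$(openssl pkey -in "$dir/domain.key" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$dir/domain.crt" -pubkey -noout)
    if [ "$from_key" = "$from_crt" ]; then echo match; else echo mismatch; fi
}

# Print the SAN line of the certificate, e.g. "DNS:domain.tld, DNS:www.domain.tld".
cert_sans() {   # dir
    openssl x509 -in "$1/domain.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: sh make-cert.sh /etc/nginx/ssl domain.tld
if [ "$#" -eq 2 ]; then
    make_key_and_csr "$1" "$2"
    make_selfsigned "$1"
    echo "key/certificate: $(key_matches_cert "$1")"
    echo "SANs: $(cert_sans "$1")"
fi
```

When ordering a CA-issued certificate, run only make_key_and_csr and send domain.csr to the CA; make_selfsigned is for a test environment. The config file works with OpenSSL 1.0.2 (CentOS 7) as well as 1.1.1 and 3.x, which is why it does not use the newer -addext option.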

The DHE cipher suites in the configuration below need Diffie-Hellman parameters. Ephemeral (EC)DH key exchange provides forward secrecy: session keys are derived from short-lived values, so an attacker who later steals the server's private key still cannot decrypt recorded traffic. Do not rely on the built-in parameters (older NGINX releases fall back to a 1024-bit group, which is too weak today); generate your own. 4096-bit generation can take many minutes on a small VPS, and 2048 bits is also acceptable:
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
Enable HTTPS-only access in NGINX and activate HTTP/2
Edit the NGINX configuration file /etc/nginx/conf.d/default.conf .
In it, delete the server section and add:
# Plain HTTP only redirects to HTTPS; nothing is served in the clear.
server {
    listen 80;
    server_name domain.tld www.domain.tld;
    return 301 https://$host$request_uri;
}
server {
    # "ssl" on the listen line enables TLS; the old "ssl on;" directive is not needed.
    listen 443 ssl http2;
    server_name domain.tld www.domain.tld;
    ssl_certificate /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    # HTTP/2 requires TLS 1.2 or newer (RFC 7540, section 9.2), so older versions are not offered.
    ssl_protocols TLSv1.2;
    # AEAD (GCM) suites come first: HTTP/2 clients refuse the CBC suites further down the list.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    # HSTS: browsers that have seen this header use HTTPS only, for the next six months.
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP stapling works only with a CA-issued certificate and needs a "resolver" directive;
    # with a self-signed certificate NGINX logs a warning and ignores it.
    ssl_stapling on;
    location / {
        root /usr/share/nginx/html;
    }
}
Replace domain.tld with the name of your site. Two things to check on CentOS 7: browsers negotiate HTTP/2 only through the TLS ALPN extension, which NGINX can offer only when built against OpenSSL 1.0.2 or newer (CentOS 7.4 and later ship 1.0.2k; with the older 1.0.1 system library NGINX falls back to NPN, which current browsers no longer use). And the HSTS header is remembered by browsers for its whole max-age, so add it only once HTTPS works for every host name users might visit.

After the changes, test the nginx configuration for errors with the command:
nginx -t

Now restart NGINX:
systemctl restart nginx
Open the site by its domain name in the browser. If you used a self-signed certificate, the browser shows a warning, because no trusted certification authority vouches for it.

Add an exception for the site; the browser remembers it and opens the page.
To verify that the site is served over HTTP/2, install the HTTP/2 indicator extension for Firefox or Chrome .
When you visit a site that supports HTTP/2 or SPDY, the extension shows a blue lightning bolt.

So the site indeed works over HTTP/2.
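A browser extension is a quick visual check, but a command-line check shows what is actually negotiated: the ALPN result, the TLS version and cipher, and whether the HSTS header is sent. The following script is an added example, not part of the original article; it assumes openssl 1.0.2 or newer (for ALPN) and a curl built with HTTP/2 support, and domain.tld is a placeholder host name. The parsing functions read from stdin so they can be exercised on captured output without a live server.

```shell
#!/bin/sh
# Added example (not from the original article): verify an HTTP/2 deployment
# from the shell. Assumes openssl >= 1.0.2 and curl with HTTP/2 support;
# the host name is a placeholder.
set -eu

# Extract the interesting fields from "openssl s_client" output (stdin).
# Prints one line: alpn=<h2|http/1.1|none> protocol=<TLS version> cipher=<name>
parse_s_client() {
    awk '
        /^ALPN protocol:/     { sub(/^ALPN protocol: */, ""); alpn = $0 }
        /^No ALPN negotiated/ { alpn = "none" }
        /^ *Protocol *:/      { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/        { sub(/^ *Cipher *: */, ""); cipher = $0 }
        END {
            if (alpn == "") alpn = "none"
            printf "alpn=%s protocol=%s cipher=%s\n", alpn, proto, cipher
        }'
}

# Live check, offering the same protocols a browser would via ALPN.
check_site() {   # host [port]
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 2>/dev/null | parse_s_client
}

# Judge the parsed line: HTTP/2 is only valid over TLS 1.2 or newer.
judge() {   # parsed line on stdin; prints "ok" or the reason it is not
    read -r line
    case "$line" in
        "alpn=h2 protocol=TLSv1."[23]*) echo ok ;;
        alpn=h2*)       echo "HTTP/2 negotiated but TLS is older than 1.2" ;;
        alpn=none*)     echo "no ALPN: server or its OpenSSL too old for HTTP/2" ;;
        alpn=http/1.1*) echo "TLS works but HTTP/2 is not enabled" ;;
        *)              echo "unexpected: $line" ;;
    esac
}

# Summarize response headers (stdin): protocol of the status line and
# whether Strict-Transport-Security is present. curl prints HTTP/2 header
# names in lower case, so the comparison is case-insensitive.
parse_headers() {
    tr -d '\r' | awk '
        NR == 1 { status = $1 }
        tolower($1) == "strict-transport-security:" { hsts = 1 }
        END { printf "status=%s hsts=%s\n", status, (hsts ? "yes" : "no") }'
}

check_curl() {   # host
    curl -sI --http2 "https://$1/" | parse_headers
}

# Usage: sh check-h2.sh domain.tld
if [ "$#" -ge 1 ]; then
    parsed=$(check_site "$1")
    echo "$parsed"
    printf '%s\n' "$parsed" | judge
    check_curl "$1"
fi
```

A healthy deployment prints alpn=h2 with a TLSv1.2 or TLSv1.3 protocol and a GCM cipher, "ok", and status=HTTP/2 hsts=yes. "no ALPN" on a server that has http2 on its listen line usually means NGINX was built against an OpenSSL without ALPN support.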
Infobox Trial VPS Free
You can set up everything described in this article on a trial VPS .
To do so, send your name and phone number to trial@infobox.ru ; in reply you will receive access details for the control panel. You can test the VPS for 10 days.
Good luck!