Introduction

Nginx is an efficient web server: its unique request processing model and low memory consumption have made it widely loved, and it works with a variety of protocols. HTTP2 is a very good protocol, and combining the two produces excellent results. Today we will explain how to configure the HTTP2 protocol in nginx.

HTTP1.1 and HTTP2

The full name of HTTP is Hypertext Transfer Protocol. It is a standard protocol that appeared with the development of the World Wide Web in 1989 and is used to transmit data on the WWW. HTTP/1.1, released in 1997, supplemented and optimized the original HTTP protocol.

In 2015, to meet the needs of fast-loading web applications and modern browsers, the new HTTP/2 protocol was developed; it mainly optimizes mobile browsing, latency handling, image processing and video processing.

Compared with HTTP1.1, HTTP2 has the following advantages:

  1. Using multiplexing, multiple requests can be processed in parallel on the same connection.
  2. HTTP headers can be compressed, reducing the size of each request.
  3. Data is transmitted in a binary format, so transmission is more efficient.
  4. The server can push data to the client, so applications can implement more complex functions.

Although HTTP2 itself does not require encryption, modern browsers such as Google Chrome and Mozilla Firefox use HTTP2 together with HTTPS by default, so if you want to enable HTTP2 you also need to configure SSL.

Install the latest nginx

At the time of writing, the latest version of nginx is 1.21.1. You can download the corresponding compiled package from the nginx official website, unzip it and run it directly, or download the source and compile and install it manually.

If you are on a Mac, you can install it directly with the brew command:

brew install nginx

After the installation is complete, brew prints some useful information:

Docroot is: /usr/local/var/www

The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /usr/local/etc/nginx/servers/.

To have launchd start nginx now and restart at login:
  brew services start nginx
Or, if you don't want/need a background service you can just run:
  nginx

I won’t explain them in detail here, and interested friends can explore on their own.

Enable HTTP2 support

As shown above, the default configuration file of nginx is /usr/local/etc/nginx/nginx.conf. Open the file and you will see the last line:

include servers/*;

So we create a new file, www.flydean.com.conf, in the servers directory for the domain that will get HTTP2 support today.

By default, the port that nginx listens on is 80, as shown below:

listen 80 default_server;
listen [::]:80 default_server;

Why are there two listen directives? The first listens on all IPv4 addresses, and the second on all IPv6 addresses.

Because HTTP2 needs SSL enabled, we change the port to 443 here and add http2 support, as shown below:

        listen       443 ssl http2;
        server_name  www.flydean.com;

In the above configuration we also specify server_name, the domain name under which the site is accessed; here we use www.flydean.com.

Add SSL support

To add SSL support you need a certificate. You can buy one, or use one of the free SSL certificates available on the Internet. For a test environment you can also generate a self-signed certificate.

Here we show how to generate a self-signed certificate using the openssl command.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout selfsigned.key -out selfsigned.crt
Generating a RSA private key

After executing the above command, you will be asked to enter some certificate information, as follows:

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:flydean
Organizational Unit Name (eg, section) []:flydean
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1
Email Address []:flydean@163.com

Then two files are generated: selfsigned.crt and selfsigned.key.

Here is a short explanation of the options in the self-signed certificate command.

openssl is a very powerful key generation tool that can handle most key generation work.

req selects the subcommand for X.509 certificate signing requests (CSRs).

-x509 means we want to generate a self-signed certificate.

-nodes means that the generated private key is not password-encrypted.

-days 365 sets the validity period of the certificate to 365 days.

-newkey rsa:2048 generates a new 2048-bit RSA key at the same time as the certificate.

-keyout specifies the output path of the key.

-out specifies the output path of the certificate.

Even with SSL in place, to further ensure security we can use a technique called perfect forward secrecy. For this we need to generate a Diffie-Hellman group:

openssl dhparam -out dhparam.pem 2048

This command takes some time. Once the file is generated, we can start the SSL configuration of nginx.

        ssl_certificate      ssl/selfsigned.crt;
        ssl_certificate_key  ssl/selfsigned.key;

Modify encryption algorithm

Many encryption algorithms exist, and as cryptography has developed many of them have been proven insecure, so here we need to modify the default cipher list.

The default cipher list is:

        ssl_ciphers  HIGH:!aNULL:!MD5;

We modify it to:

ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

Diffie–Hellman encrypts the message

Although the private key configured above authenticates the encrypted connection between the client and the server, once the connection is established, in the ServerKeyExchange step of the handshake, the two parties also negotiate how the keys for the encrypted channel are derived.

The content of ServerKeyExchange can take two forms:

  • If RSA is selected, the parameters (E, N) with which RSA constructs the public key cipher are passed. Recall the RSA encryption formula: $ciphertext=plaintext^E\ mod\ N$; as long as we know E and N we know the RSA public key, and it is exactly these two numbers E and N that are passed here. For details, please refer to RSA algorithm detailed.
  • If the Diffie-Hellman key exchange protocol is selected, the key exchange parameters are passed. For details, please refer to more secure key generation method Diffie-Hellman.

Here we choose to use Diffie–Hellman. Remember the Diffie–Hellman file we created in the previous section? You can use it directly here.

By default, nginx uses a 1028-bit DHE (Ephemeral Diffie-Hellman) key, which is easier to crack, so we point it at the file we generated ourselves:

        ssl_dhparam  ssl/dhparam.pem;
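As an added example that is not part of the original article, the following Python script audits the ssl_ciphers string chosen above at the token level: it flags the entries with static RSA key exchange, which give no forward secrecy despite the ssl_dhparam setup, and the 3DES entries, and prints a hardened string with those entries removed. The two cipher strings are the ones quoted in this article; the classification sets and helper names are the example's own.

```python
# Added example (not from the article): token-level audit of an nginx ssl_ciphers
# string using OpenSSL syntax (':' separates entries, '+' ANDs properties, '!' excludes).
# Tokens are inspected as written; aliases such as HIGH are not expanded into suites.

# Cipher strings quoted from the article: nginx's default and the replacement.
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
PAGE_CIPHERS = ("EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:"
                "RSA+AES256:EECDH+3DES:RSA+3DES:!MD5")

FS_KX = {"EECDH", "ECDHE", "kEECDH", "EDH", "DHE", "kEDH"}  # ephemeral -> forward secrecy
NO_FS_KX = {"RSA", "kRSA"}  # static RSA key exchange: a leaked key decrypts old captures
WEAK = {"3DES", "DES", "RC4", "MD5", "NULL", "eNULL", "aNULL", "EXPORT"}

def parse_cipher_string(spec):
    """Split a cipher string into (operator, [tokens]) items, preserving order."""
    items = []
    for entry in filter(None, (e.strip() for e in spec.split(":"))):
        op = entry[0] if entry[0] in "!-+" else ""
        items.append((op, entry[len(op):].split("+")))
    return items

def audit_cipher_string(spec):
    """Return (entry, reason) findings for positive entries that weaken TLS."""
    findings = []
    for op, tokens in parse_cipher_string(spec):
        if op == "!":
            continue  # an exclusion only removes suites, it cannot enable weak ones
        label, tokset = "+".join(tokens), set(tokens)
        if tokset & NO_FS_KX and not tokset & FS_KX:
            findings.append((label, "no forward secrecy: static RSA key exchange"))
        weak = tokset & WEAK
        if weak:
            findings.append((label, "deprecated algorithm: " + ",".join(sorted(weak))))
    return findings

def harden_cipher_string(spec):
    """Drop every entry the audit flagged; keep the rest, including '!' exclusions."""
    flagged = {label for label, _ in audit_cipher_string(spec)}
    kept = [op + "+".join(tokens) for op, tokens in parse_cipher_string(spec)
            if op == "!" or "+".join(tokens) not in flagged]
    return ":".join(kept)

if __name__ == "__main__":
    for entry, reason in audit_cipher_string(PAGE_CIPHERS):
        print(f"{entry:<14} {reason}")
    print("ssl_ciphers", harden_cipher_string(PAGE_CIPHERS) + ";")
```

For the article's replacement string the audit reports the two RSA+AES entries and both 3DES entries, and the hardened result keeps only the EECDH entries plus the !MD5 exclusion.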

Redirect all HTTP requests to HTTPS

By default, websites are visited over HTTP, so we need to redirect HTTP requests to HTTPS:

server {
       listen         80;
       listen    [::]:80;
       server_name    www.flydean.com;
       return         301 https://$server_name$request_uri;
}

Start nginx and test

With that, all of the nginx configuration is complete. We use the following commands to test the configuration file and start nginx:

nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

nginx

To access the website, you also need to add an entry to your hosts file pointing www.flydean.com at your nginx server.

Then you can visit www.flydean.com.

One problem may arise here: if you use a self-signed certificate, Chrome will consider it invalid in its default security settings, and you need to add the certificate to your trust store.

How do you know which protocol this website uses?

Open the browser's developer tools, go to the Network tab and click the request for the visited page; you will see the following:

You can see that the version is HTTP/2 and the response headers contain X-Firefox-Spdy: h2.

Summary

Now you can configure a website with full HTTPS and HTTP2 support. Congratulations!

This article has been included in http://www.flydean.com/01-nginx-http2/
