In this article we explain how to enable HTTP/2 for a site served by NGINX on an Infobox VPS, and what advantages it gives your site. HTTP/2 support was added in the NGINX 1.9.5 release.

Why HTTP/2
HTTP/2 is a new version of the HTTP protocol, standardized in early 2015. Certain features of HTTP/1.1 have a negative effect on the performance of web applications.
In particular, HTTP/1.0 allows only one request at a time on a TCP connection. Request pipelining was added in HTTP/1.1, but it only partially helps with parallel execution of requests and still leads to blocking. HTTP/1.0 and HTTP/1.1 clients that need to make many requests therefore open multiple connections to the server.
In addition, HTTP header fields are verbose and often repeated, producing unnecessary network traffic. Time is also spent on TCP congestion control, which increases latency for many requests made over new TCP connections.
HTTP/2 solves these problems by defining an optimized mapping of HTTP semantics. In particular, it allows requests and responses to be interleaved (multiplexed) on the same connection and provides efficient compression of HTTP header fields. HTTP/2 also allows requests to be prioritized, so that more important requests are served faster.
As a result, the protocol becomes more network-friendly, requiring fewer TCP connections to be opened than HTTP/1.x, which leads to more efficient use of the network. HTTP/2 also processes messages more efficiently thanks to its binary framing.
HTTP/2 is closely tied to SSL. Although the specification does not require SSL, all currently released web browsers support HTTP/2 only if the website uses SSL.
Deploy the server with the latest version of NGINX
If you do not have an Infobox VPS yet, you can order a server here. The article describes how to configure HTTP/2 on a server running CentOS 7. After ordering and creating the server, connect to it via SSH.
Install the latest version of NGINX on a new VPS with CentOS 7
To install the latest version of NGINX, add the official repository. To do this, put the following content in the file /etc/yum.repos.d/nginx.repo:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
# gpgcheck=0 disables package signature verification for this repository
gpgcheck=0
enabled=1
Stop Apache and disable its autostart:
systemctl stop httpd && systemctl disable httpd
Update the OS with the command:
yum -y update
After that, restart the OS.
reboot
Install nginx and firewalld with the command:
yum install -y nginx firewalld
Now start nginx and enable it at boot:
systemctl start nginx && systemctl enable nginx
Similarly, run firewalld:
systemctl start firewalld && systemctl enable firewalld
The last thing to do is open ports 80, 443 and 22.
firewall-cmd --zone=public --add-port=80/tcp --add-port=443/tcp --add-port=22/tcp --permanent
firewall-cmd --reload
Now open the IP address of your VPS in a browser. You will see the NGINX welcome page.

Generating a certificate
For HTTP/2 to work, HTTPS support must be enabled in NGINX.
Usually this process consists of four steps:
- generating a private key (key)
- creating a certificate signing request (CSR) and sending it to a certificate authority (CA)
- installing the certificate received from the certificate authority
- configuring NGINX
This process ensures that users' browsers trust the site.
Create a folder in which the keys will be stored and change into it:
mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
To understand the key generation options, you need to know the following concepts:
Key generation algorithm. OpenSSL supports RSA, DSA and ECDSA keys, but not all types are suitable for practical use in every scenario. For example, for web servers you need to use RSA, because DSA keys are limited to 1024 bits (IE does not support anything larger) and ECDSA keys are not yet supported by the widely used certificate authorities. If we were generating a key for SSH, RSA and DSA would both be suitable, since ECDSA may not yet be supported by some clients.
Key size. The default key size may not be secure. For example, the default RSA key is only 512 bits, and using it is completely unsafe. Today it is recommended to use at least 2048 bits for RSA, 2048 bits for DSA and 256 bits for ECDSA. We will use RSA with 4086 bits.
To generate a private key and a certificate signing request, run the following command:
openssl req -out /etc/nginx/ssl/domain.csr -new -newkey rsa:4086 -nodes -keyout /etc/nginx/ssl/domain.key
During the process, be sure to specify the FQDN (Common Name), i.e. the domain name, and an email address in that domain, for example webmaster@domain.tld. Do not set a password on the key.
After generation, you will see two files in the /etc/nginx/ssl folder: one with the key extension (the private key) and one with the csr extension (the certificate signing request). If you want to use a trusted certificate, order it from a certificate authority (for example, you can order one here). To issue the certificate, the CA needs the contents of the csr file, which you can view with:
cat /etc/nginx/ssl/domain.csr
After ordering and receiving the certificate, save its contents in the file /etc/nginx/ssl/domain.crt. If the certificate authority also provided an intermediate certificate, append its contents to the same file on a new line after the certificate, then save the file.
If you are deploying a test environment, you can generate a self-signed certificate for free like this:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/nginx/ssl/domain.key -out /etc/nginx/ssl/domain.crt

It is also necessary to generate DH parameters, so that if the private key is ever stolen, previously recorded traffic cannot be decrypted (forward secrecy).
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
Enabling HTTPS-only access in NGINX and activating HTTP/2
Edit the NGINX configuration file /etc/nginx/conf.d/default.conf. In it, delete the server section and add:
server {
    listen 80;
    server_name domain.tld www.domain.tld;
    # send all plain HTTP traffic to the HTTPS site
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name domain.tld www.domain.tld;
    ssl on;
    ssl_certificate /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    # tell browsers to use HTTPS only for this host (HSTS)
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;

    location / {
        root /usr/share/nginx/html;
    }
}
where domain.tld is replaced with the name of your site for which you are enabling HTTP/2.
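Before running nginx -t, it is useful to check that the server block still contains the settings the article depends on and none of the legacy protocols or cipher families it excludes. The script below is an added example, not part of the original article or of NGINX; it is a plain-sh lint over a config file (the file path and the check names are this example's own) that also catches the unbalanced braces that a copy-and-paste of a one-line config can produce.

```shell
#!/bin/sh
# Added example (not from the Infobox article): lint the HTTPS + HTTP/2
# server block before `nginx -t`. Usage: lint_h2_config /etc/nginx/conf.d/default.conf
# Exit status is the number of failed checks, so 0 means everything passed.

FAILS=0

# need FILE PATTERN MESSAGE: the ERE PATTERN must appear somewhere in FILE
need() {
    if grep -Eq "$2" "$1"; then echo "ok:   $3"; else echo "FAIL: $3"; FAILS=$((FAILS + 1)); fi
}

# deny FILE PATTERN MESSAGE: the ERE PATTERN must not appear in FILE
deny() {
    if grep -Eq "$2" "$1"; then echo "FAIL: $3"; FAILS=$((FAILS + 1)); else echo "ok:   $3"; fi
}

lint_h2_config() {
    FAILS=0
    need "$1" 'listen[[:space:]]+443[[:space:]]+ssl[[:space:]]+http2;' 'port 443 listener has ssl and http2'
    need "$1" 'return[[:space:]]+301[[:space:]]+https://' 'plain HTTP is redirected to HTTPS'
    need "$1" 'ssl_certificate_key[[:space:]]' 'ssl_certificate_key is set'
    need "$1" 'ssl_dhparam[[:space:]]' 'ssl_dhparam is set (own DH parameters for DHE suites)'
    need "$1" 'ssl_prefer_server_ciphers[[:space:]]+[Oo]n;' 'server cipher order is preferred'
    need "$1" 'Strict-Transport-Security' 'HSTS header is sent'
    # a bare "TLSv1" token (followed by ';' or whitespace) is TLS 1.0; TLSv1.1/1.2 do not match
    deny "$1" 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1[;[:space:]])' 'no SSLv2/SSLv3/TLSv1.0 in ssl_protocols'
    # heuristic: a weak family directly after ':' or a space is enabled; "!RC4"-style
    # exclusions are preceded by '!' and therefore do not match
    deny "$1" 'ssl_ciphers[^;]*[:[:space:]](RC4|DES|MD5|NULL|EXPORT)' 'no RC4/DES/MD5/NULL/EXPORT ciphers enabled'
    # count '{' and '}' to catch a stray brace left over from a one-line paste
    opens=$(( $(tr -cd '{' < "$1" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$1" | wc -c) ))
    if [ "$opens" -eq "$closes" ]; then
        echo "ok:   braces balanced"
    else
        echo "FAIL: braces unbalanced ($opens '{' vs $closes '}')"; FAILS=$((FAILS + 1))
    fi
    return "$FAILS"
}

if [ "$#" -eq 1 ]; then lint_h2_config "$1"; fi
```

The lint is line-based and intentionally conservative: it reports what it finds, and nginx -t remains the authority on whether the file parses.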

After the changes, test the nginx configuration for errors with the command:
nginx -t

Now restart NGINX:
systemctl restart nginx
Open the site by its domain name in the browser. If you used a self-signed certificate that was not signed by a certificate authority, you will see a warning.

Add the site to the exceptions; the browser will remember this and the site will open correctly.
To verify that the site works over HTTP/2, install the HTTP/2 indicator extension for Firefox or Chrome.
Now, when you visit a website that supports HTTP/2 or SPDY, you will see a blue lightning bolt.

Indeed, the site works over HTTP/2.
Try Infobox VPS for free
You can set up everything described in this article on a trial VPS.
To do this, send your name and phone number to trial@infobox.ru; in reply you will receive the details for accessing the control panel. You can test the VPS for 10 days.
Good luck!