NGINX is a fast and reliable open-source web server. It gained its popularity due to its low memory footprint, high scalability, ease of configuration, and support for the vast majority of different protocols.
One of the protocols supported is the relatively new HTTP/2, which was published in May 2015. The main advantage of HTTP/2 is its high transfer speed for content-rich websites.
Prerequisites
Before we get started, we will need a few things:
- Ubuntu 18.04 (or 16.04/14.04)
- An SSL certificate. Generate a self-signed certificate, obtain a free one from Let's Encrypt, or buy one from another provider.
- That is all. If you have everything listed above, you are ready to go.
Step 1 — Installing the Latest Version of Nginx
Support of the HTTP/2
protocol was introduced in Nginx 1.9.5
. Fortunately, the default repository in Ubuntu 16.04 contains a version higher than this, so we don't have to add a third party repository.
First, update the list of available packages in the apt packaging system:
sudo apt-get update
Then, install Nginx:
sudo apt-get install nginx
After the installation process finishes, you can check the version of Nginx by typing:
sudo nginx -v
The output should be similar to the following:
nginx version: nginx/1.14.0 (Ubuntu)
Step 2 — Changing the Listening Port and Enabling HTTP/2
The first change we will make will be to change the listening port from 80
to 443
.
Let's open the configuration file:
sudo nano /etc/nginx/sites-available/default
By default, Nginx is set to listen to port 80
, which is the standard HTTP
port:
listen 80;
listen [::]:80;
As you can see, we have two different listen variables. The first one is for all IPv4
connections. The second one is for IPv6
connections. We will enable encryption for both.
Modify the listening port to 443
, which is used by the HTTPS protocol:
listen 443 ssl http2;
listen [::]:443 ssl http2;
Notice that in addition to ssl, we also added http2 to the line. This variable tells Nginx to use HTTP/2 with supported browsers.
Step 3 — Changing the Server Name
We use the server_name
entry to specify which domain should be associated with the configuration file. Locate the server_name
entry in the configuration file.
By default, server_name is set to _
(underscore), which means the config file is responsible for all incoming requests. Change _
to your actual domain, like this:
server_name example.com;
Save the configuration file and edit the text editor.
Whenever you make changes to Nginx configuration files, you should check the configuration for syntax errors, like this:
sudo nginx -t
If the syntax is error-free, you will see the following output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Step 4 — Adding the SSL Certificates
Next, you need to configure Nginx to use your SSL
certificate. If you don't know what an SSL
certificate is or currently don't have any, please follow this tutorial.
Create a directory to store your SSL
certificates inside the Nginx configuration directory:
sudo mkdir /etc/nginx/ssl
Copy your certificate and the private key to this location. We will also rename the files to show which domain they are associated. This will come in handy in the future, when you have more than one domain associated with this server. Replace example.com with your actual hostname:
sudo cp /path/to/your/certificate.crt /etc/nginx/ssl/example.com.crt sudo cp /path/to/your/private.key /etc/nginx/ssl/example.com.key
Now, let's open our configuration file one again and configure SSL.
sudo nano /etc/nginx/sites-available/default
On new lines inside the server block, define the location of your certificates:
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
Save the file, and exit the text editor.
Step 5 — Avoiding Old Cipher Suites
HTTP/2
has a huge blacklist of old and insecure ciphers, so we must avoid them. Cipher suites are a bunch of cryptographic algorithms, which describe how the transferring data should be encrypted.
We will use a really popular cipher set, whose security was approved by Internet giants like CloudFlare. It does not allow the usage of MD5 encryption (which was known as insecure since 1996, but despite this fact, its use is widespread even to this day).
Open the following configuration file:
sudo nano /etc/nginx/nginx.conf
Add this line after ssl_prefer_server_ciphers on;
.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
Save the file, and exit the text editor.
Once again, check the configuration for syntax errors:
sudo nginx -t
Step 6 — Redirecting all HTTP Request to HTTPS
Since we are interested in serving the content through HTTPS only, we should tell Nginx what it should do if the server receives an HTTP request.
At the bottom of our file, we will create a new server block for redirecting all HTTP requests to HTTPS (be sure to replace the server name with your actual domain name):
server {
listen 80;
listen [::]:80;
server_name example.com;
return 301 ;
}
Save the file, and exit the configuration file.
Check the configuration for syntax errors:
sudo nginx -t
Step 7 — Reloading Nginx
That's it for all the Nginx configuration changes. Since we checked for syntax errors with each change, you should be ready to restart Nginx and test your changes.
To summarize, ignoring commented out lines, your configuration file should now look similar to this:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
}
server {
listen 80;
listen [::]:80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
To apply the changes, restart the Nginx server.
sudo systemctl restart nginx
Conclusion
Your Nginx server is now serving HTTP/2 pages. If you want to test the strength of your SSL connection, please visit Qualys SSL Lab and run a test against your server. If everything is configured properly, you should get an A+ mark for security.
Top comments (4)
I recently reconfigured my server to use nginx. I wrote an article on enabling http/2 in apache on ubuntu because I was using apache at the time.
With the move, I now have to reconfigured http/2 for nginx. Thanks for the article.
Please fix the "Qualys SSL" URL. Thanks :)
Thanks, fixed :D
Thank you Grigor for sharing this and for great explanation. I have read alot of articles about this topic but this one was very clear and helped me fully understand.