HTTP/2 is the second version of the HTTP network protocol and includes many improvements, among them request multiplexing (all requests can be processed in parallel), increased performance, header compression, etc.
HTTP/2 has replaced SPDY, which has been discontinued.
Nginx supports the HTTP/2 protocol starting with version 1.9.5. However, the stable release of Debian Jessie only ships version 1.6.2. Therefore, we will enable the backports repository to upgrade nginx to 1.9.10.
Before upgrading, you need to know which nginx packages are installed on the system (there are several of them). See the output of the command:
# dpkg -l | grep nginx
On my server it is like this:
root@ww.kr.ua:~# dpkg -l | grep nginx
ii nginx-common 1.6.2-5+deb8u1 small, powerful, scalable web/proxy server - common files
ii nginx-extras 1.6.2-5+deb8u1 i386 nginx web/proxy server (extended version)
So these are the packages I need to upgrade, which is what I did:
# aptitude install nginx-common nginx-extras openssl -t jessie-backports
Here, the -t switch is followed by the repository to install from, jessie-backports.
We install OpenSSL version 1.0.2 to get ALPN support.
Enable HTTP/2 for a virtual host
In the configuration file of each of your sites that supports SSL (if you use separate files for virtual hosts in the /etc/nginx/sites-enabled folder), or in the main configuration file /etc/nginx/nginx.conf, find the listen parameter.
Usually, this parameter looks like this:
listen 443 ssl;
If spdy is enabled, then:
listen 443 ssl spdy;
In the first case, just add http2 after the ssl parameter. In the second, replace spdy with http2. The result should be:
listen 443 ssl http2;
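The listen change described above, as an added example that is not part of the original article: shell functions that report which TLS listen directives still lack http2 or still use spdy, and print the migrated file. The function names audit_listen and migrate_listen and the sample virtual host are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. The sample vhost is constructed.

# Report every TLS listen directive as "<file>:<line>: <status>", where status
# is ok (http2 set), spdy (must be replaced) or missing (http2 not enabled).
audit_listen() {
    awk '$1 == "listen" {
        sub(/;.*$/, "")                 # drop the terminator, fields are re-split
        ssl = 0; spdy = 0; h2 = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "ssl")   ssl = 1
            if ($i == "spdy")  spdy = 1
            if ($i == "http2") h2 = 1
        }
        if (!ssl) next                  # plain-HTTP listeners are out of scope
        printf "%s:%d: %s\n", FILENAME, FNR, (spdy ? "spdy" : (h2 ? "ok" : "missing"))
    }' "$@"
}

# Print the file with spdy replaced by http2, and http2 added after ssl where
# it is absent. Comments and non-TLS listeners pass through unchanged.
migrate_listen() {
    sed -E '/^[[:space:]]*listen[[:space:]].*[[:space:]]ssl[[:space:];]/{
        s/[[:space:]]+spdy([[:space:];])/ http2\1/
        /[[:space:]]http2[[:space:];]/!s/([[:space:]]ssl)([[:space:];])/\1 http2\2/
    }' "$1"
}

# Constructed sample input covering the cases from the text.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl spdy;
}
server {
    listen 8443 ssl http2;
    # listen 9443 ssl;
}
EOF

audit_listen "$sample"
migrate_listen "$sample" | grep -n 'listen'
```

Run audit_listen against the files in /etc/nginx/sites-enabled before and after editing. migrate_listen only writes to standard output, so review the result before replacing a configuration file.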
Set the ssl_prefer_server_ciphers parameter to off.
Or specify a list of available ciphers that is consistent with the black list in RFC 7540, Appendix A:
ssl_ciphers EECDH:EDH:!3DES:!DES:!DSS:!SEED:!CAMELLIA:!NULL:!RC4:!SHA;
After making all the changes, test the configuration with the nginx -t command.
If the test succeeds, restart nginx and go to ssllabs.com to test the server. You can also use the SPDY indicator add-on for Firefox.