Maybe it's the most real tutorial on Nginx configuration HTTP2.

Source: Internet
Author: User
Tags http 2 nginx server

Since the release of the official version of the HTTP/2 agreement from May 14, 2015 to now has been almost a year, more and more sites deployed HTTP2,HTTP2 's wide range of applications to bring a better browsing experience, as long as the modern browser is supported, so deployment HTTP2 does not bring too much trouble. Although the H2 H2C (HTTP/2 cleartext) can be transmitted over a non-encrypted channel, but the supported browsers are still relatively small in the beginning, so the current deployment H2 still need to go encrypted, but because let's Encrypt vigorously promote the cost of free certificates and certificates, the deployment of H2 Cost is not high.


HTTP 2.0 is the Hypertext Transfer Protocol 2.0, which is the next generation HTTP protocol. was developed by the hypertext Transfer Protocol Bis (httpbis) Working Group of the Internet Engineering Task Force (IETF). Is the first update since the release of the http1.1 in 1999, the HTTP/2 agreement evolved from SPDY, SPDY has completed its mission and will soon be out of the historical stage (for example, Chrome will end in "early 2016" SPDY support ";nginx, Apache Also has full support HTTP/2, and also no longer support SPDY), General people HTTP2 referred to as H2, although some friends may not be willing, but this abbreviation has been default, especially in the browser to HTTP2 is this shorthand.


Normal HTTPS web browsing will be a bit slower than HTTP Web sites because of the need to handle encryption tasks, and the configuration of H2 HTTPS, in the case of low latency faster than HTTP more stable! Now the frequency of telecommunications hijacking incidents, the site deployed HTTPS encryption can eliminate most of the hijacking, but not completely. Like the e-commerce industry to HTTPS encryption but standard AH, so the deployment of H2 is imperative.

Web Server Description

The default compiled Nginx does not contain the H2 module, we need to add parameters to compile, the deadline for the publication, Nginx 1.9 development version and above version of the source code need to add their own compilation parameters, downloaded from the software source warehouse is the default compilation. Tengine can deploy both H2 and SPDY to ensure compatibility, and Nginx is no longer supported SPDY.


If your compiled Nginx is not supported, then add it in ./configure : --with-http_v2_module If you do not have SSL support, you will need to add the make --with-http_ssl_module && make install.


The main configuration is the Nginx server block. Modify the relevant virtual machine .conf files, generally in /usr/local/nginx/conf/vhost/ or /etc/nginx/conf/ , specific reference to your environmental guidance, do not understand please reply.

server {Listen 443 SSL http2 default_server;server_name;ssl_certificate/path/to/public.crt;ssl_ Certificate_key/path/to/private.key;

Note: Will server_name; Replace the with your domain name. Then pass /usr/local/nginx/sbin/nginx -t or nginx -t to detect whether the configuration is correct, and then restart Nginx, you can.


On the Chrome browser, HTTP/2 and SPDY indicator can be checked, if the address bar appears Blue Lightning is H2 can also be examined in chrome://net-internals/#http2. Note the version to be new, posture should be handsome!

Configure Advanced

We all know that last year's painstaking efforts to push SSL to the cusp, so only support the H2, we still need to do some security optimization of SSL!

Configuring the Herman key
OpenSSL dhparam-out Dhparam.pem 2048//runs in SSH, OpenSSL generates a 2048-bit key instead of writing the nginx.conf file as a parameter. SSL_DHPARAM/PATH/TO/DHPARAM.PEM; Configuring in. conf
prohibit unsecured SSL protocol, use security protocol
Ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
prohibit encryption algorithms that are not already secure
Ssl_ciphers ' Ecdhe-rsa-aes256-gcm-sha384:ecdhe-rsa-aes128-gcm-sha256:dhe-rsa-aes256-gcm-sha384:d He-rsa-aes128-gcm-sha256:ecdhe-rsa-aes256-sha384:ecdhe-rsa-aes128-sha256:ecdhe-rsa-aes256-sha: Ecdhe-rsa-aes128-sha:dhe-rsa-aes256-sha256:dhe-rsa-aes128-sha256:dhe-rsa-aes256-sha:dhe-rsa-aes128-sha: ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256: aes256-sha:aes128-sha:des-cbc3-sha:high:!anull:!enull:! export:! camellia:! Des:! md5:! Psk:! RC4 ';
Mitigating BEAST attacks
Ssl_prefer_server_ciphers on;
* * Enable hsts**

This jumps directly over 301 and reduces the risk of a man-in-the-middle attack! Configuration in. conf

Add_header strict-transport-security max-age=15768000;
**301 Jump * *

80 port Jump to 443 port

server {listen; Add_header strict-transport-security max-age=15768000; return 301$ Request_uri;}
Cache Connection Credentials
Ssl_session_cache shared:ssl:20m;ssl_session_timeout 60m;
OCSP Stitching
Ssl_stapling on;ssl_stapling_verify On;ssl_trusted_certificate/etc/nginx/cert/trustchain.crt;resolver valid=300s;

Free to provide the latest Linux technology tutorials Books, for open-source technology enthusiasts to do more and better:

Maybe it's the most real tutorial on Nginx configuration HTTP2.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.