0

I have a loadbalancer servers (nginx). The traffic comes to the loadbalance servers and forwarding them to the internal web servers (With upstream). (My internal web servers are also nginx.)

I have a config file as below. I have a lot of config files like this config file on loadbalancers. (For different subdomains.)

I want to run 80 and 443 traffic compliant with the "http2" protocol. I would like to enable the http2 protocol on my web server. I add the "http2" parameter after "listen 80" or "listen 443" command. Everything is normal until this part. (Maybe it is normal for me ..)

I have a few questions after this section.

  • 1: All the articles on the internet, made for port 443. Does this have special cause and I can not do it for the 80 port?

  • 2: When I add "http2" parameter to several config files in "/etc/nginx/conf.d" directory as below, the website does not open. Whenever I refresh the site, it is trying to download the page. But when I remove the http2 parameters, the problem is solved. Why is it doing this? Also, nginx configtest does not give an error.

  • 3: Is there any information you can recommend to me in this regard?

#

[root@lbserver1 ~]# nginx -v

nginx version: nginx/1.12.0

[root@lbserver1 ~]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 6.7 (Santiago)

upstream k-testserver-pool  {
   # ip_hash;
   server testserver.k.local;
}

server {
   listen 80 http2;
   server_name test.www.example.com test.example.com;
   error_log /var/log/nginx/test.www.example.com.80.error.log;

   set $mobile_rewrite_status D;

   large_client_header_buffers 4 16k;

   add_header Set-Cookie "device_type=desktop; Path=/; Domain=test.www.example.com";

   location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_pass http://k-testserver-pool;
      proxy_intercept_errors on;

      fastcgi_read_timeout 600;
      proxy_connect_timeout 600;
      proxy_send_timeout 600;
      proxy_read_timeout 600;
      send_timeout 600;
   }

   location ~* \.(pdf|css|js|png|gif|jpg|jpeg|ico|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_pass http://k-testserver-pool;
      expires 7d;
      add_header Cache-Control "public";
   }

   location ~ /\.ht {
      deny all;
   }
}


server {
   listen 80 http2;
   server_name test.m.example.com test.webapp.example.com;
   error_log /var/log/nginx/test.www.example.com.80.error.log;

   large_client_header_buffers 4 16k;
   add_header Set-Cookie "device_type=mobile; Path=/; Domain=test.m.example.com";

   location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_pass http://k-testserver-pool;
      proxy_intercept_errors on;
      fastcgi_read_timeout 300;
   }

   location ~* \.(pdf|css|js|png|gif|jpg|jpeg|ico|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
      proxy_pass http://k-testserver-pool;
      expires 7d;
      add_header Cache-Control "public";
   }

   location ~ /\.ht {
      deny  all;
   }
}

server {
    listen 443 ssl http2;
    server_name test.www.example.com test.example.com;

    ssl on;
    ssl_certificate /etc/nginx/ssl/www.example.com.crt;
    ssl_certificate_key etc/nginx/ssl/www.example.com.key;
    ssl_ciphers  ...+3DES:DH+3DES:RSA+AES:RSA:!aNULL:!MD5:!DSS;....
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    large_client_header_buffers 4 16k;

    location / {
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_pass http://k-testserver-pool;
       proxy_intercept_errors on;
       fastcgi_read_timeout 300;
    }

    location ~* \.(pdf|css|js|png|gif|jpg|jpeg|ico|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $remote_addr;
       proxy_set_header Host $host;
       proxy_pass http://k-testserver-pool;
       expires 7d;
       add_header Cache-Control "public";
    }
}
Improve this question

1 Answer 1

Reset to default
1

You should have an Nginx version compiled with an OpenSSL version that includes ALPN protocol. (NPN will still work for Firefox). You can check the OpenSSL version compiled with your nginx with the nginx -V command. You are going to need OpenSSL 1.0.2d at least to be compatible with HTTP/2.

If your OpenSSL version is the good one, you can also check for the flag --with-http_v2_module in the result of nginx -V.

In case you don't comply with these prerequisites you will have to recompile nginx by yourself or use a prebuilt binary to be compatible with HTTP/2.

About the port 443 : Most of browsers (and nginx implementation itself) doesn't support port 80 for HTTP/2 actually.

Improve this answer
2
  • First of, thank you very much for your detailed reply. In this case I seem to have provided all the possibilities. As far as I understand, I should add the http2 parameter only for port 443. Because there is no support for all browsers for the 80 port. Is it true ? If so, why is there no support for port 80 and why is it only focusing on port 443 ? This new protocol also has improvements in performance. Does it only work with SSL traffic? My mind is confused, I apologize. But when I read it in the wiki or other articles, I never saw this detail. So I have difficulty in understanding it. Commented Jul 19, 2017 at 17:16
  • Yes, you are right. Browsers doesn't implements HTTP/2 on port 80 to force people going forward in https. Maybe you will have more answers to your questions on This page. Feel free to ask if you have more questions! Commented Jul 20, 2017 at 14:47

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.