http 2 with centos 7.0, nginx and a nodejs app (ghost)

just_user asked:

I’m trying to get a ghost blog running over SSL and HTTP/2. SSL works fine, but it’s constantly served over HTTP/1.1. I’m trying to figure out why this keeps happening.

My nginx conf file looks like the following:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;

    ssl_certificate        /etc/letsencrypt/live/example.com-0001/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/example.com-0001/privkey.pem;
    ssl_dhparam            /etc/letsencrypt/live/example.com-0001/dhparam.pem;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

server {
    listen         80;
    listen    [::]:80;
    server_name    example.com;
    return         301 https://$server_name$request_uri;
}

The node.js app is running on port 2368. Whenever I load the domain I am presented with it over SSL, so this part works. But it’s always over HTTP/1.1. And I’m running nginx version nginx/1.11.5.

Any suggestions?

My answer:


HTTP/2 with modern browsers requires ALPN, which requires OpenSSL 1.0.2. CentOS 7 shipped with OpenSSL 1.0.1 and does not support ALPN. It only supports its predecessor NPN, the use of which was deprecated when SPDY became HTTP/2.

I dealt with this by migrating web servers to Fedora, which currently has OpenSSL 1.0.2 and will be moving to 1.1.0 in a few months. This has some additional administrative burden over CentOS due to having recent software and a six month release cycle, but web services typically require recent software anyway.
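An added diagnostic helper, not part of the Server Fault answer, for confirming the ALPN explanation above from a client: it interprets the "ALPN protocol:" line that "openssl s_client -alpn h2" prints and checks whether a client-side OpenSSL version string is 1.0.2 or newer (a client with the same 1.0.1 limitation cannot offer ALPN either, so it would see HTTP/1.1 against a correctly configured server). The hostname is a placeholder, only OpenSSL version strings are handled, and the live check needs network access.

```shell
#!/bin/sh
# Added example, not from the Server Fault answer. Helpers for confirming the
# ALPN diagnosis: does the server negotiate "h2" over ALPN, and is the client
# OpenSSL new enough (1.0.2+) to offer ALPN at all? Without ALPN, a browser
# falls back to HTTP/1.1 even though nginx has "listen 443 ssl http2".

# Interpret captured output of "openssl s_client -alpn h2 ...": prints the
# negotiated protocol (h2, http/1.1, none, unknown); returns 0 only for h2.
alpn_result() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ALPN protocol: *//p' | head -n 1)
    case "$proto" in
        h2) echo h2; return 0 ;;
        "")
            if printf '%s\n' "$1" | grep -q '^No ALPN negotiated'; then
                echo none
            else
                echo unknown
            fi
            return 1 ;;
        *)  echo "$proto"; return 1 ;;
    esac
}

# Returns 0 if an "openssl version" string is OpenSSL 1.0.2 or newer.
# (Assumes OpenSSL; LibreSSL and other forks are not handled.)
openssl_has_alpn() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*//')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # e.g. "1.1" has no patch digit
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# Live check against a host (needs network and an ALPN-capable local OpenSSL).
# Usage: check_h2 example.com [443]   -- the hostname is a placeholder
check_h2() {
    host=$1; port=${2:-443}
    if ! openssl_has_alpn "$(openssl version)"; then
        echo "local OpenSSL too old to offer ALPN; test from another client" >&2
        return 2
    fi
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -alpn h2 2>/dev/null)
    alpn_result "$out"
}
```

A server built against OpenSSL 1.0.1 answers "No ALPN negotiated" here even with http2 enabled in nginx, which is exactly the HTTP/1.1 fallback the question describes.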


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.