nginx http2 support

[mhf-ir]

nginx added http2 support but seems be also on jessie backports not available.

https://www.nginx.com/blog/early-alpha-patch-http2/ http://nginx.org/patches/http2/

client support http://caniuse.com/#feat=http2 ... 52.01% client support now ...

[gplessis]

:)

I'm sticking to the stable 1.8 branch of Nginx because of compatibility issues with 3rd-party module. I'm afraid this will have to wait until 1.10/2.0 has been tagged as stable.

[fnkr]

On the other hand nginx stable may contain more bugs then mainline. They only port critical bugfixes back to stable.

+1 for mainline

[luckyraul]

@gplessis It's stable now

2016-04-26  

nginx-1.10.0 stable version has been released, incorporating new features from the 1.9.x mainline branch - including the stream module, HTTP/2, dynamic modules support and more. 

[cyppe]

Hello!

Any plans to move to 1.10 + latest ngx_pagespeed closest time? Is there something I can do to make it happen?

[gplessis]

I'll provide Nginx 1.10 asap.

[gplessis]

1.10 packages were built for Wheezy and Jessie : https://ci.dotdeb.org/job/dotdeb-nginx/

Feel free to test on your development environments.

[gplessis]

It looks like having http2 support in Nginx will be hard :

• I seriously doubt that OpenSSL 1.0.2 will be available for Wheezy
• Maybe the backport team will provide it for Jessie (request here)
• I won't provide OpenSSL 1.0.2 on Dotdeb

https://ma.ttias.be/day-google-chrome-disables-http2-nearly-everyone-may-31st-2016/

[hugomrdias]

i have OpenSLL 1.0.2 on wheezy and https://tools.keycdn.com/http2-test still reports no ALPN support @gplessis can you help pls

for reference openssl upgrade guide https://blog.okturtles.com/2014/04/how-to-update-openssl-on-debian-testing-jessie-for-heartbleed/

[soren121]

@hugomrdias That will not work, since Nginx is still linked against libssl1.0.0 and not libssl1.0.2.

I don't think Debian will be backporting OpenSSL 1.0.2, since every package that links against OpenSSL would also have to be backported for support.

If you want ALPN support, your only options are to:

• Upgrade to Debian Testing or Unstable
• Compile nginx and statically link OpenSSL 1.0.2 (I do not know if this is possible)
• Switch to a different distro (like Fedora)

Also, keep in mind that HTTP/2 is still usable on Jessie! Only Chrome has dropped support for NPN. It should still work with Firefox, Safari, IE, or Edge.

[b-a-t]

Does it sound too harsh to statically link appropriate version of OpenSSL? Of course that brings extra hassle to track down security issues with 1.0.2, but hopefully they are not SO frequent.

[valmiRe]

@gplessis thanks for your work, I use your package in production for a long time now. Please consider adding a jessie version compliled with a statically linked OpenSSL 1.0.2 or a stretch version that we could backport (the version in debian repo seems to work well in jessie http://serverfault.com/a/775656)

[valmiRe]

for those interested, you can build nginx with openssl 1.0.2 statically linked by adding the prragma --with-openssl=/path/to/openssl-1.0.2 I've done this on a wheezy and a jessie box without any problem, just used the dotdeb nginx package sources and the openssl sources from stretch.

[thmo]

There's openssl 1.0.2h in jessie-backports now.

Of course this does not help out of the box, as nginx has to be (re-)compiled against this to pick up the API changes for ALPN support.

[Skunnyk]

Yes, and nginx debian package in jessie-backports now use openssl 1.0.2 from jessie-backports to be able to use http2/alpn. I don't know what is the dotdeb policy about linking on backports packages ?

[gplessis]

I'm thinking about including OpenSSL 1.0.2 directly from jessie-backports and to rebuild nginx against it.

[Skunnyk]

You mean include openssl directly in dotdeb repository ? this is a big responsibility :) What about depending on jessie-backports ? Maybe the "first" update will be complicated but I think it's a safer mesure on the long term. If you are able to use dotdeb, you can use backports.

[gplessis]

Ok, I now have a build with full http2 support thanks to jessie-backports. To install it :

1. Activate the jessie-backports repository because you will now rely on its OpenSSL 1.0.2+ backport (@Skunnyk is right was right about responsibility 😉)
2. Add the following repo to your sources.list : deb http://packages.dotdeb.org jessie-nginx-http2 all

Then you should be able to upgrade your nginx packages. Please confirm that it enables full http2 support (with ALPN negotiation) on your environment.

[piotrantosik]

I confirm, it works

[thmo]

I can also confirm that it works.

[Skunnyk]

Yai \o It works for me too :) Seamless upgrade !

[ElectronicWar]

Working here as well, no problems during upgrade.

[gplessis]

Thank you guys

[benjaminblack]

Wow. Flawless timing.

Just adding one more voice that the alternate repo version works. Thank you.