
Enable HTTP2 Protocol and Improve Nginx SSL Connection Security

HTTP/2 is a faster transfer protocol than the previous generation, and browsers only speak it over a TLS-secured connection, so it pairs naturally with a Let’s Encrypt SSL certificate to improve both the server’s security and its speed. Most web browsers support it, and it can be enabled with a small change in the nginx configuration file.

HTTP/2 is the second major version of the Hypertext Transfer Protocol, with improved speed over a secured connection. Its primary goals are to reduce latency and add support for request prioritization.

In this article, we will learn how to quickly enable the HTTP2 protocol support in the Nginx web server and improve the SSL connection security.

Before we start, ensure you’ve already installed an SSL certificate and configured HTTP to HTTPS redirection. I’ve recently written an article about getting a free SSL certificate from LetsEncrypt, and this is an extended version of the previous article.

If you’re following, this is the seventh article and video demo in our #CloudServer series. We recently published the UFW firewall installation and setup.

Let’s dive into enabling HTTP/2 and the advanced Nginx security setup.

How to Check Web Server Protocol?

You can quickly check the protocol currently in use in the Chrome browser using Developer Tools. Follow the steps below:

  1. Open the Chrome browser and access your website
  2. Open the Developer Tools window by pressing [F12] on the keyboard, or right-click the page and choose Inspect
  3. Switch to the Network tab and select Doc as the type filter
  4. Reload the page and check the Protocol* column

You’ll be able to see the current web server protocol in Developer Tools.

[Screenshot: Protocol column in the Developer Tools Network tab in Chrome]

[* if you cannot see the Protocol field, right-click on the Name header and select the protocol to enable.]

How to Enable HTTP2 Protocol Support?

Browsers only support HTTP/2 over secured HTTP, i.e., an HTTPS connection. Hence, you will need an SSL certificate configured on your domain.

Since we have already configured the SSL using certbot, we will use the same configuration file.

Open your Nginx configuration file and look for the additional rules added by Certbot. They should look like the below:

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
[Screenshot: Certbot’s default configuration for the SSL certificate]

In my case, I’ve used the default configuration file and will open it in the nano editor over an SSH connection.

sudo nano /etc/nginx/sites-available/default

Now, modify the rules mentioned above to add http2 to both listen directives, like this:

listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2;  # managed by Certbot
[Screenshot: HTTP2 protocol support added to the Nginx configuration file]

Once the changes are made, restart the Nginx server and test the web server protocol again. The Protocol column should now show h2, i.e., HTTP/2.

[Screenshot: HTTP2 protocol shown after changing the Nginx conf file]

Next, let’s modify and improve the Nginx SSL certificate security.

Adding Trusted Certificate

In the same server configuration file, you will find two additional rules added by Certbot. They look like the below:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Insert the following line under the ssl_certificate_key rule to add the trusted certificate chain. Nginx uses this file to verify OCSP responses when ssl_stapling_verify is enabled, which we turn on later in this article.

ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

In my case, I’ll be replacing the example.com with demo.restorebin.com, and my final ssl_trusted_certificate rule will be:

ssl_trusted_certificate /etc/letsencrypt/live/demo.restorebin.com/chain.pem;
[Screenshot: Trusted certificate added to the Certbot configuration]

Save and close the nano editor once you have inserted this line. Your setup in the default nginx configuration file is complete.

Stronger SSL Certificate settings

Now let’s edit the shared SSL settings at /etc/letsencrypt/options-ssl-nginx.conf. This configuration file is included by all the virtual host nginx configuration files that Certbot manages, so a change here applies to every site on the server.
If you open the file in the nano editor, it will look like this:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
[Screenshot: Default SSL Nginx Let’s Encrypt file]

When we tested our domain’s SSL certificate, SSL Labs flagged some weak ciphers. Hence, I missed scoring a perfect A+.

[Screenshot: SSL Labs test report for the domain]

Replace the file’s contents with the below to drop those weak ciphers:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Only TLS 1.2; TLS 1.0 and 1.1 are what SSL Labs penalises
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
# OCSP stapling; verification relies on the ssl_trusted_certificate line added above
ssl_stapling on;
ssl_stapling_verify on;
# Note: the HSTS preload list requires a max-age of at least 31536000 (one year)
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
# This CSP blocks inline scripts/styles and all third-party resources; adjust it to what your site actually loads
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Caution: any add_header inside a location block replaces all of these headers for that location
[Screenshot: Modified SSL Nginx Let’s Encrypt file for a better security score]
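As an added example (not part of the original article, and not Certbot’s or Nginx’s own tooling), the POSIX shell script below audits the settings this section and the HTTP/2 listen change above are concerned with. It writes three constructed sample fragments of an Nginx TLS configuration to a temporary directory (the Certbot defaults, the hardened version from this article, and a variant where the chain.pem line was forgotten) and reports what a reviewer would flag in each: a TLS listener without http2, TLSv1/TLSv1.1 still enabled, ssl_stapling_verify without ssl_trusted_certificate, and an HSTS header that asks for preload with a max-age below one year. The sample paths and example.com hostname are placeholders, and the optional check_h2 function assumes curl’s --http2 flag and %{http_version} output variable.

```shell
#!/bin/sh
# Added example, not from the original article: an offline audit of the Nginx
# TLS settings described above. Sample configs below are constructed; paths and
# hostnames are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sample 1 (constructed): the Certbot defaults shown in the article.
cat > "$WORK/default.conf" <<'EOF'
listen 443 ssl; # managed by Certbot
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
EOF

# Sample 2 (constructed): the hardened settings from the article.
cat > "$WORK/hardened.conf" <<'EOF'
listen 443 ssl http2; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
ssl_protocols TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
EOF

# Sample 3 (constructed): stapling verification on, but the chain.pem line forgotten.
cat > "$WORK/nostaple.conf" <<'EOF'
listen 443 ssl http2;
ssl_protocols TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
EOF

# audit_tls_conf FILE: print one finding per line (prints nothing when clean).
audit_tls_conf() {
    f=$1
    sp='[[:space:]]'
    # A TLS listener that never advertises HTTP/2.
    if grep -Eq "^$sp*listen$sp.*${sp}ssl($sp|;)" "$f" \
       && ! grep -Eq "^$sp*listen$sp.*${sp}http2($sp|;)" "$f"; then
        echo "listen: ssl listener without http2"
    fi
    # Legacy protocol versions still enabled.
    if grep -E "^$sp*ssl_protocols$sp" "$f" | grep -Eq "(SSLv3|TLSv1|TLSv1\.1)($sp|;)"; then
        echo "ssl_protocols: SSLv3/TLSv1/TLSv1.1 still enabled"
    fi
    # ssl_stapling_verify needs ssl_trusted_certificate to validate the OCSP response.
    if grep -Eq "^$sp*ssl_stapling_verify${sp}+on" "$f" \
       && ! grep -Eq "^$sp*ssl_trusted_certificate$sp" "$f"; then
        echo "ssl_stapling_verify: on, but no ssl_trusted_certificate"
    fi
    # HSTS must be present; if 'preload' is requested, max-age must be >= 1 year.
    hsts=$(grep -Ei "^$sp*add_header${sp}+Strict-Transport-Security" "$f" || true)
    if [ -z "$hsts" ]; then
        echo "hsts: no Strict-Transport-Security header"
    else
        age=$(printf '%s\n' "$hsts" | sed -nE 's/.*max-age=([0-9]+).*/\1/p')
        if printf '%s\n' "$hsts" | grep -qi preload && [ "${age:-0}" -lt 31536000 ]; then
            echo "hsts: preload requested but max-age=$age < 31536000"
        fi
    fi
}

# count_findings FILE: number of findings as a plain integer.
count_findings() {
    audit_tls_conf "$1" | grep -c . || true
}

# check_h2 HOST: live check, prints "2" when the server negotiated HTTP/2.
# Needs network, so it only runs when a hostname is passed as the first argument.
check_h2() {
    curl -sSo /dev/null --http2 -w '%{http_version}\n' "https://$1/"
}

for c in default hardened nostaple; do
    printf '== %s.conf (%s findings)\n' "$c" "$(count_findings "$WORK/$c.conf")"
    audit_tls_conf "$WORK/$c.conf" | sed 's/^/  /'
done
if [ $# -gt 0 ]; then
    check_h2 "$1"
fi
```

Run it with no arguments to audit the three embedded samples (the defaults produce three findings, the hardened file one, and the forgotten-chain file one); pass your hostname as the first argument after deploying to confirm the live server negotiates HTTP/2. Before restarting Nginx for real, `sudo nginx -t` catches syntax errors in the edited files.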

After making the changes, save and close the nano editor, then restart the Nginx server using the command below.

sudo service nginx restart

This makes all the changes live on the web server.

You can also test the domain certificate again to get the latest security score. After making these changes, it should be rated with an A+ score.

https://www.ssllabs.com/ssltest/analyze.html?d=demo.restorebin.com&latest
[Screenshot: SSL Labs A+ report after the security updates]

Video of HTTP2 Protocol and SSL security

Here is a quick video about enabling the HTTP2 protocol and tightening the SSL certificate security.

[Video: Enable HTTP2 Protocol and Improve Nginx SSL Connection Security]

I hope you liked the video; please subscribe for more such interesting videos.

What’s next in the #CloudServer series?

Now that we have improved the web server’s security with a firewall and a hardened SSL connection, let’s optimize the server’s speed and connections using Nginx caching rules for the browser cache and Gzip compression.

It will help save the static files in the client’s browser and serve the compressed file when requested.
