How to use HTTP2 behind AWS Network Load Balancer terminating SSL

Question

I have the following setup:

client --> AWS NLB (terminates SSL) --> nginx --> webserver

How can I get nginx to serve content over HTTP2? Enabling it on the nginx server config just causes the browser to download a file when accessing a page.

Answer 1

The solution I ultimately arrived at was this:

client --> AWS NLB --> AWS ALB (terminates SSL) --> nginx --> webserver

The trick was to use TCP on port 443 on the NLB at creation time! The web ui does not permit you to add a TCP listener on 443 afterward — it requires you to use the TLS choice on 443 and select a cert for TLS termination. The only reason I'm using NLB is because it supports static IP association. TCP passthrough to the ALB works for my use case.

Since the ALB terminates TLS and also supports HTTP/2 this setup works.

Answer 2

Browsers use ALPN as part of the TLS negotiation to decide to sue the HTTP/2 protocol.

As your TLS termination is happening at the NLB it must announce this HTTP/2 support and the pass on the unencrypted HTTP/2 data to Nginx.

I can’t see anything to suggest that NLB supports setting of ALPN so not sure this is possible. You will need to ask AWS if this is supported as nothing in their documentation on it, but that in itself probably gives you the answer that you don’t want.

Not sure why it’s downloading a file. Does the same thing happen if you connect directly to Nginx?