Reputation: 432
Recently, I attempted to upgrade my server configs to support HTTP 2 and noticed that when a browser attempted to load the site without SSL, it would instead download a 50 byte binary file.
Configuration is as follows.
It worked as expected - upgrade the request to HTTPS via the redirects - until I added http2 to the listen directives on the redirects at the end.
The fallout is that the unsecured HTTP requests are now cached which super sucks but I'd like to understand why this happened and how I should be configuring my server.
I've removed http2 from the redirects listen directives since.
I thought it would be better to specify to the browser that the server supports http2 the whole way but it didn't go as planned - for some reason the response type wasn't being sent as html.
Why has this happened?
    server {
        root /var/domains/mywebsite.com/html;
        error_log off;
        access_log off;
        index index.php index.html;
        server_name mywebsite.com;
        gzip on;
        gzip_types text/plain application/xml application/json application/javascript;
        location /service-worker.js {
            add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
            expires off;
            access_log off;
        }
        location / {
            try_files $uri $uri/ /index.html;
        }
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        }
        location ~ /\.ht {
            deny all;
        }
        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
        # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    server {
        error_log off;
        access_log off;
        server_name www.mywebsite.com;
        location ~ {
            rewrite ^/(.*)$ https://mywebsite.com/$1 permanent;
        }
        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
        # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    server {
        server_name mywebsite.com;
        if ($host = mywebsite.com) {
            return 301 https://$host$request_uri;
        }
        listen 80 http2;
        return 404;
    }
    server {
        server_name www.mywebsite.com;
        if ($host = www.mywebsite.com) {
            return 301 https://$host$request_uri;
        }
        listen 80 http2;
        return 404;
    }
Upvotes: 0
Views: 294
Reputation: 45905
Nginx doesn't allow HTTP/2 and HTTP/1 on non-HTTPS connections. Bug raised here: https://trac.nginx.org/nginx/ticket/816.
There is little point in non-HTTPS HTTP/2 (aka h2c) connections to be honest as web browsers only use HTTP/2 over HTTPS hence why this bug hasn't been prioritised to be fixed yet.
So remove http2 from your port 80 server config and leave it for your port 443 config.
Upvotes: 1