Enable HTTP2 Protocol and Improve Nginx SSL Connection Security

Kushal Azza · Nov 11, 2019
Learn how to easily enable the HTTP2 protocol and also improve the SSL certificate security by modifying the Nginx configuration on LEMP Stack Ubuntu Server.

HTTP2 is the second generation hypertext transfer protocol version with improved speed and secured connection. The primary goals are to reduce latency and add support for request prioritization.

In this article, we are going to learn how to quickly enable the HTTP2 protocol support in the Nginx web server and also improve the SSL connection security.

Before we start off, make sure that you’ve already installed an SSL certificate and configured HTTP to HTTPS redirection. I’ve recently written an article about getting a free SSL certificate from LetsEncrypt and this is an extended version of the previous article.

If you’re following, this is theĀ seventh article and video demo in our #CloudServer series. We recently published the UFW firewall installation and setup.

Let’s dive into enabling HTTP/2 and advanced Nginx security setup —

How to Check Web Server Protocol?

You can easily check the currently supporting protocol in Chrome Browser using Developer Options. Follow the below steps:

  1. Open Chrome Browser and Access your Website
  2. Open the Developer Options window by hit [F12] button on the keyboard or you can also right-click for Inspect command
  3. Switch to Network Tab and Select Doc as type filter
  4. Reload the browser and check the Protocol* column in the field

You’ll be able to see the current web server protocol in Developer.

Protocol in Developers Window under Network tab in Chrome

[* if you’re unable to see the Protocol field, right-click on the Name header and select the protocol to enable.]

How to Enable HTTP2 Protocol Support?

HTTP/2 only supports the secured HTTP i.e. HTTPS connection. Hence, it’s certain that you will need an SSL certificate configured on your domain.

Since we have already configured the SSL using certbot, we are going to use the same configuration file.

Open your Nginx configuration file and lookup for the additional rules added by Certbot. It should look like below:

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot

Certbot configuration default for SSL Certificate
In my case, I’ve used the default configuration file and will open in the nano editor via SSH connection.

sudo nano /etc/nginx/sites-available/default

Now, modify the mentioned rules to add and support http2 connections like this.

listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2;  # managed by Certbot

Added HTTP2 Protocol Support in Nginx Configuration File

Once the changes are made, you can restart the Nginx server and again test the latest protocol of the webserver. I’m sure that it will be updated to h2 which is HTTP/2.
HTTP2 Protocol Updated after changing Nginx Conf file

Head over to modify and improve the Nginx SSL certificate security.

Adding Trusted Certificate

In this same server configuration file, you can check for two additional rules added by Certbot. They will look like below:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Insert the following line under the ssl_certificate_key rule to add a trusted certificate.

ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

In my case, I’ll be replacing the example.com with demo.restorebin.com and my final ssl_trusted_certificate rule will be:

ssl_trusted_certificate /etc/letsencrypt/live/demo.restorebin.com/chain.pem;

Added Trusted Certificate Certbot

Close the nano editor once you insert this code. Your setup with default nginx configuration is completed.

Stronger SSL Certificate settings

Now let’s edit the shared SSL settings at /etc/letsencrypt/options-ssl-nginx.conf. This configuration file is shared among all the virtual host nginx configuration files.
If you open the file in nano editor, it will look like this.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Default SSL Nginx Let's Encrypt File

When we tested our Domain SSL certificate, we noticed a few weak ciphers being flags by SSLLabs. Hence, I missed scoring perfect A+.
SSLLabs Test Report for domain

So just replace the content file with below to make those ciphers stronger:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Modified SSL Nginx Let's Encrypt File for Security Score

After making the changes, close the nano editor and restart the Nginx server using the below command.

sudo service nginx restart

This will save and make all the changes live on the website server.

You can also test the domain certificate to find out the latest security score. I hope it should be rated with an A+ score now after making these changes.

https://www.ssllabs.com/ssltest/analyze.html?d=demo.restorebin.com&latest

SSL Labs A+ Report with Security Updates

Video of HTTP2 Protocol and SSL security

Here is the quick video to watch about enabling the HTTP2 protocol and also tightening the SSL certificate security.

I hope you liked the video, please subscribe for more such interesting videos.

What’s next in the #CloudServer series?

Now that we have improved the security of the web server using a firewall and SSL connection. Let’s move on to optimizing the server to improve the speed and connection by using Nginx caching rules for browser cache and Gzip compression.

This will help to save the static files in the client’s browser and also serve the compressed file when requested.

If you've any thoughts on Enable HTTP2 Protocol and Improve Nginx SSL Connection Security, then feel free to drop in below comment box. Cheers!

Tags:

Share
Kushal Azza
Kushal Azza
Fond of latest technologies and gadgets. I'm a digital dev and analytics consultant. Also, the geek behind this blog!

You may also like

Leave a Reply

Your email address will not be published. Required fields are marked *