Thursday 25th August 2016

nginx with HTTP/2 and ALPN in Debian 8

Earlier this year Google broke HTTP/2 for nearly everyone by dropping support for NPN. Thankfully, versions of nginx and the OpenSSL library that support HTTP/2 and ALPN can be installed from Debian Backports.

So what happened?

When Google developed SPDY (the predecessor to HTTP/2), they introduced a modification to OpenSSL called NPN (Next Protocol Negotiation), which allowed clients to negotiate their connection up from HTTP/1 to HTTP/2.

After SPDY was revised and released as HTTP/2, a revised version of NPN, ALPN (Application-layer Protocol Negotiation), was also released into OpenSSL. It's available in version 1.0.2 or higher.

As of Chrome 51, Google have removed support for NPN, despite the community's objections. Since most major operating systems currently ship with OpenSSL 1.0.1, Google Chrome cannot negotiate an HTTP/2 connection with web servers running on these OSes. Support for OpenSSL 1.0.2 and ALPN is unlikely to be provided by these OS vendors until their next major release.

How do I support Google Chrome users in Debian 8?

If you're willing to take a slight risk and install a backported version of nginx, you can support Chrome users easily. If you haven't already, add the Jessie Backports repo to your sources.list file and update apt:

# echo 'deb http://ftp.debian.org/debian jessie-backports main' >> /etc/apt/sources.list
# apt-get update

You can now install nginx:

# apt-get -t jessie-backports install nginx

As it's installing, you should notice apt downloading nginx 1.9 and OpenSSL 1.0.2:

Get:1 http://ftp.debian.org/debian/ jessie-backports/main libssl1.0.0 amd64 1.0.2h-1~bpo8+2 [1,290 kB]
Get:2 http://ftp.debian.org/debian/ jessie-backports/main nginx-common all 1.9.10-1~bpo8+3 [98.4 kB]
Get:3 http://ftp.debian.org/debian/ jessie-backports/main nginx-full amd64 1.9.10-1~bpo8+3 [499 kB]
Get:4 http://ftp.debian.org/debian/ jessie-backports/main nginx all 1.9.10-1~bpo8+3 [78.0 kB]

Once installed you can check nginx is running with the correct OpenSSL library (it should say 1.0.2):

# nginx -V
nginx version: nginx/1.9.10
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled

And you can check ALPN support is working with KeyCDN's HTTP/2 testing tool.
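
The two checks above can also be scripted. The following is an added example, not part of the original post: it reads the OpenSSL version from `nginx -V` output, tests it against the 1.0.2 minimum, and reads the negotiated protocol from `openssl s_client -alpn` output. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the two conditions the
# post relies on: nginx built against OpenSSL >= 1.0.2, and "h2" chosen via ALPN.

# Read `nginx -V` output on stdin, print the OpenSSL version it was built with.
nginx_openssl_version() {
    sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Succeed if an OpenSSL version such as 1.0.2h is 1.0.2 or higher (has ALPN).
openssl_has_alpn() {
    ver=$(printf '%s' "$1" | sed 's/[a-z]*$//')      # strip the letter suffix
    [ -n "$ver" ] || return 1
    lowest=$(printf '%s\n%s\n' "1.0.2" "$ver" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "1.0.2" ]
}

# Read `openssl s_client -alpn ...` output on stdin, print the negotiated
# protocol; prints nothing when the server selected none.
alpn_selected() {
    sed -n 's/^ALPN protocol: *//p' | head -n 1
}

# Live check against a host you run (hypothetical helper; needs a local
# OpenSSL 1.0.2+ client, since older ones lack the -alpn option).
check_host() {
    proto=$(openssl s_client -alpn h2,http/1.1 -connect "$1:443" \
        -servername "$1" </dev/null 2>/dev/null | alpn_selected)
    [ "$proto" = "h2" ]
}

# Constructed samples: the first repeats the `nginx -V` output shown in the
# post, the second imitates a build against OpenSSL 1.0.1.
SAMPLE_BACKPORT='nginx version: nginx/1.9.10
built with OpenSSL 1.0.2h  3 May 2016
TLS SNI support enabled'
SAMPLE_STOCK='nginx version: nginx/1.6.2
built with OpenSSL 1.0.1t  3 May 2016
TLS SNI support enabled'

if [ $# -gt 0 ]; then
    # nginx -V writes to stderr, hence 2>&1
    v=$(nginx -V 2>&1 | nginx_openssl_version)
    openssl_has_alpn "$v" && echo "nginx OpenSSL $v: ALPN capable" \
        || echo "nginx OpenSSL ${v:-unknown}: no ALPN"
    check_host "$1" && echo "$1: h2 via ALPN" || echo "$1: h2 not negotiated"
fi
```

Run it on the server with your own hostname as the only argument; without an argument it only defines the functions and samples.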

Disclaimer: while the procedure above should work fine, running backports can break your system. The packages are not as well tested as those in Debian stable, and there could be unforeseen compatibility issues between backported packages and those already on your system. Use at your own risk.