HTTP/2 Now Fully Supported in NGINX Plus

Earlier this week we released NGINX Plus R7 with support for HTTP/2. As the latest standard for the HTTP protocol, HTTP/2 is designed to bring increased performance and security to modern web applications.

The HTTP/2 implementation in NGINX Plus works seamlessly with existing sites and applications. Minimal changes are required, as NGINX Plus delivers HTTP/1.x and HTTP/2 traffic in parallel for the best experience, no matter what browser your users choose.

HTTP/2 support is available in the optional nginx‑plus‑http2 package only. The nginx‑plus and nginx‑plus‑extras packages provide SPDY support and are currently recommended for production sites because of wider browser support and code maturity.

Why Move to HTTP/2?

HTTP/2 makes data transfer more efficient and more secure for your applications. HTTP/2 adds five key features that improve performance when compared to HTTP/1.x:

True multiplexing – HTTP/1.1 enforces strict in-order completion of requests that come in over a keepalive connection. A request must be satisfied before processing on the next one can begin. HTTP/2 eliminates this requirement and allows requests to be satisfied in parallel and out of order.
Single, persistent connection – As HTTP/2 allows for true multiplexing of requests, all objects on a web page can now be downloaded in parallel over a single connection. WIth HTTP/1.x, multiple connections are used to download resources in parallel, leading to inefficient use of the underlying TCP protocol.
Binary encoding – Header information is sent in compact, binary format, rather than plain text, saving bytes on the wire.
Header compression – Headers are compressed using a purpose-built algorithm, HPACK compression, which further reduces the amount of data crossing the network.
SSL/TLS encryption – With HTTP/2, SSL/TLS encryption is mandatory. This is not enforced in the RFC, which allows for plain-text HTTP/2, but rather by all web browsers that currently implement HTTP/2. SSL/TLS makes your site more secure, and with all the performance improvements in HTTP/2, the performance penalty from encryption and decryption is mitigated.

To learn more about HTTP/2:

Please read our white paper, which covers everything you need to know about HTTP/2.
Download our special edition of the High Performance Browser Networking ebook by Ilya Grigorik of Google.

How NGINX Plus Implements HTTP/2

Our implementation of HTTP/2 is based on our support for SPDY, which is widely deployed (nearly 75% of websites that use SPDY use NGINX or NGINX Plus). With NGINX Plus, you can deploy HTTP/2 with very little change to your application infrastructure. This section discusses how NGINX Plus implements support for HTTP/2.

An HTTP/2 Gateway

NGINX Plus acts an HTTP/2 gateway. It talks HTTP/2 to client web browsers that support it, but translates HTTP/2 requests back to HTTP/1.x (or FastCGI, SCGI, uWSGI, etc. – whatever protocol you are currently using) for communication with back-end servers.

Backward Compatibility

For the foreseeable future you’ll need to support HTTP/2 and HTTP/1.x side by side. As of this writing, over 50% of users already run a web browser that supports HTTP/2, but this also means almost 50% don’t.

To support both HTTP/1.x and HTTP/2 side by side, NGINX Plus implements the Next Protocol Negotiation (NPN) extension to TLS. When a web browser connects to a server, it sends a list of supported protocols to the server. If the browser includes h2 – that is, HTTP/2 – in the list of supported protocols, NGINX Plus uses HTTP/2 for connections to that browser. If the browser doesn’t implement NPN, or doesn’t send h2 in its list of supported protocols, NGINX Plus falls back to HTTP/1.x.

Moving to HTTP/2

NGINX, Inc. aims to make the transition to HTTP/2 as seamless as possible. This section goes through the changes that need to be made to enable HTTP/2 for your applications, which include just a few changes to the configuration of NGINX Plus.

Prerequisites

Upgrade to the NGINX Plus R7 nginx‑plus‑http2 package. Note that an HTTP/2-enabled version of the nginx‑plus‑extras package is not available at this time.

Redirecting All Traffic to SSL/TLS

If your app is not already encrypted with SSL/TLS, now would be a good time to make that move. Encrypting your app protects you from spying as well as from man-in-the-middle attacks. Some search engines even reward encrypted sites with improved rankings in search results. The following configuration block redirects all plain HTTP requests to the encrypted version of the site.

server {
    listen 80;
    location / {
        return 301 https://$host$request_uri;
    }
}

Enabling HTTP/2

To enable HTTP/2 support, simply add the http2 parameter to all listen directives. Also include the ssl parameter, required because browsers do not support HTTP/2 without encryption.

server {
    listen 443 ssl http2 default_server;

    ssl_certificate     server.crt;
    ssl_certificate_key server.key;
    …
}

If necessary, restart NGINX Plus, for example by running the nginx -s reload command. To verify that HTTP/2 translation is working, you can use the “HTTP/2 and SPDY indicator” plug-in available for Google Chrome and Firefox.

Caveats

Before installing the nginx‑plus‑http2 package, you must remove the spdy parameter on all listen directives in your configuration (replace it with the http2 and ssl parameters to enable support for HTTP/2). With this package, NGINX Plus fails to start if any listen directives have the spdy parameter.
If you are using a web application firewall (WAF) that is sitting in front of NGINX Plus, ensure that it is capable of parsing HTTP/2, or move it behind NGINX Plus.
The “Server Push” feature defined in the HTTP/2 RFC is not supported in this release. Future releases of NGINX Plus might include it.
NGINX Plus R7 supports both SPDY and HTTP/2. In a future release we will deprecate support for SPDY. Google is deprecating SPDY in early 2016, making it unnecessary to support both protocols at that point.
If ssl_prefer_server_ciphers is set to on and/or a list of ssl_ciphers that are defined in Appendix A: TLS 1.2 Ciper Suite Black List is used, the browser will experience handshake-errors and not work. Please refer to section 9.2.2 of the HTTP/2 RFC for more details.-

Special Thanks

NGINX, Inc. would like to thank Dropbox and Automattic, who are heavy users of our software and graciously cosponsored the development of our HTTP/2 implementation. Their contributions have helped accelerate our ability to bring this software to you, and we hope you are able to support them in turn.