@sbstnmsch-zz
Last active April 12, 2016 05:04
HTTP/2 is here. Now let's encrypt and use it with nginx!

HTTP/2 has arrived in most recent browsers and is therefore ready to use (http://caniuse.com/#search=http2).

Generate Let's Encrypt certificates

The Let's Encrypt project allows you to generate SSL certificates for free. To start using it, clone letsencrypt from GitHub:

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt

Now stop nginx (if running on port 80) and generate your certificates:

$ sudo service nginx stop
$ ./letsencrypt-auto certonly -d <your-domain.tld> -d www.<your-domain.tld>

letsencrypt-auto writes the PEM files to /etc/letsencrypt/live/<your-domain.tld>/.

Update nginx to at least 1.9.5

Before updating nginx, be sure to back up your current /etc/nginx configuration. Newer nginx packages use a slightly different directory layout, so we may need to fix that later.

$ tar cvf /tmp/etc-nginx.tar /etc/nginx

Add the nginx.org GPG signing key to APT. Fetch it over HTTPS, because APT uses this key to verify the nginx packages:

$ curl https://nginx.org/packages/keys/nginx_signing.key | sudo apt-key add -

Add to /etc/apt/sources.list.d/nginx.list:

On Ubuntu 15.04:

deb http://nginx.org/packages/mainline/ubuntu/ vivid nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ vivid nginx

On Ubuntu 15.10:

deb http://nginx.org/packages/mainline/ubuntu/ wily nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ wily nginx

Now update the package lists, purge the old nginx, install the new one and verify:

$ sudo apt-get update
$ sudo apt-get purge nginx nginx-core nginx-common
$ sudo apt-get install nginx
$ nginx -v

The last command should display version 1.9.5 or later.

Now it's time to migrate your virtual hosts to the new config layout. This is straightforward: copy each sites-available/<your-domain.tld> to /etc/nginx/conf.d/<your-domain.tld>.conf.

Restart and check:

$ sudo service nginx restart

After that, check that each of your virtual hosts is up and running as it was before.

Setup nginx to use HTTP/2

In your virtual host configuration /etc/nginx/conf.d/<your-domain.tld>.conf:

server {
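  # "ssl" on the listen directive enables TLS for this socket and "http2" enables
  # HTTP/2, so a separate "ssl on;" directive is not needed.
  listen 443 ssl http2;
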
  ssl_certificate       /etc/letsencrypt/live/<your-domain.tld>/fullchain.pem;
  ssl_certificate_key   /etc/letsencrypt/live/<your-domain.tld>/privkey.pem;

  root /srv/www/<your-domain.tld>/;
  index index.html;

  server_name <your-domain.tld>;

  location / {
    ...
  }
}

After that, reload nginx and try https://<your-domain.tld>:

$ sudo service nginx reload

Optional: Redirect http to https by default

server {
  listen 80;

  server_name <your-domain.tld>;

  # $request_uri already begins with "/", so no extra slash goes after the host
  return 301 https://<your-domain.tld>$request_uri;
}

After that reload your nginx and try http://<your-domain.tld>. You should be redirected to HTTPS.

$ sudo service nginx reload
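
A post-reload check for both server blocks, as an added example that is not part of the original gist: it confirms that the HTTPS vhost answers over HTTP/2 and that the port-80 redirect keeps the requested path and query intact. The function names, the /check?x=1 probe path and the example.test sample are assumptions made for illustration; check_site needs a curl build with HTTP/2 support.

```shell
#!/usr/bin/env bash
# Added example: post-reload checks for the HTTP/2 vhost and the port-80 redirect.
# Header parsing is kept apart from the curl calls so it also works on saved output.

# First line of `curl -sI` output on stdin -> "HTTP/2 200", "HTTP/1.1 301", ...
status_line() {
  tr -d '\r' | awk 'NR == 1 { print $1, $2 }'
}

# Value of the Location header on stdin (header names are case-insensitive).
location_header() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# True only if the redirect goes to https on the same host with the requested
# path and query unchanged; a doubled slash after the host fails the comparison.
redirect_ok() {  # usage: redirect_ok <domain> <request-uri> <location>
  [ "$3" = "https://$1$2" ]
}

# Live check; the body runs in a subshell so its variables stay private.
check_site() (  # usage: check_site <your-domain.tld>
  domain=$1
  uri='/check?x=1'   # hypothetical probe path; it only has to survive the redirect
  tls=$(curl -sI --http2 "https://$domain/" | status_line)
  case $tls in
    "HTTP/2 "*) echo "ok: https://$domain/ answered with $tls" ;;
    *) echo "FAIL: expected HTTP/2, got '${tls:-no response}'"; return 1 ;;
  esac
  plain=$(curl -sI "http://$domain$uri")
  target=$(printf '%s\n' "$plain" | location_header)
  case $(printf '%s\n' "$plain" | status_line) in
    *" 301") ;;
    *) echo "FAIL: http://$domain$uri did not answer 301"; return 1 ;;
  esac
  redirect_ok "$domain" "$uri" "$target" ||
    { echo "FAIL: redirect target is '$target'"; return 1; }
  echo "ok: http://$domain$uri redirects to $target"
)

# Constructed sample headers (not captured from a real server): doubled slash.
sample=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test//a?b=1\r\n')
redirect_ok example.test '/a?b=1' "$(printf '%s\n' "$sample" | location_header)" ||
  echo "sample: redirect target does not match the requested URI"
```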

Serve & surf like a boss

Try it out at https://sebastian-misch.de
