Nginx – Install nginx with http_v2_module flag enabled, via apt-get


I'm really struggling to get a new Debian 8 server with nginx and HTTP/2 configured.

I installed nginx with apt-get:

apt-get install nginx

That all runs fine, and I get this with nginx -V;

configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

My nginx config file looks like:

server {
    listen   80; ## listen for ipv4; this line is default and implied
    listen   [::]:80;

    server_name site.pro www.site.pro;
    access_log /srv/www/site.pro/logs/access.log;
    error_log /srv/www/site.pro/logs/error.log;
    root /srv/www/site.pro/www;

    location ~ /.well-known {
        allow all;
    }

    if ($uri !~ "\.(robots\.txt)$") {
        rewrite ^/(.*)$ https://site.pro/$1 permanent;
    }

}


server {
    listen  443 ssl http2;
    listen  [::]:443 ssl http2;

    server_name site.pro www.site.pro;
    access_log /srv/www/site.pro/logs/access.log;
    error_log /srv/www/site.pro/logs/error.log;
    root /srv/www/site.pro/www;

    ssl                   on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location ~ /.well-known {
        allow all;
    }

    location ~ \.cgi {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8181;
        try_files $uri =404;
        gzip off;
    }

}

Apache is set up as a reverse proxy-pass (mainly so we can use mod_perl with it). That part all works fine. The issue is when I check the site out from the browser:


I'm just baffled as to why it's not working. This is literally the last bit that I need to do, and it's doing my nut in!

Note: I'm using OpenSSL 1.0.1t. Is it because that isn't version 1.0.2d? I tried upgrading to 1.0.2d using this method:

http://www.miguelvallejo.com/updating-to-openssl-1-0-2g-on-ubuntu-server-12-04-14-04-lts-to-stop-cve-2016-0800-drown-attack/

sudo apt-get install php5-curl   # Install cURL library
sudo apt-get install make   # Install compiling library Make
curl https://www.openssl.org/source/openssl-1.0.2g.tar.gz | tar xz && cd openssl-1.0.2g && sudo ./config && sudo make && sudo make install   # single command that will download latest binaries, extract them, cd into the directory, compile configuration and then install the files
sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`   # This will create a sym link to the new binaries
openssl version -v   # Used to check the version of the current OpenSSL binaries

However, I get the following error on the 3rd step:

        make depend
making all in crypto...
make[1]: Entering directory '/root/openssl-1.0.2g/crypto'
/usr/bin/perl ../util/mkbuildinf.pl "gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM" "linux-x86_64" >buildinf.h
gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM   -c -o cryptlib.o cryptlib.c
make[1]: gcc: Command not found
<builtin>: recipe for target 'cryptlib.o' failed
make[1]: *** [cryptlib.o] Error 127
make[1]: Leaving directory '/root/openssl-1.0.2g/crypto'
Makefile:284: recipe for target 'build_crypto' failed
make: *** [build_crypto] Error 1

UPDATE: I fixed the error about gcc not being found. It turns out I also needed to run:

apt-get install build-essential

That at least got rid of that error, but it still doesn't load the files as http/2 🙁

UPDATE 2: A bit more on this

It was suggested to run this, to see if ALPN was available:

root@trust:~/openssl-1.0.2g/openssl-1.0.2g# echo | openssl s_client -alpn h2 -connect site.pro:443 | grep ALPN
depth=0 C = GB, ST = Test, L = Test, O = Ultranerds, CN = etrust, emailAddress = andy@xxx.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB, ST = Test, L = Test, O = Ultranerds, CN = etrust, emailAddress = andy@xxx.com
verify return:1
No ALPN negotiated
DONE

The fact it can't find it - would that stop http2 working? How to fix that?

UPDATE 3: As suggested, I'm trying out the dotdeb version to see if that works. I added the repo to the sources file, then did apt-get update, and I can see it in the list:

Ign http://mirrors.linode.com jessie InRelease
Hit http://mirrors.linode.com jessie-updates InRelease
Hit http://mirrors.linode.com jessie Release.gpg
Hit http://mirrors.linode.com jessie Release
Hit http://mirrors.linode.com jessie-updates/main Sources
Hit http://security.debian.org jessie/updates InRelease
Get:1 http://mirrors.linode.com jessie-updates/main amd64 Packages/DiffIndex [7,408 B]
Get:2 http://mirrors.linode.com jessie-updates/main Translation-en/DiffIndex [2,704 B]
Hit http://mirrors.linode.com jessie/main Sources
Hit http://mirrors.linode.com jessie/main amd64 Packages
Hit http://mirrors.linode.com jessie/main Translation-en
Hit http://security.debian.org jessie/updates/main Sources
Hit http://ftp.debian.org jessie-backports InRelease
Hit http://packages.dotdeb.org jessie-nginx-http2 InRelease
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://nginx.org jessie InRelease
Get:3 http://ftp.debian.org jessie-backports/main amd64 Packages/DiffIndex [27.8 kB]
Hit http://packages.dotdeb.org jessie-nginx-http2/all Sources
Hit http://nginx.org jessie/nginx Sources
Hit http://packages.dotdeb.org jessie-nginx-http2/all amd64 Packages
Hit http://nginx.org jessie/nginx amd64 Packages
Get:4 http://ftp.debian.org jessie-backports/main Translation-en/DiffIndex [27.8 kB]
Ign http://packages.dotdeb.org jessie-nginx-http2/all Translation-en_US
Ign http://packages.dotdeb.org jessie-nginx-http2/all Translation-en
Ign http://nginx.org jessie/nginx Translation-en_US
Ign http://nginx.org jessie/nginx Translation-en
Fetched 65.7 kB in 2s (29.8 kB/s)

..but it shows up at the end. When I try and install nginx again, I'm not sure it's using the right repo?

root@trust:~# apt-get install nginx
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  nginx
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/739 kB of archives.
After this operation, 2,679 kB of additional disk space will be used.
Selecting previously unselected package nginx.
(Reading database ... 42637 files and directories currently installed.)
Preparing to unpack .../nginx_1.10.3-1~jessie_amd64.deb ...
----------------------------------------------------------------------

Thanks for using nginx!

Please find the official documentation for nginx here:
* http://nginx.org/en/docs/

Commercial subscriptions for nginx are available on:
* http://nginx.com/products/

----------------------------------------------------------------------
Unpacking nginx (1.10.3-1~jessie) ...
Processing triggers for systemd (215-17+deb8u6) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up nginx (1.10.3-1~jessie) ...

Am I missing something?

UPDATE 4: The more I look at it – the more I'm convinced it's not getting from the right repo:

root@trust:~# dpkg -s nginx
Package: nginx
Status: install ok installed
Priority: optional
Section: httpd
Installed-Size: 2616
Maintainer: Sergey Budnevitch <sb@nginx.com>
Architecture: amd64
Version: 1.10.3-1~jessie
Provides: httpd
Depends: libc6 (>= 2.14), libpcre3 (>= 1:8.35), libssl1.0.0 (>= 1.0.1), zlib1g (>= 1:1.1.4), lsb-base, adduser
Conffiles:
 /etc/default/nginx e2b1ae0f31c6d03d3305ef526b0ba3b5
 /etc/default/nginx-debug 719f6f9981039a05a64c201a4b1db19f
 /etc/init.d/nginx dcf017106023019328f311c7e0498aa3
 /etc/init.d/nginx-debug b106d0292496a076bb67d2d227eaf60b
 /etc/logrotate.d/nginx a4da44b03e39926b999329061770362b
 /etc/nginx/conf.d/default.conf 4dce452bf8dbb01f278ec0ea9ba6cf40
 /etc/nginx/fastcgi_params 4729c30112ca3071f4650479707993ad
 /etc/nginx/koi-utf 3e338aca6a53a5420fc791b5ef86f64c
 /etc/nginx/koi-win bfa0b80381fed2b1dfcf617b0ba204ec
 /etc/nginx/mime.types bd837e7b34f5c9b8d89957d0527f0d44
 /etc/nginx/nginx.conf f7984934bd6cab883e1f33d5129834bb
 /etc/nginx/scgi_params df8c71e25e0356ffc539742f08fddfff
 /etc/nginx/uwsgi_params 88ac833ee8ea60904a8b3063fde791de
 /etc/nginx/win-utf 3749ffe19bedd842eb87e83d544e5ce6
Description: high performance web server
 nginx [engine x] is an HTTP and reverse proxy server, as well as
 a mail proxy server.
Homepage: http://nginx.org

My sources.list file only has this in it though :/

deb http://packages.dotdeb.org jessie-nginx-http2 all
deb-src http://packages.dotdeb.org jessie-nginx-http2 all
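
The checks in the question (the `nginx -V` output, the OpenSSL version, and the `s_client -alpn h2` probe) can be combined into one verdict, shown here as an added example that is not part of the original post. The function names and verdict strings are hypothetical, the sample inputs are constructed, and it relies on the `built with OpenSSL` line that `nginx -V` prints above the configure arguments.

```shell
#!/usr/bin/env bash
# Added example. Sample inputs below are constructed, not captured from the page's server.

# OpenSSL version nginx uses, parsed from `nginx -V` text; the
# "running with" version wins when nginx prints one.
nginx_openssl_version() {
    local v
    v=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n1)
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n1)
    printf '%s' "$v"
}

# ALPN was added in OpenSSL 1.0.2: succeed for >= 1.0.2, fail otherwise.
supports_alpn() {
    local v major rest minor patch
    v=${1%%[a-z-]*}                       # 1.0.1t -> 1.0.1
    [ -n "$v" ] || return 2
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Classify the output of `openssl s_client -alpn h2`.
alpn_result() {
    case "$1" in
        *"ALPN protocol: h2"*)  echo h2 ;;
        *"No ALPN negotiated"*) echo none ;;
        *)                      echo unknown ;;
    esac
}

# Verdict: ok | no-http2-module | openssl-version-unknown |
#          openssl-too-old:<ver> | alpn-not-negotiated
diagnose() {
    local ver
    case "$1" in *--with-http_v2_module*) ;; *) echo no-http2-module; return ;; esac
    ver=$(nginx_openssl_version "$1")
    [ -n "$ver" ] || { echo openssl-version-unknown; return; }
    if ! supports_alpn "$ver"; then echo "openssl-too-old:$ver"; return; fi
    if [ "$(alpn_result "$2")" = h2 ]; then echo ok; else echo alpn-not-negotiated; fi
}

SAMPLE_NGINX_V='nginx version: nginx/1.10.3
built with OpenSSL 1.0.1t  3 May 2016
configure arguments: --with-http_ssl_module --with-http_v2_module'
SAMPLE_SCLIENT='verify return:1
No ALPN negotiated
DONE'

diagnose "$SAMPLE_NGINX_V" "$SAMPLE_SCLIENT"
# Live: diagnose "$(nginx -V 2>&1)" "$(echo | openssl s_client -alpn h2 -connect site.pro:443 2>&1)"
```

Which repository apt would install nginx from can be checked separately with `apt-cache policy nginx`.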

Best Answer

You can follow the dotdeb repos for Debian

See here https://www.dotdeb.org/instructions/

Nginx with “full” HTTP2 support (with ALPN negotiation) on Debian 8 “Jessie”, activate the jessie-backports repository and add these two lines too :