I'm writing nginx config, and I have a fundamental question.
What are the differences among:
listen 443 ssl;
vs listen [::]:443 ssl;
vs listen [::]:443 ssl http2;
My goal is to secure this web application, but also remain compatible with old clients.
Note: I understand that [::]:443 has to do with IPv6, but does it encompass IPv4 as well in this case? I want to clear up my concepts.
Best Answer
listen 443 ssl : makes nginx listen on all IPv4 addresses on the server, on port 443 (0.0.0.0:443)
while
listen [::]:443 ssl : makes nginx listen on all IPv6 addresses on the server, on port 443 (:::443)
[::]:443 will not make nginx respond on IPv4 by default, unless you specify the parameter ipv6only=off :
listen [::]:443 ipv6only=off;
As per the doc : http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
ssl :
http2 :
This doesn't mean it accepts only HTTP/2 connections.
As per RFC7540
HTTP/1.1 200 OK
Content-Length: 243
Content-Type: text/html
To summarize :
A client that does not support HTTP/2 will never ask the server for an HTTP/2 communication upgrade : the communication between them will be fully HTTP/1.1.
A client that supports HTTP/2 will ask the server (using HTTP/1.1) for an HTTP/2 upgrade :
Maybe more summarized here : http://qnimate.com/http2-compatibility-with-old-browsers-and-servers/
However the nginx doc states the following about HTTP/2 over TLS :
Make sure old clients are compliant with this requirement.
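An added example (not part of the original answer and not nginx's own code): a small Python check that reads the listen directives of a config and reports, per port, which address families are covered and which listeners lack the ssl parameter, using the IPv4 / IPv6 / ipv6only=off semantics described above. The sample config, the function names and the treatment of hostnames as IPv4 are assumptions of this example, and it looks only at the listen lines themselves.

```python
import re

LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.MULTILINE)

# Constructed sample config for illustration (not taken from the page).
SAMPLE = """
server {
    listen 443 ssl;
    listen [::]:443 ssl http2;
    listen [::]:8443 ipv6only=off;
    listen 127.0.0.1:9443 ssl;
}
"""

def parse_listen(args):
    """Return port, address families and flags for one listen directive."""
    addr, *params = args.split()
    if addr.startswith("unix:"):
        return None                       # UNIX-domain socket: no IP family
    if addr.startswith("["):              # [ipv6] or [ipv6]:port
        host, _, port = addr[1:].partition("]")
        port = port.lstrip(":") or "80"
        families = {"ipv6"}
        # Only the wildcard [::] can also take IPv4, and only with ipv6only=off.
        if host == "::" and "ipv6only=off" in params:
            families.add("ipv4")
    else:                                 # port, address, address:port or *:port
        _, sep, port = addr.rpartition(":")
        port = port if sep or port.isdigit() else "80"  # bare address: default port
        families = {"ipv4"}               # simplification: hostnames count as IPv4
    return {"port": port, "families": families,
            "ssl": "ssl" in params, "http2": "http2" in params}

def audit(config):
    """Per port: address families covered and listen directives without 'ssl'."""
    report = {}
    for m in LISTEN_RE.finditer(config):
        info = parse_listen(m.group(1))
        if info is None:
            continue
        entry = report.setdefault(info["port"], {"families": set(), "no_ssl": []})
        entry["families"] |= info["families"]
        if not info["ssl"]:
            entry["no_ssl"].append(m.group(1).strip())
    return report

if __name__ == "__main__":
    for port, entry in sorted(audit(SAMPLE).items()):
        print(port, sorted(entry["families"]), "without ssl:", entry["no_ssl"] or "none")
```

On the sample, port 443 is covered on both families with ssl on each listener, while the dual-stack listener on 8443 is reported because its listen line carries no ssl parameter.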