Nginx – why Chrome browser doesn’t recognize the nginx http2 server

google-chromehttp2nginx

I setup my Nginx conf as per Digital Ocean paper,
and now http2 is available…

But in Chrome (Version 54.0.2840.98 (64-bit)) Dev tool, it's always on HTTP 1/1 :

NAME             METHOD  STATUS  PROTOCOL
shell.js?v=xx..    GET    200     http/1.1

my server is running Ubuntu 16.04 LTS which supports both ALPN & NPN , and the openssl version shipped with it is 1.0.2g

I checked http2 support with this tool siteand the result is :

Yeah! example.com supports HTTP/2.0. ALPN supported...

Also checking with curl is OK

 $ curl -I --http2 https://www.example.com
  HTTP/2 200 
  server: nginx/1.10.0 (Ubuntu)
  date: Tue, 13 Dec 2016 15:59:13 GMT
  content-type: text/html; charset=utf-8
  content-length: 5603
  x-powered-by: Express
  cache-control: public, max-age=0
  etag: W/"15e3-EUyjnNnyevoQO+tRlVVZxg"
  vary: Accept-Encoding
  strict-transport-security: max-age=63072000; includeSubdomains
  x-frame-options: DENY
  x-content-type-options: nosniff

I also checked with is-http2 cli from my console

is-http2 www.amazon.com
× HTTP/2 not supported by www.amazon.com
Supported protocols: http/1.1

is-http2 www.example.com
✓ HTTP/2  supported by www.example.com
Supported protocols: h2 http/1.1

tested with openssl from my localhost

$ echo | openssl s_client -alpn h2 -connect www.example.com:443 | grep ALPN
 depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
 verify return:1
 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 verify return:1
 depth=0 CN = example.com
 verify return:1
 ALPN protocol: h2
 DONE

why Chrome is left behind it ?
How can I check it also with Safari (v 10.0.1)

Best Answer

As per my answer on StackOverflow:

Will likely be one of two reasons:

You are using anti-virus software and it is MITM your traffic and so downgrading you to HTTP/1.1. Turn off https traffic monitoring on your AV to connect directly to the server.
You are using older TLS ciphers and specifically one that Chrome disallows for HTTP/2 (https://http2.github.io/http2-spec/#BadCipherSuites) as per Step 5 of above guide. Scan your site using https://www.ssllabs.com/ssltest/ to check your TLS config and improve it.

The third reason is lack of ALPN support in your SSL/TLS library (i.e. You are using openssl 1.0.1 and need to be one 1.0.2 or later, for example) but you have already confirmed you have ALPN support so skipping that for this answer.

Related Solutions

Nginx – Debian jessie nginx with openssl 1.0.2 to use ALPN rather than NPN

Update 2016/08/08: nginx in jessie-backports (version 1.9.10-1~bpo8+3 was built against openssl >= 1.0.2~. Getting ALPN working now if running jessie just requires the packages out of jessie-backports, no need anymore to pull packages out of stretch.

Original answer: Well, here goes my answer, according to the comments: In my opinion, there aren't that many ways to solve this as of today, 2016/05/09. Basically you've to try somehow to get a modern nginx into your system, compiled against >= openssl 1.0.2~.

The only two options I see currently: Either you compile for yourself, which you don't want to do, which is quite understandable, or you pull in modern packages out of Debian stretch into your system. This involves some risks, because you're mixing a stable environment with another one, but in my opinion these risks are quite low, because you're using Debian.

So, let's go and try out this:

Add the Debian stretch repository to your apt sources. Don't use /etc/apt/sources.list for this, but instead use a dedicated file inside /etc/apt/sources.list.d/ to keep it clean, personally I'm using stretch.list.

Put these lines inside there:

deb http://httpredir.debian.org/debian/ stretch main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://httpredir.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://httpredir.debian.org/debian/ stretch-updates main contrib non-free

Set up apt pinning to make sure you only pull in packages out of Debian stretch which you're specifying. The file to use for this is /etc/apt/preferences, inside there, put:
```
Package: *
Pin: release n=jessie
Pin-Priority: 900

Package: * 
Pin: release a=jessie-backports
Pin-Priority: 500

Package: *
Pin: release n=stretch
Pin-Priority: 100
```
(You might have to alter the suites and priorities to fit your environment.)
Run apt-get update (via sudo / as root) to update the package cache.
Install nginx from Debian stretch: apt-get install -t stretch nginx (do this via sudo / as root). Profit!
As I described in my comment(s), to even lower the risks involved, you could use something like a chroot or a container-solution like LXC. In case you want to go the chroot way, you have to set up a network interface inside there: To do this, have a look at this blogpost for example, which gives an introduction to network namespaces.
Hope this helps; in case you've got more question, feel free to contact me. I would appreciate feedback and I'm interested in how it goes.

Nginx with nginx communication using http2 without ssl

Your benefits of doing this will be minimal because the latency is very low between software on the same server. Given it's either very difficult or impossible I wouldn't spend your time on this.

Best Answer

Related Solutions

Nginx – Debian jessie nginx with openssl 1.0.2 to use ALPN rather than NPN

Nginx with nginx communication using http2 without ssl

Related Topic