Hypertext Transfer Protocol Version 2 (HTTP/2) is the latest version of the HTTP protocol, published as an IETF standard in RFC 7540 in 2015. The focus of the protocol is on performance: specifically, end-user perceived latency and network and server resource usage. One major goal is to allow the use of a single connection from browsers to a Web site. The protocol is backward compatible, so HTTP methods, status codes and semantics are the same as for previous versions of the protocol. Nginx has supported HTTP/2 since version 1.9.5.
In this tutorial, I’m going to assume that you already have a working TLS configuration, that you have the required Nginx version installed on your Linux distribution of choice, and that you know how to use Let’s Encrypt or how to issue a self-signed certificate.
To enable HTTP/2 in Nginx you will need to fulfill the following requirements:
- Nginx version 1.9.5 or greater. You can check your Nginx version by running the nginx -v command.
- OpenSSL version 1.0.2 or greater. You can check your OpenSSL version by running the openssl version command.
- SSL/TLS certificate from Let’s Encrypt or a self-signed certificate.
- TLS 1.2 or higher protocol enabled. Otherwise, you will not be able to use HTTP/2. Implementations of HTTP/2 must use TLS version 1.2 or higher for HTTP/2 over TLS.
To enable HTTP/2 in Nginx, we have to add the http2 parameter to the listen directive in our virtual host:
listen 443 ssl http2;
And reload your Nginx configuration:
sudo systemctl reload nginx.service
Here is the minimal virtual server configuration that can be used to enable HTTP/2 in a virtual host:
listen 443 ssl http2;
listen [::]:443 ssl http2;
To check if your server supports HTTP/2, you can use your browser dev tools or Nginx log files. The screenshot below, from the Google Chrome browser, shows HTTP/2 in action on the https://example.com domain.
You can also use the Nginx $http2 embedded variable to see the negotiated protocol. If the access log is configured to include it, this variable logs “h2” for HTTP/2 over TLS, “h2c” for HTTP/2 over cleartext TCP, or an empty string otherwise.
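One way to use the $http2 log field described above, as an added example that is not part of the original tutorial: a Python script that tallies the negotiated protocol per request and flags cleartext h2c or h2 logged with a TLS version below 1.2. The log_format shown in the comment, its name h2check, the log path and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed access-log setup (the format name "h2check" is hypothetical), in http{}:
#   log_format h2check '$remote_addr "$request" $status h2="$http2" tls="$ssl_protocol"';
#   access_log /var/log/nginx/access.log h2check;
LINE_RE = re.compile(
    r'^(?P<addr>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'h2="(?P<h2>[^"]*)" tls="(?P<tls>[^"]*)"$'
)

# Constructed sample log lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 "GET / HTTP/2.0" 200 h2="h2" tls="TLSv1.3"
203.0.113.11 "GET /app.js HTTP/2.0" 200 h2="h2" tls="TLSv1.2"
203.0.113.12 "GET / HTTP/1.1" 200 h2="" tls="TLSv1.2"
198.51.100.7 "GET /health HTTP/2.0" 200 h2="h2c" tls="-"
this line does not match the format
"""


def summarize(log_text):
    """Return (protocol counts, list of (line number, reason) findings)."""
    counts = Counter()
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            findings.append((lineno, "unparsed line"))
            continue
        h2, tls = m["h2"], m["tls"]
        if h2 in ("", "-"):          # empty value: HTTP/2 was not negotiated
            counts["http/1.x"] += 1
        elif h2 == "h2c":            # HTTP/2 without TLS
            counts["h2c"] += 1
            findings.append((lineno, "HTTP/2 over cleartext TCP"))
        elif h2 == "h2":
            counts["h2"] += 1
            if tls not in ("TLSv1.2", "TLSv1.3"):
                findings.append((lineno, "h2 with TLS below 1.2: " + tls))
        else:
            findings.append((lineno, "unexpected $http2 value: " + h2))
    return counts, findings


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOG)
    print(dict(counts))
    for lineno, reason in findings:
        print(f"line {lineno}: {reason}")
```
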