HTTP/2 and HTTPS

Hi everyone,

I have a strange issue with nginx 1.9.12. I have 3 IP addresses as server
names that are alias IPs on a single Ubuntu 15.10 server. Each server name
is related to a specific protocol:

http:

server {
    listen 80;
    server_name 192.168.1.161;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/static;
        index  index.html;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

https:

server {
    listen 443 ssl;
    server_name 192.168.1.162;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    root   /usr/share/nginx/static;
    index  index.html index.htm;

    ssl_certificate /etc/nginx/tls/certificate.crt;
    ssl_certificate_key /etc/nginx/tls/privatekey.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH+kEECDH+AESGCM:HIGH+kEECDH:HIGH+kEDH:HIGH:!aNULL;

    location / {
        try_files $uri $uri/ =404;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

http2:

server {
    listen 443 ssl http2;
    server_name 192.168.1.163;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    ssl_certificate /etc/nginx/tls/certificate.crt;
    ssl_certificate_key /etc/nginx/tls/privatekey.key;

    location / {
        root   /usr/share/nginx/static;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

As you can see, the content is the same for those servers, and it is served well.
However, if I use the Firefox web console I see that the https site is an
http2 site and the http2 site is http2. The same thing happens in Internet
Explorer.

What am I doing wrong?

Thank you.

Posted at Nginx Forum:

You probably need to specify the IP on the listen directive if you want
different configurations of listening ports on different IPs.

On Mon, Mar 14, 2016 at 11:43 PM, Roswebnet
[email protected]

Thank you for your fast response.

However, could you please provide an example of "IP on the listen
directive"?

I am accessing content from Firefox like https://192.168.1.162 for the https
connection and https://192.168.1.163 for http2. Moreover, those IPs are also
accessible via http:// and are served well, but in my opinion this should give
some kind of error, because those server names do not have port 80 configured.


Hi,

a similar issue has been discussed here:

In short: if you have any http2 directives for a port in your
configuration, every connection on that port can use http2.
I'm not sure if specifying the listen IP will help in this case, but it's
worth a try. Modify your listen directives to "listen ip:port options;",
for example for your last vhost: "listen 192.168.1.163:443 ssl http2;"

Kind regards
Sven Kirschbaum

2016-03-15 0:39 GMT+01:00 Roswebnet [email protected]:

RTFM (listen directive: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen)? :o)

B. R.

On Tue, Mar 15, 2016 at 12:39 AM, Roswebnet
[email protected]

Hi,

I tried this one:
http.conf:
listen 192.168.1.161:80;

https.conf:
listen 192.168.1.162:443 ssl;

http2.conf:
listen 192.168.1.163:443 ssl http2;

It looks like this solves the issue, especially when I make the request for
the first time. The second time, in IE, I can get https in place of http2.
Firefox mostly does not show such behaviour. Might it be down to the
certificate? I use the same certificate for both HTTPS and HTTP2, and the
certificate was issued for the server hostname, not for the vhost IP.

On Tuesday 15 March 2016 10:23:37 Roswebnet wrote:

listen 192.168.1.163:443 ssl http2;

It looks like this solves the issue, especially when I make the request for
the first time. The second time, in IE, I can get https in place of http2.
Firefox mostly does not show such behaviour. Might it be down to the
certificate? I use the same certificate for both HTTPS and HTTP2, and the
certificate was issued for the server hostname, not for the vhost IP.

Your version of IE may not support HTTP/2 negotiation using NPN, or may
not support HTTP/2 at all.

wbr, Valentin V. Bartenev

I am using W10 Pro and IE 11.162.10586.0, desktop version.

"The standardization effort was supported by Chrome, Opera, Firefox,
Internet Explorer 11, Safari, Amazon Silk and Edge browsers.[9] Most
major browsers added HTTP/2 support by the end of 2015."

In addition:

Of course, it may be some wrong implementation by Microsoft…

Still a bit strange.

P.S.: The F12 tools of Chrome do not show the type of protocol. At least I
could not find this functionality by default. Therefore, I use only IE and FF.

On Tuesday 15 March 2016 11:54:33 Roswebnet wrote:

Of course, it may be some wrong implementation by Microsoft…

Still a bit strange.
[…]

None of the links above mention that IE supports HTTP/2 negotiation
using NPN.

I guess it supports only ALPN, which isn’t supported by OpenSSL
version in your Ubuntu 15.10.

P.S.: The F12 tools of Chrome do not show the type of protocol. At least I
could not find this functionality by default. Therefore, I use only IE and FF.

[…]

You can find all the information on the "chrome://net-internals" page.

wbr, Valentin V. Bartenev

On Tuesday 15 March 2016 13:33:31 Roswebnet wrote:

root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl version -a -v -b -o -f -p -d
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
Actually I should have OpenSSL 1.0.2d

In addition, the LIA-RP-VS-WEB is a XEN guest.

[…]

You should also check the output of “nginx -V” command to be sure
that nginx is built with this version of OpenSSL

wbr, Valentin V. Bartenev

None of the links above mention that IE supports HTTP/2 negotiation
using NPN.

Agree.

I guess it supports only ALPN, which isn’t supported by OpenSSL
version in your Ubuntu 15.10.

I have just looked at the installed openssl:

root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl version -a -v -b -o -f -p -d
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
-fstack-protector-strong -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
-Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

According to this note:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
[…]
•ALPN support.

Therefore, ALPN is supported and should work with IE. Am I right?
Actually, I should have OpenSSL 1.0.2d.

In addition, the LIA-RP-VS-WEB is a XEN guest.

Thank you for your tip about Chrome. I can see and investigate the protocol
information:

454: HTTP2_SESSION
192.168.100.163:443 (DIRECT)
Start Time: 2016-03-15 18:13:13.832

t=1138095 [st= 0] +HTTP2_SESSION [dt=180146]
→ host = "192.168.100.163:443"
→ proxy = "DIRECT"
t=1138095 [st= 0] HTTP2_SESSION_INITIALIZED
→ protocol = "h2"
→ source_dependency = 453 (SOCKET)
t=1138095 [st= 0] HTTP2_SESSION_SEND_SETTINGS

[…]

On US15.10 I have nginx:

root@LIA-RP-VS-WEB:/etc/nginx/tls# nginx -V
nginx version: nginx/1.9.12
built by gcc 5.2.1 20151010 (Ubuntu 5.2.1-22ubuntu2)
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/etc/nginx/modules --conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
--with-http_ssl_module --with-http_realip_module --with-http_addition_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_stub_status_module
--with-http_auth_request_module --with-http_xslt_module=dynamic
--with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic
--with-threads --with-stream --with-stream_ssl_module
--with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio
--with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong
-Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed'
--with-ipv6

OpenSSL

root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl version -a -v -b -o -f -p -d
OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
-fstack-protector-strong -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
-Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

The problem with IE 11 still exists. The first connection to the static page
is HTTP/2, and if I refresh I get HTTPS in the developer tools. FF and Chrome
do not have this problem.

I think (I feel, my intuition tells me :) ) it may be down to the self-signed
certificate. I created it following the
RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2) requirements.

root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl ecparam -out privatekey.key -name prime256v1 -genkey
root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl req -new -key privatekey.key -out csr.pem
root@LIA-RP-VS-WEB:/etc/nginx/tls# openssl req -x509 -days 365 -key privatekey.key -in csr.pem -out certificate.crt
root@LIA-RP-VS-WEB:/etc/nginx/tls# ll
total 20
drwxr-xr-x 2 root root 4096 Mar 13 20:48 ./
drwxr-xr-x 4 root root 4096 Mar 13 20:45 ../
-rw-r--r-- 1 root root  899 Mar 13 20:48 certificate.crt
-rw-r--r-- 1 root root  530 Mar 13 20:48 csr.pem
-rw-r--r-- 1 root root  302 Mar 13 20:45 privatekey.key

This certificate is used for both HTTPS and HTTP2.

P.S.: I saw multiple tutorials where nginx plays the role of a simple
forward proxy for HTTP and HTTPS; will it work for HTTP/2? Any idea?

Oh yeah, a small addition: because I use only IPs, I can not test the
self-signed certificate with most of the online SSL checking tools.

Roswebnet Wrote:

On US15.10 I have nginx:

root@LIA-RP-VS-WEB:/etc/nginx/tls# nginx -V
nginx version: nginx/1.9.12
built by gcc 5.2.1 20151010 (Ubuntu 5.2.1-22ubuntu2)

built with OpenSSL 1.0.2d 9 Jul 2015
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You need g, not d.

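To verify the two points raised in this thread (which OpenSSL nginx was actually built against, following Valentin's `nginx -V` tip, and which protocol each TLS listen address really negotiates over ALPN), here is an added shell script; it is not from any of the posters. It assumes `openssl` (1.0.2 or later, for `-alpn`) and `nginx` are on PATH and uses the thread's two HTTPS addresses as targets.

```shell
#!/bin/sh
# Added example (not from the thread). Checks: was nginx built against an
# OpenSSL with ALPN (1.0.2 or later), and which protocol does each TLS
# listen address negotiate? Assumes openssl/nginx on PATH; thread's own IPs.

# Pull the "built with OpenSSL x.y.z" version out of `nginx -V` output
# (passed as a string). Prints e.g. "1.0.2d", or nothing if the line is absent.
built_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when a version such as 1.0.2d, 1.1.0h or 3.0 is at least
# 1.0.2, the first OpenSSL release with ALPN; the patch letter is ignored.
openssl_has_alpn() {
    [ -n "$1" ] || return 1
    v=${1%%[a-z]*}                      # 1.0.2d -> 1.0.2
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # two-component version, e.g. 3.0
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ] && return 0
    return 1
}

# Read the protocol the server selected from `openssl s_client -alpn ...`
# output (passed as a string): prints "h2", "http/1.1", or "none".
negotiated_alpn() {
    p=$(printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1)
    if [ -n "$p" ]; then printf '%s\n' "$p"; else printf 'none\n'; fi
}

# Live probe of one address: offer h2 and http/1.1 via ALPN, report the pick.
probe() {   # $1 = host, $2 = port
    out=$(openssl s_client -connect "$1:$2" -alpn h2,http/1.1 </dev/null 2>/dev/null)
    printf '%s:%s -> %s\n' "$1" "$2" "$(negotiated_alpn "$out")"
}

# Run with --live on the nginx host to check the local build and both vhosts.
if [ "${1:-}" = "--live" ]; then
    ver=$(built_openssl_version "$(nginx -V 2>&1)")   # nginx -V writes to stderr
    if openssl_has_alpn "$ver"; then
        echo "nginx built with OpenSSL ${ver}: ALPN available"
    else
        echo "nginx built with OpenSSL ${ver:-unknown}: no ALPN (HTTP/2 only via NPN)"
    fi
    probe 192.168.1.162 443
    probe 192.168.1.163 443
fi
```

The parsing functions also work on captured output, so `nginx -V 2>&1` and `openssl s_client` transcripts from another host can be checked without a live connection.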

On 03/16/2016 06:33 AM, Roswebnet wrote:

nginx mailing list
[email protected]
nginx Info Page

Have you checked the server directly? I don’t have intimate knowledge of
http2 so rely on Qualys to tell me when I’ve got it set up properly…

https://www.ssllabs.com/ssltest/analyze.html?d=www.greengecko.co.nz&s=101.0.108.116&latest

Works fine for me… nginx 1.9.12 + openssl 1.0.2g. ( note g, not d is
current ). Built from source.

Steve


Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

Ok, thank you for pointing that out. I got this version of nginx from the NGINX
repository:
http://nginx.org/en/linux_packages.html#mainline

deb http://nginx.org/packages/mainline/ubuntu/ wily nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ wily nginx

It means that it was built with an older version of openssl. Am I right?
Therefore, I need to compile nginx myself…