The original problem:
- SPDY has been replaced by HTTP2, which is better in a number of ways
- As of June 2016, Chrome has dropped support for SPDY
- HTTP2 uses ALPN
- ALPN requires OpenSSL 1.0.2
- Debian Stable (aka Jessie aka v8) and other OSes only had 1.0.1
What’s changed:
- A newer OpenSSL has been added to the jessie-backports repository
- DotDeb have added jessie-nginx-http2 which works with this
Procedure:
- Add jessie-backports and jessie-nginx-http2 (ansible playbook)
- Upgrade openssl from the correct place:
  sudo apt-get install -t jessie-backports openssl
- sudo apt-get install nginx-full (which should pull in various libnginx-mod packages)
- Change any references in your Nginx config files from spdy to http2
- Run
  sudo nginx -t
  to verify the configuration is valid
- Start server
Verify HTTP2 is working (Chrome or Opera):
Developer Tools, Network tab, reload page, enable the Protocol column, look for H2, which means HTTP2.
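The procedure and the verification step above as a small shell helper; this is an added example, not the original post's own script. The function names, the sample nginx config and the host name are assumptions: it checks that the installed OpenSSL is new enough for ALPN, rewrites spdy to http2 in a config file (dropping the old spdy_* directives, which an HTTP/2-only nginx does not recognise), and confirms h2 negotiation with openssl s_client after the restart.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the SPDY -> HTTP/2
# migration described above. Paths and the host name are assumptions.
set -eu

# ALPN (needed for HTTP/2 in browsers) requires OpenSSL 1.0.2 or newer.
# Accepts "1.0.2k" or the full output of `openssl version`.
openssl_supports_alpn() {
    v=$(printf '%s' "$1" | sed -e 's/^OpenSSL //' -e 's/[^0-9.].*$//')
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# Print an nginx config with `spdy` on listen lines replaced by `http2` and
# the old spdy_* directives dropped; an HTTP/2-only nginx rejects them.
spdy_to_http2() {
    sed -e '/^[[:space:]]*listen[[:space:]]/ s/[[:space:]]spdy\([[:space:];]\)/ http2\1/g' \
        -e '/^[[:space:]]*spdy_[a-z_]*[[:space:]]/d' "$1"
}

# After the restart: confirm the server negotiates h2 via ALPN
# (the client side also needs OpenSSL 1.0.2+ for -alpn).
verify_h2() {
    openssl s_client -alpn h2 -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | grep -q '^ALPN protocol: h2$'
}

# Demo: check the local OpenSSL, then rewrite a constructed sample config (not a real site).
if openssl_supports_alpn "$(openssl version 2>/dev/null || echo 0)"; then
    echo "ALPN: local OpenSSL is new enough"
else
    echo "ALPN: local OpenSSL is too old, install it from jessie-backports first"
fi
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
server {
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy default_server;
    spdy_headers_comp 5;
    server_name example.invalid;
}
EOF
spdy_to_http2 "$SAMPLE"   # listen lines now say http2, spdy_headers_comp is gone
rm -f "$SAMPLE"
```

Run `sudo nginx -t` on the rewritten file before starting the server, and `verify_h2 your.host.example` once it is up.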
Extra step for LetsEncrypt / Certbot compatibility:
A few days after doing this I got the following error when my weekly cronjob for renewing LetsEncrypt certificates ran:
build/temp.linux-x86_64-2.7/_openssl.c:415:30: fatal error: openssl/opensslv.h: No such file or directory
 #include <openssl/opensslv.h>
And on running it manually I had this:
The following packages have unmet dependencies:
 libssl-dev : Depends: libssl1.0.0 (= 1.0.1t-1+deb8u6) but 1.0.2k-1~bpo8+1 is to be installed
              Recommends: libssl-doc but it is not going to be installed
The solution was just to pull in libssl-dev from jessie-backports too:
apt-get install -t jessie-backports libssl-dev
Note that in my case I have a git clone of certbot rather than a packaged version, though it is now available as a backport for Debian Jessie.