Recently, I was upgrading the infrastructure for Hosted Apache Solr, and as part of the upgrade, I jumped from Nginx 1.8.x to 1.10.x, which includes HTTP/2 support. I had previously used SPDY support in my server configuration to help the site run better/faster on modern browsers with SPDY support:
listen 443 ssl spdy;
After the server upgrades, I was getting the following error on Nginx restarts:
nginx: [warn] invalid parameter "spdy": ngx_http_spdy_module was superseded by ngx_http_v2_module in /etc/nginx/conf.d/hostedapachesolr.conf:10
So I switched the configuration to use http2 instead of spdy on the listen line, and restarted nginx.
Everything worked great in Safari and Firefox, but when I tried loading the page in Chrome, I was greeted with the following error:
This site can’t be reached
The webpage at https://hostedapachesolr.com/ might be temporarily down or it may have moved permanently to a new web address.
Looking further into the problem, it seems the HTTP/2 cipher suites are a little more strict than older protocols, and you need to make sure one of the supported ciphers is listed first in your ssl_ciphers configuration. In my case, I ended up using:
listen 443 ssl http2;
You can also look at the recommended cipher configuration provided by CloudFlare for more ideas.
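A check for the condition described above, as an added example that is not part of the original post: RFC 7540 section 9.2.2 lets an HTTP/2 client reject TLS 1.2 suites that lack ephemeral key exchange or an AEAD mode, so this script flags an ssl_ciphers list whose first concrete suite falls in that set. The function names and sample configs are constructed for illustration, and selector keywords such as HIGH are reported as unknown rather than expanded.

```python
import re

AEAD = ("GCM", "CCM", "CHACHA20")   # AEAD modes as they appear in OpenSSL suite names
EPHEMERAL = ("ECDHE-", "DHE-")      # ephemeral key exchange prefixes

def http2_acceptable(suite):
    """RFC 7540 section 9.2.2: TLS 1.2 suites need ephemeral key exchange + AEAD."""
    name = suite.upper()
    return name.startswith(EPHEMERAL) and any(mode in name for mode in AEAD)

def first_preference(ssl_ciphers):
    """First concrete suite name, or None when the list opens with a selector
    (HIGH, EECDH+AES128, @STRENGTH) that only OpenSSL itself can expand."""
    for token in re.split(r"[:,\s]+", ssl_ciphers.strip()):
        if not token or token[0] in "!-":       # exclusions are never offered
            continue
        if token[0] in "+@" or "+" in token or "-" not in token:
            return None
        return token
    return None

def audit(conf):
    """Return (first suite, verdict) for each ssl_ciphers directive in a config
    that enables http2 on a listen line; empty list if http2 is not enabled."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    if not re.search(r"\blisten\b[^;]*\bhttp2\b", conf):
        return []
    results = []
    for m in re.finditer(r"\bssl_ciphers\s+['\"]?([^'\";]+)['\"]?\s*;", conf):
        first = first_preference(m.group(1))
        verdict = "unknown" if first is None else (
            "ok" if http2_acceptable(first) else "blacklisted")
        results.append((first, verdict))
    return results

# Constructed sample configs, not the post's real configuration.
BROKEN = """
server {
    listen 443 ssl http2;
    ssl_prefer_server_ciphers on;   # server picks the first suite the client supports
    ssl_ciphers ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
}
"""
FIXED = BROKEN.replace("ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256",
                       "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA")

if __name__ == "__main__":
    print("broken:", audit(BROKEN))
    print("fixed: ", audit(FIXED))
```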
After letting Ansible reprovision the server with the new settings, the site's working great in Chrome (as well as other browsers), the Qualys SSL test score is A+, and HTTP/2 support is working great!
The best ciphers seem to have changed already, but your inclusion of the link to the cloudflare repo was enough to get this working quickly. Thanks, a very helpful resource to know about! Will need to see about setting up an alert when they push new commits...
My answer to new commit alerts: https://github.com/mbaynton/github-commit-alert
Nice, simple, and effective!