How to Enable HTTP/2 on Nginx with OpenSSL: A Step‑by‑Step Compilation Guide

What is HTTP/2?

HTTP/2 (the second major version of the Hypertext Transfer Protocol) is the first update to HTTP since 1.1, based on the SPDY protocol and standardized in RFC 7540 in May 2015.

Dependencies

openssl

version must be 1.0.2e or newer. nginx (or OpenResty) version must be 1.9.5 or newer.

Compile and Install OpenSSL

wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.2j.tar.gz
 tar zxvf openssl-1.0.2j.tar.gz
 cd openssl-1.0.2j
 ./config shared zlib
 make && make install
 mv /usr/bin/openssl /usr/bin/openssl.old
 mv /usr/include/openssl /usr/include/openssl.old
 ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
 ln -s /usr/local/ssl/include/openssl /usr/include/openssl
 echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
 ldconfig -v

Verify the installation:

openssl version
# OpenSSL 1.0.2j  26 Sep 2016

Re‑compile OpenResty with the New OpenSSL

wget https://openresty.org/download/openresty-1.13.6.1.tar.gz
 tar zxvf openresty-1.13.6.1.tar.gz
 cd openresty-1.13.6.1/

Edit the OpenSSL configuration paths in the two files shown below (they point to different OpenSSL directories):

vim /home/www/build/openresty-1.13.6.1/bundle/nginx-1.13.6/auto/lib/openssl/conf
vim /home/www/build/openresty-1.13.6.1/build/nginx-1.13.6/auto/lib/openssl/conf

Replace the original include/library variables with the new ones, for example:

CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"

Configure and Build OpenResty

./configure \
  --user=www \
  --group=www \
  --prefix=/usr/local/openresty \
  --with-luajit \
  --with-http_v2_module \
  --with-http_realip_module \
  --with-http_mp4_module \
  --with-stream \
  --with-http_gzip_static_module \
  --with-http_ssl_module \
  --with-openssl=/usr/local/ssl \
  --with-openssl-opt="enable-tlsext" \
  --without-http_redis2_module \
  --with-http_iconv_module \
  --with-http_stub_status_module \
  --with-http_xslt_module \
  --add-dynamic-module=/home/www/build/nginx-ts-module \
  --add-dynamic-module=/home/www/build/nginx-rtmp-module \
  --add-dynamic-module=/home/www/build/nginx-module-vts \
  --add-module=/home/www/build/ngx_cache_purge-2.3 \
  make

Only make is needed; make install would overwrite the existing installation.

Replace the Nginx Binary

Stop the running Nginx service, back up the current binary, and copy the newly built binary and any required modules:

cp /usr/local/openresty/nginx/sbin/nginx /usr/local/openresty/nginx/sbin/nginx.old
cp -f /home/www/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/nginx /usr/local/openresty/nginx/sbin/nginx
cp -f /home/www/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/ngx_rtmp_module.so /usr/local/openresty/nginx/modules/
cp -f /home/www/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/ngx_http_ts_module.so /usr/local/openresty/nginx/modules/
cp -f /home/www/build/openresty-1.13.6.1/build/nginx-1.13.6/objs/ngx_http_vhost_traffic_status_module.so /usr/local/openresty/nginx/modules/

Restart the service and verify the build:

sudo systemctl start nginx
sudo /usr/local/openresty/nginx/sbin/nginx -V

Configure Nginx for HTTP/2

server {
    listen 443 ssl http2;
    server_name www.tinywan.com;
    set $root_path /home/www;
    root $root_path;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.com/privkey.pem;
    server_tokens off;

    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=/$1 last;
            break;
        }
    }
}

Testing HTTP/2

Testing Tool

Use Chrome’s chrome://net-internals/#http2 page to inspect HTTP/2 connections.

Test Results

Note: The request headers sent by the browser change when HTTP/2 is active.