Understanding HTTP/2, TLS 1.3, ECC, and Brotli: Practical Nginx Configuration Guide
This article explains the key features of HTTP/2, the performance and security enhancements of TLS 1.3, the benefits of ECC over RSA, Brotli compression, and provides step‑by‑step Nginx configuration snippets to enable these technologies in production environments.
HTTP/2 Overview
HTTP/2 (also called HTTP 2.0) is the next‑generation HTTP protocol developed by the IETF HTTPBIS working group, evolving from SPDY and now supported by major browsers and servers such as Chrome, Nginx 1.9.5+, and Apache 2.4.16+.
Binary Framing
HTTP/2 inserts a binary framing layer between the application and transport layers, splitting all communication into small frames encoded in binary format. A frame is the smallest unit and contains a header, stream identifier, priority, and payload.
DATA – carries HTTP message bodies.
HEADERS – carries header fields.
SETTINGS – negotiates client‑server configuration (e.g., initial flow‑control window).
WINDOW_UPDATE – adjusts flow‑control windows for streams or the whole connection.
PRIORITY – specifies resource priority.
RST_STREAM – aborts a stream.
PUSH_PROMISE – signals server‑initiated push.
PING – measures round‑trip time.
GOAWAY – tells the peer to stop creating new streams.
Flags such as END_STREAM indicate the end of a message, and stream IDs are odd for client‑initiated streams and even for server‑initiated streams.
Header Compression (HPACK)
HTTP/2 uses HPACK to compress header fields. A shared header table stores previously sent key‑value pairs, so subsequent requests only transmit indexes or new entries, reducing overhead without affecting semantics.
Flow Control
Flow control is per‑connection and per‑stream, based on WINDOW_UPDATE frames. The receiver advertises how many bytes it can accept, and only DATA frames consume the flow‑control window; control frames are exempt.
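To make the framing layer and the flow-control rule concrete, here is an added example (not code from the original article) that parses a raw HTTP/2 byte stream into frames using the 9-byte header described above, labels each stream by the odd/even origin rule, and tracks the connection-level window so that only DATA payload consumes it. The sample bytes are constructed for the example; the HPACK payloads are placeholders and are not decoded.

```python
import struct

# Frame type codes (RFC 7540 section 6) for the frame types listed above.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM", 0x4: "SETTINGS",
               0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
END_STREAM, END_HEADERS = 0x1, 0x4   # flag bits; END_STREAM marks the end of a message
DEFAULT_WINDOW = 65535               # initial flow-control window (RFC 7540 section 6.9.2)

def build_frame(ftype, flags, stream_id, payload=b""):
    # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream ID
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(buf):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(buf):
        header, pos = buf[pos:pos + 9], pos + 9
        if len(header) < 9:
            raise ValueError("truncated frame header")
        length, ftype, flags = int.from_bytes(header[:3], "big"), header[3], header[4]
        stream_id = struct.unpack(">I", header[5:9])[0] & 0x7FFFFFFF  # drop the reserved bit
        payload, pos = buf[pos:pos + length], pos + length
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, "UNKNOWN"), flags, stream_id, payload))
    return frames

def stream_origin(stream_id):
    # Stream 0 is the connection itself; odd IDs are client-initiated, even IDs server-initiated
    return "connection" if stream_id == 0 else ("client" if stream_id % 2 else "server")

def account_flow_control(frames, window=DEFAULT_WINDOW):
    # Receiver's connection window: only DATA payload consumes it, WINDOW_UPDATE on stream 0 refills it
    for ftype, _flags, stream_id, payload in frames:
        if ftype == "DATA":
            window -= len(payload)
            if window < 0:
                raise ValueError(f"flow-control window exceeded by DATA on stream {stream_id}")
        elif ftype == "WINDOW_UPDATE" and stream_id == 0:
            window += struct.unpack(">I", payload)[0] & 0x7FFFFFFF
    return window

# Constructed sample (not a real capture), both directions interleaved: a request on client
# stream 1, a push promised for server stream 2, its DATA, then a connection WINDOW_UPDATE.
SAMPLE = (build_frame(0x1, END_HEADERS | END_STREAM, 1, b"\x82\x84")
          + build_frame(0x5, END_HEADERS, 1, struct.pack(">I", 2) + b"\x82")  # promises stream 2
          + build_frame(0x0, 0, 2, b"x" * 1000)
          + build_frame(0x0, END_STREAM, 2, b"y" * 500)
          + build_frame(0x8, 0, 0, struct.pack(">I", 1000)))
```

A receiver that sees the window go negative has a peer ignoring flow control, which is the condition the RST_STREAM or GOAWAY frames above exist to handle.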
Multiplexing
Multiple logical streams share a single TCP connection. Frames from different streams are interleaved and reassembled using stream IDs, eliminating the head‑of‑line blocking that plagued HTTP/1.1.
Request Priority
Each stream can carry a 31‑bit priority value (0 = highest). Clients can hint ordering (e.g., CSS → JS → images) and servers may use it to schedule frame transmission, though server support varies.
Server Push
Using PUSH_PROMISE, the server can proactively send additional resources (e.g., CSS or JS) alongside the primary response, provided the client has not already cached them and the push follows the request‑response model.
TLS 1.3 Improvements
TLS 1.3, standardized in RFC 8446, introduces a new key‑exchange mechanism (PSK), 0‑RTT data transmission, removal of legacy ciphers (3DES, RC4, AES‑CBC) and hash algorithms (MD5, SHA‑1), and encrypts all handshake messages after ServerHello, dramatically reducing round‑trip latency.
ECC Advantages
Elliptic Curve Cryptography (ECC) provides comparable security to RSA with much shorter keys (e.g., 256‑bit ECC ≈ 3072‑bit RSA), leading to lower CPU usage, smaller certificates, and faster TLS handshakes—especially beneficial for mobile devices.
Brotli Compression
Brotli, a Google‑originated lossless compression algorithm, outperforms Gzip by 17‑25 % on typical web assets and achieves higher compression ratios even at its lowest level. It requires HTTPS and can be enabled in Nginx via the ngx_brotli module.
Nginx Configuration
To enable HTTP/2, TLS 1.3, ECC certificates, and Brotli in Nginx, add the following directives (adjust paths as needed):
server {
    listen 443 ssl http2;
    ssl_certificate     /path/to/ecc_cert.pem;
    ssl_certificate_key /path/to/ecc_key.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    # With OpenSSL, ssl_ciphers only governs TLS 1.2; the TLS 1.3 suites
    # (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, ...) are chosen by the library.
    # Listing only TLS 1.3 names here would leave TLS 1.2 clients with no usable cipher,
    # so give TLS 1.2 an ECDHE/ECDSA list that matches the ECC certificate.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
    ssl_early_data on;  # enable 0-RTT; early data can be replayed, so pass the
                        # $ssl_early_data variable upstream (Early-Data header) and
                        # never let 0-RTT requests perform state-changing actions
    brotli on;
    brotli_comp_level 5;
    brotli_types text/plain text/css application/javascript image/svg+xml;
    http2_push_preload on;  # enable server push for Link: rel=preload headers
    # additional location blocks ...
}
After recompiling Nginx with --add-module=/path/to/ngx_brotli (or using a package that includes the module), reload the configuration to apply the changes.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)