
The Complete Guide to HTTP/2 with HAProxy and Nginx - ryzy
http://m12.io/blog/http-2-with-haproxy-and-nginx-guide
======
Ambroos
This feels overly complex. The tutorial lets HAProxy do the SSL and Nginx the
HTTP/2 (without SSL). But Nginx is still set up for HTTPS (that will never be
used). Especially since Nginx can perfectly do both. You might as well replace
the HAProxy server you're using with just another Nginx server (with OpenSSL
1.0.2 statically linked) and remove the SSL steps from your application server
configuration. It reduces the amount of 'different' technologies and
configuration standards you have to keep up with and gives you more
flexibility.

What we do internally where I work is the following: our application servers
all listen only on a secure internal network and accept incoming connections
only from our 'gateway' server. All simple HTTP over port 80. The 'gateway'
servers run just Nginx and nothing else. They staple SSL and HTTP/2 on top of
the forwarded requests to application servers.

Since our gateway servers are stateless and behind a floating IP we can easily
swap them out. And because their task is simple we can take more risks with
those servers (cutting-edge things needed for HTTP/2). Currently our gateway
servers all run Debian Stretch (unstable) since we get Nginx with OpenSSL
1.0.2 for free. Our application servers run whatever stable software they
require.

A simplified but functional version of our Nginx configuration:
[https://gist.github.com/Ambroos/1552515b0dd2b755fe1a](https://gist.github.com/Ambroos/1552515b0dd2b755fe1a)
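The gateway pattern described in this comment (Nginx terminates TLS and speaks HTTP/2 to clients, then forwards plain HTTP/1.1 to application servers on a private network), written out as an added illustrative Nginx configuration. This is not Ambroos's gist and not the tutorial's config; the hostname `www.example.com`, the `10.0.0.0/24` backend addresses, the certificate paths and the cipher list are assumptions chosen for the example.

```nginx
# Added example: a stateless TLS/HTTP/2 "gateway" in front of plain-HTTP app servers.
# Assumed values: www.example.com, 10.0.0.11/12 (private network), cert paths below.

upstream app_backend {
    # Application servers listen only on the internal network, port 80, plain HTTP.
    server 10.0.0.11:80;
    server 10.0.0.12:80;
    keepalive 32;
}

server {
    # Plain HTTP on the public side exists only to redirect to HTTPS.
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    # HTTP/2 is negotiated via ALPN, so it needs TLS here (OpenSSL 1.0.2+ for ALPN).
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/certs/www.example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/nginx/certs/www.example.com.key.pem;        # assumed path

    # Weak setting that a scanner would flag (kept here only as the "before"):
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Hardened setting: TLS 1.2 only drops old clients (IE on XP, Android 2.3)
    # but gives forward secrecy and AEAD ciphers. Illustrative list, not the
    # exact output of any particular generator.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption keeps the HTTP/2 handshake cost down on a busy gateway.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling so clients do not have to contact the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Tell browsers to stay on HTTPS once they have seen this host over TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Forward as HTTP/1.1 over the private network; the app never sees TLS.
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the application know the original request was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the gateway holds no state beyond the TLS session cache, several of them can sit behind a floating IP and be replaced independently of the application servers; the application servers only need to trust the `X-Forwarded-Proto` header from the gateway's private address and must not be reachable from the public network on port 80.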

~~~
lunarmist
And the nginx ssl config is improperly configured, which would give an F under
ssllab's tests.

~~~
thresh
Since when some random website on the internet dictates "proper" configuration
of TLS?

Hint: "A+" will make sure a lot of old clients which do not support fancy new
encryption schemes will not get your content. If you don't care about that,
it's fine, but do not call that "improper". It simply isn't.

~~~
Ambroos
With the Mozilla Intermediate configuration you lose clients that use IE on
Windows XP and Android 2.3. We mostly target a Belgian audience, where those
users pretty much don't exist anymore.

And still, we don't even target those browsers with our development anymore.
Early this year we decided that supporting anything older than IE11 / latest
Chrome / Firefox ESR / latest Safari just isn't worth it, so we don't do that
anymore either.

------
DieBuche
For simple setups Caddy [1] is great. It supports HTTP/2 out of the box, and
even provisions the certs for you from LE automagically. The defaults are much
saner than nginx.

[1] [https://caddyserver.com/](https://caddyserver.com/)

~~~
vnglst
+1, I love the simplicity of Caddy Server! Just a few lines of configuration
and you've got a reverse proxy with SSL.

------
bcherny
Any suggestions for setting up HTTP2 push with Nginx? Or do we just have to
wait for official support?

------
VeejayRampay
I selfishly wish the tutorial could cover HTTPS configuration with
LetsEncrypt. Nicely done though.

~~~
smithclay
I took a stab at building it from source on Ubuntu 14.04 + LetsEncrypt for an
experimental site (i.e. follow the config best practices mentioned elsewhere
here).

[https://www.clay.fail/posts/ubuntu-http2-in-mere-hours/](https://www.clay.fail/posts/ubuntu-http2-in-mere-hours/)

