
An nginx.conf for 2017: HTTP/2, IPV6, HTML5 SSE, load balancing and more. - nailer
https://certsimple.com/blog/nginx-http2-load-balancing-config
======
nailer
Author here!

Biggest discovery when researching this: due to the ALPN requirement in
Chrome [1], openssl 1.0.2 being required for ALPN, and the vagaries of Linux
distro release schedules, Ubuntu 16.04 is the only LTS distro that can serve
HTTP/2 to Chrome users.

When they're eventually announced, RHEL/CentOS 8 (Fedora already has the
necessary openssl) and Debian 9 will also work. But right now Ubuntu is your
only bet unless you want to build and maintain your own openssl. Which you
don't.

[1]
[https://bugs.chromium.org/p/chromium/issues/detail?id=527066](https://bugs.chromium.org/p/chromium/issues/detail?id=527066)

~~~
lstamour
For Debian 8 (Jessie): There's a newer build of Nginx in jessie-backports with
static OpenSSL 1.0.2:
[http://serverfault.com/questions/775298/debian-jessie-nginx-with-openssl-1-0-2-to-use-alpn-rather-than-npn](http://serverfault.com/questions/775298/debian-jessie-nginx-with-openssl-1-0-2-to-use-alpn-rather-than-npn)

~~~
nailer
Interesting. What's the maintenance policy for jessie-backports? If it's best-
effort it might be better to avoid suggesting people use it for a package as
frequently updated as openssl.

~~~
lstamour
It is indeed best-effort. You can follow along on packaging in
[https://packages.qa.debian.org/n/nginx.html](https://packages.qa.debian.org/n/nginx.html)
and
[https://packages.qa.debian.org/o/openssl.html](https://packages.qa.debian.org/o/openssl.html)
as well as backports' security mailing lists.

Given what I'm seeing on the Nginx build currently in backports, I might rely
on backports for dependencies, but I'd seriously consider building your own
Nginx from source and/or paying attention yourself to security warnings.

------
thresh
the configuration they provide is wrong on many things

1/ it says "An nginx config for your first million users",

but: worker_connections 768;

2/ html5-sse.conf:

proxy_buffering off;

bad idea for a loaded server / backend

proxy_cache off;

will enable proxy_cache, which is not defined anywhere, so this will actually
fail to validate - and proxy_cache is already disabled when you're doing
proxy_buffering off;

3/ https.conf:

resolver 8.8.8.8 8.8.4.4 valid=300s;

bad idea to trust anything but a local resolver, why do you trust internet to
tell you IP addresses where you will go for ssl stapling info?

~~~
nailer
1/ The article doesn't claim to support one million concurrent users. Top
level directives are Ubuntu/RHEL defaults, but if you have a preferred
scalability config please file an issue!

2a/ buffering is well known to break SSE. As the article notes, if you're not
using SSE you should disable that include.

2b/ I thought the config parser would have caught this but didn't. Filed
[https://github.com/certsimple/nginx-http2-load-balancing-config/issues/1](https://github.com/certsimple/nginx-http2-load-balancing-config/issues/1)
and fixed.

3/ If you think your own DNS server is going to be better maintained than
Google's, sure. But not everyone else would.

~~~
thresh
2a/ OK, I misread what was the intention, maybe it's a good idea then

3/ it's not about "better maintained", it's about trusting the internet on
sensitive data, which you should never do, because dns is easily spoofed and
nginx resolver was not written to operate in a hostile environment. if you
don't have a local caching resolver on your machine (which you should), even
trusting your cloud provider dns is better than trusting goog one. nginx
documentation even says "To prevent DNS spoofing, it is recommended
configuring DNS servers in a properly secured trusted local network." on
[http://nginx.org/r/resolver](http://nginx.org/r/resolver)

~~~
nailer
You're right: checking this out further, the nginx resolver seems to have a
bunch of issues [1] which is concerning.

I've modified the config accordingly.

[1] [http://blog.zorinaq.com/nginx-resolver-vulns/](http://blog.zorinaq.com/nginx-resolver-vulns/)

~~~
thresh
Yep - the warning clause in the documentation is there because of those
issues.

thanks!
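
The three settings argued over in this thread, each shown as the weak form
beside the corrected one. This is an added example written for this page; it
is not the config from the linked repository, and every value, path and
hostname marked "assumed" is illustrative rather than taken from the article:

```nginx
# Added example, not the certsimple repo's config. "assumed" marks values
# chosen for illustration.

# 1/ Connection limits. 768 is the Ubuntu/Debian package default in
#    /etc/nginx/nginx.conf. The raised value is assumed; whatever you pick,
#    worker_connections must stay below worker_rlimit_nofile or workers
#    run out of file descriptors under load.
worker_processes auto;
worker_rlimit_nofile 65535;            # assumed
events {
    # worker_connections 768;          # distro default
    worker_connections 8192;           # assumed; clients ~= worker_processes * worker_connections
}

http {
    # 3/ Resolver used for OCSP stapling lookups. Point nginx at a caching
    #    resolver on the host (or a trusted internal network), not at a
    #    public resolver reached over the open internet: the nginx resolver
    #    is not hardened against spoofed answers.
    # resolver 8.8.8.8 8.8.4.4 valid=300s;  # weak: trusts internet DNS for stapling targets
    resolver 127.0.0.1 valid=300s ipv6=off;  # assumed: local caching resolver on 127.0.0.1
    resolver_timeout 5s;

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;                                 # assumed

        ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # assumed path
        ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # assumed path
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/example.com/chain.pem;  # assumed path; verifies the stapled response

        # 2/ Server-Sent Events. Response buffering breaks SSE, so it is
        #    turned off for this location only; caching is not used once
        #    buffering is off, so no proxy_cache line is needed here. Keep
        #    these directives out of locations that do not serve SSE, since
        #    unbuffered proxying ties a worker to a slow backend.
        location /events {                                       # assumed path
            proxy_pass http://127.0.0.1:8080;                    # assumed backend
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_buffering off;
            proxy_read_timeout 24h;                              # assumed; SSE streams are long-lived
        }

        location / {
            proxy_pass http://127.0.0.1:8080;                    # assumed backend; buffering stays on
        }
    }
}
```

Validate with `nginx -t` before reloading; `nginx -V` prints the "built with
OpenSSL" line, which must be 1.0.2 or later for the ALPN negotiation Chrome
requires, and `openssl s_client -alpn h2 -connect example.com:443` reports
"ALPN protocol: h2" when it actually works end to end.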

