
I'm writing nginx config, and I have a fundamental question.

What are the differences among:

    listen 443 ssl;
    listen [::]:443 ssl;
    listen [::]:443 ssl http2;

My goal is to secure this web application, but also to remain compatible with old clients.

Note: I understand that [::]:443 has to do with IPv6, but does it encompass IPv4 as well in this case? I want to clear up my concepts.

2 Answers


listen 443 ssl : makes nginx listen on all IPv4 addresses of the server, on port 443 (0.0.0.0:443)

while

listen [::]:443 ssl : makes nginx listen on all IPv6 addresses of the server, on port 443 (:::443)


[::]:443 will not make nginx respond on IPv4 by default, unless you specify the parameter ipv6only=off :

    listen [::]:443 ipv6only=off;


As per the doc : http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

ssl :

The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode.

http2 :

The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections.

This doesn't mean it accepts only HTTP/2 connections.

As per RFC7540

A client that makes a request for an "http" URI without prior knowledge about support for HTTP/2 on the next hop uses the HTTP Upgrade mechanism. The client does so by making an HTTP/1.1 request that includes an Upgrade header field with the "h2c" token.

A server that does not support HTTP/2 can respond to the request as though the Upgrade header field were absent.

    HTTP/1.1 200 OK
    Content-Length: 243
    Content-Type: text/html

A server that supports HTTP/2 accepts the upgrade with a 101 (Switching Protocols) response. After the empty line that terminates the 101 response, the server can begin sending HTTP/2 frames.

To summarize :

A client that does not support HTTP/2 will never ask the server for an HTTP/2 communication upgrade : the communication between them will be fully HTTP/1.1.

A client that supports HTTP/2 will ask the server (using HTTP/1.1) for an HTTP/2 upgrade :

  • If the server is HTTP/2 ready, then the server will notify the client as such : the communication between them will be switched to HTTP/2.
  • If the server is not HTTP/2 ready, then the server will ignore the upgrade request, answering with HTTP/1.1 : the communication between them should stay fully HTTP/1.1.

Maybe more summarized here : http://qnimate.com/http2-compatibility-with-old-browsers-and-servers/


However the nginx doc states the following about HTTP/2 over TLS :

Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2.

Make sure old clients are compliant with this requirement.
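As an added example that is not part of either answer, here is a complete server block that applies the points above: one IPv4 socket and one IPv6 socket on port 443, both carrying ssl and http2, so HTTP/2-capable clients negotiate h2 through ALPN and older clients stay on HTTP/1.1 over the same port. The hostname example.com, the certificate paths, the document root and the chosen TLS versions are assumptions to adapt; nothing here is taken from the original post.

```nginx
# Added example (not from the original post). Hostname, certificate paths,
# document root and TLS settings are assumptions; adjust them for your host.

server {
    # Two sockets: 0.0.0.0:443 (IPv4) and :::443 (IPv6).  Both accept TLS;
    # HTTP/2 is offered via ALPN, HTTP/1.1 clients that don't send ALPN h2
    # simply keep speaking HTTP/1.1 on the same port.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Alternative: a single dual-stack socket.  Do NOT combine this with the
    # two lines above: the IPv6 socket would already own port 443 for IPv4
    # (v4-mapped addresses) and the 0.0.0.0:443 bind would fail with
    # "Address already in use".  ipv6only can only be set once per address:port.
    # listen [::]:443 ssl http2 ipv6only=off;

    # nginx 1.25.1 and later deprecate the http2 listen parameter in favour
    # of the directive form; on those versions use "http2 on;" here instead.
    # http2 on;

    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.com.key;             # assumed path

    # Old-client compatibility trade-off: TLS 1.2 keeps most legacy clients
    # working, TLS 1.3 serves modern ones.  Re-adding TLSv1 / TLSv1.1 is the
    # only way to reach clients older than that, at a real security cost.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:TLS:10m;

    location / {
        root /var/www/example.com;   # assumed document root
    }
}

# Plain HTTP on both address families is only used to redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

To verify the result after nginx -t and a reload: ss -ltn 'sport = :443' should show two sockets, 0.0.0.0:443 and [::]:443 (only [::]:443 if the ipv6only=off variant is used), and openssl s_client -connect example.com:443 -alpn h2 </dev/null prints a line reading ALPN protocol: h2 when HTTP/2 was negotiated. Running the same command without -alpn simulates a legacy client: no ALPN is negotiated and the connection proceeds as HTTP/1.1, which is exactly the fallback the answer describes.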


There is an option called ipv6only which determines whether or not the IPv6 address applies to IPv4 as well. By default it is turned on (which means it doesn't).

The manual states that it can only be set once, which I think means that if you turn it off in one listen directive, it is turned off for all.

See this document for details.
