1

I am running nginx version: 1.12.1 behind a CloudFlare machine. The CloudFlare front is http2 enabled.


I was wondering if it’s a good idea to upgrade to Nginx 1.9.5, which supports http2? The cost of the upgrade is significant. My Linode centos is

centos-release-7-3.1611.el7.centos.x86_64

and the default Nginx package that comes via the rpm repository is still at Nginx 1.12.

Does upgrading the Nginx version behind a CloudFlare machine bring in significant advantages?

Edit: Paint me naïve, but I thought 1.12 was lower than 1.9. Silly me. Back to the 2nd question, does this make an impact?

Quintin Par

4 Answers

3

CloudFlare does not access origin servers using HTTP/2, only HTTP/1.1. I can confirm this looking at my server logs.

Because of this there's no point enabling HTTP/2 if your server is only accessed by CloudFlare.

Update

To expand on the answer, CloudFlare uses HTTP/2 between their CDN and the client browser. That gives a performance gain for the browser. The back end connection to the origin is less important because on most websites most resources are cached.

It could maybe speed things up slightly if they used HTTP/2, but they're a good company and if it's a useful thing to do they'll do it eventually.

Tim
  • Wow, so what’s the point in enabling http2 on CloudFlare? – Quintin Par Sep 17 '17 at 01:29
  • The network between Cloudflare and origin server often has more bandwidth than the end user connection. Also, Cloudflare caches some resources. Both of these mean that when an end user connects to Cloudflare with HTTP/2, he will get the benefits of multiplexing on HTTP/2. – Tero Kilkanen Sep 17 '17 at 01:35
  • What if you are a forum with not many assets to cache? Feels like this is best optimized for a site like imgur. – Quintin Par Sep 17 '17 at 02:25
  • A forum will have plenty of javascript, css, header images, buttons, etc. [This forum page](https://www.webpagetest.org/result/170917_K0_05f76da9e614ae1d2101549d61eb181c/) loads 82 resources, around 30 from the origin server, only one is dynamic. Client side caching and CDN caching reduces bandwidth and processing requirements. – Tim Sep 17 '17 at 02:54
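
The log check mentioned in the answer above, as an added example that is not part of the original posts: it tallies the protocol version in nginx "combined" access-log lines, split by whether the peer address falls inside the proxy's networks. The log lines and the `PROXY_NETS` range are constructed placeholders (use the proxy's published ranges), and it assumes `$remote_addr` is the connecting peer, not rewritten by the realip module.

```python
import ipaddress
import re
from collections import Counter

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def protocol_by_source(lines, proxy_nets):
    """Count request protocol versions, split into proxy vs. direct peers."""
    nets = [ipaddress.ip_network(n) for n in proxy_nets]
    counts = {"proxy": Counter(), "direct": Counter()}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # first field is not an IP address
        parts = m.group("request").split()
        # A well-formed request line is "METHOD URI HTTP/x.y"
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            proto = parts[2]
        else:
            proto = "malformed"
        source = "proxy" if any(addr in n for n in nets) else "direct"
        counts[source][proto] += 1
    return counts

# Constructed placeholder range (TEST-NET-2), standing in for the CDN's networks.
PROXY_NETS = ["198.51.100.0/24"]

# Constructed sample log lines.
SAMPLE_LOG = r"""
198.51.100.7 - - [17/Sep/2017:01:10:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Sep/2017:01:10:01 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.50 - - [17/Sep/2017:01:10:05 +0000] "GET / HTTP/2.0" 200 5120 "-" "curl/7.55.1"
203.0.113.51 - - [17/Sep/2017:01:10:06 +0000] "\x16\x03\x01" 400 173 "-" "-"
""".strip().splitlines()

if __name__ == "__main__":
    for source, tally in protocol_by_source(SAMPLE_LOG, PROXY_NETS).items():
        print(source, dict(tally))
```

Entries in the "direct" bucket are requests that reached the origin without passing through the proxy.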
2

As others have mentioned, Cloudflare do not currently talk HTTP/2 to origin servers so there is little advantage in implementing HTTP/2 in your origin server.

The primary benefit of HTTP/2 is over low latency connections like browser to server, which you already have by having Cloudflare serve resources over HTTP/2. There is less benefit for server to server connections.

Additionally Cloudflare use a version of Nginx and it does not currently support HTTP/2 to server side and Nginx have stated they have no intention of adding it:

> Is HTTP/2 proxy support planned for the near future?
>
> Short answer:
>
> No, there are no plans.
>
> Long answer:
>
> There is almost no sense to implement it, as the main HTTP/2 benefit is that it allows multiplexing many requests within a single connection, thus [almost] removing the limit on number of simultaneous requests - and there is no such limit when talking to your own backends. Moreover, things may even become worse when using HTTP/2 to backends, due to single TCP connection being used instead of multiple ones.
>
> On the other hand, implementing HTTP/2 protocol and request multiplexing within a single connection in the upstream module will require major changes to the upstream module.
>
> Due to the above, there are no plans to implement HTTP/2 support in the upstream module, at least in the foreseeable future. If you still think that talking to backends via HTTP/2 is something needed - feel free to provide patches.

You may agree or disagree with the above, but that seemed fairly definitive when it was written (in 2015) and it has not seen an update since, though the ticket request for this was reopened 4 months ago and has been left open.

That is not to say that Cloudflare won't go ahead and do this on their own (like they did with Server Push before Nginx supported this), but I'd say it is less likely while the core platform they are based on does not support this.

Finally, you state you are on Centos 7.3. This has an older version of OpenSSL (1.0.1) which does not support ALPN, needed to allow HTTP/2 for Chromium-based browsers (Chrome and Opera) and possibly more such HTTP/2 clients in future, so this may well be required with a future implementation for Cloudflare. The very recently released Centos 7.4 does include OpenSSL 1.0.2, which does support ALPN in theory, but the packaged versions of Nginx at the time of writing are still compiled with the older version so that doesn't help (yet). See this blog post for more details. So it is not just a matter of upgrading Nginx but also the OS and/or OpenSSL, and even then this will not help at the moment. Of course there are ways around this (installing from source, running it in a Docker image instead, etc.) but if you say the cost to upgrade Nginx alone is significant then I imagine this extra stuff is really going to put a nail in that coffin.

All in all, I would say leave well enough alone for now and just enjoy the fact you have HTTP/2 support provided, and looked after, by Cloudflare. In fact one of the simplest ways of getting HTTP/2, given all the issues mentioned above, is to use a service like Cloudflare and not bother implementing this on your own infrastructure.

Barry Pollard
1

centos-release-7.3.1611.el7.centos.x86_64 is the version of CentOS you have installed, not the version of nginx.

nginx 1.12.1, which you currently have installed, is a significantly newer version than 1.9.5 (because 12 is greater than 9). So long as the binaries you're using were built with http2 enabled, you should be able to use that feature without changing your nginx version.
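
A way to check the three conditions raised in the two answers above (nginx at least 1.9.5, a binary built with the HTTP/2 module, and a build-time OpenSSL of at least 1.0.2 for ALPN), as an added example that is not part of the original posts. It parses the text printed by `nginx -V`; both sample outputs are constructed for illustration and are not taken from a real host.

```python
import re

def http2_readiness(nginx_v_output):
    """Summarise HTTP/2 prerequisites from the text printed by `nginx -V`."""
    ver = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    # ALPN depends on the OpenSSL nginx was compiled against, so read the
    # "built with" value, not a "running with" value that may follow it.
    ssl = re.search(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)", nginx_v_output)
    nginx_ver = tuple(int(x) for x in ver.groups()) if ver else None
    openssl_ver = tuple(int(x) for x in ssl.groups()) if ssl else None
    return {
        "nginx_version": nginx_ver,
        # Tuple comparison is numeric per component: (1, 12, 1) > (1, 9, 5).
        "version_ok": nginx_ver is not None and nginx_ver >= (1, 9, 5),
        "http_v2_module": "--with-http_v2_module" in nginx_v_output,
        "openssl_built": openssl_ver,
        "alpn": openssl_ver is not None and openssl_ver >= (1, 0, 2),
    }

# Constructed sample: a 1.12.1 package compiled against OpenSSL 1.0.1.
SAMPLE_OLD_OPENSSL = """\
nginx version: nginx/1.12.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

# Constructed sample: the same version compiled against OpenSSL 1.0.2.
SAMPLE_NEW_OPENSSL = """\
nginx version: nginx/1.12.1
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

if __name__ == "__main__":
    # On a real host, capture the text first; `nginx -V` prints to stderr:
    #   subprocess.run(["nginx", "-V"], stderr=subprocess.PIPE, text=True).stderr
    for sample in (SAMPLE_OLD_OPENSSL, SAMPLE_NEW_OPENSSL):
        print(http2_readiness(sample))
```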

0

You're saying that you have Nginx 1.12.1 installed and (correctly) that Nginx has supported HTTP/2 since version 1.9.5.

Since you already have a newer version, I don't really understand why you are talking about a need to upgrade. (You seem to have the latest stable release as of now.)

It appears that you should be all set version-wise and probably just need a configuration change (add http2 to the relevant ssl listen directives).

Håkan Lindqvist