Table of Contents for
Learning HTTP/2

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Learning HTTP/2 by Javier Garza Published by O'Reilly Media, Inc., 2017
  1. nav
  2. Cover
  3. Learning HTTP/2
  4. Learning HTTP/2
  5. Preface
  6. Foreword
  7. 1. The Evolution of HTTP
  8. 2. HTTP/2 Quick Start
  9. 3. How and Why We Hack the Web
  10. 4. Transition to HTTP/2
  11. 5. The HTTP/2 Protocol
  12. 6. HTTP/2 Performance
  13. 7. HTTP/2 Implementations
  14. 8. Debugging h2
  15. 9. What Is Next?
  16. A. HTTP/2 Frames
  17. B. Tools Reference
  18. Index
  19. About the Authors
  20. Colophon

Chapter 2. HTTP/2 Quick Start

When faced with something new and shiny, rarely do we want to spend the first hours meticulously going through the manual, reading the instructions, maintenance details, and safety advisories. We want to tear it out of the packaging, plug it in, turn it on, and start experiencing the wonders promised on the box. HTTP/2 (h2) should be no different.

So let’s start tinkering.

Up and Running

Realistically, you have likely been experiencing HTTP/2 on a daily basis. Open a modern browser (e.g., Edge, Safari, Firefox, Chrome) and point it at a major website like Facebook, Instagram, or Twitter, and voila! you are using h2. Truth be told, this is likely anticlimactic and not the reason you are holding this book in your hands. Let’s get things up and running so that you can be running the next major website over h2.

There are two major steps to getting an h2 server up and running:

  • Get and install a web server that speaks h2

  • Get and install a TLS certificate so the browser will speak h2 with the server

Neither of these are trivial, but we are going to try to make it as simple as possible. There is a more exhaustive treatment of the subject in “Servers, Proxies, and Caches”, but hopefully you will be running an h2 server by the end of this chapter.

Get a Certificate

Working with certificates is a subject that merits a book of its own. We are going to skip right through all of the theory and get a certificate in your hands for experimentation purposes as quickly as possible. We will explore three methods: using online resources, creating a cert on your own, and obtaining a cert from a Certificate Authority (CA)—we’ll use Let’s Encrypt in this case. It should be noted that the first two methods will create what is called a self-signed certificate, and are useful for testing purposes only. Since a self-signed cert is not signed by a CA, it will generate warnings in a web browser.

Use an Online Generator

There are a number of online resources for generating a self-signed certificate. Since you will not have generated the private key in your own secure environment, these certs should never be used for any purpose beyond experimentation like we are doing here. A web search will quickly get you to a couple of resources. One option is https://www.sslchecker.com/csr/self_signed.

Use the tool and save the generated certificate and key to two local files. Name the files privkey.pem and cert.pem, respectively, for now.

Self Signed

The openssl tool, available from https://www.openssl.org, is fairly universal and easily obtainable. There are ports for almost every major platform, and it is what we will use to show how to create a self-signed certificate and key. If you have a Unix/Linux or Mac OS flavor machine you very likely have this tool installed already. Fire up your terminal and repeat after me:

$ openssl genrsa -out privkey.pem 2048
$ openssl req -new -x509 -sha256 -key privkey.pem -out cert.pem -days 365 \
    -subj "/CN=fake.example.org"

With this you will have a new key called privkey.pem and a new cert called cert.pem.

Let’s Encrypt

Let’s Encrypt is a new player on the Certificate Authority scene, having gone live with its public beta in the fall of 2015. Its goal is to make TLS certificates available in an easy, automated, and inexpensive (free) manner to anyone and everyone. This is core to the TLS Everywhere movement, which can be summed up as the belief that all of our web communications should always be encrypted and authenticated. For our purposes here, the “easy” bit is what is attractive so we can get up and running as soon as possible.

Though there are now many clients and libraries to choose from1 that integrate with Let’s Encrypt, the Electronic Frontier Foundation (EFF) maintains the Let’s Encrypt recommended client called certbot.2 Certbot is intended to make certificate acquisition and maintenance a complete hands-off process by doing everything from obtaining the certificate and then installing the certificate on your web server for you.

Note

In order to obtain a certificate from Let’s Encrypt, you will need to be able to validate your domain. This implies you have control of the domain and can prove it by modifying DNS or the web server. If you do not have a domain or do not want to be bothered, simply use the self-signed method shown previously.

Follow instructions for downloading certbot for your favorite operating system. For the purposes of this chapter you do not need to be concerned with the web server choice. For Linux flavors, the simplest method for most cases is to do the following on the machine running your web server:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

Once downloaded, run certbot-auto like so:

$ ./certbot-auto certonly --webroot -w <your web root> -d <your domain>

substituting your web server filesystem root and your domain in the relevant places. This will automatically install any needed packages, prompt you with a number of questions, and finally, if all goes well, obtain the certificate from Let’s Encrypt. Your newly minted cert and private keys will be placed in /etc/letsencrypt/live/<your domain>:

File Description

/etc/letsencrypt/live/<your domain>/privkey.pem

Your certificate’s private key

/etc/letsencrypt/live/<your domain>/cert.pem

Your new certificate

/etc/letsencrypt/live/<your domain>/chain.pem

The Let’s Encrypt CA chain

/etc/letsencrypt/live/<your domain>/fullchain.pem

Your new cert and the chain all in one

Get and Run Your First HTTP/2 Server

There are numerous choices for obtaining and running a web server that speaks HTTP/2. (“Servers, Proxies, and Caches” describes several options.) Our goal here is to be quick and simple, and for that we will look toward the nghttp2 package. nghttp2,3 developed by Tatsuhiro Tsujikawa, provides a number of useful tools for working with and debugging h2. For now, we are interested in the nghttpd tool.

There is more information on nghttp2 in “nghttp2”, but we’ll try to get you started here. Install nghttp2 via your favorite package manager or (for the brave) from the source. For example, on Ubuntu 16:

$ sudo apt-get install nghttp2

Once installed, with certificates in hand, run nghttpd as:

$ ./nghttpd -v -d <webroot> <port> <key> <cert>

where <webroot> is the path to your website, <port> is the port you want the server to listen to, and <key> and <cert> are paths to the key and certificate you generated. For example:

$ ./nghttpd -v -d /usr/local/www 8443 \
            /etc/letsencrypt/live/yoursite.com/privkey.pem \
            /etc/letsencrypt/live/yoursite.com/cert.pem

Pick a Browser

Finally, the reward for the hard work. Pick a modern browser and point it at your new server. See “Desktop Web Browsers” for a very comprehensive list of browsers that support HTTP/2. If you created a self-signed certificate, you should see a security warning. Confirm that it is complaining about the cert you created, and accept the warnings. You should see your website now.

And it is being served over h2!