[HLUG] Http2 web serving / letsencrypt Free SSL certificates

Julian Robbins joolsr1 at gmail.com
Thu Dec 31 16:00:01 UTC 2015


Hi

Hope everyone has a good Christmas.

I've been working on enabling Http2, which is the next gen protocol for the
web to speed up the web a bit. Basically it means that instead of a request
and wait for each file or image to be received by the browser, http2
does this as a parallel process, i.e. requests for all images etc. on a web
page are dealt with at once, which does make quite a difference with pages
with lots of small images especially.

I use nginx as a reverse proxy for Odoo (Odoo.com), and assuming you can use
a relatively new version of nginx via a ppa or rpm repo, then you can adjust
your config to allow serving http2 by the addition of just one term, i.e.
http2. But you do have to serve ssl encrypted pages to be able to serve
http2; it's essential by its design.

The speed improvement I get isn't massive but quite noticeable in usage
making the rep to really zippy in operation.

Which leads me to the next point. The web is moving to all encrypted sites
everywhere and strides are being made to make this easier. Technically
serving ssl pages isn't too difficult but obtaining the certs used to be a
costly business. Now you can do this free of charge with startssl.com and
others.

A better way to obtain ssl certs easily is with letsencrypt.org which is
still in beta but very usable. This provides an open source completely free
means to create your own ssl certs on the server with apache or nginx or
others via their client. The certificates are only valid for 3 months at a
time which seems odd at first glance but the thinking behind this is that
by their nature they do not provide unwanted or unnecessary validity to
sites. To keep up to date, cron is used to run the letsencrypt client on
your web server, thus creating and installing ssl certs automatically every
3 months so they are always valid. Currently this only works for apache not
nginx which is deemed 'experimental'. I used the other option which is
'standalone' which works well just allowing me to create and use the certs
myself.

Took a bit of doing but now all set up with the highest levels of ssl
encryption and nice and nippy too.

I'll post some more links later when I get a mo

Julian
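
A minimal nginx configuration matching the setup described in this message, added as an example and not taken from the original post or from the Odoo or Let's Encrypt projects. The hostname odoo.example.org, the Odoo address 127.0.0.1:8069 and the certificate paths are assumptions.

```nginx
# Added example, not the poster's own config.
# Assumed: hostname odoo.example.org, Odoo listening on 127.0.0.1:8069,
# certificates stored under /etc/letsencrypt/live/<hostname>/.

# Plain HTTP does nothing except redirect to the encrypted site.
server {
    listen 80;
    server_name odoo.example.org;
    return 301 https://$host$request_uri;
}

server {
    # "http2" on the listen line is the one added term (nginx 1.9.5 or later).
    # Browsers only negotiate HTTP/2 over TLS, so it goes on the ssl listener.
    listen 443 ssl http2;
    server_name odoo.example.org;

    # Certificate chain and private key written by the letsencrypt client.
    ssl_certificate     /etc/letsencrypt/live/odoo.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/odoo.example.org/privkey.pem;

    # Refuse the older SSL/TLS protocol versions.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        # Odoo itself speaks plain HTTP on the loopback interface only.
        proxy_pass http://127.0.0.1:8069;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The standalone mode mentioned in the message runs its own temporary web server for the domain check, so nginx has to be stopped while the client runs and started again afterwards to pick up the new certificate.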

