Enabling SPDY and HSTS on Nginx

Enabling SPDY and HSTS on Nginx

Also see Enabling SPDY and HSTS on Apache.

We should have Nginx up and running with a SSL certificate. Even though it is theoretically possible to run SPDY without SSL, in practice we need SSL to make it work.

Make sure out version of Nginx is compiled with SPDY support:

$ nginx -V

Make sure we can find –with-http_spdy_module somewhere in that output. If don't, we need to grab a build with the SPDY module enabled. Install the latest version from the Nginx Ubuntu repo. Also make sure we are using version 1.5 or newer. 1.4 only supports SPDY/2 which the browsers have stopped supporting. 1.5–1.9 have support for SPDY/3.1 which is the current version.

Now it is as simple as adding a single word to Nginx config. Open the server block config for SSL site, and change this line:

listen 443 ssl;

to:

listen 443 ssl spdy;

and reload Nginx config:

$ sudo service nginx reload

Now all SPDY enabled visitors should get site delivered over SPDY, while older browsers get regular SSL.

Setting up HSTS in nginx

To be fully HSTS compliant a host should only issue a HSTS header over a secure transport layer. This is because an attacker can maliciously strip out or inject a HSTS header into insecure traffic. For that reason, a browser should also disregard any HSTS headers received via HTTP, so technically it shouldn't matter if you do issue it over HTTP. Still, it's best to do it right. In your nginx server block, specifically the one that listens on port 443, you need to add a new response header.

server {
        listen 443 ssl spdy;
        server_name xuri.me;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Alternate-Protocol  443:npn-spdy/3;
Enabling SPDY and HSTS on Nginx
38 votes, 4.04 avg. rating (81% score)