I'm trying to get a Ghost blog running over SSL and http2. SSL works fine but it's constantly served on HTTP1.1. I'm trying to figure out why this keeps happening.

My nginx conf file looks like the following:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;

    ssl_certificate        /etc/letsencrypt/live/example.com-0001/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/example.com-0001/privkey.pem;
    ssl_dhparam            /etc/letsencrypt/live/example.com-0001/dhparam.pem;

    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

server {
    listen         80;
    listen    [::]:80;
    server_name    example.com;
    return         301 https://$server_name$request_uri;
}

The node.js app is running on port 2368. Whenever I do load the domain I am presented with it over SSL, so this part works. But it's always over http/1.1. And I'm running nginx version: nginx/1.11.5.

Any suggestions?


2 Answers


HTTP/2 with modern browsers requires ALPN, which requires OpenSSL 1.0.2. CentOS 7 shipped with OpenSSL 1.0.1 and does not support ALPN. It only supports its predecessor NPN, the use of which was deprecated when SPDY became HTTP/2.

I dealt with this by migrating web servers to Fedora, which currently has OpenSSL 1.0.2 and will be moving to 1.1.0 in a few months. This has some additional administrative burden over CentOS due to having recent software and a six month release cycle, but web services typically require recent software anyway.

Michael Hampton
    Thanks! I didn't know this about CentOS. So I did some searching and found this: https://gist.github.com/moneytoo/ab3f34e4fddc2110675952f8280f49c5. By building a new version of NGINX you can get it working. I just did it and now my page is served correctly. So your answer led me to this solution. – just_user Dec 01 '16 at 08:02

As Michael Hampton answered, CentOS 7 is not shipped with ALPN, which is necessary to have HTTP2 running. That is the correct answer.

This made me search around a bit more and I found this:


This gist shows you how to build a version of Nginx yourself. I tried it and it worked for me.

Before that I also upgraded my OpenSSL from the stock 1.0.1e to the latest 1.0.2.. version by following this tutorial.


I can't say if the first part is enough as I did the OpenSSL part first. Hope this can help anyone who doesn't want to change to Fedora. :)

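Added example, not part of either answer or the linked gist: a shell check that reads `nginx -V` output and reports whether the binary was compiled against OpenSSL 1.0.2 or later, the ALPN precondition both answers describe. The function names are hypothetical, the sample `nginx -V` texts are constructed, and it assumes nginx fixes ALPN support at compile time.

```shell
#!/bin/sh
# Added example. Function names and sample texts are hypothetical/constructed.
# Assumption: nginx decides at compile time whether it can offer ALPN, so the
# "built with OpenSSL" version is the one that must be 1.0.2 or later.

# Read `nginx -V` text on stdin; print "major minor patch" of the build-time OpenSSL.
built_openssl() {
    sed -n 's/^built with OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# Exit 0: ALPN possible (>= 1.0.2). Exit 1: too old. Exit 2: no OpenSSL line found.
alpn_capable() {
    set -- $(built_openssl)
    [ $# -eq 3 ] || return 2
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10002 ]
}

# Turn the exit status into a one-word verdict for the given `nginx -V` text.
verdict() {
    rc=0
    printf '%s\n' "$1" | alpn_capable || rc=$?
    case $rc in
        0) echo "alpn-ok" ;;
        1) echo "no-alpn" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample: stock CentOS 7 style build against OpenSSL 1.0.1e.
STOCK_NGINX_V='nginx version: nginx/1.11.5
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled'

# Constructed sample: the same nginx rebuilt against OpenSSL 1.0.2.
REBUILT_NGINX_V='nginx version: nginx/1.11.5
built with OpenSSL 1.0.2j  26 Sep 2016
TLS SNI support enabled'

echo "stock build:   $(verdict "$STOCK_NGINX_V")"
echo "rebuilt build: $(verdict "$REBUILT_NGINX_V")"

# On a real host, nginx -V writes to stderr, hence the redirect.
if command -v nginx >/dev/null 2>&1; then
    echo "this host:     $(verdict "$(nginx -V 2>&1)")"
fi
```

A `no-alpn` verdict matches the symptom in the question: the TLS handshake succeeds, but the connection stays on HTTP/1.1.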