Understanding different values for nginx 'listen' directive

listen 443 ssl : makes nginx listen on all IPv4 addresses on the server, on port 443 (0.0.0.0:443)

while

listen [::]:443 ssl : makes nginx listen on all IPv6 addresses on the server, on port 443 (:::443)


[::]:443 will not make nginx respond on IPv4 by default, unless you specify the parameter ipv6only=off :

listen [::]:443 ipv6only=off;


As per the doc : http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

ssl :

The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode.

http2 :

The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections.

This doesn't mean it accepts only HTTP/2 connections.

As per RFC 7540 :

A client that makes a request for an "http" URI without prior knowledge about support for HTTP/2 on the next hop uses the HTTP Upgrade mechanism. The client does so by making an HTTP/1.1 request that includes an Upgrade header field with the "h2c" token.

A server that does not support HTTP/2 can respond to the request as though the Upgrade header field were absent.

    HTTP/1.1 200 OK
    Content-Length: 243
    Content-Type: text/html

A server that supports HTTP/2 accepts the upgrade with a 101 (Switching Protocols) response. After the empty line that terminates the 101 response, the server can begin sending HTTP/2 frames.

To summarize :

A client that does not support HTTP/2 will never ask the server for an HTTP/2 communication upgrade : the communication between them will be fully HTTP/1.1.

A client that supports HTTP/2 will ask the server (using HTTP/1.1) for an HTTP/2 upgrade :

  • If the server is HTTP/2 ready, then the server will notify the client as such : the communication between them will be switched to HTTP/2.
  • If the server is not HTTP/2 ready, then the server will ignore the upgrade request, answering with HTTP/1.1 : the communication between them should stay fully HTTP/1.1.

Maybe more summarized here : http://qnimate.com/http2-compatibility-with-old-browsers-and-servers/


However the nginx doc states the following about HTTP/2 over TLS :

Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2.

Make sure old clients are compliant with this requirement.
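
The address-family behaviour of the listen forms described at the top of this answer can be checked mechanically. The following is an added example, not part of the original post or of nginx itself: a small Python audit that reports, per port, which address families a configuration actually covers and whether port 443 is missing the ssl parameter. The sample configuration, the function names and the warning texts are constructed for illustration; unix: sockets are not handled and hostnames are treated like IPv4 addresses.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
}
server {
    listen [::]:8443 ssl ipv6only=off;
    listen 8080;
    listen [::]:443;   # TLS port without the ssl parameter
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.MULTILINE)

def parse_listen(args):
    """Describe one listen directive's arguments (unix: sockets not handled)."""
    target, *params = args.split()
    if target.startswith("["):            # IPv6 literal: [addr] or [addr]:port
        addr, _, rest = target.partition("]")
        addr, port = addr + "]", rest.lstrip(":") or "80"
        # ipv6only defaults to on, so IPv4 is served only when it is set to off
        families = {"ipv6"} | ({"ipv4"} if "ipv6only=off" in params else set())
    elif target.isdigit():                # bare port means *:port, IPv4 only
        addr, port, families = "*", target, {"ipv4"}
    else:                                 # IPv4 address, optionally with :port
        addr, _, port = target.partition(":")
        port, families = port or "80", {"ipv4"}
    return {"addr": addr, "port": int(port), "families": families,
            "ssl": "ssl" in params, "http2": "http2" in params}

def audit(config):
    """Return per-port address-family coverage and a list of warnings."""
    coverage, warnings = {}, []
    for match in LISTEN_RE.finditer(config):
        lsn = parse_listen(match.group(1))
        coverage.setdefault(lsn["port"], set()).update(lsn["families"])
        if lsn["port"] == 443 and not lsn["ssl"]:
            warnings.append(f"{lsn['addr']}:443 listens without ssl")
    for port, fams in sorted(coverage.items()):
        if fams != {"ipv4", "ipv6"}:
            warnings.append(f"port {port} is reachable over {'/'.join(sorted(fams))} only")
    return coverage, warnings

if __name__ == "__main__":
    cov, warns = audit(SAMPLE)
    print(cov)
    print("\n".join(warns))
```

A listener with ipv6only=off shows up under both families, which matters when firewall rules or access lists are written for only one of them.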