Nginx – enabling SPDY with freeware certificate

I was thinking about allowing access to my website using the SPDY protocol for better performance and security (and for fun, of course 🙂). But SPDY has one disadvantage – you need an SSL certificate signed by a known authority that will verify in common browsers. So you can’t use self-signed certificates, because everyone will see a warning when entering your site. Certs are quite expensive, so I started searching for a free one and, to my surprise, I found some!

I found these two sites where you can generate freeware certificates for your website:

I wouldn’t trust these certification authorities enough to use them for accessing my mail or other private data. But I’m fine with using them for my public websites (like my blog) to gain speed from SPDY.

Configuring cert

Fetch the Root CA and Class 1 Intermediate Server CA certificates:

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Create a unified certificate from your certificate and the CA certificates:

cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt

Enable SPDY

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on;
ssl_certificate /etc/nginx/conf/ssl-unified.crt;
ssl_certificate_key /etc/nginx/conf/ssl.key;
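
Before reloading nginx it is worth checking that the unified file is in the order nginx expects (server certificate first, then each issuer in turn) and that ssl.key belongs to the first certificate. The following is an added example, not part of the original post; the function name check_bundle is hypothetical, and it compares issuer/subject names only, without verifying signatures:

```shell
# Added example (not from the original post): sanity-check the unified
# certificate file and private key before pointing nginx at them.
# Usage: check_bundle /etc/nginx/conf/ssl-unified.crt /etc/nginx/conf/ssl.key
# Returns: 0 = ok, 1 = certificates out of order,
#          2 = key does not match the first certificate, 3 = no certificates found
check_bundle() {
    bundle=$1 key=$2 rc=0
    tmp=$(mktemp -d) || return 3
    # Split the bundle into cert-1.pem, cert-2.pem, ... and count the pieces.
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert-" n ".pem") }
        END { print n + 0 }' "$bundle")
    [ "${n:-0}" -gt 0 ] || rc=3
    # Each certificate must be issued by the one that follows it
    # (name chaining only; signatures are not verified here).
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    # The private key must belong to the first (server) certificate.
    if [ "$rc" -eq 0 ]; then
        cert_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}
```
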

Then enable SPDY like that:

server {
    listen your_ip:80;
    listen your_ip:443 default_server ssl spdy;

    # other stuff
}

Advertise SPDY protocol

Now advertise SPDY with the Alternate-Protocol header – add this directive in the main location:

add_header Alternate-Protocol "443:npn-spdy/2";

Have fun with SPDY on your site 🙂

7 thoughts on “Nginx – enabling SPDY with freeware certificate”

  1. Unfortunately, it doesn’t work… because browsers remove support for spdy2 (Chrome no longer, Firefox will stop in v28).
    Solution: use spdy3… but we must use nginx 1.5.10 or newer from mainline.

    1. I missed out this issue…
      I’m using nginx packages from dotdeb and for now there is no 1.5.x version. But I saw recently that Nginx serves its own repos with the current version for popular distros here: http://nginx.org/en/linux_packages.html. I’m planning this switch but have no time lately. You could try it and let me know if it works for you 😉

  2. I also use dotdeb now and I’m also planning to switch to the official repo.
    The disadvantage here is that it (the official repo) doesn’t offer as many modules as dotdeb (example: lack of the pagespeed module).

    I will try and inform about this 🙂
