Nginx – enabling SPDY with freeware certificate

I was thinking about allowing access to my website using SPDY protocol for better performance and security (and for fun of course ๐Ÿ™‚ ). But SPDY have one disadvantage – you need SSL certificate signed by known authority that will verfiy in common browsers. So you can’t use self signed certificates because everyone will see a warning entering your site. Certs are quite expensive so I started searching for free one and to my surprise I found such!

I found these two sites where you can generate freeware certificates for your website:

I wouldn’t trust these certification authorities enough to use it for: access my mail or other private data. But I’m fine with using it for my public websites (like my blog) to gain speed from SPDY.

Configuring cert

Fetch the Root CA and Class 1 Intermediate Server CA certificates:

wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Create a unified certificate from your certificate and the CA certificates:

cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/nginx/conf/ssl-unified.crt

Enable SPDY

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on;
ssl_certificate /etc/nginx/conf/ssl-unified.crt;
ssl_certificate_key /etc/nginx/conf/ssl.key;

Then enable SPDY like that:

server {
listen your_ip:80;
listen your_id:443 default_server ssl spdy;

# other stuff
}

Advertise SPDY protocol

Now advertise SPDY with Alternate-Protocol header – add this clause in main location:

add_header Alternate-Protocol "443:npn-spdy/2";

Have fun with SPDY on your site ๐Ÿ™‚