Understanding different values for nginx 'listen' directive
listen 443 ssl : makes nginx listen on all IPv4 addresses on the server, on port 443 (0.0.0.0:443)
while
listen [::]:443 ssl : makes nginx listen on all IPv6 addresses on the server, on port 443 (:::443)
[::]:443 will not make nginx respond on IPv4 by default, unless you specify the parameter ipv6only=off :
listen [::]:443 ipv6only=off;
As per the doc : http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
ssl :
The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode.
http2 :
The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections.
This doesn't mean it accepts only HTTP/2 connections.
As per RFC7540
A client that makes a request for an "http" URI without prior knowledge about support for HTTP/2 on the next hop uses the HTTP Upgrade mechanism. The client does so by making an HTTP/1.1 request that includes an Upgrade header field with the "h2c" token.
A server that does not support HTTP/2 can respond to the request as though the Upgrade header field were absent.
HTTP/1.1 200 OK
Content-Length: 243
Content-Type: text/html
A server that supports HTTP/2 accepts the upgrade with a 101 (Switching Protocols) response. After the empty line that terminates the 101 response, the server can begin sending HTTP/2 frames.
To summarize :
A client that does not support HTTP/2 will never ask the server for an HTTP/2 communication upgrade : the communication between them will be fully HTTP/1.1.
A client that supports HTTP/2 will ask the server (using HTTP/1.1) for an HTTP/2 upgrade :
- If the server is HTTP/2 ready, then the server will notify the client of this : the communication between them will be switched to HTTP/2.
- If the server is not HTTP/2 ready, then the server will ignore the upgrade request and answer with HTTP/1.1 : the communication between them should stay fully HTTP/1.1.
Maybe more summarized here : http://qnimate.com/http2-compatibility-with-old-browsers-and-servers/
However the nginx doc states the following about HTTP/2 over TLS :
Note that accepting HTTP/2 connections over TLS requires the “Application-Layer Protocol Negotiation” (ALPN) TLS extension support, which is available only since OpenSSL version 1.0.2.
Make sure old clients are compliant with this requirement.
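The listen rules at the top of this answer can be checked mechanically when reviewing a config. The following is an added example, not part of the original answer or of nginx: it parses listen directives and reports, per port, which address families are reachable and whether TLS is on. The names parse_listen, coverage and SAMPLE are hypothetical, the sample config is constructed, and hostnames, unix: sockets and port ranges are deliberately rejected.

```python
import re
IPV4 = re.compile(r"(\*|\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
IPV6 = re.compile(r"\[([0-9A-Fa-f:.]+)\](?::(\d+))?")

def parse_listen(directive):
    """Describe the socket one nginx `listen` directive opens."""
    tokens = directive.strip().rstrip(";").split()
    if len(tokens) < 2 or tokens[0] != "listen":
        raise ValueError(f"not a listen directive: {directive!r}")
    target, params = tokens[1], set(tokens[2:])
    if target.isdigit():                       # bare port: every IPv4 address
        family, addr, port = "ipv4", "0.0.0.0", target
    elif m := IPV6.fullmatch(target):          # [addr] or [addr]:port
        family, addr, port = "ipv6", m.group(1), m.group(2)
    elif m := IPV4.fullmatch(target):          # addr or addr:port
        family, addr, port = "ipv4", m.group(1).replace("*", "0.0.0.0"), m.group(2)
    else:                                      # hostnames, unix: sockets, port ranges
        raise ValueError(f"unsupported listen target: {target!r}")
    dual = family == "ipv6" and addr == "::" and "ipv6only=off" in params  # default is on
    return {
        "address": addr,
        "port": int(port) if port else 80,     # address with no port means port 80
        "ipv4": family == "ipv4" or dual,
        "ipv6": family == "ipv6",
        "ssl": "ssl" in params,
        "http2": "http2" in params,
    }

def coverage(config):
    """Map port -> sorted list of (family, 'tls' or 'plain') reachable on it."""
    seen = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("listen "):
            s = parse_listen(line)
            for fam in ("ipv4", "ipv6"):
                if s[fam]:
                    seen.setdefault(s["port"], set()).add((fam, "tls" if s["ssl"] else "plain"))
    return {port: sorted(sockets) for port, sockets in seen.items()}

# Constructed sample directives (not from the page).
SAMPLE = """
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen [::]:8443 ssl ipv6only=off;   # one socket, both families
listen 127.0.0.1:8080;
"""

if __name__ == "__main__":
    print(coverage(SAMPLE))
```

A port that shows only one family, or "tls" on one family and "plain" on the other, is worth a second look in review.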