Enable HTTP/2 for ntfy.sh

[otbutz]

Any reason that https://ntfy.sh is limited to HTTP/1.1 ?

[binwiederhier]

Good question. No particular reason, other than I have never set that up for nginx. I could probably do it. Do you happen to have experience with that @otbutz?

Here's how it's set up: https://github.com/binwiederhier/ntfy-ansible/blob/main/roles/nginx/templates/sites-available/ntfy.j2

[binwiederhier]

Looks like it's just adding the http2 stanza: https://ubiq.co/tech-blog/how-to-enable-http2-in-nginx/

Maybe I'll yolo-deploy that tomorrow and see what happens.

[otbutz]

I would follow Mozillas best practices and also enable TLS1.3 while you're at it:

https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6 (You should really consider to ditch HTTP and enforce HTTPS with HSTS.)

You could also switch to caddy if you're feeling adventurous and get HTTP/3 support 😉

[binwiederhier]

I would follow Mozillas best practices and also enable TLS1.3 while you're at it

Sure why not.

You should really consider to ditch HTTP and enforce HTTPS with HSTS

Nope. That prevents the awesome curl -d hi ntfy.sh/yo usage. Don't wanna type https:// all the time, and I am usually not fearing MITM or sharing state secrets. If people are, they can set up their own server.

You could also switch to caddy if you're feeling adventurous and get HTTP/3 support wink

If it ain't broke, don't fix it. :-D

[otbutz]

That should still work without https:// if you allow curl to follow redirects:

curl -L -d hi ntfy.sh/yo

[binwiederhier]

See binwiederhier/ntfy-ansible#1

[binwiederhier]

Sadly the Unix socket change causes a (benign) warning in the ntfy code for every single request (r.RemoteAddr now contains @, instead of an IP address), which means I need a small code change to handle that case. Otherwise I'd get flooded in warnings.

[otbutz]

Shouldn't the remote address not be populated from X-Forwarded-For header in this case?