Enabling HTTP/2, HTTPS, and going HTTPS-only on inf2
Inf2 is a web server at University of Rijeka Department of Informatics, hosting Sphinx-produced static HTML course materials (mirrored elsewhere), some big files, a WordPress instance (archived elsewhere), and an internal instance of Moodle.
HTTPS was enabled on inf2 for a long time, albeit using a self-signed certificate. However, with Let's Encrpyt coming into public beta, we decided to join the movement to HTTPS.
HTTPS was optional. Almost a year and a half later, we also enabled HTTP/2 for the users who access the site using HTTPS. This was very straightforward.
Mozilla has a long-term plan to deprecate non-secure HTTP. The likes of NCBI (and the rest of the US Federal Government), Wired, and StackOverflow have already moved to HTTPS-only. We decided to do the same.
Configuring nginx to redirect to HTTPS is very easy, but configuring particular web applications at the same time can be tricky. Let's go through them one by one.
Sphinx-produced static content does not hardcode local URLs, and the resources loaded from CDNs in Sphinx Bootstrap Theme are already loaded via HTTPS. No changes were needed.
WordPress requires you to set the HTTPS URL in Admin, Settings/General. If you forget to do so before you go HTTPS only, you can still use the config file to adjust the URL.
Moodle requires you to set $CFG->wwwroot in the config file to the HTTPS URL of your website.
And that's it! Since there is a dedicated IP address used just for the inf2 domain, we can afford to not require Server Name Indication support from the clients (I'm sure that both of our Android 2.3 users are happy for it).