This brief tutorial shows students and new users how to add Brotli support to Nginx when using Ubuntu 18.04 | 16.04.
Brotli (br for short) is an open-source compression algorithm developed by Google that can be used as an alternative to Gzip, Zopfli, and Deflate. In some studies, data can be compressed by 10 to 20 percent more than current compression algorithms.
If you want to use Brotli with Nginx, you’ll have to use the ngx_brotli module developed by Google since Nginx doesn’t have official support, at least for its free version.
The Nginx commercial version might support Brotli.
When you’re ready to include Brotli support with Nginx, follow the steps below:
Install SSL Certificates
Brotli requires SSL in practice: browsers only advertise Brotli support (Accept-Encoding: br) over HTTPS, so Nginx needs SSL support before you can use Brotli. Since Let’s Encrypt is easy to install and use with Ubuntu, use the steps below to install the Let’s Encrypt free SSL certificate.
Before generating your free wildcard certificates, you must ensure that certbot is installed. To install it, run the commands below:
sudo apt update
sudo apt-get install letsencrypt
The commands above will install the certbot tool and all the dependencies it needs to function.
Once the tool is installed, you can proceed to generate certificates.
Let’s Encrypt provides many ways to challenge you to validate that you own the domain for which you want to provide SSL certificates. You cannot generate certificates if you can’t prove that you own the domain for which you want certificates.
However, for wildcard certificates, the only challenge method Let’s Encrypt accepts is the DNS challenge, which we can invoke via the --preferred-challenges=dns flag.
So, to generate a wildcard cert for domain *.example.com, you run the command below. The domain is quoted so that the shell does not expand the asterisk:
sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.example.com'
The command options above are explained below:
- certonly: Obtain or renew a certificate, but do not install
- --manual: Obtain certificates interactively
- --preferred-challenges=dns: Use DNS to authenticate domain ownership
- --server: Specify the endpoint to use to generate certificates
- --agree-tos: Agree to the ACME server’s subscriber terms
- -d: Domain name to provide certificates for
After executing the command above, Let’s Encrypt will provide a text string to add as a TXT record in your DNS zone.
Example:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
x4MrZ6y-JqFJQRmq_lGi9ReRQHPa1aTC9J2O7wDKzq8
Before continuing, verify the record is deployed.
Go to your DNS provider portal, add a text record for the string above, and save.
Wait a few minutes before continuing from the prompt. Some DNS providers take a while to propagate changes, which may depend on your provider’s platform.
After you make the changes above and Let’s Encrypt validates that you own the domain, you should see a success message like the one below:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-01-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
That should do it!
The wildcard certificate is now generated and ready to be used.
To verify that the certificate is ready, run the commands below:
sudo certbot certificates
That should display output similar to the following:
Found the following certs:
  Certificate Name: example.com
    Domains: *.example.com
    Expiry Date: 2020-01-05 07:48:04+00:00 (VALID: 85 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
You’re all set!
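Let’s Encrypt certificates are valid for 90 days, so you’ll want to set up a cron job to automate the renewal process. Note that a certificate obtained with --manual, as above, can only be renewed unattended if certbot is also given an authentication hook script (--manual-auth-hook) or a DNS plugin that creates the TXT record for it. To add the cron job, open crontab: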
sudo crontab -e
Then add the line below and save.
0 1 * * * /usr/bin/certbot renew >> /var/log/letsencrypt/renew.log
Save, and you’re done!
Install Nginx
If you haven’t already installed the Nginx HTTP server, use the steps below to download and install it from its official repository.
You can get the latest stable version of NGINX from the NGINX PPA on Launchpad.
Run the commands below to get the latest stable version from Nginx PPA.
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:nginx/stable
sudo apt-get update
sudo apt-get install nginx
After installing Nginx, run the command below to check the installed version:
sudo nginx -v
You should see output similar to the line below:
Output:
nginx version: nginx/1.16.1
Download and compile Brotli
At this point, you should have Let’s Encrypt Wildcard SSL and Nginx installed.
The next step is to build the ngx_brotli module for Nginx as a dynamic module.
For this to work, you’ll need to compile Brotli against the same version of Nginx that is installed. Our test system above has Nginx version 1.16.1, so we’ll need to compile the ngx_brotli module for that specific version.
First, install the required libraries by running the command below.
sudo apt install git libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev
After that, download the Nginx source that matches the currently installed version. Then extract it using the commands below:
cd ~/
wget https://nginx.org/download/nginx-1.16.1.tar.gz
tar zxvf nginx-1.16.1.tar.gz
After extracting it, clone the ngx_brotli module from GitHub using the commands below:
cd ~/
git clone https://github.com/eustas/ngx_brotli.git
cd ~/ngx_brotli
git submodule update --init
Change into the Nginx-1.16.1 folder in your home directory.
cd ~/nginx-1.16.1
After that, compile ngx_brotli as a dynamic module by running the commands below. The module was cloned into ~/ngx_brotli, next to the Nginx source tree, so it is referenced as ../ngx_brotli. Then copy it to the standard directory for Nginx modules at /etc/nginx/modules.
./configure --with-compat --add-dynamic-module=../ngx_brotli
make modules
sudo cp objs/*.so /etc/nginx/modules-available
or 
sudo cp objs/*.so /usr/share/nginx/modules
List files in /etc/nginx/modules-available, and you will see:
ngx_http_brotli_filter_module.so
ngx_http_brotli_static_module.so
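A check to run before copying the modules, as an added example that is not part of the original tutorial: a dynamic module has to be built from the source of the same Nginx version that will load it, so this compares the `nginx -v` banner with the source directory name and confirms that both .so files were produced. The function names are this example's own, and the path ~/nginx-1.16.1 is the one used in the steps above.

```shell
# Added example (not from the original tutorial): pre-copy check for the build.

# Print the version from an `nginx -v` banner, e.g. "nginx version: nginx/1.16.1".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*$|\1|p'
}

# Print the version from a source tree or tarball name, e.g. "nginx-1.16.1.tar.gz".
nginx_version_from_source() {
    basename "$1" | sed -n 's|^nginx-\([0-9][0-9.]*[0-9]\)\(\.tar\.gz\)\{0,1\}$|\1|p'
}

# $1 = banner printed by `nginx -v`, $2 = path of the extracted source tree.
# Succeeds only if the versions match and `make modules` produced both modules.
brotli_build_ok() {
    installed=$(nginx_version_from_banner "$1")
    built=$(nginx_version_from_source "$2")
    if [ -z "$installed" ] || [ "$installed" != "$built" ]; then
        echo "version mismatch: installed='$installed' source='$built'" >&2
        return 1
    fi
    for mod in ngx_http_brotli_filter_module.so ngx_http_brotli_static_module.so; do
        if [ ! -f "$2/objs/$mod" ]; then
            echo "missing $2/objs/$mod" >&2
            return 1
        fi
    done
}

# On the build host: `nginx -v` writes its banner to stderr, hence 2>&1.
if [ "${1:-}" = "--check" ]; then
    brotli_build_ok "$(nginx -v 2>&1)" "$HOME/nginx-1.16.1" && echo "safe to copy"
fi
```
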
Configure Nginx
At this point, we’re ready to load the ngx_brotli module.
Open your default nginx.conf file and load the two modules you compiled.
sudo nano /etc/nginx/nginx.conf
Then, add the following two directives at the top of the file to load new Brotli modules.
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
Your nginx.conf file should look similar to this:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
        # multi_accept on;
}
http {
...
After that, run the Nginx test to see if you get any errors.
sudo nginx -t
If everything is successful, you should get output similar to the lines below.
Output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
That’s it!
When you want to use Brotli with your virtual host configuration files, use the example below:
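server {
    # Redirect all plain HTTP requests to HTTPS
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    # Certificate and key paths as reported by certbot above.
    # Note: a certificate for *.example.com covers subdomains only,
    # not the bare example.com.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    brotli on;          # compress responses on the fly
    brotli_static on;   # serve pre-compressed .br files when they exist
    brotli_types *;     # compress every MIME type
}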
Restart Nginx
sudo systemctl reload nginx.service
That should do it!
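To confirm the result, the check below reads a header dump from curl and verifies that the port 80 server block redirects to HTTPS and that the final response is Brotli-encoded. It is an added example, not part of the original tutorial; the function names are this example's own and the sample headers are constructed for illustration.

```shell
# Added example, not from the original tutorial. Feed it the header dump from:
#   curl -sS -L -o /dev/null -D - -H 'Accept-Encoding: br' http://example.com/

# Constructed sample: port 80 redirect followed by the HTTPS response.
SAMPLE='HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Location: https://example.com/

HTTP/2 200
server: nginx/1.16.1
content-type: text/html
content-encoding: br
'

# Print field $2 of response number $3 in header dump $1 (0 = last response).
# $2 is a case-insensitive header name, or ":status" for the status code.
response_field() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" -v pick="$3" '
        /^HTTP\// { n++; st[n] = $2; val[n] = ""; next }
        {
            i = index($0, ":")
            if (i > 1 && tolower(substr($0, 1, i - 1)) == tolower(want)) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val[n] = v
            }
        }
        END {
            k = (pick + 0 > 0) ? pick + 0 : n
            out = (want == ":status") ? st[k] : val[k]; print out
        }'
}

# First response must be the 301 to https:// from the port 80 server block.
redirects_to_https() {
    [ "$(response_field "$1" :status 1)" = "301" ] || return 1
    case $(response_field "$1" location 1) in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Final response must be a 200 whose body is Brotli-encoded.
brotli_served() {
    [ "$(response_field "$1" :status 0)" = "200" ] || return 1
    [ "$(response_field "$1" content-encoding 0 | tr 'A-Z' 'a-z')" = "br" ]
}

redirects_to_https "$SAMPLE" && brotli_served "$SAMPLE" && echo "brotli over HTTPS: ok"
```
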
Conclusion:
This post showed you how to configure the Nginx HTTP server with Brotli to support fast compression. If you find any error, please report it in the comment form below.
Thanks,