Total Pageviews

Sunday 16 May 2021

nginx webserver启用http2


我的http2的配置

server{
        listen 80 fastopen=3 reuseport;
        server_name example.com;
        valid_referers none *.google.com *.bing.com *.baidu.com *.example.com;
        if ($invalid_referer)
        {
                return 444;
        }
        rewrite ^(.*) https://example.com$1 permanent;
}
server{
        listen 443 ssl http2 fastopen=3 reuseport;
        server_name example.com;
        server_tokens off;
        gzip on;
        gzip_proxied any;
        gzip_min_length 1024;
        gzip_comp_level 3;
        gzip_types text/plain text/javascript text/css text/json application/javascript  application/json image/jpeg image/gif image/png;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache          shared:SSL:50m;
        ssl_session_timeout        1d;
        ssl_session_tickets off;
        ssl_stapling on;    #OCPS开启
        ssl_stapling_verify on;    #OCPS验证开启
        resolver 8.8.8.8 8.8.4.4 valid=300s;    #用于查询OCPS服务器的DNS
        resolver_timeout 5s;
        ssl_certificate /home/ec2-user/.acme.sh/example.com/fullchain.cer;
        ssl_certificate_key /home/ec2-user/.acme.sh/example.com/example.com.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Content-Type-Options nosniff;
        valid_referers none *.google.com *.bing.com *.baidu.com *.example.com;
        if ($invalid_referer)
        {
                return 444;
        }
        if ($server_protocol ~* "HTTP/1") {
                return 444;
        }
        location / {
                proxy_pass http://127.0.0.1:8084;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Ssl off;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Port 80;
        }
}

大体上是这样;

由于站点不想被大量其他流量使用,就加上了若干限制.

其中valid_referers添加了允许的referers,其他referers全部屏蔽

用server_protocol过滤掉了http1.0,http1.1的请求,即只允许http2

ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                 EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers   on;

关于Chrome不使用http2的问题

当使用仅允许http2连接时,会发现Firefox和Safari使用的是http2协议,而Chrome任然使用http1.1协议导致被屏蔽.

这是由于Chrome从51开始,停止了对NPN的支持,由于目前系统自带的OpenSSL大部分为1.0.1,而这些版本只支持NPN

OpenSSL从1.0.2开始同时支持ALPN和NPN

nginx -V 查看,如果你编译的nginx里显示built with OpenSSL 1.0.1k-fips 8 Jan 2015 代表着不支持ALPN,需要重新编译才能让Chrome51以上版本使用http2协议.

查看当前系统的OpenSSL版本:openssl version

可以在https://www.openssl.org/source/ 下载新版的OpenSSL再重新编译.

重新编译,可参考 /post/install-nginx-php-mysql-redis

需要注意的是,如果你原先编译的nginx已经在运行,即使nginx二进制文件已经被替换,nginx -s reload任然不能切换到新版本

需要nginx -s quit再重新启用nginx.

No comments:

Post a Comment