My HTTP/2 configuration
server {
    listen 80 fastopen=3 reuseport;
    server_name example.com;
    # Referer allow-list. "none" also admits requests that carry no Referer at all,
    # and the header is set by the client, so this stops hotlinking, not a determined client.
    valid_referers none *.google.com *.bing.com *.baidu.com *.example.com;
    if ($invalid_referer) {
        return 444;   # 444: close the connection without sending a response
    }
    # Send everything else to HTTPS (return 301 https://$host$request_uri; is the usual idiom)
    rewrite ^(.*) https://example.com$1 permanent;
}
server {
    listen 443 ssl http2 fastopen=3 reuseport;
    server_name example.com;
    server_tokens off;   # hide the nginx version in the Server header and error pages
    gzip on;
    gzip_proxied any;
    gzip_min_length 1024;
    gzip_comp_level 3;
    gzip_types text/plain text/javascript text/css text/json application/javascript application/json image/jpeg image/gif image/png;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); with OpenSSL 1.1.1 or newer use "TLSv1.2 TLSv1.3" instead
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # EECDH+CHACHA20-draft is the pre-RFC ChaCha20 suite offered by patched OpenSSL builds (such as the
    # CloudFlare patch); the 3DES suites at the tail are legacy fallback and can be dropped once old
    # clients no longer matter
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # no session tickets: resumption uses the shared cache only, so no long-lived ticket key
    ssl_stapling on;           # OCSP stapling on
    ssl_stapling_verify on;    # verify the stapled OCSP response against the chain
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # DNS used to reach the OCSP responder
    resolver_timeout 5s;
    ssl_certificate /home/ec2-user/.acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /home/ec2-user/.acme.sh/example.com/example.com.key;
    # HSTS with includeSubdomains and preload: every subdomain must serve valid TLS before this is safe to ship
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    # (a location block inherits these add_header lines only while it declares no add_header of its own)
    valid_referers none *.google.com *.bing.com *.baidu.com *.example.com;
    if ($invalid_referer) {
        return 444;
    }
    # HTTP/2 requests report $server_protocol as HTTP/2.0; drop HTTP/1.0 and HTTP/1.1
    if ($server_protocol ~* "HTTP/1") {
        return 444;
    }
    location / {
        proxy_pass http://127.0.0.1:8084;
        proxy_set_header Host $host;
        # These tell the backend the request arrived over plain HTTP on port 80, which is not the case
        # here; a backend that builds absolute URLs from them will emit http:// links.
        # The usual values are X-Forwarded-Proto $scheme and X-Forwarded-Port $server_port.
        proxy_set_header X-Forwarded-Ssl off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 80;
    }
}
That is the gist of it.
Because I do not want the site carrying a lot of traffic from elsewhere, I added a few restrictions.
valid_referers lists the allowed Referers; requests with any other Referer are dropped. Note that "none" in that list admits requests that carry no Referer at all, and the Referer header is set by the client, so this only discourages hotlinking and casual traffic; anyone who controls the client can omit or forge the header.
$server_protocol is used to filter out HTTP/1.0 and HTTP/1.1 requests, so only HTTP/2 is allowed.
The TLS settings are:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
TLSv1 and TLSv1.1 are deprecated by RFC 8996; once nginx is linked against OpenSSL 1.1.1 or newer they can be replaced with TLSv1.2 TLSv1.3, and the 3DES suites at the end of the cipher list can go with them.
On Chrome not using HTTP/2
When only HTTP/2 connections are allowed, Firefox and Safari turn out to use HTTP/2, while Chrome still uses HTTP/1.1 and therefore gets blocked.
This is because Chrome dropped NPN support as of Chrome 51, and the OpenSSL shipped with most systems is still 1.0.1, which supports only NPN.
OpenSSL supports both ALPN and NPN from 1.0.2 on. Chrome 51 and later negotiate h2 only through ALPN, so a nginx linked against 1.0.1 never offers it to Chrome, the handshake falls back to HTTP/1.1, and the $server_protocol filter above then returns 444.
Check with nginx -V
If your nginx build shows built with OpenSSL 1.0.1k-fips 8 Jan 2015
it does not support ALPN
and nginx must be rebuilt against a newer OpenSSL before Chrome 51 and later will use HTTP/2.
Check the system's OpenSSL version with: openssl version
A newer OpenSSL can be downloaded from https://www.openssl.org/source/ and nginx rebuilt against it.
For the rebuild, see /post/install-nginx-php-mysql-redis
Note that if the previously built nginx is already running, nginx -s reload
will not switch to the new version even after the binary on disk has been replaced, because reload only re-reads the configuration.
Either run nginx -s quit
and then start nginx again, or use the binary-upgrade procedure (send USR2 to the running master process so it starts a new master from the replaced binary, then QUIT to the old master), which avoids dropping connections.
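To make the check above concrete, here is an added shell example (not from the original post) that reads the OpenSSL version out of `nginx -V` output, decides whether that version has ALPN (1.0.2 and later), and, given a real host, asks the live server for h2 over ALPN the way Chrome 51+ does. The `nginx -V` text embedded in the script is constructed to mirror the 1.0.1k-fips case in the post; `openssl s_client -alpn` and `curl --http2` are real tool options, and `example.com` is a placeholder host.

```shell
#!/bin/sh
# Added example: does this nginx build negotiate HTTP/2 over ALPN?
# Chrome 51+ speaks ALPN only; OpenSSL gained ALPN in 1.0.2, so a nginx linked
# against 1.0.1x falls back to HTTP/1.1 for Chrome (and then hits the 444 rule).

# Constructed sample of `nginx -V` output (nginx prints it on stderr),
# shaped like the 1.0.1k-fips case described in the post.
SAMPLE_NGINX_V='nginx version: nginx/1.10.1
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module'

# Print the OpenSSL version nginx was built with, reading `nginx -V` text from stdin.
# Real-world usage: nginx -V 2>&1 | nginx_built_openssl
nginx_built_openssl() {
    sed -n 's/.*built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if OpenSSL version string $1 (e.g. 1.0.1k-fips, 1.0.2g, 1.1.1n, 3.0.2)
# is 1.0.2 or newer, i.e. has ALPN; 1 if it is older; 2 if it cannot be parsed.
openssl_supports_alpn() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver   # $1=major $2=minor $3=patch (letter suffixes such as "k-fips" already stripped)
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -gt 0 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 2 ]; then return 0; fi
    return 1
}

# Offline verdict for a piece of `nginx -V` text: prints one line, returns 0 when ALPN is available.
alpn_verdict() {
    v=$(printf '%s\n' "$1" | nginx_built_openssl)
    if openssl_supports_alpn "$v"; then
        echo "nginx built with OpenSSL $v: ALPN available, Chrome 51+ can negotiate h2"
        return 0
    fi
    echo "nginx built with OpenSSL $v: no ALPN, Chrome 51+ stays on HTTP/1.1; rebuild against OpenSSL >= 1.0.2"
    return 1
}

# Live check against a real host (needs network; the host name is a placeholder):
# offer h2 via ALPN in the handshake, exactly as Chrome does, and look for the server's answer.
check_h2_alpn() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -alpn h2 </dev/null 2>/dev/null \
        | grep -q 'ALPN protocol: h2'
}

# Example runs
alpn_verdict "$SAMPLE_NGINX_V" || true
# check_h2_alpn example.com && echo "server negotiates h2 over ALPN"
# curl -sI --http2 https://example.com | head -n 1   # first line starts with "HTTP/2" when h2 is in use
```

If the live check fails while the offline verdict says ALPN is available, the master process is usually still the old binary: `nginx -V` inspects the file on disk, not the running process, which is exactly the reload-versus-quit point above.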