Home > Article > Operation and Maintenance > How to upgrade nginx to support HTTP2.0
How to upgrade nginx to support HTTP2.0
- 王林forward
- 2023-05-24 22:58:042555browse
1. Preface
# ssl写在443端口后面。这样http和https的链接都可以用
listen 443 ssl http2 default_server;
server_name chat.chengxinsong.cn;
# hsts的合理使用,max-age表明hsts在浏览器中的缓存时间,includesubdomainscam参数指定应该在所有子域上启用hsts,preload参数表示预加载,通过strict-transport-security: max-age=0将缓存设置为0可以撤销hsts
add_header strict-transport-security "max-age=63072000; includesubdomains; preload";
ssl_certificate /usr/local/nginx/cert/2540136_chat.chengxinsong.cn.pem;
ssl_certificate_key /usr/local/nginx/cert/2540136_chat.chengxinsong.cn.key;
# 分配20mb的共享内存缓存,不同工作进程共享tls会话信息
# ssl_session_cache shared:ssl:20m;
# 设置会话缓存过期时间1h
ssl_session_timeout 60m;
# tls协议的合理配置
# 指定tls协议的版本,不安全的ssl2和ssl3要废弃掉
ssl_protocols tlsv1 tlsv1.1 tlsv1.2;
# 启用ssl_prefer_server_ciphers,用来告诉nginx在tls握手时启用服务器算法优先,由服务器选择适配算法而不是客户端
ssl_prefer_server_ciphers on;
# 优先选择支持前向加密的算法,且按照性能的优先顺序排列
ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:ecdhe:ecdh:aes:high:!null:!anull:!md5:!adh:!rc4;
# 会话恢复的合理使用
# 配置会话票证,减少了tls握手的开销
ssl_session_tickets on;Then execute the check nginx configuration. nginx -t
means that http2.0 lacks ngx_http_v2_module. nginx lacks the http_ssl_module module. Just bring the --with-http_ssl_module configuration when compiling and installing.
2. Search information to find the reason
The reason for the above is that nginx has replaced ngx_http_spdy_module with the http_v2_module module since 1.9.5, and officially started to support the http2 protocol.
But my nginx is 1.12.2. It should not be an ngin version issue
Notes:
1. And the openssl library version needs to be compiled at or above 1.0.2. 1. To enable http/2 protocol support, you need to compile nginx 1.10 or above and the openssl library version 1.0.2 or above.
2.http2.0 only supports websites with https enabled.
It may be the version of the server's openssl library, which is found to be 1.0.2.
So we still need to upgrade to a higher point.
3. Upgrade openssl
In the http2.0 protocol, it involves support for alpn (application layer protocol negotiation, application layer protocol negotiation). Currently, all mainstream The built-in openssl libraries in unix server systems are all lower than version 1.0.2. By using openssl's command line tool, you can check whether the current http2 service supports alpn.
Find an installation directory
1. Download the latest version of openssl library, compile and install
wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz tar xzf openssl-1.1.0f.tar.gz cd openssl-1.1.0f ./config --prefix=/usr/local/openssl make && make install
2. Replace the old version library
mv /usr/bin/openssl /usr/bin/openssl.old mv /usr/include/openssl /usr/include/openssl.old ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl ln -s /usr/local/openssl/include/openssl /usr/include/openssl #链接新库文件 ln -s /usr/local/openssl/lib/libssl.so /usr/local/lib64/libssl.so ln -s /usr/local/openssl/lib/libcrypto.so /usr/local/lib64/libcrypto.so #检查更新后的openssl依赖库是否是1.1.0f strings /usr/local/lib64/libssl.so | grep openssl #显示结果表明已升级到最新版本链接库 openssl 1.1.0f 25 may 2017 #配置openssl库文件的搜索路径 echo '/usr/local/openssl/lib' >> /etc/ld.so.conf #使修改后的搜索路径生效 ldconfig -v #查看openssl版本,结果显示升级成功 openssl version openssl 1.1.0f 25 may 2017
4 , nginx turns on the ssl module
The default compiled nginx does not include the h2 module. We need to add parameters to compile. As of the time of publishing, the source code of nginx 1.9 development version and above needs to add compilation parameters by ourselves. From the software Those downloaded from the source warehouse are compiled by default. nginx no longer supports spdy.
If the nginx you compiled does not support it, then add: --with-http_v2_module in ./configure. If there is no ssl support, you also need to add --with-http_ssl_module
1. Find the source code package and check whether the configure supports http2
At this time, you need to find the configure in the source code folder when downloading. Note: Not the folder after compilation.
In the "./configure" configuration, "--with" means enabling modules, which means that these modules will not be automatically built when compiling "--without" Indicates that modules are disabled, which means that these modules will be automatically built during compilation. If you want nginx to run lightweight, you can remove some unnecessary modules.
Execute ./configure --help
From the above figure, we know that nginx will not automatically build http_ssl_module and http_v2_module during compilation. So nginx needs to be recompiled.
2. Add parameters to compile
Our new configuration information should be written like this:
./configure --prefix=/usr/local/nginx --with-http_v2_module --with-http_ssl_module --with-openssl=/home/soft/openssl-1.1.0f
The above /usr/local/nginx path It is the package path after we compiled it.
Then add: --with-http_v2_module in ./configure. If there is no ssl support, you also need to add --with-http_ssl_module, plus the openssl just updated to 1.1.0, so you need to add - -with-openssl=/home/soft/openssl-1.1.0f.
Just run the above command. After the configuration is completed
After the configuration is completed, run the command
make
Do not perform make install here, otherwise it will be an overwrite installation
3. Backup and replacement
(1) Then back up the original installed nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_07_22.bak
(2) Close nginx, and then install the newly compiled nginx Overwrite the original nginx
Close nginx
./nginx -s quit
Move the compiled nginx to the original nginx
cp ./objs/nginx /usr/local/nginx/sbin/
(3) Start nginx
. /nginx
Wait for 1 minute, and then you can see the effect of http2.0.
5. Check whether the website is http2.0
Right-click the name and check protocol, so that you can see the http protocol.
The website address of the screenshot above:
Compare the http1.1 website
The above is the detailed content of How to upgrade nginx to support HTTP2.0. For more information, please follow other related articles on the PHP Chinese website!