共计 9107 个字符,预计需要花费 23 分钟才能阅读完成。
HTTP 2.0 即超文本传输协议 2.0,是下一代 HTTP 协议。是由互联网工程任务组(IETF)的 Hypertext Transfer Protocol Bis (httpbis)工作小组进行开发。是自 1999 年 http1.1 发布后的首个更新。HTTP 2.0 在 2013 年 8 月进行首次合作共事性测试。在开放互联网上 HTTP 2.0 将只用于 https:// 网址,而 http:// 网址将继续使用 HTTP/1,目的是在开放互联网上增加使用加密技术,以提供强有力的保护去遏制主动攻击。DANE RFC6698 允许域名管理员不通过第三方 CA 自行发行证书。
部署所需条件:1,OpenSSLl 版本,最低要求 1.0.2。
2,Nginx 1.9.5 之后的版本才集成了 http_v2_module 模块
安装步骤:
(一)升级更新 OpenSSL
(1)查看原有的 openssl 版本:
[root@Monitor ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May 9 07:30:30 CDT 2016
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,–noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: “/etc/pki/tls”
engines: dynamic
[root@Monitor ~]# rpm -qi openssl|grep Version
Version : 1.0.1e Vendor: CentOS
[root@Monitor ~]#
(2)下载最新的 openssl-1.1.0e(https://www.openssl.org/source/openssl-1.1.0e.tar.gz)
[root@Monitor install]# wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
–2017-02-23 16:27:46– https://www.openssl.org/source/openssl-1.1.0e.tar.gz
正在解析主机 www.openssl.org… 104.95.197.32, 2600:1417:9:282::c1e, 2600:1417:9:28a::c1e
正在连接 www.openssl.org|104.95.197.32|:443… 已连接。
已发出 HTTP 请求,正在等待回应 … 200 OK
长度:5202247 (5.0M) [application/x-gzip]
正在保存至:“openssl-1.1.0e.tar.gz”
99% [=====================================================================================>] 5,182,031 21.0K/s eta(英国中部时 99% [=====================================================================================>] 5,198,415 20.2K/s eta(英国中部时 100%[======================================================================================>] 5,202,247 19.8K/s in 7m 16s
2017-02-23 16:35:04 (11.6 KB/s) – 已保存“openssl-1.1.0e.tar.gz”[5202247/5202247])
(3)更新 zlib 库
[root@Monitor ~]# yum install zlib -y
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
epel/metalink | 4.6 kB 00:00
* epel: mirror01.idc.hinet.net
base | 3.7 kB 00:00
dockerrepo | 2.9 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:08
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db
(4)解压安装最新的 openssl-1.1.0e.tar.gz
[root@Monitor install]# tar xf openssl-1.1.0e.tar.gz
[root@Monitor install# cd openssl-1.1.0e
[root@Monitor openssl-1.1.0e]# ./config shared alib
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0e (0x1010005fL)
target already defined – linux-x86_64 (offending arg: alib)
[root@Monitor openssl-1.1.0e]# make && make install
[root@Monitor openssl-1.1.0e]# mv /usr/bin/openssl /usr/bin/openssl.old
[root@Monitor openssl-1.1.0e]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
[root@Monitor openssl-1.1.0e]# ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
[root@Monitor openssl-1.1.0e]#ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@Monitor openssl-1.1.0e]#ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln: 创建符号链接 “/usr/include/openssl”: 文件已存在
[root@Monitor openssl-1.1.0e]# echo“/usr/local/ssl/lib/”>> /etc/ld.so.conf
[root@Monitor openssl-1.1.0e]# ldconfig -v
[root@Monitor ~]# /usr/local/bin/openssl version -a
OpenSSL 1.1.0e 16 Feb 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=”\”/usr/local/ssl\”” -DENGINESDIR=”\”/usr/local/lib64/engines-1.1\”” -Wa,–noexecstack
OPENSSLDIR: “/usr/local/ssl”
ENGINESDIR: “/usr/local/lib64/engines-1.1”
[root@Monitor ~]# openssl version
OpenSSL 1.1.0e 16 Feb 2017
(二)重新编译安装 nginx http_v2_module 模块。又有 nginx 从 nginx 1.9.5 开始 http_v2_module 已经替换了 ngx_http_spdy_module,本篇章以最新的版本 nginx 1.10.3 为例。
(1)下载 nginx-1.10.3 稳定版(http://nginx.org/download/nginx-1.10.3.tar.gz)
[root@Monitor install]# wget http://nginx.org/download/nginx-1.10.3.tar.gz
–2017-02-23 18:22:39– http://nginx.org/download/nginx-1.10.3.tar.gz
正在解析主机 nginx.org… 206.251.255.63, 95.211.80.227, 2606:7100:1:69::3f, …
正在连接 nginx.org|206.251.255.63|:80… 已连接。
已发出 HTTP 请求,正在等待回应 … 200 OK
长度:911509 (890K) [application/octet-stream]
正在保存至:“nginx-1.10.3.tar.gz”
1% [] 10,022 2.80K/s eta(英国中部时 1% [
99% [+++++++++++++++++++++++++++++++++++==================================================>] 911,017 2.78K/s eta(英国中部时 99% [+++++++++++++++++++++++++++++++++++==================================================>] 911,017 2.59K/s eta(英国中部时 100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K/s eta(英国中部时 100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K/s in 3m 10s
2017-02-23 19:34:09 (2.77 KB/s) – 已保存“nginx-1.10.3.tar.gz”[911509/911509])
(2)重新安装编译 nginx
[root@Monitor install]# tar xf nginx-1.10.3.tar.gz
[root@Monitor install]# cd nginx-1.10.3
[root@Monitor nginx-1.10.3]#
[root@Monitor nginx-1.10.3]# ./configure –prefix=/usr/local/nginx2 \ ## 重定向安装路径
> –with-http_stub_status_module \
> –with-http_ssl_module \
> –with-http_realip_module \
> –with-http_gzip_static_module \
> –with-http_stub_status_module \
> –with-http_stub_status_module \
> –with-http_v2_module \ ### 启用 https2.0 模块
> –with-openssl=/tmp/install/openssl-1.1.0e
checking for OS
+ Linux 2.6.32-642.3.1.el6.x86_64 x86_64
checking for C compiler … found
+ using GNU C compiler
+ gcc version: 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
checking for gcc -pipe switch … found
checking for -Wl,-E switch … found
checking for gcc builtin atomic operations … found
checking for C99 variadic macros … found
checking for zlib library … found
creating objs/Makefile
Configuration summary
+ using system PCRE library
+ using OpenSSL library: /tmp/install/openssl-1.1.0e
+ md5: using OpenSSL library
+ sha1: using OpenSSL library
+ using system zlib library
nginx path prefix: “/usr/local/nginx2”
nginx binary file: “/usr/local/nginx2/sbin/nginx”
nginx modules path: “/usr/local/nginx2/modules”
nginx configuration prefix: “/usr/local/nginx2/conf”
nginx configuration file: “/usr/local/nginx2/conf/nginx.conf”
nginx pid file: “/usr/local/nginx2/logs/nginx.pid”
nginx error log file: “/usr/local/nginx2/logs/error.log”
nginx http access log file: “/usr/local/nginx2/logs/access.log”
nginx http client request body temporary files: “client_body_temp”
nginx http proxy temporary files: “proxy_temp”
nginx http fastcgi temporary files: “fastcgi_temp”
nginx http uwsgi temporary files: “uwsgi_temp”
nginx http scgi temporary files: “scgi_temp”
[root@Monitor nginx-1.10.3]#make && make install
备注:
./configure –prefix=/usr/local/nginx2 –with-http_stub_status_module –with-http_ssl_module –wi
th-http_realip_module –with-http_gzip_static_module –with-http_stub_status_module –with-http_stub_status_module –with-http_
v2_module –with-openssl=/tmp/install/openssl-1.1.0e
(3)配置 nginx.conf 文件中 listen 80 return 301 https://$host$request_uri; 和 listen 443 ssl http2; 即可
server {
listen 80 ;
server_name localhost;
return 301
}
server {
listen 443 ssl http2 default_server;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
(4)重新加载 nginx
[root@Monitor conf]# /usr/local/nginx2/sbin/nginx -t
nginx: the configuration file /usr/local/nginx2/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx2/conf/nginx.conf test is successful
[root@Monitor conf]# /usr/local/nginx2/sbin/nginx -s reload
[root@Monitor conf]#
(5)在浏览器上查看请求:
至此,http2.0 配置完毕。
下面关于 Nginx 的文章您也可能喜欢,不妨参考下:
CentOS 7.2 下编译安装 PHP7.0.10+MySQL5.7.14+Nginx1.10.1 http://www.linuxidc.com/Linux/2016-09/134804.htm
搭建基于 Linux6.3+Nginx1.2+PHP5+MySQL5.5 的 Web 服务器全过程 http://www.linuxidc.com/Linux/2013-09/89692.htm
Linux 下编译安装 Nginx 1.8.1 及配置 http://www.linuxidc.com/Linux/2017-02/140495.htm
CentOS 6.4 安装配置 Nginx+Pcre+php-fpm http://www.linuxidc.com/Linux/2013-08/88984.htm
Nginx 日志过滤 使用 ngx_log_if 不记录特定日志 http://www.linuxidc.com/Linux/2014-07/104686.htm
Nginx 的 500,502,504 错误解决方法 http://www.linuxidc.com/Linux/2015-03/115507.htm
Nginx 版本号修改隐藏及记录用户请求需要的时间 http://www.linuxidc.com/Linux/2017-02/141044.htm
CentOS 7 编译安装 Nginx1.10.2 脚本启动失败解决思路 http://www.linuxidc.com/Linux/2017-01/139794.htm
Nginx 的详细介绍:请点这里
Nginx 的下载地址:请点这里
本文永久更新链接地址:http://www.linuxidc.com/Linux/2017-02/141104.htm