HTTP 2.0 Introduction
HTTP 2.0 (Hypertext Transfer Protocol 2.0) is the next-generation HTTP protocol. It was developed by the Hypertext Transfer Protocol Bis (httpbis) Working Group of the Internet Engineering Task Force (IETF) and is the first update since HTTP/1.1 was released in 1999. HTTP 2.0 had its first interoperability testing in August 2013. On the open Internet HTTP 2.0 will be used only for https:// URLs, while http:// sites continue to use HTTP/1, the aim being to increase the use of encryption on the open Internet and provide strong protection against active attacks. DANE (RFC 6698) allows domain administrators to issue certificates without a third-party CA.
If you are not yet using HTTPS, see the article "Nginx forced HTTPS, HTTP 301 redirect to HTTPS". Enabling HTTP/2 support in Nginx is actually very simple: change the original "listen 443;" to "listen 443 ssl http2;" and HTTP/2 is supported. Don't forget to reload nginx afterwards.
HTTP/2 Test
After enabling HTTP/2, how do you know whether the site actually supports it? In Chrome or Firefox you can install the extension "HTTP/2 and SPDY indicator": if the site supports HTTP/2 the icon turns blue, if it stays gray HTTP/2 is not supported. Note also that Chrome 51 and later require ALPN; without it Chrome falls back to HTTP/1.1.
OpenSSL version
ALPN requires OpenSSL 1.0.2. The current OneinStack version already ships with OpenSSL 1.0.2; you can run "nginx -V" to see which OpenSSL version nginx was built with.
Nginx HTTPS optimization
A user on V2 shared a set of configuration rules; the measured SSL Labs score improved significantly and they can be used directly. The rules are as follows:

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                   # allowed protocols
ssl_ciphers eecdh+chacha20:eecdh+aes128:rsa+aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa+3des:!MD5;   # cipher suites (CloudFlare recommended suite set)
ssl_prefer_server_ciphers on;                           # prefer the server's cipher order
ssl_session_timeout 10m;                                # client session cache lifetime
ssl_session_cache builtin:1000 shared:ssl:10m;          # SSL session cache type and size
ssl_buffer_size 1400;                                   # 1400 bytes to fit in one MTU
add_header strict-transport-security max-age=15768000;  # HSTS
ssl_stapling on;                                        # OCSP stapling
ssl_stapling_verify on;
```
Here is the complete configuration of the Small Z (xiaoz) blog, for reference:

```nginx
server {
    listen 443 ssl http2;
    ssl_certificate /data/ssl/xiaoz.me.crt;
    ssl_certificate_key /data/ssl/xiaoz.me.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                   # allowed protocols
    ssl_ciphers eecdh+chacha20:eecdh+aes128:rsa+aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa+3des:!MD5;   # cipher suites (CloudFlare recommended suite set)
    ssl_prefer_server_ciphers on;                           # prefer the server's cipher order
    ssl_session_timeout 10m;                                # client session cache lifetime
    ssl_session_cache builtin:1000 shared:ssl:10m;          # SSL session cache type and size
    ssl_buffer_size 1400;                                   # 1400 bytes to fit in one MTU
    add_header strict-transport-security max-age=15768000;  # HSTS
    ssl_stapling on;                                        # OCSP stapling
    ssl_stapling_verify on;

    server_name xiaoz.me www.xiaoz.me;
    index index.html index.htm index.php;
    include /usr/local/nginx/conf/rewrite/wordpress.conf;
    root /data/wwwroot/xiaoz.me;

    location ~ [^/]\.php(/|$) {
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }
}

server {
    listen 80;
    server_name xiaoz.me www.xiaoz.me;
    rewrite ^(.*) https://www.xiaoz.me$1 permanent;
}
```
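As an added example, not code from the original post, the following Python script audits a server block for the settings discussed above (a listen directive with both ssl and http2, the allowed protocol versions, MD5 and 3DES in the cipher list, OCSP stapling, HSTS) and can also ask a live server which protocol it negotiates via ALPN, which is what the Chrome 51 note earlier depends on. The sample configuration is constructed from the post's own directives; audited as-is it flags TLSv1/TLSv1.1 and 3DES, which a stricter deployment would drop.

```python
import socket, ssl

# Constructed sample: the directives from the post's server block that matter for HTTP/2 over TLS.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers eecdh+chacha20:eecdh+aes128:rsa+aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa+3des:!MD5;
    add_header strict-transport-security max-age=15768000;
    ssl_stapling on;
}
"""

def directives(conf):
    """Map each directive name in a server block to its arguments (first occurrence wins)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")   # drop comments and the trailing ';'
        if not line or line.endswith("{") or line == "}":
            continue                                      # skip block openers/closers
        name, *args = line.split()
        found.setdefault(name, args)
    return found

def audit(conf):
    """Return findings for a server block; an empty list means it meets the post's recommendations."""
    d, findings = directives(conf), []
    if not {"ssl", "http2"} <= set(d.get("listen", [])):
        findings.append("listen needs both 'ssl' and 'http2' for HTTP/2 over TLS (ALPN)")
    for proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if proto in d.get("ssl_protocols", []):
            findings.append(f"ssl_protocols still allows {proto}")
    suites = ":".join(d.get("ssl_ciphers", [])).split(":")
    if "!MD5" not in suites:
        findings.append("ssl_ciphers does not exclude MD5 suites")
    if any("3des" in s.lower() for s in suites):
        findings.append("ssl_ciphers still offers 3DES")
    if d.get("ssl_stapling") != ["on"]:
        findings.append("OCSP stapling (ssl_stapling) is off")
    hdr = d.get("add_header", [])
    if not hdr or hdr[0].lower() != "strict-transport-security":
        findings.append("no Strict-Transport-Security header")
    return findings

def negotiated_alpn(host, port=443):
    """Live check (needs network): return (ALPN protocol, TLS version); 'h2' means HTTP/2 works."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])            # offer h2 first, as Chrome 51+ does
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version()
```

Running audit() on your own server block before reloading nginx catches a missing http2 or ssl flag, and negotiated_alpn("your.host") confirms from outside that clients will actually get h2.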
HTTPS score test
We can use the SSL Labs test to score our site's HTTPS setup. After upgrading to OpenSSL 1.0.2 and enabling HTTP/2, the score improves noticeably. Below are screenshots from the Small Z blog:
[Screenshot: before optimization]
[Screenshot: after upgrading to OpenSSL 1.0.2 and optimizing]
Summary
If you enjoy tinkering, you can consider upgrading OpenSSL to 1.0.2; back up important configuration first. In addition, cloud CDNs already support HTTP/2, so if you don't want the hassle you can put the site directly behind a cloud CDN, although if you need BA
Original from https://www.xiaoz.me/archives/7225