HAProxy, Nginx configuration HTTP/2 Complete Guide


Given the recent discussion around HTTP/2 and its advantages, it's time to upgrade the underlying infrastructure. This article shows how to install and configure HAProxy and Nginx (with SSL termination). To streamline the process, I recommend using the ready-made Docker images.

If you want to skip the installation or you are only interested in the configuration, you can skip to the configuration section.

Why do I need to focus on HTTP/2?

There are articles that introduce the benefits of HTTP/2, and I encourage you to read them. I'll focus on the points I think are most important.

HTTP/2's main advantages:
    • It is a binary protocol (unlike HTTP/1.1, which is plain text) and it compresses headers. No more worrying about the size of headers and cookies.
    • It is fully multiplexed and can load multiple resources over a single connection to improve concurrency. Your site performs better when it needs many resources, because they can now all be loaded over a single TCP connection, in non-blocking mode. Domain sharding and resource concatenation become anti-patterns. To put it simply: your site will load faster.
    • It allows the server to push resources to the client's cache in advance (currently Nginx does not support this feature).
    • It uses the new ALPN extension, which allows faster encrypted connections, because the application protocol is negotiated during the initialization phase of the connection.

Can I use it today?

Yes, you can. All modern browsers now support HTTP/2, including IE11 and Edge, as you can see on Can I use. The only exceptions are Opera Mini and the Android browser on mobile, which do not support it.

In addition, the configuration described below ensures that clients without HTTP/2 support fall back to HTTP/1.1. This is important: your site should remain accessible to older browsers and search engine crawlers.

Installation

I will install it under CentOS 7; if you use another Linux distribution, you can simply tweak the code below.

What you need:

1. A site that can run over SSL. If you do not have a certificate, you can use a dummy certificate (simple).

2. Nginx 1.9.5 or later (simple).

3. HAProxy 1.6 or later, built with OpenSSL (requires some tricks).

4. A good HAProxy and Nginx configuration (simple).

5. Confirm that you are actually using HTTP/2. The HTTP/2 and SPDY indicator for Chrome is handy for this.

The OpenSSL part requires some skill, because most Linux distributions ship OpenSSL 1.0.1 (or older), which does not support ALPN (Application-Layer Protocol Negotiation). ALPN lets the application layer negotiate which protocol will be used on the connection, and this is essential if we want to support HTTP/2 and HTTP/1.1 on the same TCP port. In addition, HAProxy supports HTTP/2 only through ALPN, so it is definitely on our list.

If you are familiar with the installation process, skip directly to the configuration section.

1. Obtaining an SSL Certificate

You can buy a trusted certificate very cheaply from ssl2buy.com, and there are many other resellers. I have bought a bunch of certificates there and I recommend their services and customer support. From there you can get an AlphaSSL certificate for under $20.

If you need to generate a dummy certificate for HAProxy or Nginx, you can use the following command:

We need to use the generated certificate and secret key in the next configuration.

2. Nginx Installation

Installing Nginx 1.9 on CentOS 7 is simple. The only thing you need to do is use the mainline yum repository instead of the stable one. As described on the nginx.org page, place the yum repository configuration in /etc/yum.repos.d/nginx.repo and run yum install:

Done.

Let's create an Nginx vhost.conf (virtual host configuration file) to make sure our Nginx works properly with HTTP/2. The following is a simple vhost configuration:

1st: The key point is the listen 443 default_server ssl http2 line. This is what enables HTTP/2.

2nd: For now, ignore the third line, the listen 81 configuration. We'll come back to it later.

3rd: I use the standard 80/443 ports because I run this example in a Docker image, so they will not conflict with any port on my host. If necessary, you can adjust them to suit your needs.

4th: Use the dummy.crt and dummy.key generated in the "Obtaining an SSL Certificate" step.

Now, when you connect to the site using the https:// protocol, the HTTP/2 indicator shows you that the site is running over the HTTP/2 protocol.

Congratulations, your Nginx is already running HTTP/2!

3. OpenSSL and HAProxy Installation

This part is a bit tricky. We need to compile OpenSSL 1.0.2 from source (because it is not available from yum) and use it when we subsequently recompile HAProxy.

To build OpenSSL we use the no-shared parameter, and HAProxy is statically linked against OpenSSL. I followed the official README of HAProxy. But the funny thing is, I finally used the other way ... and be very resourceful. Do you often read these long and tedious README files?

After that, you should have HAProxy compiled and installed. Test it:

    haproxy -vv

4. Configuration

This is the complete /etc/haproxy/haproxy.cfg (HAProxy configuration) that we will use:

The most essential part of it:

Here we define the HTTPS frontend, which listens on port 443 for client requests to HAProxy.

Whether a request is handled by the nodes-http2 or the nodes-http backend depends on whether the client supports HTTP/2. Note that with this configuration we terminate SSL on HAProxy, so the connection to the backend servers is decrypted. HAProxy reaches our backend server under the web.server hostname (this is the Nginx we set up above).

In the bind *:443 line, alpn h2,http/1.1 advertises both supported protocols (HTTP/2 and HTTP/1.1) to the client.

This way the browser can browse our website even if it doesn't support HTTP/2.

use_backend nodes-http2 if { ssl_fc_alpn -i h2 }: clients that support HTTP/2 are routed to the nodes-http2 backend, and the remaining HTTP/1.1 clients are handled by nodes-http. This is important if you want to stay backward compatible with clients that do not support HTTP/2.

So we'll have the following line:

    server node1 web.server:81 check send-proxy

Here, we only discuss HAProxy and the HTTP/2 protocol. It connects to web.server on port 81. Is there another pleasant surprise waiting for us?

Let's use the following Nginx virtual host configuration (as described above):

This line:

    listen 81 default_server http2 proxy_protocol;

defines the server on port 81, which handles HTTP/2 requests. Note that we cannot use port 443 with SSL on this server: the SSL connection has already been decrypted by HAProxy, so we now have an unencrypted connection. We therefore need a separate server on port 81 that speaks only HTTP/2, without SSL.

Off topic: there is also the proxy_protocol keyword. Its counterpart in haproxy.cfg is send-proxy, configured on the backend server line. The PROXY protocol is a separate matter, and there is a very good article explaining why it exists. In short, it lets HAProxy pass the client's IP address and port number on to the backend server, which is usually what you want.
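The HAProxy side of the setup described above, assembled as an added example from the directives this article quotes; it is not the author's original haproxy.cfg. The frontend name, the certificate path /etc/ssl/dummy.pem, the timeout values and the port 80 HTTP/1.1 backend are assumptions.

```haproxy
# Added example, not the article's original file. Assumed values are marked.
defaults
    # TCP mode: HAProxy 1.6 does not parse HTTP/2 itself. It terminates TLS
    # and relays the decrypted byte stream to Nginx.
    mode tcp
    timeout connect 5s      # assumed value
    timeout client  50s     # assumed value
    timeout server  50s     # assumed value

frontend https-in           # assumed name
    # TLS is terminated here. "crt" expects the certificate and private key
    # concatenated in one PEM file (assumed path, built from dummy.crt and
    # dummy.key). ALPN advertises both protocols so that HTTP/1.1-only
    # clients can still connect.
    bind *:443 ssl crt /etc/ssl/dummy.pem alpn h2,http/1.1

    # Route on the protocol the client selected during the TLS handshake.
    use_backend nodes-http2 if { ssl_fc_alpn -i h2 }
    default_backend nodes-http

backend nodes-http
    # Assumption: Nginx serves plain HTTP/1.1 on port 80.
    server node1 web.server:80 check

backend nodes-http2
    # Matches the Nginx listener "listen 81 default_server http2 proxy_protocol;".
    # send-proxy prepends a PROXY protocol header carrying the client IP and port.
    # Port 81 is plaintext and trusts that header, so it should be reachable
    # only from HAProxy (private network or firewall rule).
    server node1 web.server:81 check send-proxy
```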

You can run HAProxy using the configuration above:

    haproxy -f /etc/haproxy/haproxy.cfg

Now you should be able to connect to your proxy host (for example, https://localhost:443/) and see that it is running HTTP/2. If you are testing in Firefox, check the headers of the web request and you will see X-Firefox-Spdy: "h2".

Docker Images

If you already use Docker, you can use our million12 images. We have been using Docker for a long time, since Docker was at version 1.0 (million12 is our repository), and we've built a bunch of useful images. In this example, we will use two of them, million12/haproxy and million12/nginx. The configuration inside them is the final result of this discussion.

You can run the entire stack using the docker-compose.yml file. Note that Nginx is linked into the HAProxy container under the web.server hostname, which is the hostname used in haproxy.cfg.

Connect to https://haproxy:8443 and you will see a screen like the following (note the blue HTTP/2 indicator).

http://m12.io/blog/http-2-with-haproxy-and-nginx-guide

https://github.com/million12/docker-haproxy

https://github.com/million12/docker-nginx
