Almost a year has passed since the official HTTP/2 specification was published on May 14, 2015, and more and more sites have deployed HTTP/2. Its wide adoption brings a better browsing experience, and because every modern browser supports it, deploying HTTP/2 causes little trouble. Although h2c (HTTP/2 cleartext) allows HTTP/2 over an unencrypted channel, browser support for it was thin at the start, so deploying H2 today still means going over an encrypted connection. Thanks to Let's Encrypt pushing free certificates hard, the cost of a certificate, and therefore of deploying H2, is not high.
Introduction
HTTP 2.0, the Hypertext Transfer Protocol version 2, is the next-generation HTTP protocol. It was developed by the Hypertext Transfer Protocol Bis (httpbis) working group of the Internet Engineering Task Force (IETF) and is the first update since HTTP/1.1 was published in 1999. HTTP/2 evolved from SPDY; SPDY has completed its mission and will soon leave the stage (for example, Chrome will end SPDY support in "early 2016", and nginx and Apache fully support HTTP/2 while no longer supporting SPDY). People generally abbreviate HTTP/2 as H2; some may not like it, but the abbreviation is established, and it is what browsers themselves display for HTTP/2.
Configuration
Ordinary HTTPS browsing is a little slower than plain HTTP because of the encryption work, but HTTPS with H2 configured is faster and more stable than HTTP when latency is low. Telecom-level hijacking incidents are frequent nowadays; deploying HTTPS eliminates most hijacking, though not all of it. Industries such as e-commerce already treat HTTPS as the standard, so deploying H2 is the obvious next step.
Web Server
Description
Nginx as compiled by default does not include the H2 module; it has to be enabled with a compile-time parameter. At the time of writing, Nginx 1.9 development releases and later need the parameter added when building from source, while packages from distribution repositories are compiled with it by default. Tengine can serve both H2 and SPDY for compatibility, whereas Nginx no longer supports SPDY.
Install/Compile
If your compiled Nginx does not support it, add the following to ./configure:

```sh
./configure --with-http_v2_module
```

If it also lacks SSL support, add --with-http_ssl_module as well, then build and install:

```sh
./configure --with-http_v2_module --with-http_ssl_module
make && make install
```
Configuration
The main configuration is the Nginx server block. Edit the relevant virtual host .conf file, usually found in /usr/local/nginx/conf/vhost/ or /etc/nginx/conf/; check the guide for your own environment, and ask in the comments if anything is unclear.
```nginx
server {
    listen 443 ssl http2 default_server;
    server_name www.mf8.biz;
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
}
```
Note: in server_name www.mf8.biz; replace www.mf8.biz with your own domain name. Then run /usr/local/nginx/sbin/nginx -t or nginx -t to check that the configuration is valid, restart Nginx, and you are done.
Inspection
In Chrome, the HTTP/2 and SPDY indicator extension can check it: a blue lightning bolt in the address bar means H2 is in use. You can also look at chrome://net-internals/#http2. Make sure your browser version is recent.
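For a check that does not depend on a browser extension, here is an added example (not part of the original post) in Python. It does two things: it opens a TLS connection offering h2 via ALPN and reports which protocol the server selected, and it parses a captured `curl -sI --http2` header dump to report whether the status line is HTTP/2 and what HSTS max-age was sent. The hostname passed on the command line, the sample dump and the function names are assumptions of this example; the live ALPN check needs network access.

```python
"""Check whether a site really serves HTTP/2 and sends HSTS (added example, not from the original post)."""
import re
import socket
import ssl
import sys
from typing import Dict, Optional


def negotiated_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Offer h2 and http/1.1 via ALPN and return what the server selected.

    Needs network access. None means the server picked no ALPN protocol at all,
    which is what an nginx without 'http2' on its listen line typically does.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def parse_header_dump(dump: str) -> Dict[str, object]:
    """Parse the output of `curl -sI --http2 https://host/` captured as text.

    Returns whether the status line is HTTP/2, the status code, and the HSTS
    max-age (None if the header is absent).
    """
    lines = [line.rstrip("\r") for line in dump.strip().splitlines()]
    match = re.match(r"HTTP/(\S+)\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("first line is not an HTTP status line: %r" % lines[0])
    version, code = match.group(1), int(match.group(2))

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # HTTP/2 lowercases names; normalise anyway

    max_age: Optional[int] = None
    hsts = headers.get("strict-transport-security")
    if hsts:
        age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if age:
            max_age = int(age.group(1))

    return {"http2": version.startswith("2"), "status": code, "hsts_max_age": max_age}


# Constructed sample of what curl prints for an h2 site sending the tutorial's HSTS header.
SAMPLE_DUMP = """HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=15768000
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python3 check_h2.py www.example.com
        print("ALPN selected:", negotiated_alpn(sys.argv[1]))
    else:
        print(parse_header_dump(SAMPLE_DUMP))
```

Run it with a hostname to see the ALPN result for a live server; with no argument it parses the constructed sample. A result of `http/1.1` or `None` from the live check means the `http2` keyword is missing from the `listen` line or the binary was built without the module.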
Advanced Configuration
Everyone knows that last year's events pushed SSL into the spotlight, so beyond merely enabling H2 we still need to do some security hardening of the SSL configuration.
Configuring Diffie-Hellman parameters
Run the following over SSH; OpenSSL generates a 2048-bit parameter file:

```sh
openssl dhparam -out dhparam.pem 2048
```

Then reference the file in the .conf:

```nginx
ssl_dhparam /path/to/dhparam.pem;
```
Disable insecure SSL protocols and use only the secure ones:

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```
Disable cipher suites that are no longer secure:

```nginx
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
```
Mitigating BEAST attacks:

```nginx
ssl_prefer_server_ciphers on;
```
**Enable HSTS**
With HSTS the browser goes straight to HTTPS, skipping the 301 hop, which reduces the window for a man-in-the-middle attack. Configure in the .conf:

```nginx
add_header Strict-Transport-Security max-age=15768000;
```
**301 redirect**
Redirect port 80 to port 443:

```nginx
server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://www.yourwebsite.com$request_uri;
}
```
Cache connection credentials

```nginx
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
```
OCSP Stapling

```nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
resolver 233.5.5.5 233.6.6.6 valid=300s;
```
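Once all of the above is in the .conf, it is easy to lose one directive during a later edit. As an added example (not part of the original tutorial and not an nginx tool), the following Python script audits a server block for every setting covered in this advanced section: the `ssl http2` listen line, the protocol list, the cipher-string exclusions, `ssl_prefer_server_ciphers`, the DH parameter file, the session cache, the HSTS header and its max-age, and OCSP stapling with its verify and resolver prerequisites. The parser is deliberately simple (it flattens nesting and expects one server block per call), and the two sample configurations, the host name, the file paths and the resolver address 192.0.2.53 (a documentation-range address standing in for a real resolver) are constructed for the example.

```python
"""Audit an nginx server block for the HTTP/2 and TLS hardening settings (added example, not an nginx tool)."""
import re
from typing import Dict, List, Tuple

MIN_HSTS_AGE = 15768000  # six months, the max-age used in the tutorial
# Exclusions the hardened cipher string ends with; compared case-insensitively.
REQUIRED_EXCLUSIONS = {"!ANULL", "!ENULL", "!EXPORT", "!DES", "!MD5", "!PSK", "!RC4"}


def parse_directives(config: str) -> List[Tuple[str, str]]:
    """Return (name, arguments) for each simple directive. Comments are dropped and
    block braces are treated as statement separators, so nesting is flattened."""
    text = re.sub(r"#.*", "", config)
    text = re.sub(r"[{}]", ";", text)
    pairs = []
    for stmt in text.split(";"):
        parts = stmt.split(None, 1)
        if not parts:
            continue
        args = " ".join(parts[1].split()) if len(parts) > 1 else ""
        pairs.append((parts[0], args.strip("'\"")))
    return pairs


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every checked setting is present."""
    by_name: Dict[str, List[str]] = {}
    for name, args in parse_directives(config):
        by_name.setdefault(name, []).append(args)

    def first(name: str) -> str:
        return by_name.get(name, [""])[0]

    findings = []
    if not any({"ssl", "http2"} <= set(l.split()) for l in by_name.get("listen", [])):
        findings.append("no 'listen ... ssl http2' directive: HTTP/2 will not be negotiated")

    protocols = set(" ".join(by_name.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols not set; the nginx default applies")
    for old in ("SSLv2", "SSLv3"):
        if old in protocols:
            findings.append(f"ssl_protocols still enables {old}")

    suites = {s.upper() for s in first("ssl_ciphers").split(":")}
    missing = sorted(REQUIRED_EXCLUSIONS - suites)
    if missing:
        findings.append("ssl_ciphers does not exclude " + ", ".join(missing))

    if first("ssl_prefer_server_ciphers").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on' (BEAST mitigation)")
    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam not set; the built-in DH parameters are used")
    if "ssl_session_cache" not in by_name:
        findings.append("ssl_session_cache not set; every connection does a full handshake")

    hsts = [a for a in by_name.get("add_header", []) if a.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age is below {MIN_HSTS_AGE}")

    if first("ssl_stapling").lower() != "on":
        findings.append("ssl_stapling not enabled")
    else:
        if first("ssl_stapling_verify").lower() != "on":
            findings.append("ssl_stapling_verify is off: stapled OCSP responses are not validated")
        if "resolver" not in by_name:
            findings.append("ssl_stapling on but no resolver: nginx cannot fetch OCSP responses")
    return findings


# Constructed sample configs; www.example.com, the paths and 192.0.2.53 are placeholders.
HARDENED = """
server {
    listen 443 ssl http2 default_server;
    server_name www.example.com;  # placeholder
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_dhparam /path/to/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
    resolver 192.0.2.53 valid=300s;
}
"""
WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers 'HIGH:RC4:!aNULL';
    add_header Strict-Transport-Security max-age=3600;
    ssl_stapling on;
}
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(cfg) or ["no findings"])
```

Point `audit()` at the text of one vhost file to get a checklist of what is missing; the hardened sample returns no findings, while the weak one reports the missing `http2` keyword, SSLv3, the absent cipher exclusions, the short HSTS lifetime and the half-configured stapling.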
This may be the most down-to-earth tutorial on configuring HTTP/2 in Nginx.