Almost a year has passed since the HTTP/2 specification was published in May 2015, and more and more sites have deployed HTTP/2. Its wide adoption brings a better browsing experience, and since every modern browser supports it, deploying HTTP/2 causes little trouble.
Although h2c (HTTP/2 Cleartext) allows HTTP/2 over an unencrypted connection, mainstream browsers only speak HTTP/2 over TLS, so a deployment today still has to go over HTTPS. With Let's Encrypt promoting free certificates, the cost of deploying h2 is no longer high.
Introduction
HTTP/2 (Hypertext Transfer Protocol version 2) is the next generation of HTTP, developed by the Hypertext Transfer Protocol Bis (httpbis) working group of the Internet Engineering Task Force (IETF) and published as RFC 7540. It is the first update since HTTP/1.1 was released in 1999. HTTP/2 evolved from SPDY, and SPDY has completed its mission and is leaving the stage: Chrome ended SPDY support in early 2016, and Nginx and Apache both fully support HTTP/2 and no longer support SPDY. HTTP/2 is generally abbreviated h2 (this is also its ALPN identifier); some may not like the shorthand, but it has become the default, and browsers in particular refer to HTTP/2 this way.
Configuration
An ordinary HTTPS site is usually slightly slower than a plain HTTP site because of the encryption work, but an HTTPS site configured with h2 can be faster and more stable than plain HTTP, especially on low-latency links.
ISP traffic hijacking (injected ads and content) is now frequent; deploying HTTPS eliminates most of this hijacking, though not all of it. For industries such as e-commerce HTTPS is already the baseline, so deploying h2 is imperative.
Web Server
Description
A default Nginx build does not include the HTTP/2 module; it has to be enabled with a configure option. As of this writing, Nginx 1.9 (the development branch) and later compiled from source need the option added by hand, while packages from distribution repositories are generally built with it. Tengine can serve both h2 and SPDY for compatibility, whereas Nginx no longer supports SPDY.
Install/compile
If your Nginx build does not support HTTP/2, add the following to the ./configure line:
--with-http_v2_module
If the build also lacks SSL support, add:
--with-http_ssl_module
Then run make && make install.
Configuration
The main configuration goes in the Nginx server block. Edit the virtual host .conf file, which usually lives in
/usr/local/nginx/conf/vhost/
or
/etc/nginx/conf/
depending on your environment; if you are not sure, ask in the comments.
Note: in server_name www.mf8.biz; replace www.mf8.biz with your own domain name.
Then run
/usr/local/nginx/sbin/nginx -t
or
nginx -t
to check that the configuration is valid, and restart Nginx.
Inspection
You can check in Chrome with the HTTP/2 and SPDY indicator extension: a blue lightning bolt in the address bar means the page was served over h2.
You can also look at chrome://net-internals/#http2, which lists the active HTTP/2 sessions. Make sure you are on a recent Chrome version.
Advanced configuration
SSL/TLS security was pushed into the spotlight last year, so merely supporting h2 is not enough: the SSL configuration itself needs some hardening.
Configure Diffie-Hellman parameters for the DHE cipher suites
Disable the insecure SSL protocol versions (SSLv2, SSLv3) and allow only TLS
Disable cipher suites that are no longer secure (RC4, MD5, EXPORT and anonymous suites); the cipher list used here is:
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
Note that this 2015-era list still keeps the 3DES suites (DES-CBC3-SHA) for very old clients; remove them if you do not need to support such clients.
Mitigate the BEAST attack by making the server's cipher order take precedence over the client's (ssl_prefer_server_ciphers on)
Enable HSTS
With HSTS the browser goes straight to HTTPS on later visits, skipping the 301 redirect, which also reduces the risk of a man-in-the-middle attack. Configure it in the .conf file by sending the Strict-Transport-Security header.
301 redirect
Redirect port 80 to port 443.
Cache TLS sessions so returning clients can skip the full handshake
OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
resolver 223.5.5.5 223.6.6.6 valid=300s;
ssl_trusted_certificate must point at the CA chain used to verify the stapled OCSP response, and the resolver (AliDNS 223.5.5.5 and 223.6.6.6 here; use any resolver reachable from your server) is what Nginx uses to look up the OCSP responder.
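The steps above, from the compile check through the hardened server block, put together as one deployment script. This is an added example, not code from the original article: it reads nginx -V to confirm the build has http_ssl_module and http_v2_module (the Install/compile section), renders a server block that contains the 301 redirect, DH parameters, protocol and cipher restrictions, BEAST mitigation, session cache, OCSP stapling and HSTS, generates the DH file, and runs nginx -t before reloading. The domain argument, the certificate and DH paths under /etc/nginx/cert/, the vhost directory /etc/nginx/conf/vhost/, the one-year HSTS max-age and the AliDNS resolvers are assumptions, not values given in the article.

```shell
#!/bin/sh
# Added example for this article (not code from the original post): check that
# the nginx binary has the modules HTTP/2 over TLS needs, render the hardened
# server block described above, generate DH parameters, and validate the config.
# Assumed paths and names (not given in the article): certificates and the DH
# file under /etc/nginx/cert/, vhost files under /etc/nginx/conf/vhost/, a
# one-year HSTS max-age, and AliDNS (223.5.5.5, 223.6.6.6) as the resolver.
set -e

# Return 0 when the text of `nginx -V 2>&1` ($1) shows the build has module $2,
# e.g. http_v2_module or http_ssl_module.
nginx_has_module() {
    printf '%s\n' "$1" | grep -q -e "--with-$2"
}

# Print the ./configure flags missing from the build described by $1, one per line.
nginx_missing_flags() {
    for m in http_ssl_module http_v2_module; do
        nginx_has_module "$1" "$m" || printf '%s\n' "--with-$m"
    done
    return 0
}

# Print the HTTPS + HTTP/2 server block for the domain given in $1.
render_vhost_conf() {
    sed "s/__DOMAIN__/$1/g" <<'EOF'
# Port 80: 301 redirect everything to HTTPS.
server {
    listen 80;
    server_name __DOMAIN__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name __DOMAIN__;

    ssl_certificate     /etc/nginx/cert/__DOMAIN__.crt;
    ssl_certificate_key /etc/nginx/cert/__DOMAIN__.key;

    # Diffie-Hellman parameters for the DHE suites (generated by this script).
    ssl_dhparam /etc/nginx/cert/dhparam.pem;

    # No SSLv2/SSLv3. Tutorials of the article's era also listed TLSv1 TLSv1.1;
    # add them only if you must support old clients.
    ssl_protocols TLSv1.2;

    # The article's cipher list: forward-secret AES-GCM first; RC4, MD5, EXPORT
    # and anonymous suites excluded. Drop the DES-CBC3 (3DES) entries unless you
    # still need very old clients.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

    # BEAST mitigation: the server's cipher order wins, not the client's.
    ssl_prefer_server_ciphers on;

    # Cache TLS sessions so returning clients skip the full handshake.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling: trustchain.crt is the issuer chain used to verify the
    # stapled response; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
    resolver 223.5.5.5 223.6.6.6 valid=300s;

    # HSTS: browsers remember to use HTTPS directly for one year (assumed value).
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/__DOMAIN__;
    index index.html;
}
EOF
}

# Usage: sh deploy-h2.sh www.example.com
if [ "$#" -ge 1 ]; then
    missing="$(nginx_missing_flags "$(nginx -V 2>&1)")"
    if [ -n "$missing" ]; then
        echo "nginx lacks required modules; rebuild with ./configure $(printf '%s ' $missing)" >&2
        exit 1
    fi
    [ -f /etc/nginx/cert/dhparam.pem ] || openssl dhparam -out /etc/nginx/cert/dhparam.pem 2048
    render_vhost_conf "$1" > "/etc/nginx/conf/vhost/$1.conf"
    nginx -t && nginx -s reload
fi
```

The script refuses to write anything when nginx -V shows a build without the two modules, so a missing --with-http_v2_module is caught before a reload rather than as a "http2" parameter error from nginx -t. The rendered block keeps the article's directives in one place; if the site already has its own vhost file, copy only the ssl_* directives and the port-80 redirect into it.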
This article was reproduced from: http://www.linuxprobe.com/nginx-http2.html
Possibly the most down-to-earth tutorial on configuring HTTP/2 in Nginx.