|
|
HTTP 2.0即超文本传输协议 2.0,是下一代HTTP协议。是由互联网工程任务组(IETF)的Hypertext Transfer Protocol Bis (httpbis)工作小组进行开发。是自1999年http1.1发布后的首个更新。HTTP 2.0在2013年8月进行首次合作共事性测试。在开放互联网上HTTP 2.0将只用于https://网址,而 http://网址将继续使用HTTP/1,目的是在开放互联网上增加使用加密技术,以提供强有力的保护去遏制主动攻击。DANE RFC6698允许域名管理员不通过第三方CA自行发行证书。 ---百度百科
部署所需条件:1,OpenSSLl版本,最低要求1.0.2。
2,Nginx 1.9.5之后的版本才集成了http_v2_module模块
安装步骤:
(一)升级更新OpenSSL
(1)查看原有的openssl版本:
1
2
3
4
5
6
7
8
9
10
11
| [iyunv@Monitor ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May 9 07:30:30 CDT 2016
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
[iyunv@Monitor ~]# rpm -qi openssl|grep Version
Version : 1.0.1e Vendor: CentOS
[iyunv@Monitor ~]#
|
(2)下载最新的openssl-1.1.0e(https://www.openssl.org/source/openssl-1.1.0e.tar.gz)
1
2
3
4
5
6
7
8
9
| [iyunv@Monitor install]# wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
--2017-02-23 16:27:46-- https://www.openssl.org/source/openssl-1.1.0e.tar.gz
正在解析主机 www.openssl.org... 104.95.197.32, 2600:1417:9:282::c1e, 2600:1417:9:28a::c1e
正在连接 www.openssl.org|104.95.197.32|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:5202247 (5.0M) [application/x-gzip]
正在保存至: “openssl-1.1.0e.tar.gz”
99% [=====================================================================================> ] 5,182,031 21.0K/s eta(英国中部时99% [=====================================================================================> ] 5,198,415 20.2K/s eta(英国中部时100%[======================================================================================>] 5,202,247 19.8K/s in 7m 16s
2017-02-23 16:35:04 (11.6 KB/s) - 已保存 “openssl-1.1.0e.tar.gz” [5202247/5202247])
|
(3)更新zlib库
1
2
3
4
5
6
7
8
9
10
11
12
13
| [iyunv@Monitor ~]# yum install zlib -y
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
epel/metalink | 4.6 kB 00:00
* epel: mirror01.idc.hinet.net
base | 3.7 kB 00:00
dockerrepo | 2.9 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:08
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db
|
(4)解压安装最新的openssl-1.1.0e.tar.gz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| [iyunv@Monitor install]# tar xf openssl-1.1.0e.tar.gz
[iyunv@Monitor install# cd openssl-1.1.0e
[iyunv@Monitor openssl-1.1.0e]# ./config shared alib
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0e (0x1010005fL)
target already defined - linux-x86_64 (offending arg: alib)
[iyunv@Monitor openssl-1.1.0e]# make && make install
[iyunv@Monitor openssl-1.1.0e]# mv /usr/bin/openssl /usr/bin/openssl.old
[iyunv@Monitor openssl-1.1.0e]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
[iyunv@Monitor openssl-1.1.0e]# ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
[iyunv@Monitor openssl-1.1.0e]#ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[iyunv@Monitor openssl-1.1.0e]#ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln: 创建符号链接 "/usr/include/openssl": 文件已存在
[iyunv@Monitor openssl-1.1.0e]# echo “/usr/local/ssl/lib/” >> /etc/ld.so.conf
[iyunv@Monitor openssl-1.1.0e]# ldconfig -v
[iyunv@Monitor ~]# /usr/local/bin/openssl version -a
OpenSSL 1.1.0e 16 Feb 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wa,--noexecstack
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
[iyunv@Monitor ~]# openssl version
OpenSSL 1.1.0e 16 Feb 2017
|
(二)重新编译安装nginx http_v2_module模块。又有nginx从nginx 1.9.5开始http_v2_module 已经替换了 ngx_http_spdy_module,本篇章以最新的版本nginx 1.10.3为例。
(1)下载nginx-1.10.3稳定版(http://nginx.org/download/nginx-1.10.3.tar.gz)
1
2
3
4
5
6
7
8
9
10
| [iyunv@Monitor install]# wget http://nginx.org/download/nginx-1.10.3.tar.gz
--2017-02-23 18:22:39-- http://nginx.org/download/nginx-1.10.3.tar.gz
正在解析主机 nginx.org... 206.251.255.63, 95.211.80.227, 2606:7100:1:69::3f, ...
正在连接 nginx.org|206.251.255.63|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:911509 (890K) [application/octet-stream]
正在保存至: “nginx-1.10.3.tar.gz”
1% [ ] 10,022 2.80K/s eta(英国中部时 1% [
99% [+++++++++++++++++++++++++++++++++++==================================================> ] 911,017 2.78K/s eta(英国中部时99% [+++++++++++++++++++++++++++++++++++==================================================> ] 911,017 2.59K/s eta(英国中部时100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K/s eta(英国中部时100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K/s in 3m 10s
2017-02-23 19:34:09 (2.77 KB/s) - 已保存 “nginx-1.10.3.tar.gz” [911509/911509])
|
(2)重新安装编译nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
| [iyunv@Monitor install]# tar xf nginx-1.10.3.tar.gz
[iyunv@Monitor install]# cd nginx-1.10.3
[iyunv@Monitor nginx-1.10.3]#
[iyunv@Monitor nginx-1.10.3]# ./configure --prefix=/usr/local/nginx2 \ ##重定向安装路径
> --with-http_stub_status_module \
> --with-http_ssl_module \
> --with-http_realip_module \
> --with-http_gzip_static_module \
> --with-http_stub_status_module \
> --with-http_stub_status_module \
> --with-http_v2_module \ ###启用https2.0模块
> --with-openssl=/tmp/install/openssl-1.1.0e
checking for OS
+ Linux 2.6.32-642.3.1.el6.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for zlib library ... found
creating objs/Makefile
Configuration summary
+ using system PCRE library
+ using OpenSSL library: /tmp/install/openssl-1.1.0e
+ md5: using OpenSSL library
+ sha1: using OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/local/nginx2"
nginx binary file: "/usr/local/nginx2/sbin/nginx"
nginx modules path: "/usr/local/nginx2/modules"
nginx configuration prefix: "/usr/local/nginx2/conf"
nginx configuration file: "/usr/local/nginx2/conf/nginx.conf"
nginx pid file: "/usr/local/nginx2/logs/nginx.pid"
nginx error log file: "/usr/local/nginx2/logs/error.log"
nginx http access log file: "/usr/local/nginx2/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
[iyunv@Monitor nginx-1.10.3]#make && make install
备注:
./configure --prefix=/usr/local/nginx2 --with-http_stub_status_module --with-http_ssl_module --wi
th-http_realip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_stub_status_module --with-http_
v2_module --with-openssl=/tmp/install/openssl-1.1.0e
|
(3)配置nginx.conf文件中listen 80 return 301 https://$host$request_uri; 和listen 443 ssl http2;即可
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| server {
listen 80 ;
server_name localhost;
return 301
}
server {
listen 443 ssl http2 default_server;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
|
(4)重新加载nginx
1
2
3
4
5
| [iyunv@Monitor conf]# /usr/local/nginx2/sbin/nginx -t
nginx: the configuration file /usr/local/nginx2/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx2/conf/nginx.conf test is successful
[iyunv@Monitor conf]# /usr/local/nginx2/sbin/nginx -s reload
[iyunv@Monitor conf]#
|
(5)在浏览器上查看请求:
至此,http2.0配置完毕。
|
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2017-2-27 13:21:00
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡