
How to configure the domain name for nginx to enable http2 protocol

2025-04-11 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article mainly introduces how to configure an nginx domain name to enable the http2 protocol. In daily operation, I believe many people have doubts about this. Xiaobian consulted various sources and compiled a simple, easy-to-use procedure, which I hope answers those doubts. Now, please follow along and learn together!

Introduction

HTTP 2.0, or Hypertext Transfer Protocol 2.0, is the next generation of the HTTP protocol. It was developed by the Internet Engineering Task Force (IETF) Hypertext Transfer Protocol Bis (httpbis) Working Group. HTTP/2 is the first update since HTTP/1.1 was released in 1999. HTTP/2 evolved from SPDY, which has completed its mission and will soon be retired (for example, Chrome will end its support for SPDY in early 2016, and Nginx and Apache now fully support HTTP/2 and no longer support SPDY). HTTP/2 is generally abbreviated as h2; some may not like it, but the abbreviation has become the default, especially in browsers, which display HTTP/2 as h2.

Why enable it

Browsing a plain HTTPS site is slightly slower than an HTTP site because of the encryption work, but HTTPS with h2 enabled is faster and more stable than HTTP under low latency!

ISP (carrier) hijacking incidents are frequent now, and most hijacking is eliminated once a site deploys HTTPS encryption, though not completely. HTTPS is already standard in e-commerce, for example, so deploying h2 is imperative.

Web server

Description

Nginx as compiled by default does not include the h2 module; it has to be added with a compile-time parameter. As of this writing, the source of Nginx 1.9 (development branch) and later must be built with that parameter added, whereas builds from distribution package repositories already include it. Tengine can serve h2 and SPDY simultaneously for compatibility, while Nginx made a clean cut and no longer supports SPDY.

Installation/compilation

If your compiled Nginx does not support it, add --with-http_v2_module to the ./configure options. If SSL is not supported either, also add --with-http_ssl_module:

    ./configure --with-http_v2_module --with-http_ssl_module

Then run make && make install.

Configuration

The main configuration is the Nginx server block. Edit the .conf file of the relevant virtual host, usually under /usr/local/nginx/conf/vhost/ or /etc/nginx/conf/; check your environment's documentation for the exact location, and leave a comment if anything is unclear.

    server {
        listen 443 ssl http2 default_server;
        server_name www.mf8.biz;
        ssl_certificate /path/to/public.crt;
        ssl_certificate_key /path/to/private.key;
    }

Note: replace www.mf8.biz in server_name www.mf8.biz; with your own domain name.

Then check that the configuration is valid with /usr/local/nginx/sbin/nginx -t (or nginx -t), and restart Nginx.

Verification

In Chrome, the HTTP/2 and SPDY indicator extension can be used to verify it: if a blue lightning bolt appears in the address bar, the site is served over h2.

It can also be checked at chrome://net-internals/#http2; note that newer Chrome versions present this page differently.

Advanced Configuration

We all know that last year's Heartbleed vulnerability pushed SSL into the spotlight, so beyond h2 support alone, we still need to do some security hardening of the SSL configuration!

Configure Diffie-Hellman parameters

Run this in an SSH session; openssl generates a 2048-bit parameter set into a file, instead of the parameters being written inline into nginx.conf:

    openssl dhparam -out dhparam.pem 2048

Then reference the file in the .conf:

    ssl_dhparam /path/to/dhparam.pem;

Disable insecure SSL protocols and use only secure ones

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Disable cipher suites that are already insecure

    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';

Mitigate BEAST attacks

    ssl_prefer_server_ciphers on;

Enable HSTS

This directly skips the 301 redirect and also reduces the risk of man-in-the-middle attacks! Configure it in the .conf:

    add_header Strict-Transport-Security max-age=15768000;

301 redirect

Redirect port 80 to port 443:

    server {
        listen 80;
        add_header Strict-Transport-Security max-age=15768000;
        return 301 https://www.yourwebsite.com$request_uri;
    }

Cache TLS session credentials

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
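As an added example (not code from the original article), the following Python script parses a server block like the ones above and checks it for the hardening directives this section recommends, including the OCSP stapling directives covered in the next section, since stapling needs a resolver directive to fetch OCSP responses. The sample block, its domain, file paths and resolver address are constructed placeholders. The audit is stricter than the article's own ssl_protocols line: it flags TLSv1 and TLSv1.1, which RFC 8996 has since deprecated, and it flags the DES-CBC3 (3DES) suites that stay enabled in the article's cipher list because OpenSSL's !DES keyword excludes only single DES.

```python
"""Audit an nginx server block for the HTTP/2 and TLS hardening directives this
article recommends. Added example for this page, not code from the original post."""
import re
from typing import Dict, List

# Constructed sample: the article's directives with placeholder domain, paths and
# resolver address, and its cipher list shortened to the entries that matter here.
SAMPLE_CONF = """
server {
    listen 443 ssl http2 default_server;
    server_name www.example.com;          # placeholder domain
    ssl_certificate /path/to/public.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_dhparam /path/to/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!MD5:!RC4';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/trustchain.crt;
    resolver 192.0.2.53 valid=300s;       # placeholder resolver (RFC 5737 address)
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 15768000  # the article's value, about six months


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Map each directive name to the list of its argument strings.
    Comments are stripped per line, then statements are split on ';', so the
    one-line form of the server block parses as well as the indented form.
    Repeated directives (e.g. several add_header lines) keep every occurrence."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    directives: Dict[str, List[str]] = {}
    for segment in no_comments.split(";"):
        # Drop a leading "server {" or trailing "}" that shares the segment.
        stmt = segment.rsplit("{", 1)[-1].split("}", 1)[0].strip()
        if not stmt:
            continue
        name, _, args = stmt.partition(" ")
        directives.setdefault(name, []).append(" ".join(args.split()))
    return directives


def audit_server_block(conf: str) -> List[str]:
    """Return findings for the block; an empty list means every check passed."""
    d = parse_directives(conf)
    findings: List[str] = []

    listen_args = " ".join(d.get("listen", []))
    if "http2" in listen_args and "ssl" not in listen_args:
        findings.append("listen: http2 without ssl; browsers negotiate h2 only via TLS ALPN")

    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"ssl_protocols: {proto} is deprecated (RFC 8996); use TLSv1.2 TLSv1.3")

    ciphers = " ".join(d.get("ssl_ciphers", [])).strip("'\"")
    for suite in ciphers.split(":"):
        # OpenSSL's !DES excludes single DES only; 3DES suites are spelled DES-CBC3.
        if not suite.startswith("!") and "DES-CBC3" in suite:
            findings.append(f"ssl_ciphers: 3DES suite {suite} still enabled; add !3DES")
    for weak in ("RC4", "MD5", "aNULL"):
        if f"!{weak}" not in ciphers:
            findings.append(f"ssl_ciphers: missing !{weak} exclusion")

    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers should be on so the server's order wins")
    if "ssl_dhparam" not in d:
        findings.append("ssl_dhparam missing: no custom Diffie-Hellman parameters for DHE suites")

    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("HSTS missing: add_header Strict-Transport-Security max-age=...")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")

    if "ssl_session_cache" not in d:
        findings.append("ssl_session_cache missing: no server-side session resumption")
    if d.get("ssl_stapling") == ["on"]:
        if "resolver" not in d:
            findings.append("ssl_stapling on but no resolver: nginx cannot fetch OCSP responses")
        if d.get("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify on requires ssl_trusted_certificate")
    return findings


if __name__ == "__main__":
    for finding in audit_server_block(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the script reports TLSv1 and TLSv1.1 as deprecated and the DES-CBC3-SHA suite as still enabled; replacing the protocol line with TLSv1.2 TLSv1.3 and dropping the 3DES entry leaves no findings. The parser handles the collapsed one-line form in which this article shows its server blocks as well as the indented form, so the same check works on a file pasted straight from the page.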

OCSP stapling

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/cert/trustchain.crt;
    resolver 233.5.5.5 233.6.6.6 valid=300s;

This concludes the study of "how to configure nginx domain names to enable http2 protocol"; hopefully it has cleared up everyone's doubts. Theory and practice go together, so go and try it! If you want to keep learning, please keep following the website; Xiaobian will keep working to bring everyone more practical articles!
