HTTP 2.0即超文本传输协议 2.0,是下一代HTTP协议。是由互联网工程任务组(IETF)的Hypertext Transfer Protocol Bis (httpbis)工作小组进行开发。是自1999年http1.1发布后的首个更新。HTTP 2.0在2013年8月进行首次合作共事性测试。在开放互联网上HTTP 2.0将只用于https://网址,而 http://网址将继续使用HTTP/1,目的是在开放互联网上增加使用加密技术,以提供强有力的保护去遏制主动攻击。DANE RFC6698允许域名管理员不通过第三方CA自行发行证书。 ---百度百科
部署所需条件:1,OpenSSLl版本,最低要求1.0.2。
2,Nginx 1.9.5之后的版本才集成了http_v2_module模块
安装步骤:
(一)升级更新OpenSSL
(1)查看原有的openssl版本:
|
1
2
3
4
5
6
7
8
9
10
11
|
[root@Monitor ~]
# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May 9 07:30:30 CDT 2016
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR:
"/etc/pki/tls"
engines: dynamic
[root@Monitor ~]
# rpm -qi openssl|grep Version
Version : 1.0.1e Vendor: CentOS
[root@Monitor ~]
#
|
(2)下载最新的openssl-1.1.0e(https://www.openssl.org/source/openssl-1.1.0e.tar.gz)
|
1
2
3
4
5
6
7
8
9
|
[root@Monitor
install
]
# wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz
--2017-02-23 16:27:46-- https:
//www
.openssl.org
/source/openssl-1
.1.0e.
tar
.gz
正在解析主机 www.openssl.org... 104.95.197.32, 2600:1417:9:282::c1e, 2600:1417:9:28a::c1e
正在连接 www.openssl.org|104.95.197.32|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:5202247 (5.0M) [application
/x-gzip
]
正在保存至: “openssl-1.1.0e.
tar
.gz”
99% [=====================================================================================> ] 5,182,031 21.0K
/s
eta(英国中部时99% [=====================================================================================> ] 5,198,415 20.2K
/s
eta(英国中部时100%[======================================================================================>] 5,202,247 19.8K
/s
in
7m 16s
2017-02-23 16:35:04 (11.6 KB
/s
) - 已保存 “openssl-1.1.0e.
tar
.gz” [5202247
/5202247
])
|
(3)更新zlib库
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
[root@Monitor ~]
# yum install zlib -y
已加载插件:fastestmirror
设置安装进程
Loading mirror speeds from cached hostfile
epel
/metalink
| 4.6 kB 00:00
* epel: mirror01.idc.hinet.net
base | 3.7 kB 00:00
dockerrepo | 2.9 kB 00:00
epel | 4.3 kB 00:00
epel
/primary_db
| 5.9 MB 00:08
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
updates
/primary_db
|
(4)解压安装最新的openssl-1.1.0e.tar.gz
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
[root@Monitor
install
]
# tar xf openssl-1.1.0e.tar.gz
[root@Monitor
install
# cd openssl-1.1.0e
[root@Monitor openssl-1.1.0e]
# ./config shared zlib
[root@iZbp1h901rvv69gdzz4l75Z openssl-1.1.0e]
# ./config shared zlib
Operating system: x86_64-whatever-linux2
Configuring
for
linux-x86_64
Configuring OpenSSL version 1.1.0e (0x1010005fL)
no-asan [default] OPENSSL_NO_ASAN
no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG
no-crypto-mdebug-backtrace [default] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128
no-egd [default] OPENSSL_NO_EGD
no-fuzz-afl [default] OPENSSL_NO_FUZZ_AFL
no-fuzz-libfuzzer [default] OPENSSL_NO_FUZZ_LIBFUZZER
no-heartbeats [default] OPENSSL_NO_HEARTBEATS
no-md2 [default] OPENSSL_NO_MD2 (skip
dir
)
no-msan [default] OPENSSL_NO_MSAN
no-rc5 [default] OPENSSL_NO_RC5 (skip
dir
)
no-sctp [default] OPENSSL_NO_SCTP
no-ssl-trace [default] OPENSSL_NO_SSL_TRACE
no-ssl3 [default] OPENSSL_NO_SSL3
no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD
no-ubsan [default] OPENSSL_NO_UBSAN
no-unit-
test
[default] OPENSSL_NO_UNIT_TEST
no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS
no-zlib-dynamic [default]
Configuring
for
linux-x86_64
CC =gcc
CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack
SHARED_CFLAG =-fPIC -DOPENSSL_USE_NODELETE
DEFINES =ZLIB DSO_DLFCN HAVE_DLFCN_H NDEBUG OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM PADLOCK_ASM POLY1305_ASM
LFLAG =
PLIB_LFLAG =
EX_LIBS =-lz -ldl
APPS_OBJ =
CPUID_OBJ =x86_64cpuid.o
UPLINK_OBJ =
BN_ASM =asm
/x86_64-gcc
.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC =des_enc.o fcrypt_b.o
AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
BF_ENC =bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =md5-x86_64.o
SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_OBJ_ASM=
CMLL_ENC =cmll-x86_64.o cmll_misc.o
MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o
PADLOCK_OBJ =e_padlock-x86_64.o
CHACHA_ENC =chacha-x86_64.o
POLY1305_OBJ =poly1305-x86_64.o
BLAKE2_OBJ =
PROCESSOR =
RANLIB =ranlib
ARFLAGS =
PERL =
/usr/bin/perl
SIXTY_FOUR_BIT_LONG mode
Configured
for
linux-x86_64.
[root@Monitor openssl-1.1.0e]
# make && make install
[root@Monitor openssl-1.1.0e]
# mv /usr/bin/openssl /usr/bin/openssl.old
[root@Monitor openssl-1.1.0e]
# mv /usr/include/openssl /usr/include/openssl.old
[root@Monitor openssl-1.1.0e]
#ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@Monitor openssl-1.1.0e]
#ln -s /usr/local/include/openssl /usr/include/openssl
[root@Monitor openssl-1.1.0e]
#ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@Monitor openssl-1.1.0e]
#ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
[root@Monitor openssl-1.1.0e]
# strings /usr/local/lib64/libssl.so |grep OpenSSL
OpenSSL 1.1.0e 16 Feb 2017
[root@Monitor openssl-1.1.0e]
# echo “/usr/local/ssl/lib/” >> /etc/ld.so.conf
[root@Monitor openssl-1.1.0e]
# ldconfig -v
[root@Monitor ~]
# /usr/local/bin/openssl version -a
OpenSSL 1.1.0e 16 Feb 2017
built on: reproducible build,
date
unspecified
platform: linux-x86_64
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=
"\"/usr/local/ssl\""
-DENGINESDIR=
"\"/usr/local/lib64/engines-1.1\""
-Wa,--noexecstack
OPENSSLDIR:
"/usr/local/ssl"
ENGINESDIR:
"/usr/local/lib64/engines-1.1"
[root@Monitor ~]
# openssl version
OpenSSL 1.1.0e 16 Feb 2017
|
(二)重新编译安装nginx http_v2_module模块。又有nginx从nginx 1.9.5开始http_v2_module 已经替换了 ngx_http_spdy_module,本篇章以最新的版本nginx 1.10.3为例。
(1)下载nginx-1.10.3稳定版(http://nginx.org/download/nginx-1.10.3.tar.gz)
|
1
2
3
4
5
6
7
8
9
10
|
[root@Monitor
install
]
# wget http://nginx.org/download/nginx-1.10.3.tar.gz
--2017-02-23 18:22:39-- http:
//nginx
.org
/download/nginx-1
.10.3.
tar
.gz
正在解析主机 nginx.org... 206.251.255.63, 95.211.80.227, 2606:7100:1:69::3f, ...
正在连接 nginx.org|206.251.255.63|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:911509 (890K) [application
/octet-stream
]
正在保存至: “nginx-1.10.3.
tar
.gz”
1% [ ] 10,022 2.80K
/s
eta(英国中部时 1% [
99% [+++++++++++++++++++++++++++++++++++==================================================> ] 911,017 2.78K
/s
eta(英国中部时99% [+++++++++++++++++++++++++++++++++++==================================================> ] 911,017 2.59K
/s
eta(英国中部时100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K
/s
eta(英国中部时100%[+++++++++++++++++++++++++++++++++++===================================================>] 911,509 2.46K
/s
in
3m 10s
2017-02-23 19:34:09 (2.77 KB
/s
) - 已保存 “nginx-1.10.3.
tar
.gz” [911509
/911509
])
|
(2)重新安装编译nginx
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
[root@Monitor
install
]
# tar xf nginx-1.10.3.tar.gz
[root@Monitor
install
]
# cd nginx-1.10.3
[root@Monitor nginx-1.10.3]
#
[root@Monitor nginx-1.10.3]
# ./configure --prefix=/usr/local/nginx \ ##重定向安装路径
> --with-http_stub_status_module \
> --with-http_ssl_module \
> --with-http_realip_module \
> --with-http_gzip_static_module \
> --with-http_stub_status_module \
> --with-http_stub_status_module \
> --with-http_v2_module \
###启用https2.0模块
> --with-openssl=
/tmp/install/openssl-1
.1.0e
checking
for
OS
+ Linux 2.6.32-642.3.1.el6.x86_64 x86_64
checking
for
C compiler ... found
+ using GNU C compiler
+ gcc version: 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
checking
for
gcc -pipe switch ... found
checking
for
-Wl,-E switch ... found
checking
for
gcc
builtin
atomic operations ... found
checking
for
C99 variadic macros ... found
checking
for
zlib library ... found
creating objs
/Makefile
Configuration summary
+ using system PCRE library
+ using OpenSSL library:
/tmp/install/openssl-1
.1.0e
+ md5: using OpenSSL library
+ sha1: using OpenSSL library
+ using system zlib library
nginx path prefix:
"/usr/local/nginx2"
nginx binary
file
:
"/usr/local/nginx2/sbin/nginx"
nginx modules path:
"/usr/local/nginx2/modules"
nginx configuration prefix:
"/usr/local/nginx2/conf"
nginx configuration
file
:
"/usr/local/nginx2/conf/nginx.conf"
nginx pid
file
:
"/usr/local/nginx2/logs/nginx.pid"
nginx error log
file
:
"/usr/local/nginx2/logs/error.log"
nginx http access log
file
:
"/usr/local/nginx2/logs/access.log"
nginx http client request body temporary files:
"client_body_temp"
nginx http proxy temporary files:
"proxy_temp"
nginx http fastcgi temporary files:
"fastcgi_temp"
nginx http uwsgi temporary files:
"uwsgi_temp"
nginx http scgi temporary files:
"scgi_temp"
[root@Monitor nginx-1.10.3]
#make && make install
备注:
.
/configure
--prefix=
/usr/local/nginx
\
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-threads \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-openssl=
/tmp/install/openssl-1
.1.0e
########现实生产上的。
.
/configure
--prefix=
/usr/local/nginx2
\
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_gzip_static_module \
--with-http_stub_status_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-openssl=
/tmp/install/openssl-1
.1.0e \
--with-http_image_filter_module \
--with-pcre \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_v2_module
|
(3)配置nginx.conf文件中listen 80 return 301 https://$host$request_uri; 和listen 443 ssl http2;即可
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
server {
listen 80 ;
server_name localhost;
return
301
}
server {
listen 443 ssl http2 default_server;
server_name localhost;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
|
(4)重新加载nginx
|
1
2
3
4
5
|
[root@Monitor conf]
# /usr/local/nginx2/sbin/nginx -t
nginx: the configuration
file
/usr/local/nginx2/conf/nginx
.conf syntax is ok
nginx: configuration
file
/usr/local/nginx2/conf/nginx
.conf
test
is successful
[root@Monitor conf]
# /usr/local/nginx2/sbin/nginx -s reload
[root@Monitor conf]
#
|
(5)在浏览器上查看请求:
至此,http2.0配置完毕。
本文转自 lqbyz 51CTO博客,原文链接:http://blog.51cto.com/liqingbiao/1900864
