A previous version of this tutorial was written by Sergey Zhukaev.
Introduction
Nginx is a fast and reliable open-source web server. It gained its popularity due to its low memory footprint, high scalability, ease of configuration, and support for a wide variety of protocols.
HTTP/2 is a new version of the Hypertext Transfer Protocol, which is used on the Web to deliver pages from server to browser. HTTP/2 is the first major update of HTTP in almost two decades: HTTP/1.1 was introduced to the public back in 1999, when webpages were usually just a single HTML file with an inline CSS stylesheet. The Internet has changed dramatically since then, and now we are facing the limitations of HTTP/1.1: the protocol limits potential transfer speeds for most modern websites because it downloads the parts of a page in a queue (the previous part must download completely before the download of the next part begins), and an average modern webpage requires about 100 requests to be downloaded (each request is a picture, JS file, CSS file, etc.).
HTTP/2 solves this problem because it brings a few fundamental changes:
- All requests are downloaded in parallel, not in a queue
- HTTP headers are compressed
- Pages transfer as a binary, not as a text file, which is more efficient
- Servers can “push” data even without the user’s request, which improves speed for users with high latency
Even though HTTP/2 does not require encryption, the developers of the two most popular browsers, Google Chrome and Mozilla Firefox, stated that for security reasons they will support HTTP/2 only over HTTPS connections. Hence, if you decide to set up servers with HTTP/2 support, you must also secure them with HTTPS.
This tutorial will help you set up a fast and secure Nginx server with HTTP/2 support.
Prerequisites
Before we get started, we will need a few things:
- One Ubuntu 18.04 server set up by following the Ubuntu 18.04 initial server setup guide, including a sudo non-root user and a firewall.
- Nginx installed on your server, which you can do by following How To Install Nginx on Ubuntu 18.04.
- A domain name configured to point to your server. You can purchase one on Namecheap or get one for free on Freenom. You can learn how to point domains to DigitalOcean Droplets by following the documentation on How To Manage Your Domain With DigitalOcean.
- A TLS/SSL certificate configured for your server, which you can obtain in one of the following ways:
  - You can get a free certificate from Let’s Encrypt by following How to Secure Nginx with Let’s Encrypt on Ubuntu 18.04.
  - You can also generate and configure a self-signed certificate by following How to Create a Self-signed SSL Certificate for Nginx in Ubuntu 18.04.
  - You can buy one from another provider and configure Nginx to use it by following Steps 2 through 6 of How to Create a Self-signed SSL Certificate for Nginx in Ubuntu 18.04.
- Nginx configured to redirect traffic from port 80 to port 443, which should be covered by the previous prerequisites.
- Nginx configured to use a 2048-bit or higher Ephemeral Diffie-Hellman (DHE) key, which should also be covered by the previous prerequisites.
Step 1 — Enabling HTTP/2 Support
If you followed the server block setup step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/your_domain with the server_name directive already set appropriately. The first change we will make will be to modify your domain’s server block to use HTTP/2.
Open the configuration file for your domain:
sudo nano /etc/nginx/sites-available/your_domain
In the file, locate the listen directives associated with port 443:
...
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
...
The first one is for IPv6 connections. The second one is for all IPv4 connections. We will enable HTTP/2 for both.
Modify each listen directive to include http2:
...
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
...
This tells Nginx to use HTTP/2 with supported browsers.
Save the configuration file and exit the text editor.
Whenever you make changes to Nginx configuration files, you should check the configuration for syntax errors, like this:
sudo nginx -t
If the syntax is error-free, you will see the following output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Next, we’ll configure our server to use a more restrictive list of ciphers.
Step 2 — Removing Old and Insecure Cipher Suites
HTTP/2 has a blacklist of old and insecure ciphers, so we must avoid them. Cipher suites are cryptographic algorithms that describe how the transferred data should be encrypted.
The method you’ll use to define the ciphers depends on how you’ve configured your TLS/SSL certificates for Nginx.
If you used Certbot to obtain your certificates, it also created the file /etc/letsencrypt/options-ssl-nginx.conf, which contains ciphers that aren’t strong enough for HTTP/2. Modifying this file will unfortunately prevent Certbot from applying updates in the future, so we’ll just tell Nginx not to use this file and specify our own list of ciphers.
Open the server block configuration file for your domain:
sudo nano /etc/nginx/sites-available/your_domain
Locate the line that includes the options-ssl-nginx.conf file and comment it out:
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
Below that line, add this line to define the allowed ciphers:
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
Save the file and exit the editor.
If you used self-signed certificates or used a certificate from a third party and configured it according to the prerequisites, open the file /etc/nginx/snippets/ssl-params.conf in your text editor:
sudo nano /etc/nginx/snippets/ssl-params.conf
Locate the following line:
...
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
...
Modify it so it looks like this:
...
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
Save the file and exit your editor.
Once again, check the configuration for syntax errors:
sudo nginx -t
If you see any errors, address them and test again.
Once you see no syntax errors, reload Nginx so the new cipher list takes effect:
sudo systemctl reload nginx
With the configuration reloaded, let’s verify that it works.
Step 3 — Verifying that HTTP/2 is Enabled
Let’s ensure the server is running and working with HTTP/2.
Use the curl command to make a request to your site and view the headers:
curl -I -L https://your_domain
You’ll see the following output:
Output
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Date: Fri, 06 Jul 2018 19:07:12 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://your_domain/
HTTP/2 200
server: nginx/1.14.0 (Ubuntu)
date: Fri, 06 Jul 2018 19:07:12 GMT
content-type: text/html
content-length: 16
last-modified: Fri, 06 Jul 2018 16:55:37 GMT
etag: "5b3f9f09-10"
accept-ranges: bytes
You can also verify that HTTP/2 is in use in Google Chrome. Open Chrome and navigate to http://your_domain. Open the Chrome Developer Tools (View -> Developer -> Developer Tools) and reload the page (View -> Reload This Page). Navigate to the Network tab, right-click on the table header row that starts with Name, and select the Protocol option from the popup menu.
You’ll see h2 (which stands for HTTP/2) in a new Protocol column, indicating that HTTP/2 is working.
At this point, you’re ready to serve content through the HTTP/2 protocol. Let’s improve security and performance by enabling HSTS.
Step 4 — Enabling HTTP Strict Transport Security (HSTS)
Even though your HTTP requests redirect to HTTPS, you can enable HTTP Strict Transport Security (HSTS) to avoid having to do those redirects. If the browser finds an HSTS header, it will not try to connect to the server via regular HTTP again for the given time period; it will exchange data using only an encrypted HTTPS connection. This header also protects us from protocol downgrade attacks.
Open the Nginx configuration file in your editor:
sudo nano /etc/nginx/nginx.conf
Add this line to the file to enable HSTS:
http {
    ...
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    add_header Strict-Transport-Security "max-age=15768000" always;
}
...
The max-age is set in seconds. The value 15768000 is equivalent to 6 months.
By default, this header is not applied to subdomains. If you have subdomains and want HSTS to apply to all of them, you should add the includeSubDomains directive at the end of the header value, like this:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
Save the file, and exit the editor.
Once again, check the configuration for syntax errors:
sudo nginx -t
Finally, reload Nginx to apply the changes:
sudo systemctl reload nginx
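As an added example that is not part of the original tutorial, the following Python script applies the checks from Step 3 and Step 4 to a saved transcript of curl -I -L https://your_domain: it parses each hop, confirms the redirect from port 80 and the HTTP/2 final response, and validates the Strict-Transport-Security value against the 6-month max-age configured above. The transcript in SAMPLE is constructed for the example, not real server output.

```python
# Added example, not from the tutorial: checks a saved `curl -I -L` transcript.
SIX_MONTHS = 15768000  # seconds, the max-age the tutorial configures
# Constructed transcript (not real server output): the 301 from port 80, then
# the final HTTP/2 response carrying the header added in Step 4.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Location: https://your_domain/

HTTP/2 200
server: nginx/1.14.0 (Ubuntu)
strict-transport-security: max-age=15768000; includeSubDomains
"""

def parse_curl_head(text):
    """One (version, status, headers) tuple per hop; header names lowercased."""
    hops = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().splitlines()
        version, status = lines[0].split()[:2]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((version, int(status), headers))
    return hops

def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(val.strip('" '))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def check(text):
    """Report whether the transcript shows the state Steps 1 to 4 aim for."""
    hops = parse_curl_head(text)
    (_, first_status, first_headers), (version, _, final) = hops[0], hops[-1]
    hsts = final.get("strict-transport-security")
    max_age, subdomains = parse_hsts(hsts) if hsts else (None, False)
    return {
        "redirects_to_https": first_status in (301, 308)
        and first_headers.get("location", "").startswith("https://"),
        "http2": version == "HTTP/2",
        "hsts_max_age_ok": max_age is not None and max_age >= SIX_MONTHS,
        "hsts_subdomains": subdomains,
    }
```

Run it against the real output by saving the curl transcript to a file and passing its contents to check(); a False value points at the step that still needs attention.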
Conclusion
Your Nginx server is now serving HTTP/2 pages. If you want to test the strength of your SSL connection, please visit Qualys SSL Lab and run a test against your server. If everything is configured properly, you should get an A+ mark for security.