nginx 自 1.9.5 版本起才支持 HTTP/2,因此需要使用 1.9.5 及以上的版本。
安装依赖:
# Build prerequisites, installed in a single yum transaction: the C compiler,
# the PCRE headers, and zlib / OpenSSL together with their development headers.
yum install gcc pcre-devel zlib zlib-devel openssl openssl-devel
下载nginx源码包(本文以 1.13.7 为例;该版本已较旧,生产环境建议改用当前仍在维护的稳定版):
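# Fetch the source tarball and its detached PGP signature over HTTPS. Plain
# HTTP gives no integrity protection for code that is compiled and run as root.
wget https://nginx.org/download/nginx-1.13.7.tar.gz
wget https://nginx.org/download/nginx-1.13.7.tar.gz.asc
# Unpack only if the signature verifies. The nginx release signing key
# (published on nginx.org) must already be imported into the local GnuPG keyring.
gpg --verify nginx-1.13.7.tar.gz.asc nginx-1.13.7.tar.gz \
  && tar -xvf nginx-1.13.7.tar.gz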
------------
[root@test data]# cd nginx-1.13.7/
[root@test nginx-1.13.7]# ll
total 748
drwxr-xr-x. 6 root root 4096 Sep 3 09:53 auto
-rw-r--r--. 1 root root 283389 Sep 3 09:53 CHANGES
-rw-r--r--. 1 root root 431910 Sep 3 09:53 CHANGES.ru
drwxr-xr-x. 2 root root 4096 Sep 3 09:53 conf
-rwxr-xr-x. 1 root root 2502 Sep 3 09:53 configure
drwxr-xr-x. 4 root root 4096 Sep 3 09:53 contrib
drwxr-xr-x. 2 root root 4096 Sep 3 09:53 html
-rw-r--r--. 1 root root 1397 Sep 3 09:53 LICENSE
drwxr-xr-x. 2 root root 4096 Sep 3 09:53 man
-rw-r--r--. 1 root root 49 Sep 3 09:53 README
drwxr-xr-x. 9 root root 4096 Sep 3 09:53 src
[root@test nginx-1.13.7]# ./configure
Configuration summary
+ using system PCRE library
+ OpenSSL library is not used
+ using system zlib library
上面的输出中出现 "OpenSSL library is not used",说明默认不会编译 SSL 模块;增加 --with-http_ssl_module 以启用 OpenSSL:
[root@test nginx-1.13.7]# ./configure --with-http_ssl_module
checking for OS
+ Linux 3.10.0-862.6.3.el7.x86_64 x86_64
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
增加--prefix指定安装目录、--with-http_v2_module启用http2模块:
[root@test nginx-1.13.7]# ./configure --with-http_ssl_module --with-http_v2_module --prefix=/data/nginx-1.13.7
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/data/nginx-1.13.7"
nginx binary file: "/data/nginx-1.13.7/sbin/nginx"
nginx modules path: "/data/nginx-1.13.7/modules"
nginx configuration prefix: "/data/nginx-1.13.7/conf"
nginx configuration file: "/data/nginx-1.13.7/conf/nginx.conf"
nginx pid file: "/data/nginx-1.13.7/logs/nginx.pid"
nginx error log file: "/data/nginx-1.13.7/logs/error.log"
nginx http access log file: "/data/nginx-1.13.7/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
make
make install
--------------
进入nginx安装目录/data/nginx-1.13.7
检测配置文件语法:
[root@test nginx-1.13.7]# ./sbin/nginx -t
nginx: the configuration file /data/nginx-1.13.7/conf/nginx.conf syntax is ok
nginx: configuration file /data/nginx-1.13.7/conf/nginx.conf test is successful
查看版本:
[root@test nginx-1.13.7]# ./sbin/nginx -v
nginx version: nginx/1.13.7
启动:
[root@test nginx-1.13.7]# ./sbin/nginx
重新加载配置:
[root@test nginx-1.13.7]# ./sbin/nginx -s reload
[root@test nginx-1.13.7]#
关闭(-s stop 为快速停止;如需等待正在处理的请求完成后再退出,可使用 -s quit):
[root@test nginx-1.13.7]# ./sbin/nginx -s stop
[root@test nginx-1.13.7]#
nginx.conf配置https、http2:
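# HTTPS server
server {
    # TLS listener with HTTP/2 enabled. The "http2" parameter only works when
    # nginx was built with --with-http_v2_module.
    listen 443 ssl http2;
    server_name localhost;

    # Certificate and private key. Relative paths are resolved against the
    # nginx configuration prefix. The key file should be readable by root only.
    ssl_certificate cert/20200602_asus.com.cn.pem;
    ssl_certificate_key cert/20200602_asus.com.cn.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Cipher suites: forward-secret AES-GCM (AEAD) suites only. CBC-mode,
    # static-RSA, CAMELLIA and 3DES (DES-CBC3-SHA) suites are deliberately left
    # out; note that "!DES" in an OpenSSL cipher string does not exclude 3DES.
    # NOTE(review): clients that support TLS 1.2 but no GCM suite can no longer
    # connect - confirm this is acceptable for the expected client base.
    #ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameters used by the DHE suites.
    # NOTE(review): the parameter size is not visible here - should be at
    # least 2048 bits; confirm how dhparams.pem was generated.
    ssl_dhparam /data/nginx-1.13.7/conf/cert/dhparams.pem;

    # Accept TLS 1.2 only.
    ssl_protocols TLSv1.2;

    # OCSP stapling: the server fetches and caches the certificate's revocation
    # status and sends it in the handshake, so clients need not query the OCSP
    # responder themselves, which speeds up the TLS handshake.
    ssl_stapling on;
    # Verify the OCSP responses before stapling them.
    ssl_stapling_verify on;
    # Certificate chain (full chain) used to verify the OCSP responses.
    ssl_trusted_certificate /data/nginx-1.13.7/conf/cert/20200602_asus.com.cn.crt;

    # DNS servers used to resolve the OCSP responder's host name.
    # NOTE(review): these are public resolvers and plain DNS answers are not
    # authenticated - prefer a trusted local resolver where one is available.
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    # Timeout for name resolution.
    resolver_timeout 10s;

    # Response security headers. "always" makes nginx send them on error
    # responses as well, not only on 2xx/3xx. A location that declares its own
    # add_header does not inherit these and must repeat them.

    # HSTS: tell browsers to use HTTPS only; max-age is the lifetime in seconds.
    add_header Strict-Transport-Security max-age=63072000 always;
    # Forbid embedding the site in frames (clickjacking protection).
    add_header X-Frame-Options DENY always;
    # Disable MIME type sniffing.
    add_header X-Content-Type-Options nosniff always;

    # Static content.
    location / {
        root html;
        index index.html index.htm;
    }

    # Reverse proxy to the local application. The original Host header and the
    # client address are passed on; the backend must trust these headers only
    # when the request really comes from this proxy.
    location /mp_store {
        proxy_pass http://localhost:8080/mp_store;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}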
备注:
启动时错误:
[root@test nginx-1.13.7]# ./sbin/nginx
nginx: [emerg] the "http2" parameter requires ngx_http_v2_module in /data/nginx-1.13.7/conf/nginx.conf:106
原因:编译时没有加 --with-http_v2_module 参数,nginx 官方文档的说明如下:
The ngx_http_v2_module module (1.9.5) provides support for HTTP/2 and supersedes the ngx_http_spdy_module module.
This module is not built by default, it should be enabled with the --with-http_v2_module configuration parameter.