Time: 2022-08-11 07:12:01 | Source: Website Operations
This article describes how to set up an HTTP/2 website quickly and simply.

    nginx version: nginx/1.10.3
    built by gcc 5.3.0 (Alpine 5.3.0)
    built with OpenSSL 1.0.2k 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-ipv6
The last line shows that this nginx already has the HTTP/2 module installed. nginx has supported the http_v2_module since version 1.9.5. If your build does not have it, download a newer nginx source package and add the --with-http_v2_module option when compiling:

    ./configure --prefix=/etc/nginx \
        --sbin-path=/usr/sbin/nginx \
        --modules-path=/usr/lib/nginx/modules \
        --conf-path=/etc/nginx/nginx.conf \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --pid-path=/var/run/nginx.pid \
        --lock-path=/var/run/nginx.lock \
        --http-client-body-temp-path=/var/cache/nginx/client_temp \
        --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
        --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
        --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
        --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
        --user=nginx \
        --group=nginx \
        --with-http_ssl_module \
        --with-http_realip_module \
        --with-http_addition_module \
        --with-http_sub_module \
        --with-http_dav_module \
        --with-http_flv_module \
        --with-http_mp4_module \
        --with-http_gunzip_module \
        --with-http_gzip_static_module \
        --with-http_random_index_module \
        --with-http_secure_link_module \
        --with-http_stub_status_module \
        --with-http_auth_request_module \
        --with-http_xslt_module=dynamic \
        --with-http_image_filter_module=dynamic \
        --with-http_geoip_module=dynamic \
        --with-http_perl_module=dynamic \
        --with-threads \
        --with-stream \
        --with-stream_ssl_module \
        --with-http_slice_module \
        --with-mail \
        --with-mail_ssl_module \
        --with-file-aio \
        --with-ipv6 \
        --with-http_v2_module
In addition, ALPN is gradually replacing NPN as the mainstream HTTP/2 negotiation protocol, and OpenSSL only began supporting ALPN in 1.0.2, so to support HTTP/2 you also need to upgrade OpenSSL to 1.0.2 or later.

    wget https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
Run openssl version to check the current OpenSSL version; it is now 1.0.2:

    openssl version
    OpenSSL 1.0.2k 26 Jan 2017
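The three prerequisites above (nginx 1.9.5 or later, --with-http_v2_module, OpenSSL 1.0.2 or later) can be checked in one pass from the `nginx -V` output, which reports the OpenSSL that nginx itself uses and can differ from what the `openssl` command line tool prints. This is an added example, not part of the original article; the function names `version_ge` and `check_h2_ready` and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): preflight check for HTTP/2 over ALPN.
# Feed it the text printed by `nginx -V`, which nginx writes to stderr:
#     nginx -V 2>&1 | check_h2_ready

# Succeeds if dotted version $1 >= $2. A letter suffix such as the "k" in 1.0.2k is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$b" ]
}

# Reads `nginx -V` output on stdin, prints one finding per line, returns 1 if any check fails.
check_h2_ready() {
    out=$(cat)
    rc=0
    ngx=$(printf '%s\n' "$out" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    # When the loaded library differs from the build-time one, nginx appends
    # "(running with OpenSSL ...)"; that runtime version is the one that matters.
    ssl=$(printf '%s\n' "$out" | sed -n 's/.*running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    [ -n "$ssl" ] || ssl=$(printf '%s\n' "$out" | sed -n 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')

    if version_ge "${ngx:-0}" 1.9.5; then echo "ok: nginx $ngx"
    else echo "FAIL: nginx ${ngx:-unknown} is older than 1.9.5"; rc=1; fi

    case "$out" in
        *--with-http_v2_module*) echo "ok: built with --with-http_v2_module" ;;
        *) echo "FAIL: --with-http_v2_module missing from configure arguments"; rc=1 ;;
    esac

    if version_ge "${ssl:-0}" 1.0.2; then echo "ok: OpenSSL $ssl supports ALPN"
    else echo "FAIL: OpenSSL ${ssl:-unknown} is older than 1.0.2 (no ALPN)"; rc=1; fi
    return "$rc"
}

# Constructed sample, abridged from the `nginx -V` output shown in the article.
SAMPLE_OK='nginx version: nginx/1.10.3
built by gcc 5.3.0 (Alpine 5.3.0)
built with OpenSSL 1.0.2k 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_v2_module --with-ipv6'

printf '%s\n' "$SAMPLE_OK" | check_h2_ready
```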
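If installing nginx and upgrading OpenSSL as described above seems like too much trouble, you can instead pull the Alpine variant of the nginx image with Docker. It already ships the latest OpenSSL and an nginx build that supports HTTP/2, so you only need to map the certificates and the site directory into the nginx container and run it. Note that --privileged=true gives the container nearly unrestricted access to the host, which nginx does not need in order to serve the site; the container also runs without that flag.

    docker run -d \
        --name=nginx \
        --net=host \
        --privileged=true \
        -v /etc/nginx:/etc/nginx \
        -v /var/www:/var/www \
        -v /etc/letsencrypt:/etc/letsencrypt \
        nginx:stable-alpine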
Install certbot:

    sudo apt-get install certbot
Next, use certbot to deploy the certificate. Run certbot certonly to enter the command-line wizard:

    $ certbot certonly

    How would you like to authenticate with the ACME CA?
    -------------------------------------------------------------------------------
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
certbot provides two authentication methods:

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/le;
    }

    location = /.well-known/acme-challenge/ {
        return 404;
    }
Next, enter your site's domain name:

    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):liangwentao.cc
Then enter the webroot path, which is the directory that the root directive in the nginx configuration above points to:

    Input the webroot for test.testnode.com: (Enter 'c' to cancel):/var/www/le
Finally, certbot completes the verification and generates the certificate:

    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/liangwentao.cc/fullchain.pem. Your cert will
       expire on 2017-06-18. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Run certbot certificates and you will see that the certificate and the private key are both under the /etc/letsencrypt/live directory.

    $ certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    -------------------------------------------------------------------------------
    Found the following certs:
      Certificate Name: liangwentao.cc
        Domains: liangwentao.cc
        Expiry Date: 2017-06-18 04:09:00+00:00 (VALID: 87 days)
        Certificate Path: /etc/letsencrypt/live/liangwentao.cc/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/liangwentao.cc/privkey.pem
    -------------------------------------------------------------------------------
Finally, add configuration to nginx so that it uses the certificate just generated:

    server {
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;
        server_name liangwentao.cc;
        ssl_certificate /etc/letsencrypt/live/liangwentao.cc/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/liangwentao.cc/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/liangwentao.cc/chain.pem;
    }
Open the page and a small green padlock now appears on the left, which shows that the HTTPS certificate has been installed correctly. Then add the http2 parameter to the listen directives:

    server {
        listen 443 http2 ssl;
        listen [::]:443 http2 ssl ipv6only=on;
        server_name liangwentao.cc;
        ssl_certificate /etc/letsencrypt/live/liangwentao.cc/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/liangwentao.cc/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/liangwentao.cc/chain.pem;
    }
Restart the nginx service and open the page. In the Chrome console, the Protocol column now shows h2, which means the site is communicating over HTTP/2.