nginx toa 配置 nginx 配置http2

Nginx http2协议

1. 介绍

HTTP 2.0 的主要目标是改进传输性能，实现低延迟和高吞吐量。从另一方面看，HTTP 的高层协议语义并不会因为这次版本升级而受影响。所有HTTP 首部、值，以及它们的使用场景都不会变。

       现有的任何网站和应用，无需做任何修改都可以在HTTP 2.0 上跑起来。不用为了利用HTTP 2.0 的好处而修改标记。HTTP 服务器必须运行HTTP 2.0 协议，但大部分用户都不会因此而受到影响

以下都是基于我的ubuntu16.04上操作，centos的稍微有所不同。

2. 编译安装nginx

1.下载安装
root@leco:~# cd /usr/local/src/
root@leco:/usr/local/src# wget http://nginx.org/download/nginx-1.10.3.tar.gz
root@leco:/usr/local/src# tar xf nginx-1.10.3.tar.gz 
root@leco:/usr/local/src# cd nginx-1.10.3

2.编译参数
root@leco:/usr/local/src/nginx-1.10.3# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx-1.10.3 --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
root@leco:/usr/local/src/nginx-1.10.3# make && make install

–with-http_v2_module 支持http2协议

root@leco:/usr/local/src/nginx-1.10.3# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.10.3 --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module

3. 生成证书

root@leco:/usr/local/src/nginx-1.10.3# ln -s /usr/local/nginx-1.10.3/ /usr/local/nginx
root@leco:/usr/local/src/nginx-1.10.3# cd /usr/local/nginx/conf/
root@leco:/usr/local/nginx/conf# mkdir key
root@leco:/usr/local/nginx/conf# cd key/
#自定义密码
root@leco:/usr/local/nginx/conf# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#签发证书
[root@leco key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:caimengzhi
Email Address []:123@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@hadoop_node1 key]# cp server.key server.key.ori
[root@hadoop_node1 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key
[root@hadoop_node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=caimengzhi/emailAddress=123@qq.com
Getting Private key

4. 修改nginx配置

root@leco:/usr/local/nginx/conf# cat nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       70;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    server {
        listen    8443 ssl http2 default_server;
        server_name  localhost;
        ssl_certificate     key/server.crt;
        ssl_certificate_key key/server.key;
        location / {
            root   html;
            index  index.html index.htm;
        }
        location = /50x.html {
            root   html;
        }
    }
}

检查防火墙是否开启，是否开启8443和80端口

root@leco:/usr/local/nginx/conf# netstat -anlt|grep 8443
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 192.168.5.110:45666     180.96.7.201:8443       TIME_WAIT
tcp        0      0 192.168.5.110:39098     180.96.7.198:8443       TIME_WAIT

5. curl支持http2

若是支持就直接跳过


root@leco:/usr/local/nginx/conf# /usr/local/bin/curl --version
curl 7.46.0 (x86_64-pc-linux-gnu) libcurl/7.46.0 OpenSSL/1.0.2g zlib/1.2.8 libidn/1.32 nghttp2/1.38.0-DEV librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets
上面看到支持了HTTP2了

一般我们系统默认是不支持的，效果如下:


root@leco:/usr/local/nginx/conf# curl -I https://nghttp2.org
HTTP/1.1 200 OK
Date: Thu, 21 Mar 2019 03:19:59 GMT
Content-Type: text/html
Last-Modified: Fri, 08 Mar 2019 12:33:02 GMT
Etag: "5c8260fe-19d8"
Accept-Ranges: bytes
Content-Length: 6616
X-Backend-Header-Rtt: 0.00384
Strict-Transport-Security: max-age=31536000
Server: nghttpx
Via: 2 nghttpx
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff

root@leco:/usr/local/nginx/conf# curl --http2 -I https://nghttp2.org
curl: (1) Unsupported protocol

root@leco:/usr/local/nginx/conf# curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
我们可以看到当前 curl 的版本及支持的协议以及功能特性没有支持 HTTP2。
5.1 编译安装curl¶

sudo apt-get install git g++ make binutils autoconf automake autotools-dev libtool pkg-config \
  zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
  libjemalloc-dev cython python3-dev python-setuptools

git clone https://github.com/tatsuhiro-t/nghttp2.git
cd nghttp2
autoreconf -i
automake
autoconf
./configure
make
sudo make install
5.2 升级curl版本¶
可以升级的你当前curl的版本

注意


一般ubuntu编译安装后的软件命令在/usr/local/bin /usr/local/sbin中
升级完版本之后，我们再查看 curl 版本时会发布特性中会增加 HTTP2 功能支持。此时 –http2 参数就可以正常使用了：


root@leco:/usr/local/nginx/conf# /usr/local/bin/curl --http2 -I https://nghttp2.org
HTTP/2.0 200
date:Thu, 21 Mar 2019 03:24:21 GMT
content-type:text/html
last-modified:Fri, 08 Mar 2019 12:33:02 GMT
etag:"5c8260fe-19d8"
accept-ranges:bytes
content-length:6616
x-backend-header-rtt:0.002634
strict-transport-security:max-age=31536000
server:nghttpx
via:2 nghttpx
x-frame-options:SAMEORIGIN
x-xss-protection:1; mode=block
x-content-type-options:nosniff

6. 验证

root@leco:/usr/local/nginx/html# /usr/local/bin/curl --http2 -k -s  -I https://192.168.5.110:8443/loocha.html
HTTP/2.0 200
server:nginx/1.10.3
date:Thu, 21 Mar 2019 03:04:43 GMT
content-type:text/html
content-length:22
last-modified:Thu, 21 Mar 2019 03:04:27 GMT
etag:"5c92ff3b-16"
accept-ranges:bytes

root@leco:/usr/local/nginx/html# /usr/local/bin/curl --http2 -k -s   https://192.168.5.110:8443/loocha.html
<h1>hello nginx from sancheng</h1>
完美解决

Nginx 认证

1. 介绍¶
 我们在使用Nginx的时候，希望需要密码验证，此时我们就可以使用Nginx的认证模块ngx_http_auth_basic_module，有的时候暴漏Nginx的web页面很不安全，需要添加一个认证，本文介绍使用htpasswd工具为Nginx添加认证的用户名和密码。

在 Nginx下，提供了 ngx_http_auth_basic_module模块实现让用户只有输入正确的用户名密码才允许访问web内容。默认情况下，Nginx 已经安装了该模块。所以整体的一个过程就是先用第三方工具设置用户名、密码（其中密码已经加过密），然后保存到文件中，接着在 Nginx配置文件中根据之前事先保存的文件开启访问验证。


https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
 这个ngx_http_auth_basic_module模块允许通过使用“HTTP基本身份验证”协议验证用户名和密码来限制对资源的访问。

 访问也可能受到以下因素的限制：地址，由分请求结果，或通过JWT。同时对地址和密码的访问限制由满足感指令。

demo配置


location / {
    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}
2. 语法¶
语法指令**

Syntax:	**auth_basic** *string* | off;
Default:	auth_basic off;
Context:	http, server, location, limit_except
启用使用“HTTP基本身份验证”协议验证用户名和密码。指定的参数用作*realm*。参数值可以包含变量(1.3.10，1.2.7)。特殊价值off允许取消auth_basic指令继承自以前的配置级别。

语法：	**auth_basic_user_file** *file*;
默认：	—
背景：	http, server, location, limit_except
指出了使用的范围。只能在http, server, location, limit_except

3. 密码¶
使用的时候要结和密码文件，以下是密码文件格式，指定以下列格式保存用户名和密码的文件：


# comment
name1:password1
name2:password2:comment
name3:password3
密码必须使用函数 crypt(3) 加密。你可以使用来自 Apache 的 htpasswd工具来创建密码文件


-c 创建 -b新建首次密码问。再次追加密码文件的是就去掉-b
htpasswd -cb htpasswd container container

htpasswd -cb htpasswd caimengzhi caimengzhi
container container，左侧是账号，右侧是密码

没有htpasswd命令,可以安装apache软件。

4. 案例¶

设定密码
root@leco:/etc/nginx/sites-enabled# htpasswd -b ./htpasswd leco leco
Adding password for user leco

配置文件
root@leco:/etc/nginx/sites-enabled# cat book1.conf 
server {
    listen  10000;
    charset utf-8;
    location / {    
        auth_basic   "hello boy,we need username and password"; # 弹出页面提示
        auth_basic_user_file /etc/nginx/sites-enabled/htpasswd; # 密码文件
        root    /root/book/books/site;
        index   index.html;
    }
}

重启nginx
root@leco:/etc/nginx/sites-enabled# /etc/init.d/nginx restart
[ ok ] Restarting nginx (via systemctl): nginx.service.

测试没加账号和密码
root@leco:/etc/nginx/sites-enabled# curl 127.0.0.1:10000 -I
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Wed, 15 May 2019 07:50:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 188
Connection: keep-alive
WWW-Authenticate: Basic realm="hello boy,we need username and password"

测试加账号和密码
root@leco:/etc/nginx/sites-enabled# curl -u leco:leco 127.0.0.1:10000 -I
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 May 2019 07:50:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 119849
Last-Modified: Wed, 15 May 2019 06:30:23 GMT
Connection: keep-alive
ETag: "5cdbb1ff-1d429"
Accept-Ranges: bytes
测试OK。

Nginx 优化

1. 介绍¶
       根源上修改nginx版本号。这个比较彻底，一般是安装之前就修改源码，如安装过的，就要修改源码重新编译。一般修改三个地方：

修改src/core/nginx.h（Nginx内部名称的）

#define NGINX_VERSION      "1.12.0"
#define NGINX_VER          "nginx/" NGINX_VERSION
- 修改src/http/ngx_http_header_filter_module.c（HTTP ResponseHeader）

static u_char ngx_http_server_string[] = "Server: nginx" CRLF
修改src/http/ngx_http_special_response.c（修改错误页的底部Footer）

static u_char ngx_http_error_tail[] = 下的nginx信息