在nginx上啓用HTTP2

Question

我想爲我的nginx服務器添加HTTP2支持。我認爲所有的版本好，具有http_v2_module：

nginx version: nginx/1.11.8 
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3) 
built with OpenSSL 1.0.1f 6 Jan 2014 
TLS SNI support enabled 
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 

我已經編輯我的虛擬主機，並添加http2（聽443 SSL http2;），重啓nginx的，但沒有結果。

我的虛擬主機配置：

server { 
    listen 80; 
    listen [::]:80 ipv6only=on; 
    server_name my-domaine.net; 
    return 301 https://my-domaine.net$request_uri; 
} 

server { 
    listen 80; 
    server_name www.my-domaine.net; 
    return 301 https://my-domaine.net$request_uri; 
} 

server { 
    listen 80; 
    server_name xx.xxx.xxx.xxx; 
    return 301 https://my-domaine.net$request_uri; 
} 

server { 

    listen 443 ssl http2; 

    server_name my-domaine.net; 

    access_log   /var/log/nginx/app.dev.access.log; 
    error_log    /var/log/nginx/app.dev.error.log; 

    ssl_certificate xxx; 
    ssl_certificate_key xxx; 

    ssl_session_timeout 1h; 
    ssl_session_cache shared:SSL:16m; 
    ssl_stapling on; 
    ssl_stapling_verify on; 
    resolver 8.8.4.4 8.8.8.8 valid=300s; 
    resolver_timeout 10s; 

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA 
-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE 
-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC 
4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; 
    ssl_prefer_server_ciphers on; 

    ssl on; 

    # Eviter de se faire piller son site (merci dsfc.net) 
    add_header X-Robots-Tag "index,follow,noarchive"; 
    # HSTS permet de déclarer au client directement dans la réponse HTTP qu'il faut communiquer en HTTPS 
    # Cette en-tête permet d'éviter le vol de cookies et le downgrade SSL 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; 
    # Evite que le contenu soit interprété différemment que définit dans le mime Type 
    add_header X-Content-Type-Options nosniff; 
    # Protection contre le clickjacking 
    add_header X-Frame-Options "SAMEORIGIN"; 
    # Protection contre les failles X-XSS 
    add_header X-XSS-Protection "1; mode=block"; 
    # Faille spécifique à IE8 
    add_header X-Download-Options noopen; 
    # Interdire l'embarquement de tout ou partie de votre site dans un site ou logiciel tiers 
    add_header X-Permitted-Cross-Domain-Policies none; 

    location/{ 
    #try_files $uri @prerender; 
    proxy_pass http://localhost:3000; 
    proxy_http_version 1.1; 
    proxy_set_header Upgrade $http_upgrade; 
    proxy_set_header Connection 'upgrade'; 
    proxy_set_header X-Forwarded-For $remote_addr; 
    } 

    location ~ ^/(images|fonts)/.*.(png|jpg|svg|jpeg|ttf|otf|woff|woff2|eot)$ { 
    root /opt/app/current/bundle/programs/web.browser/app; 
    access_log off; 
    expires max; 
    } 

    location ~ \.(css|html|ttf|otf|woff|woff2|eot)$ { 
    root /opt/app/current/bundle/programs/web.browser; 
    access_log off; 
    expires max; 
    } 
} 

如果我測試上this site的http2支持，我看到http2啓用。但在我的瀏覽器網絡上，所有請求都是http1：/

任何人都有想法？

謝謝！

Answer 1

您需要使用openssl 1.0.2或更高版本編譯的Nginx，以便HTTP/2在Chrome上工作，因爲它現在需要較新的協商HTTP/2的ALPN方法，1.0.1僅支持較早的NPN方法。

詳細信息請參閱此頁：https://www.nginx.com/blog/supporting-http2-google-chrome-users/

一旦你解決這個問題，有另一對夫婦陷阱的，可以抓住你：why Chrome browser doesn't recognize my http2 server?