Target environment
- CentOS 6.10 x86_64
- Nginx v1.18.0 Stable
- HTTPS/TLS v1.3 Supported
- HTTP/2 Supported
- Brotli Compression Supported
Preparation
OpenSSL v1.1.1x or later is required. For the upgrade, see "Upgrading to the latest OpenSSL and OpenSSH on CentOS 6".
Install the build tools:
yum install -y gcc git pcre pcre-devel zlib zlib-devel
Compile and install
Download
https://nginx.org/download
https://github.com/google/ngx_brotli
wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar zxvf nginx-1.18.0.tar.gz
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init
Compile
cd ../nginx-1.18.0
./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=www-data \
--group=www-data \
--add-module=../ngx_brotli \
--with-file-aio \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_v2_module \
--with-openssl=/usr/local/ssl-1.1.1g \
--with-openssl-opt=enable-tls1_3 \
--with-pcre
make
If the build fails with this error:
make[1]: * [<your_openssl_patch>/.openssl/include/openssl/ssl.h] Error 127
edit the configuration file:
vi ./auto/lib/openssl/conf
and change the following lines:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
to:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
make clean
Then compile again and the build will succeed.
./configure ... ...
make
Install
make install
Verify
/usr/sbin/nginx -V
built with OpenSSL 1.1.1g
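The check above only eyeballs the OpenSSL line. The following added example (not part of the original article) reads the `nginx -V` output and confirms that OpenSSL is 1.1.1 or later and that the SSL, HTTP/2 and Brotli modules appear in the configure arguments. The function name and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# check_nginx_build: read `nginx -V` output on stdin and report whether the
# build carries the features this guide targets. Returns 0 only if all pass.
check_nginx_build() {
    out=$(cat)
    rc=0

    # TLS 1.3 needs OpenSSL 1.1.1 or later ("built with OpenSSL 1.1.1g ...").
    ver=$(printf '%s\n' "$out" |
        sed -n 's/^built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    if [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -ge 10101 ]; then
        echo "ok    OpenSSL $ver (TLS 1.3 capable)"
    else
        echo "FAIL  OpenSSL ${ver:-not found}: 1.1.1 or later is required"
        rc=1
    fi

    # Only the configure arguments line is searched for the modules.
    args=$(printf '%s\n' "$out" | sed -n 's/^configure arguments: //p')
    for flag in --with-http_ssl_module --with-http_v2_module ngx_brotli; do
        case $args in
            *"$flag"*) echo "ok    $flag" ;;
            *)         echo "FAIL  $flag missing from configure arguments"
                       rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample outputs (not captured from a real host).
GOOD_SAMPLE='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g  21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --add-module=../ngx_brotli --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/ssl-1.1.1g'
OLD_SAMPLE='nginx version: nginx/1.18.0
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

# Demo on the constructed sample. On a real host, nginx -V writes to stderr:
#   /usr/sbin/nginx -V 2>&1 | check_nginx_build
printf '%s\n' "$GOOD_SAMPLE" | check_nginx_build
```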
Add the service
Create the file and write the following content:
vi /etc/init.d/nginx
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /etc/nginx/nginx.conf
# pidfile: /var/run/nginx.pid
# user: nginx

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/etc/nginx/nginx.conf"
lockfile=/var/run/nginx.lock

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    # Refuse to restart with a configuration that does not parse.
    configtest || return $?
    stop
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    retval=$?
    echo
    # Return the killproc status instead of the status of echo.
    return $retval
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Restart only if the service is already running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
Set the file permissions and enable start on boot
chmod +x /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
Start the service:
service nginx start
Starting nginx: [ OK ]
Configuration
In the site configuration file, append http2 to the end of each listen directive.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
...
}
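For a more detailed Nginx site configuration, see "Deploying and optimizing LEMP on a mini VPS - Nginx configuration".
Certificates
For the procedure, see "Deploying and optimizing LEMP on a mini VPS - Creating a certificate".
Testing
Visit https://www.ssllabs.com/ssltest/analyze.html
To check Brotli compression, visit https://tools.keycdn.com/brotli-test or see "Enabling the Brotli compression algorithm in Nginx - Verification".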
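Copyright notice: This is an original article; copyright belongs to BenhoN.
Article link: https://blog.benhon.net/archives/enable_tlsv1_3_and_http2_in_nginx.html
All original articles are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license. You are free to repost and modify them, but you must credit the source and must not use them for commercial purposes.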