
NGINX HTTP2 OpenSSL ALPN

changwu edited this page Mar 8, 2016 · 1 revision

NGINX

參考文章

環境

  • Ubuntu 14.04
  • nginx-1.9.12 [nginx]
  • openssl-1.0.2g [openssl]

系統

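# Create and enter a throwaway Ubuntu 14.04 VM, then switch the login shell to zsh.
# The Vagrant provider name is a single word: "virtualbox".
$ vagrant init ubuntu/trusty64; vagrant up --provider virtualbox
$ vagrant ssh
$ sudo apt-get install zsh git-core
# Do not pipe the installer straight into sh: that executes whatever the server
# returns at that moment from a mutable branch (master). Save it, read it, then run it.
$ wget -O install-oh-my-zsh.sh https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh
$ less install-oh-my-zsh.sh
$ sh install-oh-my-zsh.sh
# command -v is the portable replacement for `which`.
$ chsh -s "$(command -v zsh)"
$ sudo shutdown -r 0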

安裝

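# Build nginx from source, statically linked against a private OpenSSL tree
# (--with-openssl=...), so the binary uses OpenSSL 1.0.2 rather than the distribution's
# library. Consequence: OpenSSL fixes delivered through apt never reach this binary;
# every OpenSSL or nginx advisory means downloading new sources and rebuilding.
# nginx 1.9.12 and OpenSSL 1.0.2g date from early 2016; substitute currently
# supported releases for anything beyond a lab VM.
$ sudo apt-get install libpcre3 libpcre3-dev libssl-dev
$ cd /opt
# Fetch the nginx tarball over HTTPS together with its detached PGP signature and
# verify it before unpacking (import the nginx release signing key published on
# nginx.org into your keyring first).
$ wget https://nginx.org/download/nginx-1.9.12.tar.gz
$ wget https://nginx.org/download/nginx-1.9.12.tar.gz.asc
$ gpg --verify nginx-1.9.12.tar.gz.asc nginx-1.9.12.tar.gz
$ tar xvzf nginx-1.9.12.tar.gz
$ wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz
# Compare this digest with the one the OpenSSL project publishes for the release
# (or verify its PGP signature) before unpacking.
$ sha256sum openssl-1.0.2g.tar.gz
$ tar xvzf openssl-1.0.2g.tar.gz
$ cd nginx-1.9.12
# Notes on the configure line below:
#  - --modules-path=%{_libdir}/... contains an RPM spec macro that the shell passes
#    through literally (the `nginx -V` output on this page shows it unexpanded);
#    replace it with a real directory for your system.
#  - --user=nginx --group=nginx make the workers run as an unprivileged "nginx"
#    account. This page never creates it, so add a system account without a login
#    shell before the first start.
#  - The -fstack-protector / _FORTIFY_SOURCE / relro options are compile-time
#    hardening; keep them when trimming the line.
#  - Every --with-*_module widens what is compiled into the server (DAV, mail,
#    stream, ...); build only the modules the site actually uses.
$ ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=%{_libdir}/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-openssl=/opt/openssl-1.0.2g --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
$ make depend
$ make
$ make install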

將 nginx 加到服務內

因為 nginx 是自己編譯的, 所以必須將服務加到 init.d

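# Install a SysV init script for the self-built nginx.
# The downloaded file becomes /etc/init.d/nginx and is executed as root at every
# boot, so fetch it over HTTPS and read it before installing it. While reading,
# check that the binary path it starts matches --sbin-path=/usr/sbin/nginx.
$ wget -O init-deb.sh https://www.linode.com/docs/assets/660-init-deb.sh
$ less init-deb.sh
$ mv init-deb.sh /etc/init.d/nginx
# mv keeps the downloading user's ownership; a root-run script must be owned by
# root and not writable by anyone else.
$ chown root:root /etc/init.d/nginx
$ chmod 755 /etc/init.d/nginx
$ /usr/sbin/update-rc.d -f nginx defaults
$ /etc/init.d/nginx start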

查看 nginx

$ nginx -V

nginx version: nginx/1.9.12
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.1)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=%{_libdir}/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-openssl=/opt/openssl-1.0.2g --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

設定 nginx

$ mkdir -p /etc/nginx/sites-available
$ mkdir -p /etc/nginx/sites-enabled
$ vim /etc/nginx/nginx.conf

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
$ vim /etc/nginx/sites-available/server

# Virtual host for localhost: plain HTTP on port 80 (IPv4 and IPv6) and
# TLS + HTTP/2 on port 443 (IPv4 only; there is no "listen [::]:443" line).
# This file is saved under sites-available; nginx.conf on this page includes
# sites-enabled/*, so it only takes effect once it is linked into sites-enabled.
server {
    # Port 80 serves the same content in clear text; nothing here redirects to HTTPS.
    listen 80;
    listen [::]:80;
    # NOTE(review): no ssl_certificate / ssl_certificate_key directive appears in this
    # block. Unless they are inherited from the http{} level, TLS handshakes on 443
    # cannot succeed. Point both directives at your own certificate and key, and keep
    # the key file readable by root only. Consider restricting ssl_protocols and
    # ssl_ciphers as well instead of relying on the build's defaults.
    listen 443 ssl http2;

    server_name  localhost;

    root   /var/www/changwu.me/html;
    index  index.html index.htm;

    location / {
        # Serve the requested file or directory index, otherwise answer 404.
        try_files $uri $uri/ =404;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        # The error page is read from a different root than the site content.
        root   /usr/share/nginx/html;
    }
}