Setting up HTTP/2 on an Nginx server

1. Download the NGINX source code and compile it

  

./configure --prefix=/home/damon/dev/3rd/sdk/x86/local_server/nginx --with-http_ssl_module --with-http_v2_module --with-debug
make install

Configure the HTTPS server

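    server {
        listen [::]:443 ssl http2 ipv6only=on;
        listen       443 ssl http2;
        server_name  localhost;

        # Serve the CA-signed server certificate and its unencrypted key
        # (server.crt / server.key from the certificate steps below, assumed
        # to sit in the same directory as rootCA.pem). The root CA private
        # key must stay off the web server.
        ssl_certificate      /home/damon/dev/tools/openssl/server.crt;
        ssl_certificate_key  /home/damon/dev/tools/openssl/server.key;

        # HTTP/2 requires TLS 1.2 or later; TLSv1 and TLSv1.1 are deprecated.
        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }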

Generating local certificates

Generate the local root certificate:
# Generate a 4096-bit root key, encrypted with AES-256
openssl genrsa -aes256 -out rootCA.key 4096

Enter pass phrase for rootCA.key: password
Verifying - Enter pass phrase for rootCA.key: password


# Use the root key to generate the root certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Enter pass phrase for rootCA.key: password
You are about to be asked to enter information that will be incorporated
...
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dreaming.org
Organizational Unit Name (eg, section) []:Dreaming CA
Common Name (e.g. server FQDN or YOUR name) []:Dreaming ROOT CA
Email Address []:
Generating a RSA private key

# Generate the server private key and certificate signing request (CSR)
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf

# Sign the server certificate with the local root CA
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 600 -sha256 -extfile v3.ext

Contents of server.csr.cnf

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C            = CN
ST           = Beijing
L            = Beijing
O            = MyOrganization
OU           = MyOrganizationUnit
emailAddress = [email protected]
CN           = localhost

Contents of v3.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names

[alt_names]
DNS.1=localhost

The server block as added to nginx

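    server {
        listen [::]:443 ssl http2 ipv6only=on;
        listen       443 ssl http2;
        server_name  localhost;

        # Serve the CA-signed server certificate and its unencrypted key
        # (server.crt / server.key generated above, assumed to sit in the
        # same directory as rootCA.pem). The root CA private key must stay
        # off the web server.
        ssl_certificate      /home/damon/dev/tools/openssl/server.crt;
        ssl_certificate_key  /home/damon/dev/tools/openssl/server.key;

        # HTTP/2 requires TLS 1.2 or later; TLSv1 and TLSv1.1 are deprecated.
        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }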
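
The checks below are an added example, not part of the original post: a shell function that confirms the files handed to nginx are the CA-signed server certificate and its matching key rather than the root CA pair. The function name `check_server_cert` is hypothetical; file names follow the article, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). check_server_cert is a
# hypothetical helper; file names follow the article's openssl steps.
#
# usage: check_server_cert <rootCA.pem> <server.crt> <server.key>
# Prints one line per failed check; returns 0 only if every check passes.
check_server_cert() {
    ca=$1 crt=$2 key=$3 rc=0

    # 1. The server certificate must chain to the local root CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }

    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)

    # 2. Clients match the host name against subjectAltName (v3.ext),
    #    so the DNS entry for localhost has to be present.
    printf '%s\n' "$text" | grep -q 'DNS:localhost' ||
        { echo "FAIL: $crt has no subjectAltName DNS:localhost"; rc=1; }

    # 3. A CA certificate must never be the one nginx serves.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL: $crt is a CA certificate"; rc=1
    fi

    # 4. The private key must belong to this certificate. The empty
    #    -passin keeps openssl from prompting if the key is encrypted.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; rc=1; }

    # 5. nginx cannot load a passphrase-protected key unattended; keys
    #    written by "openssl genrsa -aes256" carry an ENCRYPTED marker.
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: $key is passphrase-protected"; rc=1
    fi

    return $rc
}
```

Run it as `check_server_cert rootCA.pem server.crt server.key` in the directory holding the generated files. Once nginx has been reloaded, `curl --http2 --cacert rootCA.pem -sI https://localhost/` should return an `HTTP/2` status line.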

 
