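Adding the HTTP/2 special effect to nginx

Author: Semesse
Date: 2018-04-23
Category: 千叶

Why move to HTTP/2? Because it looks so cooooooooooooooool!

The official nginx documentation says the HTTP/2 module is not built by default; it has to be enabled at compile time with `--with-http_v2_module`.

* 2018.8.2: On another host where I had not compiled nginx by hand, it worked out of the box, so perhaps this is no longer needed.

Then request a certificate:

```bash
$ curl https://get.acme.sh | sh
$ ~/.acme.sh/acme.sh --issue -d example.com -k ec-256 --standalone  # choose whichever validation method suits you
# --ecc selects the ECC certificate issued above with -k ec-256;
# the full path is used because the acme.sh alias only exists in a new shell
$ ~/.acme.sh/acme.sh --install-cert -d example.com --ecc \
    --key-file /path/to/keyfile/key.pem \
    --fullchain-file /path/to/fullchain/cert.pem \
    --reloadcmd "systemctl restart nginx"
```

Finally, add the configuration to nginx and restart:

```nginx
# nginx 1.25.1 and later deprecate the "http2" listen parameter in favour of "http2 on;"
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
#ssl on;
ssl_certificate change_me;
ssl_certificate_key change_me;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
# TLS 1.2 only: TLSv1 and TLSv1.1 are deprecated (RFC 8996), and every suite
# in ssl_ciphers below requires TLS 1.2 anyway
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
```

I don't know how to configure ciphers and will never understand this stuff in my lifetime; it is all copied from the [Mozilla recommended configuration](https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations).

Tags: nginx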
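
An added example (not code from the original post): a small Python audit of an `ssl_protocols` / `ssl_ciphers` pair like the one in the nginx configuration above. It reports legacy protocols that no listed suite can serve and the suites covered by the HTTP/2 cipher blacklist (RFC 7540, Appendix A); the function names and the name-based classification are assumptions of this example and only handle explicit OpenSSL suite names, not keywords such as `HIGH` or `!aNULL`.

```python
import re

# Constructed sample: the cipher list from the config above, paired with a
# protocol line that still enables TLS 1.0 and TLS 1.1.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
"""

AEAD_TAGS = ("GCM", "CHACHA20", "CCM")

def directive(conf, name):
    """Return the argument string of the first `name ...;` directive, or ''."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", conf, re.M)
    return m.group(1).strip() if m else ""

def classify(suite):
    """Heuristic on OpenSSL TLS<=1.2 suite names (an assumption of this example)."""
    aead = any(tag in suite for tag in AEAD_TAGS)
    return {
        "aead": aead,
        # AEAD and HMAC-SHA256/384 suites only exist from TLS 1.2 onwards
        "tls12_only": aead or suite.endswith(("-SHA256", "-SHA384")),
        # Appendix A leaves out only suites with ephemeral key exchange and AEAD
        "h2_ok": aead and suite.startswith(("ECDHE-", "DHE-")),
    }

def audit(conf):
    """Cross-check the enabled protocols against the configured suites."""
    protocols = directive(conf, "ssl_protocols").split()
    suites = [s for s in directive(conf, "ssl_ciphers").split(":") if s]
    info = {s: classify(s) for s in suites}
    legacy_usable = [s for s in suites if not info[s]["tls12_only"]]
    return {
        # enabled, but every handshake at that version fails: no shared cipher
        "dead_protocols": [p for p in protocols
                           if p in ("TLSv1", "TLSv1.1") and not legacy_usable],
        # an h2 peer may reject these with INADEQUATE_SECURITY
        "h2_blacklisted": [s for s in suites if not info[s]["h2_ok"]],
        # the most preferred suite is the one that matters most for h2
        "first_suite_h2_ok": bool(suites) and info[suites[0]]["h2_ok"],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

On the sample it reports `TLSv1` and `TLSv1.1` as dead protocols and the four CBC suites at the end of the list as blacklisted for HTTP/2.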