Install the latest Nginx build (1.15.4+) on Amazon EC2 (Amazon Linux AMI), enable HTTP/2 Server Push and TLS 1.3 0-RTT – Install the latest Nginx on EC2 and enable HTTP2/Server Push and TLS1.3 0-RTT

Preface

Nginx has supported HTTP/2 server push since v1.13.9.

Since nginx 1.15.4 it also supports TLS 1.3 0-RTT (early data), which allows a zero-round-trip resumption handshake when nginx is built against OpenSSL 1.1.1.

This document shows how to install it on an AWS EC2 instance running Amazon Linux (AMI).

Steps

Make sure the kernel version is 4.13+

uname -r
# output:
# 4.14.72-68.55.amzn1.x86_64

If not, upgrade it first (look up a kernel-upgrade tutorial for your distribution yourself)

Download OpenSSL 1.1.1+ (required for TLS 1.3)

sudo su
yum install libtool perl-core zlib-devel -y
usrLocal=/usr/local/src
openSSLVersion=OpenSSL_1_1_1a
openSSLVersionUnzipped=openssl-OpenSSL_1_1_1a
openSSLFinalFolder=${usrLocal}/${openSSLVersionUnzipped}

cd ${usrLocal}
# the GitHub archive unpacks into openssl-OpenSSL_1_1_1a
curl -O -L https://github.com/openssl/openssl/archive/${openSSLVersion}.tar.gz
tar -zxvf ${openSSLVersion}.tar.gz

(Optional) Install OpenSSL 1.1.1 globally

If you want to also install OpenSSL 1.1.1 globally, perform:

cd ${openSSLVersionUnzipped}
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib && make && make install

And add it to /etc/profile.d/openssl.sh

sudo vi /etc/profile.d/openssl.sh

Paste the content

# /etc/profile.d/openssl.sh
# pathmunge is defined by /etc/profile before the /etc/profile.d/*.sh scripts are sourced
pathmunge /usr/local/openssl/bin

And edit /etc/ld.so.conf

sudo vim /etc/ld.so.conf

Paste the content

# paste this line without any prefix to /etc/ld.so.conf
/usr/local/openssl/lib

And reload the dynamic linker cache

# show which libssl/libcrypto the openssl binary currently resolves to
sudo ldd $(which openssl)
sudo ldconfig

Disconnect the SSH session and reconnect, then check the version

exit

After reconnecting to SSH

openssl version
# terminal output:
# OpenSSL 1.1.1a  20 Nov 2018

Build and Install Nginx

sudo su
usrLocal=/usr/local/src
nginxVersion=nginx-1.15.8
# OpenSSL source tree unpacked in the previous step (the shell variable was lost on reconnect)
openSSLFinalFolder=${usrLocal}/openssl-OpenSSL_1_1_1a
# the configure flags below expect an nginx user/group; create it if it does not exist yet
id nginx >/dev/null 2>&1 || useradd -r -s /sbin/nologin nginx
cd ${usrLocal}
wget http://nginx.org/download/${nginxVersion}.tar.gz
tar -xzvf ${nginxVersion}.tar.gz
cd ${nginxVersion}
./configure \
--with-openssl=${openSSLFinalFolder} \
--with-openssl-opt=enable-tls1_3 \
--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
    && make && make install

Change Nginx config

sudo vim /etc/nginx/conf.d/YOUR_CONFIG_FILE

File content

server {

        # listen 443 ssl;
        listen 443 ssl http2;

        # SSL configuration
        #
        listen [::]:443 ssl http2;
        # ... (server_name, ssl_certificate and ssl_certificate_key go here)

        # TLS1.3 suites first, then TLS1.2 ECDHE suites as fallback.
        # Note: OpenSSL 1.1.1 enables its TLS1.3 suites by default and does not
        # select them through ssl_ciphers, so the TLS13-* names (pre-release
        # OpenSSL naming) have no effect there; the remaining entries govern TLS1.2.
        ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';

        # For more security you may want to allow only TLSv1.3
        ssl_protocols TLSv1.2 TLSv1.3;

        root /PATH_TO_YOUR_DOC_ROOT;

        http2_push_preload on;

        # 0-RTT: requests carried in early data can be replayed, so pass
        # $ssl_early_data to the backend as the Early-Data header; a backend
        # that sees "Early-Data: 1" can reject non-idempotent requests with 425 Too Early.
        ssl_early_data on;
        proxy_set_header Early-Data $ssl_early_data;

        # match only URIs ending in .php
        location ~ \.php$ {
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

                # Or fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_pass    unix:/var/run/php-fpm/php-fpm.sock;
                #fastcgi_index   index.php;

                # nginx 1.13.9+
                #include fastcgi.conf;
                include fastcgi_params;

                fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
                #fastcgi_pass php;
        }
}

Restart Nginx and check

# assumes an nginx init script (e.g. from the distribution's nginx package) is already present
sudo chkconfig nginx on
sudo service nginx restart
nginx -V

Terminal output

nginx version: nginx/1.15.8
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.1.1a  20 Nov 2018
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/openssl-OpenSSL_1_1_1a --with-openssl-opt=enable-tls1_3 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
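As an added post-build check (not part of the original post), the POSIX shell script below validates from the output of `uname -r`, `nginx -V` and the server block that the build and config above meet the prerequisites: kernel 4.13+, OpenSSL 1.1.1+, the http_ssl and http_v2 modules, http2/TLSv1.3/ssl_early_data directives, and that enabling 0-RTT is paired with forwarding the Early-Data header so a backend can refuse replayed requests. The config path in check_live is a placeholder.

```shell
# Post-build sanity check for the setup above (added here, not from the original post).
# Each check takes the text to inspect as $1, so it runs on the live output of
# uname -r / nginx -V 2>&1 / the server block, or on saved copies of them.
# Kernel 4.13+ is the post's stated prerequisite.
kernel_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1); minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 13 ]
}
# TLS 1.3 / 0-RTT need nginx linked against OpenSSL 1.1.1+ ("built with OpenSSL ..." line).
openssl_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    maj=$(printf '%s' "$ver" | cut -d. -f1); min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3 | tr -dc '0-9')
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] || return 1
    [ "$min" -gt 1 ] && return 0
    [ "$min" -eq 1 ] && [ "${pat:-0}" -ge 1 ]
}

# HTTP/2 and TLS must both be compiled in (configure arguments shown by nginx -V).
modules_ok() {
    case "$1" in *--with-http_ssl_module*) ;; *) return 1 ;; esac
    case "$1" in *--with-http_v2_module*)  ;; *) return 1 ;; esac
}

# The server block must enable http2 on the TLS listener, allow TLSv1.3 and turn on early data.
config_ok() {
    printf '%s\n' "$1" | grep -q 'listen .*443 .*http2' || return 1
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ssl_protocols .*TLSv1\.3' || return 1
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ssl_early_data[[:space:]]\{1,\}on;'
}

# 0-RTT requests can be replayed, so ssl_early_data on should be paired with forwarding
# $ssl_early_data as the Early-Data header (RFC 8470) so the backend can answer 425 Too Early.
early_data_guarded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*ssl_early_data[[:space:]]\{1,\}on;' || return 0
    printf '%s\n' "$1" | grep -q 'Early-Data[[:space:]]\{1,\}[$]ssl_early_data'
}

# Run every check on this host (the config path is a placeholder for your site file).
check_live() {
    v=$(nginx -V 2>&1); c=$(cat /etc/nginx/conf.d/YOUR_CONFIG_FILE 2>/dev/null); k=$(uname -r)
    for t in kernel_ok openssl_ok modules_ok config_ok early_data_guarded; do
        case $t in kernel_ok) arg=$k ;; openssl_ok|modules_ok) arg=$v ;; *) arg=$c ;; esac
        if "$t" "$arg"; then echo "ok   $t"; else echo "FAIL $t"; fi
    done
}
```

Source the file and call `check_live` on the instance; each check prints `ok` or `FAIL`.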

Test HTTP2 / 0-RTT early data end to end

Test with WordPress W3Total Cache HTTP/2 PUSH

Test in my Church website

0-RTT with early data

domainToTest=www.YOUR_DOMAIN.com

# If your OpenSSL 1.1.1 is already installed globally you can test from here; otherwise go back to the optional global-install step first.
# 1) Full handshake: save the session (and its TLS1.3 ticket). Type Q and press Enter once the handshake has completed.
openssl s_client -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -connect ${domainToTest}:443 -sess_out session.pem
# 2) The request to send as early data (the post does not show this file; a plain GET is assumed)
printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "${domainToTest}" > /tmp/https.txt
# 3) Resume with the saved session and send the request as 0-RTT early data
echo -n | openssl s_client -CAfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -connect ${domainToTest}:443 -sess_in session.pem -early_data /tmp/https.txt

In the output, look for `Max Early Data: ****` in the session details (a non-zero value means the server offered early data) and for the line `Early data was accepted`, which confirms the 0-RTT request was taken.