ToC - 文章结构
Preface
Starting with Nginx v1.13.9, we finally get HTTP/2 Server Push.
And since nginx 1.15.4
it also supports TLS 1.3 0-RTT (early data), which allows a zero-round-trip handshake (with OpenSSL 1.1.1).
Here is a guide for installing it on AWS EC2 (Amazon Linux AMI).
Steps
Make sure Kernel version is 4.13+
# Print the running kernel release; this guide expects 4.13 or newer before continuing.
uname -r
# output:
# 4.14.72-68.55.amzn1.x86_64
If not, upgrade it first (please search for a tutorial yourself).
Download OpenSSL 1.1.1+ (for TLS1.3 to work)
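sudo su
yum install libtool perl-core zlib-devel -y
# Build directory and the OpenSSL release to fetch (a GitHub tag; its archive
# unpacks into openssl-<tag>). openSSLFinalFolder is reused by the nginx
# --with-openssl step later, so keep these names in sync.
usrLocal=/usr/local/src
openSSLVersion=OpenSSL_1_1_1a
openSSLVersionUnzipped=openssl-${openSSLVersion}
openSSLFinalFolder=${usrLocal}/${openSSLVersionUnzipped}
# Stop here if the build directory is unusable instead of downloading into
# whatever the current directory happens to be.
cd "${usrLocal}" || exit 1
# NOTE(review): nothing verifies the downloaded archive; compare it against the
# checksum/signature published upstream before building from it.
curl -O -L "https://github.com/openssl/openssl/archive/${openSSLVersion}.tar.gz"
tar -zxvf "${openSSLVersion}.tar.gz"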
(Optional) Install OpenSSL 1.1.1 globally
If you want to also install OpenSSL 1.1.1 globally, perform:
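# Build inside the unpacked source tree. Chaining with && stops the sequence
# if the cd fails, instead of running ./config in the wrong directory.
# --prefix/--openssldir keep this install under /usr/local/openssl, separate
# from the distribution's OpenSSL.
cd "${openSSLVersionUnzipped}" \
  && ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib \
  && make \
  && make install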
And add it to /etc/profile.d/openssl.sh
sudo vi /etc/profile.d/openssl.sh
Paste the content
# /etc/profile.d/openssl.sh
# pathmunge is a helper defined by /etc/profile on RHEL-family systems while
# the profile.d scripts are sourced; presumably it prepends the directory to
# PATH when it is not already there — confirm in /etc/profile.
# NOTE(review): profile.d only applies to login shells; services and cron jobs
# keep the distribution's openssl on their PATH.
pathmunge /usr/local/openssl/bin
And edit `/etc/ld.so.conf`
sudo vim /etc/ld.so.conf
Paste the content
# paste this line without any prefix to /etc/ld.so.conf
/usr/local/openssl/lib
And reload ldconfig
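# Refresh the loader cache first so the /usr/local/openssl/lib entry added to
# ld.so.conf is searched, then confirm the new binary resolves libssl/libcrypto
# from there. Check the freshly installed binary by its full path: in this
# shell `which openssl` still resolves to the distribution's binary, because
# the PATH change from /etc/profile.d has not been loaded yet.
sudo ldconfig
ldd /usr/local/openssl/bin/openssl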
Disconnect the shell / SSH session, reconnect, and check the version
exit
After reconnecting via SSH
# Expect the 1.1.1 build installed above. If the distribution's version is
# printed, the PATH change from /etc/profile.d is not active in this session.
openssl version
# terminal output:
# OpenSSL 1.1.1a 20 Nov 2018
Build and Install Nginx
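usrLocal=/usr/local/src
nginxVersion=nginx-1.15.8
# Same directory the OpenSSL step unpacked into; redefined here so this block
# also works in a fresh shell where the earlier variables are gone.
openSSLFinalFolder=${usrLocal}/openssl-OpenSSL_1_1_1a
cd "${usrLocal}" || exit 1
# Fetch over HTTPS rather than plain HTTP. nginx.org publishes a PGP signature
# next to each tarball — verify it before building.
wget "https://nginx.org/download/${nginxVersion}.tar.gz"
tar -xzvf "${nginxVersion}.tar.gz"
# --with-openssl points nginx at the unpacked 1.1.1 source tree, so the build
# does not rely on the distribution's older libssl (see `nginx -V` below).
# --with-openssl-opt=enable-tls1_3 is passed through to OpenSSL's config.
# The cc/ld options keep FORTIFY_SOURCE, stack protector, RELRO/BIND_NOW and
# PIE hardening on the resulting binary.
# NOTE(review): --user=nginx/--group=nginx and the /var/cache/nginx temp paths
# assume that user and directory exist — create them before starting nginx.
cd "${nginxVersion}" \
  && ./configure \
  --with-openssl="${openSSLFinalFolder}" \
  --with-openssl-opt=enable-tls1_3 \
  --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' \
  && make && make install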
Change Nginx config
# NOTE(review): the stock nginx.conf that `make install` puts at
# /etc/nginx/nginx.conf may not include conf.d/*.conf — confirm an include
# line exists, or put the server block into nginx.conf directly.
sudo vim /etc/nginx/conf.d/YOUR_CONFIG_FILE
File content
server {
# listen 443 ssl;
# `http2` on the TLS listener enables HTTP/2; the pre-HTTP/2 form is kept
# above for comparison.
listen 443 ssl http2;
# SSL configuration
#
# Same for IPv6 clients.
listen [::]:443 ssl http2;
# ... (certificate directives and the rest of the server configuration)
}
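# These directives belong inside the server { } block shown above.

# With TLS1.3 stronger ciphers, and support fallback to TLS1.2
# NOTE(review): the TLS13-* names are draft-era names. With an OpenSSL 1.1.1
# release build, TLS 1.3 suites are selected through OpenSSL's separate
# ciphersuites setting (TLS_AES_256_GCM_SHA384 style names), which ssl_ciphers
# does not control, so the TLS 1.3 part of this string is most likely ignored
# and OpenSSL's TLS 1.3 defaults apply. The EECDH+ (TLS 1.2) part still takes effect.
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';
# For more security, maybe you just want to leave TLSv1.3
ssl_protocols TLSv1.2 TLSv1.3;
root /PATH_TO_YOUR_DOC_ROOT;
http2_push_preload on;
# 0-RTT: data sent as early data can be replayed, so anything upstream must
# treat a request carrying Early-Data: 1 as replayable — serve only idempotent
# requests from early data and answer 425 Too Early for the rest.
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
# Anchored regex: the unanchored ".php" (unescaped dot) matched any URI that
# merely contains "php", e.g. /image.php.jpg. Use \.php(/|$) instead if
# PATH_INFO style URLs (/index.php/foo) are required.
location ~ \.php$ {
    #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    # Refuse URIs that do not map to an existing file, so PHP-FPM is never
    # asked to guess a script from a partial path.
    try_files $uri =404;
    # Or fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    #fastcgi_index index.php;
    # nginx 1.13.9+
    #include fastcgi.conf;
    include fastcgi_params;
    # The two nginx variables were lost in the original ("document_root/fastcgi_script_name").
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
    #fastcgi_pass php;
}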
Restart Nginx and check
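# NOTE(review): `make install` from source typically does not ship an init
# script — chkconfig/service need /etc/init.d/nginx (or an equivalent) to exist.
sudo chkconfig nginx on
# Validate the configuration before restarting so a typo does not take the
# running server down; the restart only happens when the test passes.
sudo nginx -t && sudo service nginx restart
nginx -V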
Terminal output
nginx version: nginx/1.15.8
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.1a 20 Nov 2018
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/openssl-OpenSSL_1_1_1a --with-openssl-opt=enable-tls1_3 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Test HTTP2 / 0-RTT early data end to end
Test with WordPress W3Total Cache HTTP/2 PUSH
0-RTT with early data
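domainToTest=www.YOUR_DOMAIN.com
caBundle=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Needs an openssl binary with TLS 1.3 support (the 1.1.1 build installed
# globally above); if it is not installed globally, return to that step first.
# 1) Full handshake; the session is saved to session.pem in the current
#    directory. End the connection (e.g. Ctrl-D) once the handshake is done.
openssl s_client -CAfile "${caBundle}" -connect "${domainToTest}:443" -sess_out session.pem
# 2) Resume the saved session and send the contents of /tmp/https.txt as
#    0-RTT early data; stdin is empty. Only put an idempotent request (e.g. a
#    GET) in that file — early data is replayable.
openssl s_client -CAfile "${caBundle}" -connect "${domainToTest}:443" -sess_in session.pem -early_data /tmp/https.txt </dev/null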
Check the `Max Early Data: ****` line in the output.