
To get that dark-blue lightning bolt in Chrome, I want Apache to serve the HTTP/2 protocol.

My environment is CentOS 6.6, with OpenSSL upgraded to 1.0.2 (that version or newer is required).

Apache itself is built from the 2.4.17 release.

Build openssl-1.0.2

wget https://www.openssl.org/source/openssl-1.0.2e.tar.gz
tar zxvf openssl-1.0.2e.tar.gz
cd openssl-1.0.2e
./config shared
make
make install

Build pcre

wget "http://downloads.sourceforge.net/project/pcre/pcre/8.37/pcre-8.37.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fpcre%2Ffiles%2Fpcre%2F8.37%2F&ts=1449193330&use_mirror=nchc" -O pcre-8.37.tar.gz
tar zxvf pcre-8.37.tar.gz
cd pcre-8.37
./configure --prefix=/usr/local/pcre
make
make install

Build nghttp2

wget https://github.com/tatsuhiro-t/nghttp2/releases/download/v1.5.0/nghttp2-1.5.0.tar.gz
tar zxvf nghttp2-1.5.0.tar.gz
cd nghttp2-1.5.0
./configure --prefix=/usr/local/nghttp2
make
make install

or, from git:
git clone https://github.com/tatsuhiro-t/nghttp2.git
cd ./nghttp2
autoreconf -i
automake
autoconf
./configure --prefix=/usr/local/nghttp2
make
make install
ldconfig

Build httpd-2.4.17

# download httpd
wget http://apache.stu.edu.tw//httpd/httpd-2.4.17.tar.gz
tar zxvf httpd-2.4.17.tar.gz

# download apr and apr-util, then drop them into httpd's srclib directory
wget http://apache.stu.edu.tw//apr/apr-1.5.2.tar.gz
tar zxvf apr-1.5.2.tar.gz
mv apr-1.5.2 httpd-2.4.17/srclib/apr
wget http://apache.stu.edu.tw//apr/apr-util-1.5.4.tar.gz
tar zxvf apr-util-1.5.4.tar.gz
mv apr-util-1.5.4 httpd-2.4.17/srclib/apr-util

# build httpd
cd httpd-2.4.17
env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure --prefix=/usr/local/apache --with-pcre=/usr/local/pcre --enable-http2 --enable-nghttp2-staticlib-deps --with-nghttp2=/usr/local/nghttp2
make
make install

Edit the Apache config

# vi /usr/local/apache/conf/httpd.conf
User apache
Group apache
ServerName XX.com
LoadModule http2_module modules/mod_http2.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
<IfModule http2_module>
   ProtocolsHonorOrder On
   # one Protocols line covers both cases: h2 is used for https, h2c for plain http
   # (httpd does not accept trailing comments on a directive line, and a second
   # Protocols line in the same scope would replace the first one)
   Protocols h2 h2c http/1.1
</IfModule>

Generate the SSL key and certificate

openssl req -new -sha256 -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/apache/conf/server.key -out /usr/local/apache/conf/server.crt

Edit the SSL config

# vi /usr/local/apache/conf/extra/httpd-ssl.conf
# comment out SSLSessionCache
#SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"

# KEY
SSLCertificateFile "/usr/local/apache/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"

# security settings follow
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSLProtocol All -SSLv2 -SSLv3

Start httpd

env LD_LIBRARY_PATH=/usr/local/ssl/lib /usr/local/apache/bin/apachectl start

Q:
mod_ssl.so cannot be found
A:
export LD_LIBRARY_PATH=/usr/local/ssl/lib/

With that, visiting the site in Google Chrome shows the dark-blue lightning bolt.

To check with the curl command, the curl build must support HTTP/2 (build a recent release; only versions above a certain point support http/2).

wget http://curl.haxx.se/download/curl-7.46.0.tar.gz
tar zxvf curl-7.46.0.tar.gz
cd curl-7.46.0
env LD_LIBRARY_PATH=/usr/local/nghttp2/lib ./configure --with-nghttp2=/usr/local/nghttp2 --with-ssl=/usr/local/ssl
make
make install

Q:
configure: error: one or more libs available at link-time are not available run-time. Libs used at link-time: -lnghttp2 -lssl -lcrypto -lssl -lcrypto -lz -lrt
A:
# export (rather than a bare env, which sets nothing) so the configure test programs can load both libraries at run time
export LD_LIBRARY_PATH=/usr/local/nghttp2/lib:/usr/local/ssl/lib

Browse HTTP with curl

curl --http2 -I http://localhost

Success shows as status 101 Switching Protocols:

HTTP/1.1 101 Switching Protocols
Upgrade: h2c
Connection: Upgrade

HTTP/2.0 200
date:Fri, 04 Dec 2015 06:01:59 GMT
server:Apache/2.4.17 (Unix) OpenSSL/1.0.2e
last-modified:Mon, 11 Jun 2007 18:53:14 GMT
etag:"2d-432a5e4a73a80"
accept-ranges:bytes
content-length:45
content-type:text/html

Browse HTTPS with curl

curl --http2 -I -v -k https://localhost
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* 	 subject: C=XX; L=Default City; O=Default Company Ltd
* 	 start date: Dec  4 02:23:24 2015 GMT
* 	 expire date: Dec  3 02:23:24 2016 GMT
* 	 issuer: C=XX; L=Default City; O=Default Company Ltd
* 	 SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x9c4070)
> HEAD / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/2.0 200
HTTP/2.0 200
< date:Fri, 04 Dec 2015 06:04:01 GMT
date:Fri, 04 Dec 2015 06:04:01 GMT
< server:Apache/2.4.17 (Unix) OpenSSL/1.0.2e
server:Apache/2.4.17 (Unix) OpenSSL/1.0.2e
< last-modified:Mon, 11 Jun 2007 18:53:14 GMT
last-modified:Mon, 11 Jun 2007 18:53:14 GMT
< etag:"2d-432a5e4a73a80"
etag:"2d-432a5e4a73a80"
< accept-ranges:bytes
accept-ranges:bytes
< content-length:45
content-length:45
< content-type:text/html
content-type:text/html

< 
* Connection #0 to host localhost left intact

Seeing h2c or h2 in the output means it worked.
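An external check of what the server actually negotiates, as an added example that is not part of the original post: it offers h2 and http/1.1 via ALPN the way curl does above, then grades the result against the TLS requirements HTTP/2 places on the connection (TLS 1.2 or newer, ephemeral key exchange, AEAD cipher suite), which is what the SSLProtocol and SSLCipherSuite lines are there to guarantee. The target host defaults to localhost (an assumption) and, because the post uses a self-signed certificate, the usage call disables verification.

```python
import socket
import ssl
import sys

# TLS versions that RFC 7540 section 9.2 does not allow underneath HTTP/2.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def assess(alpn, tls_version, cipher):
    """Grade a negotiated (ALPN protocol, TLS version, cipher name) tuple.

    Returns a list of findings; an empty list means the server behaves the way
    the Protocols / SSLProtocol / SSLCipherSuite settings above intend.
    """
    findings = []
    if alpn != "h2":
        findings.append("server did not negotiate h2 via ALPN (got %r)" % alpn)
    if tls_version in WEAK_TLS:
        findings.append("%s is below the TLS 1.2 floor for HTTP/2" % tls_version)
    # TLS 1.3 suites are always ephemeral, so the name check only applies below it.
    if tls_version != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("cipher %s lacks ephemeral key exchange" % cipher)
    if not any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append("cipher %s is not an AEAD suite" % cipher)
    return findings


def probe(host, port=443, verify=True):
    """Offer h2 then http/1.1 via ALPN, like curl --http2, and report the result."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    if not verify:  # only for a self-signed lab certificate like the one generated above
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite = tls.cipher()  # (name, protocol, bits) or None
            cipher_name = suite[0] if suite else ""
            return tls.selected_alpn_protocol(), tls.version(), cipher_name


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default host
    alpn, version, cipher = probe(target, verify=False)
    print("ALPN=%s TLS=%s cipher=%s" % (alpn, version, cipher))
    for finding in assess(alpn, version, cipher):
        print("WARN:", finding)
```

Run as `python3 h2check.py XX.com` against the freshly built server; no warnings plus ALPN=h2 reproduces what the curl -v session above shows.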


In Firefox you need to install the HTTP/2 and SPDY indicator add-on to see it.



Comments

I visited your site with Chrome and could not see the lightning bolt. Do I need to install some add-on?

Author: NGINX has HTTP/2 built in from version 1.9.5 onward.

Author: CloudFlare offers a number of tools for testing HTTP/2: https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/
