listen 443 default_server; 我是这样配置的应该怎么修改 listen 443 ssl http2; # 启用HTTP/2

not image

要将Nginx的配置从 `listen 443 default_server;` 修改为启用SSL和HTTP/2,请按照以下步骤操作: --- ### **1. 修改 `listen` 指令** 将原来的监听行改为: ```nginx listen 443 ssl http2 default_server; ``` - **`ssl`**:启用SSL/TLS加密。 - **`http2`**:启用HTTP/2协议(需Nginx 1.9.5+且依赖OpenSSL 1.0.2+)。 - **`default_server`**:保持默认服务器标识。 --- ### **2. 配置SSL证书路径** 在 `server` 块中添加SSL证书和私钥的路径: ```nginx ssl_certificate /etc/nginx/ssl/your_domain.crt; # 证书文件路径 ssl_certificate_key /etc/nginx/ssl/your_domain.key; # 私钥文件路径 ``` - 确保证书文件和私钥文件实际存在,且Nginx有权限读取。 - 如果证书链不完整(如中间证书),需将中间证书合并到证书文件中。 --- ### **3. 推荐的SSL安全配置** 添加以下参数以增强安全性(可选但推荐): ```nginx ssl_protocols TLSv1.2 TLSv1.3; # 禁用不安全的旧版本(如SSLv3、TLSv1.0/1.1) ssl_ciphers HIGH:!aNULL:!MD5; # 使用强加密套件 ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # 会话缓存 ssl_session_timeout 10m; # 会话超时时间 ssl_stapling on; # 启用OCSP装订 ssl_stapling_verify on; # 验证OCSP响应 resolver 8.8.8.8 valid=300s; # DNS解析器(用于OCSP) resolver_timeout 5s; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS头 ``` --- ### **4. 检查IPv6支持(可选)** 如果需要支持IPv6,添加: ```nginx listen [::]:443 ssl http2 default_server; ``` --- ### **5. 验证Nginx配置** 运行以下命令检查配置是否正确: ```bash nginx -t ``` 如果提示 `syntax is ok` 和 `test is successful`,则配置无误。 --- ### **6. 重载Nginx** 应用更改: ```bash nginx -s reload ``` --- ### **7. 验证HTTP/2和SSL** - **浏览器访问**:使用Chrome开发者工具(F12)查看“Network”标签,检查协议是否为`h2`(HTTP/2)。 - **在线工具**:通过 [SSL Labs](https://www.ssllabs.com/ssltest/) 测试SSL配置安全性。 - **命令行检查**: ```bash curl -I --http2 https://your_domain ``` --- ### **常见问题排查** - **证书路径错误**:确保 `ssl_certificate` 和 `ssl_certificate_key` 的路径正确。 - **OpenSSL版本不足**:Nginx需使用OpenSSL 1.0.2+(支持ALPN),可通过 `nginx -V` 检查。 - **HTTP/2未生效**:确认Nginx编译时包含 `--with-http_v2_module`(通过 `nginx -V` 验证)。 - **证书过期或不信任**:使用受信任的CA证书(如Let's Encrypt)。 --- ### **完整配置示例** ```nginx server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name example.com; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 valid=300s; resolver_timeout 5s; add_header Strict-Transport-Security "max-age=31536000; includeSub

China-Hubei-Ezhou
Facebook Twitter Pinterest

评论区:

评论:

请输入内容:

关于我:

not image

Hello I’m Jenny Kurto author of Letter town blog. This is my personal space which is like to share others. And i’m living New York city working and blogging.

More story

热门试题:

我的热门:

not image

Meet my workspace

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry.

not image

This is how to unique idea born

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry.

not image

Only you will choose your life.

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry.

我的标签:

clean minimal cloudy video template fashion bloggers carefully handcrafted print psd music food recipe