最近,我尝试升级我的服务器配置以支持HTTP 2,并注意到当浏览器尝试加载没有SSL的站点时,它会改为下载50字节的二进制文件。

配置如下。

它按预期工作 - 通过重定向将请求升级到HTTPS - 直到我将http2添加到最后重定向的listen指令。

后果是现在缓存了不安全的HTTP请求,这非常糟糕,但我想了解为什么会发生这种情况以及我应该如何配置我的服务器。

我从重定向listen指令中删除了http2

我认为最好向浏览器指定服务器全程支持http2,但它没有按计划进行 - 由于某种原因,response类型没有作为html发送。

为什么会这样?

server {
    root /var/domains/mywebsite.com/html;
    error_log off;
    access_log off;
    index index.php index.html;
    server_name mywebsite.com;

    gzip on;
    gzip_types text/plain application/xml application/json application/javascript;

    location /service-worker.js {
        add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
        expires off;
        access_log off;
    }

    location / {

        try_files $uri $uri/ /index.html;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    error_log off;
    access_log off;
    server_name www.mywebsite.com;


    location ~ {
            rewrite ^/(.*)$ https://mywebsite.com/$1 permanent;
    }

    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    server_name mywebsite.com;

    if ($host = mywebsite.com) {
        return 301 https://$host$request_uri;
    }

    listen 80 http2;
    return 404;
}

server {
    server_name www.mywebsite.com;

    if ($host = www.mywebsite.com) {
        return 301 https://$host$request_uri;
    }

    listen 80 http2;
    return 404;
}
分析解答

Nginx不允许在non-HTTPS连接上使用HTTP/2和HTTP/1。这里提出的Bug:https://trac.nginx.org/nginx/ticket/816

non-HTTPS HTTP / 2(也称为h2c)连接没有什么意义,说实话,因为web浏览器仅在HTTPS上使用HTTP/2因此没有优先考虑这个错误。

因此,从port 80服务器配置中删除http2并将其留给port 443配置。