最近,我尝试升级我的服务器配置以支持HTTP 2,并注意到当浏览器尝试加载没有SSL的站点时,它会改为下载50字节的二进制文件。
配置如下。
它按预期工作 - 通过重定向将请求升级到HTTPS - 直到我将http2
添加到最后重定向的listen
指令。
后果是现在缓存了不安全的HTTP请求,这非常糟糕,但我想了解为什么会发生这种情况以及我应该如何配置我的服务器。
我从重定向listen
指令中删除了http2
。
我认为最好向浏览器指定服务器全程支持http2,但它没有按计划进行 - 由于某种原因,response类型没有作为html发送。
为什么会这样?
server {
root /var/domains/mywebsite.com/html;
error_log off;
access_log off;
index index.php index.html;
server_name mywebsite.com;
gzip on;
gzip_types text/plain application/xml application/json application/javascript;
location /service-worker.js {
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
expires off;
access_log off;
}
location / {
try_files $uri $uri/ /index.html;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
error_log off;
access_log off;
server_name www.mywebsite.com;
location ~ {
rewrite ^/(.*)$ https://mywebsite.com/$1 permanent;
}
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name mywebsite.com;
if ($host = mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
server {
server_name www.mywebsite.com;
if ($host = www.mywebsite.com) {
return 301 https://$host$request_uri;
}
listen 80 http2;
return 404;
}
分析解答
Nginx不允许在non-HTTPS连接上使用HTTP/2和HTTP/1。这里提出的Bug:https://trac.nginx.org/nginx/ticket/816。
non-HTTPS HTTP / 2(也称为h2c)连接没有什么意义,说实话,因为web浏览器仅在HTTPS上使用HTTP/2因此没有优先考虑这个错误。
因此,从port 80服务器配置中删除http2并将其留给port 443配置。