Recently, some problems came up while migrating code on the company's VMs. One VM is configured for the HTTPS protocol. The expectation was that, after migrating the security certificate, nginx could simply be configured. But after modifying the nginx configuration file and running the nginx -t command, the following message was reported:
nginx: [warn] invalid parameter "spdy": ngx_http_spdy_module was superseded by ngx_http_v2_module in /usr/local/nginx/conf/sites-enable
After searching online, it turned out that the cause was the nginx version. In the VM environment before migration, nginx was version 1.8, and nginx on the new VM is version 1.10. According to the official instructions, to enable the ssl protocol in version 1.9.5 or above, the original ssl configuration needs to be rewritten:
Old ssl configuration: listen 443 ssl spdy;
New ssl configuration: listen 443 default_server ssl http2;
After this modification, nginx -t is executed again and the following is reported:
nginx: [emerg] the "http2" parameter requires ngx_http_v2_module in /usr/local/nginx/conf/sites-enable
The reason is that nginx has replaced ngx_http_spdy_module with ngx_http_v2_module since 1.9.5, and has officially begun to support the http2 protocol. So there was no way around it: I had to download the source code of the new version of nginx, recompile it and upgrade.
For some explanations of SPDY and HTTP2 protocols, you can refer to the following contents:
(2)Definition of HTTP2 Protocol
The following is a record of the process of upgrading nginx and configuring ssl.
Notes:
1. To turn on HTTP/2 protocol support, you need nginx version 1.10 or above, compiled against OpenSSL library version 1.0.2 or above.
2. HTTP/2 can only be enabled for https websites.
Upgrading OpenSSL
The HTTP/2 protocol relies on ALPN (Application Layer Protocol Negotiation) support. At present, the OpenSSL library built into all mainstream Unix server systems is older than version 1.0.2. Using OpenSSL's command line tool, you can check whether the current http2 service supports ALPN:
openssl s_client -alpn h2 -servername topics.orthonline.com.cn -connect topics.orthonline.com.cn:443 < /dev/null | grep 'ALPN'
If an error is reported:
unknown option -alpn
it means that the current version of OpenSSL does not support ALPN. Execute the following command to check the version of OpenSSL:
openssl version
My current local version is OpenSSL 1.0.1e-fips, which needs to be upgraded.
Specific operation steps:
1. Download the latest version of the OpenSSL library, then compile and install it
wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz
tar xzf openssl-1.1.0f.tar.gz
cd openssl-1.1.0f
./config --prefix=/usr/local/openssl
make && make install
2. Replace the old version of the libraries
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# Link to the new library files
ln -s /usr/local/openssl/lib/libssl.so /usr/local/lib64/libssl.so
ln -s /usr/local/openssl/lib/libcrypto.so /usr/local/lib64/libcrypto.so
# Check whether the updated openssl dependency library is 1.1.0f
strings /usr/local/lib64/libssl.so | grep OpenSSL
# The result shows that the link library has been upgraded to the latest version:
# OpenSSL 1.1.0f 25 May 2017
# Configure the search path for the openssl library files
echo '/usr/local/openssl/lib' >> /etc/ld.so.conf
# Make the modified search path take effect
ldconfig -v
# View the openssl version; the result shows that the upgrade was successful:
openssl version
# OpenSSL 1.1.0f 25 May 2017
Upgrading nginx
1. Download the latest version of the nginx source code, unpack it and compile it
wget http://nginx.org/download/nginx-1.10.3.tar.gz
tar zxvf nginx-1.10.3.tar.gz
cd nginx-1.10.3
# Configure the nginx build and add the http_v2 module. The new configure command is as follows
./configure --prefix=/usr/local/nginx \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --sbin-path=/usr/local/nginx/sbin/nginx \
  --pid-path=/usr/local/nginx/nginx.pid \
  --error-log-path=/var/log/nginx/nginx-error.log \
  --http-log-path=/var/log/nginx/nginx-access.log \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-http_flv_module \
  --with-http_mp4_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_secure_link_module \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-openssl=/home/softwares/openssl-1.1.0f
After configuration is complete, run make, but do not run make install:
make
Rename the old version of the nginx binary file. During this period, the currently running nginx process does not stop, so the running application is not affected:
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
Then copy the new nginx binary file compiled by make to the running directory:
cp objs/nginx /usr/local/nginx/sbin/nginx
In the root of the source directory, execute the upgrade command:
make upgrade
Note: If ssl-related configuration is written in the original configuration file, it needs to be commented out temporarily, otherwise the upgrade will report an error.
Upon completion of the upgrade, execute:
nginx -V
You can see that nginx has been updated to version 1.10.3.
With this, the nginx upgrade is complete and support for http2 and https has been turned on.
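The two requirements from the notes above can be checked from `nginx -V` output before touching any listen directive. This is an added example, not part of the original post; the function names and both sample outputs are constructed for illustration, and only the build-time OpenSSL version is examined.

```shell
#!/bin/sh
# True when dotted version $1 >= $2; letter suffixes (1.0.1e-fips) are dropped.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/[^0-9.]/, "", a); gsub(/[^0-9.]/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = x[i] + 0; q = y[i] + 0   # numeric compare, so 1.10 sorts above 1.9
      if (p != q) exit !(p > q)
    }
    exit 0
  }'
}

# Reads `nginx -V` text on stdin; prints findings, returns 0 only when the
# binary can serve "listen 443 ssl http2;" with ALPN.
http2_preflight() {
  info=$(cat)
  ngx=$(printf '%s\n' "$info" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
  ssl=$(printf '%s\n' "$info" | sed -n 's|^built with OpenSSL \([^ ]*\).*|\1|p')
  rc=0
  if ! version_ge "$ngx" 1.9.5; then
    echo "FAIL: nginx ${ngx:-unknown} < 1.9.5, no ngx_http_v2_module"; rc=1
  fi
  case "$info" in
    *--with-http_v2_module*) ;;
    *) echo "FAIL: not configured with --with-http_v2_module"; rc=1 ;;
  esac
  if ! version_ge "$ssl" 1.0.2; then
    echo "FAIL: built with OpenSSL ${ssl:-none} < 1.0.2, no ALPN"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: nginx $ngx, OpenSSL $ssl, http_v2 compiled in"; fi
  return "$rc"
}

# Constructed samples shaped like `nginx -V` output before and after the rebuild.
BEFORE='nginx version: nginx/1.10.3
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'
AFTER='nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f  25 May 2017
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module'

# Real use: nginx -V 2>&1 | http2_preflight   (nginx -V writes to stderr)
printf '%s\n' "$BEFORE" | http2_preflight || true
printf '%s\n' "$AFTER" | http2_preflight || true
```

A non-zero exit status makes the function usable as a gate in a deployment script ahead of nginx -t.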
IV. Modify the relevant nginx configuration files
In the configuration file of each application that needs https protocol support, add the following:
listen 443 ssl http2;
Restart nginx to complete the https settings.