Enabling the HTTP/2 transport protocol in Tengine on CentOS 6

Keywords: Operation & Maintenance OpenSSL Nginx SSL yum

1. Preface

Recently we have been optimizing our website's access speed, and as part of that we enabled the HTTP/2 protocol for the site. What are the advantages of this protocol? They are as follows:

  • HTTP/2 is the next-generation transport protocol; it will be widely used in the future, and adopting it is the trend.

  • HTTP/2 supports multiplexing: when resources under one domain name are accessed, multiple requests share a single TCP connection, so it is much faster than HTTP/1.1.

2. Preparations

  • OpenSSL must be recompiled at version 1.0.2 or above, because our systems all run CentOS 6, which does not support updating OpenSSL directly from yum. On CentOS 7 it can be updated directly with yum update openssl -y

  • After compiling OpenSSL, Tengine must be recompiled against the new OpenSSL library files. The Tengine version we use is Tengine/2.2.2.

3. Operation steps

  • Install openssl-1.0.2t
#Enter /usr/local/src; source packages are generally kept here
cd /usr/local/src
#Download the installation package
wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz

tar -zxvf openssl-1.0.2t.tar.gz

cd openssl-1.0.2t

./config shared zlib
#Installs to /usr/local/ssl by default
make && make install
#Back up the previous version first
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
#Create symbolic links to the new version
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
#Add the dynamic library directory to the system configuration path
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
#Rebuild the linker cache, then check whether the dynamic library has taken effect
ldconfig
ldconfig -p
#Check the openssl version
openssl version
  • Install Tengine
cd /usr/local/src

wget http://tengine.taobao.org/download/tengine-2.2.2.tar.gz

tar -zxvf tengine-2.2.2.tar.gz

cd tengine-2.2.2
#The Tengine build script needs to be modified here. Because we compiled openssl manually, the path of the dependency library differs from that of the system-installed one, so we need to specify it by hand
vim auto/lib/openssl/conf
#Around line 32, the original configuration is as follows:
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
#Change it as follows (remove ".openssl/" from each path), then save and exit
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"

#Install some dependencies first (I am upgrading, so I do not actually need to install them; they are needed when installing Tengine for the first time)
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel   gcc gcc-c++ autoconf automake jemalloc jemalloc-devel
#Begin compiling Tengine
cd /usr/local/src/tengine-2.2.2  && ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-http_concat_module --with-jemalloc --with-http_v2_module --with-http_secure_link_module --with-openssl=/usr/local/ssl
#Note: if you are installing Tengine for the first time, you only need to execute the following command
make install
#But I already have it installed, so I only build (make, without install) and back up the old Tengine binaries
make
cp -af /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak
cp -af /usr/local/nginx/sbin/dso_tool /usr/local/nginx/sbin/dso_tool_bak
#Copy the newly compiled Tengine binaries to the corresponding directory
cp /usr/local/src/tengine-2.2.2/objs/nginx /usr/local/nginx/sbin/
cp /usr/local/src/tengine-2.2.2/objs/dso_tool /usr/local/nginx/sbin/
#Then restart Tengine; the compilation and installation are now complete
  • Tengine http2 configuration
#Configuring http2 is simple, as follows:
server {
    #Plain HTTP does not support the http2 transport protocol, so port 80 does not change
    listen 80;
    #Add http2 to the listen directive of the existing https configuration
    listen 443 ssl http2;
    server_name www.oneq.work;
    #(the rest of the existing server block stays unchanged)
}

#In addition, a complete Tengine configuration supporting http2 is attached

upstream server_backend {
    server ip:80 weight=10;
    server ip:80 weight=10;
    keepalive 800;
    #The health check below only takes effect in Tengine. If you are not using Tengine, install an additional module or comment it out
    check interval=5000 rise=3 fall=3 timeout=5000 type=tcp;
}

server {
    listen       80;
    listen       443 ssl http2;
    server_name   xxx.xxx.xxx;

    req_status server;

    ssl_certificate      /usr/local/nginx/certs/xxx.xxx.xxx.crt;
    ssl_certificate_key  /usr/local/nginx/certs/xxx.xxx.xxx.key;
    ssl_session_timeout  5m;
    ssl_protocols   TLSv1.1 TLSv1.2 TLSv1;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header User-Agent;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    access_log  logs/access.log  main;

    location / {
        proxy_pass http://server_backend/;
        access_log logs/server_backend.log main;
    }

    error_page 404 /404.html;
    location = /404.html {
        root html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
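
The attached configuration still lists TLSv1 and TLSv1.1 in ssl_protocols; both are deprecated (RFC 8996), and HTTP/2 over TLS requires TLS 1.2 or later (RFC 7540, section 9.2). The following audit is an added example, not part of the original post: the function name and the sample text are constructed, and it assumes each ssl_protocols directive sits on a single line.

```shell
#!/bin/sh
# Added example: flag deprecated TLS versions in nginx/Tengine ssl_protocols lines.

# Constructed sample: the TLS lines of the configuration above plus a
# commented-out directive that must be ignored.
SAMPLE_CONF='server {
    listen 443 ssl http2;
    # ssl_protocols SSLv3 TLSv1;
    ssl_protocols   TLSv1.1 TLSv1.2 TLSv1;
    ssl_ciphers  HIGH:!aNULL:!MD5;
}'

# Reads config text on stdin and prints "LINE:PROTOCOL" for every
# SSLv2/SSLv3/TLSv1/TLSv1.1 token in an active ssl_protocols directive.
deprecated_tls() {
    awk '
        { sub(/#.*/, "") }                       # drop comments first
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)                 # strip the closing semicolon
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print NR ":" p
            }
        }'
}

# On a live system (default conf path under this page's install prefix):
#   deprecated_tls < /usr/local/nginx/conf/nginx.conf
printf '%s\n' "$SAMPLE_CONF" | deprecated_tls
```

With the OpenSSL 1.0.2 build used here, the directive that produces no findings is `ssl_protocols TLSv1.2;`, since TLS 1.3 needs OpenSSL 1.1.1 or later.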

4. Effect display
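
One way to check the result from the command line, as an added example that is not part of the original post: the first function confirms from `nginx -V` output that the binary was built with the v2 module against OpenSSL 1.0.2 or later, and the second confirms from `openssl s_client -alpn h2` output that the server selected h2. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the HTTP/2 build described on this page.

# Constructed samples so the script runs offline; on a live system use:
#   /usr/local/nginx/sbin/nginx -V 2>&1
#   echo | openssl s_client -alpn h2 -connect HOST:443 2>/dev/null
SAMPLE_NGINX_V='built with OpenSSL 1.0.2t  10 Sep 2019
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/ssl'
SAMPLE_OLD_V='built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_S_CLIENT='SSL handshake has read 3172 bytes and written 341 bytes
ALPN protocol: h2
    Protocol  : TLSv1.2'

# Succeeds only if the `nginx -V` text in $1 shows both the v2 module and
# OpenSSL >= 1.0.2. Older OpenSSL has no ALPN, and current browsers
# negotiate HTTP/2 only through ALPN, so they would stay on HTTP/1.1.
build_supports_h2() {
    printf '%s\n' "$1" | grep -q -e '--with-http_v2_module' || return 1
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^built with OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # split into major, minor, patch
    [ $(( $1 * 10000 + $2 * 100 + $3 )) -ge 10002 ]
}

# Succeeds only if the s_client transcript in $1 shows that h2 was selected.
alpn_is_h2() {
    printf '%s\n' "$1" | grep -q '^ALPN protocol: h2$'
}

build_supports_h2 "$SAMPLE_NGINX_V" && echo "new build: v2 module + ALPN-capable OpenSSL"
build_supports_h2 "$SAMPLE_OLD_V"   || echo "old build: OpenSSL too old for ALPN"
alpn_is_h2 "$SAMPLE_S_CLIENT"       && echo "server negotiated h2"
```

A result of "No ALPN negotiated" from s_client after the upgrade usually means the old binary is still running or the listen directive lacks http2.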

5. Summary

1. The steps for a first installation of Tengine differ somewhat from the upgrade steps; take care to follow the ones that apply to you.

2. Plain HTTP does not support the http2 transport protocol, so port 80 still uses HTTP/1.1, while HTTPS uses http2.

> Author's blog: Qingye's blog

Posted by francisexpress on Sat, 09 Nov 2019 11:07:26 -0800