Environment and tools:
macOS, curl, OpenResty
1. Upgrade curl to support HTTP/2
brew install curl-openssl
echo 'export PATH="/usr/local/opt/curl-openssl/bin:$PATH"' >> ~/.zshrc
2. Test the JD page
curl --http2 -I "https://www.jd.com"
HTTP/2 200
server: JDWS/2.0
date: Thu, 17 Oct 2019 04:06:39 GMT
content-type: text/html; charset=utf-8
content-length: 103636
vary: Accept-Encoding
vary: Accept-Encoding
expires: Thu, 17 Oct 2019 04:06:51 GMT
cache-control: max-age=30
ser: 6.155
via: BJ-Y-NX-105(HIT), http/1.1 BJ-CT-2-JCS-35 ( [cRs f ])
age: 12
strict-transport-security: max-age=7776000
3. Local nginx configuration
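http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # When negotiating the cipher, prefer the server's cipher suites
    ssl_prefer_server_ciphers on;

    # server blocks are only valid inside the http block
    server {
        listen 443 ssl http2;
        server_name <your_server>;
        ssl_certificate <your_cert_path>;
        ssl_certificate_key <your_key_path>;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}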
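https://wiki.mozilla.org/Security/Server_Side_TLS lists the recommended ciphers configurations, grouped into modern compatibility, intermediate compatibility, and old backward compatibility.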
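
A check for the setup above, as an added example that is not part of the original notes: it automates the manual curl test from step 2 (negotiated protocol and HSTS max-age) and probes whether the server from step 3 still completes TLS 1.0/1.1 handshakes. The function names are hypothetical, and `tls_accepts` assumes the upgraded curl from step 1 (7.54.0 or later, for `--tls-max`).

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
CR=$(printf '\r')

# audit_head: read `curl -I` output on stdin and print "proto=<p> hsts=<max-age|none>".
# Succeeds only for an HTTP/2 status line plus an HSTS header carrying max-age.
audit_head() {
  local line proto hsts name value
  proto="" hsts="none"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$CR"}                                        # curl prints CRLF line endings
    if [ -z "$proto" ]; then proto=${line%% *}; continue; fi  # first line is the status line
    name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')        # header names are case-insensitive
    value=$(printf '%s' "${line#*:}" | tr 'A-Z' 'a-z')
    if [ "$name" = "strict-transport-security" ]; then
      case "$value" in
        *max-age=*) hsts=${value#*max-age=}; hsts=${hsts%%[!0-9]*} ;;
      esac
      [ -n "$hsts" ] || hsts="none"
    fi
  done
  echo "proto=$proto hsts=$hsts"
  [ "$proto" = "HTTP/2" ] && [ "$hsts" != "none" ]
}

# tls_accepts HOST VERSION: succeed if HOST completes a handshake pinned to exactly
# TLS VERSION (1.0, 1.1, 1.2, 1.3). A curl whose TLS library itself refuses old
# versions fails here regardless of the server, so confirm with a second client.
tls_accepts() {
  curl -s -o /dev/null --max-time 10 "--tlsv$2" --tls-max "$2" "https://$1/"
}

# check_site HOST: header audit plus a probe of the deprecated protocol versions.
check_site() {
  local host v
  host=$1
  curl -s -I --http2 --max-time 10 "https://$host/" | audit_head
  for v in 1.0 1.1; do
    if tls_accepts "$host" "$v"; then echo "WARN: $host still accepts TLS $v"; fi
  done
}

# sample_head: the jd.com response from step 2, trimmed (copied from the page).
sample_head() {
  printf '%s\r\n' 'HTTP/2 200' 'server: JDWS/2.0' 'cache-control: max-age=30' \
    'strict-transport-security: max-age=7776000' ''
}

sample_head | audit_head   # offline demo on the embedded sample
```

To run it against the local nginx, source the file and call `check_site <your_server>`.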