
Nginx HTTP/2 Protocol Optimization and Security Settings

Tags: HTTP, Nginx, ssl, ECDHE    Published: 2025-04-20

Nginx HTTP/2 Protocol Optimization and Security Configuration Guide

HTTP/2 is a major upgrade of the HTTP protocol and can noticeably improve site performance. The following is an HTTP/2 optimization and security configuration plan for Nginx servers.

Basic HTTP/2 Configuration

1. Enable HTTP/2

server {
    listen 443 ssl http2;  # enable HTTP/2 on top of SSL/TLS
                           # (the "http2" listen parameter is deprecated since nginx 1.25.1;
                           #  on those versions use "listen 443 ssl;" together with "http2 on;")
    server_name example.com;

    # other configuration...
}

2. Required SSL Configuration

ssl_protocols TLSv1.2 TLSv1.3;  # disable legacy TLS versions
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;  # shared across worker processes
ssl_session_timeout 10m;

Performance Tuning

1. Adjust Buffer Sizes

http2_chunk_size 8k;  # size of the chunks a response body is sliced into; 8k is also nginx's default, smaller values help small-file transfers
http2_max_concurrent_streams 128;  # default 128, adjust to server capacity
http2_max_field_size 16k;  # maximum size of a request header field (obsolete since nginx 1.19.7 and ignored; use large_client_header_buffers)
http2_max_header_size 64k;  # maximum total size of the request headers (obsolete since nginx 1.19.7 and ignored; use large_client_header_buffers)

2. Server Push

location = /index.html {
    http2_push /style.css;   # push these resources along with the response
    http2_push /script.js;
    http2_push /image.jpg;
}
# Note: nginx removed HTTP/2 server push in 1.25.1; on those versions http2_push is an
# unknown directive and the configuration fails to load. Use Link: rel=preload response headers instead.

3. Connection Settings

keepalive_timeout 75s;    # how long an idle connection is kept open (also applies to HTTP/2)
keepalive_requests 1000;  # requests served over one connection before it is closed

Security Hardening

1. Disable Legacy Protocols

ssl_protocols TLSv1.2 TLSv1.3;  # disable TLS 1.0 and 1.1

2. Strengthen the Cipher Suites

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';  # forward-secret AEAD suites only

3. OCSP Stapling

ssl_stapling on;
ssl_stapling_verify on;
# ssl_stapling_verify needs the issuer chain configured with ssl_trusted_certificate,
# otherwise nginx cannot verify the stapled OCSP response
resolver 8.8.8.8 8.8.4.4 valid=300s;  # used to look up the OCSP responder
resolver_timeout 5s;

4. HSTS Header

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;  # "always" also sends it on error responses; "preload" commits all subdomains to HTTPS

Advanced Tuning

1. 0-RTT (TLS 1.3)

ssl_early_data on;
# Requests sent as 0-RTT early data can be replayed by a network attacker. Pass $ssl_early_data
# to the backend (proxy_set_header Early-Data $ssl_early_data;) so it can reject
# non-idempotent early requests with 425 Too Early.

2. Adjusting Stream Priority

# nginx has no http2_priority_* directives: the two settings below are not valid configuration
# and "nginx -t" rejects them as unknown directives, so they are commented out here.
# Under HTTP/2 the stream priority is requested by the client; nginx does not expose
# per-location priority settings.
location ~* \.(js|css)$ {
    # http2_priority_highest;
}

location ~* \.(jpg|png|gif)$ {
    # http2_priority_low;
}

3. Keeping Idle Connections

http2_idle_timeout 3m;  # how long an idle connection is kept (obsolete since nginx 1.19.7 and ignored; keepalive_timeout applies to HTTP/2 connections instead)

Monitoring and Debugging

1. Logging

# place in the http context; $http2 is "h2" for HTTP/2 over TLS, "h2c" for cleartext HTTP/2 and empty otherwise
log_format http2 '$remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 'protocol:$server_protocol h2:$http2';

2. Status Monitoring

location /nginx_status {
    stub_status;
    allow 127.0.0.1;  # only reachable from the local host
    deny all;
}

Complete Configuration Example

server {
    listen 443 ssl http2;  # on nginx >= 1.25.1 use "listen 443 ssl;" plus "http2 on;"
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_stapling on;
    ssl_stapling_verify on;  # requires the issuer chain in ssl_trusted_certificate to verify the OCSP response
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    http2_max_concurrent_streams 128;
    http2_chunk_size 8k;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    location / {
        root /var/www/html;
        index index.html;

        # server push (removed in nginx 1.25.1; fails to load there as an unknown directive)
        http2_push /styles/main.css;
        http2_push /scripts/app.js;
    }
}

Notes

  1. HTTP/2 requires SSL/TLS to be enabled at the same time
  2. Reload Nginx after changing the configuration: nginx -s reload
  3. Test the security of the configuration with a tool such as Qualys SSL Test
  4. Monitor server resource usage and adjust the number of concurrent streams to the load
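Before running nginx -s reload or an external scanner, a static pass over the config catches the issues discussed on this page. The checker below is an added example, not part of the original article or of nginx: it flattens a config into directives, flags the obsolete HTTP/2 directives, a legacy ssl_protocols list, a short HSTS max-age, OCSP stapling verification without a trust chain, and 0-RTT without an Early-Data marker for proxied backends. The sample config is constructed for the demonstration.

```python
import re

# Directives on this page that current nginx rejects or silently ignores (per the nginx changelog).
OBSOLETE = {
    "http2_max_field_size": "obsolete since 1.19.7 and ignored; use large_client_header_buffers",
    "http2_max_header_size": "obsolete since 1.19.7 and ignored; use large_client_header_buffers",
    "http2_idle_timeout": "obsolete since 1.19.7 and ignored; use keepalive_timeout",
    "http2_push": "server push removed in 1.25.1; nginx -t fails with 'unknown directive'",
    "http2_priority_highest": "not an nginx directive; nginx -t fails",
    "http2_priority_low": "not an nginx directive; nginx -t fails",
}
# Statement separators (';', '{', '}') only count outside double quotes, so the HSTS value stays whole.
SPLIT = re.compile(r'[;{}](?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_directives(conf):
    """Return [(name, args)] per statement, comments stripped, blocks flattened (no '#' inside quotes)."""
    text = " ".join(line.split("#", 1)[0] for line in conf.splitlines())
    parts = [seg.strip().split(None, 1) for seg in SPLIT.split(text)]
    return [(p[0], p[1] if len(p) > 1 else "") for p in parts if p]

def check_config(conf):
    """Return findings for the HTTP/2 and TLS settings covered above; [] means nothing was flagged."""
    stmts = parse_directives(conf)
    names = {n for n, _ in stmts}
    on = {n for n, a in stmts if a == "on"}
    findings = []
    for name, args in stmts:
        if name in OBSOLETE:
            findings.append(f"{name}: {OBSOLETE[name]}")
        elif name == "listen" and "http2" in args.split():
            findings.append("listen ... http2: deprecated since 1.25.1, use 'http2 on;' instead")
        elif name == "ssl_protocols":
            weak = sorted({"SSLv3", "TLSv1", "TLSv1.1"} & set(args.split()))
            if weak:
                findings.append("ssl_protocols allows " + " ".join(weak))
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", args)
            if not m or int(m.group(1)) < 31536000:
                findings.append("HSTS max-age below one year")
    if "ssl_stapling_verify" in on and "ssl_trusted_certificate" not in names:
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate; the OCSP response cannot be verified")
    marked = any(n == "proxy_set_header" and a.startswith("Early-Data") for n, a in stmts)
    if "ssl_early_data" in on and "proxy_pass" in names and not marked:
        findings.append("ssl_early_data on but replayable 0-RTT requests are not marked for the backend (Early-Data header)")
    return findings

# Constructed sample, not the page's config: the page's layout with a few deliberately weak settings.
SAMPLE = """server {
    listen 443 ssl http2; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_stapling on; ssl_stapling_verify on; ssl_early_data on;
    add_header Strict-Transport-Security "max-age=300; includeSubDomains" always;
    location / { http2_push /styles/main.css; proxy_pass http://127.0.0.1:8080; } }"""
```

Running check_config(SAMPLE) yields six findings in config order; a config that uses http2 on, TLS 1.2/1.3 only, a one-year HSTS and ssl_trusted_certificate returns an empty list.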

With the configuration above you can take full advantage of HTTP/2 features such as multiplexing, header compression and server push while keeping the connection secure.