2015/10/23

Ubuntu 15.10 + Apache 2.4.17 + HTTP/2.0

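I recently saw that Apache 2.4.17 had been released with built-in HTTP/2.0 support, so I tested it and wrote down the steps.

I started on Ubuntu 14.04, but its bundled OpenSSL is 1.0.1f and TLS ALPN is also needed,
so OpenSSL 1.0.2 or later is required.

I then switched to Ubuntu 15.10, because its bundled OpenSSL is already 1.0.2d.


I followed the procedure described by あすのかぜ.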


1. Install nghttp2 first

apt-get install make binutils autoconf automake autotools-dev libtool pkg-config \
zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
libjemalloc-dev cython python3.4-dev python-setuptools

git clone https://github.com/tatsuhiro-t/nghttp2.git 
cd ./nghttp2 
autoreconf -i 
automake 
autoconf 

./configure 
make 
sudo make install 
sudo ldconfig

2. Download and build Apache 2.4.17

apt-get install git gcc g++ libpcre3-dev libcunit1-dev libev-dev libjansson-dev \
libjemalloc-dev cython make binutils autoconf automake autotools-dev libtool pkg-config \
zlib1g-dev libssl-dev libxml2-dev libevent-dev python3.4-dev libevent-openssl-2.0-5

wget http://ftp.jaist.ac.jp/pub/apache//httpd/httpd-2.4.17.tar.gz
tar zxvf httpd-2.4.17.tar.gz

wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache//apr/apr-1.5.2.tar.gz
tar zxvf apr-1.5.2.tar.gz
mv ./apr-1.5.2 ./httpd-2.4.17/srclib/apr

wget http://ftp.yz.yamagata-u.ac.jp/pub/network/apache//apr/apr-util-1.5.4.tar.gz
tar zxvf apr-util-1.5.4.tar.gz
mv ./apr-util-1.5.4 ./httpd-2.4.17/srclib/apr-util

cd ./httpd-2.4.17/
./configure --enable-http2
make
sudo make install

3. Configuration
First edit /usr/local/apache2/conf/httpd.conf

# Add this line to set your own hostname
ServerName myserver.com

# Uncomment these three lines (Apache does not allow a comment on the same line as a directive)
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
Include conf/extra/httpd-ssl.conf

# Add
<IfModule http2_module>
    ProtocolsHonorOrder On
    # for https
    Protocols h2 http/1.1
    # for http
    Protocols h2c http/1.1
</IfModule>

Next, generate the key and certificate used for SSL
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/apache2/conf/server.key -out /usr/local/apache2/conf/server.crt


Then edit /usr/local/apache2/conf/extra/httpd-ssl.conf

# Comment out this line
#SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"

# Add the certificate and key
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

# Changed; see "How to h2 in apache"
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

# Changed
SSLProtocol All -SSLv2 -SSLv3

4. Start
/usr/local/apache2/bin/httpd 


5. Results

[netstat]
netstat -ta |grep -e http -e https                                
            
tcp6       0      0 [::]:http               [::]:*                  LISTEN                   
tcp6       0      0 [::]:https              [::]:*                  LISTEN    

[Connect with nghttp]
nghttp -uv http://<IP or Domain Name>


[Check with Chrome]
Browse directly to

chrome://net-internals/#http2
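
The OpenSSL 1.0.2 requirement from the introduction and the result check from step 5 can also be scripted. This is an added example, not part of the original post: the function names and sample strings are constructed for illustration, and probe_alpn assumes an openssl binary new enough to offer the s_client -alpn option (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the original post): ALPN preflight and result check.
# Function names and the sample strings below are constructed for illustration.

# Succeeds when an `openssl version` string is 1.0.2 or later (ALPN support).
# Returns 2 when the string is not an "OpenSSL x.y.z" version.
version_has_alpn() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -gt 0 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 0 ] && [ "$3" -ge 2 ]; then return 0; fi
    return 1
}

# Reads `openssl s_client` output on stdin; prints the negotiated ALPN
# protocol, or "none" when the server did not select one.
alpn_from_output() {
    awk '/^ALPN protocol: / { print $3; found = 1; exit }
         END { if (!found) print "none" }'
}

# Probes a live TLS listener ($1 = host, $2 = port, default 443), offering
# h2 first. Expect "h2" from the server configured in step 3.
probe_alpn() {
    openssl s_client -connect "$1:${2:-443}" \
        -alpn h2,http/1.1 </dev/null 2>/dev/null | alpn_from_output
}

# Constructed samples: the two OpenSSL builds named in the post, and the
# ALPN lines s_client prints with and without a negotiated protocol.
for ver in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.2d 9 Jul 2015"; do
    if version_has_alpn "$ver"; then
        echo "$ver: ALPN available"
    else
        echo "$ver: too old for ALPN, h2 over TLS will not negotiate"
    fi
done
printf 'SSL-Session:\nALPN protocol: h2\n' | alpn_from_output
printf 'No ALPN negotiated\nSSL-Session:\n' | alpn_from_output
```

On the server itself, version_has_alpn "$(openssl version)" gives the preflight result, and probe_alpn <IP or Domain Name> checks the running listener.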


