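I am writing an Nginx configuration, and I have a basic question.
What is the difference between:
listen 443 ssl; vs listen [::]:443 ssl; vs listen [::]:443 ssl http2;
My goal is to secure this web application while also maintaining compatibility with older clients.
Note: I know [::]:443 has to do with IPv6, but does it cover IPv4 as well in this case? I want to clear up my concepts.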
While listen [::]:443 ssl makes Nginx listen on all IPv6 addresses on the server, on port 443 (:::443), by default [::]:443 will not make Nginx respond on IPv4 unless you specify the parameter ipv6only=off:
listen [::]:443 ipv6only=off;
As per the docs: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen
ssl:
The ssl parameter (0.7.14) allows specifying that all connections
accepted on this port should work in SSL mode.
http2:
The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections.
This does not mean that it accepts only HTTP/2 connections.
As per RFC 7540:
A client that makes a request for an “http” URI without prior
knowledge about support for HTTP/2 on the next hop uses the HTTP
Upgrade mechanism. The client does so by making an HTTP/1.1 request
that includes an Upgrade header field with the “h2c” token.

A server that does not support HTTP/2 can respond to the request as
though the Upgrade header field were absent:

HTTP/1.1 200 OK
Content-Length: 243
Content-Type: text/html

A server that supports HTTP/2 accepts the upgrade with a 101
(Switching Protocols) response. After the empty line that terminates
the 101 response, the server can begin sending HTTP/2 frames.
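To sum up:
Clients that do not support HTTP/2 will never ask the server for an HTTP/2 communication upgrade: the communication between them will be fully HTTP/1.1.
Clients that support HTTP/2 will ask the server (using HTTP/1.1) for an HTTP/2 upgrade:
  - If the server is HTTP/2 ready, then the server will notify the client as such: the communication between them will be switched to HTTP/2.
  - If the server is not HTTP/2 ready, then the server will ignore the upgrade request and answer with HTTP/1.1: the communication between them should stay fully HTTP/1.1.
Maybe summarized a bit more here: http://qnimate.com/http2-compatibility-with-old-browsers-and-servers/
However, the Nginx docs state the following about HTTP/2 over TLS: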
Note that accepting HTTP/2 connections over TLS requires the
“Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
which is available only since OpenSSL version 1.0.2.
Make sure old clients are compliant with this requirement.
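
The listen variants discussed above, put together in one server block. This is an added example, not part of the original answer; example.com and the certificate paths are placeholders, and the ssl_protocols value is an assumption to adjust for the clients you need to support.

```nginx
# Added example (not from the original answer); names and paths are placeholders.
server {
    # IPv4 wildcard socket (0.0.0.0:443) with TLS. The http2 parameter
    # only offers HTTP/2; clients that do not negotiate it via ALPN
    # are still served HTTP/1.1 on the same port.
    listen 443 ssl http2;

    # IPv6 wildcard socket ([::]:443). ipv6only defaults to on, so this
    # socket does not accept IPv4 connections; the line above covers IPv4.
    listen [::]:443 ssl http2;

    # Alternative to the two lines above (use one form or the other,
    # not both): a single dual-stack socket that also accepts IPv4.
    # listen [::]:443 ssl http2 ipv6only=off;

    # On nginx 1.25.1 and later the http2 listen parameter is deprecated
    # in favour of the separate directive:
    # http2 on;

    server_name example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path

    # TLS protocol floor (assumed value). This setting, not the http2
    # parameter, is what decides whether an old client can connect at all.
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

After editing, nginx -t validates the syntax and nginx -V shows which OpenSSL version the binary was built with, which matters for the ALPN requirement quoted above.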