I'm trying to figure out why all the requests in the log are HTTP1.1, even though nginx is configured to listen on HTTP1.2

[11/Oct/2024:11:53:41 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-kitrina-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-anoichto_gkri-anthraki-gkri-thema_fototapetsarias-artistic-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 50347 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)" 
     [11/Oct/2024:11:53:41 +0300] "GET /el_gr/catalog/product/view/id/144583/s/144583-fototsapetsaries-diafora-sxedia-megethi-100-159102/ HTTP/1.1" 200 55818 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 
     [11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/134022/s/134022-fototsapetsaries-diafora-sxedia-megethi-100-148541/ HTTP/1.1" 200 56234 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 
     [11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/153049/s/153049-fototsapetsaries-diafora-sxedia-megethi-100-167568/ HTTP/1.1" 200 55991 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 
    54.236.1.13 [ 54.236.1.13, 54.236.1.13, 127.0.0.1] [11/Oct/2024:11:53:46 +0300] "GET /el_gr/catalog/product/view/id/151013/s/151013-fototsapetsaries-diafora-sxedia-megethi-100-165532/ HTTP/1.1" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 
     [11/Oct/2024:11:53:47 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-pastel-mov-therma-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-kokkino-anoichto_gkri-kafe-thema_fototapetsarias-artistic-louloudia-vintage-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 56578 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)" 
     [11/Oct/2024:11:53:48 +0300] "GET /el_gr/50369-tapetsaria-arts-crafts-prasino-no-36159-by-casadeco HTTP/1.1" 200 63129 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 
     [11/Oct/2024:11:53:48 +0300] "GET /el_gr/catalog/product/view/id/142099/s/142099-fototsapetsaries-diafora-sxedia-megethi-100-156618/ HTTP/1.1" 200 55810 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 
     [11/Oct/2024:11:53:49 +0300] "GET /el_gr/49391-wing-kremasto-ntoulapi-oikologiko-tzaki-no-14297-by-abb?swatch_colour_att=11095 HTTP/1.1" 200 69558 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
     [11/Oct/2024:11:53:49 +0300] "GET /el_gr/catalog/product/view/id/90457/s/58177-diaxoristika-domatiou-diafora-sxedia-102723/ HTTP/1.1" 200 68402 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)" 

This is my virtual host:

server {
    listen 443 ssl;
    http2 on;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

    return 301 https://example.com$request_uri;

    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;
}

server {
    listen 443 ssl;
    http2 on;
    server_name example.com;
    proxy_headers_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;

    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;

    location / {
        # no proxy_http_version is set here, so nginx talks to the upstream
        # with its default, HTTP/1.0
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $http_host;
        proxy_set_header Host $http_host;

        proxy_buffering off;
        proxy_buffer_size 16k;
        proxy_buffers 64 4k;
        proxy_busy_buffers_size 24k;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 32k;

        if ($cors_origin) {
            add_header 'Access-Control-Allow-Origin' '$cors_origin' always;
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,HEAD,PATCH' always;
            add_header 'Access-Control-Allow-Headers' '*' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
        }
    }
}

This is a dedicated server at Hetzner. It sits behind a firewall, which is switched off. Also, we are not using any panel, just the Ubuntu 22 OS. The CSF firewall is enabled.

Nginx acts as a proxy for Varnish, with SSL termination. So Varnish handles the first request.

Cloudflare, which sits in front of this server, also has support for http1.2 enabled.

Guys, what am I missing here?

Comment:
    Could you tell me where I can find the RFC for HTTP/1.2? And which version of nginx supports it?

Best answer

Your setup looks 100% correct, and I replicated the Nginx configuration in a Docker environment.

Here's what I see.

HTTP/2 used by the client and Nginx

When I send a request over HTTP to Nginx acting as the TLS proxy, I get an HTTP/2 response, as seen in the output below:

$ curl -k -I https://localhost

HTTP/2 200
server: nginx/1.27.2
date: Fri, 11 Oct 2024 11:52:08 GMT
content-type: text/html; charset=UTF-8
content-length: 26
x-powered-by: PHP/8.3.12
cache-control: max-age=10
vary: Accept-Encoding
x-varnish: 32777 32771
age: 4
via: 1.1 varnish (Varnish/7.5)
accept-ranges: bytes
access-control-allow-origin: *
access-control-allow-methods: GET,POST,PUT,DELETE,HEAD,PATCH
access-control-allow-headers: *
access-control-allow-credentials: true

So far so good.

Nginx proxies using HTTP/1.0

Although the client communicates fine with the TLS proxy (Nginx in this case) over HTTP/2, Nginx sends HTTP/1.0 requests to Varnish by default.

You can set proxy_http_version 1.1; to upgrade the HTTP version to HTTP/1.1, but Nginx does not seem to support HTTP/2 proxying.

When I run varnishncsa in the Varnish container to look at the access log, you can see that HTTP/1.1 is used:

$ varnishncsa
172.18.0.3 - - [11/Oct/2024:11:52:04 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:07 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:07 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:07 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:08 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:08 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"
172.18.0.3 - - [11/Oct/2024:11:52:08 +0000] "HEAD http://localhost/ HTTP/1.1" 200 0 "-" "curl/8.7.1"

Use Hitch instead

If you want end-to-end HTTP/2 while using Varnish, use Hitch instead. Hitch is a pure TLS proxy that is not even HTTP-aware.

When it talks to Varnish, as long as Varnish is started with the -p feature=+http2 runtime parameter and Hitch advertises h2, http/1.1 in its ALPN protocols, it should work perfectly.

Please see the following tutorial, which explains this scenario in detail:

A very simple Hitch configuration could look like this:

frontend = "[*]:443"
daemon = on
user = "hitch"
group = "hitch"
backend = "[varnish.example.com]:8443"
pem-dir = "/etc/hitch/cert.d"
pem-dir-glob = "*.pem"
alpn-protos = "h2, http/1.1"
write-proxy-v2 = on

An equally simple Varnish runtime configuration, with HTTP/2 and PROXY support, looks like this:

varnishd \
    -a http=:80 \
    -a proxy=:8443,PROXY \
    -p feature=+http2 \
    -f /etc/varnish/default.vcl \
    -s malloc,2g

TLS detection in Varnish can be done with the following VCL snippet:

vcl 4.1;

import proxy;

sub vcl_recv {
    if(!req.http.X-Forwarded-Proto) {
        if (proxy.is_ssl()) {
            set req.http.X-Forwarded-Proto = "https";
        } else {
            set req.http.X-Forwarded-Proto = "http";
        }
    }
}
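As an added check, not part of the question or the answer: a small Python script that tallies the HTTP version recorded at each hop, so the nginx edge log and the varnishncsa log can be compared side by side instead of reading one of them in isolation. The log lines are constructed samples in the same combined format as the ones quoted above; the version nginx uses towards Varnish is the answer's point, the script only makes it visible.

```python
import re
from collections import Counter

# Regex for the request part of a combined-format access log line, the format of
# both the nginx log in the question and the varnishncsa output in the answer.
# Lines may carry a leading address / X-Forwarded-For block; re.search skips it.
LOG_RE = re.compile(
    r'\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the captured fields of one access log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def version_summary(logs_by_hop):
    """Count the HTTP protocol versions recorded at each hop.

    logs_by_hop maps a hop name (e.g. "nginx", "varnish") to its log lines.
    Returns {hop: Counter({version: count})}; unparseable lines are skipped.
    """
    summary = {}
    for hop, lines in logs_by_hop.items():
        counts = Counter()
        for line in lines:
            rec = parse_line(line)
            if rec is not None:
                counts[rec["version"]] += 1
        summary[hop] = counts
    return summary


# Constructed sample lines (not from a real server): the edge negotiated HTTP/2
# with a browser and HTTP/1.1 with a crawler, while the upstream log shows the
# HTTP/1.0 that nginx uses towards Varnish when proxy_http_version is unset.
SAMPLE_LOGS = {
    "nginx": [
        '203.0.113.10 - - [11/Oct/2024:11:53:41 +0300] "GET /el_gr/ HTTP/2.0" 200 50347 "-" "Mozilla/5.0 Chrome/129.0"',
        '198.51.100.7 [ 198.51.100.7, 127.0.0.1] [11/Oct/2024:11:53:46 +0300] "GET /el_gr/catalog/ HTTP/1.1" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0)"',
    ],
    "varnish": [
        '172.18.0.3 - - [11/Oct/2024:08:53:41 +0000] "GET http://example.com/el_gr/ HTTP/1.0" 200 50347 "-" "Mozilla/5.0 Chrome/129.0"',
        '172.18.0.3 - - [11/Oct/2024:08:53:46 +0000] "GET http://example.com/el_gr/catalog/ HTTP/1.0" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0)"',
    ],
}

if __name__ == "__main__":
    for hop, counts in version_summary(SAMPLE_LOGS).items():
        print(hop, dict(counts))
```

Feed it the real files (one list per hop) and a hop whose counter never shows "2.0" is where the protocol is downgraded.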