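Learning HTTP2.0, and Configuring HTTP2.0 on Nginx and Tomcat
Contents
I. HTTP2.0
1.1 Introduction
1.2 New features
1.3 h2c support
II. Nginx support for HTTP2.0
2.1 Nginx as a server using HTTP2.0
2.2 Nginx as a client using HTTP2.0
III. Tomcat support for HTTP2.0
3.1 Tomcat 8.5
3.1.1 Dependencies
3.1.2 h2c configuration (unencrypted)
3.1.3 h2 configuration (encrypted)
IV. Extras
4.1 Testing h2c
4.2 Checking whether the browser supports HTTP2.0
4.3 Checking whether a website supports HTTP2.0
4.4 How Java 8 can support HTTP2.0 over TLS
Problem
Solution
Method 1 (did not work)
Method 2 (works)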
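I. HTTP2.0
1.1 Introduction
HTTP/2 (Hypertext Transfer Protocol version 2, originally named HTTP 2.0), abbreviated h2 (encrypted connections over TLS 1.2 or later) or h2c (unencrypted connections), is the second major version of the HTTP protocol.
1.2 New features
For details, see this article: segmentfault/a/1190000013420784
1. Data compression of HTTP headers.
2. HTTP/2 Server Push.
3. Pipelining of requests.
4. Multiplexing multiple requests over a single TCP connection, because every TCP connection costs resources to create, and early in a connection's life transfer is also relatively
5. Data between client and server is packaged and transferred in binary rather than plain text.
1.3 h2c support
The design of HTTP/2 allows unencrypted HTTP and also allows encryption with TLS 1.2 or later. The protocol itself does not require encryption, but the developers of most clients (for example Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only
II. Nginx support for HTTP2.0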
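2.1 Nginx as a server using HTTP2.0
Requirements for using HTTP2.0
1. Nginx version 1.9.5 or later.
2. OpenSSL version 1.0.2 or later.
3. Built with --with-http_v2_module.
We configure h2 here, because browsers essentially do not support h2c.
Nginx only introduced HTTP2.0 in 1.9.5; see the official changelog.
Add --with-http_v2_module at build time, then add http2 in the Nginx configuration.
Example
listen 443 ssl http2 default_server;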
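Added example (not part of the original article): a POSIX shell pre-flight check for the three requirements listed above, applied to the text that `nginx -V` prints. The function names and the three sample outputs are constructed for illustration.

```shell
# ver_ge A B: succeed when dotted numeric version A >= B.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# nginx_h2_ready TEXT: TEXT is what `nginx -V 2>&1` printed.
# Prints "ok" (status 0) or the first unmet requirement (status 1).
nginx_h2_ready() {
    nver=$(printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    over=$(printf '%s\n' "$1" | sed -n 's|^built with OpenSSL \([0-9.]*\).*|\1|p')
    if [ -z "$nver" ] || ! ver_ge "$nver" 1.9.5; then
        echo "nginx ${nver:-unknown} < 1.9.5"; return 1
    fi
    if [ -z "$over" ] || ! ver_ge "$over" 1.0.2; then
        echo "OpenSSL ${over:-unknown} < 1.0.2"; return 1
    fi
    case $1 in
        *--with-http_v2_module*) echo ok ;;
        *) echo "built without --with-http_v2_module"; return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
GOOD='nginx version: nginx/1.16.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --with-http_ssl_module --with-http_v2_module'
OLD_SSL='nginx version: nginx/1.16.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
configure arguments: --with-http_ssl_module --with-http_v2_module'
NO_V2='nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g  21 Apr 2020
configure arguments: --with-http_ssl_module'

nginx_h2_ready "$GOOD"
nginx_h2_ready "$OLD_SSL" || true
nginx_h2_ready "$NO_V2" || true
```

On a real host, call it as `nginx_h2_ready "$(nginx -V 2>&1)"`, since `nginx -V` writes to stderr.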
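2.2 Nginx as a client using HTTP2.0
Nginx can be configured for HTTP2.0 when it acts as a server, but when Nginx acts as a client, the official Nginx position is that this is not supported: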
Q: Will you support HTTP/2 on the upstream side as well, or only support HTTP/2 on the client side?
A: At the moment, we only support HTTP/2 on the client side. You can’t configure HTTP/2 with proxy_pass. [Editor – In the original version of this post, this sentence was incorrectly transcribed as “You can configure HTTP/2 with proxy_pass.” We apologize for But what is the point of HTTP/2 on the backend side? Because as you can see from the benchmarks, there’s not much benefit in HTTP/2 for low‑latency networks such as upstream connections.
Also, in NGINX you have the keepalive module, and you can configure a keepalive cache. The main performance benefit of HTTP/2 is to eliminate additional handshakes, but if you do that already with a keepalive cache, you don’t need HTTP/2 on the upstream
proxy_pass cannot be configured with HTTP2.0. The main performance advantage of HTTP2.0 is that it reduces repeated TCP connections, and we can achieve the same by configuring keepalive. (Summary based on Google Translate)
gRPC is worth looking at later.
grpc_pass grpc://localhost:50051;
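III. Tomcat support for HTTP2.0
I checked version 8.0: it does not support HTTP2.0.
I checked version 8.5: it supports HTTP2.0.
3.1 Tomcat 8.5
In case it was not clear above: in what follows, h2 means encrypted connections over TLS 1.2 or later, and h2c is unencrypted.
Unencrypted h2c cannot be reached with a browser (browsers currently do not support it); they only support h2.
The official documentation says
Tomcat supports both h2 and h2c. (Server-side support is no use if the client does not support it; then it is game over.)
HTTP/2 support is provided for TLS (h2), non-TLS via HTTP upgrade (h2c) and direct HTTP/2 (h2c) connections. To enable HTTP/2 support for an HTTP connector the following UpgradeProtocol element must be nested within the Connector with a className
<Connector ... >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>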
Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector. Additional configuration attributes are available. See the HTTP/2 Upgrade Protocol documentation for details.
3.1.1 Dependencies
OpenSSL 1.0.2 or later must be installed.
yum install openssl
3.1.2 h2c configuration (unencrypted)
Just add <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />.
Example configuration
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
The log shows
The ["http-nio-8080"] connector has been configured to support HTTP upgrade to [h2c]
which means h2c is configured.
We test with curl, which needs a recent version; see the Extras section for details.
# curl --http2 192.168.174.128:8080
# tomcat log
192.168.174.128 - - [26/Mar/2020:09:54:28 +0800] "GET / HTTP/1.1" 101 -
192.168.174.128 - - [26/Mar/2020:09:54:28 +0800] "GET / HTTP/2.0" 200 11195
# 101 is Switching Protocols, i.e. the protocol switches to HTTP/2.0. The second log line confirms it.
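Added example (not part of the original article): the 101-then-HTTP/2.0 pattern described above, turned into a log check that lists clients using cleartext h2c. HTTP/2.0 lines alone do not distinguish h2 from h2c, so the script pairs each 101 with the same request logged again as HTTP/2.0; the function names and the last two sample lines are constructed.

```shell
# Constructed sample: the first three lines are the access-log entries quoted
# in this article; the last two (a 101 that is not an h2c upgrade, such as a
# WebSocket handshake) are made up.
sample_access_log() {
cat <<'EOF'
192.168.174.128 - - [26/Mar/2020:09:54:28 +0800] "GET / HTTP/1.1" 101 -
192.168.174.128 - - [26/Mar/2020:09:54:28 +0800] "GET / HTTP/2.0" 200 11195
192.168.174.128 - - [26/Mar/2020:10:36:03 +0800] "GET / HTTP/2.0" 200 11195
192.0.2.10 - - [26/Mar/2020:10:40:00 +0800] "GET /ws HTTP/1.1" 101 -
192.0.2.10 - - [26/Mar/2020:10:40:05 +0800] "GET /index.html HTTP/1.1" 200 512
EOF
}

# h2c_upgrades: read an access log on stdin and print "<client> <count>" for
# every client that completed a cleartext upgrade: an HTTP/1.1 request answered
# with 101, followed by the same request logged again as HTTP/2.0.
h2c_upgrades() {
    awk -F'"' '
    {
        split($1, pre, " ");      ip = pre[1]
        n = split($2, req, " ");  proto = req[n]; target = req[1] " " req[2]
        split($3, post, " ");     status = post[1]
        if (proto == "HTTP/1.1" && status == "101") { pending[ip] = target; next }
        if (proto == "HTTP/2.0" && (ip in pending) && pending[ip] == target)
            hits[ip]++
        delete pending[ip]
    }
    END { for (ip in hits) print ip, hits[ip] }' | sort
}

sample_access_log | h2c_upgrades
```

The pairing is a heuristic: the access log carries no connection identifier, so it relies on the upgraded request appearing directly after its 101 for the same client.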
3.1.3 h2 configuration (encrypted)
This means certificates have to be configured.
This is the default configuration shipped with version 8.5.53
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Example configuration
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/server.key"
                     certificateFile=""
                     type="RSA" />
    </SSLHostConfig>
</Connector>
See also: nginx SSL certificate configuration
Log output when the configuration succeeds
The ["https-openssl-nio-8443"] connector has been configured to support negotiation to [h2] via ALPN
Access
curl --http2 -k https://192.168.174.128:8443
# check Tomcat's localhost_access_log
192.168.174.128 - - [26/Mar/2020:10:36:03 +0800] "GET / HTTP/2.0" 200 11195
This works.
Access from a browser also works.
IV. Extras
4.1 Testing h2c
curl must be installed, and only newer versions of curl support HTTP2.0; older versions do not.
rpm -ivh /ftp/contrib/-arch.rpm
yum clean all
yum makecache
yum update curl --
# If HTTP2 is listed, it is supported.
curl -V
curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 NSS/3.44 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.9.0 nghttp2/1.31.1
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL UnixSockets
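Reference article: wwwblogs/brookin/p/10713166.html
4.2 Checking whether the browser supports HTTP2.0
To check whether our browser supports HTTP2.0, open the URL and run the test.
4.3 Checking whether a website supports HTTP2.0
URL; access requires getting past the firewall.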
4.4 How Java 8 can support HTTP2.0 over TLS
Problem
1. Java 8's TLS does not support ALPN (HTTP2.0 over TLS requires ALPN).
# /tomcat-8.5-doc/config/http.html#HTTP/2_Support
Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector.
Java 8's TLS does not support ALPN (HTTP2.0 over TLS requires ALPN), so HTTP/2 support has to be enabled with an OpenSSL-based TLS implementation.
2. org.apache.tomcat.util.net.jsse.JSSEImplementation is used by default, but on Java 8 it does not support ALPN.
# /tomcat-8.5-doc/config/http.html#HTTP/2_Support
When APR/native is enabled, the connectors will default to using OpenSSL through JSSE, which may be more optimized than the JSSE Java implementation depending on the p The following NIO and NIO2 SSL configuration attributes are not specific to a virtual host and, therefore, must be configured on the connector.
In other words, once APR/native is enabled, the connectors use OpenSSL by default.
Solution
Method 1 (did not work)
The parameter to look at is sslImplementationName.
sslImplementationName
The class name of the SSL implementation to use. If not specified and the tomcat-native library is not installed, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used which wraps JVM's default JSSE provider. Note that the JVM can be
When tomcat-native is not installed, org.apache.tomcat.util.net.jsse.JSSEImplementation is used by default, but it does not support ALPN and therefore does not support HTTP2.0.
The official documentation says I can configure sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation", but when I configured this, startup failed:
org.apache.catalina.LifecycleException: 初始化组件[Connector[HTTP/1.1-8443]]失败。
at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:139)
at org.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.StandardServer.initInternal(StandardServer.java:848)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
flect.NativeMethodAccessorImpl.invoke0(Native Method)
flect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
flect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at flect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.UnsatisfiedLinkError: at.ate(J)J
at at.ate(Native Method)
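Method 2 (works)
Install tomcat-native. Once tomcat-native is installed locally, OpenSSL is used by default, even though we have not enabled APR.
yum install openssl tomcat-native -y
Article on enabling APR in Tomcat
So our recommendation: if you need h2 on Java 8, do the following
1. Install OpenSSL 1.0.2 or later.
2. Use Tomcat 8.5.
3. Install tomcat-native.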
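Added example (not part of the original article) for sections 3.1.3 and 4.4: a post-restart check that reads Tomcat's startup log and confirms the TLS connector announced h2 via ALPN, using the two log messages quoted earlier. Treating a connector that started without that message as "not offering h2" is an assumption of this sketch; the function names, timestamps and the port 9443 connector are constructed.

```shell
# Constructed catalina.out excerpt: the two "configured to support" messages
# are the ones quoted in this article; timestamps and the third line are made up.
sample_catalina_log() {
cat <<'EOF'
26-Mar-2020 10:35:01.100 INFO [main] The ["http-nio-8080"] connector has been configured to support HTTP upgrade to [h2c]
26-Mar-2020 10:35:01.200 INFO [main] The ["https-openssl-nio-8443"] connector has been configured to support negotiation to [h2] via ALPN
26-Mar-2020 10:35:01.300 INFO [main] Starting ProtocolHandler ["https-jsse-nio-9443"]
EOF
}

# h2_connectors: read the startup log on stdin and print "<connector> <mode>"
# for every connector that announced HTTP/2 support (mode is h2 or h2c).
h2_connectors() {
    sed -n \
      -e 's/.*The \["\([^"]*\)"\] connector has been configured to support negotiation to \[h2\] via ALPN.*/\1 h2/p' \
      -e 's/.*The \["\([^"]*\)"\] connector has been configured to support HTTP upgrade to \[h2c\].*/\1 h2c/p'
}

# require_h2 PORT: succeed only if the connector on PORT announced h2 via ALPN.
# A cleartext h2c connector, or a TLS connector without ALPN, fails the check.
require_h2() {
    h2_connectors | awk -v p="$1" '
        $2 == "h2" && $1 ~ ("-" p "$") { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

sample_catalina_log | h2_connectors
if sample_catalina_log | require_h2 8443; then echo "8443: h2 via ALPN"; fi
if ! sample_catalina_log | require_h2 9443; then echo "9443: no h2"; fi
```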
Author: 理想三旬
Source: wwwblogs/operationhome/p/12577540.html