
6.開啟 HTTP/3 QUIC


Jack


-----------------------------------
開啟 HTTP/3 QUIC
-----------------------------------

預設網站目錄

/var/www/域名.com

 

修改 域名.com.conf

vi /etc/nginx/sites-available/域名.com.conf

 

給IPS論壇用 (會與vBulletin論壇的偽靜態衝突)

 

前面的步驟有寫了幾行,現在都刪掉,更換為

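# HTTPS virtual host for the IPS forum: TLS 1.3 only, HTTP/2 over TCP and
# HTTP/3 (QUIC) over UDP on port 443.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # QUIC runs over UDP, so UDP/443 must be reachable as well as TCP/443.
    # reuseport may be given only once per address:port in the whole configuration.
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;
    # server_name 域名.com www.域名.com;
    server_name 域名.com;

    root /var/www/域名.com;
    index index.html index.htm index.php default.html default.htm default.php;

    try_files $uri $uri/ =404;

    # Allow only GET and POST. The pattern is anchored and case-sensitive so that
    # only the exact method names pass; an unanchored GET|POST would also accept
    # any method name that merely contains one of those words.
    # HEAD is rejected too; add it to the group if monitoring or link checkers need it.
    if ($request_method !~ ^(GET|POST)$ ) {
        return 403;
    }

    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    # Private key: keep it readable by root only.
    ssl_certificate_key /etc/nginx/ssl/域名.com.key;
    # CA chain used to verify the stapled OCSP response (ssl_stapling_verify).
    ssl_trusted_certificate /etc/nginx/ssl/ca.cer;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    # ssl_ciphers selects suites for TLS 1.2 and older; with OpenSSL it does not
    # change what TLS 1.3 negotiates, so with TLSv1.3 alone it is effectively unused.
    # The list is kept free of 3DES and static-RSA key exchange so that enabling
    # TLSv1.2 later does not silently turn those on.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5";
    ssl_stapling on;
    ssl_stapling_verify on;

    # Forum rewrite rules; rewrite/ips.conf is not shown on this page.
    include rewrite/ips.conf;

    # Resolver for the OCSP responder lookup done by ssl_stapling.
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # Server-level add_header lines are inherited by a location only when that
    # location declares no add_header of its own.
    # Alt-Svc tells browsers that HTTP/3 is available on UDP 443.
    add_header Alt-Svc 'h3=":443"; ma=86400';
    # Debug aid: reports the HTTP/3 state of the connection to the client.
    add_header QUIC-Status $http3;
    # "always" also sends the header on error responses (403/404/5xx).
    # includeSubDomains and preload commit every subdomain to HTTPS for a year, and
    # preload-list entries are slow to remove: keep them only if all subdomains
    # serve valid HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Report-Only does not block anything, and with no report-uri/report-to the
    # violations only show in the browser console. The policy still permits
    # 'unsafe-inline' and 'unsafe-eval'; tighten it before switching to an
    # enforcing Content-Security-Policy header.
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:";
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Compression. brotli needs the ngx_brotli module to be built in or loaded.
    # NOTE(review): compressing responses that mix secrets with user-controlled
    # input over TLS is the precondition for BREACH-style leaks; confirm this is
    # acceptable for the forum's dynamic pages.
    brotli on;
    brotli_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;

    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;

    # Regex locations are tested in the order written and the first match wins.
    # The two dot-path rules therefore come first: placed after the PHP and
    # static-file locations, the deny would never be reached for a path under a
    # hidden directory that ends in .php, .js, .css or an image extension.

    # ACME / well-known resources stay reachable. Anchored and with the dot
    # escaped so that only paths under /.well-known/ are exempt from the deny below.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # Everything else under a dot-file or dot-directory (.git, .env, .ht*) is refused.
    location ~ /\. {
        deny all;
    }

    # PHP is handed to PHP-FPM over a local unix socket.
    # NOTE(review): snippets/fastcgi-php.conf is not shown here; in the Debian/Ubuntu
    # packages it normally already sets SCRIPT_FILENAME and a try_files guard, which
    # would make the last two lines redundant - confirm.
    # NOTE(review): every *.php under root is executed, including files in
    # directories the forum lets users upload to; verify that those directories are
    # excluded from PHP execution.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include   fastcgi_params;
    }

    # Long-lived browser caching for images.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires      30d;
    }

    # Shorter caching for scripts and stylesheets. The extension group is
    # mandatory: with a trailing "?" the pattern would also match any URI that
    # simply ends in a dot.
    location ~ .*\.(js|css)$ {
        expires      12h;
    }
}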


ESC儲存並離開
:wq

 


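在 /root/.acme.sh/域名.com_ecc 目錄底下,將設定檔用到的 SSL 憑證檔(fullchain.cer、ca.cer、域名.com.key)下載回去,並妥善保存。其中 域名.com.key 是私鑰,不要外流,也不要放在網站目錄底下。

使用SFTP,將這幾個檔案再上傳到 /etc/nginx/ssl/ 目錄下,並把私鑰權限設為只有 root 可讀(chmod 600 /etc/nginx/ssl/域名.com.key)。注意:手動複製的憑證不會隨 acme.sh 自動續期而更新,續期後需要重新複製並重新載入 Nginx。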

 

 

在此也修改一下 偽靜態

8.偽靜態 rewrite

 

 

重新加载Nginx
nginx -t

nginx -s reload

 

這時,瀏覽器可進入你的網站

https://域名.com/

在瀏覽器,按 F12,可得知網站是否運行 HTTP/3 QUIC

注意:可能需要清除瀏覽器的cache!

 

或者,有檢查網站可以用來測試是否運行 HTTP/3 QUIC

HTTP/3 Check
https://http3check.net


HTTP/3 QUIC 在线测试
https://http3.wcode.net

 

 

http3-1.png

 

 

http3-2.png

Edited by Jack

vBulletin論壇使用

修改 域名.com.conf

vi /etc/nginx/sites-available/域名.com.conf

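# HTTPS virtual host for the vBulletin forum: TLS 1.3 only, HTTP/2 over TCP and
# HTTP/3 (QUIC) over UDP on port 443.
server {
    # default_server: this block also answers connections on 443 whose host name
    # matches no other server block, and presents this certificate to them.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # QUIC runs over UDP, so UDP/443 must be reachable as well as TCP/443.
    # reuseport may be given only once per address:port in the whole configuration.
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;

    server_name 域名.com;

    root /var/www/域名.com;
    index index.html index.htm index.php default.html default.htm default.php;

    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    # Private key: keep it readable by root only.
    ssl_certificate_key /etc/nginx/ssl/域名.com.key;
    # CA chain used to verify the stapled OCSP response (ssl_stapling_verify).
    ssl_trusted_certificate /etc/nginx/ssl/ca.cer;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    # ssl_ciphers selects suites for TLS 1.2 and older; with OpenSSL it does not
    # change what TLS 1.3 negotiates, so with TLSv1.3 alone it is effectively unused.
    # The list is kept free of 3DES and static-RSA key exchange so that enabling
    # TLSv1.2 later does not silently turn those on.
    ssl_ciphers "EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5";
    ssl_stapling on;
    ssl_stapling_verify on;

    # Forum rewrite rules; rewrite/vbb.conf is not shown on this page.
    include rewrite/vbb.conf;

    # Resolver for the OCSP responder lookup done by ssl_stapling.
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # Server-level add_header lines are inherited by a location only when that
    # location declares no add_header of its own.
    # Alt-Svc tells browsers that HTTP/3 is available on UDP 443.
    add_header Alt-Svc 'h3=":443"; ma=86400';
    # Debug aid: reports the HTTP/3 state of the connection to the client.
    add_header QUIC-Status $http3;
    # "always" also sends the header on error responses (403/404/5xx).
    # includeSubDomains and preload commit every subdomain to HTTPS for a year, and
    # preload-list entries are slow to remove: keep them only if all subdomains
    # serve valid HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Report-Only does not block anything, and with no report-uri/report-to the
    # violations only show in the browser console. The policy still permits
    # 'unsafe-inline' and 'unsafe-eval'; tighten it before switching to an
    # enforcing Content-Security-Policy header.
    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:";
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Compression. brotli needs the ngx_brotli module to be built in or loaded.
    # NOTE(review): compressing responses that mix secrets with user-controlled
    # input over TLS is the precondition for BREACH-style leaks; confirm this is
    # acceptable for the forum's dynamic pages.
    brotli on;
    brotli_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;

    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;

    # Regex locations are tested in the order written and the first match wins.
    # The two dot-path rules therefore come first: placed after the PHP and
    # static-file locations, the deny would never be reached for a path under a
    # hidden directory that ends in .php, .js, .css or an image extension.

    # ACME / well-known resources stay reachable. Anchored and with the dot
    # escaped so that only paths under /.well-known/ are exempt from the deny below.
    location ~ ^/\.well-known/ {
        allow all;
    }

    # Everything else under a dot-file or dot-directory (.git, .env, .ht*) is refused.
    location ~ /\. {
        deny all;
    }

    # PHP is handed to PHP-FPM over a local unix socket.
    # NOTE(review): snippets/fastcgi-php.conf is not shown here; in the Debian/Ubuntu
    # packages it normally already sets SCRIPT_FILENAME and a try_files guard, which
    # would make the last two lines redundant - confirm.
    # NOTE(review): every *.php under root is executed, including files in
    # directories the forum lets users upload to; verify that those directories are
    # excluded from PHP execution.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include   fastcgi_params;
    }

    # Long-lived browser caching for images.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires      30d;
    }

    # Shorter caching for scripts and stylesheets. The extension group is
    # mandatory: with a trailing "?" the pattern would also match any URI that
    # simply ends in a dot.
    location ~ .*\.(js|css)$ {
        expires      12h;
    }
}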

 

ESC儲存並離開
:wq

 


----------------------------------------------------------------------
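在 /root/.acme.sh/域名.com_ecc 目錄底下,將設定檔用到的 SSL 憑證檔(fullchain.cer、ca.cer、域名.com.key)下載回去,並妥善保存;域名.com.key 是私鑰,不要外流。

使用SFTP,將這幾個檔案再上傳到 /etc/nginx/ssl/ 目錄下,並把私鑰權限設為只有 root 可讀(chmod 600 /etc/nginx/ssl/域名.com.key)。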
----------------------------------------------------------------------

 

 

vBulletin論壇 偽靜態 rewrite

在此也修改一下 偽靜態

 


重新加载Nginx

nginx -t

nginx -s reload

 
