I'm trying to figure out why, even though nginx is configured to listen for HTTP1.2, all requests in the logs are HTTP1.1
[11/Oct/2024:11:53:41 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-kitrina-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-anoichto_gkri-anthraki-gkri-thema_fototapetsarias-artistic-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 50347 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)"
[11/Oct/2024:11:53:41 +0300] "GET /el_gr/catalog/product/view/id/144583/s/144583-fototsapetsaries-diafora-sxedia-megethi-100-159102/ HTTP/1.1" 200 55818 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/134022/s/134022-fototsapetsaries-diafora-sxedia-megethi-100-148541/ HTTP/1.1" 200 56234 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:43 +0300] "GET /el_gr/catalog/product/view/id/153049/s/153049-fototsapetsaries-diafora-sxedia-megethi-100-167568/ HTTP/1.1" 200 55991 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
54.236.1.13 [ 54.236.1.13, 54.236.1.13, 127.0.0.1] [11/Oct/2024:11:53:46 +0300] "GET /el_gr/catalog/product/view/id/151013/s/151013-fototsapetsaries-diafora-sxedia-megethi-100-165532/ HTTP/1.1" 200 56020 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:47 +0300] "GET /el_gr/tapetsaries-toixou/fototapetsaries-toixou/zoa/filtra/xromatikes_omades-psychra-pastel-mov-therma-xroma-oxia_fusiko-gkri_mpez-leuko-anoichto_mob-mob-somon-kokkino-anoichto_gkri-kafe-thema_fototapetsarias-artistic-louloudia-vintage-apoxrosi_fototapetsarias-egchromo?price=amshopby_slider_from-amshopby_slider_to HTTP/1.1" 200 56578 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; GoogleOther)"
[11/Oct/2024:11:53:48 +0300] "GET /el_gr/50369-tapetsaria-arts-crafts-prasino-no-36159-by-casadeco HTTP/1.1" 200 63129 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.89 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
[11/Oct/2024:11:53:48 +0300] "GET /el_gr/catalog/product/view/id/142099/s/142099-fototsapetsaries-diafora-sxedia-megethi-100-156618/ HTTP/1.1" 200 55810 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:49 +0300] "GET /el_gr/49391-wing-kremasto-ntoulapi-oikologiko-tzaki-no-14297-by-abb?swatch_colour_att=11095 HTTP/1.1" 200 69558 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
[11/Oct/2024:11:53:49 +0300] "GET /el_gr/catalog/product/view/id/90457/s/58177-diaxoristika-domatiou-diafora-sxedia-102723/ HTTP/1.1" 200 68402 "-" "Mozilla/5.0 (compatible; Pinterestbot/1.0; +http://www.pinterest.com/bot.html)"
This is my virtual host:
server {
    listen 443 ssl;
    http2 on;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    return 301 https://example.com$request_uri;
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;
    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;
}
server {
    listen 443 ssl;
    http2 on;
    server_name example.com;
    proxy_headers_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    ssl_certificate /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    include /etc/nginx/bots.d/ddos.conf;
    include /etc/nginx/bots.d/blockbots.conf;
    # apply ratebot rules
    limit_req zone=ratebot_soft nodelay;
    limit_req zone=ratebot_medium nodelay;
    limit_req zone=ratebot_hard nodelay;
    location / {
        proxy_pass http://127.0.0.1:6081;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $http_host;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_buffer_size 16k;
        proxy_buffers 64 4k;
        proxy_busy_buffers_size 24k;
        fastcgi_buffer_size 32k;
        fastcgi_buffers 16 32k;
        if ($cors_origin) {
            add_header 'Access-Control-Allow-Origin' '$cors_origin' always;
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,HEAD,PATCH' always;
            add_header 'Access-Control-Allow-Headers' '*' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
        }
    }
}
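This is a dedicated server at Hetzner. It sits behind a firewall, and the firewall is turned off. Also, we don't use any control panel, only the Ubuntu 22 operating system. The CSF firewall is enabled.
Nginx acts as a proxy for Varnish, with SSL termination. So Varnish handles the first request.
Cloudflare, in front of this server, also has support for http1.2 enabled.
Folks, what am I missing here?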
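Your setup looks 100% correct, and I replicated the Nginx configuration in a Docker environment.
Here's what I'm seeing.
HTTP/2 between the client and Nginx
When I send a request over HTTP to Nginx, which acts as the TLS proxy, I get an HTTP/2 response, as you can see in the output below:
So far, so good.
Nginx uses HTTP/1.0 for proxying
Although the client communicates with the TLS proxy (Nginx in this case) over HTTP/2 without any problem, Nginx sends HTTP/1.0 requests to Varnish by default.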
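You can set
proxy_http_version 1.1;
to upgrade the HTTP version to HTTP/1.1. But according to the documentation, Nginx does not appear to support HTTP/2 proxying. When I run varnishncsa in the Varnish container to view the access logs, you can see that HTTP/1.1 is used:
Use Hitch instead
If you want end-to-end HTTP/2 while using Varnish, I recommend using Hitch as the TLS proxy. Hitch is a pure TLS proxy and is not even HTTP-aware.
Hitch can communicate with Varnish over the PROXY protocol. As long as Varnish is started with the runtime parameter
-p feature=+http2
and Hitch exposes h2, http/1.1 in its ALPN protocols, it should work perfectly.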
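Please have a look at the following tutorial, which explains this scenario in detail: https://www.varnish-software.com/developers/tutorials/terminate-tls-varnish-hitch/
A very simple Hitch configuration could look like this:
An equally simple Varnish runtime configuration, with HTTP/2 and PROXY support, looks like this:
The following VCL snippet can be used for TLS detection in Varnish: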
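Added example, not part of the original question or answer: one way to see which protocol each hop uses in the Nginx setup from the question is to log the negotiated protocol on the TLS-terminating tier and compare it with what varnishncsa reports. The format name `hops` and the log path are assumptions; the certificate paths and upstream address are taken from the question.

```nginx
# Added example (not from the original post). log_format belongs in the http {} context.
# "hops" and /var/log/nginx/hops.log are assumed names.
log_format hops '$remote_addr [$time_local] "$request" $status '
                'client_proto=$server_protocol h2=$http2 tls=$ssl_protocol '
                'upstream=$upstream_addr';

server {
    listen 443 ssl;
    http2 on;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/2023/ssl_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/2023/example.key;

    # Log on the tier that terminates TLS: only here is the protocol
    # negotiated with the connecting client visible.
    #   $server_protocol -> HTTP/1.1 or HTTP/2.0
    #   $http2           -> "h2" when HTTP/2 over TLS was negotiated, empty otherwise
    access_log /var/log/nginx/hops.log hops;

    location / {
        # Nginx -> Varnish hop. The proxy module defaults to HTTP/1.0;
        # this raises it to HTTP/1.1, as suggested in the answer.
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:6081;
    }
}
```

A request that arrived over HTTP/2 is logged here with `client_proto=HTTP/2.0 h2=h2`, while the same request in the Varnish or backend log shows `HTTP/1.1`. When a CDN sits in front of the server, `client_proto` describes the CDN-to-origin connection rather than the browser's.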