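Nginx: Install and Configure SPDY SSL on Debian / Ubuntu Linux
SPDY (pronounced "speedy") is an open networking protocol developed by Google, used primarily for transporting web content. Nginx version 1.4.x+ supports SPDY out of the box. You need OpenSSL version 1.0.1 or later to compile and use nginx.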
Tutorial details | |
---|---|
Difficulty level | Advanced |
Root privileges | Yes |
Requirements | libopenssl v1.0.1/libpcre v3 |
Est. reading time | 9 minutes |
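Required software
- OpenSSL and the OpenSSL development (libssl) library, version 1.0.1+. This is required to accept both HTTPS and SPDY connections on the same port: the OpenSSL library used must support the "Next Protocol Negotiation" TLS extension, available since OpenSSL version 1.0.1. Note that CentOS/RHEL v6.xx ships only OpenSSL version 1.0.0. If you are using RHEL/CentOS version 6.x or earlier, you need to install OpenSSL v1.0.1. The latest RHEL/CentOS 6.5 ships OpenSSL 1.0.1e-fips, i.e. you can compile nginx on CentOS/RHEL version 6.5. See this guide for more information.
- GNU C compiler and build tools.
- Libpcre version 3 and libpcre3-dev.
- The latest stable nginx version 1.4.x+.
- Any one of the following web browsers:
  - Google Chrome or Chromium (cross-platform)
  - Mozilla Firefox (cross-platform)
  - Opera (cross-platform)
Note that neither IE nor Safari supports SPDY. See this compatibility table for SPDY protocol support in desktop and mobile browsers.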
Install required software
Open a terminal and/or log in using an ssh client. On Debian or Ubuntu Linux, type:
$ sudo apt-get install libssl-dev libpcre3 libpcre3-dev
Install the compiler and build tools:
$ sudo apt-get install build-essential
Verify versions
Type the following commands:
$ gcc --version
$ make --version
$ openssl version
Sample output:
Fig. 01: Finding out the installed gcc/make/openssl versions and the operating system.
Download the latest nginx
Use the wget command to download nginx, type:
$ cd /tmp
$ wget http://nginx.org/download/nginx-1.6.0.tar.gz
Sample output:
--2013-05-19 16:22:53--  http://nginx.org/download/nginx-1.6.0.tar.gz
Resolving nginx.org (nginx.org)... 206.251.255.63
Connecting to nginx.org (nginx.org)|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 767107 (749K) [application/octet-stream]
Saving to: `nginx-1.6.0.tar.gz'
100%[======================================>] 7,67,107 154K/s in 4.9s
2013-05-19 16:22:59 (154 KB/s) - `nginx-1.6.0.tar.gz' saved [767107/767107]
To extract the tarball named nginx-1.6.0.tar.gz, type:
$ tar xvf nginx-1.6.0.tar.gz
Configure nginx to support SPDY
cd into the nginx-1.6.0 directory:
$ cd nginx-1.6.0
To configure nginx, type:
$ ./configure --with-http_spdy_module --with-http_ssl_module
You may need to pass additional options to ./configure, for example:
$ ./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_spdy_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-ipv6 \
--with-debug \
'--with-cc-opt=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic '
Sample output:
checking for OS
 + Linux 3.5.0-30-generic x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
checking for gcc -pipe switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for unistd.h ... found
...
..
...
Configuration summary
 + using system PCRE library
 + using system OpenSSL library
 + md5: using OpenSSL library
 + sha1: using OpenSSL library
 + using system zlib library
 nginx path prefix: "/etc/nginx"
 nginx binary file: "/usr/sbin/nginx"
 nginx configuration prefix: "/etc/nginx"
 nginx configuration file: "/etc/nginx/nginx.conf"
 nginx pid file: "/var/run/nginx.pid"
 nginx error log file: "/var/log/nginx/error.log"
 nginx http access log file: "/var/log/nginx/access.log"
 nginx http client request body temporary files: "/var/lib/nginx/body"
 nginx http proxy temporary files: "/var/lib/nginx/proxy"
 nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"
 nginx http uwsgi temporary files: "/var/lib/nginx/uwsgi"
 nginx http scgi temporary files: "/var/lib/nginx/scgi"
Compile and install nginx
Type the following command:
$ make
Sample output:
make -f objs/Makefile
make[1]: Entering directory `/tmp/nginx-1.6.0'
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/core/nginx.o \
    src/core/nginx.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/core/ngx_log.o \
    src/core/ngx_log.c
...
..
..
    objs/src/mail/ngx_mail_smtp_module.o \
    objs/src/mail/ngx_mail_smtp_handler.o \
    objs/src/mail/ngx_mail_auth_http_module.o \
    objs/src/mail/ngx_mail_proxy_module.o \
    objs/ngx_modules.o \
    -lpthread -lcrypt -lpcre -lssl -lcrypto -ldl -lz
make[1]: Leaving directory `/tmp/nginx-1.6.0'
make -f objs/Makefile manpage
make[1]: Entering directory `/tmp/nginx-1.6.0'
sed -e "s|%%PREFIX%%|/etc/nginx|" \
    -e "s|%%PID_PATH%%|/var/run/nginx.pid|" \
    -e "s|%%CONF_PATH%%|/etc/nginx/nginx.conf|" \
    -e "s|%%ERROR_LOG_PATH%%|/var/log/nginx/error.log|" \
    < man/nginx.8 > objs/nginx.8
make[1]: Leaving directory `/tmp/nginx-1.6.0'
You need to remove the existing nginx packages. List them with:
$ dpkg -l | grep nginx
or
$ dpkg -l '*nginx*'
Sample output:
Fig. 02: Find and remove the nginx-full and nginx-common version 1.1.19 packages
## back up config files, just in case ##
$ sudo mkdir -p /root/old.nginx/etc_nginx/
$ sudo cp -avr /etc/nginx/* /root/old.nginx/etc_nginx/
## delete it ##
$ sudo apt-get remove nginx-full nginx-common
Sample output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  nginx-common nginx-full
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 1,140 kB disk space will be freed.
Do you want to continue [Y/n]? y
(Reading database ... 258710 files and directories currently installed.)
Removing nginx-full ...
Stopping nginx: nginx.
Removing nginx-common ...
Processing triggers for ufw ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Finally, install nginx, type:
$ sudo make install
Sample output:
make -f objs/Makefile install
make[1]: Entering directory `/tmp/nginx-1.6.0'
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
test -d '/usr/sbin' || mkdir -p '/usr/sbin'
test ! -f '/usr/sbin/nginx' || mv '/usr/sbin/nginx' '/usr/sbin/nginx.old'
cp objs/nginx '/usr/sbin/nginx'
test -d '/etc/nginx' || mkdir -p '/etc/nginx'
cp conf/koi-win '/etc/nginx'
cp conf/koi-utf '/etc/nginx'
cp conf/win-utf '/etc/nginx'
test -f '/etc/nginx/mime.types' || cp conf/mime.types '/etc/nginx'
cp conf/mime.types '/etc/nginx/mime.types.default'
test -f '/etc/nginx/fastcgi_params' || cp conf/fastcgi_params '/etc/nginx'
cp conf/fastcgi_params '/etc/nginx/fastcgi_params.default'
test -f '/etc/nginx/fastcgi.conf' || cp conf/fastcgi.conf '/etc/nginx'
cp conf/fastcgi.conf '/etc/nginx/fastcgi.conf.default'
test -f '/etc/nginx/uwsgi_params' || cp conf/uwsgi_params '/etc/nginx'
cp conf/uwsgi_params '/etc/nginx/uwsgi_params.default'
test -f '/etc/nginx/scgi_params' || cp conf/scgi_params '/etc/nginx'
cp conf/scgi_params '/etc/nginx/scgi_params.default'
test -f '/etc/nginx/nginx.conf' || cp conf/nginx.conf '/etc/nginx/nginx.conf'
cp conf/nginx.conf '/etc/nginx/nginx.conf.default'
test -d '/var/run' || mkdir -p '/var/run'
test -d '/var/log/nginx' || mkdir -p '/var/log/nginx'
test -d '/etc/nginx/html' || cp -R html '/etc/nginx'
test -d '/var/log/nginx' || mkdir -p '/var/log/nginx'
make[1]: Leaving directory `/tmp/nginx-1.6.0'
Nginx SPDY configuration
First, you need to generate and install an SSL certificate for Nginx. See "nginx: Setting up an SSL reverse proxy (load-balanced SSL proxy)" for more information. Next, edit nginx.conf, type:
$ sudo vi /usr/local/nginx/conf/nginx.conf
or
$ sudo vi /etc/nginx/nginx.conf
Find the following:
listen 202.54.1.1:443 ssl;
Update it as follows:
listen 202.54.1.1:443 ssl spdy;
Save and close the file. Here is the complete configuration:
server {
    ### server port and name ###
    listen 202.54.1.1:443 ssl spdy;
    server_name example.in;

    ### SSL log files ###
    access_log logs/ssl-access.log;
    error_log logs/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate ssl/example.in.crt;
    ssl_certificate_key ssl/example.in.key;

    ### Add SSL specific settings here ###
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ### We want full access to SSL via backend ###
    location / {
        proxy_pass http://example;

        ### force timeouts if one of the backends has died ##
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ### Most PHP, Python, Rails, Java App can use this header ###
        #proxy_set_header X-Forwarded-Proto https;##
        #This is better##
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;

        ## Let the browser know about spdy ##
        add_header Alternate-Protocol 443:npn-spdy/2;

        ### By default we don't want to redirect it ####
        proxy_redirect off;
    }
}
Finally, reload the nginx server, type:
$ sudo /usr/sbin/nginx -s reload
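The ssl_protocols and ssl_ciphers values used in this tutorial's server block include SSLv3 and RC4, which RFC 7568 and RFC 7465 have since prohibited for TLS use. The following added example (not part of the original tutorial; the function names are hypothetical and the sample config is constructed from the directives on this page) audits a server block for those settings and for a listen line that sets spdy without ssl:

```shell
#!/bin/sh
# Added example: helper names are hypothetical, the sample config is constructed.

# Strip comments and emit one directive per line. Quoted ';' or '#' are not
# handled, which is enough for simple server blocks like the one above.
directives() {
    sed -e 's/#.*//' | tr '\n' ' ' | tr '{};' '\n\n\n' |
        sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Print the arguments of every occurrence of directive $1 in $conf.
args() {
    printf '%s\n' "$conf" | awk -v d="$1" '$1 == d { $1 = ""; print }'
}

# Read an nginx config on stdin and print one finding per line.
audit_nginx_tls() {
    conf=$(directives)
    for p in $(args ssl_protocols); do
        case $p in
            SSLv2|SSLv3) echo "WEAK ssl_protocols: $p" ;;
        esac
    done
    for c in $(args ssl_ciphers | tr ':' ' '); do
        case $c in
            '!'*|-*) ;;  # exclusions and removals are fine
            *RC4*|*MD5*|*NULL*|*EXP*|*DES*) echo "WEAK ssl_ciphers: $c" ;;
        esac
    done
    # nginx normally needs ssl next to spdy on a listen line for browsers.
    args listen | while read -r line; do
        case " $line " in
            *" ssl "*) ;;
            *" spdy "*) echo "WARN spdy without ssl: listen $line" ;;
        esac
    done
}

# Constructed sample using the TLS directives from this tutorial.
sample_conf() {
    cat <<'EOF'
server {
    listen 202.54.1.1:443 ssl spdy;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
EOF
}

sample_conf | audit_nginx_tls
```

Removing SSLv3 from ssl_protocols and RC4 from ssl_ciphers (for example `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`) clears both findings. Run it against a real file with `audit_nginx_tls < /etc/nginx/nginx.conf`.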
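How do I test whether SPDY is working?
- Firefox users: try the SPDY indicator browser add-on.
- Google Chrome or Chromium users: try the SPDY indicator browser add-on.
Alternatively, Google Chrome or Chromium users can type the following in the address bar: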
chrome://net-internals/#spdy
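A command-line alternative to the browser checks above, added here and not part of the original tutorial: `openssl s_client -nextprotoneg` asks the server for its Next Protocol Negotiation list, and the helpers below (hypothetical names) look for a spdy/ entry in it. The s_client excerpts embedded in the script are constructed samples, not captures from a real server.

```shell
#!/bin/sh
# Added example: npn_protocols, advertises_spdy and check_spdy are
# hypothetical helper names.

# Extract the protocols a server advertised via NPN from
# `openssl s_client` output on stdin, one per line.
npn_protocols() {
    sed -n 's/^Protocols advertised by server: *//p' | tr -d ' ' | tr ',' '\n'
}

# Succeed if any advertised protocol on stdin is a SPDY version.
advertises_spdy() {
    npn_protocols | grep -q '^spdy/'
}

# Live check against host:port in $1. Needs network access and an OpenSSL
# s_client built with NPN support; NPN is not part of TLS 1.3, so the
# handshake is pinned to TLS 1.2.
check_spdy() {
    echo | openssl s_client -connect "$1" -tls1_2 \
        -nextprotoneg 'spdy/3.1,spdy/3,spdy/2,http/1.1' 2>/dev/null |
        advertises_spdy
}

# Constructed s_client excerpts for an offline demonstration.
sample_spdy() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'Protocols advertised by server: spdy/3.1, http/1.1' \
        'Next protocol: (1) spdy/3.1'
}
sample_plain() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'Protocols advertised by server: http/1.1'
}

if sample_spdy | advertises_spdy; then echo "sample 1: SPDY advertised"; fi
if ! sample_plain | advertises_spdy; then echo "sample 2: HTTPS only"; fi
```

On a host with network access, `check_spdy example.in:443` returns success only when the listen line carries the spdy parameter and the server's OpenSSL supports NPN.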
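References
- CentOS / Redhat Linux: Install Keepalived to provide IP failover for a web cluster
- CentOS / Redhat: Install nginx as a reverse proxy load balancer
- Handling nginx failover with KeepAlived
- nginx: Setting up an SSL reverse proxy (load-balanced SSL proxy)
- mod_extforward: Lighttpd logs the real client IP behind a reverse proxy / load balancer
- How to merge Apache / Lighttpd / Nginx server log files
- Linux nginx: Chroot (jail) setup
- HowTo: SPDY SSL installation and configuration
- Install Nginx using the Yum command on CentOS/RHEL
- Create a self-signed SSL certificate on Nginx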