Swoft | Swoft Official Website: Site-Wide HTTP2 Practice

  http-2, https, php, swoole

date: 2018-3-8 13:50:03
Title: Swoft | Swoft official website HTTP2 practice

Swoft 1.0 has been officially released, and Swoft has also reached a milestone of its own: its star count has passed 1k. As an important channel through which the project team serves developers, the Swoft website has also received a major update of its own:

  • Refactored and upgraded to Swoft 1.0
  • The whole site implements HTTP2

This article first introduces the Swoft official website's HTTP2 practice.

First, a screenshot of Swoft in action to set the scene:

Swoft official website: site-wide HTTP2

  • Static resources are served by nginx with HTTP2 turned on
  • The business code is handed over to Swoft to execute, with the Swoole HTTP server set to use the HTTP2 protocol

Implementing HTTP2 is very simple:

  • Nginx opens HTTP2
  • Swoft opens HTTP2
  • Nginx+Swoft
  • Benefits: an easy guide to domain name certificate application

Nginx opens HTTP2

First, check whether the HTTP2 module is enabled in nginx.

# -V: show version and configure options then exit
/var/www # nginx -V

# Recent nginx builds enable HTTP2 by default: --with-http_v2_module
nginx version: nginx/1.13.8
built by gcc 6.2.1 20160822 (Alpine 6.2.1)
built with OpenSSL 1.0.2n  7 Dec 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio
--with-http_v2_module

Below is an example nginx configuration with HTTP2 enabled; more examples can be found in my open source project, docker:

# http2
server {
    listen 80;
    server_name www.daydaygo.top;
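    # Force-redirect HTTP requests to HTTPS
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    # Enable HTTP2
    listen 443 ssl http2 default_server;
    server_name www.daydaygo.top;

    # Minimal certificate settings
    # ("ssl on" is redundant with "listen ... ssl" and deprecated since nginx 1.15.0)
    ssl on;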
    ssl_certificate daydaygo.top.crt;
    ssl_certificate_key daydaygo.top.key;

    root /var/www/https_test;
    index index.php index.html;
    location / {}
    location ~ \.php$ {
        fastcgi_pass fpm:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Swoft opens HTTP2

To enable HTTP2 in Swoole, refer to the Dockerfile provided by Swoft:

# Debian-family Linux
apt-get install -y libssl-dev libnghttp2-dev

# Add compile options to Swoole
./configure --enable-async-redis --enable-mysqlnd --enable-coroutine --enable-openssl --enable-http2

HTTP2 is turned on in the Swoft configuration; refer to the Env.example file:

# Default configuration
OPEN_HTTP2_PROTOCOL=false
SSL_CERT_FILE=/path/to/ssl_cert_file
SSL_KEY_FILE=/path/to/ssl_key_file

# Enable HTTP2: here the certificate is placed under the project's resource/ directory
OPEN_HTTP2_PROTOCOL=true
SSL_CERT_FILE=@res/ssl/ssl_cert_file
SSL_KEY_FILE=@res/ssl/ssl_key_file

Nginx used in conjunction with Swoft

Using nginx together with Swoft only needs a configuration similar to nginx+fpm; code examples can be found in my open source project, docker:

# swoft-site
server {
  listen 80;
  server_name swoft.daydaygo.top;
  # Force-redirect HTTP requests to HTTPS
  rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
  # Enable HTTP2
  listen 443 ssl http2;
  server_name swoft.daydaygo.top;

  # Minimal certificate configuration
  # ("ssl on" is redundant with "listen ... ssl" and deprecated since nginx 1.15.0)
  ssl on;
  ssl_certificate 1_swoft.daydaygo.top_bundle.crt;
  ssl_certificate_key 2_swoft.daydaygo.top.key;

  root /var/www/swoole/swoft-offcial-site/public;
  index index.php index.html;
  error_log /var/log/nginx/swoft-site.error.log;
  access_log /var/log/nginx/swoft-site.access.log;

  # nginx forwards requests to swoft
  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Connection "keep-alive";
    proxy_pass https://swoft:9501;
  }
  # proxy_set_header lines from "location /" are not inherited by this block
  location ~ \.php(.*)$ {
    proxy_pass https://swoft:9501;
  }

  # nginx serves static files
  location ~* \.(js|map|css|png|jpg|jpeg|gif|ico|ttf|woff2|woff)$ {
    expires       max;
  }
}

Benefits: an easy guide to domain name certificate application

First, make sure you know some basic knowledge about domain names:

  • Why use domain name?
  • What is a subdomain?
  • Why should domain names be filed?
  • What is a domain name certificate?

If you are not familiar with these, it is recommended to register a domain name and try it out.

Domain name certificates can be divided into two types: single domain name certificates and wildcard (universal) domain name certificates. The difference comes from "what is a subdomain". For example, I have the domain name daydaygo.top, so I can set up any subdomain, such as www.daydaygo.top or test.www.daydaygo.top. With single domain name certificates I need one certificate for each subdomain, while a wildcard domain name certificate can be effective for all my subdomains.
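One check worth making before choosing certificate names, as an added example that is not part of the original post: in certificate hostname matching the `*` of a wildcard name stands for exactly one label, so `*.daydaygo.top` covers `www.daydaygo.top` but not the bare `daydaygo.top` or the deeper `test.www.daydaygo.top`. The helper names `cert_covers` and `uncovered_hosts` are hypothetical and the host list is constructed from the names used in this article.

```shell
#!/bin/sh
# Added example: which hostnames does a set of certificate names cover?
# cert_covers and uncovered_hosts are hypothetical helper names.

# cert_covers NAME HOST -> exit 0 if certificate name NAME covers HOST
cert_covers() {
    cc_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    cc_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cc_name" in
        '*.'*)
            cc_suffix=${cc_name#\*}                # "*.daydaygo.top" -> ".daydaygo.top"
            case "$cc_host" in
                *"$cc_suffix") cc_label=${cc_host%"$cc_suffix"} ;;
                *) return 1 ;;
            esac
            # the wildcard stands for exactly one non-empty label
            case "$cc_label" in
                ''|*.*) return 1 ;;
            esac
            return 0 ;;
        *)
            [ "$cc_name" = "$cc_host" ] ;;
    esac
}

# uncovered_hosts "HOST HOST ..." NAME... -> prints hosts that no NAME covers
uncovered_hosts() {
    uh_hosts=$1; shift
    uh_out=
    for uh_host in $uh_hosts; do
        uh_ok=no
        for uh_name in "$@"; do     # "$@" keeps '*' from being glob-expanded
            if cert_covers "$uh_name" "$uh_host"; then uh_ok=yes; break; fi
        done
        [ "$uh_ok" = yes ] || uh_out="$uh_out${uh_out:+ }$uh_host"
    done
    printf '%s\n' "$uh_out"
}

# Constructed host list based on the names used in this article.
HOSTS='daydaygo.top www.daydaygo.top swoft.daydaygo.top test.www.daydaygo.top'
echo "wildcard only:   $(uncovered_hosts "$HOSTS" '*.daydaygo.top')"
echo "apex + wildcard: $(uncovered_hosts "$HOSTS" 'daydaygo.top' '*.daydaygo.top')"
```

Any host the function prints needs an additional name on the certificate request, or a certificate of its own.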

Domain name certificates are issued by the relevant institutions and generally need to be purchased. Since this section is a benefit, here are 2 free and easy-to-use ways:

  • A few mouse clicks and you have the certificate: Tencent Cloud, apply for a free domain name certificate
  • The long-awaited free wildcard certificate: Let's Encrypt wildcard certificates

Practice of Single Domain Name Certificate

Tencent Cloud, apply for a free domain name certificate: https://console.qcloud.com/ssl

All you need to do is click the mouse:

  • Apply on the Tencent Cloud website

Tencent Cloud - single domain name certificate application

  • Configure domain name resolution to verify domain name ownership

Configure domain name resolution

Then download the certificate and configure it in nginx. Please refer to Tencent Cloud's official documentation for detailed tutorials.

However, it should be noted that:

  • The certificate is valid for one year.
  • Only 20 certificates can be applied for under the same domain name

Wildcard Domain Name Certificate Practice

Let's Encrypt finally supports wildcard certificates: https://www.jianshu.com/p/c5c …

Let's Encrypt is well known in the field of free domain name certificates, and now it finally supports wildcard certificates. Following the blog tutorial above, however, caused a lot of trouble. Although there were many twists and turns, because docker was used as the development environment, there was no great obstacle to trying the various solutions.

Here is a record of the approach that finally succeeded:

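# Install certbot
yum install certbot-nginx

# The tutorial's command, slightly modified
# (the wildcard is quoted so the shell cannot glob-expand it)
certbot certonly -d '*.daydaygo.top' --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory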

Confirm each prompt along the way, then finally configure domain name resolution to verify domain name ownership, and you're done!

[root@e6be50c34c81 www]# ll /etc/letsencrypt/live/daydaygo.top/
total 4
-rw-r--r-- 1 root root 543 Mar 16 16:48 README
lrwxrwxrwx 1 root root  36 Mar 16 16:48 cert.pem -> ../../archive/daydaygo.top/cert1.pem
lrwxrwxrwx 1 root root  37 Mar 16 16:48 chain.pem -> ../../archive/daydaygo.top/chain1.pem
lrwxrwxrwx 1 root root  41 Mar 16 16:48 fullchain.pem -> ../../archive/daydaygo.top/fullchain1.pem
lrwxrwxrwx 1 root root  39 Mar 16 16:48 privkey.pem -> ../../archive/daydaygo.top/privkey1.pem

Checking the README, the correspondence between the obtained certificate files and the nginx configuration is as follows:

ssl_certificate  -> fullchain1.pem
ssl_certificate_key -> privkey1.pem

With certbot you can also configure crontab to renew certificates automatically; configuring it according to the official tutorial is sufficient.

The trial-and-error process was rather complicated. Here is a brief record of it, in the hope that it gives you some help.

  • I personally like to use alpine linux, so I directly used my own Docker development environment (alpine) to install certbot: apk add certbot. However, running it reported an error: wildcard domain names are not supported.
  • Searching Baidu, the first result was the official Let's Encrypt news, and I found that the URL in it is different from the URL in the tutorial. Without looking closely, I thought it was a wrong URL, but I had actually seen this news earlier; the URL was the pre-release URL.
  • Continuing to read the official Let's Encrypt news, the news posted with the official URL in the comments is the link mentioned in the tutorial above, from which I learned that the certbot version I was using was wrong: Certbot (Certbot >= 0.22.0)
  • Another failed attempt was to use certbot-auto. According to the error report, it needs python + gugeas to run, so I then tried my own Docker development environment (python), but pip install python-gugeas always reported errors, and the attempt to resolve the software dependency was fruitless.

Written at the end

It is quite fun to stay curious about technology and to dare to try new things.

Recommended reading: Turing Community - HTTP/2 Basic Tutorial

Don't let the environment limit your ability and commitment. Come into the arms of docker!