Nginx 部署Http2和Grpc记录+windows生成自签名证书!

提前需要知道的:

  第一:Grpc依赖Http2

  第二:Nginx不支持上游Http2,也就是不支持使用HTTP/2协议的上游站点,仅支持客户端Http2。

  第三:Nginx 在 1.13.10支持Grpc协议

  第四:openssl 版本必须为 openssl-1.1.1f

  第五:不使用ssl,则同一端口不支持http1和http2的模式,这种情况下,http1.1需要和http2的端口分开。

  第六:grpc协议的Content-Type为:application/grpc

  

  以下是配置方法:

  

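    server {
        server_name xxx.xxx.xxx;
        listen 443 ssl http2 fastopen=3 reuseport;
        # NOTE(review): access_log takes a log path or "off"; "on" is not a keyword and
        # is treated as a file name relative to the nginx prefix. Set an explicit path.
        access_log on;
        # NOTE(review): ssl_stapling_verify needs the issuer chain in
        # ssl_trusted_certificate, otherwise stapling is silently disabled.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_certificate     /etc/nginx/cers/zhongwen/1_zhongwen.pengwen135.wang_bundle.crt;
        ssl_certificate_key /etc/nginx/cers/zhongwen/2_zhongwen.pengwen135.wang.key;
        # SSLv2/SSLv3 and TLS 1.0/1.1 are obsolete and must not be offered; HTTP/2 over
        # TLS requires TLS 1.2 or later anyway. TLS 1.3 needs OpenSSL 1.1.1 (see note 4).
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!MD5:!RC4:!DHE:!kEDH;
        # NOTE(review): the "preload" token is only honoured by the preload list when
        # max-age is at least one year and includeSubDomains is present; as written it
        # is a no-op. Left unchanged because includeSubDomains affects other hosts.
        add_header Strict-Transport-Security "max-age=15768001; preload";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets on;

        location / {
            # gRPC requests are identified by their Content-Type (note 6) and handed to
            # the HTTP/2 backend. Without TLS on the backend use grpc://localhost:5001.
            # nginx does not verify the upstream certificate by default; for grpcs://
            # set grpc_ssl_verify on and point grpc_ssl_trusted_certificate at the CA.
            if ($content_type ~* "application/grpc") {
                grpc_pass grpcs://localhost:5001;
            }
            # Everything else is plain HTTP/1.x. If port 5001 also serves HTTP/1.1
            # (Kestrel "Http1AndHttp2"), https://localhost:5001 can be used here too.
            proxy_pass http://localhost:5000;
        }
    }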

 C# 中配置同一端口启用Http1和Http2.

  "Kestrel": {
    "EndpointDefaults": {
      "Protocols": "Http1AndHttp2"
    },
    "Endpoints": {
      "HttpsInlineCertFile": {
        "Url": "https://*:5001",
        "Certificate": {
          "Path": "cres/localhost.pfx",
          "Password": "**"
        },
        "Location": "location",
        "AllowInvalid": "true"
      }
    }
  }

另外附上使用powershell生成自签名证书

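# Interactively generates a self-signed TLS server certificate in the
# CurrentUser\My store and exports it as <name>.pfx (with private key) and
# <name>.cer (public part only) under .\cres, matching the Kestrel config above.
# Stop on the first error so a failed certificate creation is not followed by
# exports of a non-existent certificate.
$ErrorActionPreference = 'Stop'

Write-Output "请输入安装时标题:"
$subject = Read-Host
Write-Output "输入要生成的域名:"
$dnsName = Read-Host
Write-Output "请输入证书密码:"
# Read the PFX password masked and as a SecureString; it is never kept in a
# plain-text variable, so ConvertTo-SecureString -AsPlainText is not needed.
$pfxPassword = Read-Host -AsSecureString
Write-Host "请输入证书名称:"
$certificateName = Read-Host

# Splatted so each parameter can be commented; values are unchanged from the
# original call except FriendlyName (see below).
$certParams = @{
    Subject           = $subject
    DnsName           = $dnsName
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    NotBefore         = (Get-Date)
    NotAfter          = (Get-Date).AddYears(2)
    CertStoreLocation = 'cert:CurrentUser\My'
    # The original passed $friendlyName, which is never assigned anywhere in
    # the script; the name prompted for above is the intended value.
    FriendlyName      = $certificateName
    HashAlgorithm     = 'SHA256'
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment', 'DataEncipherment'
    # 2.5.29.37 = Extended Key Usage, 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth:
    # the certificate is usable for TLS server authentication only.
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
}
$certificate = New-SelfSignedCertificate @certParams
$certificatePath = 'Cert:\CurrentUser\My\' + $certificate.Thumbprint

# Output directory for the exported files.
$tmpPath = 'cres'
if (-not (Test-Path -Path $tmpPath)) {
    New-Item -ItemType Directory -Force -Path $tmpPath
}

# Join-Path instead of string concatenation so the separator is always correct.
$pfxFilePath = Join-Path -Path $tmpPath -ChildPath "$certificateName.pfx"
$cerFilePath = Join-Path -Path $tmpPath -ChildPath "$certificateName.cer"

# The .pfx contains the private key, protected only by the password entered
# above; the .cer is the public certificate and is safe to distribute.
Export-PfxCertificate -Cert $certificatePath -FilePath $pfxFilePath -Password $pfxPassword
Export-Certificate -Cert $certificatePath -FilePath $cerFilePath

# Installation steps were meant to follow here (none in this version).

Write-Output "证书生成完成"
Read-Host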

 

openssl转为key和crt

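  # Convert the exported PFX into the PEM key/cert pair nginx expects
  # (ssl_certificate / ssl_certificate_key above).
  # -nodes writes the private key unencrypted, so make every file created
  # below owner-readable only (0600) before it exists.
  umask 077
  openssl pkcs12 -in myssl.pfx -nodes -out server.pem
  openssl rsa -in server.pem -out server.key
  openssl x509 -in server.pem -out server.crt
  # server.pem still holds the unencrypted private key together with the
  # certificate; delete it once server.key and server.crt have been verified.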

 
