On Tue, 7 Jun 2022 at 14:15, Sergey Kandaurov <pluk...@nginx.com> wrote:
> > On 7 Jun 2022, at 13:41, Peter Volkov <peter.vol...@gmail.com> wrote:
> >
> > After we enabled HTTP/2 in nginx some old software started to fail. So
> > we would like to have HTTP v2 enabled in general but disabled for some
> > specific IP:PORT. I've tried two listen directives in server block:
> >
> > listen IP:443 ssl http2;
> > listen IP:1443 ssl;
> >
> > The problem is that on both ports I see: * ALPN: offers h2. Is it
> > possible to disable HTTP v2 for specific IP:PORT?
>
> nginx offers HTTP/2 ALPN on IP:PORT configured to accept HTTP/2
> connections.
> Make sure you do not have the "http2" option on a particular IP:1443 elsewhere,
> as "http2" applies to all virtual servers sharing such IP:PORT.

That was my understanding as well. But take a look at nginx.conf in
attachment - I see nginx announces h2 on both ports 1444 and 1445.

# nginx -V
nginx version: nginx/1.21.6
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib64 --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/lib/nginx/tmp/client --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --with-compat --with-http_v2_module --with-pcre --without-http_grpc_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_zone_module --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_realip_module --add-module=external_module/headers-more-nginx-module-0.33 --add-module=external_module/nginx_upstream_check_module-9aecf15ec379fe98f62355c57b60c0bc83296f04 --add-module=external_module/nginx-push-stream-module-0.5.4 --add-module=external_module/ngx_http_geoip2_module-3.3 --with-http_ssl_module --without-stream_access_module --without-stream_geo_module --without-stream_limit_conn_module --without-stream_map_module --without-stream_return_module --without-stream_split_clients_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --user=nginx --group=nginx
# nginx.conf attached to the message: a minimal reproduction with one TLS
# virtual server listening on two ports, only one of which is marked http2.

# Worker processes run as the unprivileged nginx user/group.
user nginx nginx;
worker_processes auto;
worker_rlimit_nofile 32768;

events {
    worker_connections 16384;
    use epoll;
    multi_accept on;
}

error_log /var/log/nginx/NG_error_log warn;

http {
    # Keeps the nginx version out of the Server header and error pages.
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main
        '$remote_addr - $remote_user [$time_local] '
        '"$request_uri" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio" "$request_time"';
    access_log /var/log/nginx/NG_access.log main;

    # NOTE(review): 10-minute client timeouts are far above nginx's 60s
    # defaults, so slow or idle clients can hold connections for a long time.
    # Confirm the workload really needs this.
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;

    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 16k;
    request_pool_size 4k;

    proxy_buffering on;
    proxy_buffers 256 32k;
    proxy_buffer_size 32k;
    uwsgi_buffering on;
    uwsgi_buffers 256 4k;

    # http://nginx.org/ru/docs/hash.html
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 128;
    variables_hash_max_size 2048;
    variables_hash_bucket_size 128;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 1024;
    gzip_buffers 4 8k;
    gzip_types text/plain text/css application/x-javascript application/javascript application/json application/octet-stream ;

    output_buffers 1 32k;
    postpone_output 1460;

    keepalive_timeout 75 20;
    keepalive_requests 4096;

    ignore_invalid_headers on;

    # NOTE(review): TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and TLSv1.3
    # is not listed. If the "old software" mentioned in the thread is the
    # reason, consider limiting the legacy protocols to the listener that
    # needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # NOTE(review): besides the ECDHE/DHE AEAD suites, this list also admits
    # static-RSA key exchange (no forward secrecy), CBC suites with SHA-1,
    # DSS suites, the broad AES and CAMELLIA aliases, and DES-CBC3-SHA (3DES).
    # Which of these are actually offered depends on the OpenSSL build; check
    # the effective set with "openssl ciphers -v" before relying on it.
    ssl_ciphers
        'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # NOTE(review): relative path, and the parameter size is not visible
    # here. Confirm which file is loaded and that it is at least 2048 bits.
    ssl_dhparam dhparams.pem;

    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 10m;

    index index.html;

    # OCSP stapling with response verification. Verification relies on
    # ssl_trusted_certificate (set in the server block below), and the
    # resolver is used to look up the OCSP responder's hostname.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 172.16.11.20 172.16.11.91 valid=300s ipv6=off;
    resolver_timeout 1s;

    server {
        # The two sockets under test: same address, different ports, and
        # only :1444 carries the "http2" parameter.
        # NOTE(review): edge1_clients_vip1 is a hostname, presumably resolved
        # when the configuration is loaded. Confirm it maps to the intended
        # address.
        listen edge1_clients_vip1:1445 ssl;
        listen edge1_clients_vip1:1444 ssl http2;

        server_name *.proxy.lfstrm.tv proxy.lfstrm.tv;

        ssl_certificate /etc/letsencrypt/live/proxy.lfstrm.tv/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/proxy.lfstrm.tv/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/proxy.lfstrm.tv/chain.pem;

        # Every request gets an empty 200, which keeps the test case minimal.
        location / {
            return 200;
        }
    }
}