Enabling IPv6 on a Tencent Cloud CVM

A complete guide to enabling IPv6 in Nginx, including configuring an SSL certificate.

Prerequisites

IPv6 is already enabled on the server.

Enabling IPv6 in Nginx

Nginx's default configuration already listens on IPv6:

listen [::]:80 default_server;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

After restarting, check the listening ports: nginx is now listening on :::80, i.e. on port 80 over IPv6.

# netstat -ntlp | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      29391/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      29391/nginx: master

Reference: open the IPv6 site by its IPv6 address in a browser to verify that it can be reached.

If access fails, check whether the security group's inbound rules allow IPv6 traffic on port 80.

Test access speed with curl

$ curl http://6.ipw.cn -v
*   Trying 2402:4e00:1013:e500:0:9671:f018:4947...
* TCP_NODELAY set
* Connected to 6.ipw.cn (2402:4e00:1013:e500:0:9671:f018:4947) port 80 (#0)
> GET / HTTP/1.1
> Host: 6.ipw.cn
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 19 Jun 2022 13:22:01 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 38
< Connection: keep-alive
< Access-Control-Allow-Origin: *
<
* Connection #0 to host 6.ipw.cn left intact
2408:824c:200::2b8b:336f:cc9c* Closing connection 0

Enabling IPv6 SSL in Nginx

For IPv4, the directives that listen for HTTP and HTTPS are listen 80; and listen 443 ssl;

For IPv6 they are listen [::]:80; and listen [::]:443 ssl; respectively.

server {
        listen [::]:443 ssl http2;
        listen [::]:80;
        # domain name the certificate is bound to
        server_name 6.ipw.cn;
        # certificate file name
        ssl_certificate ssl/6.ipw.cn_bundle.crt;
        # private key file name
        ssl_certificate_key ssl/6.ipw.cn.key;
        ssl_session_timeout 5m;
        # configure the protocols as follows
        ssl_protocols TLSv1.2 TLSv1.3;
        # configure the cipher suites as follows; the syntax follows the OpenSSL standard
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
}
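Note that the server block above has only [::] listen directives, so that vhost answers over IPv6 but not IPv4. The following shell check, added here as an example and not part of the original post, scans an nginx configuration's listen directives and reports for each port whether it is dual-stack, ipv6-only or ipv4-only; the sample config it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample config (not from the post): port 80 is listened on over
# both address families, port 443 over IPv6 only.
SAMPLE_CONF='server {
        listen [::]:443 ssl http2;
        listen [::]:80;
        listen 80;
        server_name example.invalid;
}'

# listen_parity [FILE...]: read nginx config from FILE(s) or stdin and print
# "<port> <state>" per port, where state is dual-stack, ipv6-only or ipv4-only.
# A listen address in square brackets ([::]:80, [2001:db8::1]:443) counts as
# IPv6; a bare port, *:port or a dotted address counts as IPv4.
listen_parity() {
    awk '
        /^[[:space:]]*listen[[:space:]]/ {
            spec = $2                 # e.g. 80, [::]:80, 0.0.0.0:443, *:8080
            sub(/;$/, "", spec)       # drop a trailing semicolon
            port = spec
            sub(/^.*:/, "", port)     # keep the text after the last colon
            if (spec ~ /^\[.*\]:/) v6[port] = 1
            else                   v4[port] = 1
            seen[port] = 1
        }
        END {
            for (p in seen) {
                if (v4[p] && v6[p]) state = "dual-stack"
                else if (v6[p])     state = "ipv6-only"
                else                state = "ipv4-only"
                printf "%s %s\n", p, state
            }
        }
    ' "$@" | sort -n
}

# port_state CONFIG_TEXT PORT: the state of one port in a config string.
port_state() {
    printf '%s\n' "$1" | listen_parity | awk -v p="$2" '$1 == p { print $2 }'
}

# Run the check on the constructed sample and on /etc/nginx if it exists.
printf '%s\n' "$SAMPLE_CONF" | listen_parity
[ -f /etc/nginx/nginx.conf ] && listen_parity /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf 2>/dev/null
```

Any port reported as ipv6-only is unreachable for IPv4 clients, and ipv4-only ports are what the rest of this post is about fixing.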

After restarting, check the listening ports: nginx is now listening on :::443, i.e. on port 443 over IPv6.

# netstat -ntlp | grep nginx
tcp6       0      0 :::443                  :::*                    LISTEN      29391/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      29391/nginx: master

Test the result.

curl https://6.ipw.cn -v
*   Trying 2402:4e00:1013:e500:0:9671:f018:4947...
* TCP_NODELAY set
* Connected to 6.ipw.cn (2402:4e00:1013:e500:0:9671:f018:4947) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=6.ipw.cn
*  start date: Jun 19 00:00:00 2022 GMT
*  expire date: Jun 19 23:59:59 2023 GMT
*  subjectAltName: host "6.ipw.cn" matched cert's "6.ipw.cn"
*  issuer: C=CN; O=TrustAsia Technologies, Inc.; CN=TrustAsia RSA DV TLS CA G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f90a8811c00)
> GET / HTTP/2
> Host: 6.ipw.cn
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Sun, 19 Jun 2022 13:21:31 GMT
< content-type: text/plain; charset=utf-8
< content-length: 38
< access-control-allow-origin: *
<
* Connection #0 to host 6.ipw.cn left intact
2408:824c:200::2b8b:336f:cc9c* Closing connection 0

The directive following ssl on the listen line is http2, so HTTP/2 can be enabled at the same time as SSL. In the test output above you can see HTTP/2