Configuring QUIC (HTTP/3.0) in Nginx


I heard a while ago that Nginx was going to support HTTP/3.0, but as of today even the latest Nginx release, 1.19.0, shows no sign of it. There are hardly any HTTP/3.0 clients either: only Chrome and Firefox support HTTP/3.0, and both need to be configured before it can be used. Will UDP-based QUIC get throttled by QoS? I have no idea either, so let's test it and get an early taste!

This tutorial is for Debian x64.

1. Run the following commands one at a time. The latest nginx version at the time of writing is nginx-1.19.0.

sudo apt install curl gnupg2 ca-certificates lsb-release
# stable repository
echo "deb http://nginx.org/packages/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
# or the mainline repository (1.19.x is a mainline release; this line overwrites the one above)
echo "deb http://nginx.org/packages/mainline/debian `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -
sudo apt-key fingerprint ABF5BD827BD9BF62
sudo apt update
sudo apt install nginx

2. Download quiche

git clone --recursive https://github.com/cloudflare/quiche

3. Install the dependencies, Go and Rust

apt-get install libevent-dev libexpat1-dev libexpat1 expat openssl cmake make gcc git curl libssl-dev
wget https://studygolang.com/dl/golang/go1.14.4.linux-amd64.tar.gz
# extract the same archive that was just downloaded
tar -C /usr/local -xzf go1.14.4.linux-amd64.tar.gz
mkdir -p /root/go
echo 'export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
export GOPATH=/root/go' >> /etc/profile
source /etc/profile
 
Install Rust:
curl https://sh.rustup.rs -sSf | sh

4. Build and install

tar zxvf nginx-1.19.0.tar.gz
cd nginx-1.19.0
 
Apply the patch. kn007's patch project is at https://github.com/kn007/patch
curl https://raw.githubusercontent.com/kn007/patch/master/nginx_with_quic.patch | patch -p1
 
# Cloudflare's patch
patch -p1 < ../quiche/extras/nginx/nginx-1.16.patch
 
Apply the patch that lets Nginx do OCSP Stapling when it is built against BoringSSL:
curl https://raw.githubusercontent.com/kn007/patch/master/Enable_BoringSSL_OCSP.patch | patch -p1
 
Now start the build. For the configure options, follow the article "Adding TLSv1.3 support to NGINX", but drop the three options "--with-cc-opt", "--with-ld-opt" and "--with-openssl-opt", then add the following parameters:
--build="quiche-$(git --git-dir=../quiche/.git rev-parse --short HEAD)" --with-http_v3_module --with-openssl=../quiche/deps/boringssl --with-quiche=../quiche
 
Run nginx -V to see the configure arguments of the nginx installed earlier. Mine are below:
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=../ngx_brotli --add-module=/root/nginx-geoip2/ngx_http_geoip2_module --build=quiche-4125de9 --with-http_v3_module --with-openssl=../quiche/deps/boringssl --with-quiche=../quiche
 
Turn the line above into the following command:
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=../ngx_brotli --add-module=/root/nginx-geoip2/ngx_http_geoip2_module --build=quiche-4125de9 --with-http_v3_module --with-openssl=../quiche/deps/boringssl --with-quiche=../quiche
 
If no error is reported, continue with the next step:
make
make install
 
If nothing errors out, you are done.
 
Check the version of the freshly built binary; if it shows quiche, the build succeeded.
 
Run nginx -V
 
It should print something like this:
 
nginx version: nginx/1.19.0 (quiche-4125de9)
built by gcc 9.3.0 (Debian 9.3.0-13)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
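As an added example (not part of the original post), the following POSIX shell check confirms that the binary really is a quiche/HTTP/3 build before you touch nginx.conf. The function name check_nginx_build and both sample outputs are my own construction; the "good" sample mirrors the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that an nginx binary
# carries the quiche/HTTP/3 patch. `nginx -V` prints to stderr, hence 2>&1.

# Return 0 when the given `nginx -V` output shows a quiche build tag, the
# HTTP/3 module and BoringSSL; otherwise print what is missing and return 1.
check_nginx_build() {
    output="$1"
    ok=0
    case "$output" in
        *"nginx version: nginx/"*"(quiche-"*) ;;
        *) echo "missing: quiche build tag in the version line"; ok=1 ;;
    esac
    case "$output" in
        *"--with-http_v3_module"*) ;;
        *) echo "missing: --with-http_v3_module in the configure arguments"; ok=1 ;;
    esac
    case "$output" in
        *"BoringSSL"*) ;;
        *) echo "missing: BoringSSL (QUIC needs the BoringSSL bundled with quiche)"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample in the shape of a successful build (as shown in the post).
SAMPLE_GOOD='nginx version: nginx/1.19.0 (quiche-4125de9)
built by gcc 9.3.0 (Debian 9.3.0-13)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --build=quiche-4125de9 --with-http_v3_module --with-openssl=../quiche/deps/boringssl --with-quiche=../quiche'

# Constructed sample of an unpatched package build, for contrast.
SAMPLE_STOCK='nginx version: nginx/1.19.0
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'

# Live check against the installed binary:  ./check_build.sh --live
if [ "$1" = "--live" ]; then
    if check_nginx_build "$(nginx -V 2>&1)"; then
        echo "nginx is a quiche/HTTP/3 build"
    else
        echo "not an HTTP/3 build; redo step 4" >&2
        exit 1
    fi
fi
```

Run it with --live on the server after make install; the three checks map directly onto the three things step 4 adds (the --build tag, --with-http_v3_module, and --with-openssl pointing at quiche's BoringSSL), so a failing line tells you which configure change was lost.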

5. Edit nginx.conf

# Enable QUIC and HTTP/3.
listen 443 quic reuseport;

# Enable HTTP/2 (optional).
listen 443 ssl http2;

# TLS 1.2 and 1.3 (QUIC itself only ever negotiates TLS 1.3)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers [TLS13+AESGCM+AES128|TLS13+CHACHA20]:TLS13+AESGCM+AES256:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA;
ssl_prefer_server_ciphers on;
ssl_early_data on;
ssl_ecdh_curve X25519:P-256:P-384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;

# Enable OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /home/others/ocsp/nange.cn.ocsp.resp;

# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'quic=":443"; ma=2592000; v="46,43",h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000';
 
Below is my configuration for reference (the DNS-over-HTTPS part can be copied as-is):
 
upstream dns-backend {
    server 127.0.0.1:8053;
}
 
server {
    server_name sdns.kbsml.com;
    root /var/www/html/dns;
    access_log /var/log/nginx/dns.access.log;
 
    location /dns-query {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://dns-backend/dns-query;
    }
 
    location / {
        return 404;
    }
 
    listen 443 quic reuseport;
    listen 443 ssl http2; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
 
    add_header alt-svc 'quic=":443"; ma=2592000; v="46,43",h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000';
    ssl_certificate /etc/letsencrypt/live/sdns.kbsml.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sdns.kbsml.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
}

6. Testing QUIC. This article uses Firefox.

Type "about:config" into the address bar, search for "http3", set "network.http.http3.enabled" to "true", and restart the browser.
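The browser flag above tells you whether a client can upgrade; the added example below (not part of the original post) checks the server side of the same handshake. It parses the h3-* versions advertised in the Alt-Svc header and confirms that nginx actually holds a UDP socket on 443, which is the part a TCP-only firewall rule breaks: HTTP/2 keeps working, browsers silently never switch to HTTP/3. Function names and the sample data are my own construction.

```shell
#!/bin/sh
# Added example, not part of the original post: server-side checks for the
# HTTP/3 deployment. QUIC runs over UDP, so nginx must be bound to UDP 443
# and the firewall must allow 443/udp as well as 443/tcp.

# Print the h3-* version tokens advertised in an Alt-Svc header value,
# one per line (the legacy quic="..." token is ignored).
alt_svc_versions() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*\(h3-[A-Za-z0-9]*\)=.*/\1/p'
}

# Return 0 when `ss -ulnp`-style output shows nginx bound to the given UDP
# port, 1 otherwise.
udp_listener_present() {
    port="$1"
    ss_output="$2"
    printf '%s\n' "$ss_output" \
        | grep -E "^UNCONN[[:space:]].*:${port}[[:space:]].*\"nginx\"" >/dev/null
}

# Constructed Alt-Svc value in the shape the nginx.conf above sends.
SAMPLE_ALT_SVC='quic=":443"; ma=2592000; v="46,43",h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000'

# Constructed `ss -ulnp` output: nginx on UDP 443, a DoH backend on 8053.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1234,fd=10))
UNCONN 0      0      127.0.0.1:8053    0.0.0.0:*     users:(("doh-proxy",pid=2222,fd=5))'

# Live check on the server:  ./verify_h3.sh --live sdns.example  (hostname is a placeholder)
if [ "$1" = "--live" ]; then
    host="$2"
    header=$(curl -sI "https://$host/" | grep -i '^alt-svc:' | cut -d' ' -f2-)
    echo "advertised HTTP/3 versions:"
    alt_svc_versions "$header"
    if udp_listener_present 443 "$(ss -ulnp)"; then
        echo "nginx is listening on UDP 443"
    else
        echo "no nginx UDP 443 listener: check 'listen 443 quic reuseport;' and the firewall" >&2
        exit 1
    fi
fi
```

The version list is worth keeping an eye on: the draft identifiers in the Alt-Svc header (h3-27, h3-Q050 and so on) are only useful while a client still speaks that draft, so once a browser drops a draft the header keeps advertising versions nobody will negotiate.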
