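Nginx has supported the QUIC and HTTP/3 protocols since 1.25.0. In addition, since 1.25.0, QUIC and HTTP/3 support is available in the Linux binary packages.
QUIC and HTTP/3 support is experimental.
It is recommended to build nginx with an SSL library that provides QUIC support, such as BoringSSL, LibreSSL, or QuicTLS. Otherwise, the OpenSSL compatibility layer is used, which does not support early data.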
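Install BoringSSL
For Nginx, the corresponding SSL library has to be configured at compile time. Whether it is HTTP/3 or HTTP/2, everything is always based on HTTPS, and the cryptographic algorithms are mainly provided by OpenSSL. BoringSSL is a fork of OpenSSL created by Google, used here to provide the encryption for TLS 1.3 0-RTT data transfer over UDP (you can think of TLS 1.3 as the standard protocol and BoringSSL as the tool that implements it). Some BoringSSL features are synced to OpenSSL when the time is right.
The official documentation recommends three SSL libraries; see https://nginx.org/en/docs/quic.html
I use BoringSSL here.
This walkthrough uses Ubuntu for the demonstration!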
# Clone boringssl
git clone --depth=1 https://github.com/google/boringssl.git
# Install dependencies
sudo apt-get update
sudo apt-get install -y build-essential
sudo apt-get install cmake
sudo add-apt-repository ppa:longsleep/golang-backports
sudo apt-get update
sudo apt-get install golang-go
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install openssl libssl-dev zlib1g-dev
# Build
cd boringssl && mkdir build && cd build && cmake .. && make && cd ../../
Install Nginx
Download nginx; as of 2023-10-09 the latest nginx version is 1.25.2
wget https://nginx.org/download/nginx-1.25.2.tar.gz
tar xf nginx-1.25.2.tar.gz
useradd nginx -s /sbin/nologin -M
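Compile nginx
# Enter the unpacked source tree first; the ../boringssl paths below are relative to it
cd nginx-1.25.2
./configure --prefix=/opt/nginx-1.25.2 \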
--with-debug \
--with-http_v3_module \
--with-http_v2_module \
--with-cc-opt="-I../boringssl/include" --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto"
make && make install
Check the nginx modules
root@abcdocker:/opt/nginx-1.25.2# /opt/nginx-1.25.2/sbin/nginx -V
nginx version: nginx/1.25.2
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.25.2 --with-debug --with-http_v3_module --with-http_v2_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
Configure Nginx
Back up the old configuration file and add a new HTTP/3 configuration file
cd /opt/nginx-1.25.2/conf
mv nginx.conf nginx.conf_old_2023-10-09
Upload the nginx certificate: https://console.cloud.tencent.com/ssl
Add the new configuration file
Write the new configuration into nginx.conf
user nginx;
worker_processes 1;
events {
    worker_connections 65535;
}
http {
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http3"';
    access_log logs/access.log quic;
    server {
        server_name apisix.frps.fun;
        # for better compatibility it's recommended
        # to use the same port for http/3 and https
        listen 443 quic reuseport;
        listen 443 ssl;
        ssl_certificate ssl/apisix.frps.fun.crt;
        ssl_certificate_key ssl/apisix.frps.fun.key;
        ssl_protocols TLSv1.3; # QUIC requires TLS 1.3
        location / {
            # used to advertise the availability of HTTP/3
            add_header Alt-Svc 'h3=":443"; ma=86400';
        }
    }
}
Parameter explanation
- listen 443 quic reuseport; # enable the QUIC protocol
- listen 443 ssl; # enable the HTTP/2 protocol
- ssl_certificate ssl/apisix.frps.fun.crt; # path the certificate was uploaded to
- ssl_certificate_key ssl/apisix.frps.fun.key;
- ssl_protocols TLSv1.3; # QUIC requires TLS 1.3; enable TLS 1.3
- add_header Alt-Svc 'h3=":443"; ma=86400'; # add the QUIC protocol to the header
Check the configuration file
root@abcdocker:/opt/nginx-1.25.2/conf# /opt/nginx-1.25.2/sbin/nginx -t
nginx: the configuration file /opt/nginx-1.25.2/conf/nginx.conf syntax is ok
nginx: configuration file /opt/nginx-1.25.2/conf/nginx.conf test is successful
Start Nginx
root@abcdocker:/opt/nginx-1.25.2/conf# /opt/nginx-1.25.2/sbin/nginx
Check the relevant ports and the service
root@abcdocker:/opt/nginx-1.25.2/conf# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 109949 root 6u IPv4 2590745 0t0 UDP *:https
nginx 109949 root 7u IPv4 2590746 0t0 TCP *:https (LISTEN)
nginx 109950 nginx 3u IPv4 2588208 0t0 TCP abcdocker:https->111.201.214.30:10606 (ESTABLISHED)
nginx 109950 nginx 6u IPv4 2590745 0t0 UDP *:https
nginx 109950 nginx 7u IPv4 2590746 0t0 TCP *:https (LISTEN)
nginx 109950 nginx 11u IPv4 2588209 0t0 TCP abcdocker:https->111.201.214.30:10603 (ESTABLISHED)
root@abcdocker:/opt/nginx-1.25.2/conf# ps -ef|grep nginx
root 109949 1 0 16:05 ? 00:00:00 nginx: master process /opt/nginx-1.25.2/sbin/nginx
nginx 109950 109949 0 16:05 ? 00:00:00 nginx: worker process
root 109955 71970 0 16:07 pts/1 00:00:00 grep --color=auto nginx
Test
The firewall policy for Nginx must allow both the UDP and TCP protocols!
Test URL: https://http3check.net/?host=apisix.frps.fun
The result can also be seen in the Chrome browser.
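To confirm from the server side that clients really negotiate HTTP/3 rather than silently staying on TCP (for example because UDP 443 is blocked), the access log written with the `quic` log_format above can be summarised by its final `$http3` field. This is an added example, not part of the original post; the log lines are constructed samples, and counting an empty or `-` value as a TCP request is an assumption about how the field is logged for non-QUIC connections.

```shell
#!/bin/sh
# Added example: summarise negotiated protocols from an access log written
# with the page's `quic` log_format, whose last quoted field is $http3.

# Constructed sample lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG='192.0.2.10 - - [09/Oct/2023:16:10:01 +0800] "GET / HTTP/1.1" 200 615 "-" "curl/8.4.0" ""
192.0.2.10 - - [09/Oct/2023:16:10:02 +0800] "GET / HTTP/3.0" 200 615 "-" "curl/8.4.0" "h3"
192.0.2.11 - - [09/Oct/2023:16:10:05 +0800] "GET /a.css HTTP/3.0" 200 1024 "https://apisix.frps.fun/" "Mozilla/5.0" "h3"
192.0.2.12 - - [09/Oct/2023:16:10:09 +0800] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0" "-"'

# protocol_counts: read log lines on stdin, print "h3=<n> hq=<n> tcp=<n> bad=<n>".
# Splitting on double quotes makes $(NF-1) the content of the last quoted field.
protocol_counts() {
  awk -F'"' '
    NF < 9 { bad++; next }             # fewer than four quoted fields: not the quic format
    { p = $(NF-1) }
    p == "h3" { h3++; next }
    p == "hq" { hq++; next }
    p == "" || p == "-" { tcp++; next } # assumption: empty or "-" means no QUIC
    { bad++ }
    END { printf "h3=%d hq=%d tcp=%d bad=%d\n", h3, hq, tcp, bad }
  '
}

# clients_without_h3: addresses that sent requests but never one over QUIC.
# A long list here after the Alt-Svc header is live suggests UDP 443 is filtered.
clients_without_h3() {
  awk -F'"' '
    NF < 9 { next }
    { split($1, a, " "); ip = a[1]; seen[ip] = 1 }
    $(NF-1) == "h3" || $(NF-1) == "hq" { quic[ip] = 1 }
    END { for (ip in seen) if (!(ip in quic)) print ip }
  ' | sort
}

# Demo on the constructed sample; for a live server, feed
# /opt/nginx-1.25.2/logs/access.log on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | protocol_counts
printf '%s\n' "$SAMPLE_LOG" | clients_without_h3
```

A client's first request normally arrives over TCP before it learns about HTTP/3 from Alt-Svc, so a few TCP lines per client are expected; the signal is a client that never appears with `h3`.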