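Back when the nginx-quic branch was merged into Nginx mainline, I wrote an article on compiling Nginx with BoringSSL and enabling QUIC or HTTP/3; see "Compiling Nginx with QUIC or HTTP/3 enabled". However, BoringSSL released a breaking update last month that caused the build to fail. Although I eventually solved the problem, in hindsight I felt it would be better to move to QuicTLS, which is more stable and more compatible, so this article describes how to compile Nginx with QuicTLS and enable QUIC or HTTP/3.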
Install dependencies

    apt update
    apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev

    sudo su
    cd /root
    apt update
    apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev

    dnf update
    dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make libunwind-devel hg git wget jemalloc

    dnf update
    dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make hg git wget jemalloc
Build QuicTLS

    wget https://github.com/quictls/openssl/archive/refs/tags/openssl-3.1.5-quic1.tar.gz
    tar -xzf openssl-3.1.5-quic1.tar.gz
    cd openssl-openssl-3.1.5-quic1
    # Static build installed under ./build inside the source tree
    ./config --prefix=$(pwd)/build no-shared
    make
    make install_sw
    cd ..
Install brotli compression

Skip this step if you do not need brotli, and remove --add-module=../ngx_brotli from the configure command when compiling.

    git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
    cd ngx_brotli/deps/brotli
    mkdir out && cd out
    cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
    cmake --build . --config Release --target brotlienc
    cd ../../../..
Build Nginx

    hg clone https://hg.nginx.org/nginx
    cd nginx
    # configure keeps only the last --with-cc-opt / --with-ld-opt it sees,
    # so each is passed once with all of its flags.
    ./auto/configure --user=www-data --group=www-data --prefix=/www/server/nginx \
        --with-pcre --add-module=../ngx_brotli --with-http_v2_module \
        --with-stream --with-stream_ssl_module --with-http_ssl_module \
        --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module \
        --with-http_flv_module --with-http_addition_module --with-http_realip_module \
        --with-http_mp4_module --with-http_dav_module --with-http_v3_module \
        --with-cc-opt="-Wno-error -I../openssl-openssl-3.1.5-quic1/build/include" \
        --with-ld-opt="-Wl,-E -ljemalloc -L../openssl-openssl-3.1.5-quic1/build/lib64"
    make
    make install
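After `make install`, `nginx -V` reports the TLS library and the configure arguments the binary was built with. The script below is an added example, not part of the original post: it checks that output for a QuicTLS build, for the HTTP/3 module, and for a repeated `--with-cc-opt` or `--with-ld-opt` (nginx's configure keeps only the last occurrence, so a flag such as `-ljemalloc` given in an earlier one is dropped). The function names and both sample outputs are constructed for illustration, and the `+quic` version suffix is an assumption about how QuicTLS identifies itself.

```shell
#!/bin/sh
# Added example: post-build checks on the text printed by `nginx -V`.
# On a real host: check_build "$(/www/server/nginx/sbin/nginx -V 2>&1)"

# Value that takes effect for a configure option: the last occurrence wins.
# nginx -V shows values that contain spaces wrapped in single quotes.
effective_opt() {   # $1 = nginx -V text, $2 = option name
    printf '%s\n' "$1" | grep -oE -e "$2=('[^']*'|[^ ]+)" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/^'//" -e "s/'\$//"
}

count_opt() {       # number of times option $2 appears in $1
    printf '%s\n' "$1" | grep -oE -e "$2=" | wc -l | tr -d ' '
}

check_build() {     # $1 = nginx -V text; returns non-zero if any check fails
    cb_rc=0
    # Assumption: QuicTLS reports itself as "OpenSSL <version>+quic".
    printf '%s\n' "$1" | grep -qE '^built with OpenSSL [^ ]+\+quic' ||
        { echo "FAIL: TLS library is not a +quic (QuicTLS) build"; cb_rc=1; }
    printf '%s\n' "$1" | grep -q -e '--with-http_v3_module' ||
        { echo "FAIL: --with-http_v3_module missing"; cb_rc=1; }
    for cb_opt in --with-cc-opt --with-ld-opt; do
        cb_n=$(count_opt "$1" "$cb_opt")
        if [ "$cb_n" -gt 1 ]; then
            echo "FAIL: $cb_opt given $cb_n times, only this took effect:" \
                 "$(effective_opt "$1" "$cb_opt")"
            cb_rc=1
        fi
    done
    return "$cb_rc"
}

# Constructed sample outputs (not captured from a real build).
Q=../openssl-openssl-3.1.5-quic1/build
SAMPLE_REPEATED="built with OpenSSL 3.1.5+quic 30 Jan 2024
configure arguments: --with-http_v3_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-cc-opt=-I$Q/include --with-ld-opt=-L$Q/lib64"
SAMPLE_MERGED="built with OpenSSL 3.1.5+quic 30 Jan 2024
configure arguments: --with-http_v3_module --with-cc-opt='-Wno-error -I$Q/include' --with-ld-opt='-Wl,-E -ljemalloc -L$Q/lib64'"

check_build "$SAMPLE_REPEATED" || echo "repeated-option build rejected"
check_build "$SAMPLE_MERGED" && echo "merged-option build accepted"
```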
Add the www user

On most systems the www-data group and the www-data user exist by default. If they do not, run the following commands to add them.

    groupadd www-data
    useradd -g www-data -s /sbin/nologin www-data
Add process management

I use systemd; if you use a different process manager, adjust this step accordingly.

    vim /usr/lib/systemd/system/nginx.service

Enter the following content:

    [Unit]
    Description=nginx
    After=network.target

    [Service]
    Type=forking
    ExecStart=/www/server/nginx/sbin/nginx
    ExecReload=/www/server/nginx/sbin/nginx -s reload
    ExecStop=/www/server/nginx/sbin/nginx -s quit
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target
Start

Enable at boot
Configuration file

An example configuration file follows. For more features, see the official documentation: https://nginx.org/en/docs/http/ngx_http_v3_module.html

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        http2 on;

        ssl_certificate /path/to/signed_cert_plus_intermediates;
        ssl_certificate_key /path/to/private_key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;

        location / {
            root html;
        }

        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers off;

        add_header Strict-Transport-Security "max-age=63072000" always;

        ssl_stapling on;
        ssl_stapling_verify on;
    }
Once the configuration is in place, reload Nginx for it to take effect.