Back when the Nginx-Quic branch was merged into the Nginx mainline, I wrote an article on compiling Nginx with BoringSSL and enabling QUIC / HTTP/3; see "Compiling Nginx with QUIC / HTTP/3 enabled". But last month BoringSSL published a breaking change that made the build fail. I did get it working again in the end, but on reflection it seemed better to move to QuicTLS, which is more stable and has better compatibility. This article therefore explains how to compile Nginx with QuicTLS and enable QUIC / HTTP/3.

Install dependencies

# Debian 11 or 12
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev
# Ubuntu 22.04 or 20.04
sudo su
cd /root
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev
# CentOS 8 Stream/TencentOS Server 3.1
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make libunwind-devel hg git wget jemalloc
# OpenCloudOS Server 8
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make hg git wget jemalloc

QuicTLS

wget https://github.com/quictls/openssl/archive/refs/tags/openssl-3.1.5-quic1.tar.gz
tar -xzf openssl-3.1.5-quic1.tar.gz
cd openssl-openssl-3.1.5-quic1
./config --prefix=$(pwd)/build no-shared
make
make install_sw
cd ..

Install brotli compression

If you don't need it, skip this step and remove --add-module=../ngx_brotli from the configure command when building.

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd ../../../..

Nginx

hg clone https://hg.nginx.org/nginx
cd nginx
# nginx's configure keeps only the last --with-cc-opt and the last --with-ld-opt it is given,
# so the compiler flags (-Wno-error plus the QuicTLS include path) and the linker flags
# (-Wl,-E, -ljemalloc plus the QuicTLS library path) are each merged into a single option
./auto/configure --user=www-data --group=www-data --prefix=/www/server/nginx --with-pcre --add-module=../ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_dav_module --with-http_v3_module --with-cc-opt="-Wno-error -I../openssl-openssl-3.1.5-quic1/build/include" --with-ld-opt="-Wl,-E -ljemalloc -L../openssl-openssl-3.1.5-quic1/build/lib64"
make
make install

Add the www user

On most systems the www-data user and the www-data group already exist by default; if they do not, run the following commands to add them.

groupadd www-data
useradd -g www-data -s /sbin/nologin www-data

Add process management

I use systemd; if you use a different process manager, adapt the following yourself.

vim /usr/lib/systemd/system/nginx.service

Enter the following content:

[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/www/server/nginx/sbin/nginx
ExecReload=/www/server/nginx/sbin/nginx -s reload
ExecStop=/www/server/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Start

systemctl start nginx

Start on boot

systemctl enable nginx

Configuration file

An example configuration file follows; for more features see the official documentation at https://nginx.org/en/docs/http/ngx_http_v3_module.html

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # QUIC and HTTP/3 (UDP port 443)
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;

    # HTTP/2
    http2 on;

    # Advertise HTTP/3 to clients; without this header browsers never switch from TCP to QUIC
    add_header Alt-Svc 'h3=":443"; ma=86400';

    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    location / {
        root html;
    }

    # modern configuration (HTTP/3 requires TLS 1.3)
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify the chain of trust of the OCSP response using the root CA and intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

}

Once the configuration is done, reload Nginx for it to take effect.

systemctl reload nginx
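To confirm the result, here is an added check script (not part of the original post) with two filters that read command output on stdin: one verifies that `nginx -V` reports the HTTP/3 module and a QuicTLS (+quic) OpenSSL rather than the distro's libssl, the other verifies that `ss -ulnH` shows the port bound over UDP. The sample outputs embedded in the block are constructed for offline testing.

```shell
#!/bin/sh
# Added post-build check; not from the original post.

# check_h3_build: reads the text of `nginx -V` (nginx prints it on stderr) and
# returns 0 only if the HTTP/3 module was compiled in AND the TLS library is a
# QuicTLS build. QuicTLS reports its version as e.g. "OpenSSL 3.1.5+quic"; a
# plain OpenSSL string means the build picked up the system libssl-dev instead
# of the QuicTLS tree passed via --with-cc-opt / --with-ld-opt.
check_h3_build() {
    v=$(cat)
    case "$v" in
        *"--with-http_v3_module"*) ;;
        *) echo "check: --with-http_v3_module missing from configure arguments" >&2; return 1 ;;
    esac
    case "$v" in
        *"built with OpenSSL "*"+quic"*) ;;
        *) echo "check: TLS library is not a QuicTLS (+quic) build" >&2; return 1 ;;
    esac
    return 0
}

# check_quic_listening PORT: reads `ss -ulnH` output and returns 0 if a UDP
# socket is bound to PORT. QUIC runs over UDP, so a TCP-only 443 means the
# `listen 443 quic` directives never took effect (e.g. config not reloaded).
check_quic_listening() {
    grep -Eq ":$1[[:space:]]"
}

# Constructed sample outputs: a correct build, a build that linked the distro
# OpenSSL, and a socket listing with QUIC bound on 443 over IPv4 and IPv6.
SAMPLE_GOOD_V='nginx version: nginx/1.25.4
built with OpenSSL 3.1.5+quic 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/www/server/nginx --with-http_ssl_module --with-http_v3_module'
SAMPLE_BAD_V='nginx version: nginx/1.25.4
built with OpenSSL 3.0.11 19 Sep 2023
configure arguments: --prefix=/www/server/nginx --with-http_v3_module'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1234,fd=9))
UNCONN 0 0 [::]:443 [::]:* users:(("nginx",pid=1234,fd=10))'

# Live usage on the build host:
#   /www/server/nginx/sbin/nginx -V 2>&1 | check_h3_build && ss -ulnH | check_quic_listening 443
```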