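The long-awaited native HTTP/3 support in NGINX has finally entered testing. A new repository, http://hg.nginx.org/nginx-quic/, has been added to nginx's official code repositories. It is the initial version of the official NGINX QUIC and HTTP/3 implementation that everyone has been waiting for, and it includes the http_v3_module module.
It is currently experimental and not suitable for production. It is based on nginx mainline 1.19.x, and there are plans to merge new nginx releases into this branch regularly.
NGINX has also stated that this QUIC + HTTP/3 implementation is entirely new and unrelated to the patch that Cloudflare provides as part of its quiche project.
Here we try it out as early adopters. The build is essentially the same as for the nginx 1.19.x series, except that BoringSSL is added as the crypto library. In theory, any crypto library that supports QUIC and HTTP/3 and that nginx can build against will work. For example, the following branches: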
```bash
# boringssl branch
git clone https://github.com/google/boringssl.git
# tatsuhiro-t branch
git clone --depth 1 --branch master-quic-support https://github.com/akamai/openssl
# akamai branch
git clone --depth 1 --branch master-quic-support https://github.com/akamai/openssl
```
On CentOS, we install it as follows:
```bash
# Install build dependencies and tools (CentOS package names; golang,
# libunwind-devel and jemalloc-devel may require the EPEL repository)
yum install mercurial psmisc net-tools wget curl gcc gcc-c++ make redhat-lsb-core \
    cmake golang libunwind-devel git pcre-devel zlib-devel jemalloc-devel

# The paths below assume /root/src as the working directory
mkdir -p /root/src && cd /root/src

# Download the nginx-quic and boringssl sources.
# Leave TLS certificate verification on (do not pass --insecure) when fetching source.
hg clone -b quic https://hg.nginx.org/nginx-quic
git clone https://boringssl.googlesource.com/boringssl

# Build the boringssl crypto libraries so the nginx build can reference them
cd boringssl
mkdir -p build .openssl/lib .openssl/include
# Create the symlink; adjust the paths to match where you downloaded the sources
ln -sf /root/src/boringssl/include/openssl /root/src/boringssl/.openssl/include/openssl
# Update the timestamp of ssl.h
touch /root/src/boringssl/.openssl/include/openssl/ssl.h
# Generate the build files
cmake -B/root/src/boringssl/build -H/root/src/boringssl
# Compile
make -C /root/src/boringssl/build
# Copy the compiled libraries
cp /root/src/boringssl/build/crypto/libcrypto.a /root/src/boringssl/build/ssl/libssl.a /root/src/boringssl/.openssl/lib

# Add the user and group that nginx runs as
/usr/sbin/groupadd -f www
/usr/sbin/useradd -g www www

cd ..
cd nginx-quic
# Build without debug symbols: comment out the -g flag
sed -i 's@CFLAGS="$CFLAGS -g"@#CFLAGS="$CFLAGS -g"@' auto/cc/gcc

# configure
# Note the references to the crypto library and the nginx modules that are enabled;
# see http://hg.nginx.org/nginx-quic/file/tip/README
# --with-zlib and --add-module expect ../zlib-cf, ../nginx-ct and ../ngx_brotli to
# exist already; this post does not download them.
# nginx keeps only the last --with-ld-opt value, so all linker options go in one flag.
./auto/configure \
    --prefix=/usr/local/nginx \
    --user=www \
    --group=www \
    --with-http_stub_status_module \
    --with-http_v2_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-http_realip_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-pcre \
    --with-pcre-jit \
    --with-zlib=../zlib-cf \
    --add-module=../nginx-ct \
    --add-module=../ngx_brotli \
    --with-cc-opt="-I../boringssl/include" \
    --with-ld-opt="-ljemalloc -L../boringssl/build/ssl -L../boringssl/build/crypto" \
    --with-debug \
    --with-http_v3_module \
    --with-http_quic_module \
    --with-stream_quic_module

# Compile and install
make && make install

# The rest follows the usual post-build nginx setup:
vim /etc/profile
# Append the following at the end of the file
PATH=$PATH:/usr/local/php/bin:/usr/local/nginx/sbin
export PATH
# End of content
source /etc/profile

# Add a system service
vim /lib/systemd/system/nginx.service
```

Enter the following content:

```ini
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPost=/bin/sleep 0.1
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
LimitNOFILE=1000000
LimitNPROC=1000000
LimitCORE=1000000

[Install]
WantedBy=multi-user.target
```

```bash
# Set the unit file permissions (systemd unit files should not be executable)
chmod 644 /lib/systemd/system/nginx.service
# Start nginx at boot
systemctl enable nginx
# Edit the nginx configuration file to suit your own environment
vim /usr/local/nginx/conf/nginx.conf
```

Enter the following content:

```nginx
user www www;
worker_processes auto;
error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 1024m;
    client_body_buffer_size 10m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 120;
    server_tokens off;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    #Gzip Compression
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml
        application/xhtml+xml image/svg+xml text/javascript application/javascript
        application/x-javascript text/x-json application/json
        application/x-web-app-manifest+json text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    ##Brotli Compression
    #brotli on;
    #brotli_comp_level 6;
    #brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    ##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
    #open_file_cache max=1000 inactive=20s;
    #open_file_cache_valid 30s;
    #open_file_cache_min_uses 2;
    #open_file_cache_errors on;

    ######################## default ############################
    server {
        listen 80;
        server_name _;
        access_log /data/wwwlogs/access_nginx.log combined;
        root /data/wwwroot/default;
        index index.html index.htm index.php;
        #error_page 404 /404.html;
        #error_page 502 /502.html;
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
        location ~ [^/]\.php(/|$) {
            #fastcgi_pass remote_php_ip:9000;
            fastcgi_pass unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
            expires 30d;
            access_log off;
        }
        location ~ .*\.(js|css)?$ {
            expires 7d;
            access_log off;
        }
        location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
            deny all;
        }
    }

    ########################## vhost #############################
    include vhost/*.conf;
}
```

```bash
mkdir -p /data/wwwlogs/
mkdir -p /data/wwwroot/default
mkdir -p /usr/local/nginx/conf/vhost
vim /data/wwwlogs/access_nginx.log
service nginx start
service nginx status
```

Configuration example, taking the official configuration as the basis:

```nginx
server {
    # for better compatibility it's recommended
    # to use the same port for quic and https
    # Note: the reuseport parameter may appear only once in the whole nginx
    # configuration; it does not need to be repeated in every vhost, and nginx
    # reports an error if it is.
    listen 443 http3 reuseport;
    listen 443 ssl http2;

    ssl_certificate certs/example.com.crt;
    ssl_certificate_key certs/example.com.key;
    ssl_protocols TLSv1.3;

    location / {
        # required for browsers to direct them into quic port
        add_header Alt-Svc '$http3=":443"; ma=86400';
        # The following is the compatibility form listing HTTP/3 versions
        # add_header Alt-Svc 'h3-29=":443"; ma=2592000,h3-28=":443";ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443";ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443";ma=2592000,h3-Q049=":443";ma=2592000,h3-Q048=":443";ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443";ma=2592000,quic=":443"; ma=2592000; v="46,43"';
    }
}
```
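The listener rules in the sample server block above (a single `reuseport`, `ssl_protocols` that includes TLSv1.3, and an `Alt-Svc` header) can be checked before nginx is reloaded. The script below is an added example, not part of the original post or of nginx; `lint_quic_listen` is a hypothetical helper, both sample configurations are constructed, and the checks apply to the whole file rather than to each server block.

```shell
# Added example (not from the original post): lint nginx configuration text
# for the HTTP/3 listener rules in the sample server block. Assumptions: the
# checks are global rather than per server block, and listeners are keyed by
# the address/port exactly as written after "listen".
lint_quic_listen() {   # hypothetical helper; reads the config on stdin
    # Drop comments (naive: assumes no "#" inside quoted strings), then put
    # one directive per line by turning ";", "{" and "}" into newlines.
    sed 's/#.*//' | tr ';{}' '\n\n\n' | awk '
        { sub(/^[ \t]+/, "") }
        $1 == "listen" {
            quic = reuse = 0
            for (i = 3; i <= NF; i++) {
                # "http3" is the parameter on this page; later nginx
                # releases spell it "quic".
                if ($i == "http3" || $i == "quic") quic = 1
                if ($i == "reuseport") reuse = 1
            }
            if (quic) { nquic++; if (reuse) nreuse[$2]++ }
        }
        $1 == "ssl_protocols" && $0 !~ /TLSv1\.3/ { weak[++nweak] = $0 }
        $1 == "add_header" && tolower($2) == "alt-svc" { altsvc = 1 }
        END {
            if (!nquic) exit 0
            for (a in nreuse) if (nreuse[a] > 1) {
                printf "reuseport set %d times on QUIC listener %s\n", nreuse[a], a
                bad++
            }
            for (i = 1; i <= nweak; i++) {
                print "QUIC needs TLS 1.3 but found: " weak[i]; bad++
            }
            if (!altsvc) { print "QUIC listener but no Alt-Svc header"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample inputs.
GOOD_CONF='server {
    listen 443 http3 reuseport;
    listen 443 ssl http2;
    ssl_protocols TLSv1.3;
    add_header Alt-Svc "h3-29=\":443\"; ma=86400";
}
server { listen 443 http3; listen 443 ssl http2; }'
BAD_CONF='server { listen 443 http3 reuseport; listen 443 ssl; }
server { listen 443 http3 reuseport; ssl_protocols TLSv1.2; }'

# Prints three findings for BAD_CONF; the function exits non-zero on findings.
printf '%s\n' "$BAD_CONF" | lint_quic_listen || echo "config needs fixing"
```

Because the function exits non-zero when it has findings, it can gate a reload alongside `nginx -t`, which validates syntax but does not flag a missing `Alt-Svc` header.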
This completes the installation of nginx with HTTP/3. To test it, we use http3check, as shown in the figure below: