千呼万唤始出来的NGINX适配原生HTTP3终于开始测试了。在nginx的官方git库上新增了一个http://hg.nginx.org/nginx-quic/,就是大家所期待的NGINX的官方QUIC和HTTP/3实现的初始版本,内含http_v3_module模块.
目前为实验性的–不适用于生产.目前基于在nginx主线1.19.x上,同时也在计划合并新的Nginx定期发布到该分支。
#boringssl分支
git clone https://github.com/google/boringssl.git
#tatsuhiro-t 分支
git clone --depth 1 --branch master-quic-support https://github.com/akamai/openssl
#akamai 分支
git clone --depth 1 --branch master-quic-support https://github.com/akamai/opensslNGINX官方也声明了这个QUIC + HTTP/3实现是全新的,与Cloudflare作为其quiche项目的一部分提供的补丁程序无关。
这里我们作为测试,来吃螃蟹。其实本质基本编译方式与nginx1.19.X系列一致,只是增加boringssl作为加密库,其中只要包含quic和http/3的加密库和能够被nginx支持的,理论上都是可以的。比如对应的分支:
我门在CentOS下按照
#按照编译依赖和工具
yum install mercurial psmisc net-tools wget curl build-essential lsb-release cmake golang libunwind-dev git libpcre3-dev zlib1g-dev hg
#下载nginx-quic和boringssl源码
hg clone -b quic https://hg.nginx.org/nginx-quic --insecure
git clone https://boringssl.googlesource.com/boringssl
#编译boringssl的密码库,以备nginx编译引用
cd boringssl
mkdir -p build .openssl/lib .openssl/include
# 建立软链接,注意其中的路径根据你的下载路径的情况进行调整
ln -sf /root/src/boringssl/include/openssl /root/src/boringssl/.openssl/include/openssl
# 生成库文件
touch /root/src/boringssl/.openssl/include/openssl/ssl.h
# 预编译
cmake -B/root/src/boringssl/build -H/root/src/boringssl
# 编译
make -C /root/src/boringssl/build
# 拷贝编译好的库文件
cp /root/src/boringssl/build/crypto/libcrypto.a /root/src/boringssl/build/ssl/libssl.a /root/src/boringssl/.openssl/lib
#增加nginx运行用户和用户组
/usr/sbin/groupadd -f www
/usr/sbin/useradd -g www www
cd ..
cd nginx-quic
#取消 debug 模式进行编译设置
sed -i 's@CFLAGS="$CFLAGS -g"@#CFLAGS="$CFLAGS -g"@' auto/cc/gcc
#configure
#注意需要密码库的引用和nginx模块的启用;详见:http://hg.nginx.org/nginx-quic/file/tip/README
./auto/configure \
--prefix=/usr/local/nginx \
--user=www \
--group=www \
--with-http_stub_status_module \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-http_realip_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-pcre\
--with-pcre-jit \
--with-zlib=../zlib-cf \
--add-module=../nginx-ct \
--add-module=../ngx_brotli \
--with-ld-opt='-ljemalloc' \
--with-cc-opt="-I../boringssl/include" \
--with-ld-opt="-L../boringssl/build/ssl \
-L../boringssl/build/crypto" \
--with-debug --with-http_v3_module \
--with-http_quic_module \
--with-stream_quic_module
#编译安装
make && make install
#其他参照nginx编译后配置如下:
vim /etc/profile
#末尾增加以下内容
PATH=$PATH:/usr/local/php/bin:/usr/local/nginx/sbin
export PATH
#内容结尾
source /etc/profile
#增加系统服务
vim /lib/systemd/system/nginx.service
#输入以下内容
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPost=/bin/sleep 0.1
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
LimitNOFILE=1000000
LimitNPROC=1000000
LimitCORE=1000000
[Install]
WantedBy=multi-user.target
#内容结束
#赋予启动服务权限
chmod +x /lib/systemd/system/nginx.service
#设置开机启动
systemctl enable nginx
#设置nginx配置文件,根据自己实际情况
vim /usr/local/nginx/conf/nginx.conf
#输入以下内容
user www www;
worker_processes auto;
error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 1024m;
client_body_buffer_size 10m;
sendfile on;
tcp_nopush on;
keepalive_timeout 120;
server_tokens off;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
#Gzip Compression
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
text/javascript application/javascript application/x-javascript
text/x-json application/json application/x-web-app-manifest+json
text/css text/plain text/x-component
font/opentype application/x-font-ttf application/vnd.ms-fontobject
image/x-icon;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
##Brotli Compression
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
#open_file_cache max=1000 inactive=20s;
#open_file_cache_valid 30s;
#open_file_cache_min_uses 2;
#open_file_cache_errors on;
######################## default ############################
server {
listen 80;
server_name _;
access_log /data/wwwlogs/access_nginx.log combined;
root /data/wwwroot/default;
index index.html index.htm index.php;
#error_page 404 /404.html;
#error_page 502 /502.html;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location ~ [^/]\.php(/|$) {
#fastcgi_pass remote_php_ip:9000;
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
deny all;
}
}
########################## vhost #############################
include vhost/*.conf;
}
#输入内容结束
mkdir -p /data/wwwlogs/
mkdir -p /data/wwwroot/default
mkdir -p /usr/local/nginx/conf/vhost
vim /data/wwwlogs/access_nginx.log
service nginx start
service nginx status
#配置示例
# 以官方配置为例
server {
# for better compatibility it's recommended
# to use the same port for quic and https
listen 443 http3 reuseport;
#注意reuseport参数只能在整个nginx配置文件中出现一次,不必每个vhost都使用,否则会报错
listen 443 ssl http2;
ssl_certificate certs/example.com.crt;
ssl_certificate_key certs/example.com.key;
ssl_protocols TLSv1.3;
location / {
# required for browsers to direct them into quic port
add_header Alt-Svc '$http3=":443"; ma=86400';
#以下为兼容的http3格式
# add_header Alt-Svc 'h3-29=":443"; ma=2592000,h3-28=":443";ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443";ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443";ma=2592000,h3-Q049=":443";ma=2592000,h3-Q048=":443";ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443";ma=2592000,quic=":443"; ma=2592000; v="46,43"';
}
}至此,我们完成了nginx-http/3的安装。测试我们需要使用http3check进行测试.如下图:
