nginx-quic使用

Ling Yu

Nginx + Quic

编译安装nginx开启http3功能。

环境配置

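# Build/runtime dependencies. cmake, ninja-build, git and curl are used by the
# steps that follow but were missing from the original list; zlib1g-dev is
# needed by the gzip/gunzip/gzip_static modules enabled in ./configure.
apt install build-essential cmake ninja-build git curl \
    libpcre2-dev libpcre3-dev zlib1g-dev libgeoip-dev libgd-dev libperl-dev \
    libxml2-dev libxslt1-dev libgoogle-perftools-dev
# Unprivileged service account for the worker processes (--user=nginx below):
# -r = system account (low UID, no password aging), -M plus a non-existent -d
# = no home directory, nologin = no interactive shell. The master process is
# started by systemd as root and keeps root; only workers switch to this user.
useradd -r -c "nginx user" -d /nonexistent -s /usr/sbin/nologin -M nginx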

LibreSSL 编译

BoringSSL 和 QuicTLS 没有配置成功，换成 LibreSSL 可以。

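# Fetch and build LibreSSL. A mirror is a download location, not a trust
# anchor: verify the tarball against the SHA256 sums / signature published
# by the LibreSSL project before unpacking it.
mkdir -p /opt/app/src && cd /opt/app/src || exit 1
curl -LsSfO https://mirrors.aliyun.com/pub/OpenBSD/LibreSSL/libressl-4.1.0.tar.gz
tar -zxf libressl-4.1.0.tar.gz
# Stand-alone cmake/ninja build (useful as a toolchain check). nginx's
# --with-openssl=DIR below runs its own configure/make inside DIR and links
# the static libraries it produces there, so this build/ tree is presumably
# not what nginx ends up linking — TODO confirm.
cd libressl-4.1.0 && mkdir build && cd build \
    && cmake -GNinja -DCMAKE_BUILD_TYPE=Release .. && ninja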

Nginx插件

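# Third-party nginx modules. Both repositories are public, so clone over
# HTTPS (no SSH key needed on the build host). --depth=1 without --branch
# takes whatever the default branch points at today; for a reproducible and
# reviewable build pin a released tag (--branch <tag>) or check out a known
# commit and record it next to the nginx/LibreSSL versions.
cd /opt/app/src || exit 1
git clone --depth=1 --recurse-submodules -j8 https://github.com/google/ngx_brotli.git
git clone --depth=1 https://github.com/openresty/headers-more-nginx-module.git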

Nginx下载编译

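# nginx publishes a detached PGP signature (<tarball>.asc) for every release;
# verify it against the nginx signing key before building — TLS to nginx.org
# authenticates the download channel, not the archive's contents.
cd /opt/app/src || exit 1
curl -LsSfO https://nginx.org/download/nginx-1.28.0.tar.gz
tar -zxf nginx-1.28.0.tar.gz
cd nginx-1.28.0 || exit 1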

编译http3功能

# nginx ./configure for the HTTP/3 build, written as an option array so that
# single flags can be commented out or reordered without breaking a
# backslash-continued line.
# Hardening (cc/ld opts): stack protector, _FORTIFY_SOURCE=2, format-string
# warnings as errors, full RELRO (-z relro -z now), a PIE executable
# (-fPIC + -pie) and a reproducible __FILE__ prefix.
# --with-openssl points at the LibreSSL source tree; nginx builds and links
# it statically itself. Rarely used modules are built as dynamic modules so
# they can be left unloaded.
configure_opts=(
  --prefix=/opt/app/nginx-quic
  --user=nginx
  --group=nginx
  --with-threads
  --with-file-aio
  --with-http_ssl_module
  --with-http_v2_module
  --with-http_v3_module
  --with-http_realip_module
  --with-http_addition_module
  --with-http_xslt_module=dynamic
  --with-http_image_filter_module=dynamic
  --with-http_geoip_module=dynamic
  --with-http_sub_module
  --with-http_dav_module
  --with-http_flv_module
  --with-http_mp4_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_auth_request_module
  --with-http_random_index_module
  --with-http_secure_link_module
  --with-http_degradation_module
  --with-http_slice_module
  --with-http_stub_status_module
  --with-http_perl_module=dynamic
  --with-mail=dynamic
  --with-mail_ssl_module
  --with-stream=dynamic
  --with-stream_ssl_module
  --with-stream_realip_module
  --with-stream_geoip_module=dynamic
  --with-stream_ssl_preread_module
  --with-google_perftools_module
  --with-compat
  --with-cc-opt='-g -O2 -ffile-prefix-map=/opt/app/src/nginx-1.28.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
  --with-openssl=../libressl-4.1.0
  --with-pcre-jit
  --add-dynamic-module=../ngx_brotli
  --add-dynamic-module=../headers-more-nginx-module
)
./configure "${configure_opts[@]}"

安装

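# Build on all cores, then install under --prefix (/opt/app/nginx-quic).
# "make install" writes into the prefix, so run it as root (or via sudo).
make -j"$(nproc)" && make install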

Nginx Quic配置

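# Plain-HTTP listener: its only job is to redirect every request to HTTPS.
server {
    listen 80;
    listen [::]:80;   # the HTTPS block below listens on IPv6 too
    server_name *.science4ai.com;
    # $host is the name the client actually asked for. The original
    # "https://${server_name}$1" expands $server_name to the literal wildcard
    # "*.science4ai.com" in this block and produces an unusable Location.
    # $request_uri keeps path and query string intact.
    return 301 https://$host$request_uri;
}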
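# TLS + QUIC listener for the blog host.
server {
    # HTTP/3 runs over UDP: the host firewall must accept UDP/443 in addition
    # to TCP/443 (TLS 1.2/1.3 with HTTP/1.1 and HTTP/2).
    # "reuseport" may be given only once per address:port in the whole
    # configuration; repeating it in another server block for the same
    # address:port is rejected by nginx as a duplicate listen option.
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blog.science4ai.com;

    # Enables HTTP/2 on the TCP listeners. It is not a prerequisite for
    # HTTP/3 (QUIC is enabled by the "quic" listen option above); it is kept
    # so TCP clients negotiate h2 rather than HTTP/1.1.
    http2 on;

    # Tell clients that arrived over TCP that HTTP/3 is available on UDP/443.
    # "h3" is the registered ALPN id; the legacy Google-QUIC "quic" token the
    # original also advertised is not used by current browsers and is dropped.
    add_header Alt-Svc 'h3=":443"; ma=86400';
    # The site is HTTPS-only (port 80 redirects), so tell browsers to stop
    # trying plain HTTP for a year. No includeSubDomains/preload: this config
    # says nothing about the other *.science4ai.com hosts being HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # NOTE: add_header is not inherited by a location that defines its own
    # add_header; none of the locations in this block does.

    quic_gso on;
    # Retry = QUIC address validation: blunts UDP amplification from spoofed
    # source addresses at the cost of one extra round trip per new connection.
    quic_retry on;
    # Kept disabled on purpose: TLS 1.3 0-RTT data is replayable, so only
    # enable it once every non-idempotent endpoint rejects early data
    # (e.g. by checking $ssl_early_data).
    #ssl_early_data on;
    #ssl_stapling on;
    # There is no proxy_pass in this block; these only take effect if one is
    # added later.
    proxy_buffering off;
    proxy_request_buffering off;

    ssl_certificate /etc/letsencrypt/live/science4ai.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/science4ai.com/privkey.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1.3 is required for QUIC.
    # ssl_ciphers governs TLS 1.2 only; the TLS 1.3 suites are fixed by the
    # library. The AEAD ECDHE suites are listed first, but the trailing "HIGH"
    # also admits CBC suites and static-RSA key exchange (no forward secrecy)
    # for old clients — drop HIGH, or add !kRSA, if such clients are not
    # needed.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
    }
    error_page 404 /404.html;
    location = /404.html {
        internal;   # only reachable via error_page, never by direct request
    }
}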

Systemd service

# Unit file installed as /etc/systemd/system/nginx.service (see the commands
# that follow it). Paths match --prefix=/opt/app/nginx-quic from ./configure.
#
# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
 
[Service]
# nginx daemonizes (daemon on); systemd tracks the master via the PID file.
Type=forking
# Default pid path under the prefix (logs/nginx.pid). NOTE(review): systemd
# only trusts a PID file from a directory unprivileged users cannot write to,
# so keep logs/ root-owned even though workers run as "nginx" — confirm on
# the target systemd version.
PIDFile=/opt/app/nginx-quic/logs/nginx.pid
# Syntax-check the configuration first so a broken edit never replaces a
# working instance (the same check gates reloads through `nginx -s reload`).
ExecStartPre=/opt/app/nginx-quic/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/opt/app/nginx-quic/sbin/nginx -g 'daemon on; master_process on;'
# Graceful reload: re-read config, start new workers, retire the old ones.
ExecReload=/opt/app/nginx-quic/sbin/nginx -g 'daemon on; master_process on;' -s reload
# Leading "-": a failing stop command does not mark the unit as failed;
# the SIGTERM/SIGKILL fallback described above still applies.
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /opt/app/nginx-quic/logs/nginx.pid
TimeoutStopSec=5
KillMode=mixed
# NOTE(review): no sandboxing directives (PrivateTmp=, ProtectSystem=, ...)
# are set; consider adding them after testing — the master still needs root
# to bind :443 and to switch workers to the nginx user.
 
[Install]
WantedBy=multi-user.target
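# Install the unit, then reload systemd and start nginx.
# The original text ran "systemd daemon-reload" / "systemd start": the
# management CLI is systemctl — "systemd" is the PID 1 binary and does not
# accept these subcommands.
vim /etc/systemd/system/nginx.service
systemctl daemon-reload
systemctl enable --now nginx    # start now and on every boot
systemctl status --no-pager nginx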