使用 QuicTLS 编译 Nginx 并开启 Quic 或 HTTP/3
原创使用 QuicTLS 编译 Nginx 并开启 Quic 或 HTTP/3
原创
Im小泽
发布于 2024-04-02 10:58:19
发布于 2024-04-02 10:58:19
之前在 Nginx-Quic 分支被合并到了 Nginx 主线的时候写过一篇使用 BoringSSL 编译 Nginx 并开启 Quic 或 HTTP/3 的文章,详见 Nginx 编译开启 Quic 或 HTTP/3。但是由于 BoringSSL 上个月发布了一个破坏性的更新导致编译出错,虽然最后解决了问题但回头想想觉得还是可以转向更稳定、兼容性更好的 QuicTLS,所以本文将为您介绍如何使用 QuicTLS 编译 Nginx 并开启 Quic 或 HTTP/3。
安装依赖
# Debian 11或12
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev
# Ubuntu 22.04或20.04
sudo su
cd /root
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev
# CentOS 8 Stream/TencentOS Server 3.1
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make libunwind-devel hg git wget jemalloc
# OpenCloudOS Server 8
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make hg git wget jemalloc编译 QuicTLS
wget https://github.com/quictls/openssl/archive/refs/tags/openssl-3.1.5-quic1.tar.gz
tar -xzf openssl-3.1.5-quic1.tar.gz
cd openssl-openssl-3.1.5-quic1
./config --prefix=$(pwd)/build no-shared
make
make install_sw
cd ..安装 brotli 压缩
不需要请跳过,并在编译时删除--add-module=../ngx_brotli
git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
cd ngx_brotli/deps/brotli
mkdir out && cd out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd ../../../..编译 Nginx
hg clone https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt="-I../openssl-openssl-3.1.5-quic1/build/include" --with-ld-opt="-L../openssl-openssl-3.1.5-quic1/build/lib64"
make
make install添加 www 用户
groupadd www
useradd -g www -s /sbin/nologin www添加进程管理
本人使用的是 systemd,如果你使用的是其他进程管理,请自行修改vim /usr/lib/systemd/system/nginx.service输入如下内容:
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
ExecStart=/www/server/nginx/sbin/nginx
ExecReload=/www/server/nginx/sbin/nginx -s reload
ExecStop=/www/server/nginx/sbin/nginx -s quit
PrivateTmp=true
[Install]
WantedBy=multi-user.target启动
systemctl start nginx开机自启
systemctl enable nginx配置文件
示例配置文件如下,更多特性请参考官方文档:https://nginx.org/en/docs/http/ngx_http_v3_module.html
server {
listen 443 ssl;
listen [::]:443 ssl;
# 用于支持Quic或HTTP/3
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
# 用以支持HTTP/2
http2 on;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
location / {
root html;
}
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
}配置完成后,重载 Nginx 即可生效
systemctl reload nginx原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读