Enabling HTTP/3 in nginx

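I was reading Cloudflare's blog today and was surprised to see that Cloudflare has already started enabling HTTP/3 and has even contributed the corresponding patch, so let's follow the tutorial and enable it too.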

https://blog.cloudflare.com/experiment-with-http-3-using-nginx-and-quiche/

First, download nginx 1.16.1 and Cloudflare's quiche; this much is in the official documentation.
The actual build, however, also needs cmake > 3.0,
the Go runtime,
and Rust.

# Download nginx
wget http://nginx.org/download/nginx-1.16.1.tar.gz
# Download quiche
git clone --recursive https://github.com/cloudflare/quiche
# Download Go
wget https://dl.google.com/go/go1.13.linux-amd64.tar.gz
# Download cmake
wget https://github.com/Kitware/CMake/releases/download/v3.15.4/cmake-3.15.4.tar.gz
# Build and install cmake
tar zxf cmake-3.15.4.tar.gz && cd cmake-3.15.4 && ./bootstrap && make && make install
ln -s /usr/local/bin/cmake /usr/bin/cmake
# Unpack Go
tar -C /usr/local -xzf go1.13.linux-amd64.tar.gz
# Install Rust
curl https://sh.rustup.rs -sSf | sh

# Set the environment variables; these can also be written to your profile
export PATH=$PATH:/usr/local/go/bin
export PATH=$PATH:$HOME/.cargo/bin
export GOROOT=/usr/local/go
export GOBIN=$GOROOT/bin
export PATH=$PATH:$GOBIN

Now for the actual build and install:

tar zxvf nginx-1.16.1.tar.gz
cd nginx-1.16.1
patch -p01 < ../quiche/extras/nginx/nginx-1.16.patch
./configure --prefix=/opt/server/nginx --with-pcre --with-stream --with-http_ssl_module --user=timo --with-http_mp4_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --with-http_v2_module --with-http_v3_module --with-openssl=../quiche/deps/boringssl --with-quiche=../quiche
make
sudo make install

You may hit errors like the following during the build.
For example, this one:

make -f objs/Makefile
make[1]: 进入目录“/home/timo/nginx-1.16.1”
mkdir -p ../quiche/deps/boringssl/build ../quiche/deps/boringssl/.openssl/lib ../quiche/deps/boringssl/.openssl/include/openssl \
&& cd ../quiche/deps/boringssl/build \
&& cmake -DCMAKE_C_FLAGS="" -DCMAKE_CXX_FLAGS="" .. \
&& make VERBOSE=1 \
&& cd .. \
&& cp -r include/openssl/*.h .openssl/include/openssl \
&& cp build/ssl/libssl.a build/crypto/libcrypto.a .openssl/lib
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
CMake 3.0 or higher is required. You are running version 2.8.12.2


-- Configuring incomplete, errors occurred!
make[1]: *** [../quiche/deps/boringssl/.openssl/include/openssl/ssl.h] 错误 1
make[1]: 离开目录“/home/timo/nginx-1.16.1”
make: *** [build] 错误 2

Just run the following:

[timo@centos7 nginx-1.16.1]# touch ../quiche/deps/boringssl/.openssl/include/openssl/ssl.h

Or this one:

--   No package 'libunwind-generic' found
libunwind not found. Disabling unwind tests.
CMake Error at CMakeLists.txt:51 (message):
Could not find Go

The message tells you a runtime is missing; Go is probably not installed properly.

Or this one:

make -f objs/Makefile
make[1]: 进入目录“/home/timo/nginx-1.16.1”
cd ../quiche && cargo build --release --no-default-features
/bin/sh: cargo: 未找到命令
make[1]: *** [../quiche/target/release/libquiche.a] 错误 127
make[1]: 离开目录“/home/timo/nginx-1.16.1”
make: *** [build] 错误 2

This one means Rust is not installed properly.
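
Each of the three failures above traces back to one prerequisite: cmake older than 3.0, Go not found, or cargo not on PATH. The preflight check below is an added example, not part of the original post; the function names are hypothetical, and it relies only on `command -v` and the output of `cmake --version`.

```sh
#!/bin/sh
# Added example: check the build prerequisites before running ./configure and make.

# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# cmake_version TEXT: extract the version from `cmake --version` output.
cmake_version() {
    printf '%s\n' "$1" | sed -n 's/^cmake version \([0-9][0-9.]*\).*/\1/p'
}

# missing_tools NAME...: print each named tool that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# preflight: report every problem found; return non-zero if there was one.
preflight() {
    rc=0
    for tool in $(missing_tools cmake go cargo); do
        echo "missing: $tool (not on PATH; check the export lines)" >&2
        rc=1
    done
    if command -v cmake >/dev/null 2>&1; then
        v=$(cmake_version "$(cmake --version)")
        if ! version_ge "$v" 3.0; then
            echo "cmake $v is too old: the BoringSSL build needs 3.0 or higher" >&2
            rc=1
        fi
    fi
    return $rc
}
```

Source the file and run `preflight || exit 1` in the same shell that will run `make`, so that it sees the same PATH.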

Finally, update the nginx configuration accordingly:

# Enable QUIC and HTTP/3.
listen 443 quic reuseport;

# Enable HTTP/2 (optional).
listen 443 ssl http2;

# QUIC only supports TLS 1.3 (the older versions listed here apply to TCP connections only)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

add_header alt-svc 'h3-23=":443"; ma=86400';

Then, on a Mac, you can send requests with a curl build that supports HTTP/3:

brew install --HEAD -s https://raw.githubusercontent.com/cloudflare/homebrew-cloudflare/master/curl.rb
./curl -I https://blog.timoq.com/ --http3

On Linux, refer to:
https://github.com/curl/curl/blob/master/docs/HTTP3.md

git clone --recursive https://github.com/cloudflare/quiche

cd quiche/deps/boringssl
mkdir build
cd build
cmake -DCMAKE_POSITION_INDEPENDENT_CODE=on ..
make
cd ..
mkdir -p .openssl/lib
cp build/crypto/libcrypto.a build/ssl/libssl.a .openssl/lib
ln -s $PWD/include .openssl

cd ../..
QUICHE_BSSL_PATH=$PWD/deps/boringssl cargo build --release --features pkg-config-meta

cd ..
git clone https://github.com/curl/curl
cd curl
./buildconf
./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-ssl=$PWD/../quiche/deps/boringssl/.openssl --with-quiche=$PWD/../quiche/target/release
make

Run it and see:

# ./curl -I --http3 https://blog.timoq.com
HTTP/3 200
server: nginx/1.16.1
date: Wed, 23 Oct 2019 14:31:40 GMT
content-type: text/html
content-length: 78273
vary: Accept-Encoding
etag: "5db0624a-131c1"
strict-transport-security: max-age=15552000
x-frame-options: deny
x-content-type-options: nosniff
alt-svc: h3-23=":443"; ma=86400
accept-ranges: bytes


# Or send the request to Cloudflare instead
# ./curl -I --http3 https://blog.cloudflare.com
HTTP/3 200
date: Wed, 23 Oct 2019 14:32:58 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=df2829c6d9106e2d9a762674e026f1c4d1571841178; expires=Thu, 22-Oct-20 14:32:58 GMT; path=/; domain=.blog.cloudflare.com; HttpOnly; Secure
x-powered-by: Express
cache-control: public, max-age=60
vary: Accept-Encoding
cf-cache-status: HIT
age: 7
expires: Wed, 23 Oct 2019 14:33:58 GMT
alt-svc: h3-23=":443"; ma=86400
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 52a46c67da00d9a0-SIN
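
Both responses above carry `alt-svc: h3-23=":443"; ma=86400`, the header that tells a client it may reach the same origin over the h3-23 draft on UDP port 443 for the next 86400 seconds. The following is an added example, not part of the original post, that reads a saved `curl -I` response and reports the negotiated protocol and every advertised alternative; the function names are hypothetical and the sample is constructed from the output shown above.

```sh
#!/bin/sh
# Added example: report what a saved `curl -I` response says about HTTP/3.

# negotiated_protocol HEADERS: print the protocol from the status line, e.g. HTTP/3.
negotiated_protocol() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^\(HTTP\/[0-9.]*\) .*/\1/p'
}

# alt_svc_entries HEADERS: print "protocol authority max-age" per alternative.
# A missing ma falls back to 86400 seconds, the RFC 7838 default.
# Assumes no comma or semicolon inside the quoted authority.
alt_svc_entries() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^alt-svc:/ {
            sub(/^[^:]*:[ \t]*/, "")
            n = split($0, alts, "[ \t]*,[ \t]*")
            for (i = 1; i <= n; i++) {
                m = split(alts[i], parts, "[ \t]*;[ \t]*")
                eq = index(parts[1], "=")
                if (eq == 0) continue   # "clear" carries no alternative
                proto = substr(parts[1], 1, eq - 1)
                auth = substr(parts[1], eq + 1)
                gsub(/"/, "", auth)
                ma = 86400
                for (j = 2; j <= m; j++)
                    if (parts[j] ~ /^ma=/) ma = substr(parts[j], 4)
                print proto, auth, ma
            }
        }'
}

# advertises_h3 HEADERS: succeed when any alternative is h3 or an h3 draft.
advertises_h3() {
    alt_svc_entries "$1" | grep -q '^h3'
}

# Constructed sample, shortened from the response shown above.
SAMPLE='HTTP/3 200
server: nginx/1.16.1
alt-svc: h3-23=":443"; ma=86400'
```

For the sample, `alt_svc_entries "$SAMPLE"` prints `h3-23 :443 86400`; a response with no Alt-Svc header, or with `alt-svc: clear`, prints nothing and `advertises_h3` fails.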