{"id":1119,"date":"2023-07-28T11:06:15","date_gmt":"2023-07-28T03:06:15","guid":{"rendered":"https:\/\/www.sulabs.net\/?p=1119"},"modified":"2023-07-28T12:45:14","modified_gmt":"2023-07-28T04:45:14","slug":"nginx-http3-0-quic-%e7%bc%96%e8%af%91%e5%8f%8a%e9%85%8d%e7%bd%ae%e6%8c%87%e5%8d%97","status":"publish","type":"post","link":"https:\/\/www.sulabs.net\/?p=1119","title":{"rendered":"Nginx HTTP3.0\/QUIC Build and Configuration Guide"},"content":{"rendered":"<p>The latest mainline release of the Nginx web server, 1.25.0, adds official support for the HTTP 3.0\/QUIC protocol. With its new handshake and UDP-based transport, it can greatly improve site access speed, especially for long-distance, cross-border transfers. Because there is still little configuration material to refer to, this article briefly explains how to build and configure it.<br \/>\n<!--more-->1. Environment requirements<br \/>\nOperating system: RHEL\/CentOS\/Rocky 7\/8\/9 or Ubuntu 20.02\/22.02 LTS all work.<br \/>\nSSL support: QUIC needs a newer SSL library; any one of BoringSSL, LibreSSL, QuicTLS or OpenSSL 1.1.1 (supported from Nginx 1.25.1) will do.<br \/>\nTested versions: CentOS 7.9 2207, Nginx 1.25.1, OpenSSL 1.1.1u and LibreSSL 3.7.2<br \/>\nClients: browsers released after Chrome 83 \/ Firefox 88 provide HTTP3 support by default.<\/p>\n<p>2. 
Installation<br \/>\nUse yum to install the packages needed for the build (CentOS7 minimal environment; the openssl development package is optional)<\/p>\n<pre class=\"brush: bash; gutter: true\">yum install -y wget gcc make pcre-devel zlib-devel openssl-devel<\/pre>\n<p>The OpenSSL 1.0.2K bundled with CentOS7 is too old, so two setups are given below, using OpenSSL 1.1.1t or LibreSSL 3.7.2. When building a recent Nginx, the SSL library can either be compiled statically into the binary as an add-on or be loaded dynamically as a DSO. Many programs now depend on an SSL library, and managing the resulting version fragmentation is a thorny problem, so choose according to your situation; static compilation is recommended.<\/p>\n<p>Installation method 1: compile the SSL library statically into nginx as an add-on (recommended)<br \/>\n# Download and extract OpenSSL 1.1.1t or LibreSSL 3.7.2<\/p>\n<pre class=\"brush: bash; gutter: true\">wget https:\/\/www.openssl.org\/source\/old\/1.1.1\/openssl-1.1.1t.tar.gz\r\ntar zxf openssl-1.1.1t.tar.gz\r\n# or\r\nwget https:\/\/ftp.openbsd.org\/pub\/OpenBSD\/LibreSSL\/libressl-3.7.2.tar.gz\r\ntar zxf libressl-3.7.2.tar.gz<\/pre>\n<p># Download and extract nginx, point configure at the SSL library source path, then build and install.<\/p>\n<pre class=\"brush: bash; gutter: true\">wget http:\/\/nginx.org\/download\/nginx-1.25.1.tar.gz\r\ntar zxf nginx-1.25.1.tar.gz\r\ncd nginx-1.25.1\/\r\n.\/configure --prefix=\/usr\/local\/nginx \\\r\n--with-http_v2_module \\\r\n--with-http_v3_module \\\r\n--with-http_stub_status_module 
\\\r\n--with-http_ssl_module \\\r\n--with-http_sub_module \\\r\n--with-http_realip_module \\\r\n--with-openssl=..\/openssl-1.1.1t\r\nmake -j 4 &amp;&amp; make install<\/pre>\n<p># Installs to \/usr\/local\/nginx; adjust any other options as needed. The --with-http_v3_module option enables HTTP3 support. If you use libressl 3.7.2, change the path to --with-openssl=..\/libressl-3.7.2<\/p>\n<p>Installation method 2: install the SSL library separately and pass the ld-opt and cc-opt options to Nginx so the build uses it.<br \/>\n# Download, extract, build and install OpenSSL 1.1.1t or LibreSSL 3.7.2 under \/usr\/local\/<\/p>\n<pre class=\"brush: bash; gutter: true\">wget https:\/\/www.openssl.org\/source\/old\/1.1.1\/openssl-1.1.1t.tar.gz\r\ntar zxf openssl-1.1.1t.tar.gz\r\ncd openssl-1.1.1t\r\n.\/config --prefix=\/usr\/local\/openssl\r\nmake -j 4 &amp;&amp; make install\r\n# or\r\nwget https:\/\/ftp.openbsd.org\/pub\/OpenBSD\/LibreSSL\/libressl-3.7.2.tar.gz\r\ntar zxf libressl-3.7.2.tar.gz\r\ncd libressl-3.7.2\/\r\n.\/configure --prefix=\/usr\/local\/libressl\r\nmake -j 4 &amp;&amp; make install<\/pre>\n<p># Download and extract nginx, set the SSL header and shared-library paths in the configure options, then build and install.<\/p>\n<pre class=\"brush: bash; gutter: true\">wget http:\/\/nginx.org\/download\/nginx-1.25.1.tar.gz\r\ntar zxf nginx-1.25.1.tar.gz\r\ncd nginx-1.25.1\/\r\n.\/configure --prefix=\/usr\/local\/nginx \\\r\n--with-http_v2_module \\\r\n--with-http_v3_module \\\r\n--with-http_stub_status_module \\\r\n--with-http_ssl_module \\\r\n--with-http_sub_module \\\r\n--with-http_realip_module \\\r\n--with-cc-opt=&quot;-I\/usr\/local\/openssl\/include&quot; \\\r\n--with-ld-opt=&quot;-L\/usr\/local\/openssl\/lib&quot;\r\nmake -j 4 &amp;&amp; make 
install<\/pre>\n<p># Installs to \/usr\/local\/nginx; adjust any other options as needed. The with-http_v3_module option enables HTTP3, and with-cc-opt\/ld-opt set the SSL library header and shared-library paths. If you use the libressl library, change them to the following paths.<br \/>\n--with-cc-opt=\"-I\/usr\/local\/libressl\/include\" \\<br \/>\n--with-ld-opt=\"-L\/usr\/local\/libressl\/lib\"<\/p>\n<p># Configure the SSL library search path<br \/>\nThe SSL library you built is installed under \/usr\/local\/***\/lib, so that path must be added to the system LD search path; otherwise Nginx cannot find libssl.so. If you use libressl, replace openssl in the path accordingly.<\/p>\n<pre class=\"brush: bash; gutter: true\">echo &quot;\/usr\/local\/openssl\/lib&quot; &gt;&gt; \/etc\/ld.so.conf\r\nldconfig\r\nldconfig -p | grep openssl<\/pre>\n<p># Check the version information, and be sure to confirm the SSL library version it reports<\/p>\n<pre class=\"brush: bash; gutter: true\">\/usr\/local\/nginx\/sbin\/nginx -V\r\n\r\nnginx version: nginx\r\nbuilt by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)\r\nbuilt with OpenSSL 1.1.1t 7 Feb 2023\r\nTLS SNI support enabled\r\nconfigure arguments: --prefix=\/usr\/local\/nginx --with-http_v2_module --with-http_v3_module<\/pre>\n<p>3. 
Configuration<br \/>\nThe following configuration file can serve as a reference for an Nginx site (virtual host); the key parts are commented.<\/p>\n<pre class=\"brush: text; gutter: true\">server {\r\n    # IPv4 listeners: enable http on 80, http1\/2 on 443 and http3 on 443 together\r\n    listen         80;\r\n    listen         443 ssl;\r\n    listen         443 quic reuseport;\r\n\r\n    # IPv6 listeners\r\n    listen         [::]:80;\r\n    listen         [::]:443 ssl;\r\n    listen         [::]:443 quic reuseport;\r\n\r\n    # HTTP2 and HTTP3 switches, HTTP3 protocol negotiation (supported since 1.25.1)\r\n    http2 on;\r\n    http3 on;\r\n    http3_hq on;\r\n\r\n    # Site hostnames and document root\r\n    server_name    sulabs.net www.sulabs.net;\r\n    root           \/data\/www\/sulabs;\r\n\r\n    # Site SSL certificate\r\n    ssl_certificate        \/usr\/local\/nginx\/conf\/vhosts\/site_ssl.pem;\r\n    ssl_certificate_key    \/usr\/local\/nginx\/conf\/vhosts\/site_ssl.key;\r\n\r\n    # Enabled SSL protocols (HTTP3\/QUIC requires TLS 1.3)\r\n    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them\r\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\r\n\r\n    # Add the Alt-Svc HTTP header used for HTTP3 negotiation (note: 443 is the port)\r\n    add_header Alt-Svc &#039;h3=&quot;:443&quot;; ma=86400&#039;;\r\n\r\n    # Add an X-protocol HTTP header for testing and verifying HTTP3\r\n    add_header X-protocol $server_protocol always;\r\n\r\n    # Use 0-RTT for fast connections\r\n    # Early data can be replayed; use $ssl_early_data so non-idempotent requests can be rejected\r\n    ssl_early_data on;\r\n    ssl_session_tickets on;\r\n\r\n    location \/ { # other configuration omitted...\r\n    }\r\n}<\/pre>\n<p>Verification: open the browser's F12 developer tools, right-click the status bar and tick Protocol, and you can see that HTTP3 is enabled.<a 
href=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1122 size-full alignnone\" src=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3.png\" alt=\"\" width=\"1601\" height=\"888\" srcset=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3.png 1601w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3-300x166.png 300w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3-1024x568.png 1024w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3-768x426.png 768w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3-1536x852.png 1536w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3-1200x666.png 1200w\" sizes=\"auto, (max-width: 1601px) 100vw, 1601px\" \/><\/a>In the headers shown for the request, you can see the added Alt-Svc and X-Protocol headers.<a href=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2.png\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1123 alignnone\" src=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2.png\" alt=\"\" width=\"1103\" height=\"714\" srcset=\"https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2.png 1103w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2-300x194.png 300w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2-1024x663.png 1024w, https:\/\/www.sulabs.net\/wp-content\/uploads\/2023\/07\/http3_2-768x497.png 768w\" sizes=\"auto, (max-width: 1103px) 100vw, 1103px\" \/><\/a><\/p>\n<p>4. 
Troubleshooting<br \/>\n(1) The port configured and used for HTTP3 must be opened in the firewall for both TCP and UDP.<br \/>\n(2) The quic reuseport option (port reuse) does not currently support multiple sites; from the second site onward, remove the reuseport parameter.<br \/>\n(3) The third-party HTTP3 checking site https:\/\/http3check.net\/ can help with troubleshooting.<\/p>\n<p>This is an original article and took effort to write; please credit the source when reposting.<br \/>\nReferences:<br \/>\nhttps:\/\/nginx.org\/en\/docs\/http\/ngx_http_v3_module.html<br \/>\nhttps:\/\/nginx.org\/en\/docs\/quic.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The latest mainline release of the Nginx web server, 1.25.0, provides HT &hellip;<\/p>\n<p class=\"read-more\"><a href=\"https:\/\/www.sulabs.net\/?p=1119\">Continue reading 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"aside","meta":{"footnotes":""},"categories":[5,1],"tags":[125,119,126],"class_list":["post-1119","post","type-post","status-publish","format-aside","hentry","category-lamp","category-other","tag-http3","tag-nginx","tag-quic","post_format-post-format-aside"],"_links":{"self":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/1119","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1119"}],"version-history":[{"count":9,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/1119\/revisions"}],"predecessor-version":[{"id":1125,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=\/wp\/v2\/posts\/1119\/revisions\/1125"}],"wp:attachment":[{"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1119"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1119"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sulabs.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1119"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}