之前在 Nginx-Quic 分支被合并到了 Nginx 主线的时候写过一篇使用 BoringSSL 编译 Nginx 并开启 Quic 或 HTTP/3 的文章,详见 Nginx 编译开启 Quic 或 HTTP/3 。但是由于 BoringSSL 上个月发布了一个破坏性的更新导致编译出错,虽然最后解决了问题但回头想想觉得还是可以转向更稳定、兼容性更好的 QuicTLS,所以本文将为您介绍如何使用 QuicTLS 编译 Nginx 并开启 Quic 或 HTTP/3。
安装依赖 1 2 3 4 5 6 7 8 9 10 11 12 13 14 apt update apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev sudo su cd /rootapt update apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config libjemalloc-dev dnf update dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make libunwind-devel hg git wget jemalloc dnf update dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make hg git wget jemalloc
编译 QuicTLS 1 2 3 4 5 6 7 wget https://github.com/quictls/openssl/archive/refs/tags/openssl-3.1.5-quic1.tar.gz tar -xzf openssl-3.1.5-quic1.tar.gz cd openssl-openssl-3.1.5-quic1./config --prefix=$(pwd )/build no-shared make make install_sw cd ..
安装 brotli 压缩 不需要请跳过,并在编译时删除–add-module=../ngx_brotli
1 2 3 4 5 6 git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli cd ngx_brotli/deps/brotlimkdir out && cd outcmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed .. cmake --build . --config Release --target brotlienc cd ../../../..
编译 Nginx 1 2 3 4 5 hg clone https://hg.nginx.org/nginx cd nginx./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt="-I../openssl-openssl-3.1.5-quic1/build/include" --with-ld-opt="-L../openssl-openssl-3.1.5-quic1/build/lib64" make make install
添加 www 用户 1 2 groupadd www useradd -g www -s /sbin/nologin www
添加进程管理 本人使用的是 systemd,如果你使用的是其他进程管理,请自行修改
1 vim /usr/lib/systemd/system/nginx.service
输入如下内容:
1 2 3 4 5 6 7 8 9 10 11 12 13 [Unit] Description=nginx After=network.target [Service] Type=forking ExecStart=/www/server/nginx/sbin/nginx ExecReload=/www/server/nginx/sbin/nginx -s reload ExecStop=/www/server/nginx/sbin/nginx -s quit PrivateTmp=true [Install] WantedBy=multi-user.target
启动 开机自启 配置文件 示例配置文件如下,更多特性请参考官方文档:https://nginx.org/en/docs/http/ngx_http_v3_module.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 server { listen 443 ssl; listen [::]:443 ssl; listen 443 quic reuseport; listen [::]:443 quic reuseport; http2 on ; ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d ; ssl_session_cache shared:MozSSL:10m ; ssl_session_tickets off ; location / { root html; } ssl_protocols TLSv1.3 ; ssl_prefer_server_ciphers off ; add_header Strict-Transport-Security "max-age=63072000" always; ssl_stapling on ; ssl_stapling_verify on ; }
配置完成后,重载 Nginx 即可生效