Building nginx with QUIC/HTTP3 support using QuicTLS

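What is QuicTLS

QuicTLS is a fork of OpenSSL that adds QUIC support. It is developed by Akamai and Microsoft.

It tracks upstream OpenSSL, and its only change to OpenSSL is the added QUIC support. It suits people who do not want to use BoringSSL but still want to try QUIC.

Its API is used by Microsoft's MsQuic and Google's Chromium QUIC.

Download the modules

Download the dependency modules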

hg clone -b quic https://hg.nginx.org/nginx-quic
git clone https://github.com/quictls/openssl quictls
git clone https://github.com/vision5/ngx_devel_kit
git clone https://github.com/openresty/luajit2
git clone https://github.com/google/ngx_brotli
git clone https://github.com/openresty/headers-more-nginx-module
git clone https://github.com/cloudflare/zlib
git clone https://github.com/openresty/lua-nginx-module
git clone https://github.com/openresty/lua-resty-core
git clone https://github.com/openresty/lua-resty-lrucache
wget https://sourceforge.net/projects/pcre/files/pcre/8.45/pcre-8.45.tar.gz
tar zxvf pcre-8.45.tar.gz

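Pre-configuration

# Build and install LuaJIT, then point the nginx build at it
cd luajit2
make install PREFIX=/usr/local/luajit
export LUAJIT_LIB=/usr/local/luajit/lib
export LUAJIT_INC=/usr/local/luajit/include/luajit-2.1
ln -s /usr/local/luajit/lib/libluajit-5.1.so.2 /usr/lib64/libluajit-5.1.so.2
# Reset the zlib tree so nginx can configure it itself
cd ../zlib
make -f Makefile.in distclean
# Fetch the brotli sources that ngx_brotli pulls in as a submodule
cd ../ngx_brotli
git submodule update --init --recursive
cd ..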

Apply kn007's patches

Add HTTP2 HPACK Encoding Support.

Add Dynamic TLS Record Support.

Use the OpenSSL library instead of the Nginx original function.

cd nginx-quic
curl https://raw.githubusercontent.com/kn007/patch/master/nginx.patch | patch -p1
curl https://raw.githubusercontent.com/kn007/patch/master/use_openssl_md5_sha1.patch | patch -p1
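
The two commands above pipe whatever the master branch serves at that moment straight into patch. One way to pin and verify a patch before it touches the source tree, as an added example that is not part of the original post or of kn007's repository; the function names are hypothetical, and <COMMIT> and <SHA256_OF_REVIEWED_PATCH> are placeholders for values you record after reviewing the patch:

```bash
#!/usr/bin/env bash
# Added example: check a downloaded patch against a pinned SHA-256 before applying.
# Function names are hypothetical helpers, not part of nginx or kn007's repository.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest of FILE equals EXPECTED.
verify_sha256() {
    local actual
    actual=$(sha256_of "$1")
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got $actual" >&2
        return 1
    fi
}

# apply_verified_patch FILE EXPECTED TREE: leave TREE untouched unless the
# digest matches and a dry run shows that every hunk applies.
apply_verified_patch() {
    verify_sha256 "$1" "$2" || return 1
    patch -d "$3" -p1 --dry-run < "$1" >/dev/null || return 3
    patch -d "$3" -p1 < "$1"
}

# fetch_and_apply URL EXPECTED TREE: download to a temp file over HTTPS only,
# then verify and apply; nothing is piped from the network into patch.
fetch_and_apply() {
    local tmp rc
    tmp=$(mktemp) || return 2
    rc=0
    curl --fail --silent --show-error --proto '=https' -o "$tmp" "$1" || rc=4
    if [ "$rc" -eq 0 ]; then
        apply_verified_patch "$tmp" "$2" "$3" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage with placeholders (pin the URL to a commit whose patch you have reviewed):
# fetch_and_apply "https://raw.githubusercontent.com/kn007/patch/<COMMIT>/nginx.patch" \
#     "<SHA256_OF_REVIEWED_PATCH>" nginx-quic
```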

Build and test

Full configure parameters

./auto/configure --user=www --group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_quic_module \
--add-module=../src/ngx_brotli \
--add-module=../src/headers-more-nginx-module \
--add-module=../src/ngx_devel_kit \
--add-module=../src/lua-nginx-module \
--with-zlib=../src/zlib \
--with-pcre=../src/pcre-8.45 \
--with-openssl=../src/quictls \
--with-openssl-opt='zlib -march=native -ljemalloc -Wl,-flto' \
--with-cc-opt='-I../src/quictls/build/include' \
--with-ld-opt='-ljemalloc -L../src/quictls/build/lib'

Add to the configuration file

listen 443 http3 reuseport;
listen [::]:443 http3 reuseport;
...
add_header Alt-Svc 'h3=":443"; ma=86400';

Testing

Online test site: https://www.http3check.net