How to turn on HTTP3.0 support in Nginx

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces how to turn on HTTP3.0 support in Nginx. In practice many people run into the problems described here, so follow along with the editor to learn how to deal with them. I hope you read it carefully and get something out of it!

Choice of scheme

For HTTP3.0, since the whole protocol is still at the draft stage and there is no finished standard, the major browser vendors only support it in developer builds such as Chrome Canary (the canary channel of Chrome), and server vendors are following along. For Nginx there are two options for HTTP3.0 support:

Nginx branch based on Cloudflare: for HTTP3.0/QUIC, Cloudflare has always been at the forefront. Using its self-maintained open source project quic [2], Cloudflare pulled a branch of Nginx and developed and compiled an Nginx server that supports HTTP3.0.

Official Nginx nginx-quic project: on June 10th this year the official Nginx blog [3] announced ongoing work to support the HTTP3.0/QUIC protocol; the project is currently maintained as nginx-quic [4]. It has nothing to do with the Cloudflare-based branch and is, relatively speaking, the orthodox option.

Based on this, this article will deploy nginx-quic to make Nginx support HTTP3.0/QUIC.

Transformation process

Our ultimate goal is to obtain the nginx executable built from nginx-quic, which takes a series of installation and compilation steps during which you may hit many problems. If you don't want to do it yourself, you can use my compiled version, nginx-quic.linux-x86_64.zip, portal [5].

Preparatory work:

Take CentOS 7 as an example. Download the nginx-quic source, portal [6]. After the download completes it must be compiled and installed. Since nginx-quic depends on BoringSSL, you also need to download the BoringSSL source, portal [7], and compile and install it as well. Before doing so, install some prerequisite packages on Linux via yum with the following command:

sudo yum install build-essential mercurial psmisc lsb-release cmake golang libunwind-dev git libpcre3-dev zlib1g-dev
# note: build-essential, libunwind-dev, libpcre3-dev and zlib1g-dev are Debian/Ubuntu package names;
# the yum equivalents on CentOS 7 are gcc, gcc-c++, make, libunwind-devel, pcre-devel and zlib-devel

What is boringSSL:

For Nginx, an SSL library has to be configured at compile time. Whether HTTP3.0 or HTTP2.0, everything rides on HTTPS, and the cryptography is usually provided by OpenSSL. BoringSSL is an OpenSSL fork created by Google; nginx-quic uses it because it provides the TLS 1.3 functionality that QUIC needs over UDP, including 0-RTT data transmission (think of TLS 1.3 as the standard protocol and BoringSSL as one implementation of it). Some BoringSSL features are synchronized back into OpenSSL when the time is right.

Compile and install boringSSL:

cd boringssl-master/
mkdir build
cd build
cmake ../
make

After this runs, the corresponding libraries are produced under build/crypto and build/ssl, as shown below:

Note that compiling boringSSL requires cmake 3 or later.

Compile and install nginx-quic:

cd nginx-quic/
./auto/configure --prefix=/root/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-cc-opt="-I../boringssl-master/include" --with-ld-opt="-L../boringssl-master/build/ssl -L../boringssl-master/build/crypto"
make
make install

After executing these commands, the nginx executable is generated in the /root/nginx directory, as shown below:

The configuration file lives under conf/ and the nginx command under sbin/.

Modify the configuration file and start nginx:

vi /root/nginx/conf/nginx.conf

Add the http3 configuration:

server {
    listen 443 ssl http2;       # TCP listener for HTTP/2
    listen 443 http3 reuseport; # UDP listener for QUIC+HTTP/3
    ssl_protocols TLSv1.3;      # QUIC requires TLS 1.3
    ssl_certificate     ssl/www.example.com.crt;
    ssl_certificate_key ssl/www.example.com.key;
    # Advertise that QUIC/HTTP3 is available on UDP 443
    add_header Alt-Svc 'quic=":443"; h3-27=":443"; h3-25=":443"; h3-Q050=":443"; h3-Q049=":443"; h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"';
}

TLSv1.3 is mandatory here; when a browser does not support http3 it falls back to http2 on the TCP listener. The add_header Alt-Svc response header is also indispensable.
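To catch the mistakes this section warns about (no TLSv1.3, a missing Alt-Svc header) together with the reuseport-only-once rule from the pitfall summary below, here is a small lint added for this article; it is not code from the article or from nginx-quic, and check_h3_conf and the two sample configs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the article or nginx-quic: lint an nginx.conf for the
# HTTP/3 requirements above. check_h3_conf and the sample configs are constructed.
# Count config lines (comments already stripped) matching a grep pattern; never fails.
cnt() { printf '%s\n' "$body" | grep -c "$@" || true; }
# check_h3_conf [file]: reads stdin when no file is given; prints each finding and
# returns 0 only when every hard requirement is met.
check_h3_conf() {
    body=$(sed 's/#.*$//' "$@")                                # drop comments first
    h3=$(cnt 'listen[[:space:]].*http3')                       # UDP/QUIC listeners
    rp=$(cnt 'listen[[:space:]].*http3.*reuseport')            # must be exactly one
    tls=$(cnt 'ssl_protocols[[:space:]].*TLSv1\.3')            # QUIC needs TLS 1.3
    alt=$(cnt -i 'add_header[[:space:]]*Alt-Svc')              # how clients learn of h3
    old=$(cnt -E 'ssl_protocols[[:space:]].*TLSv1(\.1)?([[:space:];]|$)')
    rc=0
    [ "$h3" -ge 1 ] || { echo "FAIL: no 'listen ... http3' directive"; rc=1; }
    [ "$rp" -eq 1 ] || { echo "FAIL: reuseport must be on exactly one http3 listener, found $rp"; rc=1; }
    [ "$tls" -ge 1 ] || { echo "FAIL: ssl_protocols must include TLSv1.3"; rc=1; }
    [ "$alt" -ge 1 ] || { echo "FAIL: no Alt-Svc header, browsers will never switch to h3"; rc=1; }
    [ "$old" -eq 0 ] || echo "WARN: TLSv1/TLSv1.1 enabled; deprecated by RFC 8996"
    return $rc
}
# Constructed sample: correct layout, reuseport only on the default server.
GOOD_CONF=$(cat <<'EOF'
server {
    listen 443 ssl http2;
    listen 443 http3 reuseport;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Alt-Svc 'h3-27=":443"; h3-25=":443"';
}
server {
    listen 443 ssl http2;
    listen 443 http3;
    add_header Alt-Svc 'h3-27=":443"';
}
EOF
)
# Constructed sample: reuseport twice, legacy TLS, Alt-Svc only in a comment.
BAD_CONF=$(cat <<'EOF'
server {
    listen 443 http3 reuseport;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    # add_header Alt-Svc 'h3-27=":443"';
}
server { listen 443 http3 reuseport; }
EOF
)
printf '%s\n' "$GOOD_CONF" | check_h3_conf && echo "good config: OK"
printf '%s\n' "$BAD_CONF"  | check_h3_conf || echo "bad config: rejected"
```

Run it against the real file with check_h3_conf /root/nginx/conf/nginx.conf before nginx -t, since nginx itself will not complain about a missing Alt-Svc header.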

Alt-Svc stands for "Alternative-Service", literally "alternative services". The header carries a list of alternative ways to reach the current site, letting the server tell the client: "look, I provide the same service with this protocol on this port of this host." It is generally used to stay backward compatible while offering support for emerging protocols such as QUIC. Refer to MDN [8].

Verify that HTTP3 is working:

Because browsers currently have limited support for HTTP3.0/QUIC, you can use http3check.net/ [9] to verify whether the site has enabled HTTP3 successfully. Taking my site as an example:

Pitfall summary

The whole process looks simple, but the real configuration ran into many pitfalls; including the time spent searching for answers, it took a day and a half to solve everything. These problems are recorded here and shared with you.

Open UDP port 443:

Since QUIC uses UDP port 443, and CentOS 7 closes it by default, open it with the following command:

firewall-cmd --zone=public --add-port=443/udp --permanent
firewall-cmd --reload   # --permanent rules only take effect after a reload

If the project is hosted on Aliyun, you also need to update the ECS security group policy to open the corresponding protocol and port, as shown below:

The TLS version is backward compatible:

Because TLS 1.3 is in use, the corresponding cipher suites change, and such a high version is not supported by some browsers, notably Apple's Safari. So when writing the nginx configuration file, configure several backward-compatible versions, as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients genuinely need them

-Werror error:

When compiling nginx-quic, you sometimes encounter the following error:

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/os/unix/ngx_linux_sendfile_chain.o \
    src/os/unix/ngx_linux_sendfile_chain.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_openssl.o \
    src/event/ngx_event_openssl.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_openssl_stapling.o \
    src/event/ngx_event_openssl_stapling.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_quic.o \
    src/event/ngx_event_quic.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_quic_transport.o \
    src/event/ngx_event_quic_transport.c
src/event/ngx_event_quic_transport.c: In function 'ngx_quic_create_stream':
src/event/ngx_event_quic_transport.c:54:9: error: comparison is always true due to limited range of data type [-Werror=type-limits]
    : ((uint32_t) value) type)
    ^
cc1: all warnings being treated as errors
make[1]: *** [objs/src/event/ngx_event_quic_transport.o] Error 1
make[1]: Leaving directory `/root/nginx-quic'
make: *** [build] Error 2
[root@iz2zehmi1ztqtx8tg6ca7gz nginx-quic]#

The solution is:

cd nginx-quic/objs
vi Makefile

Find the line CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include and remove the -Werror parameter.

Reuseport only needs to be configured once:

If several domain names need http3, configure reuseport only on the root domain's server block. If reuseport appears more than once in one configuration file, nginx reports an error. The configuration is as follows:

server {
    listen 443 ssl http2;       # TCP listener for HTTP/2
    listen 443 http3 reuseport; # UDP listener for QUIC+HTTP/3
    server_name www.nihaoshijie.com.cn default_server;
}

server {
    listen 443 ssl http2; # TCP listener for HTTP/2
    listen 443 http3;     # UDP listener for QUIC+HTTP/3
    server_name app.nihaoshijie.com.cn;
}

Performance issues during compilation and installation:

If compilation or installation fails with an error like the following, the host is probably short on memory; close some running programs and try again.

... internal compiler error: Killed (program cc1plus)

That is the content of "how to turn on HTTP3.0 support in Nginx". Thanks for reading. If you want to know more about the industry, follow the website; the editor will keep producing high-quality practical articles for you!
