How to enable HTTP 3.0/QUIC support in Nginx

2025-01-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/01 Report--

The editor shares with you how to enable HTTP 3.0/QUIC support in Nginx. Most people do not know much about it yet, so this article is shared for your reference; I hope you learn a lot from reading it. Let's get started!

Support for HTTP3.0 / QUIC in Nginx

HTTP 3.0 is also known as HTTP over QUIC. Its core is the QUIC (pronounced "quick") protocol, a new protocol that evolved from SPDY v3 and was proposed by Google in 2015. Traditional HTTP runs over the transport-layer TCP protocol, while QUIC runs over the transport-layer UDP protocol, so HTTP 3.0 can be described as a secure and reliable HTTP 2.0 carried over UDP. Its main characteristics are:

The picture is from the official blog of Nginx

Reduce the time spent on the TCP three-way handshake and the TLS handshake by running over UDP

Solve the head-of-line blocking problem that multiplexing suffers when packets are lost

Optimize retransmission strategy

Flow control

Connection migration

This article focuses on how to turn on HTTP3.0 support in Nginx.

Choice of scheme

For HTTP3.0, since the entire protocol is still in the draft stage and there is no complete standard, major browser vendors only support it in developer builds, such as Chrome Canary, the canary version of Chrome, and server vendors are also following up continuously. For Nginx, there are two options for supporting HTTP3.0:

The Cloudflare-based Nginx branch: on HTTP3.0/QUIC, Cloudflare has always been at the forefront. With the help of its self-maintained open source project quic [2], it pulled a branch of Nginx to develop and compile an Nginx server that supports HTTP3.0.

The official nginx-quic project: on June 10 this year, the official Nginx blog [3] announced that work on supporting the HTTP3.0/QUIC protocol has been under way, and the project is currently maintained in nginx-quic [4]. This project has nothing to do with the Cloudflare-based branch, so it is the more orthodox option.

Based on this, this article will deploy nginx-quic to make Nginx support HTTP3.0/QUIC.

Transformation process

Our ultimate goal is to obtain the nginx executable built from nginx-quic, which requires a series of installation and compilation steps during which many problems may be encountered. If you do not want to go through them yourself, you can directly use my compiled nginx-quic.linux-x86_64.zip, portal [5].

Preparatory work:

Take CentOS 7 as an example. Download the nginx-quic source, portal [6]. After the download completes, it has to be compiled and installed. Since nginx-quic depends on BoringSSL, you also need to download the BoringSSL source, portal [7], and compile and install BoringSSL as well. Before performing these operations, install some prerequisite packages on Linux through yum by executing the following command:

sudo yum install build-essential mercurial psmisc lsb-release cmake golang libunwind-dev git libpcre3-dev zlib1g-dev

What is BoringSSL:

For Nginx, an SSL library has to be configured at compile time: HTTP3.0 and HTTP2.0 are both always served over HTTPS, and the cryptographic algorithms are mainly provided by OpenSSL. BoringSSL is an OpenSSL fork created by Google. It provides the cryptography needed to support TLS 1.3 0-RTT data transmission over QUIC's UDP transport (TLS 1.3 is the standard protocol; BoringSSL is an implementation of it), and some BoringSSL features are synchronized into OpenSSL when the time is right.

Compile and install BoringSSL:

cd boringssl-master/
mkdir build
cd build
cmake ..
make

After execution, the corresponding library files can be found under build/crypto and build/ssl, as shown below:

Note that compiling BoringSSL requires cmake 3 or later.

Compile and install nginx-quic:

cd nginx-quic/
./auto/configure --prefix=/root/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-cc-opt="-I../boringssl-master/include" --with-ld-opt="-L../boringssl-master/build/ssl -L../boringssl-master/build/crypto"
make
make install

After executing these commands, the nginx executable is generated in the /root/nginx directory, as shown below:

The configuration file is under conf/ and the nginx command is under the sbin/ directory.

Modify the configuration file to start nginx:

vi /root/nginx/conf/nginx.conf

Add http3 configuration:

server {
    listen 443 ssl http2;        # TCP listener for HTTP/2
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
    ssl_protocols TLSv1.3;       # QUIC requires TLS 1.3
    ssl_certificate     ssl/www.example.com.crt;
    ssl_certificate_key ssl/www.example.com.key;
    add_header Alt-Svc 'quic=":443"; h3-27=":443"; h3-25=":443"; h3-Q050=":443"; h3-Q049=":443"; h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"';  # Advertise that QUIC is available
}

TLSv1.3 is required here; when a browser does not support HTTP/3, it can fall back to HTTP/2. In addition, the add_header Alt-Svc line is indispensable.

Alt-Svc stands for "Alternative Service", literally "alternative services". The header carries a list of alternative ways to reach the current site, so the server can tell the client, "look, I provide the same service with this protocol on this port of this host." It is generally used to remain backward compatible while adding support for emerging protocols such as QUIC. Refer to MDN [8].

Verify that the HTTP3 is valid:

Since browsers currently have limited support for HTTP3.0/QUIC, you can use http3check.net [9] to verify whether the site has enabled HTTP3 successfully. Take my site as an example:

Pitfall summary

The whole process looks simple, but the actual configuration ran into many pitfalls; including the time spent searching for solutions, it took a day and a half to really get it working. The problems are recorded here and shared with you.

Open UDP port 443:

Since the QUIC protocol uses UDP port 443, and this port is closed by default on CentOS 7, open it with the following command:

firewall-cmd --zone=public --add-port=443/udp --permanent

If the project is hosted on Aliyun, you also need to update the ECS security group policy to open the corresponding protocol and port, as shown below:

TLS version backward compatibility:

Because TLS 1.3 is used, the corresponding cipher suites change, and such a new version is not supported by some browsers, especially Apple's Safari. Therefore, when writing the nginx configuration file, you need to configure several backward-compatible versions, as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

-Werror error problem:

When compiling nginx-quic, you sometimes encounter the following errors:

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/os/unix/ngx_linux_sendfile_chain.o \
    src/os/unix/ngx_linux_sendfile_chain.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_openssl.o \
    src/event/ngx_event_openssl.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_openssl_stapling.o \
    src/event/ngx_event_openssl_stapling.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_quic.o \
    src/event/ngx_event_quic.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
    -o objs/src/event/ngx_event_quic_transport.o \
    src/event/ngx_event_quic_transport.c
src/event/ngx_event_quic_transport.c: In function 'ngx_quic_create_stream':
src/event/ngx_event_quic_transport.c:54:9: error: comparison is always true due to limited range of data type [-Werror=type-limits]
         ((uint32_t) value)
         ^
cc1: all warnings being treated as errors
make[1]: *** [objs/src/event/ngx_event_quic_transport.o] Error 1
make[1]: Leaving directory `/root/nginx-quic'
make: *** [build] Error 2
[root@iz2zehmi1ztqtx8tg6ca7gz nginx-quic]#

The solution is:

cd nginx-quic/objs
vi Makefile

Find the line CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I../boringssl-master/include and remove the -Werror flag.

reuseport only needs to be configured once:

If multiple domain names need HTTP/3 enabled, it is recommended to configure reuseport only in the root domain's server block. If reuseport appears more than once in a configuration file, an error is reported. The configuration is as follows:

server {
    listen 443 ssl http2;        # TCP listener for HTTP/2
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
    server_name www.nihaoshijie.com.cn default_server;
}

server {
    listen 443 ssl http2;        # TCP listener for HTTP/2
    listen 443 http3;            # UDP listener for QUIC+HTTP/3
    server_name app.nihaoshijie.com.cn;
}
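As an added example (not part of the original article or of nginx-quic), the following Python lint checks a configuration snippet for the pitfalls discussed above: a single reuseport on the http3 listeners, TLSv1.3 present in ssl_protocols, and an Alt-Svc header that advertises h3 on a port an http3 listener actually uses. It also flags the deprecated TLSv1/TLSv1.1 versions that the backward-compatibility section enables. The snippet and hostnames are constructed for the demo.

```python
import re

# Constructed nginx snippet modelled on the article's two server blocks (not
# the article's own file): one http3 listener carries reuseport, one does not.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    listen 443 http3 reuseport;
    server_name www.example.com default_server;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    add_header Alt-Svc 'h3-27=":443"; h3-Q050=":443"';
}
server {
    listen 443 ssl http2;
    listen 443 http3;
    server_name app.example.com;
}
"""

# One Alt-Svc alternative: protocol-id="[host]:port" (parameters such as ma= ignored)
ALT_SVC_RE = re.compile(r'([A-Za-z0-9\-]+)="([^"]*)"')


def lint_http3_conf(conf):
    """Return a list of finding strings for the HTTP/3-related pitfalls."""
    findings = []
    # (port, trailing options) for every 'listen <port> http3 ...;' directive
    http3_listens = re.findall(r'listen\s+(\d+)\s+http3([^;]*);', conf)
    reuseport_count = sum('reuseport' in opts for _, opts in http3_listens)
    if http3_listens and reuseport_count != 1:
        findings.append(f"reuseport appears {reuseport_count} times on http3 "
                        "listeners; nginx-quic expects exactly one")
    protos = re.search(r'ssl_protocols\s+([^;]+);', conf)
    proto_set = set(protos.group(1).split()) if protos else set()
    if 'TLSv1.3' not in proto_set:
        findings.append("ssl_protocols lacks TLSv1.3, which QUIC requires")
    legacy = proto_set & {'TLSv1', 'TLSv1.1'}
    if legacy:
        findings.append(f"ssl_protocols enables deprecated versions: {sorted(legacy)}")
    alt = re.search(r"add_header\s+Alt-Svc\s+'([^']*)'", conf)
    if not alt:
        findings.append("no Alt-Svc header: clients never learn HTTP/3 is offered")
    else:
        udp_ports = {port for port, _ in http3_listens}
        for proto, authority in ALT_SVC_RE.findall(alt.group(1)):
            port = authority.rsplit(':', 1)[-1]
            if proto.startswith('h3') and port not in udp_ports:
                findings.append(f"Alt-Svc advertises {proto} on port {port} "
                                "but no http3 listener uses that port")
    return findings


if __name__ == '__main__':
    for finding in lint_http3_conf(SAMPLE_CONF):
        print('-', finding)
```

On the sample snippet the only finding is the deprecated TLS versions; removing the second reuseport, or advertising a port with no http3 listener, produces the corresponding findings.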

Resource problems during compilation and installation:

If compilation reports an error like the following, the host is probably short of memory; close some running programs and retry.

... Internal compiler error: Killed (program cc1plus)

© 2024 shulou.com SLNews company. All rights reserved.