Nginx 编译开启 Quic 或 HTTP/3

随着最近 Nginx-Quic 分支被合并到了 Nginx 主线，Nginx 1.25.0 版本官方二进制包已经支持 Quic/HTTP3，感兴趣的朋友可以前往 https://nginx.org/en/download.html 或 https://nginx.org/en/linux_packages.html 下载安装，体验一下 Quic/HTTP3 的魅力，本文将主要为您介绍如何通过编译的方式开启 Quic/HTTP3。

安装依赖

# Debian 11或12
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config
# Ubuntu 22.04或20.04
sudo su
cd /root
apt update
apt install build-essential ca-certificates zlib1g-dev libpcre3 libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial libunwind-dev pkg-config
# CentOS 8 Stream/TencentOS Server 3.1
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make libunwind-devel hg git wget
# OpenCloudOS Server 8
dnf update
dnf install gcc gcc-c++ pcre-devel openssl-devel zlib-devel cmake make hg git wget

安装Go

下载并解压

1 2	wget https://dl.google.com/go/go1.20.4.linux-amd64.tar.gz rm -rf /usr/local/go && tar -C /usr/local -xzf go1.20.4.linux-amd64.tar.gz

添加环境变量

1	export PATH=$PATH:/usr/local/go/bin

具体可参考https://go.dev/doc/install

验证是否安装成功

1	go version

考虑国内用户访问官方较慢，故设置代理

1	export GOPROXY=https://mirrors.cloud.tencent.com/go/

编译 boringssl

Debian/Ubuntu

git clone --depth=1 https://github.com/google/boringssl.git
cd boringssl
mkdir build
cd build
cmake -GNinja ..
ninja
cd ../..

CentOS 8 Stream/TencentOS Server 3.1/OpenCloudOS Server 8

git clone --depth=1 https://github.com/google/boringssl.git
cd boringssl
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release .. 
make
cd ../..

安装 brotli 压缩

不需要请跳过，并在编译时删除–add-module=/root/ngx_brotli

git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
git submodule update --init
cd ..

编译安装quic

注意：
本人是直接在 /root 目录下编译的，如果你在其他目录下，请自行修改路径；
如果你不需要 brotli 压缩，请删除–add-module=/root/ngx_brotli
本人将 Nginx 安装在 /www/server/nginx 目录下，如果你需要修改，请自行修改路径；

hg clone -b quic https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre  --add-module=/root/ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --with-http_v3_module --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
make
make install

添加 www 用户

1 2	groupadd www useradd -g www -s /sbin/nologin www

添加进程管理

本人使用的是 systemd，如果你使用的是其他进程管理，请自行修改

1	vim /usr/lib/systemd/system/nginx.service

输入如下内容：

[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/www/server/nginx/sbin/nginx
ExecReload=/www/server/nginx/sbin/nginx -s reload
ExecStop=/www/server/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

启动

1	systemctl start nginx

开机自启

1	systemctl enable nginx

配置文件

示例配置文件如下，更多特性请参考官方文档：https://nginx.org/en/docs/http/ngx_http_v3_module.html

server {
       listen 443 ssl http2;
       listen [::]:443 ssl http2;

       # 用于支持Quic或HTTP/3
       listen 443 quic reuseport;
       listen [::]:443 quic reuseport;

       server_name r2wind.cn;

       # Quic或HTTP/3响应头
       add_header Alt-Svc 'h3=":443"; ma=86400';
       # HSTS
       add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

       location / {
           root /www/wwwroot/r2wind.cn; 
           index  index.html index.htm;
         }

       # 证书配置
       ssl_certificate /root/.acme.sh/smb.wiki/fullchain.cer; 
       ssl_certificate_key /root/.acme.sh/smb.wiki/smb.wiki.key;
       ssl_session_timeout 5m;
       ssl_protocols TLSv1.2 TLSv1.3; 
       ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; 
       ssl_prefer_server_ciphers on;
    }