编译Nginx配置QUIC/HTTP3.0

1. 安装BoringSSL

sudo apt update
sudo apt install -y build-essential ca-certificates zlib1g-dev libpcre3 \
libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial \
libunwind-dev pkg-config

git clone --depth=1 https://github.com/google/boringssl.git
cd boringssl
cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1
ninja -C build
cd ..

2.安装ngx_brotli

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
mkdir ngx_brotli/deps/brotli/out 
cd ngx_brotli/deps/brotli/out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd -

3. 安装Nginx

hg clone https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=../ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt='-Wl,-E' --with-cc-opt=-Wno-error --with-ld-opt='-ljemalloc' --with-http_dav_module --with-http_v3_module --with-cc=c++ --with-cc-opt='-I ../boringssl/include -x c' --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
make
sudo make install
cd ..
cd /usr/sbin
sudo ln -s /www/server/nginx/sbin/nginx
nginx --version
cd -
echo '[Unit]                                                                  1
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/www/server/nginx/logs/nginx.pid
ExecStartPre=nginx -t
ExecStart=nginx
ExecReload=nginx -s reload
ExecStop=nginx -s stop
ExecQuit=nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target' > nginx.service
[ -f /etc/systemd/system/nginx.service ] && ([ -f /etc/systemd/system/nginx.service.bak ] || sudo mv /etc/systemd/system/nginx.service /etc/systemd/system/nginx.service.bak)
sudo mv nginx.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl start nginx
sudo systemctl enable nginx

4. 配置Nginx

user  root;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    include sites-enabled/*;
    default_type  application/octet-stream;

    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http3"';

    access_log logs/access.log quic;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }

}

• 配置域名

cd /www/server/nginx/conf/
sudo chown -R $USER:$USER .
mkdir sites-avaliable sites-enabled
touch sites-avaliable/quic.waketzheng.top
ln -s `pwd`/sites-avaliable/quic.waketzheng.top `pwd`/sites-enabled/quic.waketzheng.top
# vi sites-enabled/quic.waketzheng.top
cat sites-enabled/quic.waketzheng.top

• 配置文件内容：

upstream quic_api {
   server 127.0.0.1:9798;
}

server {
    server_name quic.waketzheng.top;
    client_max_body_size 30m;

    location / {
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://quic_api;
      add_header Alt-Svc 'h3=":443"; ma=86400';
    }

    ssl_certificate /etc/letsencrypt/live/quic.waketzheng.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/quic.waketzheng.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    listen 443 ssl;
	listen 443 quic reuseport;
}

server {
    if ($host = quic.waketzheng.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name quic.waketzheng.top;

    listen 80;
    return 404; # managed by Certbot
}

• 测试配置并重启Nginx

sudo nginx -t
sudo nginx -s reload

5.验证 HTTP3 是否生效

打开这个https://http3.wcode.net/

输入网址即可知道效果