WeAir

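Enabling HTTP/3 (QUIC) in Nginx

Preparation

Nginx has supported HTTP/3 since version 1.25.0, so you only need to download the source, extract it, then compile and install. The firewall must also allow UDP port 443.

Compiling and installing BoringSSL

Google officially recommends building BoringSSL with ninja, so install ninja first.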

wget https://github.com/ninja-build/ninja/releases/download/v1.12.1/ninja-linux.zip
unzip ninja-linux.zip
cp ninja /usr/local/bin/

git clone https://boringssl.googlesource.com/boringssl
cd boringssl/
cmake -GNinja -B build
ninja -C build

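Compiling and installing Nginx with QUIC

Enabling the HTTP/3 module requires the parameters --with-http_v3_module --with-cc-opt="-I../boringssl/include" --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto". The paths point at the BoringSSL checkout built in the previous step.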

wget https://nginx.org/download/nginx-1.27.2.tar.gz
tar -zxvf nginx-1.27.2.tar.gz
cd nginx-1.27.2
# Add your own configure options in place of the trailing "..."
./configure --prefix=/usr/local/nginx \
--with-cc=c++ \
--with-debug \
--with-http_v3_module \
--with-cc-opt="-I../boringssl/include -x c" \
--with-ld-opt="-L../boringssl/build/ssl \
-L../boringssl/build/crypto" \
...

make
make install

After the build finishes, check the Nginx build information.

nginx -V
nginx version: nginx/1.27.2
built by gcc 10.2.1 20210110
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-cc=c++ --with-debug --with-http_v3_module --with-cc-opt='-I../boringssl/include -x c' --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'

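Configuring Nginx

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    http2 on;
    http3 on;
    # HTTP/0.9 over QUIC, used for QUIC interoperability tests
    http3_hq on;
    # QUIC address validation (Retry packets / tokens)
    quic_retry on;
    # Segmentation offload, supported only on Linux with UDP_SEGMENT
    quic_gso on;
    server_name domain.name;

    # add_header takes a name and one value; the header name must not be repeated
    add_header Alt-Svc 'h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, quic=":443"; ma=2592000';

    ...
}

After the configuration is complete, restart Nginx.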

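Testing

You can verify that HTTP/3 is enabled with a checking site such as http3check.net, or by inspecting the negotiated protocol in the browser.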
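Before going to an external checker, the build and the server block can be linted offline. The script below is an added example, not part of the original post: the function name h3_lint and the sample inputs are constructed for illustration. It checks that the module is compiled in, that a well-formed Alt-Svc header is present, and that the advertised h3 port has a matching quic listener.

```shell
#!/bin/sh
# Added example (not from the original post): offline lint for the HTTP/3 setup.
# $1 = text of `nginx -V`, $2 = text of the server block. Returns 0 when clean.
h3_lint() {
    h3_build=$1; h3_conf=$2; h3_bad=0
    h3_has() { printf '%s\n' "$h3_conf" | grep -Eq -- "$1"; }
    h3_fail() { echo "FAIL: $1"; h3_bad=1; }

    # The HTTP/3 module must be compiled in.
    printf '%s\n' "$h3_build" | grep -q -- '--with-http_v3_module' ||
        h3_fail "nginx built without --with-http_v3_module"

    # Protocol switch and the TCP listener that serves the first visit.
    h3_has '^[[:space:]]*http3[[:space:]]+on[[:space:]]*;' || h3_fail "http3 is not on"
    h3_has '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]ssl[[:space:];]' ||
        h3_fail "no TCP 'listen ... ssl' to deliver Alt-Svc"

    # Alt-Svc: header name, ONE quoted value advertising h3, optional 'always'.
    if ! h3_has '^[[:space:]]*add_header[[:space:]]+Alt-Svc[[:space:]]'; then
        h3_fail "no Alt-Svc header, clients never learn about HTTP/3"
    elif ! h3_has "^[[:space:]]*add_header[[:space:]]+Alt-Svc[[:space:]]+'[^']*h3=[^']*'([[:space:]]+always)?[[:space:]]*;"; then
        h3_fail "malformed add_header Alt-Svc (expected: name 'value' [always])"
    fi

    # The advertised h3 port must have a matching UDP (quic) listener.
    h3_port=$(printf '%s\n' "$h3_conf" | sed -n 's/.*h3=":\([0-9][0-9]*\)".*/\1/p' | head -n 1)
    h3_has "^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?${h3_port:-[0-9]+}[[:space:]]+([^;]*[[:space:]])?quic[[:space:];]" ||
        h3_fail "no 'listen ... quic' on port ${h3_port:-any}"

    return "$h3_bad"
}

# Constructed sample input (not captured from a real host).
SAMPLE_BUILD="configure arguments: --prefix=/usr/local/nginx --with-http_v3_module"
SAMPLE_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 quic reuseport;
    http3 on;
    add_header Alt-Svc 'h3=":443"; ma=2592000';
}
EOF
)
h3_lint "$SAMPLE_BUILD" "$SAMPLE_CONF" && echo "OK: HTTP/3 pre-flight passed"
```

On a real host, pass "$(nginx -V 2>&1)" and the contents of the site's configuration file as the two arguments.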