编译Nginx配置QUIC/HTTP3.0

1. 安装BoringSSL

sudo apt update
sudo apt install -y build-essential ca-certificates zlib1g-dev libpcre3 \
libpcre3-dev tar unzip libssl-dev wget curl git cmake ninja-build mercurial \
libunwind-dev pkg-configgit clone --depth=1 https://github.com/google/boringssl.git
cd boringssl
cmake -GNinja -B build -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1
ninja -C build
cd ..

2.安装ngx_brotli

git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
mkdir ngx_brotli/deps/brotli/out 
cd ngx_brotli/deps/brotli/out
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
cmake --build . --config Release --target brotlienc
cd -

3. 安装Nginx

hg clone https://hg.nginx.org/nginx
cd nginx
./auto/configure --user=www --group=www --prefix=/www/server/nginx --with-pcre --add-module=../ngx_brotli --with-http_v2_module --with-stream --with-stream_ssl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt='-Wl,-E' --with-cc-opt=-Wno-error --with-ld-opt='-ljemalloc' --with-http_dav_module --with-http_v3_module --with-cc=c++ --with-cc-opt='-I ../boringssl/include -x c' --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
make
sudo make install
cd ..
cd /usr/sbin
sudo ln -s /www/server/nginx/sbin/nginx
nginx --version
cd -
echo '[Unit]                                                                  1
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target[Service]
Type=forking
PIDFile=/www/server/nginx/logs/nginx.pid
ExecStartPre=nginx -t
ExecStart=nginx
ExecReload=nginx -s reload
ExecStop=nginx -s stop
ExecQuit=nginx -s quit
PrivateTmp=true[Install]
WantedBy=multi-user.target' > nginx.service
[ -f /etc/systemd/system/nginx.service ] && ([ -f /etc/systemd/system/nginx.service.bak ] || sudo mv /etc/systemd/system/nginx.service /etc/systemd/system/nginx.service.bak)
sudo mv nginx.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl start nginx
sudo systemctl enable nginx

4. 配置Nginx

user  root;
worker_processes  1;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;include sites-enabled/*;default_type  application/octet-stream;log_format quic '$remote_addr - $remote_user [$time_local] ''"$request" $status $body_bytes_sent ''"$http_referer" "$http_user_agent" "$http3"';access_log logs/access.log quic;sendfile        on;#tcp_nopush     on;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  localhost;#charset koi8-r;location / {root   html;index  index.html index.htm;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}}

- 配置域名

cd /www/server/nginx/conf/
sudo chown -R $USER:$USER .
mkdir sites-avaliable sites-enabled
touch sites-avaliable/quic.waketzheng.top
ln -s `pwd`/sites-avaliable/quic.waketzheng.top `pwd`/sites-enabled/quic.waketzheng.top
# vi sites-enabled/quic.waketzheng.top
cat sites-enabled/quic.waketzheng.top

- 配置文件内容：

upstream quic_api {server 127.0.0.1:9798;
}server {server_name quic.waketzheng.top;client_max_body_size 30m;location / {proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_pass http://quic_api;add_header Alt-Svc 'h3=":443"; ma=86400';}ssl_certificate /etc/letsencrypt/live/quic.waketzheng.top/fullchain.pem; # managed by Certbotssl_certificate_key /etc/letsencrypt/live/quic.waketzheng.top/privkey.pem; # managed by Certbotinclude /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbotssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbotlisten 443 ssl;listen 443 quic reuseport;
}server {if ($host = quic.waketzheng.top) {return 301 https://$host$request_uri;} # managed by Certbotserver_name quic.waketzheng.top;listen 80;return 404; # managed by Certbot
}

- 测试配置并重启Nginx 

sudo nginx -t
sudo nginx -s reload

5.验证 HTTP3 是否生效

打开这个https://http3.wcode.net/

输入网址即可知道效果