跳至主要內容

nginx-quic 编译和使用

MonoLogueChiLinux大约 2 分钟

最近又打算从 caddy 换回 nginx 了,简单记录一下一些操作。

提示

官方已发布预览版二进制包,通常情况下不需要自己手动编译了,详见 https://quic.nginx.org/packages.htmlopen in new window

说明

当前这个阶段,nginx 默认还是不支持 http3 的,但是 nginx-quic 分支是可以使用的。

(下面的不要照抄代码,理解了再去执行,一定要先知道每一句都是在做什么,如果系统不一样,或者版本不一致,一定要检查一下)

准备编译环境

本文以 ubuntu 22.10 为例

首先确保软件已更新到最新

sudo apt update
sudo apt upgrade
sudo apt update

sudo apt install build-essential libtool libpcre3-dev zlib1g-dev libzstd-dev unzip cmake ninja-build golang wget git

准备源码和编译

下面是一些需要准备的源码

mkdir nginx-src
cd nginx-src

编译 boringssl

git clone https://github.com/google/boringssl.git
cd boringssl/
mkdir build
cd build
cmake -GNinja ..
ninja

下载 ngx_brotli

cd ../../       // nginx-src目录下

git clone --recurse-submodules https://github.com/google/ngx_brotli.git

下载 zstd-nginx-module

git clone --recurse-submodules https://github.com/tokers/zstd-nginx-module.git

下载 nginx-quic

wget https://hg.nginx.org/nginx-quic/archive/tip.zip
unzip tip.zip
rm tip.zip
cd nginx-quic-af5adec171b4/

编译

./auto/configure \
 --with-http_gzip_static_module \
 --with-http_ssl_module --with-http_v2_module \
 --with-http_v3_module --with-stream_quic_module \
 --with-cc-opt="-I../boringssl/include" --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" \
 --add-module="../ngx_brotli" \
 --add-module="../zstd-nginx-module"

make

安装

安装 nginx

sudo make install

配置进程守护

创建并编辑文件 /home/mc/www/nginx/nginx.service

[Unit]
Description=nginx - high performance web server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

设置开机启动

sudo systemctl enable /home/mc/www/nginx/nginx.service

编辑配置文件

修改配置文件

创建并编辑文件 /home/mc/www/nginx/nginx.conf

zstd on;
brotli on;
gzip on;

zstd_static on;
brotli_static on;
gzip_static  on;

zstd_types text/plain application/css text/css application/xml text/javascript application/javascript application/x-javascript application/json;
brotli_types text/plain application/css text/css application/xml text/javascript application/javascript application/x-javascript application/json;
gzip_types text/plain application/css text/css application/xml text/javascript application/javascript application/x-javascript application/json;


server {
    listen 80;
    server_name localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;
    location / {
        root html;
        index index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

编辑文件 /usr/local/nginx/conf/nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    include /home/mc/www/nginx/nginx.conf;
}

这样,以后大部分配置就可以通过修改 /home/mc/www/nginx/nginx.conf 完成了。

配置 http3

server {
    listen 443 http3 reuseport;
    listen 443 ssl http2;
    server_name xx.xxwhite.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Alt-Svc 'h3=":443"; ma=86400; h3-29=":443"; h3-28=":443";';
    ssl_certificate /home/mc/.acme.sh/*.xxwhite.com/fullchain.cer;
    ssl_certificate_key /home/mc/.acme.sh/*.xxwhite.com/*.xxwhite.com.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:5000;
    }
}

其中,证书可以通过 acme.sh 完成自动化更新。