nginx with HTTP/3 support


HTTP/3 features [1]

  • Stream multiplexing
  • Stream-level and connection-level flow control
  • Low-latency connection establishment, 0-RTT
  • Connection migration and recovery from NAT rebinding
  • Authenticated and encrypted headers and payload

Building and installing BoringSSL

The crypto module of nginx-quic uses BoringSSL, so build and install BoringSSL first.
Install golang first (the BoringSSL build runs Go for its test tooling):

apt-get install golang-go

Then build BoringSSL:

git clone https://boringssl.googlesource.com/boringssl
cd boringssl/
mkdir build
cd build
cmake ../
make -j 8

The BoringSSL build fails with the following error (the Go toolchain cannot reach the default module proxy):

go: golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9: Get "https://proxy.golang.org/golang.org/x/crypto/@v/v0.0.0-20200622213623-75b288015ac9.mod": dial tcp 172.217.166.145:443: connect: connection refused

After setting GOPROXY to a reachable mirror, rerunning the build succeeds:

export GOPROXY=https://goproxy.io

After the build, copy the header files and static libraries by hand into a fixed directory; the layout then looks like this:

root@ubuntu:/usr/local/thirdparty/boringssl# find ./ -maxdepth 2
./include/openssl
./lib/libssl.a
./lib/libcrypto.a

Building and installing nginx-quic

nginx-quic is still under development and lives in a separate development branch; follow the official README [2]:

git clone -b quic https://hg.nginx.org/nginx-quic
./auto/configure --with-debug \
                 --prefix=/usr/local/nginx-quic \
                 --with-http_v3_module       \
                 --with-cc-opt="-I/usr/local/thirdparty/boringssl/include"   \
                 --with-ld-opt="-L/usr/local/thirdparty/boringssl/lib"
make -j 8
make install

If you run into the following configure error:

./auto/configure: error: certain modules require OpenSSL QUIC support.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

check that the paths given to --with-cc-opt= and --with-ld-opt= are correct (they must point at the include/ and lib/ directories of the BoringSSL layout above).

After installation, show the nginx build details:

# ./sbin/nginx  -V
nginx version: nginx/1.19.2
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) 
configure arguments: --with-debug --with-openssl=/home/wanghao/worker/opensourcecode/boringssl --prefix=/usr/local/nginx-quic
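The two failure points in the procedure above are a BoringSSL directory that does not contain what --with-cc-opt/--with-ld-opt point at, and a build that silently ends up without the HTTP/3 module. The following POSIX sh helpers, added here as an example and not part of the original post or of nginx-quic, check the copied layout before configure, derive matching configure flags from one directory so the include and library paths cannot drift apart, and confirm from the text of nginx -V that the module is present. The BORINGSSL_DIR path and the file names checked are assumptions based on the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post or from nginx-quic.
# Assumption: the BoringSSL headers and static libraries were copied to
# $BORINGSSL_DIR with the include/openssl and lib/ layout shown in the post.

BORINGSSL_DIR="${BORINGSSL_DIR:-/usr/local/thirdparty/boringssl}"

# Returns 0 when the directory holds the header and both static libraries
# that --with-cc-opt/--with-ld-opt rely on; reports each missing file on
# stderr and returns 1 otherwise. A missing file here is what produces the
# "certain modules require OpenSSL QUIC support" configure error.
check_boringssl_layout() {
    dir="$1"
    status=0
    for f in include/openssl/ssl.h lib/libssl.a lib/libcrypto.a; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            status=1
        fi
    done
    return "$status"
}

# Prints configure flags derived from a single BoringSSL directory so the
# -I and -L paths always refer to the same tree.
configure_flags() {
    dir="$1"
    printf '%s' "--with-debug --prefix=/usr/local/nginx-quic --with-http_v3_module --with-cc-opt=-I$dir/include --with-ld-opt=-L$dir/lib"
}

# Reads the output of "nginx -V" on stdin (nginx writes it to stderr, so
# pipe it with 2>&1) and returns 0 only if the HTTP/3 module was enabled.
nginx_has_http3() {
    grep -q -- '--with-http_v3_module'
}

# Guarded so the helpers can be sourced; run with "sh thisfile.sh check".
if [ "${1:-}" = "check" ]; then
    check_boringssl_layout "$BORINGSSL_DIR" || exit 1
    echo "configure flags: $(configure_flags "$BORINGSSL_DIR")"
    if [ -x /usr/local/nginx-quic/sbin/nginx ]; then
        /usr/local/nginx-quic/sbin/nginx -V 2>&1 | nginx_has_http3 \
            && echo "nginx was built with --with-http_v3_module" \
            || echo "nginx was built WITHOUT --with-http_v3_module" >&2
    fi
fi
```

Run check_boringssl_layout before ./auto/configure rather than after: configure reports the missing OpenSSL QUIC support generically, while the helper names the exact file that is absent.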

nginx configuration file

#user  nobody;
worker_processes  2;

# Debug-level log; useful while bringing QUIC up, too verbose for production.
error_log  logs/debug.log  debug;

events {
    worker_connections  1024;
}

http {
    # $quic and $http3 are provided by the http_v3 module and show whether
    # a request arrived over QUIC/HTTP/3.
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$quic" "$http3"';
    access_log logs/access.log quic;

    server {
        # HTTP/3 over QUIC on UDP 8443; reuseport lets each worker bind its own socket.
        listen 8443 http3 reuseport;
        # TLS over TCP on the same port; clients discover HTTP/3 via Alt-Svc from here.
        listen 8443 ssl;
        server_name www.haha.com;
        client_max_body_size 4G;
        root /data;

        ssl_certificate     ssl/server.crt;
        ssl_certificate_key ssl/server.key;
        # QUIC requires TLS 1.3.
        ssl_protocols       TLSv1.3;

        location / {
            autoindex on;
            autoindex_exact_size on;
            autoindex_localtime on;
            # Advertise the HTTP/3 endpoint; $http3 expands to the supported h3 version.
            add_header Alt-Svc '$http3=":8443"; ma=86400';
        }
    }
}

After starting nginx, you can see that it listens on port 8443 over UDP:

# netstat -annp |egrep nginx
udp        0      0 0.0.0.0:8443            0.0.0.0:*                           37737/nginx: master 
udp        0      0 0.0.0.0:8443            0.0.0.0:*                           37737/nginx: master 
unix  3      [ ]         STREAM     CONNECTED     127155   37737/nginx: master  
unix  3      [ ]         STREAM     CONNECTED     127156   37737/nginx: master  
unix  3      [ ]         STREAM     CONNECTED     127157   37737/nginx: master  
unix  3      [ ]         STREAM     CONNECTED     127154   37737/nginx: master
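A quick way to confirm that the configuration above is actually live is to check the socket table for both listeners the server block declares: the UDP socket from listen 8443 http3 and the TCP socket from listen 8443 ssl, since browsers first connect over TCP/TLS and only switch to HTTP/3 after seeing the Alt-Svc header. The POSIX sh helper below, added here as an example and not part of the original post, parses netstat -annp output for a port and reports which protocols are bound. The sample input is constructed from the post's output plus a TCP line that the post does not show; that line is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Parses "netstat -annp" text
# and reports which protocols nginx has bound on the HTTP/3 port.

# Prints the distinct protocols ("tcp", "udp", or "tcp udp") on which the
# given port is bound: UDP sockets by local address, TCP sockets only when
# in LISTEN state so established client connections are not counted.
listener_protos() {
    port="$1"
    awk -v p="$port" '
        (($1 == "tcp" && $6 == "LISTEN") || $1 == "udp") && $4 ~ (":" p "$") { seen[$1] = 1 }
        END { for (k in seen) print k }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Returns 0 only when both the TCP (ssl) and UDP (http3) listeners exist,
# which is what the Alt-Svc upgrade path needs.
http3_ready() {
    [ "$(listener_protos "$1")" = "tcp udp" ]
}

# Constructed sample: the post's UDP and unix lines plus an assumed TCP line
# for the "listen 8443 ssl" directive.
SAMPLE='udp        0      0 0.0.0.0:8443            0.0.0.0:*                           37737/nginx: master
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      37737/nginx: master
unix  3      [ ]         STREAM     CONNECTED     127155   37737/nginx: master'

# Guarded live check; run with "sh thisfile.sh live" on the nginx host.
if [ "${1:-}" = "live" ]; then
    if netstat -annp 2>/dev/null | http3_ready 8443; then
        echo "tcp and udp listeners present on 8443"
    else
        echo "expected both tcp and udp on 8443, found: $(netstat -annp 2>/dev/null | listener_protos 8443)" >&2
        exit 1
    fi
fi
```

If only udp shows up, the TLS-over-TCP listener is missing and clients never receive the Alt-Svc header; if only tcp shows up, the http3 listen directive did not take effect (typically the module is absent from the build, which nginx -V reveals).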

Getting nginx to support QUIC is quick when you follow the official documentation, but finding a client that supports QUIC is more of a hassle.

Testing

TODO

References

[1] docs.wxclimb.top/draft-ietf-…
[2] quic.nginx.org/readme.html