升级 NGINX 以启用 HTTP/3(QUIC) 支持

Nginx 在 1.25.0 版本中将 QUIC 分支并入主线，正式支持 HTTP/3¹2023-05-23   nginx-1.25.0 mainline version has been released, featuring experimental HTTP/3 support. https://nginx.org/。笔者也于前不久更新了自己的服务器，为网站添加 HTTP/3(QUIC) 支持。本文主要记载了笔者编译更新 Nginx 的过程和遇到的一些坑，希望能够帮助到有需要的人。

下载源代码

NGINX

wget https://nginx.org/download/nginx-1.25.3.tar.gz
tar -zxvf nginx-1.25.3.tar.gz
cd nginx-1.25.3-src

BoringSSL

git clone https://boringssl.googlesource.com/boringssl

PCRE2

前往 Releases · PCRE2Project/pcre2 (github.com) 下载最新版本。

Nginx 模块

这是笔者使用到的模块列表，可根据实际需要自行修改

• ngx_brotli
• nginx-http-concat
• ngx-fancyindex
• ngx_devel_kit
• ngx_cache_purge
• ngx_http_substitutions_filter_module
• nginx-dav-ext-module

编译

BoringSSL

Google 官方推荐使用 Ninja 进行编译。²Building BoringSSL (googlesource.com)

cd boringssl
cmake -GNinja -B build
ninja -C build

NGINX

./configure --user=www --group=www --prefix=/www/server/nginx --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/ngx_cache_purge --with-pcre=pcre2-10.42 --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --add-module=/www/server/nginx/src/ngx_http_substitutions_filter_module-master --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --add-module=/www/server/nginx/src/nginx-dav-ext-module --add-module=/www/server/nginx/src/ngx_brotli --add-module=/www/server/nginx/src/ngx-fancyindex --with-http_v3_module --with-cc-opt=-I./boringssl/include --with-ld-opt='-L./boringssl/build/ssl -L./boringssl/build/crypto'
make

测试

先结束 Nginx，替换旧版本后重新启动。

查看当前 Nginx 版本：

root@mail:~# nginx -V
nginx version: nginx/1.25.3
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) 
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/ngx_cache_purge --with-pcre=pcre2-10.42 --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --add-module=/www/server/nginx/src/ngx_http_substitutions_filter_module-master --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --add-module=/www/server/nginx/src/nginx-dav-ext-module --add-module=/www/server/nginx/src/ngx_brotli --add-module=/www/server/nginx/src/ngx-fancyindex --with-http_v3_module --with-cc-opt=-I./boringssl/include --with-ld-opt='-L./boringssl/build/ssl -L./boringssl/build/crypto'

配置文件

示例

server {
    listen 80;
    listen 443 quic;
	listen 443 ssl;
	http2 on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    server_name aiccrop.com ...;
    ssl_early_data on;

    ......

}

Reference

• 1
  2023-05-23   nginx-1.25.0 mainline version has been released, featuring experimental HTTP/3 support. https://nginx.org/
• 2
  Building BoringSSL (googlesource.com)