DEV Community

Michael

Compiling nginx for HTTP/3

About

The latest nginx release provides HTTP/3. To set up a test environment, this post records the process of building nginx from source, including building its dependencies.

Environment

lsb_release -a
# Distributor ID: Ubuntu
# Description:    Ubuntu 22.04.4 LTS
# Release:        22.04
# Codename:       jammy

gcc --version
# gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Compiling Nginx

Compiling or installing dependencies

SSL Library

Nginx's HTTP/3 implementation depends on an SSL library underneath; you can choose BoringSSL, LibreSSL or QuicTLS. If you choose the OpenSSL compatibility layer, early data will not be available. Here we choose QuicTLS, which is itself a modified version of OpenSSL.

git clone --depth 1 -b openssl-3.1.5+quic https://github.com/quictls/openssl
cd openssl
./config enable-tls1_3
make
make install

Note

  1. If libssl or libssl-dev is already installed on the Linux machine, there will be conflicts and errors. The root cause and the fix are covered in another article; if that does not sort it out, check man ldconfig, or directly add an ld config file for the relevant libraries. If you have made it this far, dynamic-library problems like these should be familiar :).

  2. By default the compiled shared libraries are in /usr/local/lib64 and the include files in /usr/local/include.

Other dependencies

apt install build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libxml2 libxml2-dev libxslt1-dev

Compiling Nginx

./configure \
--prefix=/home/michael/nginx \
--with-debug \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_v3_module \
--with-cc-opt="-I/usr/local/include -DNGX_QUIC_DEBUG_PACKETS -DNGX_QUIC_DEBUG_FRAMES -DNGX_QUIC_DEBUG_ALLOC -DNGX_QUIC_DEBUG_CRYPTO" \
--with-ld-opt="-L/usr/local/lib64" \
--add-dynamic-module="$HOME/download/njs-0.8.4/nginx" # add the njs module
# --with-cc-opt may only be given once: a second occurrence replaces the first,
# so the QuicTLS include path and the QUIC debug defines go in one value.
make
make install

By default nginx is installed to /root/nginx. Inside that directory you will find the following folders by default:

conf     contains the default configuration file nginx.conf, which you can modify as needed
html     contains the default index.html page, which you can modify as needed
logs     contains the nginx access and error logs
sbin     contains the nginx command and others
modules  present if you compiled in additional modules such as njs; contains the modules' shared libraries

It is recommended to add the nginx command to PATH:

echo 'export PATH="${PATH}:/root/nginx/sbin"' >> ~/.bashrc

Testing Nginx

Start nginx with the following commands, then try accessing it to check that it works:

nginx -V    # show detailed build information
nginx -t -v # test whether the configuration is valid
nginx       # start nginx (nginx -s only accepts stop, quit, reopen and reload)
curl localhost
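As an added check that is not part of the original post, the script below confirms that the binary you just built really is an HTTP/3 build linked against the QuicTLS libraries in /usr/local/lib64 rather than the distro's libssl, which is the header/library mismatch the note about libssl and libssl-dev conflicts refers to. The function names are hypothetical and the sample `nginx -V` and `ldd` outputs are constructed so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added post-build check (not from the original post): confirm the binary was
# built with http_v3_module, that nginx reports the QuicTLS "+quic" OpenSSL
# both at build time and at run time, and that ldd resolves libssl/libcrypto
# from the QuicTLS prefix instead of the distro's libssl.

check_nginx_v() {
  # $1: output of `nginx -V 2>&1`. 0 = ok, 1 = no http_v3_module,
  # 2 = not QuicTLS, 3 = runtime libssl differs from the build-time one.
  local v="$1"
  printf '%s\n' "$v" | grep -q -- '--with-http_v3_module' || return 1
  printf '%s\n' "$v" | grep -q 'built with OpenSSL [0-9.]*+quic' || return 2
  # nginx prints "(running with OpenSSL ...)" only when the loaded library's
  # version string does not match the headers it was compiled against.
  printf '%s\n' "$v" | grep -q '(running with OpenSSL' && return 3
  return 0
}

check_ldd() {
  # $1: output of `ldd "$(command -v nginx)"`; $2: expected library directory
  local l="$1" dir="$2"
  printf '%s\n' "$l" | grep '^[[:space:]]*libssl\.so' | grep -q -- "=> $dir/" || return 1
  printf '%s\n' "$l" | grep '^[[:space:]]*libcrypto\.so' | grep -q -- "=> $dir/" || return 2
  return 0
}

# Constructed sample outputs so the checks can be exercised offline.
SAMPLE_V='nginx version: nginx/1.25.5
built with OpenSSL 3.1.5+quic 30 Jan 2024
configure arguments: --prefix=/home/michael/nginx --with-http_v3_module'
SAMPLE_LDD_OK='    libssl.so.3 => /usr/local/lib64/libssl.so.3 (0x00007f00)
    libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f01)'
SAMPLE_LDD_BAD='    libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007f00)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f01)'

run_checks() {
  # Run against the real binary when present, otherwise against the samples.
  if command -v nginx >/dev/null 2>&1; then
    check_nginx_v "$(nginx -V 2>&1)" || { echo "nginx -V check failed (rc=$?)"; return 1; }
    check_ldd "$(ldd "$(command -v nginx)")" /usr/local/lib64 || { echo "ldd check failed (rc=$?)"; return 1; }
  else
    check_nginx_v "$SAMPLE_V" && check_ldd "$SAMPLE_LDD_OK" /usr/local/lib64 || return 1
  fi
  echo "OK: HTTP/3 build linked against QuicTLS"
}
```

Run `run_checks` after make install; a return code of 3 from check_nginx_v means the loader picked a different libssl than the one nginx was compiled against, which is exactly when an ld config file for /usr/local/lib64 is needed.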

Configuring HTTP/3

Self-signed certificate

#! /usr/bin/env bash

# Generate self signed ca and server cert for localhost test

set -euo pipefail

CA="ca_cert.pem"   # name matches the --cacert used in the curl test below
CA_KEY="ca_key.pem"
SERVER_CERT="server_cert.pem"
SERVER_KEY="server_key.pem"
HOST="localhost"
IP="127.0.0.1"

# NOTICE: use the quictls build installed under /usr/local/lib64
export LD_LIBRARY_PATH=/usr/local/lib64
openssl version

# clean
rm -f "$CA" "$CA_KEY" "$SERVER_CERT" "$SERVER_KEY"

# 1. Generate self-signed CA certificate and private key
openssl req -x509 \
    -newkey rsa:4096 \
    -days 365 \
    -keyout "${CA_KEY}" \
    -out "${CA}" \
    -subj "/C=CN/ST=Hubei/L=Wuhan/O=QUIC/OU=QUICUNIT/CN=localhost/emailAddress=ca@example.com" \
    -noenc > /dev/null 2>&1

echo "CA's self-signed certificate DONE"
# openssl x509 -in "${CA}" -noout -text

# 2. Generate server cert and private key, signed by the CA
openssl req -x509 \
    -newkey rsa:4096 \
    -keyout "${SERVER_KEY}" \
    -out "${SERVER_CERT}" \
    -subj "/C=CN/ST=Hubei/L=Wuhan/O=QUIC/OU=QUICUNIT/CN=localhost/emailAddress=server@example.com" \
    -addext "subjectAltName=DNS:${HOST},IP:${IP}" \
    -CA "${CA}" \
    -CAkey "${CA_KEY}" \
    -copy_extensions copyall \
    -days 365 \
    -noenc

echo "Server's certificate DONE"
# openssl x509 -in "${SERVER_CERT}" -noout -text

# 3. Verify server certificate against the CA
openssl verify \
    -verbose \
    -show_chain \
    -trusted "${CA}" \
    "${SERVER_CERT}"

Note the IP and HOST in the script. Put the generated server_cert.pem and server_key.pem into the nginx installation directory from earlier, /root/nginx/certs, and add ca_cert.pem to the trust list (browsers can import it directly).

Nginx configuration file

Modify the server block in /root/nginx/conf/nginx.conf and add the following:

listen 443 quic reuseport;
listen 443 ssl;
http2 on;
server_name  localhost;

ssl_protocols TLSv1.3;
# TLS 1.2 cipher list; not used while only TLSv1.3 is enabled
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
# TLS 1.3 suites available: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
ssl_prefer_server_ciphers off;

ssl_certificate     /root/nginx/certs/server_cert.pem;
ssl_certificate_key /root/nginx/certs/server_key.pem;

Restart nginx and test the HTTP/3 service. The ssl_ciphers and ssl_conf_command Ciphersuites values here follow man openssl-ciphers.

Testing

Browser

Firefox can use the HTTP/3 service directly. Importing a self-signed certificate into the browser will be covered in a separate post later.

curl

curl needs to be built from source with HTTP/3 support, which is another topic; the curl website documents the build clearly.

curl --http3 --cacert ca_cert.pem -v https://localhost