Enter the quiche patch developed by Cloudflare; Nginx officially announced support for HTTP/3 on the 10th, so there is another method. Since I am an old Nginx user, I will share the two methods of quiche patch compilation and official compilation of Nginx-quic, as well as the process of blog configuration.
Patch and compile Nginx
To patch and compile Nginx, the first step is to download the quiche of Nginx and Cloudflare, but the actual compilation also requires cmake, go runtime, and rust. Let’s go step by step.
download nginx
Nginx:https://nginx.org/en/download.html
Open the official website to download the latest nginx-1.19.0 and unzip it:
wget -c https://nginx.org/download/nginx-1.19.0.tar.gz -O - | tar -xz
download quiche
git clone --recursive https://github.com/cloudflare/quiche
DOWNLOAD go
Download go and extract it to the /usr/local path:
wget -c https://dl.google.com/go/go1.14.linux-amd64.tar.gz -O - | tar -xz -C /usr/local/
Set the go environment variable, which can also be written to the profile
vi ~/.profile write the following:
| 1 2 3 4 5 | export PATH=$PATH:/usr/local/go/bin export PATH=$PATH:$HOME/.cargo/bin export GOROOT=/usr/local/go export GOBIN=$GOROOT/bin export PATH=$PATH:$GOBIN |
After saving,source ~/.profile
Download and install cmake
Download the latest cmake, and compile and install:
| 1 2 3 4 5 6 | download the latest cmake wget https://github.com/Kitware/CMake/releases/download/v3.16.8/cmake-3.16.8.tar.gz Compile and install tar zxf cmake-3.16.8.tar.gz && cd cmake-3.16.8 && ./bootstrap && make && make install Create soft link ln -s /usr/local/bin/cmake /usr/bin/cmake |
Download and install rust
curl https://sh.rustup.rs -sSf | sh
compile nginx
| 1 2 3 4 5 6 7 8 9 10 11 | cd nginx-1.19.0 # Enter the path of quiche, it is officially said to support nginx-1.16.1 version, in fact, nginx-1.19.0 version is also supported patch -p01 < ../quiche/extras/nginx/nginx-1.16.patch # Compile nginx with plugins, the path and plugins in this step are best to use the old nginx for seamless upgrade. # nginx -V View the old nginx path and plug-ins, copy the content, and # then add the following quiche plug-in to compile. # The old version of nginx should be stopped before compiling, command: systemctl stop nginx ./configure –prefix=$PWD –with-http_ssl_module –with-http_v2_module –with-http_v3_module –with-openssl=../quiche/deps/boringssl –with-quiche=../quiche make # The last step make install is to put the file into the specified path, it is not necessary to execute make install |
The compiled Nginx binaries are in the /nginx-1.19.0/objs/folder, or directly in the path you specified when compiling.
Configure nginx.conf
vi /etc/nginx/nginx.conf
Mainly write quic support under port 443, and atl-svc response header
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | events { worker_connections 1024; } http { server { # enable quic listen 443 quic reuseport; listen 443 ssl http2; # certificate path ssl_certificate cert.crt; ssl_certificate_key cert.key; # TLSv1.3 must be enabled to support quic ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Alt-Svc response header add_header alt-svc ‘h3-27=”:443″; ma=86400,h3-29=”:443″; ma=86400’; } } |
Save and restart Nginx, the website should support HTTP/3, you can test it according to the test method below.
Let’s share the method of compiling official Nginx-quic:
Compile the official Nginx-quic
First release the official website of nginx-quic:
https://hg.nginx.org/nginx-quic
Because the official use is also the BoringSSL library, you can borrow the BoringSSL in the quiche plugin above. The compilation environment can refer to the above, mainly cmake, go runtime library, and rust.
download nginx-quic
Download and unzip nginx-quic
wget -c https://hg.nginx.org/nginx-quic/archive/tip.tar.gz -O - | tar -xz
Download the BoringSSL library
| 1 2 3 4 5 6 | git clone https://boringssl.googlesource.com/boringssl cd boringssl/ mkdir build cd build/ cmake .. make |
If you downloaded the quiche plugin above, this step is actually unnecessary. You can borrow the BoringSSL library in quiche for the following compilation.
Compile nginx-quic
| 1 2 3 4 5 6 7 8 9 10 11 12 | cd nginx-quic # Compile nginx with plug-ins, the path and plug-ins in this step are best to use the old nginx for seamless upgrade, the old version of nginx should be stopped before compiling # nginx -V View the old nginx path and plug-ins, copy the content, and then add the following boringssl to compile # boringsslThe library path is the same as the one in the quiche folder above. If BoringSSL is downloaded separately, just modify the path. ./auto/configure –with-debug –with-http_v3_module –with-cc-opt=”-I../quiche/deps/boringssl/include” –with-ld-opt=”-L.. /quiche/deps/boringssl/build/ssl -L../quiche/deps/boringssl/build/crypto” # The following is the complete compilation path, including quic and geoip plug-ins, etc. http/3 only needs to use the above # ./auto/configure –prefix=/etc/nginx –sbin-path=/usr/sbin/nginx –modules-path=/usr/lib/nginx/modules –conf-path=/etc/nginx /nginx.conf –error-log-path=/var/log/nginx/error.log –http-log-path=/var/log/nginx/access.log –pid-path=/var/run /nginx.pid –lock-path=/var/run/nginx.lock –http-client-body-temp-path=/var/cache/nginx/client_temp –http-proxy-temp-path=/var /cache/nginx/proxy_temp –http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp –http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp –http-scgi-temp- path=/var/cache/nginx/scgi_temp –user=nginx –group=nginx –with-compat –with-file-aio –with-threads –with-http_addition_module –with-http_dav_module –with -http_flv_module –with-http_gunzip_module –with-http_gzip_static_module –with-http_random_index_module –with-http_realip_module –with-http_secure_link_module –with-http_slice_module –with-http_sub_module –with-mail –with-mail_ssl_module –with -stream_realip_module –with-stream_ssl_module –with-stream_ssl_prerea d_module –with-pcre –with-stream –user=timo –with-http_mp4_module –with-http_auth_request_module –with-http_stub_status_module –with-http_ssl_module –with-http_v2_module –with-debug –with- http_v3_module –with-cc-opt=”-I../boringssl/include” –with-ld-opt=”-L../boringssl/build/ssl -L../boringssl/build/crypto” – -add-dynamic-module=/root/ngx_http_geoip2_module make # The last step make install is to put the file into the specified path, it is not necessary to execute make install |
nginx-quic configure nginx.conf
vi /etc/nginx/nginx.conf
Mainly write http3 support under port 443, and atl-svc response header
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | events { worker_connections 1024; } http { # http3 logging log_format quic ‘$remote_addr – $remote_user [$time_local] ‘ ‘”$request” $status $body_bytes_sent ‘ ‘”$http_referer” “$http_user_agent” “$quic” “$http3″‘; error_log /var/log/nginx/error.log crit; access_log /var/log/nginx/access.log quic; server { # Open http3, note that this step is different from the above, the above is quic listen 443 http3 reuseport; listen 443 ssl http2; #certificate path ssl_certificate cert.crt; ssl_certificate_key cert.key; #To support quic, TLSv1.3 must be enabled ssl_protocols TLSv1.2 TLSv1.3; #Alt-Svc response header, note that this response header is also different from the above add_header alt-svc ‘h3=”:443″‘; add_header QUIC-Status $quic; } } |
After starting nginx, the website should support http3. You can test it according to the following method.
Test HTTP/3 support
uDP port test
QUIC-HTTP/3 is based on the UDP protocol, so it needs to open the UDP 443 port of the server. Generally, the server is open by default. Can you check whether your own UDP 443 port is open? The server checks the 443 port command:
netstat -anp | grep "443"
If udp 443 port is not open to nginx, you can use iptables to open port 443:
| 1 2 3 4 5 | iptables –I INPUT –p udp –dport 443 -j ACCEPT service iptables save service iptables restart |
Alternatively, on your local computer, execute the following command:
nc -v -u 1.2.3.4 443
Among them, 1.2.3.4 is the IP address of your server. If you receive an echo like the following, it means that the UDP 443 port entering the server is open.
Connection to 1.2.3.4 443 port [udp/*] succeeded!
Then, test the UDP 443 port of the outgoing server. Execute the following command on the server:
nc -v -u google.com 443
If you receive an echo similar to the following, the setting is successful.
Connection to google.com 443 port [udp/*] succeeded!
website test
Currently, there are two websites we can use to test our website for QUIC-HTTP/3 support.
The two sites are:
Enter your own domain name to test whether the website supports http/3
Browser opens http3
Firefox opens http3
First enter in the Firefox address bar: about:config
Then search for http3, find network.http.http3.enabled change false to true, Restart and you’re done.
Chrome canary open http3
Note that http3 is only supported in canary chrome , enter chrome://flags/
Search for quic, find Experimental QUIC protocol, change Default to Enabled, restart the browser.
Then, in the shortcut of Chrome canary, right click, properties, and add --enable-quic --quic-version=h3-29 at the end of the target bar.
Finally, when browsing a website that supports http3, press the f12 key to view the network, the protocol is displayed as HTTP/3 or h3-29.
Note: HTTP/3 mentioned in this article refers to IETF QUIC, not Google QUIC. These two are completely different branches at this stage. The quiche patch of Cloudflare mentioned in the article only supports IETF QUIC and does not yet support Google QUIC, so IETF QUIC is not well supported in Google Chrome browser, and you need to specify a startup item. Of course, its own Google QUIC supports it very much. it is good. The latest version of Firefox directly follows HTTP3 of IETF QUIC and supports it very well.
reference: