nginx quic (http3) support

Anatolii Zimovskii 2021-10-29 15:28:15 +03:00
parent 675168bade
commit cb4ae2603c
Signed by: stam
GPG Key ID: AA3A575AB99E8469
14 changed files with 794 additions and 2 deletions

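--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "linux/advanced/redash/redash-repo"]
+path = linux/advanced/redash/redash-repo
+url = git@github.com:getredash/redash.git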
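Review bot: The new `.gitmodules` entry registers a redash submodule under `linux/advanced/redash/redash-repo` with an SSH URL, `git@github.com:getredash/redash.git`, so any `git clone --recurse-submodules` or CI checkout of this repository now needs GitHub SSH credentials even for read-only access; use `url = https://github.com/getredash/redash.git` unless push access through the submodule is intended. The entry also has no visible relation to the nginx quic change named in the commit title, so it likely belongs in a separate commit.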


@ -9,6 +9,9 @@ ENV BuildDocker true
ARG BUILDS_DIR=/builds
ARG SRC_DIR=${BUILDS_DIR}/src
ARG EXPORT_DIR=${BUILDS_DIR}/export
ARG NINJA_ARCH=linux
ARG NINJA_VERSION=latest
ARG NINJA_RELEASE_URL=https://api.github.com/repos/ninja-build/ninja/releases/${NINJA_VERSION}
##################################################################
# Files and folders
@ -30,6 +33,9 @@ RUN apt-get update && \
build-essential \
autoconf-archive \
gnu-standards \
cmake \
libunwind-dev \
golang \
at \
autopkgtest \
gcc-multilib \
@ -40,6 +46,7 @@ RUN apt-get update && \
libegl1-mesa-dev \
libgles2-mesa-dev \
libgbm-dev \
uuid-dev \
nvidia-cg-toolkit \
nvidia-cg-dev \
libavcodec-dev \
@ -47,7 +54,6 @@ RUN apt-get update && \
libsdl-image1.2-dev \
libxml2-dev yasm \
devscripts \
autoconf \
automake \
libtool \
autotools-dev \
@ -84,6 +90,15 @@ RUN apt-get update && \
libvpx6 \
tcl
##################################################################
# Get NINJA binary
##################################################################
RUN curl -s ${NINJA_RELEASE_URL} | jq -r ".assets[] | select(.name | test(\"${NINJA_ARCH}\")) | .browser_download_url" > /tmp/ninja-url.txt && \
cat /tmp/ninja-url.txt && \
cd /tmp && \
wget -q -c --input-file=/tmp/ninja-url.txt && \
unzip -o /tmp/ninja-linux.zip -d /bin && \
printf "\n--------------------------------\nninja version: $(ninja --version)\n--------------------------------\n\n"
##################################################################
# other customisations
@ -97,4 +112,5 @@ RUN apt purge policykit-1 -y && \
apt clean -y && \
apt autoclean -y && \
rm -rfv /var/lib/apt/lists/* && \
rm -rfv /var/cache/apt/archives/*.deb
rm -rfv /var/cache/apt/archives/*.deb && \
rm -rfv /tmp/*
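Review bot: The ninja download in the `RUN curl -s ${NINJA_RELEASE_URL} | jq ...` step fetches whatever GitHub currently lists under `latest` (`ARG NINJA_VERSION=latest`) and unzips it straight into `/bin` with no checksum or signature check, so the build is neither reproducible nor protected against a swapped release asset. Without `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` a failed `curl` also leaves an empty url file that `wget --input-file` accepts silently, and `unzip -o /tmp/ninja-linux.zip` hard-codes a file name that the `NINJA_ARCH` selection no longer guarantees. Pin the release (the releases API accepts `tags/vX.Y.Z` in place of `latest`) and verify the archive before extracting, e.g. `echo "<sha256 from the release page>  /tmp/ninja-linux.zip" | sha256sum -c -`. The apt-get instruction touched by the earlier hunks starts outside the visible hunks.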


@ -3,3 +3,4 @@ all: app
app:
docker-compose build --compress
docker-compose push


@ -0,0 +1,2 @@
NGINX_VERSION=quic
NGINX_DOWNLOAD_URL=https://github.com/VKCOM/nginx-quic/archive/refs/heads/master.tar.gz
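Review bot: `NGINX_DOWNLOAD_URL` points at the moving `refs/heads/master.tar.gz` of a third-party fork rather than a tagged release or commit archive, so anything consuming it is unpinned and cannot be checksum-verified. In this commit the only reference to it in the main Dockerfile is the commented-out `wget -qO - ${NGINX_DOWNLOAD_URL}` line, while the build actually clones `hg.nginx.org/nginx-quic`, so the variable appears to be dead configuration; either drop it or point it at a pinned archive and verify a checksum where it is consumed.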


@ -0,0 +1,26 @@
FROM nginx AS build
WORKDIR /src
RUN apt-get update && \
apt-get install -y git gcc make g++ cmake perl libunwind-dev golang && \
git clone https://boringssl.googlesource.com/boringssl && \
mkdir boringssl/build && \
cd boringssl/build && \
cmake .. && \
make
RUN apt-get install -y mercurial libperl-dev libpcre3-dev zlib1g-dev libxslt1-dev libgd-ocaml-dev libgeoip-dev && \
hg clone https://hg.nginx.org/nginx-quic && \
hg clone http://hg.nginx.org/njs && \
cd nginx-quic && \
hg update quic && \
auto/configure `nginx -V 2>&1 | sed "s/ \-\-/ \\\ \n\t--/g" | grep "\-\-" | grep -ve opt= -e param= -e build=` \
--build=nginx-quic --with-debug \
--with-http_v3_module --with-http_quic_module --with-stream_quic_module \
--with-cc-opt="-I/src/boringssl/include" --with-ld-opt="-L/src/boringssl/build/ssl -L/src/boringssl/build/crypto" && \
make
FROM nginx
COPY --from=build /src/nginx-quic/objs/nginx /usr/sbin
RUN /usr/sbin/nginx -V > /dev/stderr
EXPOSE 80 443
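Review bot: Both stages use the untagged `FROM nginx`, so the image floats to `:latest`, and because the build stage derives its configure flags from `nginx -V` of that base, a base-image update silently changes which modules and paths the QUIC binary is built with; pin a tag (ideally a digest) in both `FROM` lines. `hg clone http://hg.nginx.org/njs` fetches source over cleartext HTTP while the sibling `hg clone https://hg.nginx.org/nginx-quic` uses TLS — change it to `hg clone https://hg.nginx.org/njs`; the same cleartext clone recurs in the larger Dockerfile of this commit. The boringssl and nginx-quic checkouts are also unpinned (`git clone` at master, `hg update quic` at branch tip), so two builds of this file can yield different binaries; record a commit or changeset to check out.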


@ -0,0 +1,325 @@
##################################################################
# Set Global ARG to build process
##################################################################
ARG NGINX_VERSION
##################################################################
# Start build process
##################################################################
FROM epicmorg/devel AS builder
LABEL maintainer="EpicMorg DevTeam, developer@epicm.org"
ARG DEBIAN_FRONTEND=noninteractive
##################################################################
# ARGuments
##################################################################
ENV BuildDocker true
ARG BUILDS_DIR=/builds
ARG SRC_DIR=${BUILDS_DIR}/src
ARG EXPORT_DIR=${BUILDS_DIR}/export
ARG PRE_DIR=${BUILDS_DIR}/pre
ARG BSSL_SRC_DIR=${SRC_DIR}/boringssl
ARG NGINX_SRC_DIR=${SRC_DIR}/nginx
ARG NGINX_VERSION
ARG NGINX_DOWNLOAD_URL
ARG LUAJIT_INC=/usr/local/include/luajit-2.1
ARG LUAJIT_LIB=/usr/local/lib
ARG DCMAKE_BUILD_TYPE=Release
##################################################################
# Files and folders
##################################################################
RUN mkdir -p ${PRE_DIR} ${NGINX_SRC_DIR} /usr/lib/nginx
ADD pre/luajit2-description-pak ${PRE_DIR}
ADD pre/nginx-description-pak ${PRE_DIR}
ADD pre/ip2location-description-pak ${PRE_DIR}
ADD pre/boringssl-build.sh ${SRC_DIR}
##################################################################
# IP2Location support for prod nginx module
##################################################################
RUN cd ${SRC_DIR} && \
git clone https://github.com/chrislim2888/IP2Location-C-Library.git ip2 && \
cp -fv ${PRE_DIR}/ip2location-description-pak ${SRC_DIR}/ip2/description-pak && \
cd ${SRC_DIR}/ip2 && \
ls -las && \
autoreconf -i -v --force && \
aclocal && \
automake --gnu --add-missing && \
autoconf && \
autoreconf -i -v --force && \
./configure && \
ls -las && \
make clean && \
make && \
make -C data convert && \
make check && \
ls -las && \
fakeroot checkinstall -D --pakdir=${EXPORT_DIR} --maintainer="EpicMorg, developer@epicm.org" --pkgname=ip2-custom --conflicts=ip2 --install=yes -y && \
ln -s /usr/local/lib/libIP2Location.so /usr/lib/libIP2Location.so && \
ln -s /usr/local/lib/libIP2Location.so.1 /usr/lib/libIP2Location.so.1 && \
ln -s /usr/local/lib/libIP2Location.so.2 /usr/lib/libIP2Location.so.2 && \
ln -s /usr/local/lib/libIP2Location.so /lib/libIP2Location.so && \
ln -s /usr/local/lib/libIP2Location.so.1 /lib/libIP2Location.so.1 && \
ln -s /usr/local/lib/libIP2Location.so.2 /lib/libIP2Location.so.2 && \
ln -s /lib/x86_64-linux-gnu/libcrypto.so.1.1 /lib/x86_64-linux-gnu/libcrypto.so.1 && \
dpkg --force-all -i ${EXPORT_DIR}/*.deb
##################################################################
# luaJIT 2 support for prod nginx module
##################################################################
RUN cd ${SRC_DIR} && \
git clone https://github.com/openresty/luajit2.git luajit2 && \
cp -fv ${PRE_DIR}/luajit2-description-pak ${SRC_DIR}/luajit2/description-pak && \
cd ${SRC_DIR}/luajit2 && \
make && \
make install && \
fakeroot checkinstall -D --pakdir=${EXPORT_DIR} --maintainer="EpicMorg, developer@epicm.org" --pkgname=luajit2-custom --conflicts=luajit2 --install=no -y
##################################################################
# BotingSSL - google fork with quic
##################################################################
# compile from sources
RUN cd ${SRC_DIR} && \
./boringssl-build.sh
# git clone https://github.com/google/boringssl.git boringssl && \
# apt-get update && \
# apt-get install -y git gcc make g++ cmake perl libunwind-dev golang && \
# cd boringssl && \
# mkdir build && \
# cd build && \
# pwd && \
# cmake .. && \
# make
# cmake -GNinja .. && \
# ninja
# cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0 -GNinja .. && \
# ninja
# cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=0 .. && \
# make
# Make an .openssl directory for nginx and then symlink BoringSSL's include directory tree
#RUN mkdir -p ${BSSL_SRC_DIR}/.openssl/lib && \
# ln -sf ${BSSL_SRC_DIR}/include ${BSSL_SRC_DIR}/.openssl/include
# Copy the BoringSSL crypto libraries to .openssl/lib so nginx can find them
#RUN cp -rfv ${BSSL_SRC_DIR}/build/crypto/libcrypto.a ${BSSL_SRC_DIR}/.openssl/lib && \
# cp -rfv ${BSSL_SRC_DIR}/build/ssl/libssl.a ${BSSL_SRC_DIR}/.openssl/lib
# Fix "Error 127" during build
#RUN touch ${BSSL_SRC_DIR}/include/openssl/ssl.h
#RUN touch ${BSSL_SRC_DIR}/.openssl/include/openssl/ssl.h
##################################################################
# quictls/openssl - community fork with quic
##################################################################
#RUN printf "\n--------------------------------\nPreinstlalled openssl version is: $(openssl version)\n--------------------------------\n\n"
#RUN cd ${SRC_DIR} && \
# git clone https://github.com/quictls/openssl.git openssl && \
# cd openssl && \
# pwd && \
# ./Configure
# && \
# make && \
# make test
# && \
# make install
#RUN printf "\n--------------------------------\nCurrent openssl version is: $(openssl version)\n--------------------------------\n\n"
#RUN openssl fipsinstall
#RUN openssl version
##################################################################
# nginx preparing
##################################################################
#RUN wget -qO - ${NGINX_DOWNLOAD_URL} | tar -zxv --strip-components=1 -C ${NGINX_SRC_DIR} && \
RUN cd ${SRC_DIR} && \
hg clone https://hg.nginx.org/nginx-quic nginx && \
cd ${NGINX_SRC_DIR} && \
hg update quic && \
hg clone http://hg.nginx.org/njs && \
git clone https://github.com/openresty/headers-more-nginx-module.git http-headers-more-filter && \
git clone https://github.com/sto/ngx_http_auth_pam_module.git http-auth-pam && \
git clone https://github.com/arut/nginx-dav-ext-module.git http-dav-ext && \
git clone https://github.com/openresty/echo-nginx-module.git http-echo && \
git clone https://github.com/aperezdc/ngx-fancyindex.git http-fancyindex && \
git clone https://github.com/slact/nchan.git nchan && \
git clone https://github.com/masterzen/nginx-upload-progress-module.git http-uploadprogress && \
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module http-subs-filter && \
git clone https://github.com/grahamedgecombe/nginx-ct.git ssl-ct && \
git clone https://github.com/stnoonan/spnego-http-auth-nginx-module.git spnego-http-auth-nginx-module && \
git clone https://github.com/leev/ngx_http_geoip2_module http-geoip2 && \
git clone https://github.com/flavioribeiro/nginx-audio-track-for-hls-module.git nginx-audio-track-for-hls-module && \
git clone https://github.com/chrislim2888/ip2location-nginx.git ip2location-nginx && \
git clone https://github.com/kaltura/nginx-vod-module.git nginx-vod-module && \
git clone https://github.com/vozlt/nginx-module-vts.git nginx-module-vts && \
git clone https://github.com/evanmiller/mod_zip.git mod-zip && \
git clone https://github.com/alibaba/nginx-http-user-agent.git nginx-http-user-agent && \
git clone https://github.com/youzee/nginx-unzip-module.git nginx-unzip-module && \
git clone https://github.com/vladbondarenko/ngx_webp.git ngx-webp && \
git clone https://github.com/openresty/xss-nginx-module.git xss-nginx-module && \
git clone https://github.com/openresty/set-misc-nginx-module.git set-misc-nginx-module && \
git clone https://github.com/arut/nginx-rtmp-module.git rtmp && \
git clone https://github.com/kvspb/nginx-auth-ldap.git http-auth-ldap && \
git clone https://github.com/simplresty/ngx_devel_kit.git http-ndk && \
git clone https://github.com/chrislim2888/IP2Location-C-Library.git ip2location-c-7.0.0 && \
git clone https://github.com/itoffshore/nginx-upstream-fair.git http-upstream-fair && \
git clone https://github.com/yaoweibin/nginx_upstream_check_module.git nginx-upstream-check-module && \
git clone https://github.com/openresty/lua-nginx-module http-lua
##################################################################
# nginx compilling
##################################################################
RUN cd ${NGINX_SRC_DIR} && \
./auto/configure `nginx -V 2>&1 | sed "s/ \-\-/ \\\ \n\t--/g" | grep "\-\-" | grep -ve opt= -e param= -e build=` \
--build=nginx-quic \
--add-module=./njs/nginx \
--with-openssl=/builds/src/boringssl \
--with-http_v3_module \
--with-http_quic_module \
--with-stream_quic_module \
--sbin-path=/usr/sbin/nginx \
--prefix=/usr/share/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
# --with-cc-opt='-I/usr/local/include/luajit-2.1 -I/builds/src/nginx/boringssl/include -g -O2 -lz -fstack-protector-strong -Wformat -Wno-error=date-time -Wno-error=implicit-fallthrough= -Wno-error=cast-function-type -Wno-error=format-security -Wno-error=implicit-function-declaration -Wno-error=deprecated-declarations -Wno-error=unused-result -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
# --with-ld-opt='-Wl,-z,relro -Wl,-z,now -lz -fPIC -L/usr/local/lib -L /builds/src/nginx/boringssl/build/ssl -L/builds/src/nginx/boringssl/build/crypto' \
--with-cc-opt='-I/usr/local/include/luajit-2.1 -I/builds/src/boringssl/include -g -O2 -lz -fstack-protector-strong -Wformat -Wno-error=date-time -Wno-error=implicit-fallthrough= -Wno-error=cast-function-type -Wno-error=format-security -Wno-error=implicit-function-declaration -Wno-error=deprecated-declarations -Wno-error=unused-result -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -lz -fPIC -L/builds/src/boringssl/build/ssl -L/builds/src/boringssl/build/crypto' \
--with-file-aio \
--with-compat \
--with-debug \
--with-threads \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_slice_module \
--with-http_addition_module \
--with-http_flv_module \
--with-http_geoip_module=dynamic \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_image_filter_module=dynamic \
--with-http_mp4_module \
--with-http_perl_module=dynamic \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_sub_module \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-stream=dynamic \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--add-dynamic-module=http-headers-more-filter \
--add-dynamic-module=http-auth-pam \
--add-dynamic-module=http-dav-ext \
--add-dynamic-module=http-ndk \
--add-dynamic-module=http-echo \
--add-dynamic-module=http-fancyindex \
--add-dynamic-module=nchan \
--add-dynamic-module=http-uploadprogress \
--add-dynamic-module=http-subs-filter \
--add-dynamic-module=ssl-ct \
--add-dynamic-module=http-geoip2 \
--add-dynamic-module=spnego-http-auth-nginx-module \
--add-dynamic-module=http-auth-ldap \
# --add-dynamic-module=nginx-audio-track-for-hls-module \
--add-dynamic-module=ip2location-nginx \
--add-dynamic-module=nginx-vod-module \
# --add-dynamic-module=nginx-module-vts \
--add-dynamic-module=mod-zip \
--add-dynamic-module=nginx-http-user-agent \
--add-dynamic-module=nginx-unzip-module \
--add-dynamic-module=ngx-webp \
--add-dynamic-module=set-misc-nginx-module \
--add-dynamic-module=rtmp \
--add-dynamic-module=http-upstream-fair \
--add-dynamic-module=nginx-upstream-check-module \
--add-dynamic-module=http-lua && \
cp -fv ${PRE_DIR}/nginx-description-pak ${NGINX_SRC_DIR}/description-pak && \
# dpkg-buildpackage -b && \
make && \
# fakeroot checkinstall -D --pakdir=/builds/export --maintainer="EpicMorg, developer@epicm.org" --pkgname=nginx-custom --install=no -y && \
apt clean -y && \
apt autoclean -y && \
rm -rfv /var/lib/apt/lists/* && \
rm -rfv /var/cache/apt/archives/*.deb && \
rm -rfv /tmp/*
##################################################################
##################################################################
##################################################################
FROM epicmorg/edge
LABEL maintainer="EpicMorg DevTeam, developer@epicm.org"
ARG DEBIAN_FRONTEND=noninteractive
##################################################################
# LDAP Fix
##################################################################
RUN echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf
##################################################################
# Installing nginx from deb
##################################################################
ADD pre/ngninx.pre.tar.gz /
COPY --from=builder /builds/export /tmp/deb
RUN apt-get update && \
apt-get install -y --allow-unauthenticated \
geoip-database \
geoip-bin \
libgeoip1 \
libmaxminddb0 \
libgd3 \
libxslt1.1 && \
dpkg --force-all -i /tmp/deb/*.deb && \
ln -s /usr/local/lib/libIP2Location.so /usr/lib/libIP2Location.so && \
ln -s /usr/local/lib/libIP2Location.so.1 /usr/lib/libIP2Location.so.1 && \
ln -s /usr/local/lib/libIP2Location.so.2 /usr/lib/libIP2Location.so.2 && \
ln -s /usr/local/lib/libIP2Location.so.3 /usr/lib/libIP2Location.so.3 && \
ln -s /usr/local/lib/libIP2Location.so.4 /usr/lib/libIP2Location.so.4 && \
ln -s /usr/local/lib/libIP2Location.so.5 /usr/lib/libIP2Location.so.5 && \
ln -s /usr/local/lib/libIP2Location.so /lib/libIP2Location.so && \
ln -s /usr/local/lib/libIP2Location.so.1 /lib/libIP2Location.so.1 && \
ln -s /usr/local/lib/libIP2Location.so.2 /lib/libIP2Location.so.2 && \
ln -s /usr/local/lib/libIP2Location.so.3 /lib/libIP2Location.so.3 && \
ln -s /usr/local/lib/libIP2Location.so.4 /lib/libIP2Location.so.4 && \
ln -s /usr/local/lib/libIP2Location.so.5 /lib/libIP2Location.so.5 && \
ln -sf /dev/stdout /var/log/nginx/access.log && \
ln -sf /dev/stderr /var/log/nginx/error.log && \
ln -sf /etc/ssl/dhparam.pem /etc/nginx/dhparam.pem && \
apt clean -y && \
apt autoclean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/archives/*.deb && \
rm -rf /tmp/deb/* && \
rm -rf /builds/* && \
rm -rf /valve/* && \
rm -rfv /tmp/*
#Final config
VOLUME ["/var/cache/nginx"]
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
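Review bot: The builder stage compiles nginx-quic (`make` in the "nginx compilling" step) but nothing exports the result: the nginx `checkinstall` line is commented out, `make install` is never run, and the final stage only does `COPY --from=builder /builds/export /tmp/deb`, which as far as this file shows holds just the ip2location and luajit2 packages. Unless `epicmorg/edge` already ships an nginx, `CMD ["nginx", "-g", "daemon off;"]` has no binary to run, and even if it does it is not the QUIC build this commit is about; either re-enable the checkinstall line or add `COPY --from=builder /builds/src/nginx/objs/nginx /usr/sbin/nginx` together with a copy of the built `objs/*.so` modules into `/usr/lib/nginx/modules` (the configured `--modules-path`). Separately, `RUN echo "TLS_REQCERT never" >> /etc/ldap/ldap.conf` disables LDAP server certificate verification for the whole runtime image, which silently weakens the `http-auth-ldap` module built here; if a private CA is the reason, ship it via `TLS_CACERT` instead. The roughly thirty `git clone` calls in the "nginx preparing" step, `apt-get install --allow-unauthenticated` and `dpkg --force-all -i` all bypass provenance checks; pin each module to a commit and drop the two override flags unless a specific package needs them.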


@ -0,0 +1,5 @@
all: app
app:
docker-compose build --compress
docker-compose push


@ -0,0 +1,291 @@
# nginx quic
Experimental QUIC support for nginx
-----------------------------------
1. Introduction
2. Installing
3. Configuration
4. Clients
5. Troubleshooting
6. Contributing
7. Links
1. Introduction
This is an experimental QUIC [1] / HTTP/3 [2] support for nginx.
The code is developed in a separate "quic" branch available
at https://hg.nginx.org/nginx-quic. Currently it is based
on nginx mainline 1.21.x. We merge new nginx releases into
this branch regularly.
The project code base is under the same BSD license as nginx.
The code is currently at a beta level of quality and should not
be used in production.
We are working on improving HTTP/3 support with the goal of
integrating it to the main NGINX codebase. Expect frequent
updates of this code and don't rely on it for whatever purpose.
We'll be grateful for any feedback and code submissions however
we don't bear any responsibilities for any issues with this code.
You can always contact us via nginx-devel mailing list [3].
What works now:
Currently we support IETF-QUIC draft-29 through final RFC documents.
Earlier drafts are NOT supported as they have incompatible wire format.
nginx should be able to respond to HTTP/3 requests over QUIC and
it should be possible to upload and download big files without errors.
+ The handshake completes successfully
+ One endpoint can update keys and its peer responds correctly
+ 0-RTT data is being received and acted on
+ Connection is established using TLS Resume Ticket
+ A handshake that includes a Retry packet completes successfully
+ Stream data is being exchanged and ACK'ed
+ An H3 transaction succeeded
+ One or both endpoints insert entries into dynamic table and
subsequently reference them from header blocks
+ Version Negotiation packet is sent to client with unknown version
+ Lost packets are detected and retransmitted properly
+ Clients may migrate to new address
Not (yet) supported features:
- Explicit Congestion Notification (ECN) as specified in quic-recovery [5]
- A connection with the spin bit succeeds and the bit is spinning
- Structured Logging
Since the code is experimental and still under development,
a lot of things may not work as expected, for example:
- Flow control mechanism is basic and intended to avoid CPU hog and make
simple interactions possible
- Not all protocol requirements are strictly followed; some of checks are
omitted for the sake of simplicity of initial implementation
2. Installing
You will need a BoringSSL [4] library that provides QUIC support
$ hg clone -b quic https://hg.nginx.org/nginx-quic
$ cd nginx-quic
$ ./auto/configure --with-debug --with-http_v3_module \
--with-cc-opt="-I../boringssl/include" \
--with-ld-opt="-L../boringssl/build/ssl \
-L../boringssl/build/crypto"
$ make
When configuring nginx, you can enable QUIC and HTTP/3 using the
following new configuration options:
--with-http_v3_module - enable QUIC and HTTP/3
--with-http_quic_module - enable QUIC for older HTTP versions
--with-stream_quic_module - enable QUIC in Stream
3. Configuration
The HTTP "listen" directive got two new options: "http3" and "quic".
The "http3" option enables HTTP/3 over QUIC on the specified port.
The "quic" option enables QUIC for older HTTP versions on this port.
The Stream "listen" directive got a new option "quic" which enables
QUIC as client transport protocol instead of TCP or plain UDP.
Along with "http3" or "quic", you also have to specify "reuseport"
option [6] to make it work properly with multiple workers.
A number of directives were added that specify transport parameter values:
quic_max_idle_timeout
quic_max_ack_delay
quic_max_udp_payload_size
quic_initial_max_data
quic_initial_max_stream_data_bidi_local
quic_initial_max_stream_data_bidi_remote
quic_initial_max_stream_data_uni
quic_initial_max_streams_bidi
quic_initial_max_streams_uni
quic_ack_delay_exponent
quic_disable_active_migration
quic_active_connection_id_limit
To enable address validation:
quic_retry on;
To enable 0-RTT:
ssl_early_data on;
Make sure that TLS 1.3 is configured which is required for QUIC:
ssl_protocols TLSv1.3;
To enable GSO (Generic Segmentation Offloading):
quic_gso on;
By default this Linux-specific optimization [8] is disabled.
Enable if your network interface is configured to support GSO.
A number of directives were added that configure HTTP/3:
http3_max_table_capacity
http3_max_blocked_streams
http3_max_concurrent_pushes
http3_push
http3_push_preload
An additional variable is available: $quic.
The value of $quic is "quic" if QUIC connection is used,
or an empty string otherwise.
Example configuration:
http {
log_format quic '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$quic"';
access_log logs/access.log quic;
server {
# for better compatibility it's recommended
# to use the same port for quic and https
listen 8443 http3 reuseport;
listen 8443 ssl;
ssl_certificate certs/example.com.crt;
ssl_certificate_key certs/example.com.key;
ssl_protocols TLSv1.3;
location / {
# required for browsers to direct them into quic port
add_header Alt-Svc 'h3=":8443"; ma=86400';
}
}
}
4. Clients
* Browsers
Known to work: Firefox 80+ and Chrome 85+ (QUIC draft 29+)
Beware of strange issues: sometimes browser may decide to ignore QUIC
Cache clearing/restart might help. Always check access.log and
error.log to make sure you are using HTTP/3 and not TCP https.
+ to enable QUIC in Firefox, set the following in 'about:config':
network.http.http3.enabled = true
+ to enable QUIC in Chrome, enable it on command line and force it
on your site:
$ ./chrome --enable-quic --quic-version=h3-29 \
--origin-to-force-quic-on=example.com:8443
* Console clients
Known to work: ngtcp2, firefox's neqo and chromium's console clients:
$ examples/client 127.0.0.1 8443 https://example.com:8443/index.html
$ ./neqo-client https://127.0.0.1:8443/
$ chromium-build/out/my_build/quic_client http://example.com:8443 \
--quic_version=h3-29 \
--allow_unknown_root_cert \
--disable_certificate_verification
If you've got it right, in the access log you should see something like:
127.0.0.1 - - [24/Apr/2020:11:27:29 +0300] "GET / HTTP/3" 200 805 "-"
"nghttp3/ngtcp2 client" "quic"
5. Troubleshooting
Here are some tips that may help you to identify problems:
+ Ensure you are building with proper SSL library that supports QUIC
+ Ensure you are using the proper SSL library in runtime
(`nginx -V` will show you what you are using)
+ Ensure your client is actually sending QUIC requests
(see "Clients" section about browsers and cache)
We recommend to start with simple console client like ngtcp2
to ensure you've got server configured properly before trying
with real browsers that may be very picky with certificates,
for example.
+ Build nginx with debug support [7] and check your debug log.
It should contain all details about connection and why it
failed. All related messages contain "quic " prefix and can
be easily filtered out.
+ If you want to investigate deeper, you may want to enable
additional debugging in src/event/quic/ngx_event_quic_connection.h:
#define NGX_QUIC_DEBUG_PACKETS
#define NGX_QUIC_DEBUG_FRAMES
#define NGX_QUIC_DEBUG_ALLOC
#define NGX_QUIC_DEBUG_CRYPTO
6. Contributing
If you are willing to contribute, please refer to
http://nginx.org/en/docs/contributing_changes.html
7. Links
[1] https://datatracker.ietf.org/doc/html/rfc9000
[2] https://datatracker.ietf.org/doc/html/draft-ietf-quic-http
[3] https://mailman.nginx.org/mailman/listinfo/nginx-devel
[4] https://boringssl.googlesource.com/boringssl/
[5] https://datatracker.ietf.org/doc/html/rfc9002
[6] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[7] https://nginx.org/en/docs/debugging_log.html
[8] http://vger.kernel.org/lpc_net2018_talks/willemdebruijn-lpc2018-udpgso-paper-DRAFT-1.pdf
# Compose example
```yml
version: '3.7'
services:
balancer:
image: epicmorg/balancer
restart: unless-stopped
ports:
- "0.0.0.0:80:80"
- "0.0.0.0:443:443"
volumes:
- /etc/localtime:/etc/localtime
- /etc/timezone:/etc/timezone
- /etc/letsencrypt:/etc/letsencrypt
- nginx:/etc/nginx
- nginx-usr:/usr/share/nginx/html
- /var/lib/nginx
# extra_hosts:
# - "example.com:192.168.0.11"
depends_on:
- websites
tmpfs:
- /tmp
volumes:
nginx:
external: true
nginx-usr:
external: true
```


@ -0,0 +1,9 @@
version: '3.9'
services:
app:
image: "epicmorg/nginx:${NGINX_VERSION}"
build:
context: .
args:
NGINX_VERSION: ${NGINX_VERSION}
NGINX_DOWNLOAD_URL: ${NGINX_DOWNLOAD_URL}


@ -0,0 +1,111 @@
#!/bin/sh
WORKDIRECTORY=$PWD
ARCH=$(uname -m)
if command -v git > /dev/null 2>&1; then
echo "Checking git: OK"
else
echo "Checking git: FAILED, please install git"
exit 1
fi
if command -v cmake > /dev/null 2>&1; then
echo "Checking cmake: OK"
else
echo "Checking cmake: FAILED, please install cmake"
exit 1
fi
if command -v curl > /dev/null 2>&1; then
echo "Checking curl: OK"
else
echo "Checking curl: FAILED, please install curl"
exit 1
fi
if [ -d $WORKDIRECTORY/go ]; then
PATH=$WORKDIRECTORY/go/bin:$PATH
GOROOT=$WORKDIRECTORY/go
if [ -z $GOROOT ];then
NO_GOROOT_SYSTEM=true
fi
else
if [ -z $GOROOT ];then
if [ "$ARCH" = "x86_64" ]; then
GOURL="https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-amd64.tar.gz"
fi
if [ "$ARCH" = "i386" ]; then
GOURL="https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-386.tar.gz"
fi
if [ "$ARCH" = "armv6l" ]; then
GOURL="https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-armv6l.tar.gz"
fi
if [ "$ARCH" = "armv7l" ]; then
GOURL="https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text).linux-armv6l.tar.gz"
fi
if [ "$ARCH" = "" ]; then
echo "Your architecture is not supported"
fi
echo "Downloading golang"
curl -so $WORKDIRECTORY/go.tar.gz $GOURL
tar -xzf $WORKDIRECTORY/go.tar.gz
rm -rf $WORKDIRECTORY/go.tar.gz
PATH=$WORKDIRECTORY/go/bin:$PATH
GOROOT=$WORKDIRECTORY/go
NO_GOROOT_SYSTEM=true
fi
fi
NETWORK_CHECK=$(curl -I -s --connect-timeout 5 https://github.com -w %{http_code} | tail -n1)
if [ -d $WORKDIRECTORY/boringssl ]; then
cd $WORKDIRECTORY/boringssl
git pull
git reset --hard origin/master
git am $WORKDIRECTORY/*.patch
rm -rf $WORKDIRECTORY/boringssl/build
rm -rf $WORKDIRECTORY/boringssl/build2
rm -rf $WORKDIRECTORY/boringssl/.openssl
else
if [ "$NETWORK_CHECK" = "200" ]; then
git clone --depth 1 https://github.com/google/boringssl.git $WORKDIRECTORY/boringssl
cd $WORKDIRECTORY/boringssl
git am $WORKDIRECTORY/*.patch
else
echo "Unable to connect to GitHub, please check your Internet availability"
exit 1
fi
fi
mkdir $WORKDIRECTORY/boringssl/build
cd $WORKDIRECTORY/boringssl/build
echo "Building Static libraries"
cmake .. -DCMAKE_BUILD_TYPE=Release
make -j`nproc`
mkdir $WORKDIRECTORY/boringssl/build2
cd $WORKDIRECTORY/boringssl/build2
echo "Building Shared objects"
cmake .. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1
make -j`nproc`
mkdir $WORKDIRECTORY/boringssl/.openssl
mkdir $WORKDIRECTORY/boringssl/.openssl/include
mkdir $WORKDIRECTORY/boringssl/.openssl/include/openssl
cd $WORKDIRECTORY/boringssl/.openssl/include/openssl
ln $WORKDIRECTORY/boringssl/include/openssl/* .
mkdir $WORKDIRECTORY/boringssl/.openssl/lib
mkdir $WORKDIRECTORY/boringssl/lib
cp $WORKDIRECTORY/boringssl/build/crypto/libcrypto.a $WORKDIRECTORY/boringssl/.openssl/lib/libcrypto.a
cp $WORKDIRECTORY/boringssl/build/ssl/libssl.a $WORKDIRECTORY/boringssl/.openssl/lib/libssl.a
cp $WORKDIRECTORY/boringssl/build2/crypto/libcrypto.so $WORKDIRECTORY/boringssl/.openssl/lib/libcrypto.so
cp $WORKDIRECTORY/boringssl/build2/ssl/libssl.so $WORKDIRECTORY/boringssl/.openssl/lib/libssl.so
echo "If you want to compile nginx"
echo "git am nginx-boringssl/*.patch in nginx source directory"
echo "and"
echo "Configure nginx with \"--with-openssl=$WORKDIRECTORY/boringssl\". Use nginx version >= 1.15 for best result."
echo ""
#if [ "$NO_GOROOT_SYSTEM" = "true" ]; then
#echo "Runing"
#echo "export PATH=$WORKDIRECTORY/go/bin:\$PATH"
#echo "export GOROOT=$WORKDIRECTORY/go"
#echo "If you want to compile nginx"
#fi
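Review bot: The script has no `set -e`, so a failing step — `git am $WORKDIRECTORY/*.patch` when no `*.patch` files exist (this commit only adds the script itself to `${SRC_DIR}`), a `cmake` or `make` error, or the `curl` download — is ignored and the Dockerfile's `RUN ./boringssl-build.sh` step still succeeds with missing or stale libraries; add `set -e` right after `#!/bin/sh` and guard the patch step, e.g. `ls "$WORKDIRECTORY"/*.patch >/dev/null 2>&1 && git am "$WORKDIRECTORY"/*.patch`. The Go toolchain path downloads `https://dl.google.com/go/$(curl https://golang.org/VERSION?m=text)...` and extracts it with no checksum check, and BoringSSL is a `--depth 1` clone of master, so the resulting libssl/libcrypto are not reproducible; pin a Go version with its published sha256 and a BoringSSL commit. The `if [ -z $GOROOT ]` test in the first branch runs right after `GOROOT=$WORKDIRECTORY/go` is assigned, so it can never be true and `NO_GOROOT_SYSTEM` is never set there; the unquoted `$WORKDIRECTORY` expansions will also break on paths containing spaces.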


@ -0,0 +1 @@
Custom build of ip2location lib by EpicMorg.


@ -0,0 +1 @@
Custom build of luajit2 for Nginx module, by EpicMorg.


@ -0,0 +1 @@
Custom build of Nginx with some modules by EpicMorg.