下载源:
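# Fetch the pinned upstream sources into /data/src. The archives are later
# extracted there, and the extracted directory names must match the
# --with-pcre/--with-zlib/--with-openssl paths given to ./configure below,
# so the downloads happen inside that directory rather than in $PWD.
src_dir=/data/src
mkdir -p -- "$src_dir" || exit 1
cd -- "$src_dir" || exit 1

# NOTE: the quictls URL points at a branch head (refs/heads/...), not a tag,
# so what it returns can change between two runs of this recipe. Pin a tagged
# archive once one matching the configure path (openssl-openssl-3.1.5-quic)
# is chosen.
sources=(
  https://nginx.org/download/nginx-1.25.4.tar.gz
  https://github.com/quictls/openssl/archive/refs/heads/openssl-3.1.5+quic.zip
  https://www.zlib.net/zlib-1.3.1.tar.gz
  https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.43/pcre2-10.43.tar.gz
)
for url in "${sources[@]}"; do
  # --https-only refuses to follow a redirect that downgrades to plain http.
  wget --https-only -- "$url" || exit 1
done

# Verify the archives before anything is compiled and installed. Record the
# upstream-published SHA-256 values in a checksum file, one
# "<sha256>  <filename>" line per archive, and fail closed on any mismatch.
# SHA256SUMS_PLACEHOLDER is a placeholder for that operator-maintained file.
sha256sum -c -- SHA256SUMS_PLACEHOLDER || exit 1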
下载完后在 /data/src 下解压缩（解压后的目录名需与下面 ./configure 的 --with-pcre/--with-zlib/--with-openssl 路径一致）
ubuntu 安装依赖
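# Build dependencies (Ubuntu). Refresh the package index first so the install
# does not fail on stale package lists, and use apt-get, whose command-line
# interface is the stable one for scripts. libpcre3/libpcre3-dev are kept as
# listed although the build below compiles the bundled pcre2 tree instead
# (--with-pcre=/data/src/pcre2-10.43).
export DEBIAN_FRONTEND=noninteractive
apt-get update || exit 1
apt-get install -y \
  build-essential make gcc libjemalloc-dev libxml2-dev libgd-dev libgeoip-dev \
  libgoogle-perftools-dev libgeoip1 libpcre3 libpcre3-dev geoip-database libxslt-dev \
  || exit 1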
编译打包安装
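# Configure, build and install nginx. ./configure must be run from inside the
# extracted nginx source tree; the original recipe never changed into it.
# The --with-pcre/zlib/openssl options point at the sibling source trees
# extracted under /data/src, so nginx links them statically.
prefix=/data/server/nginx
src_dir=/data/src
mkdir -p -- "$prefix/temp" || exit 1
cd -- "$src_dir/nginx-1.25.4" || exit 1

configure_args=(
  --prefix="$prefix"
  --pid-path="$prefix/var/nginx.pid"
  --http-client-body-temp-path="$prefix/temp/client_body_temp"
  --http-proxy-temp-path="$prefix/temp/proxy_temp"
  --http-fastcgi-temp-path="$prefix/temp/fastcgi_temp"
  --http-uwsgi-temp-path="$prefix/temp/uwsgi_temp"
  --http-scgi-temp-path="$prefix/temp/scgi_temp"
  --with-poll_module
  --with-threads
  --with-file-aio
  --with-http_ssl_module
  --with-http_v2_module
  --with-http_v3_module
  --with-http_realip_module
  --with-http_addition_module
  # The original passed both --with-X_module and --with-X_module=dynamic for
  # xslt, image_filter, geoip, stream and stream_geoip. configure processes
  # options in order and the later =dynamic form is what took effect, so only
  # that form is kept.
  --with-http_xslt_module=dynamic
  --with-http_image_filter_module=dynamic
  --with-http_geoip_module=dynamic
  --with-http_sub_module
  --with-http_dav_module
  --with-http_flv_module
  --with-http_mp4_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_auth_request_module
  --with-http_random_index_module
  --with-http_secure_link_module
  --with-http_degradation_module
  --with-http_slice_module
  --with-http_stub_status_module
  --with-mail=dynamic
  --with-mail_ssl_module
  --with-stream=dynamic
  --with-stream_ssl_module
  --with-stream_realip_module
  --with-stream_geoip_module=dynamic
  --with-stream_ssl_preread_module
  --with-pcre="$src_dir/pcre2-10.43"
  --with-zlib="$src_dir/zlib-1.3.1"
  --with-openssl="$src_dir/openssl-openssl-3.1.5-quic"
  # enable-tls1_3 is the OpenSSL 3.x default; kept so the intent is explicit.
  --with-openssl-opt=enable-tls1_3
  # Toolchain hardening for a network-facing binary: stack protector at
  # compile time, full RELRO (read-only GOT, eager binding) at link time.
  --with-cc-opt='-O2 -fstack-protector-strong'
  --with-ld-opt='-Wl,-z,relro,-z,now'
)
./configure "${configure_args[@]}" || exit 1
make -j"$(nproc)" || exit 1
make install || exit 1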
修改配置即可,示例:
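# Example vhost: plain HTTP on 80, TLS over TCP on 443 and QUIC/HTTP3 on UDP 443.
server {
    listen 80;
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name your.doamin.com;
    # Do not reveal the nginx version in the Server header and error pages.
    server_tokens off;
    http2 on;
    http3 on;

    # Advertise HTTP/3 to clients that arrived over TCP. This lives at server
    # level on purpose: nginx inherits add_header from the enclosing level only
    # when the current level defines no add_header of its own, so the original
    # placement inside `location /` silently dropped the Strict-Transport-Security,
    # X-Content-Type-Options and X-Xss-Protection headers that ssl.inc adds here.
    add_header Alt-Svc 'h3=":443"; ma=86400';

    include "/data/server/nginx-conf/ssl.inc";
    ssl_certificate "/data/server/nginx-conf/ssl/domain.crt";
    ssl_certificate_key "/data/server/nginx-conf/ssl/domain.key";

    # Optional HTTP -> HTTPS redirect, left disabled as in the original. If it
    # is wanted, a separate `server { listen 80; return 301 https://$host$request_uri; }`
    # block is the conventional form and avoids `if` in server context.
    #if ($scheme = http){
    # rewrite ^(.*)$ https://$host$1 permanent;
    #}

    location / {
        root "/data/server/nginx-conf/html";
        # Directory listings stay off; the two autoindex_* settings below only
        # matter if autoindex is ever switched on.
        autoindex off;
        autoindex_exact_size off;
        autoindex_localtime on;
        index index.html;
        # Serve the file, then the directory, then fall back to the SPA entry
        # point; 404 only if index.html itself is missing.
        try_files $uri $uri/ /index.html =404;
    }
}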
ssl.inc
# Shared TLS and response-header settings, included at server level by the vhost.
# Cipher preference is left to the client (directive is off). The original
# comment read "prefer the server's algorithms", which is the opposite of what
# this setting does; with the AEAD-only list below, client preference is fine.
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites only: ECDHE/DHE key exchange with AEAD ciphers (forward
# secrecy, no CBC). This matches the Mozilla "intermediate" list. TLS 1.3
# suites are not controlled by ssl_ciphers.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Two alternative lists kept for reference, disabled. The second one ends in
# DES-CBC3-SHA (3DES) and also carries static-RSA and CBC/SHA-1 suites; it
# should not be re-enabled on a public endpoint.
#ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256;
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
# Session cache: 10 MB shared across workers. The original note argued that a
# 1-minute timeout is enough and that long lifetimes enable cross-site
# tracking via session resumption (see link), yet the value set below is 5m,
# which is also the nginx default. Pick one deliberately so the comment and the
# directive agree.
# https://www.zdnet.com/article/advertisers-can-track-users-across-the-internet-via-tls-session-resumption/
# NOTE(review): ssl_session_tickets is not set here, so it stays at its default
# (on) with a key nginx generates itself; if resumption lifetime matters for
# the tracking concern above, tickets need the same consideration as the cache.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# HSTS for two years (63072000 s), extended to all subdomains and flagged for
# browser preload lists; `always` sends it on error responses too. Requires
# ngx_http_headers_module. preload + includeSubDomains is effectively a
# one-way commitment: every subdomain must serve HTTPS before this goes live.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP stapling is explicitly disabled.
ssl_stapling off;
ssl_stapling_verify off;
# Clickjacking mitigation, currently disabled. The modern replacement is
# Content-Security-Policy with frame-ancestors.
#add_header X-Frame-Options SAMEORIGIN;
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
add_header X-Content-Type-Options nosniff;
# Legacy XSS-filter toggle. Current browsers ignore this header and the filter
# it enabled has itself been a source of problems; OWASP now recommends the
# value 0 or omitting the header rather than 1.
add_header X-Xss-Protection 1;
# Reminder: any add_header placed inside a location block replaces, rather
# than extends, the server-level headers defined in this file.