From c8b70e47dead461346ae3cc7a831c939f5029ead Mon Sep 17 00:00:00 2001 From: drawing Date: Mon, 24 Jul 2023 21:27:13 +0800 Subject: [PATCH 1/2] README:add xquic document --- modules/ngx_http_xquic_module/README.md | 90 +++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/modules/ngx_http_xquic_module/README.md b/modules/ngx_http_xquic_module/README.md index 2b9355a183..590d0fe5a5 100644 --- a/modules/ngx_http_xquic_module/README.md +++ b/modules/ngx_http_xquic_module/README.md @@ -97,3 +97,93 @@ http { ``` 更为详细的指令可参考官网文档 [XQUIC模块](http://tengine.taobao.org/document_cn/xquic_cn.html) + +# 浏览器使用 HTTP3 + +浏览器默认不会使用 `HTTP3` 请求,需要服务端响应包头 `Alt-Svc` 进行升级说明,浏览器通过响应包头感知到服务端是支持 `HTTP3` 的,下次请求会尝试使用 `HTTP3`。 + +```nginx +worker_processes 1; + +events { + worker_connections 1024; +} + +xquic_log "pipe:rollback /usr/local/tengine/logs/tengine-xquic.log baknum=10 maxsize=1G interval=1d adjust=600" info; + +http { + xquic_ssl_certificate /usr/local/tengine/ssl/default-fake-certificate.pem; + xquic_ssl_certificate_key /usr/local/tengine/ssl/default-fake-certificate.pem; + + server { + listen 2443 xquic reuseport; + + location / { + } + } + + server { + listen 80 default_server reuseport backlog=4096; + listen 443 default_server reuseport backlog=4096 ssl http2; + listen 443 default_server reuseport backlog=4096 xquic; + + add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always; + + ssl_certificate /etc/ingress-controller/ssl/s1.crt; + ssl_certificate_key /etc/ingress-controller/ssl/s1.key; + } + + server { + listen 80; + listen 443 ssl http2; + listen 443 xquic; + + add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always; + + ssl_certificate /etc/ingress-controller/ssl/s2.crt; + ssl_certificate_key /etc/ingress-controller/ssl/s2.key; + } +} +``` + +通过以上配置,浏览器访问对应域名,第一次访问 `HTTP2`,下次访问会切换至 `HTTP3`。 + +**注意**: + +在生产环境中,处于安全性考虑,一般情况会以普通用户权限启动 `Tenigne`,而 `xquic` 功能在普通用户权限下,监听端口必须配置为 1024 以上,如监听 2443 端口,那对外的四层负载均衡需要做 443 到 2443 端口的映射,`Tenigne` `Server`段配置示例: + +```nginx + server { + listen 80 default_server reuseport backlog=4096; + listen 443 default_server reuseport backlog=4096 ssl http2; + listen 2443 default_server reuseport backlog=4096 xquic; + + add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always; + + ssl_certificate /etc/ingress-controller/ssl/s1.crt; + ssl_certificate_key /etc/ingress-controller/ssl/s1.key; + } +``` + +四层负载均衡配置示例: + +```yaml + type: LoadBalancer + ports: + - port: 80 + name: tengine-tcp-80 + protocol: TCP + targetPort: 80 + - port: 443 + name: tengine-tcp-443 + protocol: TCP + targetPort: 443 + - port: 443 + name: tengine-udp-443 + protocol: UDP + targetPort: 2443 + selector: + app: tengine +``` + +对用户来讲,还是通过 443 端口访问,通过四层负责均衡设备,转换为 `Tengine` 的 2443 端口。 From 62aa98bfba0d8f4ff699609fe238e121a910a866 Mon Sep 17 00:00:00 2001 From: drawing Date: Mon, 24 Jul 2023 21:32:10 +0800 Subject: [PATCH 2/2] README:xquic document add servername --- modules/ngx_http_xquic_module/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/ngx_http_xquic_module/README.md b/modules/ngx_http_xquic_module/README.md index 590d0fe5a5..3291fb89be 100644 --- a/modules/ngx_http_xquic_module/README.md +++ b/modules/ngx_http_xquic_module/README.md @@ -127,6 +127,8 @@ http { listen 443 default_server reuseport backlog=4096 ssl http2; listen 443 default_server reuseport backlog=4096 xquic; + server_name s1.test.com; + add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always; ssl_certificate /etc/ingress-controller/ssl/s1.crt; @@ -138,6 +140,8 @@ http { listen 443 ssl http2; listen 443 xquic; + server_name s2.test.com; + add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always; ssl_certificate /etc/ingress-controller/ssl/s2.crt;