NGINX 1.23.1 QUIC built with Brotli, TLS 1.3, OpenSSL 1.1.1q and http2 support for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.23.1 mainline has been added to the repository with support for Google's brotli compression, http2, ngx cache purge and the ngx http geoip2 module. OpenSSL is built dynamically, using OpenSSL+QUIC 1.1.1q.

TLS 1.3 final currently works in Google Chrome 70+ and Mozilla Firefox 63+.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-quic --save

RHEL 8 / Alma Linux 8 / Rocky Linux 8 / CentOS 8 / other EL8: the repository is now modular. To install, enable the corresponding stream:

dnf module enable -y nginx:codeit-quic

To enable TLS 1.3, specify:

ssl_protocols TLSv1.2 TLSv1.3;

Starting with version 1.21.6 we build OpenSSL+QUIC 1.1.1 separately; it is installed into /lib64 separately with the suffix .so.81.1.1 and does not affect the system libraries in any way.

19 comments on "NGINX 1.23.1 QUIC built with Brotli, TLS 1.3, OpenSSL 1.1.1q and http2 support for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9"

  1. Hello,
    the latest version of nginx-1.23.1-1.codeit.el7.x86_64 from CodeIT-testing is not recognizing http3 directive.
    ….. nginx: [emerg] invalid parameter "http3" in /etc/nginx/conf.d/xxxxxx.conf:14
    I have downgraded back to nginx-1.23.0-2.codeit.el7.x86_64
    Can you check the case?

    regards
    Nikolay Kabaivanov

    1. Hello Nikolay,

      Sorry for the issue, all the fresh builds are deployed to the testing repo for testing purposes.
      I made a separate addon "quic" repository for NGINX EL7 with HTTP/3 support to avoid such problems in the future.
      Not all 1.23.1 features are merged in the "quic" branch at the moment, but anyway, please update the repo package to 1.1 and enable quic repo:
      yum upgrade -y codeit-repo-release
      yum-config-manager --enable CodeIT-quic --save
      yum-config-manager --disable CodeIT-testing --save

      Then retry the update from the "quic" repository.

  2. Hello, my server is AlmaLinux 8.6, and I installed nginx 1.23.1 quic. There is an error: the libbrotli dependency has a version problem. Please take a look, thanks.

    yum install nginx
    CodeIT repo 16 kB/s | 3.5 kB 00:00
    Dependencies resolved.
    =======================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================
    Installing:
    nginx x86_64 1:1.23.1-1.module_codeit_quic.codeit.el8 CodeIT 965 k
    Installing dependencies:
    libbrotli x86_64 1.0.9-1.codeit.el7 CodeIT 311 k
    openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M

    Transaction Summary
    =======================================================================================================
    Install 3 Packages

    Total size: 2.7 M
    Installed size: 7.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    [SKIPPED] libbrotli-1.0.9-1.codeit.el8.x86_64.rpm: Already downloaded
    [SKIPPED] nginx-1.23.1-1.module_codeit_quic.codeit.el8.x86_64.rpm: Already downloaded
    [SKIPPED] openssl-quic-libs-1.1.1q-1.codeit.el8.x86_64.rpm: Already downloaded
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'yum clean packages'.
    Error: Transaction test error:
    file /usr/lib64/libbrotlicommon.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
    file /usr/lib64/libbrotlidec.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
    file /usr/lib64/libbrotlienc.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64

  3. Hi. I can’t seem to make http3 work. nginx is listening properly on udp 443, but the Firefox browser is using http2 instead of http3. Error logs are not showing anything in debug mode.

    nginx x86_64 1:1.23.1-1.codeit.el7 CodeIT-quic 926 k
    nginx -V;
    nginx version: nginx/1.23.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
    built with OpenSSL 1.1.1o+quic 3 May 2022 (running with OpenSSL 1.1.1q+quic 5 Jul 2022)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_brotli --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_cache_purge-2.3 --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_http_geoip2_module-3.4 --with-http_v3_module --with-stream_quic_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

    1. Hi,

      Please check if you have set up headers like in config example: connection is established using H2 first by default, only then switched to HTTP/3. Browsers save last connection result and do not connect again after unsuccessful attempt. Please also check firewall. I always test using nghttp2 client (we have the builds of it also) with http/3 support, not a browser first.

        1. It worked in Firefox 103.0.1 after I did a quick comparison of the Alt-Svc header.
          I was adding the headers like this below which used to work in nginx version 1.21.6:

          add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400';

          But now it works like this below (thanks to the default-ssl.conf.example) shipped with your package:

          add_header Alt-Svc 'h3=":443"';

          Great job!
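
The Alt-Svc difference reported in the thread above can be checked mechanically. The following is an added example, not part of the original comments or of the CodeIT package: it parses an Alt-Svc value per RFC 7838 and reports whether the final "h3" token is advertised or only draft "h3-NN" tokens. The function names are hypothetical, and backslash escapes inside quoted strings are not handled.

```python
import re

# "h3" is the final HTTP/3 token (RFC 9114); "h3-NN" tokens name pre-standard drafts.
DRAFT_H3 = re.compile(r"^h3-\d+$")

def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_alt_svc(value):
    """Return [(protocol_id, authority, params)] for an Alt-Svc value (RFC 7838)."""
    if value.strip() == "clear":
        return []
    entries = []
    for alt in split_outside_quotes(value, ","):
        fields = split_outside_quotes(alt, ";")
        proto, _, authority = fields[0].partition("=")
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        entries.append((proto.strip(), authority.strip().strip('"'), params))
    return entries

def h3_status(value):
    """Classify what the header offers: 'final', 'draft-only' or 'none'."""
    protos = [proto for proto, _, _ in parse_alt_svc(value)]
    if "h3" in protos:
        return "final"
    if any(DRAFT_H3.match(p) for p in protos):
        return "draft-only"
    return "none"

# The two header values quoted in the thread above.
OLD = 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400'
NEW = 'h3=":443"'

if __name__ == "__main__":
    for label, value in (("old", OLD), ("new", NEW)):
        print(label, h3_status(value), parse_alt_svc(value))
```
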

  4. Hi Alex,

    Not sure if this is AlmaLinux 9 ready? Info from my lab below.

    dnf install nginx
    Last metadata expiration check: 0:00:41 ago on Mon 05 Sep 2022 11:04:36 PM CST.
    Dependencies resolved.
    ==================================================================================================================================================================================================================
    Package Architecture Version Repository Size
    ==================================================================================================================================================================================================================
    Installing:
    nginx x86_64 1:1.23.1-2.module_codeit_quic.codeit.el9 CodeIT 1.0 M
    Installing dependencies:
    libmaxminddb x86_64 1.5.2-3.el9 appstream 33 k
    openssl-quic-libs x86_64 1.1.1q-1.codeit.el9 CodeIT 1.4 M

    Transaction Summary
    ==================================================================================================================================================================================================================
    Install 3 Packages

    Total download size: 2.5 M
    Installed size: 7.4 M
    Is this ok [y/N]:
