NGINX 1.23.1 mainline has been added to the repository, with support for Google's brotli compression, http2, ngx cache purge and the ngx http geoip2 module. The build is dynamically linked with OpenSSL+QUIC 1.1.1q.
TLS 1.3 final currently works in Google Chrome 70+ and Mozilla Firefox 63+.
RHEL 7 / CentOS 7:
yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-quic --save
RHEL 8 / Alma Linux 8 / Rocky Linux 8 / CentOS 8 / other EL8: the repository has become modular. To install, enable the corresponding stream:
dnf module enable -y nginx:codeit-quic
To enable TLS 1.3, specify:
ssl_protocols TLSv1.2 TLSv1.3;
Starting with version 1.21.6 we build OpenSSL+QUIC 1.1.1 separately; it is installed in /lib64 with the .so.81.1.1 suffix and does not affect the system libraries in any way.
Hello,
the latest version of nginx-1.23.1-1.codeit.el7.x86_64 from CodeIT-testing is not recognizing http3 directive.
….. nginx: [emerg] invalid parameter "http3" in /etc/nginx/conf.d/xxxxxx.conf:14
I have downgraded back to nginx-1.23.0-2.codeit.el7.x86_64
Can you check the case?
regards
Nikolay Kabaivanov
Hello Nikolay,
Sorry for the issue, all the fresh builds are deployed to the testing repo for testing purposes.
I made a separate addon "quic" repository for NGINX EL7 with HTTP/3 support to avoid such problems in the future.
Not all 1.23.1 features are merged in the "quic" branch at the moment, but anyway, please update the repo package to 1.1 and enable quic repo:
yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-quic --save
yum-config-manager --disable CodeIT-testing --save
Then retry the update from the "quic" repository.
Hello, my server is AlmaLinux 8.6, and I installed nginx 1.23.1 quic. There is an error: the libbrotli dependency has a version problem. Please take a look, thanks.
yum install nginx
CodeIT repo 16 kB/s | 3.5 kB 00:00
Dependencies resolved.
=======================================================================================================
Package Arch Version Repository Size
=======================================================================================================
Installing:
nginx x86_64 1:1.23.1-1.module_codeit_quic.codeit.el8 CodeIT 965 k
Installing dependencies:
libbrotli x86_64 1.0.9-1.codeit.el7 CodeIT 311 k
openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M
Transaction Summary
=======================================================================================================
Install 3 Packages
Total size: 2.7 M
Installed size: 7.9 M
Is this ok [y/N]: y
Downloading Packages:
[SKIPPED] libbrotli-1.0.9-1.codeit.el8.x86_64.rpm: Already downloaded
[SKIPPED] nginx-1.23.1-1.module_codeit_quic.codeit.el8.x86_64.rpm: Already downloaded
[SKIPPED] openssl-quic-libs-1.1.1q-1.codeit.el8.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘yum clean packages’.
Error: Transaction test error:
file /usr/lib64/libbrotlicommon.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
file /usr/lib64/libbrotlidec.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
file /usr/lib64/libbrotlienc.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
Hello,
Can you simply replace brotli-1.0.6 package with our brotli (optional) and libbrotli one?
dnf upgrade brotli
should be enough.
But your libbrotli and brotli are compiled for EL7, shouldn’t this be the correct corresponding version?
This is the package name error (simply recompiled EL7 SRC RPM under EL8). Please be sure it is compiled for EL8 and works well.
Ok thanks, I’ll try to test it.
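A dist-tag and file-conflict check over the dnf output quoted above, as an added example that is not part of the comments or of CodeIT's tooling; `dist_mismatches` and `conflict_owners` are hypothetical helper names. It flags the `.el7` package offered to the EL8 host and shows that all three clashes are with the installed `brotli` package, the one the reply suggests replacing.

```python
import re

# Lines copied from the dnf output quoted in the comment above (AlmaLinux 8.6 host).
TRANSACTION = """\
nginx x86_64 1:1.23.1-1.module_codeit_quic.codeit.el8 CodeIT 965 k
libbrotli x86_64 1.0.9-1.codeit.el7 CodeIT 311 k
openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M
"""
ERRORS = """\
file /usr/lib64/libbrotlicommon.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
file /usr/lib64/libbrotlidec.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
file /usr/lib64/libbrotlienc.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
"""

# name, arch, version, repository, size (number + unit) as printed in the transaction table
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+[\d.]+\s+[kMG]$")
DIST = re.compile(r"\.el(\d+)(?=[._]|$)")
CONFLICT = re.compile(
    r"file (\S+) from install of (\S+) conflicts with file from package (\S+)")


def dist_mismatches(transaction_text, host_major):
    """Return (name, version, el_major) for rows whose .elN tag differs from the host's."""
    flagged = []
    for line in transaction_text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue  # headers, separators and summary lines
        name, _arch, version, _repo = row.groups()
        tag = DIST.search(version)
        if tag and int(tag.group(1)) != host_major:
            flagged.append((name, version, int(tag.group(1))))
    return flagged


def conflict_owners(error_text):
    """Map each already-installed package to the paths the incoming package also ships."""
    owners = {}
    for path, _incoming, installed in CONFLICT.findall(error_text):
        owners.setdefault(installed, []).append(path)
    return owners


if __name__ == "__main__":
    print("dist tag differs from host:", dist_mismatches(TRANSACTION, 8))
    for pkg, paths in conflict_owners(ERRORS).items():
        print(pkg, "owns", len(paths), "conflicting files")
```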
Hi, Alexander.
I am guessing this post includes OpenSSL1.1.1q for NGINX only. Or is it for Apache also?
Will you be releasing OpenSSL1.1.1q for Apache?
Thanks,
Jonah
Hi Jonah,
Both Apache and NGINX of course. We are using OpenSSL+QUIC for all the builds.
Hi. I can’t seem to make http3 work. Nginx is listening properly on udp 443, but the Firefox browser is using http2 instead of http3. Error logs are not showing anything in debug mode.
nginx x86_64 1:1.23.1-1.codeit.el7 CodeIT-quic 926 k
nginx -V;
nginx version: nginx/1.23.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1o+quic 3 May 2022 (running with OpenSSL 1.1.1q+quic 5 Jul 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_brotli --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_cache_purge-2.3 --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_http_geoip2_module-3.4 --with-http_v3_module --with-stream_quic_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Hi,
Please check if you have set up headers like in the config example: the connection is established using H2 first by default, only then switched to HTTP/3. Browsers save the last connection result and do not connect again after an unsuccessful attempt. Please also check the firewall. I always test using the nghttp2 client (we have builds of it also) with http/3 support, not a browser first.
Hi,
I see the Alt-Svc and QUIC-Status header in the browser.
Firewall is allowed. I’m going to check with nghttp2.
It worked in Firefox 103.0.1 after I did a quick comparison of the Alt-Svc header.
I was adding the headers like this below which used to work in nginx version 1.21.6:
add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400';
But now it works like this below (thanks to the default-ssl.conf.example) shipped with your package:
add_header Alt-Svc 'h3=":443"';
Great job!
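The difference between the two Alt-Svc values in the comment above, as an added example that is not part of the comment or of the CodeIT package: a small parser for the RFC 7838 field value that reports whether the final HTTP/3 token `h3` is advertised or only draft tokens of the form `h3-NN`. The function names are hypothetical; the two header values are the ones quoted above.

```python
import re

# One alt-value (RFC 7838): protocol-id="authority", then optional ;name=value parameters.
ALT_VALUE = re.compile(r'([^\s=;,"]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')
DEFAULT_MA = 86400  # RFC 7838: freshness lifetime when "ma" is absent (24 hours)


def parse_alt_svc(value):
    """Return [(protocol_id, authority, params)] for an Alt-Svc field value."""
    if value.strip() == "clear":
        return []
    entries = []
    for proto, authority, raw_params in ALT_VALUE.findall(value):
        params = {}
        for item in raw_params.split(";"):
            name, sep, val = item.partition("=")
            if sep:
                params[name.strip().lower()] = val.strip().strip('"')
        entries.append((proto, authority, params))
    return entries


def h3_offer(value):
    """Classify the HTTP/3 offer: 'final' (token h3), 'draft-only' (h3-NN) or 'none'."""
    protos = [proto for proto, _, _ in parse_alt_svc(value)]
    if "h3" in protos:
        return "final"
    if any(re.fullmatch(r"h3-\d+", p) for p in protos):
        return "draft-only"
    return "none"


def max_age(value, proto):
    """Seconds a client may cache the alternative for `proto`, or None if not offered."""
    for p, _, params in parse_alt_svc(value):
        if p == proto:
            return int(params.get("ma", DEFAULT_MA))
    return None


# Header values quoted in the comment above.
OLD = 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400'
NEW = 'h3=":443"'

if __name__ == "__main__":
    for label, header in (("old", OLD), ("new", NEW)):
        print(label, h3_offer(header), [e[0] for e in parse_alt_svc(header)])
```

The old value offers only draft versions, so a client that speaks only final HTTP/3 has nothing to upgrade to and stays on HTTP/2; the new value omits `ma` and therefore gets the same 24-hour lifetime by default.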
Hi Alex,
Not sure if this is AlmaLinux 9 ready? Info from my lab below.
dnf install nginx
Last metadata expiration check: 0:00:41 ago on Mon 05 Sep 2022 11:04:36 PM CST.
Dependencies resolved.
==================================================================================================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================================================================================================
Installing:
nginx x86_64 1:1.23.1-2.module_codeit_quic.codeit.el9 CodeIT 1.0 M
Installing dependencies:
libmaxminddb x86_64 1.5.2-3.el9 appstream 33 k
openssl-quic-libs x86_64 1.1.1q-1.codeit.el9 CodeIT 1.4 M
Transaction Summary
==================================================================================================================================================================================================================
Install 3 Packages
Total download size: 2.5 M
Installed size: 7.4 M
Is this ok [y/N]:
Hi Jeffrey,
Yes, I suppose that it is ready for all EL9, as it passes tests. Not much feedback for now, so please test and reply if it works for you 🙂
Hi Alex,
I doubt that the packages & dependencies to be installed, from my previous feedback, are the correct ones. Could you verify that?
Jeffrey,
These packages have .el9 suffix and are perfectly correct for AlmaLinux 9.
Note: you selected the NGINX QUIC branch package, which is an experimental branch with no released versions. Anyway, it works fine in thousands of installations.
Hi Alex,
Yes, it works. 🙂
Hi Jeffrey,
Thanks for the confirmation!