tengine3.1.0 nginx启用xquic

1.安装xquic

进入/home目录,执行 `installXquic.sh`脚本

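#!/bin/bash
# installXquic.sh: build Tongsuo (BabaSSL) and then XQUIC from source.
# Run it from /home so the tree lands in /home/xquic, the location the
# Tengine build scripts point XQUIC_INC / XQUIC_LIB at.
#
# NOTE(review): both repositories are cloned from a personal Gitee mirror at
# whatever its default branch currently holds, and the result is linked into
# the web server. Pin each clone to a reviewed tag or commit, or clone from
# the upstream project (see the commented-out Tongsuo line), before relying on
# this build.
 
yum -y install git cmake gcc gcc-c++ libevent libevent-devel libarchive

# Fetch the XQUIC source (skipped when an earlier run already cloned it).
if [ ! -d xquic/.git ]; then
    git clone https://gitee.com/mygitee1231234/xquic.git || exit 1
fi
cd xquic || exit 1
 
# Fetch and build BabaSSL (Tongsuo).
#git clone -b 8.3-stable https://github.com/Tongsuo-Project/Tongsuo.git ./third_party/babassl
if [ ! -d ./third_party/babassl/.git ]; then
    git clone https://gitee.com/mygitee1231234/tongsuo.git ./third_party/babassl || exit 1
fi
cd ./third_party/babassl/ || exit 1
# Only the execute bit is needed to run ./config; mode 777 would also leave
# the script writable by every local user.
chmod u+x config
./config --prefix=/usr/local/babassl || exit 1
# Bound the job count: a bare "make -j" starts an unlimited number of jobs.
if ! make -j"$(nproc)"; then
    echo "BabaSSL 编译失败"
    exit 1
fi
SSL_TYPE_STR="babassl"
SSL_PATH_STR="${PWD}"
cd - || exit 1
 
# Update the submodules and build XQUIC.
git submodule update --init --recursive || exit 1
mkdir -p build
cd build || exit 1
# NOTE(review): this is a Debug build with coverage (GCOV) and test targets
# enabled. Presumably that is copied from a development setup; confirm these
# flags are wanted for a library that a production server will load.
if ! cmake -DGCOV=on -DCMAKE_BUILD_TYPE=Debug -DXQC_ENABLE_TESTING=1 \
        -DXQC_SUPPORT_SENDMMSG_BUILD=1 -DXQC_ENABLE_EVENT_LOG=1 \
        -DXQC_ENABLE_BBR2=1 -DXQC_ENABLE_RENO=1 \
        -DSSL_TYPE="${SSL_TYPE_STR}" -DSSL_PATH="${SSL_PATH_STR}" ..; then
    echo "cmake 失败"
    exit 1
fi
if ! make -j"$(nproc)"; then
    echo "XQUIC 编译失败"
    exit 1
fi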

2.安装tengine

进入/home目录,执行 `installTengine3.1.0.sh`脚本

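#!/bin/bash
# installTengine3.1.0.sh: build ngx_brotli's encoder library, then build and
# install Tengine 3.1.0 with the XQUIC and Brotli modules under
# /home/tengine-3.1.0/run. Expects XQUIC to be built already in /home/xquic.

# Locations of the XQUIC headers and library, read by the Tengine build.
export XQUIC_INC=/home/xquic/include
export XQUIC_LIB=/home/xquic/build
cd /home || exit 1
yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel gd-devel

# Build the compression module's Brotli encoder.
# NOTE(review): cloned from a personal Gitee mirror at its current default
# branch; pin to a reviewed commit or use the upstream repository below.
#git clone --recurse-submodules -j8 https://github.com/google/ngx_brotli
if [ ! -d ngx_brotli/.git ]; then
    git clone --recurse-submodules https://gitee.com/mygitee1231234/ngx_brotli.git || exit 1
fi
cd ngx_brotli/deps/brotli || exit 1
rm -rf -- out
mkdir out || exit 1
cd out || exit 1
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF \
      -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
      -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -flto -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" \
      -DCMAKE_INSTALL_PREFIX=./installed .. || exit 1
cmake --build . --config Release --target brotlienc || exit 1

# Download and unpack Tengine.
cd /home || exit 1
# Fetch over HTTPS: a tarball pulled over plain HTTP can be replaced in
# transit, and it is compiled and installed as root below.
wget -O tengine-3.1.0.tar.gz https://tengine.taobao.org/download/tengine-3.1.0.tar.gz || exit 1
# Optional integrity check: export TENGINE_SHA256 with the digest of this
# release, obtained over a trusted channel, to have the archive verified
# before it is unpacked.
if [ -n "${TENGINE_SHA256:-}" ]; then
    echo "${TENGINE_SHA256}  tengine-3.1.0.tar.gz" | sha256sum -c - || exit 1
fi
tar -zxvf tengine-3.1.0.tar.gz || exit 1
cd ./tengine-3.1.0 || exit 1
mkdir -p run

# NOTE(review): the module list includes diagnostic modules (backtrace,
# debug_pool, debug_timer) and the CONNECT proxy module; drop the ones the
# deployment does not use to keep the attack surface small.
./configure --prefix=/home/tengine-3.1.0/run \
            --without-http_upstream_keepalive_module \
            --with-http_ssl_module \
            --add-module=modules/ngx_http_upstream_vnswrr_module \
            --add-module=modules/ngx_backtrace_module \
            --add-module=modules/ngx_debug_pool \
            --add-module=modules/ngx_debug_timer \
            --add-module=modules/ngx_http_concat_module \
            --add-module=modules/ngx_http_footer_filter_module \
            --add-module=modules/ngx_http_proxy_connect_module \
            --add-module=modules/ngx_http_reqstat_module \
            --add-module=modules/ngx_http_slice_module \
            --add-module=modules/ngx_http_sysguard_module \
            --add-module=modules/ngx_http_trim_filter_module \
            --add-module=modules/ngx_http_upstream_check_module \
            --add-module=modules/ngx_http_upstream_consistent_hash_module \
            --add-module=modules/ngx_http_upstream_dynamic_module \
            --add-module=modules/ngx_http_upstream_dyups_module \
            --add-module=modules/ngx_http_upstream_keepalive_module \
            --add-module=modules/ngx_http_upstream_session_sticky_module \
            --add-module=modules/ngx_http_user_agent_module \
            --add-module=/home/tengine-3.1.0/modules/ngx_http_xquic_module \
            --with-http_v2_module \
            --add-module=/home/ngx_brotli \
            --with-http_image_filter_module || exit 1
make && make install || exit 1

# Permissions on the XQUIC qpack build directory.
# The original used mode 777 here, which lets any local user replace files in
# a tree the root-run server build depends on. Owner-writable and
# world-readable is enough while nginx runs as root.
# NOTE(review): presumably the 777 was there because installXquic.sh builds
# with -DGCOV=on and coverage data gets written into the build tree; confirm.
chmod -R u=rwX,go=rX /home/xquic/build/CMakeFiles/xquic.dir/src/http3/qpack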

禁用 LTO 的版本(如果上面的脚本安装失败,请改用这个)

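#!/bin/bash
# Variant of the Tengine 3.1.0 install script that builds Brotli and links
# Tengine with link-time optimisation disabled (-fno-lto). Expects XQUIC to be
# built already in /home/xquic.

# Locations of the XQUIC headers and library, read by the Tengine build.
export XQUIC_INC=/home/xquic/include
export XQUIC_LIB=/home/xquic/build

# Install build dependencies.
yum -y install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel gd-devel

# Fetch the Brotli module.
cd /home || exit 1
# NOTE(review): cloned from a personal Gitee mirror at its current default
# branch; pin to a reviewed commit or use the upstream project instead.
if [ ! -d ngx_brotli/.git ]; then
    git clone --recurse-submodules https://gitee.com/mygitee1231234/ngx_brotli.git || exit 1
fi
cd ngx_brotli/deps/brotli || exit 1

# Start from a clean output directory.
rm -rf -- out
mkdir out || exit 1
cd out || exit 1

# Configure Brotli with LTO disabled.
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF \
      -DCMAKE_C_FLAGS="-Ofast -m64 -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections -fno-lto" \
      -DCMAKE_CXX_FLAGS="-Ofast -m64 -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections -fno-lto" \
      -DCMAKE_INSTALL_PREFIX=./installed .. || exit 1

# Build the Brotli encoder library.
cmake --build . --config Release --target brotlienc || exit 1

# Download and unpack Tengine.
cd /home || exit 1
# Fetch over HTTPS: a tarball pulled over plain HTTP can be replaced in
# transit, and it is compiled and installed as root below.
wget -O tengine-3.1.0.tar.gz https://tengine.taobao.org/download/tengine-3.1.0.tar.gz || exit 1
# Optional integrity check: export TENGINE_SHA256 with the digest of this
# release, obtained over a trusted channel, to have the archive verified
# before it is unpacked.
if [ -n "${TENGINE_SHA256:-}" ]; then
    echo "${TENGINE_SHA256}  tengine-3.1.0.tar.gz" | sha256sum -c - || exit 1
fi
tar -zxvf tengine-3.1.0.tar.gz || exit 1
cd ./tengine-3.1.0 || exit 1
mkdir -p run

# Configure Tengine and link it against the Brotli libraries built above.
# NOTE(review): the module list includes diagnostic modules (backtrace,
# debug_pool, debug_timer) and the CONNECT proxy module; drop the ones the
# deployment does not use to keep the attack surface small.
./configure --prefix=/home/tengine-3.1.0/run \
            --without-http_upstream_keepalive_module \
            --with-http_ssl_module \
            --add-module=modules/ngx_http_upstream_vnswrr_module \
            --add-module=modules/ngx_backtrace_module \
            --add-module=modules/ngx_debug_pool \
            --add-module=modules/ngx_debug_timer \
            --add-module=modules/ngx_http_concat_module \
            --add-module=modules/ngx_http_footer_filter_module \
            --add-module=modules/ngx_http_proxy_connect_module \
            --add-module=modules/ngx_http_reqstat_module \
            --add-module=modules/ngx_http_slice_module \
            --add-module=modules/ngx_http_sysguard_module \
            --add-module=modules/ngx_http_trim_filter_module \
            --add-module=modules/ngx_http_upstream_check_module \
            --add-module=modules/ngx_http_upstream_consistent_hash_module \
            --add-module=modules/ngx_http_upstream_dynamic_module \
            --add-module=modules/ngx_http_upstream_dyups_module \
            --add-module=modules/ngx_http_upstream_keepalive_module \
            --add-module=modules/ngx_http_upstream_session_sticky_module \
            --add-module=modules/ngx_http_user_agent_module \
            --add-module=/home/tengine-3.1.0/modules/ngx_http_xquic_module \
            --with-http_v2_module \
            --add-module=/home/ngx_brotli \
            --with-cc-opt="-I/home/ngx_brotli/deps/brotli/out" \
            --with-ld-opt="-L/home/ngx_brotli/deps/brotli/out -lbrotlicommon -lbrotlienc -fno-lto" \
            --with-http_image_filter_module || exit 1

# Build and install Tengine.
make && make install || exit 1

# Permissions on the XQUIC qpack build directory.
# The original used mode 777 here, which lets any local user replace files in
# a tree the root-run server build depends on. Owner-writable and
# world-readable is enough while nginx runs as root.
# NOTE(review): presumably the 777 was there because installXquic.sh builds
# with -DGCOV=on and coverage data gets written into the build tree; confirm.
chmod -R u=rwX,go=rX /home/xquic/build/CMakeFiles/xquic.dir/src/http3/qpack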

 3.内核优化 (sh optimize_kernel.sh)

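#!/bin/bash
# optimize_kernel.sh: raise file-descriptor limits and tune TCP-related
# sysctls for a high-connection web server. Must run as root, since it edits
# /etc/sysctl.conf and /etc/security/limits.conf.

# Append LINE ($1) to FILE ($2) unless an identical line is already present,
# so running the script again does not pile up duplicate entries.
append_once() {
    local line=$1 file=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

SYSCTL_CONF=/etc/sysctl.conf
LIMITS_CONF=/etc/security/limits.conf

# Kernel settings, one per line, in the order they are written to the file.
#  - fs.*: system-wide file-descriptor ceilings.
#  - net.*: listen backlogs, socket buffer sizes, TCP behaviour.
# NOTE(review): tcp_timestamps = 0 together with tcp_syncookies = 1 means
#   connections accepted via SYN cookies cannot carry window scaling or SACK,
#   and PAWS protection is lost; confirm disabling timestamps is intended.
# NOTE(review): ip_local_port_range starting at 1024 lets outgoing
#   connections take ports that local services may want to listen on.
# tcp_fastopen = 3 enables TCP Fast Open for both client and server sockets.
while IFS= read -r entry; do
    [ -n "$entry" ] && append_once "$entry" "$SYSCTL_CONF"
done <<'EOF'
fs.file-max = 1000000
fs.nr_open = 1000000
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 16384
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_fastopen = 3
EOF

# Per-process open-file limits for all users and, explicitly, for root.
while IFS= read -r entry; do
    [ -n "$entry" ] && append_once "$entry" "$LIMITS_CONF"
done <<'EOF'
* soft nofile 1000000
* hard nofile 1000000
root soft nofile 1000000
root hard nofile 1000000
EOF

# Apply the sysctl changes now.
sysctl -p

# Raise the limit for this shell. When the script is run as a separate
# process (sh optimize_kernel.sh) this does not affect the calling session;
# the limits.conf entries take effect at the next login.
ulimit -n 1000000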

4.修改nginx配置文件


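# Tengine configuration: static site for bbbb.aaa.com served over HTTPS
# (HTTP/2) and HTTP/3 (XQUIC) on port 443, with port 80 redirecting to HTTPS.

# NOTE(review): with "user root" the worker processes that parse requests
# keep full root privileges. Prefer a dedicated unprivileged account once the
# document root and any runtime paths are readable by it.
user  root;
worker_processes auto; # one worker per available CPU core
events{
    worker_connections 65535; # maximum simultaneous connections per worker
    use epoll; # epoll event model (Linux)
    multi_accept on; # a worker accepts all pending connections at once
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    charset utf-8;
    # Do not disclose backend or server software in response headers.
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;

    server_tokens         off;

    xquic_congestion_control bbr;
    xquic_socket_rcvbuf 5242880;
    xquic_socket_sndbuf 5242880;
    # NOTE(review): RFC 9000 limits what a server may send to an unvalidated
    # address to 3x the bytes received. Presumably this directive sets that
    # multiplier; confirm against the module documentation and consider 3.
    xquic_anti_amplification_limit 5;
    # lua_package_path '/home/tengine-2.3.3/run/lua/?.lua;;';
    # lua_shared_dict cc_defense 10m;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    #access_log  "pipe:rollback logs/access_log interval=1d baknum=7 maxsize=2G"  main;
    # Certificate and key used for QUIC. The private key file should be
    # readable by root only.
    xquic_ssl_certificate        /home/nginxcert/aaa.com_server.crt.pem;
    xquic_ssl_certificate_key    /home/nginxcert/aaa.com_server.key.pem;

    sendfile        on;
    tcp_nodelay on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    brotli on;
    brotli_comp_level 7;
    brotli_buffers 16 8k;
    # Only compress responses larger than 1 KB.
    brotli_min_length 1024;
    brotli_static off;    # off: pre-compressed .br files are not served; "on" would use them
    brotli_types  text/xml text/plain text/css application/javascript application/x-javascript application/rss+xml text/javascript image/tiff image/svg+xml application/json application/xml;

    # Enable gzip compression.
    # NOTE(review): compressing HTTPS responses is fine for the static files
    # served here; if dynamic responses that mix secrets with request data are
    # ever added, review the compressed types (BREACH-style attacks).
    gzip on;
    # Only compress responses of at least 1 KB.
    gzip_min_length 1k;
    # Compression level 9 (maximum compression, highest CPU cost).
    gzip_comp_level 9;
    # MIME types eligible for gzip.
    gzip_types text/xml text/plain text/css application/javascript application/x-javascript application/rss+xml text/javascript image/tiff image/svg+xml application/json application/xml;
    # Send "Vary: Accept-Encoding" so caches keep compressed and plain copies apart.
    gzip_vary on;
    # No gzip for early Internet Explorer versions.
    gzip_disable "MSIE [1-6]\.";
    client_max_body_size 300M;
    client_body_buffer_size 512k;

    #80 port redirect
    server{
        listen       80;
        server_name  *.aaa.com;
        return 301 https://$host$request_uri;
    }
    #default server
    # Requests on port 80 whose Host matches no server_name are closed
    # without a response.
    # NOTE(review): there is no equivalent catch-all for port 443, so any
    # Host value arriving there is handled by the bbbb.aaa.com server below.
    server{
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 444;
    }
    server {
        listen 443 ssl http2;
        listen 443 xquic reuseport;
        server_name  bbbb.aaa.com;
        # Advertise HTTP/3 on the same port.
        add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always;
        ssl_certificate             /home/nginxcert/aaa.com_server.crt.pem;
        ssl_certificate_key         /home/nginxcert/aaa.com_server.key.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # This list only governs TLS 1.2 and earlier; with TLSv1.3 as the sole
        # protocol below it currently has no effect.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!DSS';
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_protocols TLSv1.3;


        # Files and directories that must never be served.
        # Regex locations are tried in the order they appear, so this block
        # has to come before the image/JS/CSS blocks: placed after them, a
        # path under /.git or /.svn ending in one of those extensions would be
        # matched by the asset rule first and served.
        # The pattern is anchored at the site root; copies of these names in
        # subdirectories are not covered.
        location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md) {
            return 404;
        }

        location / {
            root   /home/html;
            index  index.html index.htm;
            try_files $uri $uri/ /index.html;
        }

        # Cache lifetime for images.
        location ~* \.(gif|jpg|jpeg|png|bmp|swf)$ {
            root   /home/html;
            expires 1d;
            log_not_found off;
            access_log off;
        }

        # Cache lifetime for JS and CSS.
        location ~* \.(js|css)$ {
            root   /home/html;
            expires 1h;
            log_not_found off;
            access_log off;
        }
    }
}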

5.配置环境变量

在 /etc/profile 文件末尾增加:


# Put the Tengine sbin directory first on PATH. Because it is searched before
# the system directories for every login shell, it and its parent directories
# should be writable by root only.
PATH="/home/tengine-3.1.0/run/sbin:${PATH}"
export PATH

执行 `source /etc/profile` 使其生效

6.测试XQUIC

HTTP/3 QUIC 在线测试 - 免费在线工具

参考文档

阿里巴巴
