nginx-quic chrome 支持度

2021-07-29 07:21:28 +08:00
 v2clay
搭建 nginx-quic,按照 www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3 配置的 server 。
www.http3check.net 显示支持 http3 quic 。
但是 chrome 按 f2 显示走的是 tls1.3,不是 quic 协议。

另,chrom 对 cf 的 quic 支持非常友好。对 nginx-quic 支持度不够啊
2890 次点击
所在节点    NGINX
12 条回复
wellsc
2021-07-29 07:25:16 +08:00
quic 本身就包含 tls 了
eason1874
2021-07-29 08:00:19 +08:00
用 Chrome 91 打开官方网页可以看到是支持的,h3-29,你的不支持可能是哪里配置不对,建议按 README 再配置一遍

https://quic.nginx.org/
mons
2021-07-29 08:09:31 +08:00
这 blog 里的 Alt-Svc header 写法有点老了,h3 改成 h3-29 应该就好了;几个月前架过玩,会显 quic
v2clay
2021-07-29 08:11:44 +08:00
@mons 谢谢,我也正在想可能是这个原因
v2clay
2021-07-29 08:47:06 +08:00
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
v2clay
2021-07-29 12:26:42 +08:00
@mons 似乎不行
Love4Taylor
2021-07-29 14:34:44 +08:00
印象中 gQUIC 和 MTU 有关系,到 HTTP/3 之后就不清楚了
mons
2021-07-31 08:34:22 +08:00
@v2clay #6

这是我之前架的时候用的,Alt-Svc 只加了 h3-29 和对应的 max-age,没加 QUIC-Status header. 刚试了一下,还是可以正常走 QUIC

```
server {
listen 443 ssl;
listen 443 http3 reuseport;
listen [::]:443 ssl;
listen [::]:443 http3 reuseport;
server_name abc.xyz;

ssl_protocols TLSv1.3;
ssl_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;

error_page 497 =307 https://$host$request_uri;

add_header Alt-Svc 'h3-29=":443"; ma=86400';

location / {
proxy_pass http://localhost:8080;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
```

Chrome dev tools:



可能需要刷新一次才会显示 QUIC.
v2clay
2021-07-31 10:26:33 +08:00
@mons 已成功,谢谢
v2clay
2021-07-31 10:35:06 +08:00
@mons #8 自签名的证书是不是不能显示 quic
mons
2021-07-31 13:04:18 +08:00
@v2clay #10 看起来是的:

https://crbug.com/1012564

> Where QUIC and TLS (over TCP) differ is when the cert is valid as determined by the CertVerifier, QUIC imposes an additional check that the cert is issued by a known root (as opposed to a user-installed root) and internally returns QUIC_CERT_ROOT_NOT_KNOWN if it is not issued by a known root.

> The use of --origin-to-force-quic-on is intended for someone developing a QUIC server. When testing that a QUIC server is working as expected, I think that flag is a reasonable way to test that.


https://www.chromium.org/quic/quic-faq

> If you're testing only with the toy quic server, you can do something like:

> % chrome --disable-setuid-sandbox --enable-quic --origin-to-force-quic-on=localhost:6121 http://localhost:6121/
kerro1990
2021-07-31 17:21:38 +08:00
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/792380

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX