quic端口无法访问，tengine启动有报错

BobFang2023 commented 7 months ago

Question

tengine信息：

nginx -V
Tengine version: Tengine/3.1.0
nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1h  22 Sep 2020
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/data/app/tengine-3.1.0 --with-pcre --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_geoip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --add-module=modules/ngx_http_concat_module --add-module=modules/ngx_http_footer_filter_module --add-module=modules/ngx_http_proxy_connect_module --add-module=modules/ngx_http_reqstat_module --add-module=modules/ngx_http_sysguard_module --add-module=modules/ngx_http_trim_filter_module --add-module=modules/ngx_http_upstream_check_module --add-module=modules/ngx_http_upstream_consistent_hash_module --add-module=modules/ngx_http_upstream_dynamic_module --add-module=modules/ngx_http_upstream_dyups_module --add-module=modules/ngx_http_upstream_session_sticky_module --add-module=modules/ngx_http_upstream_vnswrr_module --add-module=modules/ngx_http_user_agent_module --add-module=modules/ngx_multi_upstream_module --with-jemalloc --with-http_lua_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-http_dav_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.1/ --with-ld-opt=-Wl,-rpath,/usr/local/lib --add-module=../ngx_brotli --with-http_lua_module --with-cc-opt='-I modules/ngx_http_lua_module/src' --with-xquic-inc=../xquic-1.6.0/include --with-xquic-lib=../xquic-1.6.0/build --add-module=modules/ngx_http_xquic_module --with-openssl=../Tongsuo-8.3.2

配置：

user  root root;
xquic_log   "pipe:rollback /data/app/tengine/logs/tengine-xquic.log baknum=10 maxsize=1G interval=1d adjust=600" info;
http {
    xquic_ssl_certificate /data/app/tengine/ssl/domain.key;
    xquic_ssl_certificate_key /data/app/tengine/ssl/domain.pem;
    xquic_congestion_control bbr;
    xquic_socket_rcvbuf 5242880;
    xquic_socket_sndbuf 5242880;
    xquic_anti_amplification_limit 5;

server {
        listen 80 default_server reuseport backlog=4096;
        listen 443 default_server reuseport backlog=4096 ssl http2;
        listen 443 default_server reuseport backlog=4096 xquic;
        server_name aa.domain.com;

        add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always;
        error_log  /data/app/tengine/logs/error-xquic.log debug;
        ssl_certificate /data/app/tengine/ssl/domain.pem;
        ssl_certificate_key /data/app/tengine/ssl/domain.key;
        location / {
          return 200 "quic";
        }
}
server {
        listen 80 ;
        listen 443 ssl http2;
        listen 443 xquic;
        server_name bb.domain.com;

        add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always;
        error_log  /data/app/tengine/logs/error-xquic.log debug;
        ssl_certificate /data/app/tengine/ssl/domain.pem;
        ssl_certificate_key /data/app/tengine/ssl/domain.key;

        location / {
          return 200 "quic";
        }
}
}

lianglli commented 7 months ago

开启XQUIC

需要使用root用户 user root;
H3协议默认使用TLS 1.3，使用XQUIC证书指令，配置默认H3证书

参考： https://github.com/alibaba/tengine/blob/master/modules/ngx_http_xquic_module/README.md

可以打开debug级别日志，查看具体的报错信息。

BobFang2023 commented 6 months ago

开启XQUIC

需要使用root用户 user root;

H3协议默认使用TLS 1.3，使用XQUIC证书指令，配置默认H3证书

参考： https://github.com/alibaba/tengine/blob/master/modules/ngx_http_xquic_module/README.md

可以打开debug级别日志，查看具体的报错信息。

你好，我是用root用户跑的，xquic_ssl_certificate和xquic_ssl_certificate_key也在https配置内有配置，debug模式开启了，没有多余其它的报错

user  root root;
worker_processes  auto;
pid       /data/app/tengine/pid/nginx.pid;
events {
    worker_connections  65536;
    use epoll;
}

xquic_log   "pipe:rollback /data/app/tengine/logs/tengine-xquic.log baknum=10 maxsize=1G interval=1d adjust=600" debug;

http {
    ##http3
    xquic_ssl_certificate /data/app/tengine/ssl/域名.key;
    xquic_ssl_certificate_key /data/app/tengine/ssl/域名.pem;
    xquic_congestion_control bbr;
    xquic_socket_rcvbuf 5242880;
    xquic_socket_sndbuf 5242880;
    xquic_anti_amplification_limit 5;

server {
        listen 80 default_server reuseport backlog=4096;
        listen 443 default_server reuseport backlog=4096 ssl http2;
        listen 443 default_server reuseport backlog=4096 xquic;
        server_name aa.域名;

        add_header Alt-Svc 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000' always;

        error_log  /data/app/tengine/logs/error-xquic.log debug;

        ssl_certificate /data/app/tengine/ssl/域名.pem;
        ssl_certificate_key /data/app/tengine/ssl/域名.key;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        location / {
          return 444 "quic";
        }
}

}

lianglli commented 6 months ago

在配置文件main段设置日志指令 error_log

看下具体的报错信息

error_log "pipe:rollback /data/app/tengine/logs/tengine-error.log baknum=10 maxsize=2G interval=1d adjust=600" debug; xquic_log "pipe:rollback /data/app/tengine/logs/tengine-xquic.log baknum=10 maxsize=1G interval=1d adjust=600" info;

BobFang2023 commented 6 months ago

在配置文件main段设置日志指令 error_log

看下具体的报错信息

error_log "pipe:rollback /data/app/tengine/logs/tengine-error.log baknum=10 maxsize=2G interval=1d adjust=600" debug; xquic_log "pipe:rollback /data/app/tengine/logs/tengine-xquic.log baknum=10 maxsize=1G interval=1d adjust=600" info;

多谢，通过开启error_log的debug模式找到原因了，是我证书配反了，已解决

alibaba / tengine

quic端口无法访问，tengine启动有报错 #1902

Question