Closed Zxilly closed 4 years ago
附上配置
user www www;
worker_processes auto;
error_log /www/wwwlogs/nginx_error.log crit;
pid /www/server/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept on;
}
http
{
include mime.types;
#include luawaf.conf;
include proxy.conf;
http2_push_preload on;
default_type application/octet-stream;
server_names_hash_bucket_size 512;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
ssl_early_data on;
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server_tokens off;
access_log off;
server
{
listen 888;
server_name phpmyadmin;
index index.html index.htm index.php;
root /www/server/phpmyadmin;
#error_page 404 /404.html;
include enable-php.conf;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /\.
{
deny all;
}
access_log /www/wwwlogs/access.log;
}
map $ssl_early_data $tls1_3_early_data {
"~." $ssl_early_data;
default "";
}
include /www/server/panel/vhost/nginx/*.conf;
}
server块
server
{
listen 443 quic reuseport;
listen 443 ssl;
server_name learningman.top;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/learningman.top;
#SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
#error_page 404/404.html;
#HTTP_TO_HTTPS_START
#HTTP_TO_HTTPS_END
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
#add_header Alt-Svc 'h3-23=":8443"; ma=31536000; persist=1';
#add_header Alt-Svc 'h3-27=":8443"; ma=31536000; persist=1';
add_header alt-svc 'h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"';
ssl_certificate /www/server/panel/vhost/cert/learningman.top/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/learningman.top/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:!DSS;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#SSL-END
#ssl_session_ticket_key /www/server/panel/vhost/cert/learningman.top/tls_session_ticket.key;
#ssl_session_tickets on;
#ssl_dhparam /www/server/panel/vhost/cert/learningman.top/dhparam.pem;
#ssl_trusted_certificate /www/server/panel/vhost/cert/learningman.top/full.pem;
resolver 8.8.8.8 8.8.4.4 valid=60s;
resolver_timeout 2s;
ssl_early_data on;
brotli on;
brotli_static on;
brotli_comp_level 6;
brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
#ERROR-PAGE-START 错误页配置,可以注释、删除或修改
#ERROR-PAGE-END
#PHP-INFO-START PHP引用配置,可以注释或修改
include enable-php-74.conf;
#PHP-INFO-END
#REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效
include /www/server/panel/vhost/rewrite/learningman.top.conf;
#REWRITE-END
#禁止访问的文件或目录
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}
#一键申请SSL证书验证目录相关设置
location ~ \.well-known{
allow all;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|woff2)$
{
expires 30d;
error_log off;
access_log /dev/null;
}
location ~ .*\.(js|css)?$
{
expires 30d;
error_log off;
access_log /dev/null;
}
access_log /www/wwwlogs/learningman.top.log.test;
error_log /www/wwwlogs/learningman.top.error.log debug;
}
server {
listen 80;
server_name learningman.top;
return 301 https://$server_name$request_uri;
}
测试了一下,貌似是在有多个server块的时候,就会出现error:QUIC_HANDSHAKE_FAILED, details:Failed to get proof, source:0
,是因为没有实现SNI吗?
使用本项目
master
分支和chromuim 83.0.4100.2
编译,在不打开quic时工作正常,打开quic后所有网页都无法访问,查看log表明nginx没有接收到任何请求 使用nmap扫描443
端口,tcp
状态为fliter
,udp
状态为open|fliter
系统的内核版本是4.14.129
,发行版本是CentOS Linux release 7.8.2003 (Core)
在Ubuntu18.04上完成编译附上编译完成的文件 nginx.zip