cloudflare / quiche

🥧 Savoury implementation of the QUIC transport protocol and HTTP/3

Home Page:https://docs.quic.tech/quiche/


The patch for nginx seems broken.

IRN-Kawakaze opened this issue · comments

I am trying to compile Nginx with http3 support using this project. When I build and test it, I find that http3 does not work and the Nginx log outputs errors (attached below).

After testing, it seems that this problem is introduced by a8ed4e4, because with the previous 38e4d1e http3 works.

Or did I do something wrong with the build?

System version: Debian 12 x86-64
Nginx version: 1.16.1
curl version: https://github.com/stunnel/static-curl/releases/tag/8.8.0
quiche version:
2bc513a
a8ed4e4
38e4d1e

Build command:

sudo su

apt update
apt install wget curl -y
apt install cmake git g++ libpcre3-dev zlib1g-dev -y
wget https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init
chmod 755 ./rustup-init
echo | ./rustup-init
source "$HOME/.cargo/env"
wget https://nginx.org/download/nginx-1.16.1.tar.gz
tar -zxf nginx-1.16.1.tar.gz
git clone --recursive https://github.com/cloudflare/quiche
cd nginx-1.16.1 || exit 1

patch -p01 < ../quiche/nginx/nginx-1.16.patch

./configure                                 \
       --prefix=$PWD                           \
       --build="quiche-$(git --git-dir=../quiche/.git rev-parse --short HEAD)" \
       --with-http_ssl_module                  \
       --with-http_v2_module                   \
       --with-http_v3_module                   \
       --with-openssl=../quiche/quiche/deps/boringssl \
       --with-quiche=../quiche

make

Nginx config:

events {
    worker_connections  1024;
}

http {
    server {
        listen 443 quic reuseport;
        listen 443 ssl http2;
        root /www;
        ssl_certificate /home/debian/fullchain.pem;
        ssl_certificate_key /home/debian/privkey.pem;
        ssl_protocols TLSv1.3;
        add_header alt-svc 'h3=":443"; ma=86400';
    }
}

Test command:

# mkdir logs
# ./objs/nginx -c /home/debian/nginx.conf

# curl -V
curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.3.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.28.1 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.62.1 nghttp3/1.3.0
Release-Date: 2024-05-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP TrackMemory UnixSockets zstd

# curl --http3-only https://my.domain -vvvv --resolve 'my.domain:443:10.0.1.2'
* Added my.domain:443:10.0.1.2 to DNS cache
* Hostname my.domain was found in DNS cache
*   Trying 10.0.1.2:443...
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* QUIC connection has been shut down
* QUIC connect to 10.0.1.2 port 443 failed: Couldn't connect to server
* Failed to connect to my.domain port 443 after 30001 ms: Couldn't connect to server
* Closing connection
curl: (7) QUIC connection has been shut down

Nginx logs:

# cat logs/error.log
2024/07/17 16:50:29 [alert] 77743#0: worker process 77744 exited on signal 11
2024/07/17 16:50:30 [alert] 77743#0: worker process 77746 exited on signal 11
2024/07/17 16:50:32 [alert] 77743#0: worker process 77747 exited on signal 11
2024/07/17 16:50:36 [alert] 77743#0: worker process 77748 exited on signal 11
2024/07/17 16:50:44 [alert] 77743#0: worker process 77749 exited on signal 11
2024/07/17 16:50:59 [alert] 77743#0: worker process 77750 exited on signal 11

# cat logs/access.log
<no logs>

Then I tried to switch to a specific commit and rebuild using the following command:

### kill nginx using htop
cd ..
rm -rf  nginx-1.16.1/ quiche/
tar -zxf nginx-1.16.1.tar.gz
git clone https://github.com/cloudflare/quiche
cd quiche/
git checkout <commit hash>
git submodule update --init --recursive
cd ..
cd nginx-1.16.1

patch -p01 < ../quiche/nginx/nginx-1.16.patch

./configure                                 \
       --prefix=$PWD                           \
       --build="quiche-$(git --git-dir=../quiche/.git rev-parse --short HEAD)" \
       --with-http_ssl_module                  \
       --with-http_v2_module                   \
       --with-http_v3_module                   \
       --with-openssl=../quiche/quiche/deps/boringssl \
       --with-quiche=../quiche

make

Then use the same nginx configuration file and test command.
a8ed4e4:

# mkdir logs
# ./objs/nginx -c /home/debian/nginx.conf

# curl --http3-only https://my.domain -vvvv --resolve 'my.domain:443:10.0.1.2'
* Added my.domain:443:10.0.1.2 to DNS cache
* Hostname my.domain was found in DNS cache
*   Trying 10.0.1.2:443...
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* QUIC connection has been shut down
* QUIC connect to 10.0.1.2 port 443 failed: Couldn't connect to server
* Failed to connect to my.domain port 443 after 30001 ms: Couldn't connect to server
* Closing connection
curl: (7) QUIC connection has been shut down

38e4d1e:

# mkdir logs
# ./objs/nginx -c /home/debian/nginx.conf

### Note: I am using a trusted certificate, and if I build with version 0.16.0 there will be no certificate errors.
# curl --http3-only https://my.domain -vvvv --resolve 'my.domain:443:10.0.1.2'
* Added my.domain:443:10.0.1.2 to DNS cache
* Hostname my.domain was found in DNS cache
*   Trying 10.0.1.2:443...
* SSL certificate problem: unable to get local issuer certificate
* QUIC connect to 10.0.1.2 port 443 failed: SSL peer certificate or SSH remote key was not OK
* Failed to connect to my.domain port 443 after 0 ms: SSL peer certificate or SSH remote key was not OK
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# curl --http3-only https://my.domain -vvvv --resolve 'my.domain:443:10.0.1.2' -k
* Added my.domain:443:10.0.1.2 to DNS cache
* Hostname my.domain was found in DNS cache
*   Trying 10.0.1.2:443...
<some certificate info>
* Connected to my.domain (10.0.1.2) port 443
* using HTTP/3
* [HTTP/3] [0] OPENED stream for https://my.domain/
* [HTTP/3] [0] [:method: GET]
* [HTTP/3] [0] [:scheme: https]
* [HTTP/3] [0] [:authority: my.domain]
* [HTTP/3] [0] [:path: /]
* [HTTP/3] [0] [user-agent: curl/8.8.0]
* [HTTP/3] [0] [accept: */*]
> GET / HTTP/3
> Host: my.domain
> User-Agent: curl/8.8.0
> Accept: */*
> 
* Request completely sent off
< HTTP/3 200 
< server: nginx/1.16.1
< date: Thu, 18 Jul 2024 00:18:42 GMT
< content-type: text/html
< content-length: 4
< last-modified: Wed, 17 Jul 2024 22:10:41 GMT
< etag: "66984161-4"
< alt-svc: h3=":443"; ma=86400
< accept-ranges: bytes
< 
123
* Connection #0 to host my.domain left intact

# cat logs/access.log 
10.0.1.2 - - [17/Jul/2024:17:15:08 -0700] "GET / HTTP/3" 200 4 "-" "curl/8.8.0"
10.0.1.2 - - [17/Jul/2024:17:18:42 -0700] "GET / HTTP/3" 200 4 "-" "curl/8.8.0"

# cat logs/error.log
<no logs>
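The report narrows the regression down by hand (check out a quiche commit, rebuild nginx, run curl, read the logs). As an added example, not code from the quiche project or from the reporter, the script below turns that loop into a `git bisect run` step that grades each commit by the two symptoms visible in the report: a worker "exited on signal 11" line in error.log (bad) or a completed "HTTP/3 200" response from curl (good). It assumes the report's layout (the script, nginx-1.16.1.tar.gz and the quiche clone in one directory); NGINX_CONF, TEST_URL and RESOLVE are hypothetical knobs defaulting to the report's values.

```shell
#!/bin/sh
# Added example (not from quiche or the reporter): bisect the nginx-patch
# regression between the report's good (38e4d1e) and bad (a8ed4e4) commits.
# Assumed layout: this script, nginx-1.16.1.tar.gz and quiche/ side by side.
NGINX_TARBALL=${NGINX_TARBALL:-nginx-1.16.1.tar.gz}
NGINX_DIR=${NGINX_DIR:-nginx-1.16.1}
NGINX_CONF=${NGINX_CONF:-/home/debian/nginx.conf}   # path from the report
TEST_URL=${TEST_URL:-https://my.domain}
RESOLVE=${RESOLVE:-my.domain:443:10.0.1.2}

# The report's "bad" symptom: a worker killed by SIGSEGV in nginx's error.log.
worker_crashed() { grep -q 'worker process [0-9]* exited on signal 11' "$1"; }
# The report's "good" symptom: curl completed an HTTP/3 request.
h3_ok() { grep -q '^< HTTP/3 200' "$1"; }

# One bisect step; git runs it with the quiche checkout as cwd. Exit codes
# follow git bisect: 0 = good, 1 = bad, 125 = untestable (build failed etc.).
bisect_step() {
    work=$(cd "$(dirname "$0")" && pwd)
    git submodule update --init --recursive || return 125
    cd "$work" && rm -rf "$NGINX_DIR" && tar -zxf "$NGINX_TARBALL" \
        && cd "$NGINX_DIR" || return 125
    patch -p1 < ../quiche/nginx/nginx-1.16.patch || return 125
    { ./configure --prefix="$PWD" --with-http_ssl_module --with-http_v2_module \
          --with-http_v3_module --with-openssl=../quiche/quiche/deps/boringssl \
          --with-quiche=../quiche && make; } >build.log 2>&1 || return 125
    mkdir -p logs                       # default error/access/pid location
    ./objs/nginx -c "$NGINX_CONF" || return 125
    # -k only skips chain verification, as in the report's working run; the
    # crash happens before any HTTP exchange, so the exchange is what we grade.
    curl --http3-only -k -v --max-time 20 --resolve "$RESOLVE" "$TEST_URL" \
        >curl.log 2>&1
    ./objs/nginx -c "$NGINX_CONF" -s quit
    if worker_crashed logs/error.log; then return 1; fi
    if h3_ok curl.log; then return 0; fi
    return 125                          # neither symptom: don't blame this commit
}

# Usage, from the directory above quiche/ (bad and good commits from the report):
#   (cd quiche && git bisect start a8ed4e4 38e4d1e \
#       && git bisect run ../bisect-quiche.sh step)
if [ "${1:-}" = step ]; then bisect_step; fi
```

Each step rebuilds nginx from a fresh tarball so the patch is applied exactly once per commit; a commit whose build fails is skipped rather than counted as bad.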