NGINX does not officially support http3, so we need to build it from source to get http3 support.
BTW, the easiest way to enable http3 is to use Caddy as the web server (just add experimental_http3 as a global option), but NGINX is more efficient. That’s why this post exists.
In this post, we assume the distribution is Debian bullseye and the login user is root.
TL;DR
You can simply download pre-built packages here. Or you can follow the instructions below to build it yourself.
Preparation
Run these commands.
|
|
Get source code
First, we should fetch NGINX and its QUIC branch’s source code. Run these commands.
|
|
Note that the version of NGINX might be different. Change that accordingly.
Then we need to get BoringSSL source code and build it as a module. However, NGINX’s OCSP implementation is not compatible with BoringSSL. If you need OCSP stapling, use this patch. The commands below use the patch and solve the issue.
|
|
Run these commands to deal with BoringSSL.
|
|
You may also want to add Brotli compression support (since it’s not that easy to build NGINX from source, why not do all things once and for all). Just run this command.
|
|
Edit build rules
Edit the rules file in nginx/debian.
|
|
Find config.env.nginx and make CFLAGS="-Wno-ignored-qualifiers". Then add --add-module="$(CURDIR)/debian/modules/ngx_brotli" right after --sbin-path=/usr/sbin/nginx, and add --with-http_v3_module --with-stream_quic_module --with-cc-opt="-I../modules/boringssl/include $(CFLAGS)" --with-ld-opt="-L../modules/boringssl/build/ssl -L../modules/boringssl/build/crypto $(LDFLAGS)" right after --with-stream_ssl_preread_module. Make sure the original --with-cc-opt and --with-ld-opt are deleted and replaced by the ones above.
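The edits above can be scripted and checked before starting the build. This is an added example, not code from the original post: it assumes each ./configure call in debian/rules sits on one line that begins with CFLAGS="...", it patches every such line, and patch_rules, verify_rules and write_sample are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the rules edits.
# Assumption: each ./configure call in debian/rules is on one line that starts
# with CFLAGS="...", like the constructed sample produced by write_sample.

# Single quotes keep the make variables $(CURDIR), $(CFLAGS), $(LDFLAGS) literal.
BROTLI='--add-module="$(CURDIR)/debian/modules/ngx_brotli"'
QUIC='--with-http_v3_module --with-stream_quic_module --with-cc-opt="-I../modules/boringssl/include $(CFLAGS)" --with-ld-opt="-L../modules/boringssl/build/ssl -L../modules/boringssl/build/crypto $(LDFLAGS)"'

patch_rules() {  # usage: patch_rules <rules-file>; safe to run twice
    grep -q -- '--with-http_v3_module' "$1" && return 0
    # Drop the old --with-cc-opt/--with-ld-opt first, then insert the new flags.
    sed -e '/\.\/configure/ s|CFLAGS="[^"]*"|CFLAGS="-Wno-ignored-qualifiers"|' \
        -e '/\.\/configure/ s| --with-cc-opt="[^"]*"||' \
        -e '/\.\/configure/ s| --with-ld-opt="[^"]*"||' \
        -e "/\.\/configure/ s|--sbin-path=/usr/sbin/nginx|& $BROTLI|" \
        -e "/\.\/configure/ s|--with-stream_ssl_preread_module|& $QUIC|" \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

verify_rules() {  # succeeds only if every configure line has the new flags once
    awk '/\.\/configure/ {
        n++
        if (gsub(/--with-cc-opt=/, "&") != 1 || gsub(/--with-ld-opt=/, "&") != 1) bad++
        if ($0 !~ /boringssl\/include/ || $0 !~ /--with-http_v3_module/) bad++
        if ($0 !~ /ngx_brotli/ || $0 !~ /CFLAGS="-Wno-ignored-qualifiers"/) bad++
    } END { exit (n == 0 || bad > 0) }' "$1"
}

write_sample() {  # constructed stand-in for the configure rule, not the real file
    printf '%s\n\t%s\n' 'config.status.nginx: config.env.nginx' \
        'CFLAGS="" ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)"' > "$1"
}

# Demo on the constructed sample; on a real tree, pass nginx/debian/rules instead.
demo=$(mktemp)
write_sample "$demo"
patch_rules "$demo" && verify_rules "$demo" && echo "rules patched and verified"
rm -f "$demo"
```

A leftover original --with-cc-opt or --with-ld-opt makes verify_rules fail, which catches a build that would otherwise link against the system OpenSSL rather than BoringSSL.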
Build as deb package
Almost everything is ready. You can now build the code as a Debian package. Run these commands.
|
|
Then just install it.
|
|
Note that the name of the package might be different.
When you need to set up NGINX with http3 support on another PC running Debian bullseye, just copy that package over and install it with dpkg. You do not need to build again. So keep that package, since you might need it in the future.
Edit NGINX configuration
Follow this official documentation.
To enable Brotli, simply add brotli on; in the http context of the NGINX configuration.
For OCSP stapling, use ssl_stapling_file. You can create it by running the command below.
|
|
You can use this site to test http3 status.