月度归档:2018年09月

为网站开启QUIC的几点注意事项

发表评论

QUIC的文章比较多了,但是开启起来仍然是件困扰人的事。本文简要记录一下为网站开启QUIC的几点注意事项。

一 QUIC对比现有HTTP2的主要优势:

  • 显著减少连接建立时间
  • 改进的拥塞控制
  • 无对头阻塞的多路复用
  • 前向纠错
  • 连接迁移

二 开启QUIC的注意事项主要有以下几点:

Caddy的13f9c34已经支持QUIC 44、43、39,运行参数中加入-quic

编译caddy时,需要为主分支的quic-go打一个补丁:
cd $GOPATH/src/github.com/mholt/caddy/vendor/github.com/lucas-clemente/quic-go/

vi quic.patch

quic.pathch的内容如下:

From 20719a7c50c1f97ff0f2272010cda5710794c1d0 Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Thu, 29 Nov 2018 20:33:02 +0700
Subject: [PATCH] use the original tls.Config if tls.Config.GetConfigForClient
 returns nil

---
 internal/crypto/cert_chain.go      | 15 ++++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/internal/crypto/cert_chain.go b/internal/crypto/cert_chain.go
index 0c728fd25..45af2952d 100644
--- a/internal/crypto/cert_chain.go
+++ b/internal/crypto/cert_chain.go
@@ -56,8 +56,7 @@ func (c *certChain) GetLeafCert(sni string) ([]byte, error) {
 }
 
 func (c *certChain) getCertForSNI(sni string) (*tls.Certificate, error) {
-	conf := c.config
-	conf, err := maybeGetConfigForClient(conf, sni)
+	conf, err := maybeGetConfigForClient(c.config, sni)
 	if err != nil {
 		return nil, err
 	}
@@ -107,7 +106,13 @@ func maybeGetConfigForClient(c *tls.Config, sni string) (*tls.Config, error) {
 	if c.GetConfigForClient == nil {
 		return c, nil
 	}
-	return c.GetConfigForClient(&tls.ClientHelloInfo{
-		ServerName: sni,
-	})
+	confForClient, err := c.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
+	if err != nil {
+		return nil, err
+	}
+	// if GetConfigForClient returns nil, use the original config
+	if confForClient == nil {
+		return c, nil
+	}
+	return confForClient, nil
 }

patch -p1 < quic.patch

之后再进入caddy目录进行下一步的编译:

cd $GOPATH/src/github.com/mholt/caddy

请升级到目前的最新版 1.11。

  • 在防火墙中为443端口开启udp

          Firewalld:

sudo firewall-cmd --zone=public --add-port=443/udp --permanent

          iptables:

sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT
  • 将Chrome升级到最新版

在chrome://flags/#enable-quic中启用QUIC支持。

三 一个查看QUIC支持情况的命令

curl -I https://www.coldawn.com we get
HTTP/1.1 200 OK
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"
Cache-Control: max-age=8640000
Content-Type: text/html; charset=UTF-8
Link: <https://www.coldawn.com/wp-json/>; rel="https://api.w.org/"
Server: Caddy
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Powered-By: PHP/7.2.10
X-Xss-Protection: 1; mode=block
Date: Fri, 28 Sep 2018 04:29:41 GMT

解决CentOS 7 上yum update时出现的Error: Multilib version problems found.

发表评论

现象描述

CentOS 7.5 系统,sudo yum update,出现如下错误:

Error:  Multilib version problems found. This often means that the root cause is something else and multilib version checking is just pointing out that there is a problem. Eg.:
       
 1. You have an upgrade for audit-libs which is missing some dependency that another package requires. Yum is trying to solve this by installing an older version of audit-libs of the different architecture. If you exclude the bad architecture yum will tell you what the root cause is (which package requires what). You can try redoing the upgrade with --exclude audit-libs.otherarch ... this should give you an error message showing the root cause of the problem.
       
 2. You have multiple architectures of audit-libs installed, but yum can only see an upgrade for one of those architectures.
 If you don't want/need both architectures anymore then you can remove the one with the missing update and everything will work.
       
 3. You have duplicate versions of audit-libs installed already. You can use "yum check" to get yum show these errors. ...you can also use --setopt=protected_multilib=false to remove this checking, however this is almost never the correct thing to do as something else is very likely to go wrong (often causing much more problems).
       
 Protected multilib versions: -2.8.1-3.el7_5.1.i686 != audit-libs-2.8.1-3.el7.x86_64
Error: Protected multilib versions: systemd-libs-219-57.el7_5.1.i686 != systemd-libs-219-57.el7.x86_64

尝试单独更新相关软件包

单独更新audit-libs,失败

sudo yum update audit-libs 

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * elrepo-kernel: repos.lax-noc.com
 * epel: mirrors.develooper.com
 * extras: mirrors.xtom.com
 * updates: mirror.hostduplex.com
 * webtatic: us-east.repo.webtatic.com
Resolving Dependencies
--> Running transaction check
---> Package audit-libs.i686 0:2.8.1-3.el7 will be updated
---> Package audit-libs.x86_64 0:2.8.1-3.el7 will be updated
--> Processing Dependency: audit-libs(x86-64) = 2.8.1-3.el7 for package: audit-libs-python-2.8.1-3.el7.x86_64
--> Processing Dependency: audit-libs(x86-64) = 2.8.1-3.el7 for package: audit-2.8.1-3.el7.x86_64
---> Package audit-libs.i686 0:2.8.1-3.el7_5.1 will be an update
---> Package audit-libs.x86_64 0:2.8.1-3.el7_5.1 will be an update
--> Running transaction check
---> Package audit.x86_64 0:2.8.1-3.el7 will be updated
---> Package audit.x86_64 0:2.8.1-3.el7_5.1 will be an update
---> Package audit-libs-python.x86_64 0:2.8.1-3.el7 will be updated
---> Package audit-libs-python.x86_64 0:2.8.1-3.el7_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved
=======================================================================================================================================================
 Package                                  Arch                          Version                                   Repository                      Size
=======================================================================================================================================================
Updating:
 audit-libs                               i686                          2.8.1-3.el7_5.1                           updates                        100 k
 audit-libs                               x86_64                        2.8.1-3.el7_5.1                           updates                         99 k
Updating for dependencies:
 audit                                    x86_64                        2.8.1-3.el7_5.1                           updates                        247 k
 audit-libs-python                        x86_64                        2.8.1-3.el7_5.1                           updates                         75 k

Transaction Summary
=======================================================================================================================================================
Upgrade  2 Packages (+2 Dependent packages)

Total size: 521 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test


Transaction check error:
  package audit-libs-2.8.1-3.el7_5.1.x86_64 is already installed

Error Summary
-------------

单独更新systemd-libs,失败

sudo yum update systemd-libs

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * elrepo-kernel: repos.lax-noc.com
 * epel: mirrors.develooper.com
 * extras: mirrors.xtom.com
 * updates: mirror.hostduplex.com
 * webtatic: us-east.repo.webtatic.com
Resolving Dependencies
--> Running transaction check
---> Package systemd-libs.i686 0:219-57.el7 will be updated
--> Processing Dependency: systemd-libs = 219-57.el7 for package: systemd-219-57.el7.x86_64
--> Processing Dependency: systemd-libs = 219-57.el7 for package: libgudev1-219-57.el7.x86_64
---> Package systemd-libs.x86_64 0:219-57.el7 will be updated
--> Processing Dependency: systemd-libs = 219-57.el7 for package: systemd-219-57.el7.x86_64
---> Package systemd-libs.i686 0:219-57.el7_5.1 will be an update
---> Package systemd-libs.x86_64 0:219-57.el7_5.1 will be an update
--> Running transaction check
---> Package libgudev1.x86_64 0:219-57.el7 will be updated
---> Package libgudev1.x86_64 0:219-57.el7_5.1 will be an update
---> Package systemd-libs.i686 0:219-57.el7 will be updated
--> Processing Dependency: systemd-libs = 219-57.el7 for package: systemd-219-57.el7.x86_64
---> Package systemd-libs.x86_64 0:219-57.el7 will be updated
--> Processing Dependency: systemd-libs = 219-57.el7 for package: systemd-219-57.el7.x86_64
--> Finished Dependency Resolution
Error: Package: systemd-219-57.el7.x86_64 (@base)
           Requires: systemd-libs = 219-57.el7
           Removing: systemd-libs-219-57.el7.i686 (@base)
               systemd-libs = 219-57.el7
           Updated By: systemd-libs-219-57.el7_5.1.i686 (updates)
               systemd-libs = 219-57.el7_5.1
 You could try using --skip-broken to work around the problem
** Found 18 pre-existing rpmdb problem(s), 'yum check' output follows:
....

解决办法

系统是64位的,我们在上一步发现了两个不符合x86_64构架的包全名:

audit-libs.i686 0:2.8.1-3.el7

systemd-libs-219-57.el7.i686


需要做的就是移除它们:

sudo yum remove audit-libs.i686 0:2.8.1-3.el7

sudo yum remove systemd-libs-219-57.el7.i686

然后更新系统即可:
sudo yum update