There are already plenty of articles about QUIC, but actually getting it enabled is still a troublesome affair. This post briefly records a few things to watch out for when enabling QUIC for a website.
1. The main advantages of QUIC over the existing HTTP/2:
- Significantly reduced connection establishment time
- Improved congestion control
- Multiplexing without head-of-line blocking
- Forward error correction
- Connection migration
2. The main points to watch when enabling QUIC are the following:
- Build the latest version of Caddy
Caddy commit 13f9c34 already supports QUIC versions 44, 43 and 39; add -quic to the run arguments.
When building caddy, the quic-go vendored from its master branch needs a patch:
cd $GOPATH/src/github.com/mholt/caddy/vendor/github.com/lucas-clemente/quic-go/
vi quic.patch
The content of quic.patch is as follows:
From 20719a7c50c1f97ff0f2272010cda5710794c1d0 Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Thu, 29 Nov 2018 20:33:02 +0700
Subject: [PATCH] use the original tls.Config if tls.Config.GetConfigForClient
returns nil
---
internal/crypto/cert_chain.go | 15 ++++++++++-----
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/internal/crypto/cert_chain.go b/internal/crypto/cert_chain.go
index 0c728fd25..45af2952d 100644
--- a/internal/crypto/cert_chain.go
+++ b/internal/crypto/cert_chain.go
@@ -56,8 +56,7 @@ func (c *certChain) GetLeafCert(sni string) ([]byte, error) {
}
func (c *certChain) getCertForSNI(sni string) (*tls.Certificate, error) {
- conf := c.config
- conf, err := maybeGetConfigForClient(conf, sni)
+ conf, err := maybeGetConfigForClient(c.config, sni)
if err != nil {
return nil, err
}
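Review bot: no behaviour change in this hunk; the temporary `conf := c.config` was only consumed as the argument on the very next line, so passing `c.config` directly is a safe simplification, and the header counts (8 lines becoming 7) agree with the single deleted line.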
@@ -107,7 +106,13 @@ func maybeGetConfigForClient(c *tls.Config, sni string) (*tls.Config, error) {
if c.GetConfigForClient == nil {
return c, nil
}
- return c.GetConfigForClient(&tls.ClientHelloInfo{
- ServerName: sni,
- })
+ confForClient, err := c.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
+ if err != nil {
+ return nil, err
+ }
+ // if GetConfigForClient returns nil, use the original config
+ if confForClient == nil {
+ return c, nil
+ }
+ return confForClient, nil
}
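Review bot: the `confForClient == nil` check is the substantive fix and is correct: crypto/tls documents that `GetConfigForClient` may return `nil, nil` to mean "keep using the original config", and before this hunk that nil `*tls.Config` was handed straight back to `getCertForSNI`. One thing worth a code comment is that the `tls.ClientHelloInfo` built here carries only `ServerName`, so a callback that keys on any other field of the hello sees zero values; that is pre-existing behaviour rather than something this patch introduces.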
patch -p1 < quic.patch
Then go back to the caddy directory for the next step, the build itself:
cd $GOPATH/src/github.com/mholt/caddy
- Upgrade Go to the latest version
Please upgrade to the current latest release, 1.11.
- Open UDP port 443 in the firewall
Firewalld:
sudo firewall-cmd --zone=public --add-port=443/udp --permanent
iptables:
sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT
- Upgrade Chrome to the latest version
Enable QUIC support at chrome://flags/#enable-quic.
3. A command to check whether QUIC is being advertised
Running curl -I https://www.coldawn.com gives:
HTTP/1.1 200 OK
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"
Cache-Control: max-age=8640000
Content-Type: text/html; charset=UTF-8
Link: <https://www.coldawn.com/wp-json/>; rel="https://api.w.org/"
Server: Caddy
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Powered-By: PHP/7.2.10
X-Xss-Protection: 1; mode=block
Date: Fri, 28 Sep 2018 04:29:41 GMT
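The Alt-Svc header in that response is what tells a client that QUIC is available, so it is worth checking that the advertised port matches the UDP port opened in the firewall and that the version list is what the Caddy build supports. The following Go parser is an added example, not code from this post or from Caddy or quic-go; it parses Alt-Svc values per RFC 7838 (including the special value "clear"), and the sample value in the test is the one from the response above.

```go
package main

import (
	"strconv"
	"strings"
)

// AltService is one alternative from an Alt-Svc header (RFC 7838).
type AltService struct {
	Protocol string   // ALPN id: "quic" for the Google QUIC this Caddy build advertises
	Port     string   // port from the alt-authority "[host]:port" (host is normally empty)
	MaxAge   int      // ma= in seconds; RFC 7838 defaults it to 86400 when absent
	Versions []string // v= list that Google QUIC used to announce supported versions
}
// splitOutsideQuotes splits s on sep except inside double quotes, so the commas
// inside v="44,43,39" are not mistaken for the separator between alternatives.
func splitOutsideQuotes(s string, sep byte) []string {
	parts, start, inQuote := []string{}, 0, false
	for i := 0; i < len(s); i++ {
		if s[i] == '"' {
			inQuote = !inQuote
		} else if s[i] == sep && !inQuote {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}
// ParseAltSvc parses an Alt-Svc value into its alternatives; "clear" yields none.
func ParseAltSvc(value string) []AltService {
	var out []AltService
	for _, alt := range splitOutsideQuotes(value, ',') {
		fields := splitOutsideQuotes(alt, ';')
		proto, auth, ok := strings.Cut(strings.TrimSpace(fields[0]), "=")
		if !ok {
			continue // no "protocol=authority" pair: malformed, or the special value "clear"
		}
		auth = strings.Trim(auth, `"`) // RFC 7838 requires the ":port" part to be present
		s := AltService{Protocol: proto, Port: auth[strings.LastIndex(auth, ":")+1:], MaxAge: 86400}
		for _, p := range fields[1:] {
			k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
			if v = strings.Trim(v, `"`); k == "v" {
				s.Versions = strings.Split(v, ",")
			} else if n, err := strconv.Atoi(v); k == "ma" && err == nil {
				s.MaxAge = n
			}
		}
		out = append(out, s)
	}
	return out
}
```

If the parsed Port is not the UDP port you opened, or Versions does not contain a version your Chrome build still speaks, the browser will silently stay on TCP.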