[FRsAG] [FRnOG] [TECH] The QUIC protocol is now standardized

Jean-Francois Billaud billaud at billaud.eu.org
Fri 28 May 09:20:12 CEST 2021


Copy -> FRsAG

On 28/05/2021 07:23, Stephane Bortzmeyer wrote:

> The four RFCs on QUIC have just been published. This new transport
> protocol, a competitor to TCP, could well become the dominant
> transport on the Internet, and change a few things (for example,
> the mechanics of the transport layer are now encrypted and no
> longer visible to a prying observer, which may make some people
> grumble).
> 
> https://www.bortzmeyer.org/quic.html

You can test with nginx-quic, which uses boringssl.

https://quic.nginx.org/
https://boringssl.googlesource.com/boringssl/


JFB


PS Tested with Debian 10 (ngx-fancyindex and nginx-ct-master can be left out):

### boringssl
# https://boringssl.googlesource.com/boringssl/
cd /usr/src
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
mkdir build
cd build
cmake ..
make

### nginx-quic
# https://quic.nginx.org/
# https://hg.nginx.org/nginx-quic/shortlog/quic
cd /usr/src
hg clone -b quic https://hg.nginx.org/nginx-quic
cd nginx-quic
# README
./auto/configure --with-debug --with-http_v3_module \
        --with-cc-opt="-I../boringssl/include" \
        --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" \
        --prefix=/usr/local/nginx-quic \
        --with-http_ssl_module --with-http_v2_module \
        --with-http_stub_status_module --with-http_gzip_static_module \
        --with-http_geoip_module \
        --with-openssl-opt=no-shared \
        --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module \
        --add-dynamic-module=/usr/src/nginx-ct-master --add-module=../ngx-fancyindex \
        --user=www-data --group=www-data

make
make install

### /usr/local/nginx-quic/conf/nginx.conf
# (1)
events {}

http {
        log_format quic '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" "$quic" "$http3"';

        access_log logs/access.log quic;

        server {
            # for better compatibility it's recommended
            # to use the same port for quic and https
            listen 443 http3 reuseport;
            listen 443 ssl;

            ssl_certificate     fullchain.pem;
            ssl_certificate_key privkey.pem;
            ssl_protocols       TLSv1.3;

            location / {
                # required for browsers to direct them into quic port
                add_header Alt-Svc '$http3=":443"; ma=86400';
                add_header QUIC-Status $quic;
                root   /var/www/html/;
                index  index.html index.htm;

            }
        }
}



-- 
           __  _
       .-.'  `; `-._  __  _
      (_,         .-:'  `; `-._
    ,'o"(        (_,           )
   (__,-'      ,'o"(            )>
      (       (__,-'            )
       `-'._.--._(             )
          |||  |||`-'._.--._.-'
                     |||  |||
(Bob Allison)
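
Added example (not part of the original message): a Python script that parses access-log lines in the `quic` log_format from the nginx.conf above and counts requests per transport, to confirm that clients actually reach the server over QUIC. The sample lines are constructed, and the logged values of `$quic` and `$http3` ("quic", "", "-", "h3-29") are assumptions.

```python
import re
from collections import Counter

# Mirrors the "quic" log_format from the nginx.conf in the message:
# combined-style fields followed by "$quic" and "$http3".
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<quic>[^"]*)" "(?P<http3>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of the logged fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Assumption: a request that did not use QUIC logs "$quic" as "" or "-".
    # Only "$quic" is used to classify; "$http3" is kept as logged.
    rec["transport"] = "quic" if rec["quic"] not in ("", "-") else "tcp"
    return rec

def summarize(lines):
    """Count requests per transport and list clients that never used QUIC."""
    counts = Counter()
    per_client = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1  # keep malformed lines visible
            continue
        counts[rec["transport"]] += 1
        per_client.setdefault(rec["addr"], set()).add(rec["transport"])
    tcp_only = sorted(a for a, seen in per_client.items() if seen == {"tcp"})
    return counts, tcp_only

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [28/May/2021:09:30:01 +0200] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "" "h3-29"',
    '192.0.2.10 - - [28/May/2021:09:30:05 +0200] "GET / HTTP/3.0" 200 612 "-" "Mozilla/5.0" "quic" "h3-29"',
    '198.51.100.7 - - [28/May/2021:09:31:12 +0200] "GET /index.html HTTP/2.0" 200 612 "-" "Mozilla/5.0" "-" "h3-29"',
    'not an access-log line',
]

if __name__ == "__main__":
    counts, tcp_only = summarize(SAMPLE)
    print(dict(counts))
    print("clients seen only over TCP:", tcp_only)
```

Clients listed as TCP-only either ignored the Alt-Svc header or could not reach UDP port 443, which is worth checking against the firewall rules.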

