feat: QUIC 与 IPV6 实验性支持

TheTNB · Dec 7, 2023 · 2410628 · 2410628
1 parent ce8addf
commit 2410628
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 46 deletions.
diff --git a/app/plugins/openresty/openresty.go b/app/plugins/openresty/openresty.go
@@ -4,7 +4,7 @@ var (
 	Name        = "OpenResty"
 	Description = "OpenResty® 是一款基于 NGINX 和 LuaJIT 的 Web 平台。"
 	Slug        = "openresty"
-	Version     = "1.21.4.3"
+	Version     = "1.25.3.1rc1"
 	Requires    = []string{}
 	Excludes    = []string{}
 	Install     = "bash /www/panel/scripts/openresty/install.sh"

diff --git a/app/services/website.go b/app/services/website.go
@@ -177,9 +177,11 @@ func (r *WebsiteImpl) Add(website PanelWebsite) (models.Website, error) {
 	for i, port := range website.Ports {
 		if _, ok := portUsed[port]; !ok {
 			if i == len(website.Ports)-1 {
-				portList += "    listen " + cast.ToString(port) + ";"
+				portList += "    listen " + cast.ToString(port) + ";\n"
+				portList += "    listen [::]:" + cast.ToString(port) + ";"
 			} else {
 				portList += "    listen " + cast.ToString(port) + ";\n"
+				portList += "    listen [::]:" + cast.ToString(port) + ";\n"
 			}
 			portUsed[port] = true
 		}
@@ -354,12 +356,22 @@ func (r *WebsiteImpl) SaveConfig(config requests.SaveConfig) error {
 	for i, v := range ports {
 		vStr := cast.ToString(v)
 		if v == 443 && config.Ssl {
-			vStr = "443 ssl http2"
+			vStr = `    listen 443 ssl;
+	listen [::]:443 ssl;
+    listen 443 quic reuseport;
+	listen [::]:443 quic reuseport;`
+			port.WriteString(vStr)
+			if i != len(ports)-1 {
+				port.WriteString("\n")
+			}
+			continue
 		}
 		if i != len(ports)-1 {
 			port.WriteString("    listen " + vStr + ";\n")
+			port.WriteString("    listen [::]:" + vStr + ";\n")
 		} else {
-			port.WriteString("    listen " + vStr + ";")
+			port.WriteString("    listen " + vStr + ";\n")
+			port.WriteString("    listen [::]:" + vStr + ";")
 		}
 	}
 	portConfigOld := tools.Cut(raw, "# port标记位开始", "# port标记位结束")
@@ -446,10 +458,11 @@ func (r *WebsiteImpl) SaveConfig(config requests.SaveConfig) error {
     ssl_certificate_key /www/server/vhost/ssl/` + website.Name + `.key;
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:10m;
-    ssl_session_tickets off;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
+    ssl_early_data on;
+    add_header Alt-Svc 'h3=":443"; ma=86400';
     `
 		if config.HttpRedirect {
 			sslConfig += `# http重定向标记位开始
@@ -564,9 +577,18 @@ func (r *WebsiteImpl) GetConfig(id uint) (WebsiteSetting, error) {
 		if len(match) < 2 {
 			continue
 		}
+		// 跳过 ipv6
+		if strings.Contains(match[1], "[::]") {
+			continue
+		}
 
-		port := strings.Fields(match[1])[0]
-		setting.Ports = append(setting.Ports, cast.ToUint(port))
+		// 处理 443 ssl 之类的情况
+		ports := strings.Fields(match[1])
+		if len(ports) == 1 {
+			setting.Ports = append(setting.Ports, cast.ToUint(ports[0]))
+		} else if len(ports) > 1 && ports[1] == "ssl" {
+			setting.Ports = append(setting.Ports, cast.ToUint(ports[0]))
+		}
 	}
 	serverName := tools.Cut(config, "# server_name标记位开始", "# server_name标记位结束")
 	match := regexp.MustCompile(`server_name\s+(.*);`).FindStringSubmatch(serverName)

diff --git a/scripts/install_panel.sh b/scripts/install_panel.sh
@@ -248,6 +248,7 @@ Init_Panel() {
         firewall-cmd --permanent --zone=public --add-port=22/tcp > /dev/null 2>&1
         firewall-cmd --permanent --zone=public --add-port=80/tcp > /dev/null 2>&1
         firewall-cmd --permanent --zone=public --add-port=443/tcp > /dev/null 2>&1
+        firewall-cmd --permanent --zone=public --add-port=443/udp > /dev/null 2>&1
         firewall-cmd --permanent --zone=public --add-port=8888/tcp > /dev/null 2>&1
         firewall-cmd --permanent --zone=public --add-port=${sshPort}/tcp > /dev/null 2>&1
         firewall-cmd --reload
@@ -257,6 +258,7 @@ Init_Panel() {
         ufw allow 22/tcp
         ufw allow 80/tcp
         ufw allow 443/tcp
+        ufw allow 443/udp
         ufw allow 8888/tcp
         ufw allow ${sshPort}/tcp
         ufw reload

diff --git a/scripts/openresty/install.sh b/scripts/openresty/install.sh
@@ -24,7 +24,7 @@ OS=$(source /etc/os-release && { [[ "$ID" == "debian" ]] && echo "debian"; } ||
 downloadUrl="https://git.haozi.net/opensource/download/-/raw/main/panel/openresty"
 setupPath="/www"
 openrestyPath="${setupPath}/server/openresty"
-openrestyVersion="1.21.4.3"
+openrestyVersion="1.25.3.1rc1"
 cpuCore=$(cat /proc/cpuinfo | grep "processor" | wc -l)
 
 source ${setupPath}/panel/scripts/calculate_j.sh
@@ -67,36 +67,36 @@ mv openresty-${openrestyVersion} src
 cd src
 
 # openssl
-wget -T 120 -t 3 -O openssl-1.1.1w.tar.gz ${downloadUrl}/openssl/openssl-1.1.1w.tar.gz
-wget -T 20 -t 3 -O openssl-1.1.1w.tar.gz.checksum.txt ${downloadUrl}/openssl/openssl-1.1.1w.tar.gz.checksum.txt
+wget -T 120 -t 3 -O openssl-3.0.12.tar.gz ${downloadUrl}/openssl/openssl-3.0.12.tar.gz
+wget -T 20 -t 3 -O openssl-3.0.12.tar.gz.checksum.txt ${downloadUrl}/openssl/openssl-3.0.12.tar.gz.checksum.txt
 
-if ! sha256sum --status -c openssl-1.1.1w.tar.gz.checksum.txt; then
+if ! sha256sum --status -c openssl-3.0.12.tar.gz.checksum.txt; then
     echo -e $HR
     echo "错误：OpenSSL 源码 checksum 校验失败，文件可能被篡改或不完整，已终止操作"
     rm -rf ${openrestyPath}
     exit 1
 fi
 
-tar -zxvf openssl-1.1.1w.tar.gz
-rm -f openssl-1.1.1w.tar.gz
-rm -f openssl-1.1.1w.tar.gz.checksum.txt
-mv openssl-1.1.1w openssl
+tar -zxvf openssl-3.0.12.tar.gz
+rm -f openssl-3.0.12.tar.gz
+rm -f openssl-3.0.12.tar.gz.checksum.txt
+mv openssl-3.0.12 openssl
 
 # patch openssl
 cd openssl
-wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch ${downloadUrl}/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch
-wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt ${downloadUrl}/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt
+wget -T 20 -t 3 -O openssl-3.0.12-sess_set_get_cb_yield.patch ${downloadUrl}/openssl/openssl-3.0.12-sess_set_get_cb_yield.patch
+wget -T 20 -t 3 -O openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt ${downloadUrl}/openssl/openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt
 
-if ! sha256sum --status -c openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt; then
+if ! sha256sum --status -c openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt; then
     echo -e $HR
     echo "错误：OpenSSL 补丁文件 checksum 校验失败，文件可能被篡改或不完整，已终止操作"
     rm -rf ${openrestyPath}
     exit 1
 fi
 
-patch -p1 < openssl-1.1.1f-sess_set_get_cb_yield.patch
-rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch
-rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt
+patch -p1 < openssl-3.0.12-sess_set_get_cb_yield.patch
+rm -f openssl-3.0.12-sess_set_get_cb_yield.patch
+rm -f openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt
 cd ../
 
 # pcre
@@ -221,43 +221,33 @@ fi
 cd ${openrestyPath}/src
 
 # brotli
-wget -T 20 -t 3 -O ngx_brotli-1.0.0rc.zip ${downloadUrl}/modules/ngx_brotli-1.0.0rc.zip
-wget -T 20 -t 3 -O ngx_brotli-1.0.0rc.zip.checksum.txt ${downloadUrl}/modules/ngx_brotli-1.0.0rc.zip.checksum.txt
+wget -T 20 -t 3 -O ngx_brotli-a71f931.zip ${downloadUrl}/modules/ngx_brotli-a71f931.zip
+wget -T 20 -t 3 -O ngx_brotli-a71f931.zip.checksum.txt ${downloadUrl}/modules/ngx_brotli-a71f931.zip.checksum.txt
 
-if ! sha256sum --status -c ngx_brotli-1.0.0rc.zip.checksum.txt; then
+if ! sha256sum --status -c ngx_brotli-a71f931.zip.checksum.txt; then
     echo -e $HR
     echo "错误：ngx_brotli 源码 checksum 校验失败，文件可能被篡改或不完整，已终止操作"
     rm -rf ${openrestyPath}
     exit 1
 fi
 
-unzip -o ngx_brotli-1.0.0rc.zip
-mv ngx_brotli-1.0.0rc ngx_brotli
-rm -f ngx_brotli-1.0.0rc.zip
-rm -f ngx_brotli-1.0.0rc.zip.checksum.txt
-cd ngx_brotli/deps
-rm -rf brotli
-
-wget -T 20 -t 3 -O brotli-1.0.9.zip ${downloadUrl}/modules/brotli-1.0.9.zip
-wget -T 20 -t 3 -O brotli-1.0.9.zip.checksum.txt ${downloadUrl}/modules/brotli-1.0.9.zip.checksum.txt
-
-if ! sha256sum --status -c brotli-1.0.9.zip.checksum.txt; then
-    echo -e $HR
-    echo "错误：brotli 源码 checksum 校验失败，文件可能被篡改或不完整，已终止操作"
-    rm -rf ${openrestyPath}
-    exit 1
-fi
-
-unzip -o brotli-1.0.9.zip
-mv brotli-1.0.9 brotli
-rm -f brotli-1.0.9.zip
-rm -f brotli-1.0.9.zip.checksum.txt
+unzip -o ngx_brotli-a71f931.zip
+mv ngx_brotli-a71f931 ngx_brotli
+rm -f ngx_brotli-a71f931.zip
+rm -f ngx_brotli-a71f931.zip.checksum.txt
+cd ngx_brotli/deps/brotli
+mkdir out && cd out
+cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
+cmake --build . --config Release --target brotlienc
+cd ../../../../
 
 cd ${openrestyPath}/src
 export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
 export LIB_UTHASH=${openrestyPath}/src/uthash
+export CFLAGS="-march=native -mtune=native -Ofast -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
+export LDFLAGS="-Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections"
 
-./configure --user=www --group=www --prefix=${openrestyPath} --with-luajit --add-module=${openrestyPath}/src/ngx_cache_purge --add-module=${openrestyPath}/src/nginx-sticky-module --with-openssl=${openrestyPath}/src/openssl --with-pcre=${openrestyPath}/src/pcre --with-pcre-jit --with-http_v2_module --with-http_slice_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-ld-opt="-Wl,-E" --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC" --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" --with-compat --with-http_dav_module --add-module=${openrestyPath}/src/nginx-dav-ext-module --add-module=${openrestyPath}/src/ngx_brotli --add-module=${openrestyPath}/ngx_waf
+./configure --user=www --group=www --prefix=${openrestyPath} --with-luajit --add-module=${openrestyPath}/src/ngx_cache_purge --add-module=${openrestyPath}/src/nginx-sticky-module --with-openssl=${openrestyPath}/src/openssl --with-pcre=${openrestyPath}/src/pcre --with-pcre-jit --with-http_v2_module --with-http_v3_module --with-http_slice_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-ld-opt="-Wl,-E" --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC" --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" --with-compat --with-http_dav_module --add-module=${openrestyPath}/src/nginx-dav-ext-module --add-module=${openrestyPath}/src/ngx_brotli --add-module=${openrestyPath}/ngx_waf
 make "-j${j}"
 if [ "$?" != "0" ]; then
     echo -e $HR
@@ -300,6 +290,7 @@ worker_processes auto;
 error_log /www/wwwlogs/openresty_error.log crit;
 pid /www/server/openresty/nginx.pid;
 worker_rlimit_nofile 51200;
+quic_bpf on;
 
 stream {
     log_format tcp_format '\$time_local|\$remote_addr|\$protocol|\$status|\$bytes_sent|\$bytes_received|\$session_time|\$upstream_addr|\$upstream_bytes_sent|\$upstream_bytes_received|\$upstream_connect_time';
@@ -335,6 +326,9 @@ http {
 
     keepalive_timeout 60;
 
+    http2 on;
+    http3 on;
+    quic_gso on;
     tcp_nodelay on;
 
     fastcgi_connect_timeout 300;