From 24106288cb5041f53688c0cc1ada2bd5007985f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Fri, 8 Dec 2023 00:11:11 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20QUIC=20=E4=B8=8E=20IPV6=20=E5=AE=9E?=
 =?UTF-8?q?=E9=AA=8C=E6=80=A7=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/plugins/openresty/openresty.go | 2 +-
 app/services/website.go | 34 +++++++++++---
 scripts/install_panel.sh | 2 +
 scripts/openresty/install.sh | 72 ++++++++++++++----------------
 4 files changed, 64 insertions(+), 46 deletions(-)

diff --git a/app/plugins/openresty/openresty.go b/app/plugins/openresty/openresty.go
index 83a916e929..08ebfcd4d4 100644
--- a/app/plugins/openresty/openresty.go
+++ b/app/plugins/openresty/openresty.go
@@ -4,7 +4,7 @@ var (
 Name = "OpenResty"
 Description = "OpenResty® 是一款基于 NGINX 和 LuaJIT 的 Web 平台。"
 Slug = "openresty"
- Version = "1.21.4.3"
+ Version = "1.25.3.1rc1"
 Requires = []string{}
 Excludes = []string{}
 Install = "bash /www/panel/scripts/openresty/install.sh"
diff --git a/app/services/website.go b/app/services/website.go
index c73dd21fef..2c21673c6f 100644
--- a/app/services/website.go
+++ b/app/services/website.go
@@ -177,9 +177,11 @@ func (r *WebsiteImpl) Add(website PanelWebsite) (models.Website, error) {
 for i, port := range website.Ports {
 if _, ok := portUsed[port]; !ok {
 if i == len(website.Ports)-1 {
- portList += " listen " + cast.ToString(port) + ";"
+ portList += " listen " + cast.ToString(port) + ";\n"
+ portList += " listen [::]:" + cast.ToString(port) + ";"
 } else {
 portList += " listen " + cast.ToString(port) + ";\n"
+ portList += " listen [::]:" + cast.ToString(port) + ";\n"
 }
 portUsed[port] = true
 }
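Review bot: The `listen [::]:<port>;` lines are emitted unconditionally in both branches, so a host with IPv6 disabled at the kernel level gets a vhost that nginx refuses to load, because the `[::]` socket cannot be created or bound and the whole server fails to start rather than just losing IPv6. Since the commit itself calls the IPv6 support experimental, gate the second line on an availability probe (for example, whether `/proc/net/if_inet6` exists) or on a per-site setting, and keep the IPv4 line as the always-present fallback. The two branches now differ only in the trailing `\n`; building both `listen` lines once and appending the newline only when `i != len(website.Ports)-1` would remove the duplicated string construction. Add's body continues outside the hunk.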
@@ -354,12 +356,22 @@ func (r *WebsiteImpl) SaveConfig(config requests.SaveConfig) error {
 for i, v := range ports {
 vStr := cast.ToString(v)
 if v == 443 && config.Ssl {
- vStr = "443 ssl http2"
+ vStr = ` listen 443 ssl;
+ listen [::]:443 ssl;
+ listen 443 quic reuseport;
+ listen [::]:443 quic reuseport;`
+ port.WriteString(vStr)
+ if i != len(ports)-1 {
+ port.WriteString("\n")
+ }
+ continue
 }
 if i != len(ports)-1 {
 port.WriteString(" listen " + vStr + ";\n")
+ port.WriteString(" listen [::]:" + vStr + ";\n")
 } else {
- port.WriteString(" listen " + vStr + ";")
+ port.WriteString(" listen " + vStr + ";\n")
+ port.WriteString(" listen [::]:" + vStr + ";")
 }
 }
 portConfigOld := tools.Cut(raw, "# port标记位开始", "# port标记位结束")
@@ -446,10 +458,11 @@ func (r *WebsiteImpl) SaveConfig(config requests.SaveConfig) error {
 ssl_certificate_key /www/server/vhost/ssl/` + website.Name + `.key;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
+ ssl_early_data on;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
 `
 if config.HttpRedirect {
 sslConfig += `# http重定向标记位开始
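Review bot: `listen 443 quic reuseport;` and its `[::]` twin are written into every site that has SSL enabled, but nginx documents socket-level listen parameters such as `reuseport` as allowed only once per address:port pair across the whole configuration, so as far as I can tell the second SSL site would make `nginx -t` report duplicate listen options and block reloads for every site on the server. Since the parameter applies to the shared socket, emit `reuseport` from exactly one place (a default server block written by the installer) and keep the per-site lines as `listen 443 quic;` / `listen [::]:443 quic;`. The `quic` parameter is also only accepted by a binary built with `--with-http_v3_module`, so a panel that updates before its OpenResty plugin would write a config its current binary rejects; a check of the installed plugin version before emitting these lines would avoid that. SaveConfig continues outside the hunk.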
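Review bot: `ssl_early_data on;` turns on TLS 1.3 0-RTT for every SSL site, and requests carried in early data can be replayed by someone on the network path (RFC 8470), so non-idempotent requests must be rejected at the application layer; nginx's documented mitigation is to pass the flag upstream, e.g. `proxy_set_header Early-Data $ssl_early_data;` (or the equivalent `fastcgi_param`) so the backend can answer 425 Too Early. This template enables the feature without that header, so either add it to the proxy and PHP templates in the same change or keep early data off by default behind an opt-in switch. Removing `ssl_session_tickets off;` also changes resumption: with no `ssl_session_ticket_key` configured nginx uses a key it generates itself and, as far as I understand, only replaces it on restart or reload, so a long-running server keeps one key that protects all recorded resumed sessions — if tickets are intended, a short comment on that line should record the trade-off. SaveConfig continues outside the hunk.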
@@ -564,9 +577,18 @@ func (r *WebsiteImpl) GetConfig(id uint) (WebsiteSetting, error) {
 if len(match) < 2 {
 continue
 }
+ // 跳过 ipv6
+ if strings.Contains(match[1], "[::]") {
+ continue
+ }
- port := strings.Fields(match[1])[0]
- setting.Ports = append(setting.Ports, cast.ToUint(port))
+ // 处理 443 ssl 之类的情况
+ ports := strings.Fields(match[1])
+ if len(ports) == 1 {
+ setting.Ports = append(setting.Ports, cast.ToUint(ports[0]))
+ } else if len(ports) > 1 && ports[1] == "ssl" {
+ setting.Ports = append(setting.Ports, cast.ToUint(ports[0]))
+ }
 }
 serverName := tools.Cut(config, "# server_name标记位开始", "# server_name标记位结束")
 match := regexp.MustCompile(`server_name\s+(.*);`).FindStringSubmatch(serverName)
diff --git a/scripts/install_panel.sh b/scripts/install_panel.sh
index b5ac294305..9fd29da05d 100644
--- a/scripts/install_panel.sh
+++ b/scripts/install_panel.sh
@@ -248,6 +248,7 @@ Init_Panel() {
 firewall-cmd --permanent --zone=public --add-port=22/tcp > /dev/null 2>&1
 firewall-cmd --permanent --zone=public --add-port=80/tcp > /dev/null 2>&1
 firewall-cmd --permanent --zone=public --add-port=443/tcp > /dev/null 2>&1
+ firewall-cmd --permanent --zone=public --add-port=443/udp > /dev/null 2>&1
 firewall-cmd --permanent --zone=public --add-port=8888/tcp > /dev/null 2>&1
 firewall-cmd --permanent --zone=public --add-port=${sshPort}/tcp > /dev/null 2>&1
 firewall-cmd --reload
@@ -257,6 +258,7 @@ Init_Panel() {
 ufw allow 22/tcp
 ufw allow 80/tcp
 ufw allow 443/tcp
+ ufw allow 443/udp
 ufw allow 8888/tcp
 ufw allow ${sshPort}/tcp
 ufw reload
diff --git a/scripts/openresty/install.sh b/scripts/openresty/install.sh
index 0df2502b2a..6b94fd7e82 100644
--- a/scripts/openresty/install.sh
+++ b/scripts/openresty/install.sh
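Review bot: The two branches at the end of the GetConfig hunk append exactly the same value, so `if len(ports) == 1 || ports[1] == "ssl" { setting.Ports = append(setting.Ports, cast.ToUint(ports[0])) }` expresses the same rule in one condition (the `len(ports) > 1` guard is already implied once `len(ports) == 1` is false). The `quic reuseport` lines that SaveConfig now writes for 443 are excluded only because their second field happens not to be `ssl`; a comment such as `// count plain and "ssl" listens only, so the quic twin of 443 is not added twice` would make that intent explicit rather than incidental. `cast.ToUint` returns 0 for a first field that is not a bare number (a hand-edited `listen 0.0.0.0:80;`, for instance), so a zero port can land in `Ports` silently; parsing with `strconv.ParseUint` and skipping on error would surface that instead. GetConfig's body continues outside the hunk.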
@@ -24,7 +24,7 @@ OS=$(source /etc/os-release && { [[ "$ID" == "debian" ]] && echo "debian"; } ||
 downloadUrl="https://git.haozi.net/opensource/download/-/raw/main/panel/openresty"
 setupPath="/www"
 openrestyPath="${setupPath}/server/openresty"
-openrestyVersion="1.21.4.3"
+openrestyVersion="1.25.3.1rc1"
 cpuCore=$(cat /proc/cpuinfo | grep "processor" | wc -l)
 source ${setupPath}/panel/scripts/calculate_j.sh
@@ -67,36 +67,36 @@ mv openresty-${openrestyVersion} src
 cd src
 # openssl
-wget -T 120 -t 3 -O openssl-1.1.1w.tar.gz ${downloadUrl}/openssl/openssl-1.1.1w.tar.gz
-wget -T 20 -t 3 -O openssl-1.1.1w.tar.gz.checksum.txt ${downloadUrl}/openssl/openssl-1.1.1w.tar.gz.checksum.txt
+wget -T 120 -t 3 -O openssl-3.0.12.tar.gz ${downloadUrl}/openssl/openssl-3.0.12.tar.gz
+wget -T 20 -t 3 -O openssl-3.0.12.tar.gz.checksum.txt ${downloadUrl}/openssl/openssl-3.0.12.tar.gz.checksum.txt
-if ! sha256sum --status -c openssl-1.1.1w.tar.gz.checksum.txt; then
+if ! sha256sum --status -c openssl-3.0.12.tar.gz.checksum.txt; then
 echo -e $HR
 echo "错误:OpenSSL 源码 checksum 校验失败,文件可能被篡改或不完整,已终止操作"
 rm -rf ${openrestyPath}
 exit 1
 fi
-tar -zxvf openssl-1.1.1w.tar.gz
-rm -f openssl-1.1.1w.tar.gz
-rm -f openssl-1.1.1w.tar.gz.checksum.txt
-mv openssl-1.1.1w openssl
+tar -zxvf openssl-3.0.12.tar.gz
+rm -f openssl-3.0.12.tar.gz
+rm -f openssl-3.0.12.tar.gz.checksum.txt
+mv openssl-3.0.12 openssl
 # patch openssl
 cd openssl
-wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch ${downloadUrl}/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch
-wget -T 20 -t 3 -O openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt ${downloadUrl}/openssl/openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt
+wget -T 20 -t 3 -O openssl-3.0.12-sess_set_get_cb_yield.patch ${downloadUrl}/openssl/openssl-3.0.12-sess_set_get_cb_yield.patch
+wget -T 20 -t 3 -O openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt ${downloadUrl}/openssl/openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt
-if ! sha256sum --status -c openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt; then
+if ! sha256sum --status -c openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt; then
 echo -e $HR
 echo "错误:OpenSSL 补丁文件 checksum 校验失败,文件可能被篡改或不完整,已终止操作"
 rm -rf ${openrestyPath}
 exit 1
 fi
-patch -p1 < openssl-1.1.1f-sess_set_get_cb_yield.patch
-rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch
-rm -f openssl-1.1.1f-sess_set_get_cb_yield.patch.checksum.txt
+patch -p1 < openssl-3.0.12-sess_set_get_cb_yield.patch
+rm -f openssl-3.0.12-sess_set_get_cb_yield.patch
+rm -f openssl-3.0.12-sess_set_get_cb_yield.patch.checksum.txt
 cd ../
 # pcre
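Review bot: Both `sha256sum --status -c` gates in this hunk — for the OpenSSL 3.0.12 tarball and for the renamed `sess_set_get_cb_yield` patch — verify against a `.checksum.txt` fetched from the same `${downloadUrl}` as the artifact itself, so they catch a truncated or corrupted download but not a substituted one: whoever controls or can serve for that host can replace the file and its checksum together. The version bump is a natural moment to pin the expected digests in the script instead, e.g. `opensslSha256="<expected sha256 of openssl-3.0.12.tar.gz>"` and `echo "${opensslSha256}  openssl-3.0.12.tar.gz" | sha256sum --status -c -`, or to publish signed checksum files and verify the signature before use. A one-line comment above the first `wget`, such as `# checksum files are fetched from the same origin as the artifacts; they detect corruption, not tampering`, would at least make the current guarantee explicit for the next maintainer. The script continues outside the hunk.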
@@ -221,43 +221,33 @@ fi
 cd ${openrestyPath}/src
 # brotli
-wget -T 20 -t 3 -O ngx_brotli-1.0.0rc.zip ${downloadUrl}/modules/ngx_brotli-1.0.0rc.zip
-wget -T 20 -t 3 -O ngx_brotli-1.0.0rc.zip.checksum.txt ${downloadUrl}/modules/ngx_brotli-1.0.0rc.zip.checksum.txt
+wget -T 20 -t 3 -O ngx_brotli-a71f931.zip ${downloadUrl}/modules/ngx_brotli-a71f931.zip
+wget -T 20 -t 3 -O ngx_brotli-a71f931.zip.checksum.txt ${downloadUrl}/modules/ngx_brotli-a71f931.zip.checksum.txt
-if ! sha256sum --status -c ngx_brotli-1.0.0rc.zip.checksum.txt; then
+if ! sha256sum --status -c ngx_brotli-a71f931.zip.checksum.txt; then
 echo -e $HR
 echo "错误:ngx_brotli 源码 checksum 校验失败,文件可能被篡改或不完整,已终止操作"
 rm -rf ${openrestyPath}
 exit 1
 fi
-unzip -o ngx_brotli-1.0.0rc.zip
-mv ngx_brotli-1.0.0rc ngx_brotli
-rm -f ngx_brotli-1.0.0rc.zip
-rm -f ngx_brotli-1.0.0rc.zip.checksum.txt
-cd ngx_brotli/deps
-rm -rf brotli
-
-wget -T 20 -t 3 -O brotli-1.0.9.zip ${downloadUrl}/modules/brotli-1.0.9.zip
-wget -T 20 -t 3 -O brotli-1.0.9.zip.checksum.txt ${downloadUrl}/modules/brotli-1.0.9.zip.checksum.txt
-
-if ! sha256sum --status -c brotli-1.0.9.zip.checksum.txt; then
- echo -e $HR
- echo "错误:brotli 源码 checksum 校验失败,文件可能被篡改或不完整,已终止操作"
- rm -rf ${openrestyPath}
- exit 1
-fi
-
-unzip -o brotli-1.0.9.zip
-mv brotli-1.0.9 brotli
-rm -f brotli-1.0.9.zip
-rm -f brotli-1.0.9.zip.checksum.txt
+unzip -o ngx_brotli-a71f931.zip
+mv ngx_brotli-a71f931 ngx_brotli
+rm -f ngx_brotli-a71f931.zip
+rm -f ngx_brotli-a71f931.zip.checksum.txt
+cd ngx_brotli/deps/brotli
+mkdir out && cd out
+cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_CXX_FLAGS="-Ofast -march=native -mtune=native -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections" -DCMAKE_INSTALL_PREFIX=./installed ..
+cmake --build . --config Release --target brotlienc
+cd ../../../../
 cd ${openrestyPath}/src
 export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH
 export LIB_UTHASH=${openrestyPath}/src/uthash
+export CFLAGS="-march=native -mtune=native -Ofast -funroll-loops -ffunction-sections -fdata-sections -Wl,--gc-sections"
+export LDFLAGS="-Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections"
-./configure --user=www --group=www --prefix=${openrestyPath} --with-luajit --add-module=${openrestyPath}/src/ngx_cache_purge --add-module=${openrestyPath}/src/nginx-sticky-module --with-openssl=${openrestyPath}/src/openssl --with-pcre=${openrestyPath}/src/pcre --with-pcre-jit --with-http_v2_module --with-http_slice_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-ld-opt="-Wl,-E" --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC" --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" --with-compat --with-http_dav_module --add-module=${openrestyPath}/src/nginx-dav-ext-module --add-module=${openrestyPath}/src/ngx_brotli --add-module=${openrestyPath}/ngx_waf
+./configure --user=www --group=www --prefix=${openrestyPath} --with-luajit --add-module=${openrestyPath}/src/ngx_cache_purge --add-module=${openrestyPath}/src/nginx-sticky-module --with-openssl=${openrestyPath}/src/openssl --with-pcre=${openrestyPath}/src/pcre --with-pcre-jit --with-http_v2_module --with-http_v3_module --with-http_slice_module --with-threads --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-ld-opt="-Wl,-E" --with-cc-opt="-DNGX_LUA_ABORT_AT_PANIC" --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" --with-compat --with-http_dav_module --add-module=${openrestyPath}/src/nginx-dav-ext-module --add-module=${openrestyPath}/src/ngx_brotli --add-module=${openrestyPath}/ngx_waf
 make "-j${j}"
 if [ "$?" != "0" ]; then
 echo -e $HR
@@ -300,6 +290,7 @@ worker_processes auto;
 error_log /www/wwwlogs/openresty_error.log crit;
 pid /www/server/openresty/nginx.pid;
 worker_rlimit_nofile 51200;
+quic_bpf on;
 stream {
 log_format tcp_format '\$time_local|\$remote_addr|\$protocol|\$status|\$bytes_sent|\$bytes_received|\$session_time|\$upstream_addr|\$upstream_bytes_sent|\$upstream_bytes_received|\$upstream_connect_time';
@@ -335,6 +326,9 @@ http {
 keepalive_timeout 60;
+ http2 on;
+ http3 on;
+ quic_gso on;
 tcp_nodelay on;
 fastcgi_connect_timeout 300;
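Review bot: The exported `CFLAGS` adds `-Ofast`, which implies `-ffast-math` and so abandons IEEE-conformant floating-point semantics for everything compiled after this point — most likely including LuaJIT and the OpenSSL tree pulled in through `--with-openssl`, neither of which is built with such flags upstream — while `-march=native -mtune=native` ties the resulting binary to the CPU it was compiled on, which breaks if the disk image is later cloned to different hardware. `-O2 -ffunction-sections -fdata-sections` keeps the size win without changing numeric behaviour, and the same substitution applies to the two `-DCMAKE_C_FLAGS`/`-DCMAKE_CXX_FLAGS` values on the brotli `cmake` line. Neither `cmake` invocation is checked, unlike `make "-j${j}"` a few lines below, so a failed brotli build only surfaces later as a confusing link error from `./configure`/`make`; `cmake --build . --config Release --target brotlienc || { rm -rf ${openrestyPath}; exit 1; }` would mirror the script's existing failure handling. `-Wl,-s` in `LDFLAGS` strips the binary, which removes the symbols needed to read a backtrace from a worker crash; consider leaving it out here and stripping a copy only if size matters.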
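Review bot: `quic_bpf on;` is written into every generated nginx.conf, but the directive is only compiled in when the build detected eBPF support and nginx documents it as supported on Linux 5.7+ only, so on an older LTS kernel the binary would most likely either reject the line as an unknown directive or fail to set up the BPF program and refuse to start, taking the whole web server down with an experimental feature. It only adds QUIC connection migration on top of the `reuseport` routing, so leaving it at its default `off`, or emitting it only after a kernel-version check in the script, keeps the base install bootable. If it stays, a comment such as `# quic_bpf needs a Linux 5.7+ kernel and BPF support in the nginx build` on the line would record the constraint for whoever debugs a non-starting install. The heredoc that writes this file continues outside the hunk.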