海运的博客

caddy为nginx网站提供http3 quic支持

发布时间：December 27, 2021 // 分类： // No Comments

由于nginx监听了443端口，caddy监听其它端口，通过iptables dnat到caddy端口也能使用，但是caddy head会返回alt-svc包含监听的端口，通过使用docker桥接方式启动caddy可解决。
docker build安装caddy镜像：

FROM debian:bullseye
RUN apt update -y
RUN apt install curl net-tools vim iputils-ping -y
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | tee /etc/apt/trusted.gpg.d/caddy-stable.asc
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
RUN apt update -y
RUN apt install caddy

1	`docker build --tag debian-caddy:v1 - < Dockerfile`

启动：

docker run -d --name caddy-http3 -p 443:443/udp --dns=172.17.0.1 --restart=always -v /etc/caddy:/etc/caddy -v /data/www.haiyun.me:/data/www.haiyun.me -v /acme/haiyun.me:/acme/haiyun.me debian-caddy:v1 caddy run -config /etc/caddy/Caddyfile

caddy配置文件：

{
  admin off
  auto_https off
  servers  {
    protocol {
      experimental_http3
    }
  }
}
https://www.haiyun.me:443 {
  tls /acme/haiyun.me/haiyun.me.cer /acme/haiyun.me/haiyun.me.key
  reverse_proxy https://www.haiyun.me {
    header_up X-Forwarded-For {remote_host}
    header_down -server
  }
}

nginx添加head:

1	`add_header Alt-Svc "h3=\":443\"; ma=86400,h3-29=\":443\"; ma=86400";`

可通过编译curl支持http3测试。

编译curl http3 quic支持

发布时间：December 27, 2021 // 分类： // 2 Comments

方法一，使用openssl ngtcp2 nghttp3编译curl支持http3 quic：

apt install build-essential autoconf libtool pkg-config 
git clone --depth 1 -b OpenSSL_1_1_1m+quic https://github.com/quictls/openssl
cd openssl/
./config enable-tls1_3 --prefix=/usr/local/openssl
 make && make install
cd ../
git clone https://github.com/ngtcp2/nghttp3
cd nghttp3/
autoreconf -fi
./configure --prefix=/usr/local/nghttp3 --enable-lib-only
make && make install
cd ../
git clone https://github.com/ngtcp2/ngtcp2
cd ngtcp2/
autoreconf -fi
./configure PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig:/usr/local/nghttp3/lib/pkgconfig LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib" --prefix=/usr/local/ngtcp2 --enable-lib-only 
 make && make install
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
LDFLAGS="-Wl,-rpath,/usr/local/openssl/lib64" ./configure --with-openssl=/usr/local/openssl/ --with-nghttp3=/usr/local/nghttp3 --with-ngtcp2=/usr/local/ngtcp2 --prefix=/usr/local/curl
make && make install
LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/" /usr/local/curl/bin/curl -V

方法二，通过quiche编译支持http3 quic：

apt install build-essential cmake pkg-config
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
git clone --recursive https://github.com/cloudflare/quiche
cd quiche/
cargo build --package quiche --release --features ffi,pkg-config-meta,qlog
mkdir quiche/deps/boringssl/src/lib
ln -vnf $(find target/release -name libcrypto.a -o -name libssl.a) quiche/deps/boringssl/src/lib/
cd ../
wget https://github.com/curl/curl/releases/download/curl-7_80_0/curl-7.80.0.tar.gz
tar zxf curl-7.80.0.tar.gz 
cd curl-7.80.0/
./configure LDFLAGS="-Wl,-rpath,$PWD/../quiche/target/release" --with-openssl=$PWD/../quiche/quiche/deps/boringssl/src --with-quiche=$PWD/../quiche/target/release --prefix=/usr/local/curl
make && make install
cp ../quiche/target/release/libquiche.so /usr/local/curl/lib/
LD_LIBRARY_PATH="/usr/local/curl/lib/"  /usr/local/curl/bin/curl -V

使用curl测试http3 quic：

LD_LIBRARY_PATH="/usr/local/curl/lib/:/usr/local/openssl/lib/"  /usr/local/curl/bin/curl --http3 https://www.haiyun.me  -I

使用中遇到的问题，quiche编译的curl下载一会后断流，openssl编译的curl下载速度很慢。
参考：
https://github.com/curl/curl/blob/master/docs/HTTP3.md

此内容被密码保护

发布时间：December 17, 2021 // 分类： // No Comments

此内容被密码保护

发布时间：December 15, 2021 // 分类： // No Comments

PVE/postfix配置smtp发送邮件

发布时间：December 9, 2021 // 分类： // No Comments

安装认证模块：

apt install libsasl2-modules
#如需pcre匹配安装
#apt install postfix-pcre

修改/etc/postfix/main.cf添加：

myhostname=pve.lan
#配置文件内有relayhost要先注释，465端口是SMTPS，587端口是STARTTLS
relayhost = smtp.qq.com:465
 
#此参数被smtp_tls_security_level取代
#smtp_use_tls = yes
#使用SMTPS非STARTTLS加密方式
smtp_tls_wrappermode = yes
#加密级别
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
 
#本地用户替换为smtp认证用户，smtp_generic_maps和sender_canonical_maps都可以
smtp_generic_maps = hash:/etc/postfix/generic
#sender_canonical_maps = hash:/etc/postfix/sender_canonical
#使用pcre匹配本机用户
#sender_canonical_maps = pcre:/etc/postfix/sender_pcre_canonical
#header检查并替换发送者名称
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks

sender_canonical或generic映射本机用户到smtp账号：

cat /etc/postfix/generic
#本机所有用户，注意pve.lan为主配置文件myhostname
@pve.lan support@haiyun.me
#下面2个等效
root support@haiyun.me
root@pve.lan support@haiyun.me

正则映射：

cat /etc/postfix/sender_pcre_canonical
#匹配所有hostname和所有用户
/.*/ support@haiyun.me

smtp账号密码：

cat /etc/postfix/sasl_passwd
smtp.qq.com support@haiyun.me:password

生成hash数据库，pcre不用生成：

postmap /etc/postfix/sasl_passwd
postmap /etc/postfix/generic
postmap /etc/postfix/sender_canonical

替换发件人姓名：

cat /etc/postfix/smtp_header_checks 
/^From:.*/ REPLACE From: 重要通知 <support@haiyun.me>

发送邮件测试：

apt install bsd-mailx
echo "www.haiyun.me" |mail -s test support@haiyun.me
echo "test" | /usr/bin/pvemailforward

将其它用户邮件转发到root用户：

cat /etc/aliases
postmaster: root
nobody: root
#也可使用~/.forward 
#root: support@haiyun.me

1	`postalias /etc/aliases`

将root用户邮件转发到外部邮箱：

cat ~/.forward 
support@haiyun.me

参考：
https://serverfault.com/questions/717719/how-can-i-strip-or-rewrite-the-senders-name-of-a-from-address-when-using-postfi
https://forum.proxmox.com/threads/get-postfix-to-send-notifications-email-externally.59940/

海运的博客

caddy为nginx网站提供http3 quic支持

编译curl http3 quic支持

此内容被密码保护

此内容被密码保护

PVE/postfix配置smtp发送邮件

分类

最新文章

最近回复

归档