Compiling nginx with ECH support

Note: ECH presupposes DNSSEC or DoH/DoT for the DNS lookup; without one of them there is no point in using it!

Building nginx with ECH support

1. Set up the build environment
2. Download nginx and OpenSSL with ECH support
3. Build OpenSSL and nginx
4. Use and test ECH support

1. Set up the build environment

sudo apt install build-essential libpcre2-dev zlib1g-dev

2. Download nginx and OpenSSL with ECH support

mkdir ~/src
cd ~/src
git clone https://github.com/sftcd/openssl.git
cd openssl
git checkout ECH-draft-13c
cd ~/src
git clone https://github.com/sftcd/nginx.git
cd nginx
git checkout ECH-experimental

3. Build OpenSSL and nginx

cd ~/src/nginx
# --with-openssl must point at the tree cloned above (~/src/openssl, not ~/openssl).
# $(LIBRPATH) is a variable of OpenSSL's Makefile, so it is escaped here; unescaped, the shell
# would try to run a command named LIBRPATH and pass an empty rpath to the linker.
./auto/configure --with-debug --prefix=/opt/ech --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=$HOME/src/openssl --with-openssl-opt="--debug '-Wl,--enable-new-dtags,-rpath,\$(LIBRPATH)'" --with-http_v2_module
# install into /opt/ech needs root; && (not a single &) makes install wait for the build
make && sudo make install

4. Using and testing ECH support

The nginx configuration is as follows:
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include            mime.types;
    default_type       application/octet-stream;
    # directory under conf/ holding the ECH key/config PEM files (directive from the ECH-experimental branch)
    ssl_echkeydir      ech_keys;
    sendfile           on;
    keepalive_timeout  65;
    # HTTP
    server {
        listen         80 default_server;
        server_name    localhost;
        location / {
            root       html;
            ssi        on;
            index      index.html index.htm;
            keepalive_timeout 0;
            # Force non-cache
            add_header Last-Modified $date_gmt;
            add_header Cache-Control 'no-store, no-cache';
            if_modified_since off;
            expires off;
            etag off;
        }
        error_page     500 502 503 504  /50x.html;
        location = /50x.html {
            root       html;
        }
    }
    # HTTPS
    server {
        listen               443 ssl;
        server_name          _;
        
        ssl_certificate      /path/to/your/cert;
        ssl_certificate_key  /path/to/your/key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            ssi    on;
            index  index.html index.htm;
            keepalive_timeout 0;
            # Force non-cache
            add_header Last-Modified $date_gmt;
            add_header Cache-Control 'no-store, no-cache';
            if_modified_since off;
            expires off;
            etag off;
        }
    }
}
Generating the ECH keys and configuring the DNS server
The server's TLS certificate can be obtained from Let's Encrypt; this section covers generating the ECH key and config.
# make install does not create the directory named by ssl_echkeydir, so create it first
sudo mkdir -p /opt/ech/conf/ech_keys
cd /opt/ech/conf/ech_keys
sudo /opt/ech/bin/openssl ech -public_name cover.domain -pemout config1.ech
To configure DNS, add an HTTPS record at your DNS provider; if the provider does not support this record type, ECH cannot be configured any further. The ECHCONFIG value is found in config1.ech:
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
-----BEGIN ECHCONFIG-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END ECHCONFIG-----
Add the following record:
your.domain IN HTTPS 1 . alpn="h2" ech="your ECHCONFIG"
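The following Python script is an added worked example, not part of the original post or of the sftcd tools: it pulls the ECHCONFIG block out of a config1.ech-style PEM, decodes the draft-13 ECHConfigList, checks that the public_name inside it really is the cover domain (that is what clients send as the outer SNI), and prints the HTTPS record line to add. The PEM, the 32-byte placeholder X25519 public key and the names cover.example / www.example.com are constructed here for illustration.

```python
"""Added example: decode an `openssl ech -pemout` PEM and build the HTTPS record."""
import base64
import struct
import textwrap

ECH_VERSION_DRAFT13 = 0xFE0D   # ECHConfig.version for draft-13 (what ECH-draft-13c implements)
KEM_X25519 = 0x0020            # HPKE DHKEM(X25519, HKDF-SHA256)
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001


def _opaque(data: bytes, width: int) -> bytes:
    """TLS vector: `width`-byte big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(width, "big") + data


def build_echconfig_list(public_name: str, public_key: bytes,
                         config_id: int = 1, max_name_len: int = 0) -> bytes:
    """Encode one draft-13 ECHConfig inside an ECHConfigList (used only to make the sample)."""
    suites = struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM)
    key_config = (bytes([config_id]) + struct.pack("!H", KEM_X25519)
                  + _opaque(public_key, 2) + _opaque(suites, 2))
    contents = (key_config + bytes([max_name_len])
                + _opaque(public_name.encode("ascii"), 1) + _opaque(b"", 2))  # no extensions
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    return _opaque(config, 2)


def parse_echconfig_list(blob: bytes) -> list:
    """Decode an ECHConfigList into dicts; entries with an unknown version are skipped."""
    total = int.from_bytes(blob[:2], "big")
    body = blob[2:]
    if len(body) != total:
        raise ValueError("ECHConfigList length field does not match payload")
    configs, pos = [], 0
    while pos < len(body):
        version, length = struct.unpack_from("!HH", body, pos)
        raw = body[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version != ECH_VERSION_DRAFT13:
            continue
        p = 0
        config_id = raw[p]; p += 1
        kem_id = int.from_bytes(raw[p:p + 2], "big"); p += 2
        pk_len = int.from_bytes(raw[p:p + 2], "big"); p += 2
        public_key = raw[p:p + pk_len]; p += pk_len
        cs_len = int.from_bytes(raw[p:p + 2], "big"); p += 2
        cipher_suites = [struct.unpack_from("!HH", raw, p + i) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len = raw[p]; p += 1
        pn_len = raw[p]; p += 1
        public_name = raw[p:p + pn_len].decode("ascii"); p += pn_len
        ext_len = int.from_bytes(raw[p:p + 2], "big"); p += 2
        if p + ext_len != len(raw):
            raise ValueError("ECHConfig extensions length is inconsistent")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": cipher_suites, "max_name_len": max_name_len,
                        "public_name": public_name})
    return configs


def echconfig_from_pem(pem_text: str) -> bytes:
    """Return the raw ECHConfigList from the ECHCONFIG block of a config1.ech-style file."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    try:
        start = lines.index("-----BEGIN ECHCONFIG-----") + 1
        end = lines.index("-----END ECHCONFIG-----")
    except ValueError:
        raise ValueError("no ECHCONFIG block found") from None
    return base64.b64decode("".join(lines[start:end]))


def ech_public_names(pem_text: str) -> set:
    """All public_name values in the file (what clients will send as the outer SNI)."""
    return {c["public_name"] for c in parse_echconfig_list(echconfig_from_pem(pem_text))}


def https_record(name: str, pem_text: str, cover_domain: str, alpn: str = "h2") -> str:
    """Emit the HTTPS record line, refusing if public_name does not match the cover domain."""
    blob = echconfig_from_pem(pem_text)
    names = {c["public_name"] for c in parse_echconfig_list(blob)}
    if not names:
        raise ValueError("no draft-13 ECHConfig in file")
    if cover_domain not in names:
        raise ValueError(f"public_name {sorted(names)} does not match cover domain {cover_domain}")
    return f'{name} IN HTTPS 1 . alpn="{alpn}" ech="{base64.b64encode(blob).decode()}"'


# Constructed sample (not real key material): a 32-byte placeholder X25519 public key.
SAMPLE_PUBLIC_KEY = bytes(range(32))
SAMPLE_ECH_B64 = base64.b64encode(build_echconfig_list("cover.example", SAMPLE_PUBLIC_KEY)).decode()
SAMPLE_PEM = ("-----BEGIN ECHCONFIG-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_ECH_B64, 64))
              + "\n-----END ECHCONFIG-----\n")

if __name__ == "__main__":
    print(https_record("www.example.com", SAMPLE_PEM, "cover.example"))
```

To use it on a real file, read config1.ech into `pem_text` and pass the cover domain given to `-public_name`; the base64 in the ECHCONFIG block is the ECHConfigList itself, so it goes into `ech="..."` unchanged, and the public_name check catches a config generated for the wrong cover domain before it is published in DNS.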
Testing ECH support

Add a test page to nginx

Change nginx's default page to the following:

<pre>
HTTP host: <!--# echo var="http_host" -->
ALPN protocol: <!--# echo var="ssl_alpn_protocol" -->
SSL cipher: <!--# echo var="ssl_cipher" -->
SSL protocol: <!--# echo var="ssl_protocol" -->
SNI: <!--# echo var="ssl_server_name" -->
ECH status: <!--# echo var="ssl_ech_status" -->
Outer SNI (public name): <!--# echo var="ssl_ech_outer_sni" -->
Inner SNI: <!--# echo var="ssl_ech_inner_sni" -->
</pre>

ECH support must be enabled in the browser.

In Chrome: enter chrome://flags in the address bar, search for Encrypted ClientHello, and set it to Enabled.

Then, when you visit your page, it will display this information; output like the following generally means ECH is working:
HTTP host: your domain
ALPN protocol: h2
SSL cipher: TLS_AES_256_GCM_SHA384
SSL protocol: TLSv1.3
SNI: your domain
ECH status: success
Outer SNI (public name): cover domain
Inner SNI: your domain

This article was written with reference to the following post:

https://cujo.com/blog/set-up-ech-website/

Apache-2.0
