.github/workflows/build.yml

@@ -1,11 +1,11 @@
 name: build
 on:
   schedule:
-  - cron: '0 */12 * * *'
+    - cron: "0 0 * * *"
   push:
-    branches: [ main ]
-    paths: 
-      - '**.sh'
+    branches: [main]
+    paths:
+      - "**.sh"
       - Dockerfile
   workflow_dispatch:
 jobs:
@@ -14,17 +14,17 @@ jobs:
     name: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Build
         uses: ./
       - name: Upload
-        uses: actions/upload-artifact@v3.0.0
+        uses: actions/upload-artifact@v4
         with:
-          name: v5.${{ env.minor }}.${{ env.patch }}
+          name: v8.${{ env.minor }}.${{ env.patch }}
           path: /home/runner/work/_temp/_github_home/nginx.deb
       - name: Update
         if: ${{ env.change }}
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: stefanzweifel/git-auto-commit-action@v5
         with:
           commit_message: Update hash and version
       - name: Release
@@ -33,5 +33,5 @@ jobs:
         with:
           files: /home/runner/work/_temp/_github_home/nginx.deb
           body: "SHA256: ${{ env.hash }}"
-          tag_name: v5.${{ env.minor }}.${{ env.patch }}
+          tag_name: v8.${{ env.minor }}.${{ env.patch }}
           generate_release_notes: false

.github/workflows/test.yml

@@ -1,9 +1,9 @@
 name: test
 on:
   push:
-    branches-ignore: [ main ]
+    branches-ignore: [main]
     paths:
-      - '**.sh'
+      - "**.sh"
       - Dockerfile
   workflow_dispatch:
 jobs:
@@ -12,11 +12,11 @@ jobs:
     name: test
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Build
         uses: ./
       - name: Upload
-        uses: actions/upload-artifact@v3.0.0
+        uses: actions/upload-artifact@v4
         with:
-          name: v5.${{ env.minor }}.${{ env.patch }}
+          name: v8.${{ env.minor }}.${{ env.patch }}
           path: /home/runner/work/_temp/_github_home/nginx.deb

Dockerfile

@@ -1,3 +1,3 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm
 COPY build.sh /build.sh
 ENTRYPOINT ["bash", "/build.sh"]

README.md

@@ -1,10 +1,15 @@
 # nginx-http3
 
+## Distribution switch notice
+
+According to [Debian Wiki](https://wiki.debian.org/DebianReleases), Debian bullseye will reach its end-of-life date in July 2024. Therefore, the project will switch to Debian bookworm as the packaging environment in June 2024.
+
+**Update:** already switched on June 25th.
+
 ## Table of Contents
 
 - [Features](#features)
 - [Usage](#usage)
-- [Note](#note)
 - [Removed modules](#removed-modules)
 - [Add modules back](#add-modules-back)
 - [Use in another distribution](#use-in-another-distribution)
@@ -13,11 +18,10 @@
 ## Features
 
 - Based on latest [NGINX](https://hg.nginx.org/nginx) mainline version
-- HTTP/3 and QUIC support
+- HTTP/3 and QUIC support, powered by [quictls](https://github.com/quictls/openssl)
 - Brotli support, powered by [ngx_brotli](https://github.com/google/ngx_brotli)
 - GeoIP2 support, powered by [ngx_http_geoip2_module](https://github.com/leev/ngx_http_geoip2_module)
 - Headers More support, powered by [ngx_headers_more](https://github.com/openresty/headers-more-nginx-module)
-- OCSP stapling support, powered by [this patch](https://github.com/kn007/patch/blob/master/Enable_BoringSSL_OCSP.patch)
 - Remove mountains of useless modules to improve performance
 
 ## Usage
@@ -29,15 +33,9 @@ wget https://github.com/ononoki1/nginx-http3/releases/latest/download/nginx.deb
 sudo apt install ./nginx.deb
 ```
 
-## Note
-
-Due to usage of BoringSSL instead of OpenSSL, some directives may not work, e.g. `ssl_conf_command`. Besides, direct OCSP stapling via `ssl_stapling on; ssl_stapling_verify on;` does not work too. You should use `ssl_stapling on; ssl_stapling_file /path/to/ocsp;`. The OCSP file can be generated via `openssl ocsp -no_nonce -issuer /path/to/intermediate -cert /path/to/cert -url "$(openssl x509 -in /path/to/cert -noout -ocsp_uri)" -respout /path/to/ocsp`.
-
-If you really need these directives, you should consider [nginx-quictls](https://github.com/ononoki1/nginx-quictls).
-
 ## Removed modules
 
-- All modules that are not built by default, except `http_ssl_module`, `http_sub_module` and `http_v2_module`
+- All modules that are not built by default, except `http_ssl_module`, `http_v2_module` and `http_v3_module`
 - `http_access_module`
 - `http_autoindex_module`
 - `http_browser_module`
@@ -65,18 +63,19 @@ For example, if you want to add `http_scgi_module` back, you need to remove `--h
 
 ## Use in another distribution
 
-Fork this repo, enable GitHub Actions, edit `Dockerfile` and `build.sh`, and change `bullseye-slim` to the one you like. Then wait for GitHub Actions to run. After it finishes, you can download from releases.
+Fork this repo, enable GitHub Actions, edit `Dockerfile` and `build.sh`, and change `bookworm` to the one you like. Then wait for GitHub Actions to run. After it finishes, you can download from releases.
 
-For example, if you want to use in Debian bookworm, you need to change `bullseye-slim` to `bookworm-slim` in `Dockerfile`.
+For example, if you want to use in Debian bullseye, you need to change `bookworm` to `bullseye`.
 
-Note: if you are using newer version of Debian (e.g. Debian bookworm or unstable), you can simply use releases from this repo as Debian is backward compatible.
+Note: if you are using newer version of Debian (e.g. Debian trixie or unstable), you can still use releases for Debian bookworm as Debian is backward compatible.
 
 ## Recommended NGINX config
 
 ```nginx
 http {
   brotli on;
   gzip on;
+  http2 on;
   http3 on;
   quic_gso on;
   quic_retry on;
@@ -87,14 +86,16 @@ http {
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 1d;
+  ssl_stapling on;
+  ssl_stapling_verify on;
   server {
     listen 80 reuseport;
     listen [::]:80 reuseport; # delete if ipv6 is unavailable
     return 444;
   }
   server {
-    listen 443 reuseport ssl http2;
-    listen [::]:443 reuseport ssl http2;
+    listen 443 reuseport ssl;
+    listen [::]:443 reuseport ssl;
     listen 443 reuseport quic;
     listen [::]:443 reuseport quic;
     ssl_reject_handshake on;

build.sh

@@ -5,10 +5,7 @@ echo deb http://deb.debian.org/debian bullseye-backports main >> /etc/apt/source
 apt-get update > /dev/null 2>&1
 apt-get install --allow-change-held-packages --allow-downgrades --allow-remove-essential \
 -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold -fy \
-cmake curl git libmaxminddb-dev ninja-build wget zlib1g-dev > /dev/null 2>&1
-apt-get install --allow-change-held-packages --allow-downgrades --allow-remove-essential \
--o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold -fy \
--t bullseye-backports golang > /dev/null 2>&1
+cmake git libmaxminddb-dev wget > /dev/null 2>&1
 wget -qO /etc/apt/trusted.gpg.d/nginx_signing.asc https://nginx.org/keys/nginx_signing.key
 echo deb-src https://nginx.org/packages/mainline/debian bullseye nginx \
 >> /etc/apt/sources.list
@@ -20,20 +17,12 @@ apt-get build-dep --allow-change-held-packages --allow-downgrades --allow-remove
 nginx > /dev/null 2>&1
 echo Fetch NGINX source code.
 apt-get source nginx > /dev/null 2>&1
+echo Fetch quictls source code.
 cd nginx-*
-curl -sL https://raw.githubusercontent.com/kn007/patch/master/Enable_BoringSSL_OCSP.patch \
-| patch -p1 > /dev/null 2>&1
-echo Fetch boringssl source code.
 mkdir debian/modules
 cd debian/modules
-git clone --depth 1 --recursive https://github.com/google/boringssl > /dev/null 2>&1
-echo Build boringssl.
-mkdir boringssl/build
-cd boringssl/build
-cmake -GNinja .. > /dev/null 2>&1
-ninja -j$(nproc) > /dev/null 2>&1
+git clone --depth 1 --recursive https://github.com/quictls/openssl > /dev/null 2>&1
 echo Fetch additional dependencies.
-cd ../..
 git clone --depth 1 --recursive https://github.com/google/ngx_brotli > /dev/null 2>&1
 mkdir ngx_brotli/deps/brotli/out
 cd ngx_brotli/deps/brotli/out
@@ -46,14 +35,14 @@ git clone --depth 1 --recursive https://github.com/openresty/headers-more-nginx-
 echo Build nginx.
 cd ..
 sed -i 's|NGINX Packaging <nginx-packaging@f5.com>|ononoki <me@ononoki.org>|g' control
-sed -i 's|CFLAGS=""|CFLAGS="-Wno-ignored-qualifiers"|g' rules
+sed -i 's|export DEB_CFLAGS_MAINT_APPEND=.*|export DEB_CFLAGS_MAINT_APPEND=|g' rules
+sed -i 's|export DEB_LDFLAGS_MAINT_APPEND=.*|export DEB_LDFLAGS_MAINT_APPEND=|g' rules
+sed -i 's|CFLAGS=""|CFLAGS="-Wno-error"|g' rules
 sed -i 's|--sbin-path=/usr/sbin/nginx|--sbin-path=/usr/sbin/nginx --add-module=$(CURDIR)/debian/modules/ngx_brotli --add-module=$(CURDIR)/debian/modules/ngx_http_geoip2_module --add-module=$(CURDIR)/debian/modules/headers-more-nginx-module|g' rules
-sed -i 's|--with-cc-opt="$(CFLAGS)" --with-ld-opt="$(LDFLAGS)"|--with-cc-opt="-I../modules/boringssl/include $(CFLAGS)" --with-ld-opt="-L../modules/boringssl/build/ssl -L../modules/boringssl/build/crypto $(LDFLAGS)"|g' rules
 sed -i 's|--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx|--user=www-data --group=www-data|g' rules
 sed -i 's|--with-compat||g' rules
-sed -i 's|--with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module||g' rules
-sed -i 's|--with-http_stub_status_module||g' rules
-sed -i 's|--with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module|--with-http_v3_module --with-pcre-jit --without-select_module --without-poll_module --without-http_access_module --without-http_autoindex_module --without-http_browser_module --without-http_charset_module --without-http_empty_gif_module --without-http_limit_conn_module --without-http_memcached_module --without-http_mirror_module --without-http_referer_module --without-http_split_clients_module --without-http_scgi_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_zone_module|g' rules
+sed -i 's|--with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module|--with-http_ssl_module|g' rules
+sed -i 's|--with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module|--with-pcre-jit --without-select_module --without-poll_module --without-http_access_module --without-http_autoindex_module --without-http_browser_module --without-http_charset_module --without-http_empty_gif_module --without-http_limit_conn_module --without-http_memcached_module --without-http_mirror_module --without-http_referer_module --without-http_split_clients_module --without-http_scgi_module --without-http_ssi_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_keepalive_module --without-http_upstream_least_conn_module --without-http_upstream_random_module --without-http_upstream_zone_module --with-openssl=$(CURDIR)/debian/modules/openssl|g' rules
 cd ..
 dpkg-buildpackage -b > /dev/null 2>&1
 cd ..

hash

@@ -1 +1 @@
-bde01e1a94a9311544226fa4794ed74d2ba65400e3a5c252066ceeb2c053a1f4
+07cc9c989465aa3206a20510353915401814f76ded3d835fdb2939e26e6c4506

minor

@@ -1 +1 @@
-4
+0

patch

@@ -1 +1 @@
-57
+7