Issue with getting to HTTP/3 or QUIC on first connect

Eric Germann via nginx
March 09, 2023 01:58AM
I’m having an issue where I (think I) have enabled HTTP3 correctly on my nginx server. When I connect to the server the first time, it indicates HTTP/2 in the logs. If I hit refresh it indicates HTTP/3 from then on. So something is wrong with the configuration of the server to offer headers to negotiate it. I’ve even added HTTPS DNS records to indicate the preferred connection schemes. Bonus points if you can help me get QUIC working too.

The result of http3check.net (http://http3check.net/) is "HTTP/3 Check could not get the server's advertised QUIC versions due to the error given below. Bad status code from server."
Thanks in advance for any pointers

Eric

Source code was pulled 2023-02-27


Build information is:

nginx version: nginx/1.23.4
built by gcc 7.3.1 20180712 (Red Hat 7.3.1-15) (GCC)
built with OpenSSL 3.0.8+quic 7 Feb 2023
TLS SNI support enabled
configure arguments: --with-threads --with-cc-opt='-static -static-libgcc' --with-ld-opt=-static --with-debug --with-compat --with-file-aio --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_realip_module --with-http_secure_link_module --with-http_random_index_module --with-http_geoip_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream_quic_module --with-http_sub_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-cc-opt=-I/usr/local/include --with-ld-opt=-L/usr/local/lib --with-openssl=../quictls --with-openssl-opt=enable-tls1_3 --add-module=/source/ngx_brotli


Pertinent config for the server block is

upstream httpd_backend {
    server 172.28.10.91:443;

    keepalive 120;
}

log_format quic '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent" "$http3"';

access_log logs/access.log quic;

# NON-SSL
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;

    location / {
        rewrite ^ https://www.example.com$request_uri?/ permanent;
    }
}

# SSL
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    listen 443 http3 reuseport;
    listen [::]:443 http3 reuseport;

    quic_retry on;

    server_name noc2.semperen.com;

    # Set up your cert paths
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
    ssl_dhparam SSLKeys/dhparam.pem;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers On;
    ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:AES256+EECDH:AES256+EDH:!aNULL:!CBC;
    ssl_ecdh_curve secp384r1;
    ssl_early_data on;

    # enable ocsp stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.4.4 8.8.8.8 valid=86400s;
    resolver_timeout 10s;

    # upgrade to HTTP3 and HTTP2
    add_header alt-svc 'h3=":443"; ma=86400, h2=":443"; ma=86400';
    add_header alt-svc 'h2=":443"; ma=86400; persist=1';
    add_header alt-svc 'h2=":443"; ma=86400;';

    add_header X-Frame-Options "SAMEORIGIN";

    # tell users to go to SSL version next time
    add_header Strict-Transport-Security "max-age=31104000; includeSubdomains" always;

    # handle brotli compression
    brotli on;
    brotli_static on;

    # Note this is one line, even if it wraps and renders as two
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    brotli_buffers 16 8k;
    brotli_comp_level 9;

    client_max_body_size 32M;

    error_page 502 /custom_502.html;
    location = /custom_502.html {
        root /usr/local/nginx/html;
        internal;
    }

    location / {
        proxy_pass https://httpd_backend;
        proxy_http_version 1.1;
        proxy_buffering on;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass_header Authorization;
        # proxy_set_header X-Scheme $scheme;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
    }

    location /roundcube {
        proxy_pass https://172.28.10.100;
        proxy_http_version 1.1;
        proxy_buffering on;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass_header Authorization;
        # proxy_set_header X-Scheme $scheme;
        # proxy_set_header Upgrade $http_upgrade;
        # proxy_set_header Connection "upgrade";
    }
}




--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com https://ekgermann.medium.com/
Twitter: @ekgermann
Telegram || Signal || Skype || WhatsApp || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1







_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
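As an added example (not from the post, nor nginx's own code), here is a small audit that parses the Alt-Svc field values the three add_header lines in the config above would emit, combines them the way a client combines repeated header lines, and reports what is actually advertised; the helper names are hypothetical and the sample inputs are constructed from the config shown.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical audit helper (not part of nginx); sample inputs below are
# constructed from the add_header lines in the post.
@dataclass
class AltSvc:
    protocol: str   # e.g. "h3"
    authority: str  # e.g. ":443"
    params: dict = field(default_factory=dict)  # e.g. {"ma": "86400"}

# protocol-id="authority" followed by zero or more "; key=value" parameters
_ENTRY = re.compile(r'\s*([A-Za-z0-9!#$%&*+\-.^_|~]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')

def parse_alt_svc(value: str) -> list[AltSvc]:
    """Parse one Alt-Svc field value (RFC 7838 section 3)."""
    if value.strip() == "clear":
        return []
    entries = []
    for m in _ENTRY.finditer(value):
        params = {}
        for p in m.group(3).split(";"):
            if p.strip():
                k, _, v = p.partition("=")
                params[k.strip().lower()] = v.strip()
        entries.append(AltSvc(m.group(1).lower(), m.group(2), params))
    return entries

def audit_alt_svc(header_values: list[str]) -> dict:
    """Combine repeated Alt-Svc lines the way a client does (one comma-joined
    list) and report what the server actually advertises."""
    entries = [e for v in header_values for e in parse_alt_svc(v)]
    protocols = [e.protocol for e in entries]
    findings = []
    if "h3" not in protocols:
        findings.append("no h3 entry: clients can never learn about HTTP/3")
    for p in sorted(set(protocols)):
        variants = {tuple(sorted(e.params.items())) for e in entries if e.protocol == p}
        if len(variants) > 1:
            findings.append(f"{p} listed {protocols.count(p)} times with differing parameters")
    return {"advertised": protocols, "h3": "h3" in protocols, "findings": findings}

# Constructed inputs: what the three add_header lines in the post emit, and a single h3-only line.
POSTED_HEADERS = [
    'h3=":443"; ma=86400, h2=":443"; ma=86400',
    'h2=":443"; ma=86400; persist=1',
    'h2=":443"; ma=86400;',
]
SINGLE_H3 = ['h3=":443"; ma=86400']
```

Because Alt-Svc is only learned from a response, a client that has not yet cached it (and has not resolved an HTTPS record) opens its first connection over TCP, which is why a fresh visit logs HTTP/2 and the refresh logs HTTP/3.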