Hello, everyone,

and Merry Christmas to all!

I'm a developer of an nginx fork Angie. Recently we implemented
an HTTP/3 proxy support in our fork [1].

We'd like to contribute this functionality to nginx OSS community.
Hence here is a patch series backported from Angie to the current
head of nginx mainline branch (1.25.3)

If you find patching and building nginx from source irritating in order
to test the feature, you can use the prebuilt packages of Angie [2]

[1] https://angie.software/en/http_proxy/#proxy-http-version
[2] https://angie.software/en/install/

Your feedback is welcome!

__. .--,
*-/___, ,-/___,-/___,-/___,-/___, _.-.=,{\/ _/ /`)
`\ _ ),-/___,-/___,-/___,-/___, ) _..-'`-(`._(_.;` /
/< \\=`\ _ )`\ _ )`\ _ )`\ _ )<`--''` (__\_________/___,
/< <\ </ /< /< /< </ /< (_____Y_____Y___,


*** CONFIGURATION ***

The following configuration is minimally required to proxy to your
HTTP/3-enabled server:

http {
server {
...

location /foo {
proxy_http_version 3;
proxy_pass https://http3-server.example.com:4433;
}
}

You may also need to configure SNI using the appropriate values
for the "proxy_ssl_name" and "proxy_ssl_server_name" directives
as well as certificates and other related things.

There is a number of proxy_http3_<quic_foo> directives is available that
configure quic settings. For the interop testing purposes, HQ support
is available.


Below are technical details about the current state of the patch set.

*** TESTS ***

The patchset includes tests which are added to the "t" directory for
convenience. Copy them to nginx-tests and run them as usual.
Most of them are proxy tests adapted for use with HTTP/3.

*** LIMITATIONS ***

The following features are NOT implemented:

* Trailers: it requires full trailers support in nginx first
* Connection migration: does not seem necessary for proxying scenarios
* 0RTT: currently not supported

The SSL library requirements are the same as for the server-side support.
There are some interoperability issues when using different libraries on
client and server: the combination of client + openssl/compat
and server + boringssl leads to a handshake failure with an error:

>> SSL_do_handshake() failed (SSL: error:10000132:SSL routines:
>> OPENSSL_internal:UNEXPECTED_COMPATIBILITY_MODE)


*** MULTIPLEXING ***

With keepalive disabled, the HTTP/3 connection to backend is very similar
to a normal TCP SSL connection: the connection is established, handshake
is performed, the request stream is created and everything is closed
when the request is completed.

With keepalive enabled, the underlying QUIC connection is cached,
and can be reused by another client. Each client is using its own
QUIC connection.

Theoretically, it is possible to use only one quic connection to each
backend and use separate HTTP/3 streams to make requests. This is NOT
currently implemented, as it requires more changes to the upstream
and keepalive modules and has security implications.


*** INTERNALS ***

This is a first attempt to integrating the HTTP/3 proxy into nginx,
so all currently exposed interfaces are not final.

Probably, the HTTP/3 proxy should be implemented in a separate module.
Currently it is a patch to the HTTP proxy module to minimize boilerplate.

Things that need improvement:
- client interface: the way to create client, start handshake and
create first stream to use for request;
The way SSL sessions are supported doesn't look good.

- upstreams interface: one way is to hide quic details and make it
feel more SSL-like, maybe even kind of SSL module.
Probably need a separate keepalive module for HTTP/3 to
allow some controlled level of multiplexing.

- connection termination is quite tricky due to the handling of
the underlying quic UDP connection and stream requests.
Closing an HTTP/3 connection may be incorrect in some cases.

- Some interop tests still fail. This is partly due to the nature
of the tests. This part requires more work with hard-to-reproduce
cases.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel