[FEATURE REQUEST] HTTP/3 support

[pdiaz]

Several companies are working on HTTP/3 support, including on NGINX.

What are the plans related to support this new and exciting protocol?

One first step would be to enable it with https://github.com/cloudflare/quiche/blob/master/extras/nginx/nginx-1.16.patch

[aledbf]

@pdiaz we use the openresty distribution so this feature requires support from that project first. Someone already asked a similar question here https://github.com/openresty/openresty/issues/556

[pdiaz]

The controller is currently build using openresty but seems that everything is contained on this repository. A first step would be to build nginx with the Cloudflare patch...

https://github.com/kubernetes/ingress-nginx/blob/master/images/nginx/rootfs/build.sh#L444

[aledbf]

No, sorry. This must be present in openresty firsts. We cannot add this feature without the QA process they have to ensure nothing breaks.

That said, you can fork the repository and build and maintain the feature in your fork.

[pdiaz]

Sure I can fork it. It's also better to collaborate with other people instead of trying to make all this on my own. Is anyone interested in joining forces?

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/4760#issuecomment-616915742): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta). >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[ernst77]

So no http3 support?

[iakat]

/reopen

[k8s-ci-robot]

@sim1: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/4760#issuecomment-801474151): >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[pdiaz]

/reopen

[k8s-ci-robot]

@pdiaz: Reopened this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/4760#issuecomment-801525064): >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[iakat]

/remove-lifecycle rotten

[francescov1]

When can we expect HTTP3 to be supported? Is there any changes in configuration that will need to be made, or will it simply require upgrading versions?

[Kullu14]

I am also looking for HTTP3 support in openresty. Is it supported yet ?

[strongjz]

/kind feature

[k8s-triage-robot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[pdiaz]

/remove-lifecycle stale

[unixfox]

/remove-lifecycle stale

[strongjz]

we have just upgraded to nginx 1.20.1 and from here https://quic.nginx.org/README it looks that HTTP/3 is still experimental so not until there is a stable release will we be implementing HTTP/3.

[strongjz]

/priority important-longterm /triage accepted /lifecycle active

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[unixfox]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[unixfox]

/remove-lifecycle stale

[kvzn]

Any new progress?

[stalkerg]

HTTP/3 has some issues with SSL implementations it's why difficult to add it into NGINX. Basically, the responsibility between SSL lib and HTTP server became is dramatically different because we should support UDP protocol QUIC.

[strongjz]

/lifecycle frozen

[henricook]

How do you think this issue will be resolved across webservers as a whole, it sounds like it might be a problem for software other than NGINX that does a similar thing (e.g. Apache) if I'm understanding correctly?

TL;DR Please let me know what/where I can file my upvotes so that I can cover up my website's performance woes with the new, faster protocol

[cdobbyn]

Now that rfc9114 is published as a proposed standard theoretically webserver devs will probably be working on making this no longer experimental. Looks like traefik has it in experimental state for use with their ingress now, not that it helps ingress-nginx users.

[cdobbyn]

Looks like it saw quite a bit of iteration but not merged / released yet unless I'm reading that wrong. https://hg.nginx.org/nginx-quic/graph/tip

[strongjz]

We are in the middle of a stabilization project, working reducing chess, making release faster and prepping for the gateway api. Right now an experimental is counterintuitive to that.

We support it eventually but right it is not a priority.

[dockercore]

Expect to support http3.0 as soon as possible 2022年08月19日 星期五 14时53分28秒 -0.422328 秒

[clywm520]

什么时候支持HTTP3.0呢 traefik已经支持HTTP3.0了

[clywm520]

When will HTTP3.0 be supported? Traefik has already supported HTTP3.0.

[jkroepke]

For all the people that ask, wenn HTTP/3 is available:

Subscribe

• https://github.com/openresty/openresty/issues/741

Once merged and released on Openresty, come back.

[clywm520]

nginx-1.25.0 已经支持http3.0.　　nginx-ingress 什么时候支持呢

[tao12345666333]

There is a new PR to upgrade OpenResty core to NGINX v1.25+. https://github.com/openresty/openresty/pull/920

[alextes]

PR landed! 🎉 - https://github.com/openresty/openresty/pull/920

What work remains to be done? Perhaps others could contribute the implementation (:

[anyidea]

any progress?

[tao12345666333]

https://github.com/kubernetes/ingress-nginx/pull/10668

Upgraded NGINX to v1.25.3

[koehn]

The current 1.10.0 release doesn’t seem to include http3 support:

nginx version: nginx/1.25.3
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014) 
built with OpenSSL 3.1.4 24 Oct 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -Wno-cast-function-type' --with-ld-opt='-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit --add-module=/tmp/build/set-misc-nginx-module --add-module=/tmp/build/headers-more-nginx-module --add-module=/tmp/build/ngx_http_substitutions_filter_module --add-module=/tmp/build/lua-nginx-module --add-module=/tmp/build/stream-lua-nginx-module --add-module=/tmp/build/lua-upstream-nginx-module --add-dynamic-module=/tmp/build/nginx-http-auth-digest --add-dynamic-module=/tmp/build/ModSecurity-nginx --add-dynamic-module=/tmp/build/ngx_http_geoip2_module --add-dynamic-module=/tmp/build/ngx_brotli

Also ngx_http_v3_module is not in /etc/nginx/modules. If you try turning on quic you get an error:

2024/02/29 14:59:29 [emerg] 347#347: the "quic" parameter requires ngx_http_v3_module in /etc/nginx/nginx.conf:288

This is probably a good thing, as nginx 1.25.4 fixes some http3-related security CVEs.

[zengyuxing007]

Looking forward to Ingress support for HTTP/3.

[koehn]

Recent(-ish) fixes to OpenResty allow it to be built with http3 support. Hopefully that will trickle down to ingress-nginx shortly.

[H0llyW00dzZ]

Any new progress ?

[Mmx233]

Any new progress ?

According to nginx-1.25 readme, we will be close to the goal after the final release of OpenSSL 3.4.0. The OpenSSL final release is currently scheduled for 2024/10/14 according to OpenSSL 3.4.0 Project Schedule. It is worth celebrating that OpenSSL 3.4.0 alpha has been successfully released on schedule. I believe HTTP/3 will be usable in about one or two months.