macbre / docker-nginx-http3

Stable and up-to-date root-less nginx with quic + http/3, google brotli compression, njs, GeoIP2, and Grade A+ SSL config
https://hub.docker.com/r/macbre/nginx-http3
159 stars, 52 forks

http3 just doesn't work on 1.25.1 #118

Closed wokalek closed 4 months ago

wokalek commented 11 months ago

Hey. Using this with docker:

```yaml
nginx:
  container_name: wokalek-nginx
  image: macbre/nginx-http3:1.25.1
  user: root   # overrides the image's non-root default user
  restart: always
  depends_on:
    - nuxt
  ports:
    - 80:80
    - 443:443/tcp
    - 443:443/udp   # QUIC needs UDP/443 published as well as TCP
  volumes:
    - ./nginx/conf/nginx.prod.conf:/etc/nginx/nginx.conf
    - ./nginx/types/gzip_types.conf:/etc/nginx/gzip_types.conf
    - ./nginx/types/brotli_types.conf:/etc/nginx/brotli_types.conf
    - ./static:/usr/share/nginx/html/static
    - ./certbot/www:/certbot/www
    - ./certbot/conf/archive:/certbot/cert
```
nginx prod config:

```nginx
worker_processes auto;

events {}

http {
    server_tokens off;

    map $sent_http_content_type $expires {
        "text/html"               epoch;
        "text/html;charset=utf-8" epoch;
        default                   off;
    }
    expires $expires;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 256;
    include gzip_types.conf;

    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_min_length 256;
    include brotli_types.conf;

    server {
        listen 80;
        listen [::]:80;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        server_name wokalek.com;
        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;
        quic_gso on;
        quic_retry on;
        ssl_early_data on;
        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;
        # alt-svc advertises h3 on :8889 while the quic listeners above are on :443
        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;
        return 301 https://wokalek.ru$request_uri;
    }

    server {
        server_name statistic.wokalek.com;
        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;
        quic_gso on;
        quic_retry on;
        ssl_early_data on;
        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;
        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;
        return 301 https://statistic.wokalek.ru$request_uri;
    }

    server {
        server_name statistic.wokalek.ru;
        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;
        quic_gso on;
        quic_retry on;
        ssl_early_data on;
        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;
        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        location /.well-known/acme-challenge {
            root /certbot/www;
        }

        location / {
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://umami:3000;
        }
    }

    server {
        server_name wokalek.ru;
        http2 on;
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;
        quic_gso on;
        quic_retry on;
        ssl_early_data on;
        ssl_protocols TLSv1.3;
        ssl_certificate /certbot/cert/wokalek.ru/fullchain1.pem;
        ssl_certificate_key /certbot/cert/wokalek.ru/privkey1.pem;
        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header QUIC-Status $http3;

        location /.well-known/acme-challenge {
            root /certbot/www;
        }

        location ~ ^/static {
            root /usr/share/nginx/html;
            try_files $uri =404;
        }

        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://nuxt:3000;
        }
    }
}
```

And the check is failing:

```shell
docker run -it --rm ymuski/curl-http3 curl -IL https://wokalek.ru/ --http3 --max-time 5
```

You can check this out https://wokalek.ru ...

macbre commented 9 months ago

I'm using the same nginx container on production and the http3 tester passes for my domain.

The tester fails for your domain:

```
wokalek.ru
HTTP/3 Check could not get the server's advertised QUIC versions due to the error given below.

Server does not advertise any alternative services.
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 18 Sep 2023 11:31:30 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
x-powered-by: Nuxt
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Content-Encoding: gzip
```

It seems that the `add_header alt-svc 'h3=":8889"; ma=86400';` directive is not applied ...

While my domain mentioned above emits the following HTTP response header:

```
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
```

victor-sm commented 8 months ago

If the header is missing, you might have stumbled across an unintuitive nginx behavior with the `add_header` directive:

> These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level.

See: NGINX Documentation

Meaning this will ignore all headers except the ones in the location block, since it's the last one with an `add_header` directive:

```nginx
server {
    add_header alt-svc 'h3=":8889"; ma=86400';
    [...]

    location / {
        [...]
        add_header Cache-Control "public";
    }
}
```

But these will work:

```nginx
server {
    add_header alt-svc 'h3=":8889"; ma=86400';
    add_header Cache-Control "public";

    location / {
        [...]
    }
}
```

```nginx
server {
    [...]

    location / {
        add_header alt-svc 'h3=":8889"; ma=86400';
        add_header Cache-Control "public";
    }
}
```

Took me some time to figure out why my headers were ignored.
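A mechanical way to catch this before deploying, as an added example written for this thread (not code from the macbre/docker-nginx-http3 project or from anyone in the issue): a small scanner that walks an nginx config, applies the inheritance rule victor-sm quotes (a level's own `add_header` set replaces the inherited one entirely), and reports every `server` or `location` block where `alt-svc` was in force at the enclosing level but vanishes. It also flags a second way the header can be emitted yet useless, which the posted config happens to exhibit: the value advertises `h3=":8889"` while every `listen ... quic` in that config is on port 443, so a client that honoured it would try QUIC on a port nothing is listening on (the thread does not say whether that was intended). The sample configs `BROKEN` and `FIXED` are constructed for the example; only `add_header`, `listen` and `server_name` are interpreted, everything else is parsed structurally and ignored.

```python
"""Scan an nginx config for two ways an alt-svc header silently fails.
Added example for this issue thread, not the project's own code."""
import re
import shlex


def parse(text):
    """Minimal nginx config parser. Returns a tree of blocks, each a dict with
    name, args, directives [(name, args)] and nested blocks. Quotes are honoured
    (a ';' inside quotes does not end a directive); '#' comments are skipped."""
    root = {"name": "", "args": [], "directives": [], "blocks": []}
    stack, buf, quote, i = [root], [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:                      # inside a quoted string
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "#":                # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif ch in ";{}":
            words = shlex.split("".join(buf))
            buf = []
            if ch == ";" and words:
                stack[-1]["directives"].append((words[0], words[1:]))
            elif ch == "{":
                block = {"name": words[0] if words else "", "args": words[1:],
                         "directives": [], "blocks": []}
                stack[-1]["blocks"].append(block)
                stack.append(block)
            elif ch == "}" and len(stack) > 1:
                stack.pop()
        else:
            buf.append(ch)
        i += 1
    return root


def effective_add_headers(block, inherited):
    """nginx's rule: if this level has any add_header of its own, that set is
    used and the inherited set is discarded; otherwise inherit unchanged."""
    own = {args[0].lower(): " ".join(args[1:])
           for name, args in block["directives"]
           if name == "add_header" and len(args) >= 2}
    return own or inherited


def _walk(text):
    """Yield (block, inherited, effective, server_name, quic_ports) for every
    server and location block, tracking the enclosing server's QUIC listeners."""
    def rec(block, inherited, server, quic_ports):
        eff = effective_add_headers(block, inherited)
        if block["name"] == "server":
            server = " ".join(a for n, args in block["directives"]
                              if n == "server_name" for a in args) or "(default)"
            quic_ports = {args[0].rsplit(":", 1)[-1] for n, args in block["directives"]
                          if n == "listen" and args and "quic" in args}
        if block["name"] in ("server", "location"):
            yield block, inherited, eff, server, quic_ports
        for child in block["blocks"]:
            yield from rec(child, eff, server, quic_ports)
    yield from rec(parse(text), {}, None, set())


def dropped_headers(text, header="alt-svc"):
    """Blocks where `header` is in force at the enclosing level but disappears
    because the block defines add_header without repeating it."""
    return [(srv, (block["name"] + " " + " ".join(block["args"])).strip())
            for block, inherited, eff, srv, _ in _walk(text)
            if header in inherited and header not in eff]


def alt_svc_port_mismatches(text):
    """Blocks whose effective alt-svc advertises an h3 port that no
    'listen ... quic' directive of the enclosing server provides."""
    out = []
    for _, _, eff, srv, quic_ports in _walk(text):
        for port in re.findall(r'h3=":(\d+)"', eff.get("alt-svc", "")):
            if port not in quic_ports and (srv, port) not in out:
                out.append((srv, port))
    return out


# Constructed samples (not real deployments): BROKEN has the pattern from the
# comment above plus an alt-svc port with no QUIC listener; FIXED repeats the
# header inside the location and points it at the port QUIC is bound to.
BROKEN = """
http {
    server {
        server_name example.test;
        listen 443 ssl;
        listen 443 quic;
        add_header alt-svc 'h3=":8889"; ma=86400';
        location / {
            add_header Cache-Control "public";  # replaces the inherited set
            proxy_pass http://app:3000;
        }
    }
}
"""

FIXED = """
http {
    server {
        server_name example.test;
        listen 443 ssl;
        listen 443 quic;
        location / {
            add_header alt-svc 'h3=":443"; ma=86400';
            add_header Cache-Control "public";
            proxy_pass http://app:3000;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "dropped alt-svc:", dropped_headers(cfg),
              "port mismatches:", alt_svc_port_mismatches(cfg))
```

Run it against the output of `nginx -T` (which prints the fully included config) rather than a single file, so `include`d snippets that define their own `add_header` are seen. A clean report does not prove HTTP/3 works; it only rules out these two configuration mistakes, and the `curl --http3` check from earlier in the thread remains the end-to-end test.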

wokalek commented 4 months ago

Thanks for the help, maybe this really was the problem. I don’t even remember anymore.