voxpupuli / puppet-nginx

Puppet Module to manage NGINX on various UNIXes
https://forge.puppet.com/puppet/nginx
MIT License

Nginx & http3 #1422

Open latez opened 3 years ago

latez commented 3 years ago

Hello Team,

Hope I am asking in the right place! Any chance that support for http3 will be added in order to support QUIC?

Thanks!

ekohl commented 3 years ago

I don't think this is the right place. This is only the Puppet module to install and configure the nginx package. That means you need to contact the nginx developers.

latez commented 3 years ago

@ekohl Nginx has already added support for QUIC

My question is more around implementing the necessary config lines -

# Enable QUIC and HTTP/3.
listen 443 quic reuseport;

# Request buffering is not currently supported for HTTP/3.
proxy_request_buffering off;

# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3-27=":443"; ma=86400';
ssl_protocols TLSv1.3;

ekohl commented 3 years ago

Ah, then I misunderstood. In that case, a PR is welcome.

hashworks commented 2 months ago
# Enable QUIC and HTTP/3.
listen 443 quic reuseport;

Note: reuseport can only be applied to one vhost (per IP), so it should be added to a default https vhost.

reuseport is a hard requirement as well, otherwise only one worker will be able to handle HTTP/3.


# Request buffering is not currently supported for HTTP/3.
proxy_request_buffering off;

Do you have a source for this? It's been 4 years, maybe that is no longer the case?


# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3-27=":443"; ma=86400';

Could you elaborate on those values? What does -27 mean? On my end using h3 worked fine. Also, we should use the $server_port variable (or the listen_port).

add_header Alt-Svc 'h3=":$server_port"; ma=86400';
add_header x-quic 'h3';

ssl_protocols TLSv1.3;

While we should make sure that TLSv1.3 is enabled with quic, I don't think we have to drop TLS1.2 if the server supports http2 as well.


We should also evaluate the following options:

# Default?
http3 on;

http3_hq on;
quic_retry on;

# Enabling QUIC 0-RTT, might be a sec risk
ssl_early_data on;
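The directives discussed in this thread, assembled into one default https server block as an added example (this is hand-written nginx configuration, not code from puppet-nginx or from anyone in the thread); server_name, certificate paths and the upstream address are placeholders, and it assumes an nginx build with QUIC support and the `http2`/`http3` directives (1.25+):

```nginx
# Added example: one default server carrying both the TCP listeners (HTTP/1.1, HTTP/2)
# and the UDP/QUIC listener (HTTP/3) on the same port. Placeholder values throughout.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # reuseport can only be set once per address:port, so it belongs on the
    # default server; without it only one worker process serves HTTP/3.
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;
    http3 on;
    server_name example.com;                      # placeholder

    ssl_certificate     /etc/ssl/certs/example.com.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path
    # QUIC requires TLS 1.3, but TCP clients may still negotiate TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    # 0-RTT early data can be replayed by a network attacker; keep it off
    # unless every early request the application accepts is idempotent.
    ssl_early_data off;
    # Address validation makes the server harder to use for UDP amplification.
    quic_retry on;

    # Advertise HTTP/3 on whatever port this server actually listens on,
    # rather than hard-coding 443 or a draft version tag like h3-27.
    add_header Alt-Svc 'h3=":$server_port"; ma=86400' always;

    location / {
        proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        # Request bodies cannot be buffered on HTTP/3 connections.
        proxy_request_buffering off;
    }
}
```

Validate with `nginx -t` before reloading; an nginx built without the QUIC module rejects the `quic` listen parameter and `http3` directive at that step rather than at runtime.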