
Connect AIOQUIC using Browser without passing the flag origin-to-force-quic-on

Open iamPerfPro opened this issue 2 years ago • 4 comments

Hello,

I find that I can connect my Chrome browser to https://quic.aiortc.org/ without using the flag "--origin-to-force-quic-on", and the protocol used is HTTP/3. But when I try to connect the Chrome browser to the aioquic server locally on my machine without the flag "--origin-to-force-quic-on", it fails to connect with the error "ERR_CONNECTION_REFUSED". I was successful in generating valid certificates for localhost using mkcert and I do not need to pass the flag "--ignore-certificate-errors-spki-list" anymore.

Now I don't want to use the flag "--origin-to-force-quic-on" with Chrome. Is it possible to run?

I also would like to know how your hosted server is working without any flag? And it also works with other browsers like Firefox and Safari.

iamPerfPro avatar Apr 29 '22 18:04 iamPerfPro

Hey @abnv418,

Could you give a little bit more information on your local setup specifically?

You say "I was successful in generating valid certificates for local host using mkcert and I do not need to pass the flag "--ignore-certificate-errors-spki-list" anymore", but as far as I know, that's... impossible? How exactly did you generate those certs (can you give the mkcert command so I can try to reproduce?)

Are you 100% sure your local setup with the mkcert localhost certificate works if you DO pass --origin-to-force-quic-on but DO NOT pass --ignore-certificate-errors-spki-list? How do you test this?

If that does work but without the --origin-to-force-quic-on flag it does not, you should probably collect a netlog (explained here: https://www.chromium.org/for-testers/providing-network-details/) and upload it here so we can get some more details on what's going wrong...

Finally, are you sure you're doing alt-svc correctly with an HTTP/1 or HTTP/2 server at TCP port 443 so chrome can properly discover the QUIC server at UDP? I'm not sure how to interpret your last sentence "it also works with other browser like Firefox and Safari" (does it mean your setup works with FF/Safari, or are you asking how the hosted server works with them?)

rmarx avatar May 02 '22 07:05 rmarx

Hello @rmarx,

Apologies for the late reply.

Part 1 of my question:

So I use a Mac laptop for producing the localhost certificates. I installed mkcert on the Mac. I use the command

mkcert localhost

and it generates the certificates, which I need to trust in the Keychain on the Mac. I mark the certificates as "Always Trust". I use these certificates when I start the aioquic server.

Server-side command on Mac:

python3 examples/http3_server.py --certificate certs/localhost.pem --private-key certs/localhost-key.pem -v

Client-side command on Mac:

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
    --incognito \
    --user-data-dir="anypath" \
    --origin-to-force-quic-on=localhost:4433 \
    https://localhost:4433/

After running the client and server with this setup I see the aioquic home page in the browser. I do not use the --ignore-certificate-errors-spki-list flag.

Below are the screenshots of what I get in the Chrome browser.

[Screenshot: Screen Shot 2022-05-05 at 2 12 27 PM]

[Screenshot: Screen Shot 2022-05-05 at 2 12 16 PM]

Part 2 of my question:

The other question I had is how I can see the same behavior in Firefox and Safari if the certificates are trusted on localhost. I was not able to find a parameter like --origin-to-force-quic-on=localhost:4433 for Firefox and Safari.

Part 3 of my question:

Moving forward, I wanted to run aioquic on localhost without passing --origin-to-force-quic-on=localhost:4433, so that I can see the HTTP/1 or HTTP/2 server falling back to HTTP/3. I tried to advertise the support in the aiohttp server for aioquic, but it does not switch to HTTP/3 when I check in the Inspect-->Network-->Protocol tab. I'm not sure what is going wrong there.

The code I used is below.


from aiohttp import web
import ssl

routes = web.RouteTableDef()

def html_response(document):
    # Serve a static HTML file and advertise HTTP/3 on UDP port 4433 via Alt-Svc
    with open(document, "r") as s:
        return web.Response(text=s.read(), content_type='text/html',
                            headers={'alt-svc': 'h3=":4433",h3-29=":4433"; ma=86400, h3-27=":4433"; ma=86400'})

@routes.get('/')
async def index_handler(request):
    return html_response('index.html')

app = web.Application()
app.add_routes(routes)

# Server-side TLS context loading the mkcert localhost certificate
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain(certfile="localhost.pem", keyfile="localhost-key.pem")

if __name__ == '__main__':
    web.run_app(app, ssl_context=ssl_context, host='localhost', port=443)


I also have aioquic running simultaneously. I may be doing something wrong here. Please let me know if you find a mistake.

So I wanted to know which server is being used for https://quic.aiortc.org/ and how HTTP/1 or HTTP/2 falls back to HTTP/3.

Let me know if anything else is required. Thanks once again for your help.

iamPerfPro avatar May 16 '22 14:05 iamPerfPro

quic.aiortc.org is running:

  • the unmodified demo aioquic HTTP/3 server directly to serve HTTP/3
  • nginx (which does SSL termination + adds the Alt-Svc header) + uvicorn to serve HTTP/1 and HTTP/2

Both these setups run the unmodified demo.py ASGI application.

The nginx configuration is straightforward:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name quic.aiortc.org;
    access_log  /var/log/nginx/quic.aiortc.org_access.log;

    ssl_certificate /etc/letsencrypt/live/quic.aiortc.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/quic.aiortc.org/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Alt-Svc "h3=\":443\"; ma=86400, h3-32=\":443\"; ma=86400, h3-29=\":443\"; ma=86400";

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        include proxy_params;
    }
}

And uvicorn is simply: uvicorn demo:app from the "examples" directory.

NOTE: you might consider simply using hypercorn which does HTTP/1, HTTP/2, HTTP/3 (using aioquic).

jlaine avatar May 18 '22 16:05 jlaine
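Both the aiohttp snippet earlier in the thread and the nginx configuration above depend on the Alt-Svc header being well formed, because that header is the only thing telling Chrome where the HTTP/3 endpoint is when --origin-to-force-quic-on is not used. The following parser is an added example, not code from aioquic or from anyone in this thread; it checks a header value against the RFC 7838 grammar and reports which UDP ports it advertises for h3. The two sample header values are copied from the thread (the nginx one and the aiohttp one); the function and class names, and the choice to reject anything malformed rather than half-parse it, are my own.

```python
"""Parse and sanity-check Alt-Svc header values (RFC 7838)."""
import re
from dataclasses import dataclass, field

# Header values from this thread: the nginx one in front of quic.aiortc.org
# and the one the aiohttp snippet sets (copied from the page).
NGINX_ALT_SVC = 'h3=":443"; ma=86400, h3-32=":443"; ma=86400, h3-29=":443"; ma=86400'
AIOHTTP_ALT_SVC = 'h3=":4433",h3-29=":4433"; ma=86400, h3-27=":4433"; ma=86400'

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# alternative = protocol-id "=" quoted-string
_ALTERNATIVE_RE = re.compile(r'^(' + _TOKEN + r')="([^"]*)"$')
# alt-authority = [ uri-host ] ":" port ; empty host means "same host as the origin"
_AUTHORITY_RE = re.compile(r'^(.*):(\d{1,5})$')


@dataclass
class AltService:
    protocol: str        # ALPN id, e.g. "h3", or a draft id such as "h3-29"
    host: str            # "" when the alternative lives on the origin's own host
    port: int
    max_age: int = 86400  # "ma" parameter; RFC 7838 default is 24 hours
    params: dict = field(default_factory=dict)


def _split_outside_quotes(text, sep):
    """Split on `sep` only where it is not inside a quoted-string."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_alt_svc(value):
    """Return the AltService entries in a header value; [] for 'clear'.

    Raises ValueError on anything outside the RFC 7838 grammar, so a
    malformed header is rejected instead of being silently half-parsed."""
    value = value.strip()
    if value.lower() == "clear":
        return []
    services = []
    for entry in _split_outside_quotes(value, ","):
        alternative, *raw_params = _split_outside_quotes(entry, ";")
        m = _ALTERNATIVE_RE.match(alternative)
        if not m:
            raise ValueError(f"malformed alt-value: {entry!r}")
        protocol, authority = m.group(1), m.group(2)
        am = _AUTHORITY_RE.match(authority)
        if not am or not 0 < int(am.group(2)) <= 65535:
            raise ValueError(f"malformed alt-authority: {authority!r}")
        host, port = am.group(1), int(am.group(2))
        params = {}
        for p in raw_params:
            name, eq, val = p.partition("=")
            if not eq or not name.strip():
                raise ValueError(f"malformed parameter: {p!r}")
            params[name.strip().lower()] = val.strip().strip('"')
        ma = params.get("ma", "86400")
        if not ma.isdigit():
            raise ValueError(f"malformed ma parameter: {ma!r}")
        services.append(AltService(protocol, host, port, int(ma), params))
    return services


def h3_ports(value):
    """UDP ports on which the header advertises HTTP/3 (final or draft ALPN ids)."""
    return sorted({s.port for s in parse_alt_svc(value)
                   if s.protocol == "h3" or s.protocol.startswith("h3-")})


if __name__ == "__main__":
    for label, header in (("nginx", NGINX_ALT_SVC), ("aiohttp", AIOHTTP_ALT_SVC)):
        print(label, h3_ports(header), parse_alt_svc(header))
```

Run against the thread's two values, the nginx header advertises port 443 and the aiohttp header port 4433, which is consistent with each setup (the browser must then reach that UDP port with a certificate it trusts for the same hostname). The aiohttp header's first entry carries no ma parameter, so the parser applies the RFC default of 86400 seconds; since a client caches an alternative for that long, it is worth checking what a server actually emits before relying on it.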

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 16 '22 04:09 github-actions[bot]