Add support for HTTP/3

Open LeoColomb opened this issue 2 years ago • 3 comments

Initial configuration, based on https://nginx.org/en/docs/http/ngx_http_v3_module.html.

See also: https://nginx.org/en/docs/http/ngx_http_core_module.html#listen

  • [x] Move HTTP version support into separate files (to be used at http{} level)
  • [ ] Correctly support all versions on the same port
  • [x] Switch to modern syntax
  • [x] Review backward support
  • [ ] Ensure upstream module is stable

LeoColomb avatar May 24 '23 21:05 LeoColomb

Regarding >1 vhosts on the same Nginx instance, I'm using the config from this PR on multiple vhosts and it fails at the nginx -t stage with nginx: [emerg] duplicate listen options for [::]:443.

Is it possible (or viable) to spin up a second vhost instance in this repo to see if that triggers the error on CI, given the experimental implementation of HTTP/3 in Nginx 1.25.0?

petecooper avatar May 25 '23 14:05 petecooper

Thanks for your comment @petecooper.

> I'm using the config from this PR on multiple vhosts and it fails

That is definitely possible. This config is still at a very early stage, only tested with my custom build so far. We have to figure out how to add h3 properly without breaking the current config, and this will be done once the Nginx support leaves its experimental status.

I guess for now the best option is to segregate the h3 port from other protocols, or investigate the reason why reuseport is not respected.

> Is it possible (or viable) to spin up a second vhost instance in this repo

Possible, always, but not realistic: this would imply importing the whole Nginx build workflow, which is way too far out of the scope.

LeoColomb avatar May 25 '23 19:05 LeoColomb
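
A static check for the failure discussed above, as an added example that is not part of the thread or of the project's code: the nginx `listen` documentation states that socket-level parameters such as `reuseport` may be given only once per address:port pair, so this sketch flags any socket where more than one `listen` line sets them, without needing an HTTP/3-enabled build. Assumptions: the function name, the `a.example`/`b.example` vhosts and the `quic` listen lines are constructed for illustration, `include` directives are not followed, and QUIC (UDP) listeners are tracked separately from TCP ones.

```python
import re
from collections import defaultdict

# listen parameters that map to socket-level calls; the nginx docs allow them
# only once for a given address:port pair.
SOCKET_OPTS = {"reuseport", "deferred", "bind"}
SOCKET_OPT_PREFIXES = ("backlog=", "rcvbuf=", "sndbuf=", "ipv6only=",
                       "so_keepalive=", "fastopen=", "setfib=", "accept_filter=")
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def find_duplicate_listen_options(configs):
    """configs maps file name -> config text (includes already expanded).
    Returns {(transport, address): [(file, socket_opts), ...]} for every socket
    whose socket-level options are set by more than one listen directive."""
    seen = defaultdict(list)
    for name, text in configs.items():
        text = re.sub(r"#[^\n]*", "", text)  # drop comments
        for match in LISTEN_RE.finditer(text):
            addr, *params = match.group(1).split()
            if addr.isdigit():  # "listen 443" is shorthand for *:443
                addr = "*:" + addr
            # Assumption: a quic/http3 listener is a UDP socket, distinct from
            # the TCP listener on the same address:port.
            transport = "udp" if {"quic", "http3"} & set(params) else "tcp"
            opts = sorted(p for p in params
                          if p in SOCKET_OPTS or p.startswith(SOCKET_OPT_PREFIXES))
            if opts:
                seen[(transport, addr)].append((name, opts))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


# Constructed sample: the same HTTP/3 listen lines pasted into two vhosts.
VHOST = """server {{
  listen [::]:443 quic {opts};
  listen 443 quic {opts};
  listen [::]:443 ssl;
  listen 443 ssl;
  server_name {name};
}}
"""
BROKEN = {n + ".conf": VHOST.format(name=n, opts="reuseport")
          for n in ("a.example", "b.example")}
# Corrected layout: only the first vhost sets reuseport on the shared sockets.
FIXED = dict(BROKEN, **{"b.example.conf": VHOST.format(name="b.example", opts="")})

if __name__ == "__main__":
    for (transport, addr), hits in find_duplicate_listen_options(BROKEN).items():
        print(f"duplicate listen options for {addr} ({transport}): {hits}")
```
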

If anyone is interested, I once wrote this script to compile NGINX with H3 support, maybe it will help testing/debugging: https://gist.github.com/muuvmuuv/73b9008a393fd1b2c45d202ea11b6487

And, I don't have the issue with "duplicate listen".

www-server.conf
server {
  listen 443 http3 reuseport;
  listen 443 http2 ssl;

  root /etc/nginx/www;
  server_name localhost;
  index index.html;

  include /etc/nginx/h5bp/h5bp/tls/ssl_engine.conf;
  include /etc/nginx/custom.d/certificate_files.conf;
  include /etc/nginx/custom.d/ssl_policy.conf;

  include /etc/nginx/h5bp/h5bp/security/referrer-policy.conf;
  include /etc/nginx/h5bp/h5bp/security/x-content-type-options.conf;
  include /etc/nginx/h5bp/h5bp/security/x-frame-options.conf;
  include /etc/nginx/h5bp/h5bp/security/content-security-policy.conf;
  include /etc/nginx/h5bp/h5bp/security/strict-transport-security.conf;
  include /etc/nginx/h5bp/h5bp/security/permissions-policy.conf;
  include /etc/nginx/h5bp/h5bp/location/security_file_access.conf;

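  location / {
    # CORS: browsers reject a wildcard Access-Control-Allow-Origin on
    # credentialed requests, so '*' together with Allow-Credentials 'true'
    # does not grant credentialed cross-origin access.
    add_header Access-Control-Expose-Headers '*';
    add_header Access-Control-Allow-Origin '*';
    add_header Access-Control-Allow-Credentials 'true';
    add_header Access-Control-Allow-Methods '*';
    add_header Access-Control-Allow-Headers '*';
    # Advertise HTTP/3 on the same port for 24 hours.
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    # Debug header showing the negotiated protocol.
    add_header X-Protocol $server_protocol always;

    # Return 404 when neither a file nor a directory matches.
    try_files $uri $uri/ =404;
  }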

  include /etc/nginx/policies/*.conf;
}

muuvmuuv avatar May 26 '23 05:05 muuvmuuv