docker-nginx-http3
HTTP/3 does not work and falls back to HTTP/2
Config
static.conf
```nginx
server {
    listen 443 http3 reuseport;
    listen 443 ssl http2;
    server_name _;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    # Enable all TLS versions (TLSv1.3 is required for QUIC).
    ssl_protocols TLSv1.3;
    # 0-RTT QUIC connection resumption
    ssl_early_data on;
    # Add Alt-Svc header to negotiate HTTP/3.
    add_header alt-svc 'h3-27=":4300"; ma=86400, h3-28=":4300"; ma=86400, h3-29=":4300"; ma=86400';
    add_header QUIC-Status $http3; # Sent when QUIC was used
    # resolver 127.0.0.11;
    autoindex off;
    root /usr/share/nginx/html;
    index index.html;
    # limit_req zone=perip burst=5 nodelay;
    # limit_req_status 460;
    # limit_conn perserver 5;
    # limit_rate 10240k;
}
```
docker-compose.yml
```yaml
version: "3.8"
services:
  ssb-http3:
    image: macbre/nginx-http3
    container_name: docker-ssb-demo
    restart: always
    ports:
      - "0.0.0.0:4300:443/tcp"
      - "0.0.0.0:4300:443/udp"
    environment:
      - "NODE_ENV=development"
    networks:
      - demo-connect
    volumes:
      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/static.conf:/etc/nginx/conf.d/static.conf:ro
      - ./static:/usr/share/nginx/html
      - ./ssl:/etc/nginx/ssl
networks:
  demo-connect:
    driver: bridge
```
Checks
```
ubuntu@ubuntu-vm:~/Documents/ssb$ docker-compose ps
     Name               Command          State                              Ports
-----------------------------------------------------------------------------------------------------------------
docker-ssb-demo   nginx -g daemon off;   Up      0.0.0.0:4300->443/tcp, 0.0.0.0:4300->443/udp, 8080/tcp, 8443/tcp
ubuntu@ubuntu-vm:~/Documents/ssb$ docker run -it --rm ymuski/curl-http3 curl -ILv https://localhost.dalisoft.uz:4300 --http3
*   Trying 127.0.0.1:4300...
* Connect socket 5 over QUIC to 127.0.0.1:4300
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* quiche: recv() unexpectedly returned -1 (errno: 111, socket 5)
* connect to 127.0.0.1 port 4300 failed: Connection refused
* Failed to connect to localhost.dalisoft.uz port 4300: Connection refused
* Closing connection 0
curl: (7) quiche: recv() unexpectedly returned -1 (errno: 111, socket 5)
ubuntu@ubuntu-vm:~/Documents/ssb$
```
Environments
- docker: macbre/nginx-http3 latest
- os: ubuntu 22.04 (amd64)
Expected Result
HTTP/3 responses
Actual Result

I encounter the same problem. How is this resolved?
The curl-http3 image that you are using is outdated. It doesn't support the latest released http/3 version. It only supports the old draft versions.
> The curl-http3 image that you are using is outdated. It doesn't support the latest released http/3 version. It only supports the old draft versions.
Doesn't matter. Check it with the browser (actual Firefox or Chrome), it doesn't work.
Same here, even with latest 1.25.1 official build I cannot get it to work...
I tested the latest version from Docker Hub (macbre/nginx-http3:1.25.1) and it is able to work with HTTP/3 when using curl as below:

```
$ curl -IL https://localhost:8889/ -k --http3
HTTP/3 200
date: Wed, 28 Jun 2023 09:43:23 GMT
content-type: text/html; charset=utf-8
vary: accept-encoding
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
content-security-policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';
alt-svc: h3=":8889"; ma=86400
quic-status: h3 - Sent when QUIC was used
```

- Use the latest curl version with HTTP/3 support, downloaded from https://github.com/curl/curl-for-win . Add the -k option to ignore SSL cert issues.

In my browser HTTP/3 didn't work; apparently it is the SSL cert issue below. You can remove the -k option above to see it. No idea why though: I used openssl 3.0.0 to generate it and my Chrome browser supports TLS 1.3, but since it's a local cert issue I guess it can be ignored.

SSL peer certificate or SSH remote key was not OK
@natsl05164 can you try with mkcert (choco install mkcert)? This will add the Root CA to your keychain in Windows so Chrome won't complain about local certs.
> @natsl05164 can you try with mkcert (choco install mkcert)? This will add the Root CA to your keychain in Windows so Chrome wont complain about local certs.
But the trouble is my Chrome browser doesn't complain about the cert; it shows it's a valid cert with the "lock" icon without the red slash. I did add the cert to the Trusted Root CA in Chrome.
Does mkcert work for you?
Nope, h3 does not work at all on my Mac with M1... but I don't have cert issues.
I have the same problem, using `docker run -it --rm ymuski/curl-http3 curl -kIL https://home-server.home --http3` returns `HTTP/3 200`, but Firefox refuses to use HTTP/3. (Using -k because the certificate isn't trusted by the docker container, but Firefox shows the lock icon so the certificate is trusted by Firefox).
same issue: nginx version: nginx/1.25.4 (quic-89bff782528a)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
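
Added example (not part of the issue thread and not code from the macbre/nginx-http3 project): a small Python check of an `Alt-Svc` value, run on the two header values that appear on this page. It reports whether the final `h3` token (RFC 9114) is advertised or only draft `h3-NN` tokens, and whether the advertised port matches the UDP port published by Docker; the function names are hypothetical.

```python
import re

# One alternative (RFC 7838): protocol-id="[host]:port" then ;name=value parameters.
_ALT = re.compile(r'([\w.~+-]+)="([^"]*):(\d+)"((?:\s*;\s*[^;,]+)*)')
_DRAFT = re.compile(r"^h3-\d+$")  # pre-RFC draft identifiers such as h3-29

# Header values copied from this page.
ISSUE_HEADER = 'h3-27=":4300"; ma=86400, h3-28=":4300"; ma=86400, h3-29=":4300"; ma=86400'
WORKING_HEADER = 'h3=":8889"; ma=86400'


def parse_alt_svc(value):
    """Return one dict (proto, host, port, ma) per advertised alternative."""
    alternatives = []
    for proto, host, port, params in _ALT.findall(value):
        ma = 86400  # RFC 7838 default lifetime (24 hours) when ma is absent
        for param in params.split(";"):
            name, _, val = param.strip().partition("=")
            if name.lower() == "ma" and val.strip().isdigit():
                ma = int(val)
        alternatives.append({"proto": proto, "host": host, "port": int(port), "ma": ma})
    return alternatives


def audit_alt_svc(value, published_udp_port):
    """List reasons a client limited to final HTTP/3 could not use this header."""
    h3_family = [a for a in parse_alt_svc(value)
                 if a["proto"] == "h3" or _DRAFT.match(a["proto"])]
    findings = []
    if not any(a["proto"] == "h3" for a in h3_family):
        drafts = ", ".join(a["proto"] for a in h3_family) or "none"
        findings.append(f"no final 'h3' token advertised (drafts: {drafts})")
    for a in h3_family:
        if a["port"] != published_udp_port:
            findings.append(f"{a['proto']} points at port {a['port']}, "
                            f"but UDP port {published_udp_port} is published")
    return findings


if __name__ == "__main__":
    for label, header, port in (("issue", ISSUE_HEADER, 4300),
                                ("working", WORKING_HEADER, 8889)):
        print(label, audit_alt_svc(header, port) or "ok")
```

An empty host in the parsed result means the alternative is on the same host as the origin, which is the case for both headers above.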