
nginx: add optional HTTP/3

Open Boubik opened this issue 1 month ago • 0 comments

Summary

This PR adds optional HTTP/3 (QUIC) support to the os-nginx HTTP/S server.

  • Adds an enable_http3 toggle to the HTTP/S server model and GUI (default off for backwards compatibility).
  • When HTTP/3 is enabled and a certificate is present, the generated server block:
    • adds corresponding listen ... quic reuseport directives for each configured HTTPS listen address
    • advertises HTTP/3 support using an Alt-Svc response header based on the HTTPS port.
  • When HTTP/3 is disabled or no certificate is configured, the resulting nginx configuration is unchanged from current behavior.

Note: This feature requires a firewall rule allowing UDP on the HTTPS port.

Implementation

  • Model
    • Introduced a new boolean field enable_http3 under the HTTP server model with default 0 (disabled).
  • GUI
    • Added an “HTTP/3 (QUIC)” checkbox to the HTTP server form, next to the existing HTTP/2 toggle.
  • Template
    • Updated the HTTP server template to:
      • emit listen ... quic reuseport only when enable_http3 == 1 and a certificate is configured for the server
      • emit Alt-Svc 'h3=":$server_port"; ma=86400' only when HTTP/3 is enabled and a certificate is configured.

Testing

configctl template reload OPNsense/Nginx
nginx -t

Created an HTTPS HTTP server without HTTP/3 enabled:

  • Verified that no quic listeners and no Alt-Svc header are present in the generated config.

Enabled HTTP/3 (QUIC) on the same HTTP server:

  • Verified that the nginx config now contains listen ... quic reuseport for each HTTPS listen address.
  • Verified that nginx advertises HTTP/3 via Alt-Svc:

curl -I --http3 -k https://<TARGET_IP>

Example response (abridged):

HTTP/3 200
server: nginx
...
alt-svc: h3=":443"; ma=86400

Screenshot

HTTP server configuration with the new HTTP/3 (QUIC) toggled off:


Example generated config (HTTP/3 enabled)

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    listen 443 ssl default_server;
    listen 443 quic reuseport default_server;
    listen [::]:443 ssl default_server;
    listen [::]:443 quic reuseport default_server;

    ...

    add_header Alt-Svc 'h3=":443"; ma=86400' always;
    ...

With HTTP/3 disabled (or no certificate configured), the generated server block matches the current implementation.

Boubik, Dec 06 '25 01:12