traefik icon indicating copy to clipboard operation
traefik copied to clipboard
Published 2 weeks ago verified publisher icon traefik

Alt-Svc header duplication when proxying response from an HTTP3-ready backend

Open Feliksas opened this issue 3 months ago • 2 comments

Welcome!

  • [x] Yes, I've searched similar issues on GitHub and didn't find any.
  • [x] Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

When proxying HTTP traffic from an HTTP3-ready backend (for example, another Traefik instance), HTTP3-enabled Traefik that is proxying the request adds its own Alt-Svc header, thus duplicating it, which breaks RFC2616, section 4.2. In such situation, it is unclear which of the headers the client should take into account, since it is effectively undefined behaviour. I would expect the Alt-Svc header from the backend to be suppressed, when HTTP/3 is effectively handled by the outer Traefik proxy, or (even better) that behaviour should be configurable.

What did you see instead?

Duplicate Alt-Svc header in response from a Traefik instance

What version of Traefik are you using?

Version: 3.5.2 Codename: chabichou Go version: go1.24.7 Built: 2025-09-09T10:16:55Z OS/Arch: linux/arm64

What is your environment & configuration?

---
# Global Traefik config
serversTransport:
  insecureSkipVerify: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http3: {}
providers:
  file:
    directory: /etc/traefik/conf.d
---
# Relevant router config
tls:
  options:
    kube-external:
      minVersion: VersionTLS12
      cipherSuites:
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
http:
  routers:
    kube-external:
      entryPoints:
      - websecure
      rule: "Host(`myapp.example.com`)"
      service: kube-external
      tls:
        options: kube-external
  services:
    kube-external:
      loadBalancer:
        servers:
          - url: https://192.168.101.100/ # Another traefik instance, version 3.3.6, HTTP3 enabled

Proxying to the underlying Traefik instance is done over HTTP/2

If applicable, please paste the log output in DEBUG level

No response

Feliksas avatar Sep 18 '25 08:09 Feliksas

Hey @Feliksas,

Thanks for the bug report. If any community member can help us find verified steps to reproduce and fix the issue if possible, we would love the help.

nmengin avatar Sep 18 '25 13:09 nmengin

The issue might actually be not with Traefik itself, but rather http3 implementation in quic-go. https://github.com/quic-go/quic-go/blob/master/http3/server.go#L874 Looks like it is appending the Alt-Svc header unconditionally, without checking whether it is already present or not

Feliksas avatar Oct 30 '25 13:10 Feliksas