Issue with getting to HTTP/3 or QUIC on first connect

Roman Arutyunyan arut at nginx.com
Thu Mar 9 09:41:08 UTC 2023


Hi Eric,

> On 9 Mar 2023, at 10:56, Eric Germann via nginx <nginx at nginx.org> wrote:
> 
> I’m having an issue where I (think I) have enabled HTTP3 correctly on my nginx server.  When I connect to the server the first time, it indicates HTTP/2 in the logs.  If I hit refresh it indicates HTTP/3 from then on.

Normally you connect to the server using regular https first (http/2 is probably an option as well).
Only after that the client analyses Alt-Svc response header and tries http/3.

> So something is wrong with the configuration of the server to offer headers to negotiate it.  I’ve even added HTTPS DNS records to indicate the preferred connection schemes.  
> Bonus points if you can help me get QUIC working too.
> 
> The result of http3check.net <http://http3check.net/> is "HTTP/3 Check could not get the server's advertised QUIC versions due to the error given below.
> Bad status code from server.
Can you please check nginx error.log for errors? If no errors, can you please enable debugging and send the error.log to me.

> Thanks in advance for any pointers
> 
> Eric
> 
> Source code was pulled 2023-02-27
> 
> 
> Build information is:
> 
> nginx version: nginx/1.23.4
> built by gcc 7.3.1 20180712 (Red Hat 7.3.1-15) (GCC) 
> built with OpenSSL 3.0.8+quic 7 Feb 2023
> TLS SNI support enabled
> configure arguments: --with-threads --with-cc-opt='-static -static-libgcc' --with-ld-opt=-static --with-debug --with-compat --with-file-aio --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_realip_module --with-http_secure_link_module --with-http_random_index_module --with-http_geoip_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream_quic_module --with-http_sub_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-cc-opt=-I/usr/local/include --with-ld-opt=-L/usr/local/lib --with-openssl=../quictls --with-openssl-opt=enable-tls1_3 --add-module=/source/ngx_brotli
> 
> 
> Pertinent config for the server block is
> 
>     upstream httpd_backend {
>         server 172.28.10.91:443;
> 
>         keepalive 120;
>     }
> 
>     log_format quic '$remote_addr - $remote_user [$time_local] '
>                         '"$request" $status $body_bytes_sent '
>                         '"$http_referer" "$http_user_agent" "$http3"';
> 
>     access_log logs/access.log quic;
> 
>     # NON-SSL
>     server {
>         listen                  80;
>         listen                  [::]:80;
>         server_name             www.example.com;
> 
>         location / {
>           rewrite               ^ https://www.example.com$request_uri?/ permanent;
>         }
>     }
> 
>     # SSL
>     server {
>         listen                  443             ssl http2;
>         listen                  [::]:443        ssl http2;
>         listen                  443             http3 reuseport;
>         listen                  [::]:443        http3 reuseport;
> 
>         quic_retry              on;
> 
>         server_name             noc2.semperen.com;
> 
>         # Set up your cert paths
>         ssl_certificate_key             /etc/letsencrypt/live/www.example.com/privkey.pem;
>         ssl_certificate                 /etc/letsencrypt/live/www.example.com/fullchain.pem;
>         ssl_trusted_certificate         /etc/letsencrypt/live/www.example.com/chain.pem;
>         ssl_dhparam                     SSLKeys/dhparam.pem;
>         ssl_protocols                   TLSv1.3;
>         ssl_prefer_server_ciphers       On;
>         ssl_ciphers                     TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:AES256+EECDH:AES256+EDH:!aNULL:!CBC;
>         ssl_ecdh_curve                  secp384r1;
>         ssl_early_data                  on;
> 
>         # enable ocsp stapling
>         ssl_stapling on;
>         ssl_stapling_verify on;
> 
>         resolver 8.8.4.4 8.8.8.8 valid=86400s;
>         resolver_timeout 10s;
> 
>         # upgrade to HTTP3 and HTTP2
>         add_header alt-svc              'h3=":443"; ma=86400, h2=":443"; ma=86400';
>         add_header alt-svc              'h2=":443"; ma=86400; persist=1';
>         add_header alt-svc              'h2=":443"; ma=86400;';
> 
>         add_header X-Frame-Options      "SAMEORIGIN";
> 
> 
>         # tell users to go to SSL version next time
>         add_header Strict-Transport-Security "max-age=31104000; includeSubdomains" always;
> 
>         # handle brotli compression
>         brotli                          on;
>         brotli_static                   on;
> 
> 	# Note this is one line, even if it wraps and renders as two
>         brotli_types                    text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
> 
>         brotli_buffers                  16 8k;
>         brotli_comp_level               9;
> 
>         client_max_body_size            32M;
> 
>         error_page 502 /custom_502.html;
>         location = /custom_502.html {
>             root /usr/local/nginx/html;
>             internal;
>         }
> 
>         location / {
>             proxy_pass                  https://httpd_backend;
>             proxy_http_version          1.1;
>             proxy_buffering             on;
>             proxy_set_header            X-Forwarded-For $remote_addr;
>             proxy_set_header            X-Real-IP       $remote_addr;
>             proxy_set_header            Host            $host;
>             proxy_pass_header           Authorization;
> #           proxy_set_header            X-Scheme        $scheme;
> #           proxy_set_header            Upgrade         $http_upgrade;
> #           proxy_set_header            Connection      "upgrade";
>         }
> 
>         location /roundcube {
>             proxy_pass                  https://172.28.10.100;
>             proxy_http_version          1.1;
>             proxy_buffering             on;
>             proxy_set_header            X-Forwarded-For $remote_addr;
>             proxy_set_header            X-Real-IP       $remote_addr;
>             proxy_set_header            Host            $host;
>             proxy_pass_header           Authorization;
> #           proxy_set_header            X-Scheme        $scheme;
> #           proxy_set_header            Upgrade         $http_upgrade;
> #           proxy_set_header            Connection      "upgrade";
>         }
>     }
> 
> 
> 
> 
> --
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Medium: https://ekgermann.medium.com <https://ekgermann.medium.com/> 
> Twitter: @ekgermann
> Telegram || Signal || Skype || WhatsApp || Phone +1 {dash} 419 {dash} 513 {dash} 0712
> 
> GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

----
Roman Arutyunyan
arut at nginx.com




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20230309/28782ab6/attachment-0001.htm>


More information about the nginx mailing list