Forgot to add, here are the HTTPS [1] records in DNS
IN HTTPS 100 . no-default-alpn
alpn="h3"
IN HTTPS 200 . no-default-alpn
alpn="h2"
They 100/200 are weights, much like MX records, where the lowest one wins
[1] https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-11.txt
> On Mar 9, 2023, at 01:56, Eric Germann <[email protected]> wrote:
>
> I’m having an issue where I (think I) have enabled HTTP3 correctly on my
> nginx server. When I connect to the server the first time, it indicates
> HTTP/2 in the logs. If I hit refresh it indicates HTTP/3 from then on. So
> something is wrong with the configuration of the server to offer headers to
> negotiate it. I’ve even added HTTPS DNS records to indicate the preferred
> connection schemes. Bonus points if you can help me get QUIC working too.
>
> The result of http3check.net <http://http3check.net/> is "HTTP/3 Check could
> not get the server's advertised QUIC versions due to the error given below.
> Bad status code from server.
> Thanks in advance for any pointers
>
> Eric
>
> Source code was pulled 2023-02-27
>
>
> Build information is:
>
> nginx version: nginx/1.23.4
> built by gcc 7.3.1 20180712 (Red Hat 7.3.1-15) (GCC)
> built with OpenSSL 3.0.8+quic 7 Feb 2023
> TLS SNI support enabled
> configure arguments: --with-threads --with-cc-opt='-static -static-libgcc'
> --with-ld-opt=-static --with-debug --with-compat --with-file-aio
> --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module
> --with-stream_realip_module --with-http_realip_module
> --with-http_secure_link_module --with-http_random_index_module
> --with-http_geoip_module --with-http_ssl_module --with-http_v2_module
> --with-http_v3_module --with-stream_quic_module --with-http_sub_module
> --without-mail_pop3_module --without-mail_imap_module
> --without-mail_smtp_module --with-cc-opt=-I/usr/local/include
> --with-ld-opt=-L/usr/local/lib --with-openssl=../quictls
> --with-openssl-opt=enable-tls1_3 --add-module=/source/ngx_brotli
>
>
> Pertinent config for the server block is
>
> upstream httpd_backend {
> server 172.28.10.91:443;
>
> keepalive 120;
> }
>
> log_format quic '$remote_addr - $remote_user [$time_local] '
> '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent" "$http3"';
>
> access_log logs/access.log quic;
>
> # NON-SSL
> server {
> listen 80;
> listen [::]:80;
> server_name www.example.com;
>
> location / {
> rewrite ^ https://www.example.com$request_uri?/
> permanent;
> }
> }
>
> # SSL
> server {
> listen 443 ssl http2;
> listen [::]:443 ssl http2;
> listen 443 http3 reuseport;
> listen [::]:443 http3 reuseport;
>
> quic_retry on;
>
> server_name noc2.semperen.com;
>
> # Set up your cert paths
> ssl_certificate_key
> /etc/letsencrypt/live/www.example.com/privkey.pem;
> ssl_certificate
> /etc/letsencrypt/live/www.example.com/fullchain.pem;
> ssl_trusted_certificate
> /etc/letsencrypt/live/www.example.com/chain.pem;
> ssl_dhparam SSLKeys/dhparam.pem;
> ssl_protocols TLSv1.3;
> ssl_prefer_server_ciphers On;
> ssl_ciphers
> TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:AES256+EECDH:AES256+EDH:!aNULL:!CBC;
> ssl_ecdh_curve secp384r1;
> ssl_early_data on;
>
> # enable ocsp stapling
> ssl_stapling on;
> ssl_stapling_verify on;
>
> resolver 8.8.4.4 8.8.8.8 valid=86400s;
> resolver_timeout 10s;
>
> # upgrade to HTTP3 and HTTP2
> add_header alt-svc 'h3=":443"; ma=86400, h2=":443";
> ma=86400';
> add_header alt-svc 'h2=":443"; ma=86400; persist=1';
> add_header alt-svc 'h2=":443"; ma=86400;';
>
> add_header X-Frame-Options "SAMEORIGIN";
>
>
> # tell users to go to SSL version next time
> add_header Strict-Transport-Security "max-age=31104000;
> includeSubdomains" always;
>
> # handle brotli compression
> brotli on;
> brotli_static on;
>
> # Note this is one line, even if it wraps and renders as two
> brotli_types text/plain text/css application/json
> application/x-javascript text/xml application/xml application/xml+rss
> text/javascript;
>
> brotli_buffers 16 8k;
> brotli_comp_level 9;
>
> client_max_body_size 32M;
>
> error_page 502 /custom_502.html;
> location = /custom_502.html {
> root /usr/local/nginx/html;
> internal;
> }
>
> location / {
> proxy_pass https://httpd_backend;
> proxy_http_version 1.1;
> proxy_buffering on;
> proxy_set_header X-Forwarded-For $remote_addr;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header Host $host;
> proxy_pass_header Authorization;
> # proxy_set_header X-Scheme $scheme;
> # proxy_set_header Upgrade $http_upgrade;
> # proxy_set_header Connection "upgrade";
> }
>
> location /roundcube {
> proxy_pass https://172.28.10.100;
> proxy_http_version 1.1;
> proxy_buffering on;
> proxy_set_header X-Forwarded-For $remote_addr;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header Host $host;
> proxy_pass_header Authorization;
> # proxy_set_header X-Scheme $scheme;
> # proxy_set_header Upgrade $http_upgrade;
> # proxy_set_header Connection "upgrade";
> }
> }
>
>
>
>
> --
> Eric Germann
> ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
> LinkedIn: https://www.linkedin.com/in/ericgermann
> Medium: https://ekgermann.medium.com <https://ekgermann.medium.com/>
> Twitter: @ekgermann
> Telegram || Signal || Skype || WhatsApp || Phone +1 {dash} 419 {dash} 513
> {dash} 0712
>
> GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1
>
>
>
>
>
>
>
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ nginx mailing list [email protected] https://mailman.nginx.org/mailman/listinfo/nginx
