Hi Eric, > On 9 Mar 2023, at 10:56, Eric Germann via nginx <nginx@nginx.org> wrote: > > I’m having an issue where I (think I) have enabled HTTP3 correctly on my > nginx server. When I connect to the server the first time, it indicates > HTTP/2 in the logs. If I hit refresh it indicates HTTP/3 from then on.
Normally the client first connects to the server over regular HTTPS (HTTP/2 may be negotiated there as well). Only after that does the client parse the Alt-Svc response header and try HTTP/3, so the first connection is expected to be logged as HTTP/2 and later ones as HTTP/3. > So something is wrong with the configuration of the server to offer headers > to negotiate it. I’ve even added HTTPS DNS records to indicate the preferred > connection schemes. > Bonus points if you can help me get QUIC working too. > > The result of http3check.net <http://http3check.net/> is "HTTP/3 Check could > not get the server's advertised QUIC versions due to the error given below. > Bad status code from server. Can you please check the nginx error.log for errors? If there are none, can you please enable debug logging and send the error.log to me. > Thanks in advance for any pointers > > Eric > > Source code was pulled 2023-02-27 > > > Build information is: > > nginx version: nginx/1.23.4 > built by gcc 7.3.1 20180712 (Red Hat 7.3.1-15) (GCC) > built with OpenSSL 3.0.8+quic 7 Feb 2023 > TLS SNI support enabled > configure arguments: --with-threads --with-cc-opt='-static -static-libgcc' > --with-ld-opt=-static --with-debug --with-compat --with-file-aio > --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module > --with-stream_realip_module --with-http_realip_module > --with-http_secure_link_module --with-http_random_index_module > --with-http_geoip_module --with-http_ssl_module --with-http_v2_module > --with-http_v3_module --with-stream_quic_module --with-http_sub_module > --without-mail_pop3_module --without-mail_imap_module > --without-mail_smtp_module --with-cc-opt=-I/usr/local/include > --with-ld-opt=-L/usr/local/lib --with-openssl=../quictls > --with-openssl-opt=enable-tls1_3 --add-module=/source/ngx_brotli > > > Pertinent config for the server block is > > upstream httpd_backend { > server 172.28.10.91:443; > > keepalive 120; > } > > log_format quic '$remote_addr - $remote_user [$time_local] ' > '"$request" $status $body_bytes_sent ' > '"$http_referer" "$http_user_agent" 
"$http3"'; > > access_log logs/access.log quic; > > # NON-SSL > server { > listen 80; > listen [::]:80; > server_name www.example.com; > > location / { > rewrite ^ https://www.example.com$request_uri?/ > permanent; > } > } > > # SSL > server { > listen 443 ssl http2; > listen [::]:443 ssl http2; > listen 443 http3 reuseport; > listen [::]:443 http3 reuseport; > > quic_retry on; > > server_name noc2.semperen.com; > > # Set up your cert paths > ssl_certificate_key > /etc/letsencrypt/live/www.example.com/privkey.pem; > ssl_certificate > /etc/letsencrypt/live/www.example.com/fullchain.pem; > ssl_trusted_certificate > /etc/letsencrypt/live/www.example.com/chain.pem; > ssl_dhparam SSLKeys/dhparam.pem; > ssl_protocols TLSv1.3; > ssl_prefer_server_ciphers On; > ssl_ciphers > TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:AES256+EECDH:AES256+EDH:!aNULL:!CBC; > ssl_ecdh_curve secp384r1; > ssl_early_data on; > > # enable ocsp stapling > ssl_stapling on; > ssl_stapling_verify on; > > resolver 8.8.4.4 8.8.8.8 valid=86400s; > resolver_timeout 10s; > > # upgrade to HTTP3 and HTTP2 > add_header alt-svc 'h3=":443"; ma=86400, h2=":443"; > ma=86400'; > add_header alt-svc 'h2=":443"; ma=86400; persist=1'; > add_header alt-svc 'h2=":443"; ma=86400;'; > > add_header X-Frame-Options "SAMEORIGIN"; > > > # tell users to go to SSL version next time > add_header Strict-Transport-Security "max-age=31104000; > includeSubdomains" always; > > # handle brotli compression > brotli on; > brotli_static on; > > # Note this is one line, even if it wraps and renders as two > brotli_types text/plain text/css application/json > application/x-javascript text/xml application/xml application/xml+rss > text/javascript; > > brotli_buffers 16 8k; > brotli_comp_level 9; > > client_max_body_size 32M; > > error_page 502 /custom_502.html; > location = /custom_502.html { > root /usr/local/nginx/html; > internal; > } > > location / { > proxy_pass https://httpd_backend; > proxy_http_version 1.1; > 
proxy_buffering on; > proxy_set_header X-Forwarded-For $remote_addr; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header Host $host; > proxy_pass_header Authorization; > # proxy_set_header X-Scheme $scheme; > # proxy_set_header Upgrade $http_upgrade; > # proxy_set_header Connection "upgrade"; > } > > location /roundcube { > proxy_pass https://172.28.10.100; > proxy_http_version 1.1; > proxy_buffering on; > proxy_set_header X-Forwarded-For $remote_addr; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header Host $host; > proxy_pass_header Authorization; > # proxy_set_header X-Scheme $scheme; > # proxy_set_header Upgrade $http_upgrade; > # proxy_set_header Connection "upgrade"; > } > } > > > > > -- > Eric Germann > ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com > LinkedIn: https://www.linkedin.com/in/ericgermann > Medium: https://ekgermann.medium.com <https://ekgermann.medium.com/> > Twitter: @ekgermann > Telegram || Signal || Skype || WhatsApp || Phone +1 {dash} 419 {dash} 513 > {dash} 0712 > > GPG Fingerprint: 89ED 36B3 515A 211B 6390 60A9 E30D 9B9B 3EBF F1A1 > > > > > > > > _______________________________________________ > nginx mailing list > nginx@nginx.org > https://mailman.nginx.org/mailman/listinfo/nginx ---- Roman Arutyunyan a...@nginx.com