[Nginx] Turn on http3
plhDigital nomadHTTP3
BACKGROUND
Recently, NGINX already added http3 as a default module, so, no need for too much effort to install nginx-http3. Google's whole site already supported http3.
NGINX
how to check whether your nginx supports http3 or not? run nginx -V, if get those result
nginx version: nginx/1.25.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1k 25 Mar 2021 (running with OpenSSL 1.1.1n 15 Mar 2022)
TLS SNI support enabled
configure arguments:
--prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp
--user=nginx
--group=nginx
--with-compat
--with-file-aio
--with-threads
--with-http_addition_module
--with-http_auth_request_module
--with-http_dav_module
--with-http_flv_module
--with-http_gunzip_module
--with-http_gzip_static_module
--with-http_mp4_module
--with-http_random_index_module
--with-http_realip_module
--with-http_secure_link_module
--with-http_slice_module
--with-http_ssl_module
--with-http_stub_status_module
--with-http_sub_module
--with-http_v2_module
--with-http_v3_module # http3 module
--with-mail
--with-mail_ssl_module
--with-stream
--with-stream_realip_module
--with-stream_ssl_module
--with-stream_ssl_preread_module
--with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.0/debian/debuild-base/nginx-1.25.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'if you can find --with-http_v3_module , that's mean your nginx support http3.
NGINX CONFIG
here is the following config
listen 443 quic reuseport; # turn on http3
listen 443 ssl http2; # turn on http2 as optional
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # add http3 support protocols
ssl_certificate fullchain.pem; # http3 run base on TSL, so must add https first
ssl_certificate_key privkey.pem; # http3 run base on TSL, so must add https first
add_header Alt-Svc 'h3=":443"; ma=86400'; # tell browser your server support http3
add_header QUIC-Status $http3; # tell browser your server support http3TIP
http3 run in UDP protocols, so definitely you need to make sure 443/UDP is able to access.
FIREWALL GROUP
add 443/UDP rule
Ubuntu ufw
run this command to make sure your operation system can access 443/UDP port
ufw allow 443/udpDOCKER port export
services:
nginx:
restart: always
build:
context: "./nginx"
volumes:
- ./nginx/conf.d/:/etc/nginx/conf.d/
- ./nginx/cert/:/etc/nginx/cert/
- ./nginx/log:/var/log/nginx/
- ./packages/frontend/dist/:/var/www/app/
ports:
- "80:80"
- "443:443"
- "443:443/udp" # Make sure docker-compose already expose UDP port
- "8443:8443"
networks:
- gate-tierHOW TO VERIFY HTTP3
how to know that your http3 already deploy success
first way
in chrome, press F12, check the networking tab, if protocol display h3, that mean http3 already turn on.
second way
check this website
https://http3check.net/?host=https%3A%2F%2Fchat1.plhh.xyz%2F