
I'm trying to use the nginx-quic branch of Nginx to make an HTTP-3 server (with BoringSSL).

To avoid any host side effects, I did it in a Dockerfile.

But at this time, I cannot see the effect in Chrome or in Firefox (they both show HTTP 1.1 as the protocol).

I don't understand why these browsers (compatible with HTTP 3) didn't use it :/

Here is my Dockerfile (just a draft to test it):

FROM ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get install -y \
  build-essential cmake git golang libunwind-dev mercurial \
  zlib1g-dev libpcre3 libpcre3-dev libxml2-dev libxslt-dev libgd-dev \
  && rm -rf /var/lib/apt/lists/*

RUN cd /root/ && \
  git clone --depth=1 https://boringssl.googlesource.com/boringssl && \
  mkdir -p boringssl/build && \
  cd boringssl/build && \
  cmake .. && make

RUN cd /root/ && \
  hg clone -b quic https://hg.nginx.org/nginx-quic && \
  cd nginx-quic && \
  ./auto/configure --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --with-http_v3_module --with-cc-opt="-I../boringssl/include" --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto" && \
  make install

EXPOSE 80 443 443/udp

STOPSIGNAL SIGTERM

CMD ["/usr/local/nginx/sbin/nginx", "-g", "daemon off;"]

The nginx.conf:

worker_processes  1;

events {
    worker_connections  1024;
}

http {
  include       mime.types;
  default_type  application/octet-stream;

  log_format quic '$remote_addr - $remote_user [$time_local] '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent" "$http3"';

  access_log logs/access.log quic;

  sendfile        on;
  keepalive_timeout  65;

  server {
    listen       80;
    server_name  localhost;

    location / {
      add_header Alt-Svc 'h3-29=":443"; ma=86400, h3=":443"; ma=86400';
      root   html;
      index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
      root   html;
    }
  }

  server {
    listen       443 http3 reuseport;
    listen       443 ssl;
    server_name  localhost;

    ssl_protocols TLSv1.3;

    ssl_certificate /usr/local/nginx/certs/fullchain.pem;
    ssl_certificate_key /usr/local/nginx/certs/privkey.pem;
    ssl_trusted_certificate /usr/local/nginx/certs/fullchain.pem;

    location / {
      add_header Alt-Svc 'h3-29=":443"; ma=86400, h3=":443"; ma=86400';
      root   html;
      index  index.html index.htm;
    }
  }
}

Certificates are valid and built with Certbot.

If I try on https://geekflare.com/fr/api/httpprotocol:

{
  "timestamp": 1651416564015,
  "apiStatus": "success",
  "apiCode": 200,
  "meta": {
    "url": "https://my-website.com",
    "followRedirect": true,
    "redirectedURL": "https://my-website.com/",
    "test": {
      "id": "srg62wvm05cqze9xq202cd2fg2iqfq16"
    }
  },
  "data": {
    "http10": false,
    "http11": true,
    "http2": false,
    "http3": [
      "h3-29"
    ]
  }
}

Does anybody know why Geekflare shows my HTTP 3 configuration (maybe it just reads the Alt-Svc header) but Chrome and FF don't use it?

Thanks!

Doubidou

0 Answers
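
An added diagnostic, not part of the original post and not nginx's own code: the Alt-Svc header in the config above is only an advertisement delivered over the existing TCP connection, so seeing `h3-29` in it does not show that QUIC is reachable. This Python probe tests UDP 443 directly by sending a QUIC long-header packet with a reserved version and parsing the Version Negotiation reply. It assumes the server implements Version Negotiation as in RFC 9000, and the function names are illustrative.

```python
import os
import socket
import struct

ALPN_BY_VERSION = {0x00000001: "h3", 0xFF00001D: "h3-29"}  # QUIC versions behind the Alt-Svc tokens
PROBE_VERSION = 0x1A2A3A4A  # reserved 0x?a?a?a?a pattern: never a real version


def build_probe(dcid: bytes, scid: bytes) -> bytes:
    """Long-header packet with an unsupported version, padded to 1200 bytes."""
    head = struct.pack("!BI", 0xC0, PROBE_VERSION)
    head += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    return head.ljust(1200, b"\x00")


def parse_version_negotiation(data: bytes, dcid: bytes, scid: bytes) -> list:
    """Return the versions a Version Negotiation reply lists, or raise ValueError."""
    if len(data) < 7 or not data[0] & 0x80 or data[1:5] != b"\x00" * 4:
        raise ValueError("not a QUIC Version Negotiation packet")
    pos, ids = 5, []
    for _ in range(2):
        if pos >= len(data):
            raise ValueError("truncated connection IDs")
        n = data[pos]
        ids.append(data[pos + 1:pos + 1 + n])
        pos += 1 + n
    # The server echoes our IDs swapped: its DCID is our SCID and vice versa.
    if ids != [scid, dcid]:
        raise ValueError("connection IDs do not match the probe")
    rest = data[pos:]
    if not rest or len(rest) % 4:
        raise ValueError("truncated version list")
    return [v for (v,) in struct.iter_unpack("!I", rest)]


def probe(host: str, port: int = 443, timeout: float = 3.0) -> list:
    """Send one probe over UDP; socket.timeout means nothing answered QUIC."""
    dcid, scid = os.urandom(8), os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(dcid, scid), (host, port))
        data, _ = s.recvfrom(2048)
    return parse_version_negotiation(data, dcid, scid)


if __name__ == "__main__":
    import sys
    for v in probe(sys.argv[1]) if len(sys.argv) > 1 else []:
        print(f"{v:#010x}", ALPN_BY_VERSION.get(v, "other"))
```

A timeout from `probe()` points to no QUIC endpoint answering on that UDP port, while a returned list shows which QUIC versions the listener accepts.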