
To support HTTP/3 I built nginx-quic and configured multiple server blocks for virtual hosts. My nginx.conf enables all the relevant parameters, but HTTP/3 early data (0-RTT) still does not take effect: the nginx error log contains `quic no early keys, ignoring packet while decrypting packet`, unless I set `worker_processes` to 1. I suspect the cause is that `ssl_session_cache shared:SSL:100m` (shown as 10m in the configuration below) is not taking effect. Does anyone know what is going on? Thanks.

The key parts of my nginx.conf are as follows:

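http {

    # Access log format: the usual combined fields plus $http3, so each
    # request shows whether it was actually served over HTTP/3.
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http3"';

    # Two error_log directives for the same file; the second one (debug level)
    # makes the first redundant. Debug logging is extremely verbose and writes
    # connection details to disk -- keep it only while diagnosing the QUIC issue.
    error_log  /data/log/nginx_quic_error.log;
    error_log  /data/log/nginx_quic_error.log debug;

    # TLS 1.3 only. 0-RTT (ssl_early_data) is resumed via session tickets, not
    # via the shared session cache, so ssl_session_cache is not what decides
    # whether early data is accepted. For 0-RTT to work with several workers,
    # every worker must be able to decrypt a ticket issued by any other worker.
    # NOTE(review): if this nginx-quic build does not share the automatically
    # generated ticket key between workers (to be confirmed), an explicit
    #   ssl_session_ticket_key /path/to/ticket.key;
    # makes the key identical in all workers and rules that cause in or out.
    #
    # SECURITY: 0-RTT data can be replayed by an attacker. The backend must
    # treat requests carrying "Early-Data: 1" (set below) as potentially
    # replayed and answer non-idempotent ones with 425 Too Early (RFC 8470).
    ssl_protocols TLSv1.3;
    ssl_early_data on;
    ssl_session_tickets on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;


    keepalive_timeout  65;

   server {
      # TCP listeners for HTTP/1.1 + HTTP/2 over TLS, and UDP listeners for
      # HTTP/3. "reuseport" gives each worker its own UDP socket; the kernel
      # then spreads incoming datagrams across the workers.
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      listen 443 http3 reuseport;
      listen [::]:443 http3 reuseport;
      server_name *.ap.staging-1-aws.xxx.com;
      ssl_certificate /etc/agora/ap.staging-1-aws.xxx.com.crt;
      ssl_certificate_key /etc/agora/ap.staging-1-aws.xxx.com.key;

      location / {
        proxy_pass http://127.0.0.1:1111;
        proxy_redirect off;
        proxy_set_header HOST $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $ssl_early_data is "1" when the request arrived in TLS early data,
        # empty otherwise. The backend must not execute state-changing
        # requests that carry Early-Data: 1 without replay protection.
        proxy_set_header Early-Data $ssl_early_data;

        # cors
        # Caveats for the two "if" blocks below:
        # - add_header is inherited from the enclosing level only when the
        #   current level has no add_header of its own, so only the headers
        #   of the matching "if" block are emitted.
        # - Methods matched by neither block (e.g. HEAD, PATCH) get no CORS
        #   and no Alt-Svc header at all.
        # - 'Access-Control-Allow-Origin: *' together with
        #   'Access-Control-Allow-Credentials: true' is rejected by browsers
        #   for credentialed requests; either drop Allow-Credentials or echo
        #   a validated $http_origin instead of '*'.
        # - X-XSS-Protection is deprecated and ignored by current browsers;
        #   a Content-Security-Policy header is the supported replacement.
        if ($request_method = 'OPTIONS') {
          add_header 'Access-Control-Allow-Origin' '*' always;
          add_header 'Timing-Allow-Origin' '*' always;
          add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE' always;
          add_header 'Access-Control-Allow-Credentials' 'true' always;
          add_header 'Access-Control-Allow-Headers' 'Origin,Content-Type,Accept,Authorization,X-Packet-Service-Type,X-Packet-URI,X-User-Address,XD-User-Address,X-Request-From,X-Response-Format' always;
          add_header 'Access-Control-Max-Age' '1728000' always;
          add_header X-XSS-Protection "1; mode=block";
          # Advertise HTTP/3 on the same port so clients upgrade from TCP.
          add_header Alt-Svc 'h3=":443"; ma=2592000';
          add_header x-quic 'h3';
          # Preflight is answered here and never reaches the backend.
          return 200;
        }

        if ($request_method ~* '(GET|POST|DELETE|PUT)') {
          add_header 'Access-Control-Allow-Origin' '*' always;
          add_header 'Timing-Allow-Origin' '*' always;
          add_header X-XSS-Protection "1; mode=block";
          add_header Alt-Svc 'h3=":443"; ma=2592000';
          add_header x-quic 'h3';
        }
      }
   }  # closing brace for the first server block was missing in the listing

   server {
        xxxxxxxxxxx
   }
}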
Robort
  • Are session tickets enabled (they're the mechanism TLSv1.3 uses for session resumption)? Does TLSv1.3 resume ok over TCP (```openssl s_client -connect SERVER:443 -sess_out session.dat -sess_in session.dat -early_data HTTP_REQUEST.txt```)? – Buffoonism Aug 05 '22 at 05:52
  • Yes, ```nginx ssl_session_tickets on; ssl_early_data on; ``` are both enabled. If I set `worker_processes` to 1, 0-RTT works fine. – Robort Aug 05 '22 at 09:06
  • So, just checking: with multiple workers, TLSv1.3 0-RTT over TCP works fine, but 0-RTT over QUIC does not? – Buffoonism Aug 05 '22 at 09:27
