1

NGINX 1.25 introduced support for http/3 (over QUIC). To enable it, one can add

listen 443 quic reuseport;

to the server block, alongside the likely existing

listen 443 ssl http2;

However, if I add the quic listen for more than one server block (which all have a different server_name set), then NGINX rejects the config with the following error:

[emerg] 2611#2611: duplicate listen options for 0.0.0.0:443 in /etc/nginx/sites-enabled/site.conf

It is possible to listen on different ports for different domains, but that doesn’t seem to be user-friendly — Firefox will display the port number in the URL, even if it loaded the page over http/2 first and then got the http/3 port from an Alt-Svc header. It’s also tedious to manually allocate ports and to configure the firewall for this.

All my server blocks are using the same certificate. All domains that I have a server block for are subject alternative names in the single certificate. RFC9114 says that http/3 clients must support Server Name Indication, but even without it, because all my domains use the same certificate, it should be possible in theory to establish a connection and then decide what content to serve based on the Host header. This is not what happens, though: when I send a request over QUIC, NGINX serves from the server block that the listen 443 quic is in; it seems to ignore the server name.

Is it possible with NGINX 1.25 to serve multiple domains over http/3 all on port 443?

Ruud

3 Answers

1

Yes, nginx can serve http/3 on multiple virtual hosts, but the reuseport option is supported only for one virtual host per listen IP:PORT.

So, you should use different IPs for your virtual hosts or remove the reuseport option.

yura3d
1

You should specify "reuseport" only once, and nginx will use it for all hosts with the same host-port pair.

No need for different IPs. nginx docs

0

When you want to use SNI in Nginx with QUIC, you set up multiple listen directives, but only a single one with reuseport, such as:

server {
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    http3_hq on;
    quic_retry on;

    server_name _;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

server {
    listen 443 ssl;
    listen 443 quic;
    server_name host1.domain.tld;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

server {
    listen 443 ssl;
    listen 443 quic;
    server_name host2.domain.tld;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

Note that only a single entry (in this case the default one) says "reuseport"; all other entries simply say quic.

This allows you to do both HTTP/3.0 (quic) and server name indication (SNI) across multiple hosts.
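A pre-flight check, added here as an example; it is not code from the question or from any of the answers, and it is not an nginx feature. It flags the exact condition behind the "[emerg] duplicate listen options" error from the question: the reuseport option appearing on more than one listen directive for the same address:port. Two constructed config fragments are embedded inline, the rejected one (reuseport in both server blocks) and a corrected one with one shared certificate, reuseport exactly once per socket, and http3 enabled. Hostnames, certificate paths and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question or the answers. nginx accepts the
# `reuseport` listen option on at most one `listen` directive per ADDRESS:PORT;
# a second one gives "[emerg] duplicate listen options for 0.0.0.0:443".
# check_reuseport_once() finds such duplicates before `nginx -t` does.
# Hostnames, certificate paths and both sample configs are constructed.
set -eu

# Normalise a listen address to ADDRESS:PORT the way nginx reports it.
# A bare port ("443") binds the IPv4 wildcard, hence 0.0.0.0:443;
# "[::]:443" and "10.0.0.1:443" already carry a host part and stay as-is.
normalize_addr() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '0.0.0.0:%s\n' "$1" ;;
    esac
}

# Return 0 when every ADDRESS:PORT carries `reuseport` at most once,
# 1 (listing the offenders on stderr) otherwise.
# Pipeline: strip comments, keep `listen` lines that contain `reuseport`,
# take the address token ($2), normalise it, and report repeated values.
check_reuseport_once() {
    dupes=$(
        sed -e 's/#.*//' "$1" |
        grep -E '^[[:space:]]*listen[[:space:]]' |
        grep -w reuseport |
        awk '{ print $2 }' |
        while IFS= read -r addr; do normalize_addr "$addr"; done |
        sort | uniq -d
    )
    if [ -n "$dupes" ]; then
        printf 'reuseport appears more than once for: %s\n' "$dupes" >&2
        return 1
    fi
}

DEMO_DIR=$(mktemp -d)
BAD_CONF=$DEMO_DIR/bad.conf
GOOD_CONF=$DEMO_DIR/good.conf

# Constructed: what the question did, reuseport in both server blocks.
cat > "$BAD_CONF" <<'EOF'
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name host1.example.test;
}
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # second reuseport on 0.0.0.0:443
    server_name host2.example.test;
}
EOF

# Constructed: the fix. A fragment for inclusion in the http context, one
# certificate covering both names (placeholder paths), reuseport once per socket.
cat > "$GOOD_CONF" <<'EOF'
ssl_certificate     /etc/ssl/example/fullchain.pem;
ssl_certificate_key /etc/ssl/example/privkey.pem;
ssl_protocols       TLSv1.3;

server {
    listen 443 ssl;
    listen 443 quic reuseport;       # the only reuseport for 0.0.0.0:443
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;  # the only reuseport for [::]:443
    http2 on;
    http3 on;
    server_name host1.example.test;
    add_header Alt-Svc 'h3=":443"; ma=86400';
}
server {
    listen 443 ssl;
    listen 443 quic;                 # same socket, no reuseport
    listen [::]:443 ssl;
    listen [::]:443 quic;
    http2 on;
    http3 on;
    server_name host2.example.test;
    add_header Alt-Svc 'h3=":443"; ma=86400';
}
EOF

if check_reuseport_once "$BAD_CONF"; then
    echo "bad.conf: no duplicates found (unexpected)"
else
    echo "bad.conf: nginx would reject this, keep reuseport on one listen per socket"
fi
check_reuseport_once "$GOOD_CONF" && echo "good.conf: reuseport set once per address:port"
```

nginx -t remains the authoritative check; this script only narrows down which listen lines to look at when that error appears. The corrected fragment relies on the http2 and http3 directives that nginx 1.25 accepts per server, and on SNI selecting the server block, so both names are served over QUIC on port 443 from one certificate.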