[Nginx] Turn on http3 #194

plh97 opened this issue May 28, 2023 · 0 comments
Labels: HTTP 强大的协议栈 (HTTP: a powerful protocol stack)

plh97 commented May 28, 2023

HTTP3

BACKGROUND

NGINX recently added HTTP/3 as a built-in module, so there is no longer any need for a separate nginx-http3 build. Google's whole site already supports HTTP/3.


NGINX

How do you check whether your nginx build supports HTTP/3? Run nginx -V; if you get output like this:

nginx version: nginx/1.25.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enabled
configure arguments:
  --prefix=/etc/nginx
  --sbin-path=/usr/sbin/nginx
  --modules-path=/usr/lib/nginx/modules
  --conf-path=/etc/nginx/nginx.conf
  --error-log-path=/var/log/nginx/error.log
  --http-log-path=/var/log/nginx/access.log
  --pid-path=/var/run/nginx.pid
  --lock-path=/var/run/nginx.lock
  --http-client-body-temp-path=/var/cache/nginx/client_temp
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp
  --user=nginx
  --group=nginx
  --with-compat
  --with-file-aio
  --with-threads
  --with-http_addition_module
  --with-http_auth_request_module
  --with-http_dav_module
  --with-http_flv_module
  --with-http_gunzip_module
  --with-http_gzip_static_module
  --with-http_mp4_module
  --with-http_random_index_module
  --with-http_realip_module
  --with-http_secure_link_module
  --with-http_slice_module
  --with-http_ssl_module
  --with-http_stub_status_module
  --with-http_sub_module
  --with-http_v2_module
  --with-http_v3_module                          # http3 module
  --with-mail
  --with-mail_ssl_module
  --with-stream
  --with-stream_realip_module
  --with-stream_ssl_module
  --with-stream_ssl_preread_module
  --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.0/debian/debuild-base/nginx-1.25.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

If --with-http_v3_module appears in the configure arguments, your nginx supports HTTP/3.

NGINX CONFIG

Add the following to your server block:

listen 443 quic reuseport;                           # turn on HTTP/3 (QUIC over UDP)
listen 443 ssl http2;                                # keep HTTP/2 over TCP as a fallback
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;         # QUIC negotiates TLS 1.3 only; TLSv1 and TLSv1.1 are deprecated and only affect the TCP listener
ssl_certificate     fullchain.pem;                   # HTTP/3 runs over TLS, so HTTPS must be configured first
ssl_certificate_key privkey.pem;                     # HTTP/3 runs over TLS, so HTTPS must be configured first
add_header Alt-Svc 'h3=":443"; ma=86400';            # tell the browser this server supports HTTP/3 on 443
add_header QUIC-Status $http3;                       # exposes the $http3 variable ("h3" when the request came over HTTP/3), handy for verification

TIP

HTTP/3 runs over UDP, so make sure 443/UDP is reachable.

FIREWALL GROUP

Add a rule allowing 443/UDP.

Ubuntu ufw

Run this command so the operating system accepts traffic on 443/UDP:

ufw allow 443/udp

DOCKER PORT MAPPING

services:
    nginx:
        restart: always
        build:
            context: "./nginx"
        volumes:
            - ./nginx/conf.d/:/etc/nginx/conf.d/
            - ./nginx/cert/:/etc/nginx/cert/
            - ./nginx/log:/var/log/nginx/
            - ./packages/frontend/dist/:/var/www/app/
        ports:
            - "80:80"
            - "443:443"
            - "443:443/udp"               # docker-compose must publish the UDP port as well, or QUIC never reaches nginx
            - "8443:8443"
        networks:
            - gate-tier

HOW TO VERIFY HTTP3

How do you know the HTTP/3 deployment succeeded?

first way

In Chrome, press F12, open the Network tab and look at the Protocol column; if it shows h3, HTTP/3 is on.

second way

Check with this website:

https://http3check.net/?host=https%3A%2F%2Fchat1.plhh.xyz%2F
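The checks above (nginx -V, the server config, the firewall and the Alt-Svc header) can be scripted. The following is an added example, not from the issue: it runs the same readiness checks over constructed samples of the nginx -V output, the server config and the response headers that curl -sI would print, and flags the deprecated TLSv1/TLSv1.1 entries in ssl_protocols next to a corrected form.

```shell
#!/bin/sh
# Added HTTP/3 readiness check (example, not from the issue). Inputs are
# constructed samples standing in for `nginx -V 2>&1`, the server config
# and the response headers `curl -sI https://host/` would print.
NGINX_V_SAMPLE='nginx version: nginx/1.25.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'
CONF_SAMPLE=$(cat <<'EOF'
listen 443 quic reuseport;
listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
add_header Alt-Svc 'h3=":443"; ma=86400';
EOF
)
HEADERS_SAMPLE=$(cat <<'EOF'
HTTP/2 200
server: nginx/1.25.0
alt-svc: h3=":443"; ma=86400
EOF
)

# Build check: the binary must carry the HTTP/3 module.
has_http3_module() { printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'; }
# Config check: without a quic listener nothing speaks HTTP/3.
has_quic_listener() { printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]quic'; }
# Config check: browsers only upgrade when Alt-Svc advertises h3.
advertises_h3() { printf '%s\n' "$1" | grep -Eq 'Alt-Svc.*h3='; }
# Config check: QUIC negotiates TLS 1.3 only; TLSv1/TLSv1.1 (deprecated by
# RFC 8996) add nothing for HTTP/3 and only weaken the TCP listener.
deprecated_tls_enabled() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*ssl_protocols' | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'
}
# Corrected form of the weak setting: keep only TLS 1.2 and 1.3.
hardened_conf() { printf '%s\n' "$1" | sed 's/^\([[:space:]]*ssl_protocols\).*/\1 TLSv1.2 TLSv1.3;/'; }
# Runtime check: the live response must offer h3 via Alt-Svc.
response_offers_h3() { printf '%s\n' "$1" | grep -Eiq '^alt-svc:.*h3='; }

# Run every check; status 0 only when all pass and no deprecated TLS is enabled.
http3_readiness() {
  rc=0
  has_http3_module "$1" && echo "ok   built with --with-http_v3_module" || { echo "FAIL no http_v3_module"; rc=1; }
  has_quic_listener "$2" && echo "ok   quic listener present" || { echo "FAIL no 'listen ... quic'"; rc=1; }
  advertises_h3 "$2" && echo "ok   Alt-Svc advertises h3" || { echo "FAIL Alt-Svc missing"; rc=1; }
  deprecated_tls_enabled "$2" && { echo "WARN ssl_protocols enables TLSv1/TLSv1.1"; rc=1; } || echo "ok   no deprecated TLS"
  response_offers_h3 "$3" && echo "ok   response offers h3" || { echo "FAIL response lacks h3"; rc=1; }
  return $rc
}

http3_readiness "$NGINX_V_SAMPLE" "$CONF_SAMPLE" "$HEADERS_SAMPLE" || echo "fix the items above"
http3_readiness "$NGINX_V_SAMPLE" "$(hardened_conf "$CONF_SAMPLE")" "$HEADERS_SAMPLE"
```

On a real host, feed the functions `nginx -V 2>&1`, the contents of the server config and `curl -sI https://your-host/`; `ss -lun | grep :443` separately confirms the UDP socket is bound and the firewall rule is the remaining piece.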
