Re: [nginx] QUIC: "handshake_timeout" configuration parameter.

2024-04-10 Thread Roman Arutyunyan
Hi,

> On 10 Apr 2024, at 10:57 AM, Vladimir Homutov  wrote:
> 
> On Tue, Apr 09, 2024 at 03:02:21PM +0400, Roman Arutyunyan wrote:
>> Hello Vladimir,
>> 
>> On Mon, Apr 08, 2024 at 03:03:27PM +0300, Vladimir Homutov via nginx-devel 
>> wrote:
>>> On Fri, Sep 22, 2023 at 03:36:25PM +, Roman Arutyunyan wrote:
>>>> details:   https://hg.nginx.org/nginx/rev/ad3d34ddfdcc
>>>> branches:
>>>> changeset: 9158:ad3d34ddfdcc
>>>> user:  Roman Arutyunyan 
>>>> date:  Wed Sep 13 17:59:37 2023 +0400
>>>> description:
>>>> QUIC: "handshake_timeout" configuration parameter.
>>>> 
>>>> Previously QUIC did not have such parameter and handshake duration was
>>>> controlled by HTTP/3.  However that required creating and storing HTTP/3
>>>> session on first client datagram.  Apparently there's no convenient way to
>>>> store the session object until QUIC handshake is complete.  In the followup
>>>> patches session creation will be postponed to init() callback.
>>>> 
>>> 
>>> [...]
>>> 
 diff -r daf8f5ba23d8 -r ad3d34ddfdcc src/event/quic/ngx_event_quic.c
 --- a/src/event/quic/ngx_event_quic.c  Fri Sep 01 20:31:46 2023 +0400
 +++ b/src/event/quic/ngx_event_quic.c  Wed Sep 13 17:59:37 2023 +0400
 @@ -211,6 +211,8 @@ ngx_quic_run(ngx_connection_t *c, ngx_qu
 qc = ngx_quic_get_connection(c);
 
 ngx_add_timer(c->read, qc->tp.max_idle_timeout);
 +ngx_add_timer(>close, qc->conf->handshake_timeout);
 +
>>> 
>>> It looks like I've hit an issue with early data in such case.
>>> See the attached patch with details.
>> 
>> Indeed, there's an issue there.
>> 
>>> While there, I suggest a little debug improvement to better track
>>> stream and their parent connections.
>>> 
>>> 
>> 
>>> # HG changeset patch
>>> # User Vladimir Khomutov 
>>> # Date 1712576340 -10800
>>> #  Mon Apr 08 14:39:00 2024 +0300
>>> # Node ID 6e79f4ec40ed1c1ffec6a46b453051c01e556610
>>> # Parent  99e7050ac886f7c70a4048691e46846b930b1e28
>>> QUIC: fixed close timer processing with early data.
>>> 
>>> The ngx_quic_run() function uses qc->close timer to limit the handshake
>>> duration.  Normally it is removed by ngx_quic_do_init_streams() which is
>>> called once when we are done with initial SSL processing.
>>> 
>>> The problem happens when the client sends early data and streams are
>>> initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
>>> The order of set/remove timer calls is now reversed; the close timer is
>>> set up and the timer fires when assigned, starting the unexpected connection
>>> close process.
>>> 
>>> The patch moves timer cancelling right before the place where the stream
>>> initialization flag is tested, thus making it work with early data.
>>> 
>>> The issue was introduced in ad3d34ddfdcc.
>>> 
>>> diff --git a/src/event/quic/ngx_event_quic_streams.c 
>>> b/src/event/quic/ngx_event_quic_streams.c
>>> --- a/src/event/quic/ngx_event_quic_streams.c
>>> +++ b/src/event/quic/ngx_event_quic_streams.c
>>> @@ -575,6 +575,10 @@ ngx_quic_init_streams(ngx_connection_t *
>>> 
>>> qc = ngx_quic_get_connection(c);
>>> 
>>> +if (!qc->closing && qc->close.timer_set) {
>>> +ngx_del_timer(>close);
>>> +}
>>> +
>>> if (qc->streams.initialized) {
>>> return NGX_OK;
>>> }
>>> @@ -630,10 +634,6 @@ ngx_quic_do_init_streams(ngx_connection_
>>> 
>>> qc->streams.initialized = 1;
>>> 
>>> -if (!qc->closing && qc->close.timer_set) {
>>> -ngx_del_timer(>close);
>>> -}
>>> -
>>> return NGX_OK;
>>> }
>> 
>> This assumes that ngx_quic_init_streams() is always called on handshake end,
>> even if not needed.  This is true now, but it's not something we can rely
>> on.
>> 
>> Also, we probably don't need to limit handshake duration after streams are
>> initialized.  Application level will set the required keepalive timeout for
>> this.  Also, we need to include OCSP validation time in handshake timeout,
>> which you removed.
>> 
>> I assume a simpler solution would be not to set the timer in ngx_quic_run()
>> if streams are already initialized.
> 
> Agreed, see the updated patch:
> 
> 
> 

Thanks, committed!


Roman Arutyunyan
a...@nginx.com




___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel


Re: [nginx] QUIC: "handshake_timeout" configuration parameter.

2024-04-10 Thread Vladimir Homutov via nginx-devel
On Tue, Apr 09, 2024 at 03:02:21PM +0400, Roman Arutyunyan wrote:
> Hello Vladimir,
>
> On Mon, Apr 08, 2024 at 03:03:27PM +0300, Vladimir Homutov via nginx-devel 
> wrote:
> > On Fri, Sep 22, 2023 at 03:36:25PM +, Roman Arutyunyan wrote:
> > > details:   https://hg.nginx.org/nginx/rev/ad3d34ddfdcc
> > > branches:
> > > changeset: 9158:ad3d34ddfdcc
> > > user:  Roman Arutyunyan 
> > > date:  Wed Sep 13 17:59:37 2023 +0400
> > > description:
> > > QUIC: "handshake_timeout" configuration parameter.
> > >
> > > Previously QUIC did not have such parameter and handshake duration was
> > > controlled by HTTP/3.  However that required creating and storing HTTP/3
> > > session on first client datagram.  Apparently there's no convenient way to
> > > store the session object until QUIC handshake is complete.  In the 
> > > followup
> > > patches session creation will be postponed to init() callback.
> > >
> >
> > [...]
> >
> > > diff -r daf8f5ba23d8 -r ad3d34ddfdcc src/event/quic/ngx_event_quic.c
> > > --- a/src/event/quic/ngx_event_quic.c Fri Sep 01 20:31:46 2023 +0400
> > > +++ b/src/event/quic/ngx_event_quic.c Wed Sep 13 17:59:37 2023 +0400
> > > @@ -211,6 +211,8 @@ ngx_quic_run(ngx_connection_t *c, ngx_qu
> > >  qc = ngx_quic_get_connection(c);
> > >
> > >  ngx_add_timer(c->read, qc->tp.max_idle_timeout);
> > > +ngx_add_timer(>close, qc->conf->handshake_timeout);
> > > +
> >
> > It looks like I've hit an issue with early data in such case.
> > See the attached patch with details.
>
> Indeed, there's an issue there.
>
> > While there, I suggest a little debug improvement to better track
> > stream and their parent connections.
> >
> >
>
> > # HG changeset patch
> > # User Vladimir Khomutov 
> > # Date 1712576340 -10800
> > #  Mon Apr 08 14:39:00 2024 +0300
> > # Node ID 6e79f4ec40ed1c1ffec6a46b453051c01e556610
> > # Parent  99e7050ac886f7c70a4048691e46846b930b1e28
> > QUIC: fixed close timer processing with early data.
> >
> > The ngx_quic_run() function uses qc->close timer to limit the handshake
> > duration.  Normally it is removed by ngx_quic_do_init_streams() which is
> > called once when we are done with initial SSL processing.
> >
> > The problem happens when the client sends early data and streams are
> > initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
> > The order of set/remove timer calls is now reversed; the close timer is
> > set up and the timer fires when assigned, starting the unexpected connection
> > close process.
> >
> > The patch moves timer cancelling right before the place where the stream
> > initialization flag is tested, thus making it work with early data.
> >
> > The issue was introduced in ad3d34ddfdcc.
> >
> > diff --git a/src/event/quic/ngx_event_quic_streams.c 
> > b/src/event/quic/ngx_event_quic_streams.c
> > --- a/src/event/quic/ngx_event_quic_streams.c
> > +++ b/src/event/quic/ngx_event_quic_streams.c
> > @@ -575,6 +575,10 @@ ngx_quic_init_streams(ngx_connection_t *
> >
> >  qc = ngx_quic_get_connection(c);
> >
> > +if (!qc->closing && qc->close.timer_set) {
> > +ngx_del_timer(>close);
> > +}
> > +
> >  if (qc->streams.initialized) {
> >  return NGX_OK;
> >  }
> > @@ -630,10 +634,6 @@ ngx_quic_do_init_streams(ngx_connection_
> >
> >  qc->streams.initialized = 1;
> >
> > -if (!qc->closing && qc->close.timer_set) {
> > -ngx_del_timer(>close);
> > -}
> > -
> >  return NGX_OK;
> >  }
>
> This assumes that ngx_quic_init_streams() is always called on handshake end,
> even if not needed.  This is true now, but it's not something we can rely
> on.
>
> Also, we probably don't need to limit handshake duration after streams are
> initialized.  Application level will set the required keepalive timeout for
> this.  Also, we need to include OCSP validation time in handshake timeout,
> which you removed.
>
> I assume a simpler solution would be not to set the timer in ngx_quic_run()
> if streams are already initialized.

Agreed, see the updated patch:


# HG changeset patch
# User Vladimir Khomutov 
# Date 1712731090 -10800
#  Wed Apr 10 09:38:10 2024 +0300
# Node ID 155c9093de9db02e3c0a511a45930d39ff51c709
# Parent  99e7050ac886f7c70a4048691e46846b930b1e28
QUIC: fixed close timer processing with early data.

The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The fix is to skip setting the timer if streams were initialized during
handling of the initial datagram.  The idle timer for quic is set anyway,
and 

Re: [nginx] QUIC: "handshake_timeout" configuration parameter.

2024-04-09 Thread Roman Arutyunyan
Hello Vladimir,

On Mon, Apr 08, 2024 at 03:03:27PM +0300, Vladimir Homutov via nginx-devel 
wrote:
> On Fri, Sep 22, 2023 at 03:36:25PM +, Roman Arutyunyan wrote:
> > details:   https://hg.nginx.org/nginx/rev/ad3d34ddfdcc
> > branches:
> > changeset: 9158:ad3d34ddfdcc
> > user:  Roman Arutyunyan 
> > date:  Wed Sep 13 17:59:37 2023 +0400
> > description:
> > QUIC: "handshake_timeout" configuration parameter.
> >
> > Previously QUIC did not have such parameter and handshake duration was
> > controlled by HTTP/3.  However that required creating and storing HTTP/3
> > session on first client datagram.  Apparently there's no convenient way to
> > store the session object until QUIC handshake is complete.  In the followup
> > patches session creation will be postponed to init() callback.
> >
> 
> [...]
> 
> > diff -r daf8f5ba23d8 -r ad3d34ddfdcc src/event/quic/ngx_event_quic.c
> > --- a/src/event/quic/ngx_event_quic.c   Fri Sep 01 20:31:46 2023 +0400
> > +++ b/src/event/quic/ngx_event_quic.c   Wed Sep 13 17:59:37 2023 +0400
> > @@ -211,6 +211,8 @@ ngx_quic_run(ngx_connection_t *c, ngx_qu
> >  qc = ngx_quic_get_connection(c);
> >
> >  ngx_add_timer(c->read, qc->tp.max_idle_timeout);
> > +ngx_add_timer(>close, qc->conf->handshake_timeout);
> > +
> 
> It looks like I've hit an issue with early data in such case.
> See the attached patch with details.

Indeed, there's an issue there.

> While there, I suggest a little debug improvement to better track
> stream and their parent connections.
> 
> 

> # HG changeset patch
> # User Vladimir Khomutov 
> # Date 1712576340 -10800
> #  Mon Apr 08 14:39:00 2024 +0300
> # Node ID 6e79f4ec40ed1c1ffec6a46b453051c01e556610
> # Parent  99e7050ac886f7c70a4048691e46846b930b1e28
> QUIC: fixed close timer processing with early data.
> 
> The ngx_quic_run() function uses qc->close timer to limit the handshake
> duration.  Normally it is removed by ngx_quic_do_init_streams() which is
> called once when we are done with initial SSL processing.
> 
> The problem happens when the client sends early data and streams are
> initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
> The order of set/remove timer calls is now reversed; the close timer is
> set up and the timer fires when assigned, starting the unexpected connection
> close process.
> 
> The patch moves timer cancelling right before the place where the stream
> initialization flag is tested, thus making it work with early data.
> 
> The issue was introduced in ad3d34ddfdcc.
> 
> diff --git a/src/event/quic/ngx_event_quic_streams.c 
> b/src/event/quic/ngx_event_quic_streams.c
> --- a/src/event/quic/ngx_event_quic_streams.c
> +++ b/src/event/quic/ngx_event_quic_streams.c
> @@ -575,6 +575,10 @@ ngx_quic_init_streams(ngx_connection_t *
>  
>  qc = ngx_quic_get_connection(c);
>  
> +if (!qc->closing && qc->close.timer_set) {
> +ngx_del_timer(>close);
> +}
> +
>  if (qc->streams.initialized) {
>  return NGX_OK;
>  }
> @@ -630,10 +634,6 @@ ngx_quic_do_init_streams(ngx_connection_
>  
>  qc->streams.initialized = 1;
>  
> -if (!qc->closing && qc->close.timer_set) {
> -ngx_del_timer(>close);
> -}
> -
>  return NGX_OK;
>  }

This assumes that ngx_quic_init_streams() is always called on handshake end,
even if not needed.  This is true now, but it's not something we can rely on.

Also, we probably don't need to limit handshake duration after streams are
initialized.  Application level will set the required keepalive timeout for
this.  Also, we need to include OCSP validation time in handshake timeout,
which you removed.

I assume a simpler solution would be not to set the timer in ngx_quic_run()
if streams are already initialized.

> # HG changeset patch
> # User Vladimir Khomutov 
> # Date 1712575741 -10800
> #  Mon Apr 08 14:29:01 2024 +0300
> # Node ID d9b80de50040bb8ac2a7e193971d1dfeb579cfc9
> # Parent  6e79f4ec40ed1c1ffec6a46b453051c01e556610
> QUIC: added debug logging of stream creation.
> 
> Currently, it is hard to associate stream connection number with its parent
> connection.  The typical case is to identify QUIC connection number given
> some user-visible URI (which occurs in request stream).
> 
> The patch adds the debug log message which reports about stream creation in
> the stream log and also shows the parent connection number.
> 
> diff --git a/src/event/quic/ngx_event_quic_streams.c 
> b/src/event/quic/ngx_event_quic_streams.c
> --- a/src/event/quic/ngx_event_quic_streams.c
> +++ b/src/event/quic/ngx_event_quic_streams.c
> @@ -805,6 +805,10 @@ ngx_quic_create_stream(ngx_connection_t 
>  
>  ngx_rbtree_insert(>streams.tree, >node);
>  
> +ngx_log_debug2(NGX_LOG_DEBUG_EVENT, sc->log, 0,
> +   "quic stream id:0x%xL created in connection *%uA", id,
> +   c->log->connection);
> +
>  return qs;
>  }
>  


Re: [nginx] QUIC: "handshake_timeout" configuration parameter.

2024-04-08 Thread Vladimir Homutov via nginx-devel
On Fri, Sep 22, 2023 at 03:36:25PM +, Roman Arutyunyan wrote:
> details:   https://hg.nginx.org/nginx/rev/ad3d34ddfdcc
> branches:
> changeset: 9158:ad3d34ddfdcc
> user:  Roman Arutyunyan 
> date:  Wed Sep 13 17:59:37 2023 +0400
> description:
> QUIC: "handshake_timeout" configuration parameter.
>
> Previously QUIC did not have such parameter and handshake duration was
> controlled by HTTP/3.  However that required creating and storing HTTP/3
> session on first client datagram.  Apparently there's no convenient way to
> store the session object until QUIC handshake is complete.  In the followup
> patches session creation will be postponed to init() callback.
>

[...]

> diff -r daf8f5ba23d8 -r ad3d34ddfdcc src/event/quic/ngx_event_quic.c
> --- a/src/event/quic/ngx_event_quic.c Fri Sep 01 20:31:46 2023 +0400
> +++ b/src/event/quic/ngx_event_quic.c Wed Sep 13 17:59:37 2023 +0400
> @@ -211,6 +211,8 @@ ngx_quic_run(ngx_connection_t *c, ngx_qu
>  qc = ngx_quic_get_connection(c);
>
>  ngx_add_timer(c->read, qc->tp.max_idle_timeout);
> +ngx_add_timer(>close, qc->conf->handshake_timeout);
> +
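Review bot: The new ngx_add_timer() call on the close event in ngx_quic_run() is unconditional, so the handshake timer is armed even when the datagram processing that precedes this point has already completed stream initialization, and nothing visible in this hunk cancels it afterwards. Guard the call on the connection state (for example, arm it only while streams are not yet initialized) or add a comment naming the code path that is guaranteed to delete the timer.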

It looks like I've hit an issue with early data in such case.
See the attached patch with details.

While there, I suggest a little debug improvement to better track
stream and their parent connections.


# HG changeset patch
# User Vladimir Khomutov 
# Date 1712576340 -10800
#  Mon Apr 08 14:39:00 2024 +0300
# Node ID 6e79f4ec40ed1c1ffec6a46b453051c01e556610
# Parent  99e7050ac886f7c70a4048691e46846b930b1e28
QUIC: fixed close timer processing with early data.

The ngx_quic_run() function uses qc->close timer to limit the handshake
duration.  Normally it is removed by ngx_quic_do_init_streams() which is
called once when we are done with initial SSL processing.

The problem happens when the client sends early data and streams are
initialized in the ngx_quic_run() -> ngx_quic_handle_datagram() call.
The order of set/remove timer calls is now reversed; the close timer is
set up and the timer fires when assigned, starting the unexpected connection
close process.

The patch moves timer cancelling right before the place where the stream
initialization flag is tested, thus making it work with early data.

The issue was introduced in ad3d34ddfdcc.

diff --git a/src/event/quic/ngx_event_quic_streams.c 
b/src/event/quic/ngx_event_quic_streams.c
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -575,6 +575,10 @@ ngx_quic_init_streams(ngx_connection_t *
 
 qc = ngx_quic_get_connection(c);
 
+if (!qc->closing && qc->close.timer_set) {
+ngx_del_timer(>close);
+}
+
 if (qc->streams.initialized) {
 return NGX_OK;
 }
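Review bot: Placing the ngx_del_timer() block ahead of the "if (qc->streams.initialized)" early return in ngx_quic_init_streams() makes cancelling the handshake timer depend on this function being called at all, and the cancel now happens before the rest of stream initialization has run. Any step between this point and "qc->streams.initialized = 1" that waits on the peer or on certificate validation is then no longer bounded by handshake_timeout; consider leaving the cancel where initialization completes and instead not arming the timer in ngx_quic_run() when streams are already initialized.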
@@ -630,10 +634,6 @@ ngx_quic_do_init_streams(ngx_connection_
 
 qc->streams.initialized = 1;
 
-if (!qc->closing && qc->close.timer_set) {
-ngx_del_timer(>close);
-}
-
 return NGX_OK;
 }
 
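Review bot: Removing the ngx_del_timer() block from the end of ngx_quic_do_init_streams() means the function that sets "qc->streams.initialized = 1" no longer guarantees that the handshake timer is cancelled; that now depends on every path reaching it through ngx_quic_init_streams(). If the move is kept, add a comment here or at the new location stating that invariant, so a later caller of ngx_quic_do_init_streams() does not leave the close timer armed on an established connection.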
# HG changeset patch
# User Vladimir Khomutov 
# Date 1712575741 -10800
#  Mon Apr 08 14:29:01 2024 +0300
# Node ID d9b80de50040bb8ac2a7e193971d1dfeb579cfc9
# Parent  6e79f4ec40ed1c1ffec6a46b453051c01e556610
QUIC: added debug logging of stream creation.

Currently, it is hard to associate stream connection number with its parent
connection.  The typical case is to identify QUIC connection number given
some user-visible URI (which occurs in request stream).

The patch adds the debug log message which reports about stream creation in
the stream log and also shows the parent connection number.

diff --git a/src/event/quic/ngx_event_quic_streams.c 
b/src/event/quic/ngx_event_quic_streams.c
--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
@@ -805,6 +805,10 @@ ngx_quic_create_stream(ngx_connection_t 
 
 ngx_rbtree_insert(>streams.tree, >node);
 
+ngx_log_debug2(NGX_LOG_DEBUG_EVENT, sc->log, 0,
+   "quic stream id:0x%xL created in connection *%uA", id,
+   c->log->connection);
+
 return qs;
 }
 
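Review bot: In ngx_quic_create_stream() the new ngx_log_debug2() prints "c->log->connection" as the parent connection number, which is only correct if c is always the QUIC connection and never a stream connection at this call site; a one-line comment stating that, or taking the number from the parent connection object directly, would make the message reliable for correlating logs. The call also sits after ngx_rbtree_insert() and just before "return qs", so a stream whose creation fails earlier in the function leaves no trace in the debug log.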


Re: Nginx - quic issue

2022-11-17 Thread claire liu
Hello Sergey,

Thanks for your reply. I will update this to opentelemetry. But I still
want to ensure that I only need to load the opentelemetry-webserver module
in nginx.conf to get the traces, no other steps need to be done. I am
afraid I missed something. I checked the source code of the mainline and
quic version but didn't see any code related to opentelemetry. Please let
me know if you know any material about getting nginx-quic traces, if there
is any person I can reach out to, or if there is an nginx-quic community.
All of the official articles I saw are about the mainline version, not quic
version. I want to use nginx-quic in my research, but I have
already been stuck here for several weeks. Thanks for your help.

Best regards,
Claire

On Thu, Nov 17, 2022 at 12:48 PM Sergey A. Osokin 
wrote:

> Hi Claire,
>
> thanks for the question.
>
> On Thu, Nov 17, 2022 at 12:30:46PM -0600, claire liu wrote:
> > I am using Nginx-quic in my research and having trouble getting traces from
> > Nginx-quic using the opentelemetry-Nginx module provided by opentelemetry,
> > which enables tracing of incoming requests to the server by injecting
> > instrumentation into the Nginx server at runtime. These are the steps
> > I followed
> > https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/otel-webserver-module.
> > Nginx mainline was also tested, and I got traces. Please confirm whether
> > Nginx-quic also supports opentelemetry. If it does support it, could you
> > let me know how to do it? The version I am using is 1.23.1. Thank you for
> > the help in advance.
>
> It's better to use nginx mailing list for this case, because primary goal
> of the nginx-devel mailing list is nginx development.
>
> The opentelemetry module is a third-party product, follow that, would you
> mind to ask the vendor to update the functionality of the module to support
> a modern protocol.
>
> Thank you.
>
> --
> Sergey A. Osokin
> ___
> nginx-devel mailing list -- nginx-devel@nginx.org
> To unsubscribe send an email to nginx-devel-le...@nginx.org
>


Re: Nginx - quic issue

2022-11-17 Thread Sergey A. Osokin
Hi Claire,

thanks for the question.

On Thu, Nov 17, 2022 at 12:30:46PM -0600, claire liu wrote:
> I am using Nginx-quic in my research and having trouble getting traces from
> Nginx-quic using the opentelemetry-Nginx module provided by opentelemetry,
> which enables tracing of incoming requests to the server by injecting
> instrumentation into the Nginx server at runtime. These are the steps
> I followed
> https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/otel-webserver-module.
> Nginx mainline was also tested, and I got traces. Please confirm whether
> Nginx-quic also supports opentelemetry. If it does support it, could you
> let me know how to do it? The version I am using is 1.23.1. Thank you for
> the help in advance.

It's better to use nginx mailing list for this case, because primary goal
of the nginx-devel mailing list is nginx development.

The opentelemetry module is a third-party product, follow that, would you
mind to ask the vendor to update the functionality of the module to support
a modern protocol.

Thank you.

-- 
Sergey A. Osokin


Re: [nginx-quic] fastcgi cookie param is overwritten resulting in getting only last cookie

2022-01-12 Thread Sergey Kandaurov

> On 23 Dec 2021, at 19:19, Guillaume Bilic  wrote:
> 
> Hi all,
> 
> Using nginx-quic (1.21.4), cookies are parsed individually by http3 code:
> 
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse literal done "number1=this+is+the+first+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field lri done static[5] "number1=this+is+the+first+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 static[5] lookup "cookie":""
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field representation done
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 header: "cookie: number1=this+is+the+first+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field representation
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field lri
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse prefix int 5
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse prefix int 24
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse literal huff:1, len:24
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse literal done "number2=this+is+the+second+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field lri done static[5] "number2=this+is+the+second+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 static[5] lookup "cookie":""
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field representation done
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 header: "cookie: number2=this+is+the+second+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field representation
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field lri
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse prefix int 5
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse prefix int 23
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse literal huff:1, len:23
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse literal done "number3=this+is+the+third+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field lri done static[5] "number3=this+is+the+third+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 static[5] lookup "cookie":""
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse field representation done
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 parse headers done
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 http3 header: "cookie: number3=this+is+the+third+one"
> 
> But then the fastcgi param HTTP_COOKIE is passed for each cookie, resulting 
> in overwriting it and keeping only the last one:
> 
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 fastcgi param: "HTTP_COOKIE: number1=this+is+the+first+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 fastcgi param: "HTTP_COOKIE: number2=this+is+the+second+one"
> 2021/12/23 14:29:37 [debug] 32322#0: *3576 fastcgi param: "HTTP_COOKIE: number3=this+is+the+third+one"
> 
> The HTTP_COOKIE param should be the whole cookie header.
> 
> Http2 code handles cookie header in a dedicated function « 
> ngx_http_v2_construct_cookie_header » and then processes other headers.
> 
> That doesn't seem to be the case for the http3 code, which processes cookies
> the same way as other headers.

This behaviour was recently applied to HTTP/3 implementation,
see https://hg.nginx.org/nginx-quic/rev/10522e8dea41
Thanks for prodding.

-- 
Sergey Kandaurov


Re: nginx-quic, php able to access last set cookie only

2022-01-12 Thread Sergey Kandaurov


> On 19 Dec 2021, at 21:24, Kareti Ramakrishna MBA  wrote:
> 
> I implemented nginx-quic using the steps at https://quic.nginx.org/readme.html
> The page is validating http3 quic at https://http3check.net and 
> https://gf.dev/http3-test
> 
> The page elements show h3 protocol in developer tools network tab.
> 
> in a test.php page, I have set 3 php cookies like this:
> 
> <?php
> $q=setcookie('test1', 'content1', time()+31536, '/', '', true, true);
> $q=setcookie('test2', 'content2', time()+31536, '/', '', true, true);
> $q=setcookie('test3', 'content3', time()+31536, '/', '', true, true);
> ?>
> 
> In test2.php in the same domain and same directory, I tried to access the 
> cookies :
> 
> <?php
> var_dump($_COOKIE);
> ?>
> 
> It is showing only the last set cookie.
> 
> array(1) { ["test3"]=> string(8) "content3" }
> 
> all the three cookies are showing in developer tools.
> 
> Javascript is able to read all the three cookies :
> 
> var decodedCookie = decodeURIComponent(document.cookie);
> console.log('c=' + decodedCookie);
> 
> If I use nginx http2, php is able to access all the three cookies.
> 
> But, If I use nginx http3, php is able to access only the last cookie.

Hello.

There was a recent fix to proxy cookies in a concatenated list.
See https://hg.nginx.org/nginx-quic/rev/10522e8dea41

-- 
Sergey Kandaurov
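
The behaviour reported in this thread and in the FastCGI thread above, as an added example (not nginx code and not from either poster): several HTTP/3 cookie field lines collapse to the last one when each is handed over as its own HTTP_COOKIE value, while joining them with "; " (the delimiter RFC 9114, section 4.2.1 specifies for this hand-off) keeps all of them. The type and function names are hypothetical, and the input is constructed from the debug log quoted in the earlier message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: one decoded request field line ("http3 header: ..."). */
typedef struct {
    const char *name;
    const char *value;
} field_t;

/* Constructed input: the cookie field lines from the quoted debug log,
 * plus one unrelated field to show that only "cookie" lines are joined. */
static const field_t sample_fields[] = {
    { "cookie", "number1=this+is+the+first+one" },
    { "accept", "text/html" },
    { "cookie", "number2=this+is+the+second+one" },
    { "cookie", "number3=this+is+the+third+one" },
};
#define SAMPLE_COUNT (sizeof(sample_fields) / sizeof(sample_fields[0]))

/* Reported behaviour: one HTTP_COOKIE value per field line, so a consumer
 * that keeps a single value per parameter name sees only the last line. */
const char *
cookie_last_wins(const field_t *f, size_t n)
{
    const char *value = NULL;
    size_t      i;

    for (i = 0; i < n; i++) {
        if (strcmp(f[i].name, "cookie") == 0) {
            value = f[i].value;   /* each line replaces the previous one */
        }
    }
    return value;
}

/* Join every non-empty cookie field line into out, separated by "; ".
 * Returns the joined length, or -1 (with out emptied) when the result does
 * not fit: a truncated session cookie must never be passed to the backend. */
int
cookie_join(const field_t *f, size_t n, char *out, size_t cap)
{
    size_t i, len = 0, vlen, sep, room;

    if (cap == 0) {
        return -1;
    }
    out[0] = '\0';

    for (i = 0; i < n; i++) {
        if (strcmp(f[i].name, "cookie") != 0 || f[i].value[0] == '\0') {
            continue;
        }
        vlen = strlen(f[i].value);
        sep = len ? 2 : 0;
        room = cap - 1 - len;             /* bytes left before the NUL */
        if (vlen > room || sep > room - vlen) {
            out[0] = '\0';
            return -1;
        }
        if (sep) {
            memcpy(out + len, "; ", 2);
            len += 2;
        }
        memcpy(out + len, f[i].value, vlen);
        len += vlen;
        out[len] = '\0';
    }
    return (int) len;
}

int
main(void)
{
    char buf[256];

    printf("last wins: %s\n", cookie_last_wins(sample_fields, SAMPLE_COUNT));
    if (cookie_join(sample_fields, SAMPLE_COUNT, buf, sizeof(buf)) >= 0) {
        printf("joined:    %s\n", buf);
    }
    return 0;
}
```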



Re: [nginx-quic] revision 6ccf3867959a seems to break http3 response

2022-01-10 Thread Roman Arutyunyan
Hi Guillaume,

On Tue, Jan 04, 2022 at 05:11:19PM +0100, Guillaume Bilic wrote:
> Hi all,
> 
> Latest revisions of quic branch do not work anymore in h3 using chrome
> and firefox.
> Revision 6ccf3867959a "refactored ngx_quic_order_bufs() and
> ngx_quic_split_bufs()" seems to be the culprit.

Can you provide the debug log?  You can send it to the mailing list or
directly to my email.

-- 
Roman Arutyunyan


Re: nginx-quic: download speed is very slow when network has added a delay of 1500ms by tc

2021-10-04 Thread Sergey Kandaurov

> On 1 Oct 2021, at 15:33, 杨明杰  wrote:
> 
> Hi,
>   when network has added a delay of 1500ms by tc, doing e.g.
>    tc qdisc add dev eno1 root netem delay 1500ms
> 
>  [..]
> 
>   when I download a 3GB file with firefox browser, then download speed is 
> about 45 kb/s, but I confirm the protocol is http3.
> I might be doing wrong for something...
>   Please help me, thanks.

Thanks for sharing the results. 
What is your link speed? Can you compare with http2 ?

-- 
Sergey Kandaurov


Re: NGINX-QUIC, ALPN offering only Http/1.1 and h2, but not h3

2021-09-17 Thread Sergey Kandaurov


> On 15 Sep 2021, at 09:39, J B  wrote:
> 
> Hello all,
> 
> I played around with nginx-quic branch, following the blog post here 
> https://www.nginx.com/blog/our-roadmap-quic-http-3-support-nginx/
> 
> I have trouble to get my browser to use http3 with the server. I checked with 
> CURL http3 enabled - there it works when providing the http3 option, it does 
> not when using --alt-svc option.
> I assume it's a configuration issue, or an issue with self-signed 
> certificates, ...
> 
> 
> What did I do:
> 1. Build Docker (copy from blogpost) and generate self signed certs.
> 
> ```
> COPY ./nginx/csr.conf /root/csr.conf
> COPY ./nginx/cert.pass /etc/keys/cert.pass
> 
> # generate self signed certificate
> RUN openssl genrsa -aes128 -passout "pass:supersecure" -out ca.key 4096
> RUN openssl req -new -config csr.conf -key ca.key -out ca.csr -passin 
> "pass:supersecure"
> RUN openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt 
> -passin "pass:supersecure"
> 
> # copy them to /etc/ssl/
> RUN cp ca.crt /etc/ssl/certs/
> RUN cp ca.key /etc/ssl/private/
> RUN cp ca.csr /etc/ssl/private/
> 
> # setup ssl config
> COPY ./nginx/ssl.conf /etc/nginx/conf.d/ssl.conf
> 
> EXPOSE 80 443
> ```
> 
> 2. Run the Docker with
> docker run -it --rm -p 443:443/udp -p 443:443/tcp nginx_quic
> 
> Testing:
> 
> Using HTTP3 enabled curl ends up in:
> ```
> curl -k -vvv --alt-svc altsvc.cache https://localhost:443
> *   Trying 127.0.0.1:443...
> * TCP_NODELAY set
> * Connected to localhost (127.0.0.1) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: /etc/ssl/certs
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443
> * Closing connection 0
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 
> localhost:443
> ```
> 

This means you didn't proceed up to obtaining alternative services
as specified in the Alt-SVC HTTP response field.
Successful response would look like this:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
...
< HTTP/1.1 200 OK
< Server: nginx/1.21.3
< Date: Fri, 17 Sep 2021 11:12:26 GMT
< Content-Type: text/plain
* Added alt-svc: localhost:443 over h3-29
< Alt-Svc: h3-29=":443"; ma=86400

Note the last two lines.
Then, on next curl command, with saved alt service:
$ curl -vvv --alt-svc svc.txt ...
* Alt-svc connecting from [h1]localhost:443 to [h3-29]localhost:443

> 
> using http3 option on curl works as expected:
> ```
> ./curl -v --http3 https://localhost:443/
> *   Trying 127.0.0.1:443...
> * Connect socket 5 over QUIC to 127.0.0.1:443
> * Connected to localhost () port 443 (#0)
> * Using HTTP/3 Stream ID: 0 (easy handle 0x55c46567b290)
> > GET / HTTP/3
> > Host: localhost
> > user-agent: curl/7.79.0-DEV
> > accept: */*
> >
> * ngh3_stream_recv returns 0 bytes and EAGAIN
> < HTTP/3 200
> < server: nginx/1.21.3
> < date: Tue, 14 Sep 2021 22:21:26 GMT
> < content-type: text/html
> < content-length: 615
> < last-modified: Tue, 07 Sep 2021 15:21:03 GMT
> < etag: "6137835f-267"
> < alt-svc: h3=":443"; ma=2592000
> < quic-status: quic
> < x-quic: quic
> < accept-ranges: bytes
> 
> 
> Any Idea how to solve this?
> 

The latest curl uses quic draft-29 if connecting directly.
I presume it would also expect the same version in Alt-Svc.
So, I'd try to substitute it with "h3-29" as provided above.

-- 
Sergey Kandaurov

___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
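The mismatch discussed in the message above, between the token advertised in Alt-Svc and the QUIC version the client speaks, can be checked mechanically. This is an added example, not part of the original thread and not curl or nginx code; the function names are hypothetical, and the client's supported set {"h3-29"} is an assumption taken from the reply's remark that this curl build uses draft-29.

```python
import re
from urllib.parse import unquote


def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _dequote(text):
    """Strip the quotes of a quoted-string and undo backslash escapes."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return re.sub(r"\\(.)", r"\1", text[1:-1])
    return text


def parse_alt_svc(value):
    """Parse an Alt-Svc field value (RFC 7838) into a list of alternatives."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for item in _split_outside_quotes(value, ","):
        fields = _split_outside_quotes(item, ";")
        proto, eq, authority = fields[0].partition("=")
        host, colon, port = _dequote(authority).rpartition(":")
        if not eq or not colon or not port.isdigit():
            raise ValueError("malformed alternative: %r" % item)
        params = {}
        for field in fields[1:]:
            name, _, val = field.partition("=")
            params[name.strip().lower()] = _dequote(val)
        alternatives.append({
            "alpn": unquote(proto.strip()),      # protocol-id is percent-encoded
            "host": host,                        # empty means "same host as origin"
            "port": int(port),
            "ma": int(params.get("ma", 86400)),  # RFC 7838 default: 24 hours
        })
    return alternatives


def usable_alternatives(value, client_alpn):
    """Keep only the alternatives whose ALPN token the client can speak."""
    return [alt for alt in parse_alt_svc(value) if alt["alpn"] in client_alpn]


# Header values quoted in the thread.
REPORTED = 'h3=":443"; ma=2592000'   # what the failing setup advertised
SUGGESTED = 'h3-29=":443"; ma=86400'  # what the reply proposes
CLIENT_ALPN = {"h3-29"}               # assumption: draft-29 only client

if __name__ == "__main__":
    for header in (REPORTED, SUGGESTED):
        print(header, "->", usable_alternatives(header, CLIENT_ALPN))
```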


Re: [nginx-quic] Segmentation offloading

2021-07-27 Thread Vladimir Homutov
On Mon, Jul 26, 2021 at 04:08:02PM -0500, Lucas Cuminato wrote:
> Hello,
>
> I was testing this feature the other day but unsure if it's doing the right
> thing.
> Nginx is generating 65k UDP datagrams which are then being fragmented at
> the IP layer.
> Reading the spec, rfc9000, it looks like IP fragmentation is not allowed
> (Section 14).
>
> "UDP datagrams MUST NOT be fragmented at the IP layer. In IPv4 [IPv4], the
> Don't Fragment (DF) bit MUST be set if possible, to
> prevent fragmentation on the path."
>
>
> Also, it doesn't seem to be respecting the client's endpoint
> max_udp_payload_size.
>
>
> Can you please confirm if this is desired ?

Hi Lucas,

thank you for the feedback.

Of course, 65K datagrams is not something expected. It looks like GSO is
not working properly in your case. The expected result is that kernel
will split 65K buffer into smaller UDP datagrams of specified (segment) size,
and this segment size respects QUIC settings.

Do you see it in the wire? If yes, please share output of configure
script, debug log [1], and output of 'nginx -T'.
Are you running nginx on hardware directly or is it some virtual machine?
NIC/interface details are valuable (ethtool -k ,
ip link show ).


[1] http://nginx.org/en/docs/debugging_log.html


Re: [nginx-quic]

2021-06-14 Thread Vladimir Homutov

14.06.2021 19:43, Lucas Cuminato wrote:

Hi, Vladimir, thanks for replying.

I'm not using any protocol over QUIC, just using QUIC to send/receive 
raw data to/from my application and the server, and having nginx proxy 
it to a TCP server.
I do have a proxy_pass configured in my setup. I just omitted for 
simplicity.


R,
Lucas.


Ok, so you have custom backend that knows what to do with QUIC streams?
And your backend is TCP-based? Sounds quite interesting. Or does it deal
with single stream only?

Anyway, right now it fails at ALPN stage. Probably, in future, we may
introduce some configuration directive to control it. It is not yet
absolutely clear how the stream module should deal with quic.

You may want to try to copy the code which sets ALPN callback from 
http_quic module and provides some meaningful value for protocol.





On Mon, Jun 14, 2021 at 11:35 AM Vladimir Homutov wrote:


14.06.2021 18:08, Lucas Cuminato wrote:
 > Hello,
 >
 > Not sure If this is a bug in nginx-quic or if I'm not configuring
 > it correctly but when trying to use nginx-quic with the following
settings.
 >
 > stream {
 >      server {
 >          listen  quic reuseport;
 >          ssl_session_cache off;
 >          ssl_client_certificate ca.pem;
 >          ssl_verify_client on;
 >          ssl_session_tickets off;
 >          ssl_certificate         cert.pem;
 >          ssl_certificate_key    key.pem;
 >          ssl_protocols       TLSv1.3;
 >      }
 > }
 >
 > and using a standalone application that uses ngtcp2 to try to
connect to
 > nginx-quic, I get a TLS alert saying that "No application protocol".
 > I've tracked this down and it seems like nginx-quic is not
setting any
 > ALPN for the SSL context when using QUIC as a stream (in
 > ngx_stream_ssl_module.c).
 > It does set it when using QUIC as HTTP
(in ngx_http_ssl_module.c).
 > Now, I believe ALPN is mandatory for QUIC according to the
 > QUIC-TRANSPORT draft, so this might be a bug.
 > By copying the code done in ngx_http_ssl_module.c for setting the
ALPN
 > and using it in ngx_stream_ssl_module.c, I was able to make my
 > standalone app connect and transfer data, but not sure
 > if this is the right fix.
 >
 > R,
 > Lucas.
 >
Hello,
this is expected with stream module.
ALPN is required, but is not clear what protocol (http3? other protocol
over quic?) is going to be used.
Can you please elaborate your use case? What are you going to achieve?
Also, the suggested configuration is not going to work, since you don't
have any content handling module (i.e. proxy_pass or return).
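The "No application protocol" alert in this exchange follows from the ALPN rules themselves: over TCP a TLS server with no ALPN list simply ignores the client's offer, while over QUIC a handshake that negotiates no application protocol must be closed with that alert. The sketch below is an added example, not nginx or ngtcp2 code; it models server-side selection per RFC 7301 and the QUIC rule from RFC 9001, and the function names and the "raw-example" protocol name are hypothetical.

```python
NO_APPLICATION_PROTOCOL = 120    # TLS alert number, RFC 7301
QUIC_CRYPTO_ERROR_BASE = 0x0100  # TLS alerts map to 0x0100 + alert in QUIC


class HandshakeAlert(Exception):
    """Fatal TLS alert; quic_error is set when the handshake runs over QUIC."""

    def __init__(self, alert, quic):
        super().__init__("fatal TLS alert %d" % alert)
        self.alert = alert
        self.quic_error = QUIC_CRYPTO_ERROR_BASE + alert if quic else None


def encode_alpn(protocols):
    """Serialize protocol names as the length-prefixed list used on the wire."""
    out = bytearray()
    for name in protocols:
        if not 1 <= len(name) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        out.append(len(name))
        out += name
    return bytes(out)


def decode_alpn(wire):
    """Parse a length-prefixed protocol list, rejecting malformed input."""
    names, pos = [], 0
    while pos < len(wire):
        length = wire[pos]
        name = wire[pos + 1:pos + 1 + length]
        if length == 0 or len(name) != length:
            raise ValueError("malformed ALPN protocol list")
        names.append(name)
        pos += 1 + length
    return names


def negotiate(server_protocols, client_wire, quic):
    """Pick the first server-preferred protocol that the client offered.

    Returns None when plain TLS proceeds without ALPN; raises HandshakeAlert
    when the handshake has to fail.
    """
    offered = decode_alpn(client_wire)
    for name in server_protocols:
        if name in offered:
            return name
    # TLS over TCP: failure only if both sides use ALPN and nothing overlaps.
    # QUIC: a handshake that negotiates no protocol is always closed.
    if quic or (server_protocols and offered):
        raise HandshakeAlert(NO_APPLICATION_PROTOCOL, quic)
    return None


if __name__ == "__main__":
    offer = encode_alpn([b"raw-example"])  # constructed client offer
    print("TCP, no server ALPN :", negotiate([], offer, quic=False))
    try:
        negotiate([], offer, quic=True)
    except HandshakeAlert as exc:
        print("QUIC, no server ALPN: alert %d, QUIC error 0x%04x"
              % (exc.alert, exc.quic_error))
    print("QUIC, ALPN configured:", negotiate([b"raw-example"], offer, quic=True))
```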






Re: [nginx-quic]

2021-06-14 Thread Lucas Cuminato
Hi, Vladimir, thanks for replying.

I'm not using any protocol over QUIC, just using QUIC to send/receive raw
data to/from my application and the server, and having nginx proxy it to a
TCP server.
I do have a proxy_pass configured in my setup. I just omitted for
simplicity.

R,
Lucas.


On Mon, Jun 14, 2021 at 11:35 AM Vladimir Homutov  wrote:

> 14.06.2021 18:08, Lucas Cuminato wrote:
> > Hello,
> >
> > Not sure If this is a bug in nginx-quic or if I'm not configuring
> > it correctly but when trying to use nginx-quic with the following
> settings.
> >
> > stream {
> >     server {
> >         listen  quic reuseport;
> >         ssl_session_cache off;
> >         ssl_client_certificate ca.pem;
> >         ssl_verify_client on;
> >         ssl_session_tickets off;
> >         ssl_certificate         cert.pem;
> >         ssl_certificate_key     key.pem;
> >         ssl_protocols           TLSv1.3;
> >     }
> > }
> >
> > and using a standalone application that uses ngtcp2 to try to connect to
> > nginx-quic, I get a TLS alert saying that "No application protocol".
> > I've tracked this down and it seems like nginx-quic is not setting any
> > ALPN for the SSL context when using QUIC as a stream (in
> > ngx_stream_ssl_module.c).
> > It does set it when using QUIC as HTTP (in ngx_http_ssl_module.c).
> > Now, I believe ALPN is mandatory for QUIC according to the
> > QUIC-TRANSPORT draft, so this might be a bug.
> > By copying the code done in ngx_http_ssl_module.c for setting the ALPN
> > and using it in ngx_stream_ssl_module.c, I was able to make my
> > standalone app connect and transfer data, but not sure
> > if this is the right fix.
> >
> > R,
> > Lucas.
> >
> Hello,
> this is expected with stream module.
> ALPN is required, but is not clear what protocol (http3? other protocol
> over quic?) is going to be used.
> Can you please elaborate your use case? What are you going to achieve?
> Also, the suggested configuration is not going to work, since you don't
> have any content handling module (i.e. proxy_pass or return).
>
>

Re: [nginx-quic]

2021-06-14 Thread Vladimir Homutov

14.06.2021 18:08, Lucas Cuminato wrote:

Hello,

Not sure If this is a bug in nginx-quic or if I'm not configuring 
it correctly but when trying to use nginx-quic with the following settings.


stream {
     server {
         listen  quic reuseport;
         ssl_session_cache off;
         ssl_client_certificate ca.pem;
         ssl_verify_client on;
         ssl_session_tickets off;
         ssl_certificate         cert.pem;
         ssl_certificate_key    key.pem;
         ssl_protocols       TLSv1.3;
     }
}

and using a standalone application that uses ngtcp2 to try to connect to 
nginx-quic, I get a TLS alert saying that "No application protocol".
I've tracked this down and it seems like nginx-quic is not setting any 
ALPN for the SSL context when using QUIC as a stream (in 
ngx_stream_ssl_module.c).
It does set it when using QUIC as HTTP (in ngx_http_ssl_module.c). 
Now, I believe ALPN is mandatory for QUIC according to the 
QUIC-TRANSPORT draft, so this might be a bug.
By copying the code done in ngx_http_ssl_module.c for setting the ALPN 
and using it in ngx_stream_ssl_module.c, I was able to make my 
standalone app connect and transfer data, but not sure
if this is the right fix.

R,
Lucas.


Hello,
this is expected with stream module.
ALPN is required, but is not clear what protocol (http3? other protocol 
over quic?) is going to be used.

Can you please elaborate your use case? What are you going to achieve?
Also, the suggested configuration is not going to work, since you don't
have any content handling module (i.e. proxy_pass or return).



Re: [nginx-quic] fix qpack header null value issue

2021-06-01 Thread Sergey Kandaurov


> On 28 May 2021, at 07:02, sun edward  wrote:
> 
> description:
>  when header with a null value, need to reset st->value, otherwise it is 
> taking previous header field's value
> 

Thanks, a slightly different version committed:
https://hg.nginx.org/nginx-quic/rev/3509b9dcfb47

[..]

-- 
Sergey Kandaurov



Re: [nginx-quic] fix qpack index issue when looking up dynamic table

2021-05-27 Thread Sergey Kandaurov


> On 24 May 2021, at 06:34, sun edward  wrote:
> 
> description:
>  when qpack header insert with name reference, if it is dynamic table, 
> the index should be the relative index, as described in drafts:
> https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#name-insert-with-name-reference
>  

Committed, thanks.
https://hg.nginx.org/nginx-quic/rev/e6c26cb4d38b

[..]

-- 
Sergey Kandaurov



Re: nginx-quic: setting transport parameters

2021-02-15 Thread Sergey Kandaurov



> On 27 Jan 2021, at 13:16, Sergey Kandaurov  wrote:
> 
>> 
>> On 26 Jan 2021, at 13:26, Kyriakos Zarifis  wrote:
>> 
>> Hi, 
>> 
>> I can't seem to set a few of the quic parameters using their respective 
>> directives.
>> Specifically, doing e.g. this in the conf:
>>    quic_max_udp_payload_size 1472;
>>    quic_max_ack_delay 10;
>>    quic_ack_delay_exponent 2;
>> 
>> ... results in the default values being sent (as seen in qvis):
>>    "max_packet_size": 65527
>>    "max_ack_delay": 25
>>    "ack_delay_exponent": 3
>> 
>> Other parameters (like quic_initial_*) are being set just fine. Any idea what 
>> I might be doing wrong for these 3 above?
> 
> These directives do not currently affect sending transport parameters.
> It needs to be fixed.

This was recently fixed:
https://hg.nginx.org/nginx-quic/rev/75603531064a

> 
>> p.s. I think quic_max_packet_size needs to be updated to 
>> quic_max_udp_payload_size in the README to match the latest drafts and code.
> 
> This one has been fixed, thanks.
> https://hg.nginx.org/nginx-quic/rev/27bd6dc24426

-- 
Sergey Kandaurov



Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-03 Thread Andrey Khramov
Hi Roman,

Thanks for your reply.

I can't know why the SSL certificate isn't trusted by the Chrome browser
because there is no problem related to the SSL certificate in the Firefox
browser.
I moved the SSL certificate from apache2 to nginx:
apache2                 nginx
SSLCertificateFile      ssl_certificate
SSLCertificateKeyFile   ssl_certificate_key
SSLCACertificateFile    ssl_trusted_certificate

Could you tell me what I'm missing?

Thanks. Regards.

On Tue, Feb 2, 2021 at 10:41 PM Roman Arutyunyan  wrote:

> Hi Andrey,
>
> Here’s the error:
>
> 2021/02/02 21:17:21 [debug] 18359#0: *4 quic frame rx init
> CONNECTION_CLOSE_APP err:10 28:TLS handshake failure (ENCRYPTION_HANDSHAKE)
> 46: certificate unknown ft:6
>
> Looks like your server certificate is not trusted by the browser.
>
> On 3 Feb 2021, at 00:26, Andrey Khramov  wrote:
>
> Hello, Roman
>
> Sorry.
> I got the error log related to "quic" when connecting in the Chrome
> browser.
> I attached the log file.
> Please check it.
>
> Thank you. Regards.
>
> On Tue, Feb 2, 2021 at 9:01 PM Andrey Khramov  wrote:
>
>> Hello, Roman
>>
>> Thanks for your reply.
>> I checked HTTP/3 (QUIC) in the Firefox browser.
>> But I didn't check it in the Chrome browser.
>> The version of the Chrome is 88.0.4324.104 (64bit).
>> I run the Chrome browser with the following command:
>> chrome --enable-quic --quic-version=h3-29 --origin-to-force-quic-on=
>> apporto.com:7443
>>
>> Also, I enabled "Experimental QUIC protocol" flag in chrome://flags.
>> I can't get any log related to "quic" in error.log.
>>
>> I hope your suggestion and advice.
>> Thanks. Regards
>>
>> On Tue, Feb 2, 2021 at 4:18 PM Roman Arutyunyan  wrote:
>>
>>> Hi Andrey,
>>>
>>> On 2 Feb 2021, at 18:52, Andrey Khramov  wrote:
>>>
>>> Hello,Roman
>>>
>>> Thanks for your reply.
>>>
>>> I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85,
>>> Chrome 88) according to https://quic.nginx.org/readme.html.
>>> The https://quic.nginx.org website detects HTTP/3 (QUIC) support in the
>>> browsers.
>>>
>>>
>>> Try cleaning browser cache.
>>>
>>> Also check if there are lines with the word ‘quic’ in the debug log when
>>> you open the page.
>>>
>>> Thanks. Regards
>>>
>>>
>>> On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan  wrote:
>>>
>>>> Hi Andrey,
>>>>
>>>> On 2 Feb 2021, at 17:30, Andrey Khramov  wrote:
>>>>
>>>> Hello, there
>>>>
>>>> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
>>>> But I couldn't test HTTP/3 (QUIC).
>>>>
>>>> I built the quic branch of nginx-quic repo according to README of that
>>>> repo.
>>>> The configuration options follows as below:
>>>> $ ./auto/configure --prefix=/etc/nginx \
>>>>  --sbin-path=/usr/sbin/nginx \
>>>>  --conf-path=/etc/nginx/nginx.conf \
>>>>  --pid-path=/var/run/nginx.pid \
>>>>  --error-log-path=/var/log/nginx/error.log \
>>>>  --http-log-path=/var/log/nginx/access.log \
>>>>  --with-debug \
>>>>  --with-http_v2_module --with-http_ssl_module \
>>>>  --with-http_v3_module --with-http_quic_module \
>>>>  --with-stream_quic_module \
>>>>  --with-cc-opt="-I../boringssl/include" \
>>>>  --with-ld-opt="-L../boringssl/build/ssl \
>>>>  -L../boringssl/build/crypto"
>>>> $ make
>>>>
>>>> To install the nginx-quic, I installed the nginx 1.19.6 package on
>>>> Ubuntu 18.04 and replaced the nginx binary with the nginx-quic:
>>>> $ sudo cp objs/nginx /usr/sbin/
>>>>
>>>> I configured that the nginx-quic works as load-balancer of HTTPS:
>>>> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat
>>>> (8080 port)
>>>>
>>>> The configuration file (nginx.conf) follows as below:
>>>>
>>>> user  nginx;
>>>> worker_processes  auto;
>>>>
>>>> events {
>>>> worker_connections  1024;
>>>> }
>>>>
>>>> http {
>>>> log_format quic '$remote_addr - $remote_user [$time_local] '
>>>> '"$request" $status $body_bytes_sent '
>>>> '"$http_referer" "$http_user_agent" "$quic"
>>>> "$http3"';
>>>>
>>>> access_log /var/log/nginx/access.log quic;
>>>> error_log  /var/log/nginx/error.log debug;
>>>>
>>>> server {
>>>>
>>>> listen 7443 http3 reuseport; # Enable HTTP/3.
>>>> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>>>>
>>>> ssl_certificate
>>>>  /home/ubuntu/andrey/http3/example-fullchain.pem;
>>>> ssl_certificate_key  /etc/ssl/private/example.key;
>>>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>>>>
>>>> location / {
>>>> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise
>>>> that QUIC is available
>>>> add_header QUIC-Status $quic; # Sent when QUIC was used
>>>>
>>>> proxy_pass http://backend1;
>>>> }
>>>> }
>>>>
>>>> server {
>>>> listen 8443

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Roman Arutyunyan
Hi Andrey,

Here’s the error:

2021/02/02 21:17:21 [debug] 18359#0: *4 quic frame rx init CONNECTION_CLOSE_APP 
err:10 28:TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown 
ft:6

Looks like your server certificate is not trusted by the browser.

> On 3 Feb 2021, at 00:26, Andrey Khramov  wrote:
> 
> Hello, Roman
> 
> Sorry.
> I got the error log related to "quic" when connecting in the Chrome browser.
> I attached the log file.
> Please check it.
> 
> Thank you. Regards.
> 
> On Tue, Feb 2, 2021 at 9:01 PM Andrey Khramov wrote:
> Hello, Roman
> 
> Thanks for your reply.
> I checked HTTP/3 (QUIC) in the Firefox browser.
> But I didn't check it in the Chrome browser.
> The version of the Chrome is 88.0.4324.104 (64bit).
> I run the Chrome browser with the following command:
> chrome --enable-quic --quic-version=h3-29 
> --origin-to-force-quic-on=apporto.com:7443 
> 
> Also, I enabled "Experimental QUIC protocol" flag in chrome://flags.
> I can't get any log related to "quic" in error.log.
> 
> I hope your suggestion and advice.
> Thanks. Regards
> 
> On Tue, Feb 2, 2021 at 4:18 PM Roman Arutyunyan wrote:
> Hi Andrey,
> 
>> On 2 Feb 2021, at 18:52, Andrey Khramov wrote:
>> 
>> Hello,Roman
>> 
>> Thanks for your reply.
>> 
>> I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85, Chrome 
>> 88) according to https://quic.nginx.org/readme.html.
>> The https://quic.nginx.org website detects HTTP/3 
>> (QUIC) support in the browsers.
> 
> Try cleaning browser cache.
> 
> Also check if there are lines with the word ‘quic’ in the debug log when you 
> open the page.
> 
>> Thanks. Regards
>> 
>> 
>> On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan wrote:
>> Hi Andrey,
>> 
>>> On 2 Feb 2021, at 17:30, Andrey Khramov wrote:
>>> 
>>> Hello, there
>>> 
>>> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
>>> But I couldn't test HTTP/3 (QUIC).
>>> 
>>> I built the quic branch of nginx-quic repo according to README of that repo.
>>> The configuration options follows as below:
>>> $ ./auto/configure --prefix=/etc/nginx \
>>>  --sbin-path=/usr/sbin/nginx \
>>>  --conf-path=/etc/nginx/nginx.conf \
>>>  --pid-path=/var/run/nginx.pid \
>>>  --error-log-path=/var/log/nginx/error.log \
>>>  --http-log-path=/var/log/nginx/access.log \
>>>  --with-debug \
>>>  --with-http_v2_module --with-http_ssl_module \
>>>  --with-http_v3_module --with-http_quic_module \
>>>  --with-stream_quic_module \
>>>  --with-cc-opt="-I../boringssl/include" \
>>>  --with-ld-opt="-L../boringssl/build/ssl \
>>>  -L../boringssl/build/crypto"
>>> $ make
>>> 
>>> To install the nginx-quic, I installed the nginx 1.19.6 package on Ubuntu 
>>> 18.04 and replaced the nginx binary with the nginx-quic:
>>> $ sudo cp objs/nginx /usr/sbin/
>>> 
>>> I configured that the nginx-quic works as load-balancer of HTTPS:
>>> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat (8080 
>>> port)
>>> 
>>> The configuration file (nginx.conf) follows as below:
>>> 
>>> user  nginx;
>>> worker_processes  auto;
>>> 
>>> events {
>>> worker_connections  1024;
>>> }
>>> 
>>> http {
>>> log_format quic '$remote_addr - $remote_user [$time_local] '
>>> '"$request" $status $body_bytes_sent '
>>> '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>>> 
>>> access_log /var/log/nginx/access.log quic;
>>> error_log  /var/log/nginx/error.log debug;
>>> 
>>> server {
>>> 
>>> listen 7443 http3 reuseport; # Enable HTTP/3.
>>> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>>> 
>>> ssl_certificate  
>>> /home/ubuntu/andrey/http3/example-fullchain.pem;
>>> ssl_certificate_key  /etc/ssl/private/example.key;
>>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>>> 
>>> location / {
>>> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise that 
>>> QUIC is available
>>> add_header QUIC-Status $quic; # Sent when QUIC was used
>>> 
>>> proxy_pass http://backend1;
>>> }
>>> }
>>> 
>>> server {
>>> listen 8443 ssl http2;
>>> 
>>> ssl_certificate  
>>> /home/ubuntu/andrey/http3/example-fullchain.pem;
>>> ssl_certificate_key  /etc/ssl/private/example.key;
>>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
>>> 
>>> location / {
>>> proxy_pass http://backend2;
>>> }
>>> }
>>> 
>>> upstream backend1 {
>>> ip_hash;
>>> server 

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Andrey Khramov
Hello, Roman

Sorry.
I got the error log related to "quic" when connecting in the Chrome browser.
I attached the log file.
Please check it.

Thank you. Regards.

On Tue, Feb 2, 2021 at 9:01 PM Andrey Khramov  wrote:

> Hello, Roman
>
> Thanks for your reply.
> I checked HTTP/3 (QUIC) in the Firefox browser.
> But I didn't check it in the Chrome browser.
> The version of the Chrome is 88.0.4324.104 (64bit).
> I run the Chrome browser with the following command:
> chrome --enable-quic --quic-version=h3-29 --origin-to-force-quic-on=
> apporto.com:7443
>
> Also, I enabled "Experimental QUIC protocol" flag in chrome://flags.
> I can't get any log related to "quic" in error.log.
>
> I hope your suggestion and advice.
> Thanks. Regards
>
> On Tue, Feb 2, 2021 at 4:18 PM Roman Arutyunyan  wrote:
>
>> Hi Andrey,
>>
>> On 2 Feb 2021, at 18:52, Andrey Khramov  wrote:
>>
>> Hello,Roman
>>
>> Thanks for your reply.
>>
>> I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85, Chrome
>> 88) according to https://quic.nginx.org/readme.html.
>> The https://quic.nginx.org website detects HTTP/3 (QUIC) support in the
>> browsers.
>>
>>
>> Try cleaning browser cache.
>>
>> Also check if there are lines with the word ‘quic’ in the debug log when
>> you open the page.
>>
>> Thanks. Regards
>>
>>
>> On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan  wrote:
>>
>>> Hi Andrey,
>>>
>>> On 2 Feb 2021, at 17:30, Andrey Khramov  wrote:
>>>
>>> Hello, there
>>>
>>> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
>>> But I couldn't test HTTP/3 (QUIC).
>>>
>>> I built the quic branch of nginx-quic repo according to README of that
>>> repo.
>>> The configuration options follows as below:
>>> $ ./auto/configure --prefix=/etc/nginx \
>>>  --sbin-path=/usr/sbin/nginx \
>>>  --conf-path=/etc/nginx/nginx.conf \
>>>  --pid-path=/var/run/nginx.pid \
>>>  --error-log-path=/var/log/nginx/error.log \
>>>  --http-log-path=/var/log/nginx/access.log \
>>>  --with-debug \
>>>  --with-http_v2_module --with-http_ssl_module \
>>>  --with-http_v3_module --with-http_quic_module \
>>>  --with-stream_quic_module \
>>>  --with-cc-opt="-I../boringssl/include" \
>>>  --with-ld-opt="-L../boringssl/build/ssl \
>>>  -L../boringssl/build/crypto"
>>> $ make
>>>
>>> To install the nginx-quic, I installed the nginx 1.19.6 package on
>>> Ubuntu 18.04 and replaced the nginx binary with the nginx-quic:
>>> $ sudo cp objs/nginx /usr/sbin/
>>>
>>> I configured that the nginx-quic works as load-balancer of HTTPS:
>>> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat
>>> (8080 port)
>>>
>>> The configuration file (nginx.conf) follows as below:
>>>
>>> user  nginx;
>>> worker_processes  auto;
>>>
>>> events {
>>> worker_connections  1024;
>>> }
>>>
>>> http {
>>> log_format quic '$remote_addr - $remote_user [$time_local] '
>>> '"$request" $status $body_bytes_sent '
>>> '"$http_referer" "$http_user_agent" "$quic"
>>> "$http3"';
>>>
>>> access_log /var/log/nginx/access.log quic;
>>> error_log  /var/log/nginx/error.log debug;
>>>
>>> server {
>>>
>>> listen 7443 http3 reuseport; # Enable HTTP/3.
>>> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>>>
>>> ssl_certificate
>>>  /home/ubuntu/andrey/http3/example-fullchain.pem;
>>> ssl_certificate_key  /etc/ssl/private/example.key;
>>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>>>
>>> location / {
>>> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise
>>> that QUIC is available
>>> add_header QUIC-Status $quic; # Sent when QUIC was used
>>>
>>> proxy_pass http://backend1;
>>> }
>>> }
>>>
>>> server {
>>> listen 8443 ssl http2;
>>>
>>> ssl_certificate
>>>  /home/ubuntu/andrey/http3/example-fullchain.pem;
>>> ssl_certificate_key  /etc/ssl/private/example.key;
>>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
>>>
>>> location / {
>>> proxy_pass http://backend2;
>>> }
>>> }
>>>
>>> upstream backend1 {
>>> ip_hash;
>>> server localhost max_fails=3 fail_timeout=30s;
>>> }
>>>
>>> upstream backend2 {
>>> ip_hash;
>>> server localhost max_fails=3 fail_timeout=30s;
>>> }
>>> }
>>>
>>> I opened UDP 7443 port on the cloud server (AWS).
>>>
>>> I tested HTTP/3 (QUIC) with the client tools (neqo-client, curl-http3)
>>> and the browsers (Firefox 85 and Chrome 88) according to
>>> https://quic.nginx.org/readme.html.
>>> I got the right result with the client tools, but I didn't get the right
>>> result with the browsers.
>>>
>>> When connecting 7443 port with the browsers, I get the HTTP/1.1 now.
>>> When connecting 8443 port with 

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Andrey Khramov
Hello, Roman

Thanks for your reply.
I checked HTTP/3 (QUIC) in the Firefox browser.
But I didn't check it in the Chrome browser.
The version of the Chrome is 88.0.4324.104 (64bit).
I run the Chrome browser with the following command:
chrome --enable-quic --quic-version=h3-29 --origin-to-force-quic-on=
apporto.com:7443

Also, I enabled "Experimental QUIC protocol" flag in chrome://flags.
I can't get any log related to "quic" in error.log.

I hope your suggestion and advice.
Thanks. Regards

On Tue, Feb 2, 2021 at 4:18 PM Roman Arutyunyan  wrote:

> Hi Andrey,
>
> On 2 Feb 2021, at 18:52, Andrey Khramov  wrote:
>
> Hello,Roman
>
> Thanks for your reply.
>
> I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85, Chrome
> 88) according to https://quic.nginx.org/readme.html.
> The https://quic.nginx.org website detects HTTP/3 (QUIC) support in the
> browsers.
>
>
> Try cleaning browser cache.
>
> Also check if there are lines with the word ‘quic’ in the debug log when
> you open the page.
>
> Thanks. Regards
>
>
> On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan  wrote:
>
>> Hi Andrey,
>>
>> On 2 Feb 2021, at 17:30, Andrey Khramov  wrote:
>>
>> Hello, there
>>
>> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
>> But I couldn't test HTTP/3 (QUIC).
>>
>> I built the quic branch of nginx-quic repo according to README of that
>> repo.
>> The configuration options follows as below:
>> $ ./auto/configure --prefix=/etc/nginx \
>>  --sbin-path=/usr/sbin/nginx \
>>  --conf-path=/etc/nginx/nginx.conf \
>>  --pid-path=/var/run/nginx.pid \
>>  --error-log-path=/var/log/nginx/error.log \
>>  --http-log-path=/var/log/nginx/access.log \
>>  --with-debug \
>>  --with-http_v2_module --with-http_ssl_module \
>>  --with-http_v3_module --with-http_quic_module \
>>  --with-stream_quic_module \
>>  --with-cc-opt="-I../boringssl/include" \
>>  --with-ld-opt="-L../boringssl/build/ssl \
>>  -L../boringssl/build/crypto"
>> $ make
>>
>> To install the nginx-quic, I installed the nginx 1.19.6 package on Ubuntu
>> 18.04 and replaced the nginx binary with the nginx-quic:
>> $ sudo cp objs/nginx /usr/sbin/
>>
>> I configured that the nginx-quic works as load-balancer of HTTPS:
>> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat
>> (8080 port)
>>
>> The configuration file (nginx.conf) follows as below:
>>
>> user  nginx;
>> worker_processes  auto;
>>
>> events {
>> worker_connections  1024;
>> }
>>
>> http {
>> log_format quic '$remote_addr - $remote_user [$time_local] '
>> '"$request" $status $body_bytes_sent '
>> '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>>
>> access_log /var/log/nginx/access.log quic;
>> error_log  /var/log/nginx/error.log debug;
>>
>> server {
>>
>> listen 7443 http3 reuseport; # Enable HTTP/3.
>> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>>
>> ssl_certificate
>>  /home/ubuntu/andrey/http3/example-fullchain.pem;
>> ssl_certificate_key  /etc/ssl/private/example.key;
>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>>
>> location / {
>> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise
>> that QUIC is available
>> add_header QUIC-Status $quic; # Sent when QUIC was used
>>
>> proxy_pass http://backend1;
>> }
>> }
>>
>> server {
>> listen 8443 ssl http2;
>>
>> ssl_certificate
>>  /home/ubuntu/andrey/http3/example-fullchain.pem;
>> ssl_certificate_key  /etc/ssl/private/example.key;
>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
>>
>> location / {
>> proxy_pass http://backend2;
>> }
>> }
>>
>> upstream backend1 {
>> ip_hash;
>> server localhost max_fails=3 fail_timeout=30s;
>> }
>>
>> upstream backend2 {
>> ip_hash;
>> server localhost max_fails=3 fail_timeout=30s;
>> }
>> }
>>
>> I opened UDP 7443 port on the cloud server (AWS).
>>
>> I tested HTTP/3 (QUIC) with the client tools (neqo-client, curl-http3)
>> and the browsers (Firefox 85 and Chrome 88) according to
>> https://quic.nginx.org/readme.html.
>> I got the right result with the client tools, but I didn't get the right
>> result with the browsers.
>>
>> When connecting 7443 port with the browsers, I get the HTTP/1.1 now.
>> When connecting 8443 port with the browsers, I get the HTTP/2 now.
>>
>>
>> The first request goes over HTTP/1, but then it’s supposed to switch to
>> HTTP/3 if everything is right.
>>
>> Does https://quic.nginx.org/ detect QUIC support in your browsers?
>> If yes, please follow the ‘QUIC TEST’ link at the top and run the test.
>>
>> Also, make sure QUIC/HTTP/3 is enabled in the browser.
>> In Firefox open the 

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Roman Arutyunyan
Hi Andrey,

> On 2 Feb 2021, at 18:52, Andrey Khramov  wrote:
> 
> Hello,Roman
> 
> Thanks for your reply.
> 
> I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85, Chrome 88) 
> according to https://quic.nginx.org/readme.html.
> The https://quic.nginx.org website detects HTTP/3 
> (QUIC) support in the browsers.

Try cleaning browser cache.

Also check if there are lines with the word ‘quic’ in the debug log when you 
open the page.

> Thanks. Regards
> 
> 
> On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan wrote:
> Hi Andrey,
> 
>> On 2 Feb 2021, at 17:30, Andrey Khramov wrote:
>> 
>> Hello, there
>> 
>> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
>> But I couldn't test HTTP/3 (QUIC).
>> 
>> I built the quic branch of nginx-quic repo according to README of that repo.
>> The configuration options follows as below:
>> $ ./auto/configure --prefix=/etc/nginx \
>>  --sbin-path=/usr/sbin/nginx \
>>  --conf-path=/etc/nginx/nginx.conf \
>>  --pid-path=/var/run/nginx.pid \
>>  --error-log-path=/var/log/nginx/error.log \
>>  --http-log-path=/var/log/nginx/access.log \
>>  --with-debug \
>>  --with-http_v2_module --with-http_ssl_module \
>>  --with-http_v3_module --with-http_quic_module \
>>  --with-stream_quic_module \
>>  --with-cc-opt="-I../boringssl/include" \
>>  --with-ld-opt="-L../boringssl/build/ssl \
>>  -L../boringssl/build/crypto"
>> $ make
>> 
>> To install the nginx-quic, I installed the nginx 1.19.6 package on Ubuntu 
>> 18.04 and replaced the nginx binary with the nginx-quic:
>> $ sudo cp objs/nginx /usr/sbin/
>> 
>> I configured that the nginx-quic works as load-balancer of HTTPS:
>> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat (8080 
>> port)
>> 
>> The configuration file (nginx.conf) follows as below:
>> 
>> user  nginx;
>> worker_processes  auto;
>> 
>> events {
>> worker_connections  1024;
>> }
>> 
>> http {
>> log_format quic '$remote_addr - $remote_user [$time_local] '
>> '"$request" $status $body_bytes_sent '
>> '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>> 
>> access_log /var/log/nginx/access.log quic;
>> error_log  /var/log/nginx/error.log debug;
>> 
>> server {
>> 
>> listen 7443 http3 reuseport; # Enable HTTP/3.
>> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>> 
>> ssl_certificate  /home/ubuntu/andrey/http3/example-fullchain.pem;
>> ssl_certificate_key  /etc/ssl/private/example.key;
>> ssl_protocols        TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>> 
>> location / {
>> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise that 
>> QUIC is available
>> add_header QUIC-Status $quic; # Sent when QUIC was used
>> 
>> proxy_pass http://backend1;
>> }
>> }
>> 
>> server {
>> listen 8443 ssl http2;
>> 
>> ssl_certificate  /home/ubuntu/andrey/http3/example-fullchain.pem;
>> ssl_certificate_key  /etc/ssl/private/example.key;
>> ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
>> 
>> location / {
>> proxy_pass http://backend2 ;
>> }
>> }
>> 
>> upstream backend1 {
>> ip_hash;
>> server localhost max_fails=3 fail_timeout=30s;
>> }
>> 
>> upstream backend2 {
>> ip_hash;
>> server localhost max_fails=3 fail_timeout=30s;
>> }
>> }
>> 
>> I opened UDP 7443 port on the cloud server (AWS).
>> 
>> I tested HTTP/3 (QUIC) with the client tools (neqo-client, curl-http3) and 
>> the browsers (Firefox 85 and Chrome 88) according to 
>> https://quic.nginx.org/readme.html .
>> I got the right result with the client tools, but I didn't get the right 
>> result with the browsers.
>> 
>> When connecting 7443 port with the browsers, I get the HTTP/1.1 now.
>> When connecting 8443 port with the browsers, I get the HTTP/2 now.
> 
> The first request goes over HTTP/1, but then it’s supposed to switch to 
> HTTP/3 if everything is right.
> 
> Does https://quic.nginx.org/  detect QUIC support in 
> your browsers?
> If yes, please follow the ‘QUIC TEST’ link at the top and run the test.
> 
> Also, make sure QUIC/HTTP/3 is enabled in the browser.
> In Firefox open the about:config page make sure http.http3.enabled 
> parameter is ’true’.
> 
>> I hope any suggestions and help.
>> Thanks.
>> ___
>> nginx-devel mailing list
>> nginx-devel@nginx.org 
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel 

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Andrey Khramov
Hello, Roman

Thanks for your reply.

I already enabled HTTP/3 (QUIC) in those browsers (Firefox 85, Chrome
88) according to https://quic.nginx.org/readme.html.
The https://quic.nginx.org website detects HTTP/3 (QUIC) support in the
browsers.

Thanks. Regards


On Tue, Feb 2, 2021 at 2:47 PM Roman Arutyunyan  wrote:

> Hi Andrey,
>
> On 2 Feb 2021, at 17:30, Andrey Khramov  wrote:
>
> Hello, there
>
> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
> But I couldn't test HTTP/3 (QUIC).
>
> I built the quic branch of nginx-quic repo according to README of that
> repo.
> The configuration options follows as below:
> $ ./auto/configure --prefix=/etc/nginx \
>  --sbin-path=/usr/sbin/nginx \
>  --conf-path=/etc/nginx/nginx.conf \
>  --pid-path=/var/run/nginx.pid \
>  --error-log-path=/var/log/nginx/error.log \
>  --http-log-path=/var/log/nginx/access.log \
>  --with-debug \
>  --with-http_v2_module --with-http_ssl_module \
>  --with-http_v3_module --with-http_quic_module \
>  --with-stream_quic_module \
>  --with-cc-opt="-I../boringssl/include" \
>  --with-ld-opt="-L../boringssl/build/ssl \
>  -L../boringssl/build/crypto"
> $ make
>
> To install the nginx-quic, I installed the nginx 1.19.6 package on Ubuntu
> 18.04 and replaced the nginx binary with the nginx-quic:
> $ sudo cp objs/nginx /usr/sbin/
>
> I configured that the nginx-quic works as load-balancer of HTTPS:
> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat
> (8080 port)
>
> The configuration file (nginx.conf) follows as below:
>
> user  nginx;
> worker_processes  auto;
>
> events {
> worker_connections  1024;
> }
>
> http {
> log_format quic '$remote_addr - $remote_user [$time_local] '
> '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>
> access_log /var/log/nginx/access.log quic;
> error_log  /var/log/nginx/error.log debug;
>
> server {
>
> listen 7443 http3 reuseport; # Enable HTTP/3.
> listen 7443 ssl; # Enable HTTP/1.1 (optional).
>
> ssl_certificate
>  /home/ubuntu/andrey/http3/example-fullchain.pem;
> ssl_certificate_key  /etc/ssl/private/example.key;
> ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
>
> location / {
> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise that QUIC is available
> add_header QUIC-Status $quic; # Sent when QUIC was used
>
> proxy_pass http://backend1;
> }
> }
>
> server {
> listen 8443 ssl http2;
>
> ssl_certificate
>  /home/ubuntu/andrey/http3/example-fullchain.pem;
> ssl_certificate_key  /etc/ssl/private/example.key;
> ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
>
> location / {
> proxy_pass http://backend2;
> }
> }
>
> upstream backend1 {
> ip_hash;
> server localhost max_fails=3 fail_timeout=30s;
> }
>
> upstream backend2 {
> ip_hash;
> server localhost max_fails=3 fail_timeout=30s;
> }
> }
>
> I opened UDP 7443 port on the cloud server (AWS).
>
> I tested HTTP/3 (QUIC) with the client tools (neqo-client, curl-http3) and
> the browsers (Firefox 85 and Chrome 88) according to
> https://quic.nginx.org/readme.html.
> I got the right result with the client tools, but I didn't get the right
> result with the browsers.
>
> When connecting 7443 port with the browsers, I get the HTTP/1.1 now.
> When connecting 8443 port with the browsers, I get the HTTP/2 now.
>
>
> The first request goes over HTTP/1, but then it’s supposed to switch to
> HTTP/3 if everything is right.
>
> Does https://quic.nginx.org/ detect QUIC support in your browsers?
> If yes, please follow the ‘QUIC TEST’ link at the top and run the test.
>
> Also, make sure QUIC/HTTP/3 is enabled in the browser.
> In Firefox open the about:config page make sure http.http3.enabled
> parameter is ’true’.
>
> I hope any suggestions and help.
> Thanks.
>
>
> —
> Roman Arutyunyan
> a...@nginx.com
>

Re: [nginx-quic] HTTP/3(QUIC): I can't test HTTP/3 with nginx-quic repo

2021-02-02 Thread Roman Arutyunyan
Hi Andrey,

> On 2 Feb 2021, at 17:30, Andrey Khramov  wrote:
> 
> Hello, there
> 
> I tried to test the HTTP/3 (QUIC) with nginx-quic in several days.
> But I couldn't test HTTP/3 (QUIC).
> 
> I built the quic branch of nginx-quic repo according to README of that repo.
> The configuration options follows as below:
> $ ./auto/configure --prefix=/etc/nginx \
>  --sbin-path=/usr/sbin/nginx \
>  --conf-path=/etc/nginx/nginx.conf \
>  --pid-path=/var/run/nginx.pid \
>  --error-log-path=/var/log/nginx/error.log \
>  --http-log-path=/var/log/nginx/access.log \
>  --with-debug \
>  --with-http_v2_module --with-http_ssl_module \
>  --with-http_v3_module --with-http_quic_module \
>  --with-stream_quic_module \
>  --with-cc-opt="-I../boringssl/include" \
>  --with-ld-opt="-L../boringssl/build/ssl \
>  -L../boringssl/build/crypto"
> $ make
> 
> To install the nginx-quic, I installed the nginx 1.19.6 package on Ubuntu 
> 18.04 and replaced the nginx binary with the nginx-quic:
> $ sudo cp objs/nginx /usr/sbin/
> 
> I configured that the nginx-quic works as load-balancer of HTTPS:
> HTTPS -> nginx-quic (7443 port) -> Apache2 (80 port) -> Apache Tomcat (8080 
> port)
> 
> The configuration file (nginx.conf) follows as below:
> 
> user  nginx;
> worker_processes  auto;
> 
> events {
> worker_connections  1024;
> }
> 
> http {
> log_format quic '$remote_addr - $remote_user [$time_local] '
> '"$request" $status $body_bytes_sent '
> '"$http_referer" "$http_user_agent" "$quic" "$http3"';
> 
> access_log /var/log/nginx/access.log quic;
> error_log  /var/log/nginx/error.log debug;
> 
> server {
> 
> listen 7443 http3 reuseport; # Enable HTTP/3.
> listen 7443 ssl; # Enable HTTP/1.1 (optional).
> 
> ssl_certificate  /home/ubuntu/andrey/http3/example-fullchain.pem;
> ssl_certificate_key  /etc/ssl/private/example.key;
> ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
> 
> location / {
> add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise that QUIC is available
> add_header QUIC-Status $quic; # Sent when QUIC was used
> 
> proxy_pass http://backend1 ;
> }
> }
> 
> server {
> listen 8443 ssl http2;
> 
> ssl_certificate  /home/ubuntu/andrey/http3/example-fullchain.pem;
> ssl_certificate_key  /etc/ssl/private/example.key;
> ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
> 
> location / {
> proxy_pass http://backend2 ;
> }
> }
> 
> upstream backend1 {
> ip_hash;
> server localhost max_fails=3 fail_timeout=30s;
> }
> 
> upstream backend2 {
> ip_hash;
> server localhost max_fails=3 fail_timeout=30s;
> }
> }
> 
> I opened UDP 7443 port on the cloud server (AWS).
> 
> I tested HTTP/3 (QUIC) with the client tools (neqo-client, curl-http3) and 
> the browsers (Firefox 85 and Chrome 88) according to 
> https://quic.nginx.org/readme.html .
> I got the right result with the client tools, but I didn't get the right 
> result with the browsers.
> 
> When connecting 7443 port with the browsers, I get the HTTP/1.1 now.
> When connecting 8443 port with the browsers, I get the HTTP/2 now.

The first request goes over HTTP/1, but then it’s supposed to switch to HTTP/3 
if everything is right.

Does https://quic.nginx.org/  detect QUIC support in 
your browsers?
If yes, please follow the ‘QUIC TEST’ link at the top and run the test.

Also, make sure QUIC/HTTP/3 is enabled in the browser.
In Firefox open the about:config  page make sure 
http.http3.enabled parameter is ’true’.

> I hope any suggestions and help.
> Thanks.

—
Roman Arutyunyan
a...@nginx.com


Re: NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

2021-02-02 Thread Surinder Sund
No no. UDP is open. Anyway, I've given up trying to get it working.

On Tue, Dec 22, 2020 at 10:34 PM Jonny Barnes  wrote:

> Do you have a firewall setup on the server to only allow traffic on 443 if
> it’s tcp traffic?
>
> Rule needs to be added for udp as well
>
> On Tue, 22 Dec 2020 at 13:08, Surinder Sund  wrote:
>
>> Thank You Johny.
>>
>> I fixed that (In fact, I'd fixed it in the trial machine earlier, but
>> when I restored a backup, it came back in).
>>
>> Unfortunately, the error still remains.
>>
>> Pls see the picture below. I can confirm that the traffic is hitting
>> 443/UDP, but nothing is being returned.
>>
>>
>> https://drive.google.com/file/d/1knHKb_jUcjdY71wCz-w1TG4QupxH9CN3/view?usp=sharing
>>
>> [image: image.png]
>>
>> Looks like no cigar for me yet.
>>
>>
>>
>>
>>
>> On Mon, Dec 21, 2020 at 10:24 PM Jonny Barnes 
>> wrote:
>>
>>> I think your Alt Svc header should be pointing to port 443, not 8443
>>>
>>> On Mon, 21 Dec 2020 at 14:41, Surinder Sund  wrote:
>>>
 forgot to add that this affects only http3 requests [I've tested from
 more than one machine and multiple clients, including cURL and FF]

 http2 request work fine with no change in configuration.

 On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund 
 wrote:

> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu
> 20.04.
>
> But I'm getting this error:
>
> **1 SSL_do_handshake() failed (SSL: error:1118:SSL
> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>
> Looks like some issue with the way Boringssl is set up, or being used
> by Nginx?
>
>
> HOW I BUILT BORINGSSL
>
> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
> ninja
>
> NGINX DETAILS
>
> *~/nginx-quic# nginx -V*
>
> nginx version: nginx/1.19.6
> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with
> BoringSSL)
> TLS SNI support enabled
> configure arguments: --with-debug --with-http_v3_module
> --with-cc-opt=-I../boringssl/include
> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> --with-http_quic_module --with-stream_quic_module
> --with-http_image_filter_module --with-http_sub_module --with-stream
> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
> --conf-path=/etc/nginx/nginx.conf 
> --error-log-path=/var/log/nginx/error.log
> --pid-path=/var/run/nginx.pid
>
>
> HOW I BUILT NGINX QUIC:
>
> cd ~/nginx-quic ;
> ./auto/configure --with-debug --with-http_v3_module   \
>--with-cc-opt="-I../boringssl/include"   \
>--with-ld-opt="-L../boringssl/build/ssl  \
>   -L../boringssl/build/crypto"\
> --with-http_quic_module  --with-stream_quic_module
>  --with-http_image_filter_module --with-http_sub_module --with-stream
> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
> --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
>  --conf-path=/etc/nginx/nginx.conf
> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>
>
> MY NGINX BUILD CONFIGURATION SUMMARY:
>
> Configuration summary
>   + using system PCRE library
>   + using system OpenSSL library
>   + using system zlib library
>
>   nginx path prefix: "/etc/nginx"
>   nginx binary file: "/usr/sbin/nginx"
>   nginx modules path: "/usr/lib/nginx/modules"
>   nginx configuration prefix: "/etc/nginx"
>   nginx configuration file: "/etc/nginx/nginx.conf"
>   nginx pid file: "/var/run/nginx.pid"
>   nginx error log file: "/var/log/nginx/error.log"
>   nginx http access log file: "/etc/nginx/logs/access.log"
>   nginx http client request body temporary files: "client_body_temp"
>   nginx http proxy temporary files: "proxy_temp"
>   nginx http fastcgi temporary files: "fastcgi_temp"
>   nginx http uwsgi temporary files: "uwsgi_temp"
>   nginx http scgi temporary files: "scgi_temp"
>
>
>
>
> MY SITE CONFIGURATION
>
>
> listen 80;
> listen [::]:80;
> listen 443 ssl http2 fastopen=150;
> listen   [::]:443 ipv6only=on ssl  fastopen=150;
> include snippets/ssl-params.conf;
> server_name blah.blah;
> root /var/wordpress;
> index index.html index.htm index.php;
> access_log /var/log/nginx/xx.log;
> error_log /var/log/nginx/xx-error_log;
> ssl_early_data on;
> listen 443 http3 reuseport;
> listen [::]:443 http3 reuseport;
> add_header Alt-Svc 

Re: nginx-quic: setting transport parameters

2021-01-27 Thread Sergey Kandaurov


> On 26 Jan 2021, at 13:26, Kyriakos Zarifis  wrote:
> 
> Hi, 
> 
> I can't seem to set a few of the quic parameters using their respective 
> directives.
> Specifically, doing e.g. this in the conf:
> quic_max_udp_payload_size 1472;
> quic_max_ack_delay 10;
> quic_ack_delay_exponent 2;
> 
> ... results in the default values being sent (as seen in qvis):
> "max_packet_size": 65527
> "max_ack_delay": 25
> "ack_delay_exponent": 3
> 
> Other parameters (like quic_inital_*) are being set just fine. Any idea what 
> I might be doing wrong for these 3 above?

These directives do not currently affect sending transport parameters.
It needs to be fixed.

> p.s. I think quic_max_packet_size needs to be updated to 
> quic_max_udp_payload_size in the README to match the latest drafts and code.

This one has been fixed, thanks.
https://hg.nginx.org/nginx-quic/rev/27bd6dc24426

-- 
Sergey Kandaurov



Re: NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

2020-12-22 Thread Jonny Barnes
Do you have a firewall setup on the server to only allow traffic on 443 if
it’s tcp traffic?

Rule needs to be added for udp as well

On Tue, 22 Dec 2020 at 13:08, Surinder Sund  wrote:

> Thank You Johny.
>
> I fixed that (In fact, I'd fixed it in the trial machine earlier, but when
> I restored a backup, it came back in).
>
> Unfortunately, the error still remains.
>
> Pls see the picture below. I can confirm that the traffic is hitting
> 443/UDP, but nothing is being returned.
>
>
> https://drive.google.com/file/d/1knHKb_jUcjdY71wCz-w1TG4QupxH9CN3/view?usp=sharing
>
> [image: image.png]
>
> Looks like no cigar for me yet.
>
>
>
>
>
> On Mon, Dec 21, 2020 at 10:24 PM Jonny Barnes 
> wrote:
>
>> I think your Alt Svc header should be pointing to port 443, not 8443
>>
>> On Mon, 21 Dec 2020 at 14:41, Surinder Sund  wrote:
>>
>>> forgot to add that this affects only http3 requests [I've tested from
>>> more than one machine and multiple clients, including cURL and FF]
>>>
>>> http2 request work fine with no change in configuration.
>>>
>>> On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund 
>>> wrote:
>>>
 I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.

 But I'm getting this error:

 **1 SSL_do_handshake() failed (SSL: error:1118:SSL
 routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*

 Looks like some issue with the way Boringssl is set up, or being used
 by Nginx?


 HOW I BUILT BORINGSSL

 cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
 ninja

 NGINX DETAILS

 *~/nginx-quic# nginx -V*

 nginx version: nginx/1.19.6
 built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
 built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with
 BoringSSL)
 TLS SNI support enabled
 configure arguments: --with-debug --with-http_v3_module
 --with-cc-opt=-I../boringssl/include
 --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
 --with-http_quic_module --with-stream_quic_module
 --with-http_image_filter_module --with-http_sub_module --with-stream
 --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
 --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
 --pid-path=/var/run/nginx.pid


 HOW I BUILT NGINX QUIC:

 cd ~/nginx-quic ;
 ./auto/configure --with-debug --with-http_v3_module   \
--with-cc-opt="-I../boringssl/include"   \
--with-ld-opt="-L../boringssl/build/ssl  \
   -L../boringssl/build/crypto"\
 --with-http_quic_module  --with-stream_quic_module
  --with-http_image_filter_module --with-http_sub_module --with-stream
 --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
 --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
  --conf-path=/etc/nginx/nginx.conf
 --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid


 MY NGINX BUILD CONFIGURATION SUMMARY:

 Configuration summary
   + using system PCRE library
   + using system OpenSSL library
   + using system zlib library

   nginx path prefix: "/etc/nginx"
   nginx binary file: "/usr/sbin/nginx"
   nginx modules path: "/usr/lib/nginx/modules"
   nginx configuration prefix: "/etc/nginx"
   nginx configuration file: "/etc/nginx/nginx.conf"
   nginx pid file: "/var/run/nginx.pid"
   nginx error log file: "/var/log/nginx/error.log"
   nginx http access log file: "/etc/nginx/logs/access.log"
   nginx http client request body temporary files: "client_body_temp"
   nginx http proxy temporary files: "proxy_temp"
   nginx http fastcgi temporary files: "fastcgi_temp"
   nginx http uwsgi temporary files: "uwsgi_temp"
   nginx http scgi temporary files: "scgi_temp"




 MY SITE CONFIGURATION


 listen 80;
 listen [::]:80;
 listen 443 ssl http2 fastopen=150;
 listen   [::]:443 ipv6only=on ssl  fastopen=150;
 include snippets/ssl-params.conf;
 server_name blah.blah;
 root /var/wordpress;
 index index.html index.htm index.php;
 access_log /var/log/nginx/xx.log;
 error_log /var/log/nginx/xx-error_log;
 ssl_early_data on;
 listen 443 http3 reuseport;
 listen [::]:443 http3 reuseport;
 add_header Alt-Svc '$http3=":8443"; ma=86400';


 *in nginx.conf I've added this:*

ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2


 UDP is open on port 441, I've double checked this from the outside. So
 it's not a port issue.

 

Re: NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

2020-12-22 Thread Surinder Sund
Thank You Johny.

I fixed that (In fact, I'd fixed it in the trial machine earlier, but when
I restored a backup, it came back in).

Unfortunately, the error still remains.

Pls see the picture below. I can confirm that the traffic is hitting
443/UDP, but nothing is being returned.

https://drive.google.com/file/d/1knHKb_jUcjdY71wCz-w1TG4QupxH9CN3/view?usp=sharing

[image: image.png]

Looks like no cigar for me yet.





On Mon, Dec 21, 2020 at 10:24 PM Jonny Barnes  wrote:

> I think your Alt Svc header should be pointing to port 443, not 8443
>
> On Mon, 21 Dec 2020 at 14:41, Surinder Sund  wrote:
>
>> forgot to add that this affects only http3 requests [I've tested from
>> more than one machine and multiple clients, including cURL and FF]
>>
>> http2 request work fine with no change in configuration.
>>
>> On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund  wrote:
>>
>>> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.
>>>
>>> But I'm getting this error:
>>>
>>> **1 SSL_do_handshake() failed (SSL: error:1118:SSL
>>> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>>>
>>> Looks like some issue with the way Boringssl is set up, or being used by
>>> Nginx?
>>>
>>>
>>> HOW I BUILT BORINGSSL
>>>
>>> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
>>> ninja
>>>
>>> NGINX DETAILS
>>>
>>> *~/nginx-quic# nginx -V*
>>>
>>> nginx version: nginx/1.19.6
>>> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
>>> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
>>> TLS SNI support enabled
>>> configure arguments: --with-debug --with-http_v3_module
>>> --with-cc-opt=-I../boringssl/include
>>> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>>> --with-http_quic_module --with-stream_quic_module
>>> --with-http_image_filter_module --with-http_sub_module --with-stream
>>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>>> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
>>> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
>>> --pid-path=/var/run/nginx.pid
>>>
>>>
>>> HOW I BUILT NGINX QUIC:
>>>
>>> cd ~/nginx-quic ;
>>> ./auto/configure --with-debug --with-http_v3_module   \
>>>--with-cc-opt="-I../boringssl/include"   \
>>>--with-ld-opt="-L../boringssl/build/ssl  \
>>>   -L../boringssl/build/crypto"\
>>> --with-http_quic_module  --with-stream_quic_module
>>>  --with-http_image_filter_module --with-http_sub_module --with-stream
>>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>>> --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
>>>  --conf-path=/etc/nginx/nginx.conf
>>> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>>>
>>>
>>> MY NGINX BUILD CONFIGURATION SUMMARY:
>>>
>>> Configuration summary
>>>   + using system PCRE library
>>>   + using system OpenSSL library
>>>   + using system zlib library
>>>
>>>   nginx path prefix: "/etc/nginx"
>>>   nginx binary file: "/usr/sbin/nginx"
>>>   nginx modules path: "/usr/lib/nginx/modules"
>>>   nginx configuration prefix: "/etc/nginx"
>>>   nginx configuration file: "/etc/nginx/nginx.conf"
>>>   nginx pid file: "/var/run/nginx.pid"
>>>   nginx error log file: "/var/log/nginx/error.log"
>>>   nginx http access log file: "/etc/nginx/logs/access.log"
>>>   nginx http client request body temporary files: "client_body_temp"
>>>   nginx http proxy temporary files: "proxy_temp"
>>>   nginx http fastcgi temporary files: "fastcgi_temp"
>>>   nginx http uwsgi temporary files: "uwsgi_temp"
>>>   nginx http scgi temporary files: "scgi_temp"
>>>
>>>
>>>
>>>
>>> MY SITE CONFIGURATION
>>>
>>>
>>> listen 80;
>>> listen [::]:80;
>>> listen 443 ssl http2 fastopen=150;
>>> listen   [::]:443 ipv6only=on ssl  fastopen=150;
>>> include snippets/ssl-params.conf;
>>> server_name blah.blah;
>>> root /var/wordpress;
>>> index index.html index.htm index.php;
>>> access_log /var/log/nginx/xx.log;
>>> error_log /var/log/nginx/xx-error_log;
>>> ssl_early_data on;
>>> listen 443 http3 reuseport;
>>> listen [::]:443 http3 reuseport;
>>> add_header Alt-Svc '$http3=":8443"; ma=86400';
>>>
>>>
>>> *in nginx.conf I've added this:*
>>>
>>>ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2
>>>
>>>
>>> UDP is open on port 441, I've double checked this from the outside. So
>>> it's not a port issue.
>>>
>

Re: NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

2020-12-21 Thread Jonny Barnes
I think your Alt Svc header should be pointing to port 443, not 8443

On Mon, 21 Dec 2020 at 14:41, Surinder Sund  wrote:

> forgot to add that this affects only http3 requests [I've tested from more
> than one machine and multiple clients, including cURL and FF]
>
> http2 request work fine with no change in configuration.
>
> On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund  wrote:
>
>> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.
>>
>> But I'm getting this error:
>>
>> **1 SSL_do_handshake() failed (SSL: error:1118:SSL
>> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>>
>> Looks like some issue with the way Boringssl is set up, or being used by
>> Nginx?
>>
>>
>> HOW I BUILT BORINGSSL
>>
>> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
>> ninja
>>
>> NGINX DETAILS
>>
>> *~/nginx-quic# nginx -V*
>>
>> nginx version: nginx/1.19.6
>> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
>> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
>> TLS SNI support enabled
>> configure arguments: --with-debug --with-http_v3_module
>> --with-cc-opt=-I../boringssl/include
>> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>> --with-http_quic_module --with-stream_quic_module
>> --with-http_image_filter_module --with-http_sub_module --with-stream
>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
>> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
>> --pid-path=/var/run/nginx.pid
>>
>>
>> HOW I BUILT NGINX QUIC:
>>
>> cd ~/nginx-quic ;
>> ./auto/configure --with-debug --with-http_v3_module   \
>>--with-cc-opt="-I../boringssl/include"   \
>>--with-ld-opt="-L../boringssl/build/ssl  \
>>   -L../boringssl/build/crypto"\
>> --with-http_quic_module  --with-stream_quic_module
>>  --with-http_image_filter_module --with-http_sub_module --with-stream
>> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
>> --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
>>  --conf-path=/etc/nginx/nginx.conf
>> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>>
>>
>> MY NGINX BUILD CONFIGURATION SUMMARY:
>>
>> Configuration summary
>>   + using system PCRE library
>>   + using system OpenSSL library
>>   + using system zlib library
>>
>>   nginx path prefix: "/etc/nginx"
>>   nginx binary file: "/usr/sbin/nginx"
>>   nginx modules path: "/usr/lib/nginx/modules"
>>   nginx configuration prefix: "/etc/nginx"
>>   nginx configuration file: "/etc/nginx/nginx.conf"
>>   nginx pid file: "/var/run/nginx.pid"
>>   nginx error log file: "/var/log/nginx/error.log"
>>   nginx http access log file: "/etc/nginx/logs/access.log"
>>   nginx http client request body temporary files: "client_body_temp"
>>   nginx http proxy temporary files: "proxy_temp"
>>   nginx http fastcgi temporary files: "fastcgi_temp"
>>   nginx http uwsgi temporary files: "uwsgi_temp"
>>   nginx http scgi temporary files: "scgi_temp"
>>
>>
>>
>>
>> MY SITE CONFIGURATION
>>
>>
>> listen 80;
>> listen [::]:80;
>> listen 443 ssl http2 fastopen=150;
>> listen   [::]:443 ipv6only=on ssl  fastopen=150;
>> include snippets/ssl-params.conf;
>> server_name blah.blah;
>> root /var/wordpress;
>> index index.html index.htm index.php;
>> access_log /var/log/nginx/xx.log;
>> error_log /var/log/nginx/xx-error_log;
>> ssl_early_data on;
>> listen 443 http3 reuseport;
>> listen [::]:443 http3 reuseport;
>> add_header Alt-Svc '$http3=":8443"; ma=86400';
>>
>>
>> *in nginx.conf I've added this:*
>>
>>ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2
>>
>>
>> UDP is open on port 441, I've double checked this from the outside. So
>> it's not a port issue.
>>
>> ___
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
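
The Alt-Svc port mismatch pointed out in the message above, and the TLS versions enabled next to an `http3` listener in the configurations posted in these threads, can both be checked mechanically. The Python checker below is an added example, not code from any message in the thread or from nginx; the sample configuration is constructed from values posted above, and the function names and finding codes are hypothetical.

```python
import re

# nginx config tokens: quoted strings, comments, braces/semicolons, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};]+''')
ALT_PORT = re.compile(r'="[^"]*:(\d+)"')   # matches h3=":443", $http3=":8443", h3="host:443"
QUIC_FLAGS = {"http3", "quic"}             # "http3" is the listen flag used in these threads
LEGACY_TLS = {"TLSv1", "TLSv1.1"}

# Constructed sample: three server blocks built from values posted in the threads.
SAMPLE = r'''
http {
    ssl_protocols TLSv1.3;            # set once in nginx.conf
    server {
        listen 443 ssl http2;
        listen 443 http3 reuseport;
        listen [::]:443 http3 reuseport;
        add_header Alt-Svc '$http3=":8443"; ma=86400';
    }
    server {
        listen 7443 http3 reuseport;
        listen 7443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        location / {
            add_header alt-svc '$http3=":7443"; ma=86400'; # Advertise QUIC
            proxy_pass http://backend1;
        }
    }
    server {                          # constructed failure case: TLS 1.3 switched off
        listen 9443 http3;
        ssl_protocols TLSv1.2;
    }
    upstream backend1 { server localhost; }
}
'''


def parse(conf):
    """Return (servers, inherited). Each server is a list of directives (word lists),
    nested location blocks included; inherited is an ssl_protocols value set outside
    any server block, or None."""
    servers, stack, words, inherited = [], [], [], None
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == "{":
            stack.append(words[0] if words else "")
            if words == ["server"]:
                servers.append([])
            words = []
        elif tok == "}":
            if stack:
                stack.pop()
            words = []
        elif tok == ";":
            if words and "server" in stack:
                servers[-1].append(words)
            elif words and words[0] == "ssl_protocols":
                inherited = words[1:]
            words = []
        else:
            if len(tok) > 1 and tok[0] in "\"'" and tok[-1] == tok[0]:
                tok = tok[1:-1]       # strip the surrounding quotes
            words.append(tok)
    return servers, inherited


def listen_port(addr):
    """Port of a listen address such as '443' or '[::]:443'; None if no port is given."""
    m = re.fullmatch(r"(?:.*:)?(\d+)", addr)
    return int(m.group(1)) if m else None


def check_server(directives, inherited=None):
    """Return (code, message) findings for one server block."""
    quic_ports, advertised, protocols = set(), set(), inherited
    for name, *args in directives:
        if name == "listen" and args and QUIC_FLAGS & set(args[1:]):
            port = listen_port(args[0])
            if port is not None:
                quic_ports.add(port)
        elif name == "add_header" and len(args) >= 2 and args[0].lower() == "alt-svc":
            advertised.update(int(p) for p in ALT_PORT.findall(args[1]))
        elif name == "ssl_protocols":
            protocols = args
    if not quic_ports:
        return []                     # no QUIC listener, nothing to check
    findings = []
    if not advertised:
        findings.append(("NO_ALT_SVC", "QUIC listener without an Alt-Svc header; "
                         "browsers are never told to switch from TCP"))
    for port in sorted(advertised - quic_ports):
        findings.append(("ALT_SVC_PORT_MISMATCH",
                         f"Alt-Svc advertises UDP {port}, QUIC listens on {sorted(quic_ports)}"))
    # An unset ssl_protocols falls back to nginx's built-in default, not modelled here.
    if protocols is not None:
        if "TLSv1.3" not in protocols:
            findings.append(("TLS13_DISABLED", "QUIC requires TLS 1.3 (RFC 9001)"))
        if LEGACY_TLS & set(protocols):
            findings.append(("LEGACY_TLS", "TLSv1/TLSv1.1 still enabled (deprecated by RFC 8996)"))
    return findings


def audit(conf):
    """Findings for every server block, in file order."""
    servers, inherited = parse(conf)
    return [check_server(s, inherited) for s in servers]


if __name__ == "__main__":
    for i, findings in enumerate(audit(SAMPLE), 1):
        for code, msg in findings:
            print(f"server #{i}: {code}: {msg}")
```

The checker reads only the text it is given, so a file pulled in with `include` (such as `snippets/ssl-params.conf` in the post above) has to be audited separately.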

Re: NGINX-QUIC: OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED

2020-12-21 Thread Surinder Sund
forgot to add that this affects only http3 requests [I've tested from more
than one machine and multiple clients, including cURL and FF]

http2 request work fine with no change in configuration.

On Mon, Dec 21, 2020 at 7:16 PM Surinder Sund  wrote:

> I'm trying to get NGINX QUIC to work on a fresh install of Ubuntu 20.04.
>
> But I'm getting this error:
>
> **1 SSL_do_handshake() failed (SSL: error:1118:SSL
> routines:OPENSSL_internal:NO_SUPPORTED_VERSIONS_ENABLED)*
>
> Looks like some issue with the way Boringssl is set up, or being used by
> Nginx?
>
>
> HOW I BUILT BORINGSSL
>
> cd boringssl; mkdir build ; cd build ; cmake -GNinja ..
> ninja
>
> NGINX DETAILS
>
> *~/nginx-quic# nginx -V*
>
> nginx version: nginx/1.19.6
> built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
> TLS SNI support enabled
> configure arguments: --with-debug --with-http_v3_module
> --with-cc-opt=-I../boringssl/include
> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
> --with-http_quic_module --with-stream_quic_module
> --with-http_image_filter_module --with-http_sub_module --with-stream
> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
> --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
> --pid-path=/var/run/nginx.pid
>
>
> HOW I BUILT NGINX QUIC:
>
> cd ~/nginx-quic ;
> ./auto/configure --with-debug --with-http_v3_module   \
>--with-cc-opt="-I../boringssl/include"   \
>--with-ld-opt="-L../boringssl/build/ssl  \
>   -L../boringssl/build/crypto"\
> --with-http_quic_module  --with-stream_quic_module
>  --with-http_image_filter_module --with-http_sub_module --with-stream
> --add-module=/usr/local/src/ngx_brotli --prefix=/etc/nginx
> --sbin-path=/usr/sbin/nginx   --modules-path=/usr/lib/nginx/modules
>  --conf-path=/etc/nginx/nginx.conf
> --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid
>
>
> MY NGINX BUILD CONFIGURATION SUMMARY:
>
> Configuration summary
>   + using system PCRE library
>   + using system OpenSSL library
>   + using system zlib library
>
>   nginx path prefix: "/etc/nginx"
>   nginx binary file: "/usr/sbin/nginx"
>   nginx modules path: "/usr/lib/nginx/modules"
>   nginx configuration prefix: "/etc/nginx"
>   nginx configuration file: "/etc/nginx/nginx.conf"
>   nginx pid file: "/var/run/nginx.pid"
>   nginx error log file: "/var/log/nginx/error.log"
>   nginx http access log file: "/etc/nginx/logs/access.log"
>   nginx http client request body temporary files: "client_body_temp"
>   nginx http proxy temporary files: "proxy_temp"
>   nginx http fastcgi temporary files: "fastcgi_temp"
>   nginx http uwsgi temporary files: "uwsgi_temp"
>   nginx http scgi temporary files: "scgi_temp"
>
>
>
>
> MY SITE CONFIGURATION
>
>
> listen 80;
> listen [::]:80;
> listen 443 ssl http2 fastopen=150;
> listen   [::]:443 ipv6only=on ssl  fastopen=150;
> include snippets/ssl-params.conf;
> server_name blah.blah;
> root /var/wordpress;
> index index.html index.htm index.php;
> access_log /var/log/nginx/xx.log;
> error_log /var/log/nginx/xx-error_log;
> ssl_early_data on;
> listen 443 http3 reuseport;
> listen [::]:443 http3 reuseport;
> add_header Alt-Svc '$http3=":8443"; ma=86400';
>
>
> *in nginx.conf I've added this:*
>
>ssl_protocols  TLSv1.3; #disabled 1.1 & 1.2
>
>
> UDP is open on port 441, I've double checked this from the outside. So
> it's not a port issue.
>
>

Re: Nginx QUIC configuration file

2020-10-12 Thread Manuel
Hi,

the config file is from the nginx quic repository and from the blog post. It 
should work for every client that implements at least the 29 draft.

Best,
Manuel


> On 11.10.2020 at 23:15, HARISH KUMAR Ivaturi wrote:
> 
> Hi Manuel 
> 
> Thank you for the solution. I think it is a configuration file related with 
> Google Chrome Canary browser.
> Does the same config file work if I want to get a response in the terminal 
> using curl command.
> command used:
> 
> curl -k -v --http3 "https://127.0.0.1:443"
> 
> And the reason why i need a proper config file is , later i want to make 
> OpenStack rely with nginx (with HTTP/3) web server so there could be an 
> interaction between them. I hope you understand.
> 
> I sincerely thank you for your reply, but if it works for this Cloud then it 
> would be helpful.
> 
> BR
> Harish Kumar
> 
>> On Mon, Oct 12, 2020 at 1:07 AM Manuel  wrote:
>> Hi,
>> 
>> please recompile nginx with the latest version of boring and nginx. Probably 
>> also with minus minus prefix set to /etc/nginx
>> 2nd step would be to find out which exact nginx binary the cmd 'service 
>> nginx restart' is executing. Alternative would be to execute the compiled 
>> binary directly.
>> 
>> I tried it out today and so far nginx and Google Chrome Canary with enabled 
>> quic h3-29 draft are talking http3 via quic.
>> 
>> This is the config:
>> 
>> events {}
>> http {
>>     log_format quic '$remote_addr - $remote_user [$time_local] '
>>                     '"$request" $status $body_bytes_sent '
>>                     '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>>
>>     access_log logs/access.log quic;
>>     error_log logs/error.log debug;
>>
>>     server {
>>         root /var/www/html;
>>
>>         server_name xyz;
>>
>>         # for better compatibility it's recommended
>>         # to use the same port for quic and https
>>         listen 443 http3 reuseport;
>>         listen 443 ssl;
>>         ssl_protocols  TLSv1.3;
>>
>>         ssl_certificate ...
>>         ssl_certificate_key ...
>>         include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>>         ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>>
>>         location / {
>>             # required for browsers to direct them into quic port
>>
>>             add_header X-http3-status "http3 is $http3";
>>             add_header X-quic-status "quic is $quic";
>>             add_header Alt-Svc '$http3=":443"; ma=86400';
>>             # add_header Alt-Svc 'quic=":443"';
>>         }
>>     }
>> }
>> 
>> 
>>> On 10.10.2020 at 15:23, HARISH KUMAR Ivaturi wrote:
>>> 
>>> Hi Manuel 
>>> 
>>> I am not sure if you remember but with your help i have installed Nginx 
>>> with HTTP/3 by installing boringssl.
>>> After all the process done you have suggested me to do 
>>> sudo cp objs/nginx /usr/local/bin/
>>> 
>>> So now.
>>> 
>>> 
>>> $ nginx -V
>>> nginx version: nginx/1.19.1
>>> built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) 
>>> built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
>>> TLS SNI support enabled
>>> configure arguments: --with-debug --with-http_v3_module 
>>> --with-cc-opt=-I../boringssl/include 
>>> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>>> 
>>>> On Sat, Oct 10, 2020 at 5:18 PM Manuel wrote:
>>>> Hi,
>>>>
>>>> can you verify that the nginx binary that is using the http3 config is the
>>>> nginx that can do http3?
>>>> For this you have to locate the systemd file that starts the nginx server
>>>> and then look into the file to which path the executable point. Then run
>>>> minus minus version on the binary.
>>>>
>>>>> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have installed nginx with http/3 with mercurial.
>>>>> I just need a proper default.conf which is located in /etc/nginx/conf.d
>>>>> and in default.conf
>>>>>
>>>>> BR
>>>>> Harish Kumar
>>>>>
>>>>>> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov wrote:
>>>>>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>>>>>> > Hi
>>>>>> >
>>>>>> > Sorry, this is my final default.conf
>>>>>> >
>>>>>> > server {
>>>>>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>>>>>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>>>>>> > server_name  localhost;
>>>>>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>>>>>> > ssl_certificate cert.crt;
>>>>>> > ssl_certificate_key cert.key;
>>>>>> >
>>>>>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is
>>>>>> > available
>>>>>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>>>>>> > }
>>>>>> >
>>>>>> > after this i run
>>>>>> > curl -k --http3 -v "https://127.0.0.1:443"
>>>>>> >
>>>>>> > And in another terminal i have my
>>>>>> >  sudo tail -f

Re: Nginx QUIC configuration file

2020-10-11 Thread HARISH KUMAR Ivaturi
Hi Manuel

Thank you for the solution. I think it is a configuration file related with
Google Chrome Canary browser.
Does the same config file work if I want to get a response in the terminal
using curl command?
Command used:

curl -k -v --http3 "https://127.0.0.1:443"

And the reason why I need a proper config file is, later I want to make
OpenStack rely with nginx (with HTTP/3) web server so there could be an
interaction between them. I hope you understand.

I sincerely thank you for your reply, but if it works for this Cloud then
it would be helpful.

BR
Harish Kumar

On Mon, Oct 12, 2020 at 1:07 AM Manuel  wrote:

> Hi,
>
> please recompile nginx with the latest version of boring and nginx.
> Probably also with minus minus prefix set to /etc/nginx
> 2nd step would be to find out which exact nginx binary the cmd 'service
> nginx restart' is executing. Alternative would be to execute the compiled
> binary directly.
>
> I tried it out today and so far nginx and Google Chrome Canary with
> enabled quic h3-29 draft are talking http3 via quic.
>
> This is the config:
>
> events {}
> http {
>     log_format quic '$remote_addr - $remote_user [$time_local] '
>                     '"$request" $status $body_bytes_sent '
>                     '"$http_referer" "$http_user_agent" "$quic" "$http3"';
>
>     access_log logs/access.log quic;
>     error_log logs/error.log debug;
>
>     server {
>         root /var/www/html;
>
>         server_name xyz;
>
>         # for better compatibility it's recommended
>         # to use the same port for quic and https
>         listen 443 http3 reuseport;
>         listen 443 ssl;
>         ssl_protocols  TLSv1.3;
>
>         ssl_certificate ...
>         ssl_certificate_key ...
>         include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
>         ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
>
>         location / {
>             # required for browsers to direct them into quic port
>
>             add_header X-http3-status "http3 is $http3";
>             add_header X-quic-status "quic is $quic";
>             add_header Alt-Svc '$http3=":443"; ma=86400';
>             # add_header Alt-Svc 'quic=":443"';
>         }
>     }
> }
>
>
>
> On 10.10.2020 at 15:23, HARISH KUMAR Ivaturi <
> harishkumarivat...@gmail.com> wrote:
>
> Hi Manuel
>
> I am not sure if you remember but with your help i have installed Nginx
> with HTTP/3 by installing boringssl.
> After all the process done you have suggested me to do
> sudo cp objs/nginx /usr/local/bin/
>
> So now.
>
>
> $ nginx -V
> nginx version: nginx/1.19.1
> built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
> built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
> TLS SNI support enabled
> configure arguments: --with-debug --with-http_v3_module
> --with-cc-opt=-I../boringssl/include
> --with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'
>
> On Sat, Oct 10, 2020 at 5:18 PM Manuel  wrote:
>
>> Hi,
>>
>> can you verify that the nginx binary that is using the http3 config is
>> the nginx that can do http3?
>> For this you have to locate the systemd file that starts the nginx server
>> and then look into the file to which path the executable point. Then run
>> minus minus version on the binary.
>>
>> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi <
>> harishkumarivat...@gmail.com> wrote:
>>
>> Hi
>>
>> I have installed nginx with http/3 with mercurial.
>> I just need a proper default.conf which is located in /etc/nginx/conf.d
>> and in default.conf
>>
>> BR
>> Harish Kumar
>>
>> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov  wrote:
>>
>>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>>> > Hi
>>> >
>>> > Sorry, this is my final default.conf
>>> >
>>> > server {
>>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>>> > server_name  localhost;
>>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>>> > ssl_certificate cert.crt;
>>> > ssl_certificate_key cert.key;
>>> >
>>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is
>>> available
>>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>>> > }
>>> >
>>> > after this i run
>>> > curl -k --http3 -v "https://127.0.0.1:443"
>>> >
>>> > And in another terminal i have my
>>> >  sudo tail -f /var/log/nginx/error.log
>>> >
>>> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
>>> > /etc/nginx/conf.d/default.conf:3
>>> >
>>> > Help me with this issue.
>>> >
>>> You probably compiled nginx from the vanilla repo while you should take
>>> it from this one:
>>>
>>> https://hg.nginx.org/nginx-quic/file/quic
>>>
>>> See https://quic.nginx.org/ for more information.
>>>
>>> --
>>> Maxim Konovalov

Re: Nginx QUIC configuration file

2020-10-11 Thread Manuel
Hi,

please recompile nginx with the latest version of boring and nginx. Probably 
also with minus minus prefix set to /etc/nginx
2nd step would be to find out which exact nginx binary the cmd 'service nginx 
restart' is executing. Alternative would be to execute the compiled binary 
directly.

I tried it out today and so far nginx and Google Chrome Canary with enabled 
quic h3-29 draft are talking http3 via quic.

This is the config:

events {}
http {
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$quic" "$http3"';

    access_log logs/access.log quic;
    error_log logs/error.log debug;

    server {
        root /var/www/html;

        server_name xyz;

        # for better compatibility it's recommended
        # to use the same port for quic and https
        listen 443 http3 reuseport;
        listen 443 ssl;
        ssl_protocols  TLSv1.3;

        ssl_certificate ...
        ssl_certificate_key ...
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        location / {
            # required for browsers to direct them into quic port

            add_header X-http3-status "http3 is $http3";
            add_header X-quic-status "quic is $quic";
            add_header Alt-Svc '$http3=":443"; ma=86400';
            # add_header Alt-Svc 'quic=":443"';
        }
    }
}


> On 10.10.2020 at 15:23, HARISH KUMAR Ivaturi wrote:
> 
> Hi Manuel 
> 
> I am not sure if you remember but with your help i have installed Nginx with 
> HTTP/3 by installing boringssl.
> After all the process done you have suggested me to do 
> sudo cp objs/nginx /usr/local/bin/
> 
> So now.
> 
> 
> $ nginx -V
> nginx version: nginx/1.19.1
> built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) 
> built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
> TLS SNI support enabled
> configure arguments: --with-debug --with-http_v3_module 
> --with-cc-opt=-I../boringssl/include --with-ld-opt='-L../boringssl/build/ssl 
> -L../boringssl/build/crypto'
> 
>> On Sat, Oct 10, 2020 at 5:18 PM Manuel  wrote:
>> Hi,
>> 
>> can you verify that the nginx binary that is using the http3 config is the 
>> nginx that can do http3?
>> For this you have to locate the systemd file that starts the nginx server 
>> and then look into the file to which path the executable point. Then run 
>> minus minus version on the binary.
>> 
>>> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi wrote:
>>> 
>>> Hi 
>>> 
>>> I have installed nginx with http/3 with mercurial. 
>>> I just need a proper default.conf which is located in /etc/nginx/conf.d and 
>>> in default.conf
>>> 
>>> BR
>>> Harish Kumar
>>> 
>>>> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov wrote:
>>>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>>>> > Hi
>>>> >
>>>> > Sorry, this is my final default.conf
>>>> >
>>>> > server {
>>>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>>>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>>>> > server_name  localhost;
>>>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>>>> > ssl_certificate cert.crt;
>>>> > ssl_certificate_key cert.key;
>>>> >
>>>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
>>>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>>>> > }
>>>> >
>>>> > after this i run
>>>> > curl -k --http3 -v "https://127.0.0.1:443"
>>>> >
>>>> > And in another terminal i have my
>>>> >  sudo tail -f /var/log/nginx/error.log
>>>> >
>>>> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
>>>> > /etc/nginx/conf.d/default.conf:3
>>>> >
>>>> > Help me with this issue.
>>>> >
>>>> You probably compiled nginx from the vanilla repo while you should take
>>>> it from this one:
>>>>
>>>> https://hg.nginx.org/nginx-quic/file/quic
>>>>
>>>> See https://quic.nginx.org/ for more information.
>>>>
>>>> --
>>>> Maxim Konovalov

Re: Nginx QUIC configuration file

2020-10-10 Thread HARISH KUMAR Ivaturi
Hi Manuel

I am not sure if you remember but with your help I have installed Nginx
with HTTP/3 by installing boringssl.
After all the process done you have suggested me to do
sudo cp objs/nginx /usr/local/bin/

So now.


$ nginx -V
nginx version: nginx/1.19.1
built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module
--with-cc-opt=-I../boringssl/include
--with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'

On Sat, Oct 10, 2020 at 5:18 PM Manuel  wrote:

> Hi,
>
> can you verify that the nginx binary that is using the http3 config is the
> nginx that can do http3?
> For this you have to locate the systemd file that starts the nginx server
> and then look into the file to which path the executable point. Then run
> minus minus version on the binary.
>
> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi <
> harishkumarivat...@gmail.com> wrote:
>
> Hi
>
> I have installed nginx with http/3 with mercurial.
> I just need a proper default.conf which is located in /etc/nginx/conf.d
> and in default.conf
>
> BR
> Harish Kumar
>
> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov  wrote:
>
>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>> > Hi
>> >
>> > Sorry, this is my final default.conf
>> >
>> > server {
>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>> > server_name  localhost;
>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>> > ssl_certificate cert.crt;
>> > ssl_certificate_key cert.key;
>> >
>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>> > }
>> >
>> > after this i run
>> > curl -k --http3 -v "https://127.0.0.1:443"
>> >
>> > And in another terminal i have my
>> >  sudo tail -f /var/log/nginx/error.log
>> >
>> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
>> > /etc/nginx/conf.d/default.conf:3
>> >
>> > Help me with this issue.
>> >
>> You probably compiled nginx from the vanilla repo while you should take
>> it from this one:
>>
>> https://hg.nginx.org/nginx-quic/file/quic
>>
>> See https://quic.nginx.org/ for more information.
>>
>> --
>> Maxim Konovalov
>>

Re: Nginx QUIC configuration file

2020-10-10 Thread Manuel
Sorry, it’s binary -V (uppercase v)

> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi wrote:
> 
> Hi 
> 
> I have installed nginx with http/3 with mercurial. 
> I just need a proper default.conf which is located in /etc/nginx/conf.d and 
> in default.conf
> 
> BR
> Harish Kumar
> 
>> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov  wrote:
>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>> > Hi
>> > 
>> > Sorry, this is my final default.conf
>> > 
>> > server {
>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>> > server_name  localhost;
>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>> > ssl_certificate cert.crt;
>> > ssl_certificate_key cert.key;
>> > 
>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>> > }
>> > 
>> > after this i run 
>> > curl -k --http3 -v "https://127.0.0.1:443"
>> > 
>> > And in another terminal i have my 
>> >  sudo tail -f /var/log/nginx/error.log
>> > 
>> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
>> > /etc/nginx/conf.d/default.conf:3
>> > 
>> > Help me with this issue.
>> > 
>> You probably compiled nginx from the vanilla repo while you should take
>> it from this one:
>> 
>> https://hg.nginx.org/nginx-quic/file/quic
>> 
>> See https://quic.nginx.org/ for more information.
>> 
>> -- 
>> Maxim Konovalov

Re: Nginx QUIC configuration file

2020-10-10 Thread Manuel
Hi,

can you verify that the nginx binary that is using the http3 config is the 
nginx that can do http3?
For this you have to locate the systemd file that starts the nginx server and 
then look into the file to which path the executable points. Then run minus 
minus version on the binary.

> On 10.10.2020 at 15:04, HARISH KUMAR Ivaturi wrote:
> 
> Hi 
> 
> I have installed nginx with http/3 with mercurial. 
> I just need a proper default.conf which is located in /etc/nginx/conf.d and 
> in default.conf
> 
> BR
> Harish Kumar
> 
>> On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov  wrote:
>> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
>> > Hi
>> > 
>> > Sorry, this is my final default.conf
>> > 
>> > server {
>> > listen 443 ssl;  # TCP listener for HTTP/1.1
>> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>> > server_name  localhost;
>> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
>> > ssl_certificate cert.crt;
>> > ssl_certificate_key cert.key;
>> > 
>> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
>> > add_header QUIC-Status $quic; # Sent when QUIC was used
>> > }
>> > 
>> > after this i run 
>> > curl -k --http3 -v "https://127.0.0.1:443"
>> > 
>> > And in another terminal i have my 
>> >  sudo tail -f /var/log/nginx/error.log
>> > 
>> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
>> > /etc/nginx/conf.d/default.conf:3
>> > 
>> > Help me with this issue.
>> > 
>> You probably compiled nginx from the vanilla repo while you should take
>> it from this one:
>> 
>> https://hg.nginx.org/nginx-quic/file/quic
>> 
>> See https://quic.nginx.org/ for more information.
>> 
>> -- 
>> Maxim Konovalov
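The check Manuel describes in this message and in his 2020-10-11 reply (find the binary the service starts, then read its `-V` output) can be scripted. This is an added example, not code from the thread or from nginx: the unit file and the `/usr/sbin/nginx` output are constructed samples, the `/usr/local/bin/nginx` output is the one quoted in the thread, and the function names are made up for the example.

```python
import shlex
import subprocess

# Constructed sample of a distro-style nginx.service (assumption, not from the thread).
SAMPLE_UNIT = """\
[Unit]
Description=nginx - high performance web server

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
"""

# `nginx -V` output per binary. The first entry is the output quoted in the
# thread; the second is constructed to stand in for a stock package build.
SAMPLE_V = {
    "/usr/local/bin/nginx": (
        "nginx version: nginx/1.19.1\n"
        "built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)\n"
        "built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)\n"
        "TLS SNI support enabled\n"
        "configure arguments: --with-debug --with-http_v3_module "
        "--with-cc-opt=-I../boringssl/include "
        "--with-ld-opt='-L../boringssl/build/ssl -L../boringssl/build/crypto'\n"
    ),
    "/usr/sbin/nginx": (
        "nginx version: nginx/1.14.0 (Ubuntu)\n"
        "configure arguments: --prefix=/usr/share/nginx "
        "--with-http_ssl_module --with-http_v2_module\n"
    ),
}


def exec_start_binary(unit_text):
    """Return the executable named by ExecStart= in the [Service] section."""
    in_service = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if in_service and line.startswith("ExecStart="):
            value = line[len("ExecStart="):].strip()
            if not value:  # an empty assignment only resets the list
                continue
            # systemd accepts prefixes such as '-', '@', '+', '!' before the path
            return shlex.split(value)[0].lstrip("-@+!:")
    return None


def configure_args(v_output):
    """Split the 'configure arguments:' line of `nginx -V` into arguments."""
    for line in v_output.splitlines():
        if line.startswith("configure arguments:"):
            return shlex.split(line.split(":", 1)[1])
    return []


def nginx_v(path):
    """Live use: run `<path> -V`. nginx writes this report to stderr."""
    return subprocess.run([path, "-V"], capture_output=True, text=True).stderr


def diagnose(unit_text, v_by_path):
    """Compare the binary the service starts with the HTTP/3-capable builds."""
    flag = "--with-http_v3_module"
    path = exec_start_binary(unit_text)
    service_ok = path is not None and flag in configure_args(v_by_path.get(path, ""))
    capable = sorted(p for p, out in v_by_path.items() if flag in configure_args(out))
    return {
        "service_binary": path,
        "service_has_http3": service_ok,
        "http3_capable": capable,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_UNIT, SAMPLE_V)
    print(report)
    if not report["service_has_http3"]:
        print("the service binary will reject 'listen ... http3'")
```

On a real host, feed `diagnose` the text of the unit file and `{path: nginx_v(path)}` for each nginx binary found on the system.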

Re: Nginx QUIC configuration file

2020-10-10 Thread HARISH KUMAR Ivaturi
Hi

I have installed nginx with http/3 with mercurial.
I just need a proper default.conf which is located in /etc/nginx/conf.d and
in default.conf

BR
Harish Kumar

On Sat, Oct 10, 2020 at 5:00 PM Maxim Konovalov  wrote:

> On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
> > Hi
> >
> > Sorry, this is my final default.conf
> >
> > server {
> > listen 443 ssl;  # TCP listener for HTTP/1.1
> > listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
> > server_name  localhost;
> > ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
> > ssl_certificate cert.crt;
> > ssl_certificate_key cert.key;
> >
> > add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
> > add_header QUIC-Status $quic; # Sent when QUIC was used
> > }
> >
> > after this i run
> > curl -k --http3 -v "https://127.0.0.1:443"
> >
> > And in another terminal i have my
> >  sudo tail -f /var/log/nginx/error.log
> >
> > 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
> > /etc/nginx/conf.d/default.conf:3
> >
> > Help me with this issue.
> >
> You probably compiled nginx from the vanilla repo while you should take
> it from this one:
>
> https://hg.nginx.org/nginx-quic/file/quic
>
> See https://quic.nginx.org/ for more information.
>
> --
> Maxim Konovalov
>

Re: Nginx QUIC configuration file

2020-10-10 Thread Maxim Konovalov
On 10.10.2020 17:56, HARISH KUMAR Ivaturi wrote:
> Hi
> 
> Sorry, this is my final default.conf
> 
> server {
>     listen 443 ssl;              # TCP listener for HTTP/1.1
>     listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>     server_name  localhost;
>     ssl_protocols       TLSv1.3; # QUIC requires TLS 1.3
>     ssl_certificate     cert.crt;
>     ssl_certificate_key cert.key;
> 
>     add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
>     add_header QUIC-Status $quic;     # Sent when QUIC was used
> }
> 
> after this i run 
> curl -k --http3 -v "https://127.0.0.1:443"
> 
> And in another terminal i have my 
>  sudo tail -f /var/log/nginx/error.log
> 
> 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
> /etc/nginx/conf.d/default.conf:3
> 
> Help me with this issue.
> 
You probably compiled nginx from the vanilla repo while you should take
it from this one:

https://hg.nginx.org/nginx-quic/file/quic

See https://quic.nginx.org/ for more information.

-- 
Maxim Konovalov

Re: Nginx QUIC configuration file

2020-10-10 Thread HARISH KUMAR Ivaturi
Hi

Sorry, this is my final default.conf

server {
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
    server_name  localhost;
    ssl_protocols       TLSv1.3; # QUIC requires TLS 1.3
    ssl_certificate     cert.crt;
    ssl_certificate_key cert.key;

    add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    add_header QUIC-Status $quic;     # Sent when QUIC was used
}

After this I run
curl -k --http3 -v "https://127.0.0.1:443"

And in another terminal I have my
 sudo tail -f /var/log/nginx/error.log

2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
/etc/nginx/conf.d/default.conf:3

Help me with this issue.

BR
Harish Kumar

On Sat, Oct 10, 2020 at 4:48 PM HARISH KUMAR Ivaturi <
harishkumarivat...@gmail.com> wrote:

> Hi
>
> I have placed http3 now.
>
> server {
> listen 443 ssl;  # TCP listener for HTTP/1.1
> listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>
> ssl_protocols   TLSv1.3; # QUIC requires TLS 1.3
> ssl_certificate ssl/www.example.com.crt;
> ssl_certificate_key ssl/www.example.com.key;
>
> add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
> add_header QUIC-Status $quic; # Sent when QUIC was used
>
> }
>
> And it has the same error.
> 2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
> /etc/nginx/conf.d/default.conf:3
>
>
> On Sat, Oct 10, 2020 at 3:27 PM Manuel  wrote:
>
>> Hi,
>>
>> the error message invalid parameter http3 doesn’t correspond with your
>> config "listen 443 http/3" so either nginx removes these / while printing
>> the error message or it’s really wrong. But the official documentation says
>>
>>
>> https://www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3/
>>
>> server {
>> listen 443 ssl;  # TCP listener for HTTP/1.1
>>
>> listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>>
>> Then your config is wrong.
>>
>> Where did you get the http/3 parameter?
>>
>> Best,
>>
>> Manuel
>>
>>
>>
>> On 10.10.2020 at 11:20, HARISH KUMAR Ivaturi <
>> harishkumarivat...@gmail.com> wrote:
>>
>> Hi
>> This is my nginx configuration file.
>> /etc/nginx/conf.d$ sudo nano default.conf
>> server {
>> listen   443 ssl;
>> listen   443 http/3 reuseport;
>> server_name  localhost;
>>
>> ssl_certificate cert.crt;
>> ssl_certificate_key cert.key;
>> # Enable all TLS versions (TLSv1.3 is required for QUIC).
>> ssl_protocols TLSv1.3;
>>
>> # Add Alt-Svc header to negotiate HTTP/3.
>> add_header Alt-Svc 'quic=":443"';
>> add_header QUIC-Status $quic;
>>
>>
>> #charset koi8-r;
>> #access_log  /var/log/nginx/host.access.log  main;
>>
>> location / {
>> root   /usr/share/nginx/html;
>> index  index.html index.htm;
>> }
>>
>> #error_page  404  /404.html;
>>
>> # redirect server error pages to the static page /50x.html
>> #
>> error_page   500 502 503 504  /50x.html;
>> location = /50x.html {
>> root   /usr/share/nginx/html;
>> }
>>
>>
>> After this i run
>> sudo service nginx restart
>> and it says Job for nginx.service failed because the control process
>> exited with error code.
>> See "systemctl status nginx.service" and "journalctl -xe" for details.
>> Okk then i check in systemctl status nginx.service and the error
>> displayed is
>>
>> 2020/10/10 11:18:01 [emerg] 17014#17014: invalid parameter "http3" in
>> /etc/nginx/conf.d/default.conf:3
>>
>> Later i have replaced with quic in default.conf and again the same error
>> 2020/10/10 11:15:47 [emerg] 16898#16898: invalid parameter "quic" in
>> /etc/nginx/conf.d/default.conf:3
>>
>> I request you to help me with the configuration file i.e. default.conf .
>> I need web response of http/3 request by running curl commands
>> curl -k --http3 -v "https://127.0.0.1:443"
>>
>> BR
>> Harish Kumar
>>

Re: Nginx QUIC configuration file

2020-10-10 Thread HARISH KUMAR Ivaturi
Hi

I have placed http3 now.

server {
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3

    ssl_protocols       TLSv1.3; # QUIC requires TLS 1.3
    ssl_certificate     ssl/www.example.com.crt;
    ssl_certificate_key ssl/www.example.com.key;

    add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    add_header QUIC-Status $quic;     # Sent when QUIC was used
}

And it has the same error.
2020/10/10 14:45:24 [emerg] 25485#25485: invalid parameter "http3" in
/etc/nginx/conf.d/default.conf:3


On Sat, Oct 10, 2020 at 3:27 PM Manuel  wrote:

> Hi,
>
> the error message invalid parameter http3 doesn’t correspond with your
> config "listen 443 http/3" so either nginx removes these / while printing
> the error message or it’s really wrong. But the official documentation says
>
>
> https://www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3/
>
> server {
> listen 443 ssl;  # TCP listener for HTTP/1.1
>
> listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
>
> Then your config is wrong.
>
> Where did you get the http/3 parameter?
>
> Best,
>
> Manuel
>
>
>
> On 10.10.2020 at 11:20, HARISH KUMAR Ivaturi <
> harishkumarivat...@gmail.com> wrote:
>
> Hi
> This is my nginx configuration file.
> /etc/nginx/conf.d$ sudo nano default.conf
> server {
> listen   443 ssl;
> listen   443 http/3 reuseport;
> server_name  localhost;
>
> ssl_certificate cert.crt;
> ssl_certificate_key cert.key;
> # Enable all TLS versions (TLSv1.3 is required for QUIC).
> ssl_protocols TLSv1.3;
>
> # Add Alt-Svc header to negotiate HTTP/3.
> add_header Alt-Svc 'quic=":443"';
> add_header QUIC-Status $quic;
>
>
> #charset koi8-r;
> #access_log  /var/log/nginx/host.access.log  main;
>
> location / {
> root   /usr/share/nginx/html;
> index  index.html index.htm;
> }
>
> #error_page  404  /404.html;
>
> # redirect server error pages to the static page /50x.html
> #
> error_page   500 502 503 504  /50x.html;
> location = /50x.html {
> root   /usr/share/nginx/html;
> }
>
>
> After this i run
> sudo service nginx restart
> and it says Job for nginx.service failed because the control process
> exited with error code.
> See "systemctl status nginx.service" and "journalctl -xe" for details.
> Okk then i check in systemctl status nginx.service and the error displayed
> is
>
> 2020/10/10 11:18:01 [emerg] 17014#17014: invalid parameter "http3" in
> /etc/nginx/conf.d/default.conf:3
>
> Later i have replaced with quic in default.conf and again the same error
> 2020/10/10 11:15:47 [emerg] 16898#16898: invalid parameter "quic" in
> /etc/nginx/conf.d/default.conf:3
>
> I request you to help me with the configuration file i.e. default.conf .
> I need web response of http/3 request by running curl commands
> curl -k --http3 -v "https://127.0.0.1:443"
>
> BR
> Harish Kumar
>

Re: Nginx QUIC configuration file

2020-10-10 Thread Manuel
Hi,

the error message invalid parameter http3 doesn’t correspond with your config 
"listen 443 http/3" so either nginx removes these / while printing the error 
message or it’s really wrong. But the official documentation says

https://www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3/

server {
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3

Then your config is wrong.

Where did you get the http/3 parameter?

Best,
Manuel


> On 10.10.2020 at 11:20, HARISH KUMAR Ivaturi wrote:
> 
> Hi
> This is my nginx configuration file. 
> /etc/nginx/conf.d$ sudo nano default.conf 
> server {
> listen   443 ssl;
> listen   443 http/3 reuseport;
> server_name  localhost;
> 
> ssl_certificate cert.crt;
> ssl_certificate_key cert.key;
> # Enable all TLS versions (TLSv1.3 is required for QUIC).
> ssl_protocols TLSv1.3;
> 
> # Add Alt-Svc header to negotiate HTTP/3.
> add_header Alt-Svc 'quic=":443"';
> add_header QUIC-Status $quic;
> 
> 
> #charset koi8-r;
> #access_log  /var/log/nginx/host.access.log  main;
> 
> location / {
> root   /usr/share/nginx/html;
> index  index.html index.htm;
> }
> 
> #error_page  404  /404.html;
> 
> # redirect server error pages to the static page /50x.html
> #
> error_page   500 502 503 504  /50x.html;
> location = /50x.html {
> root   /usr/share/nginx/html;
> }
> 
> 
> After this i run 
> sudo service nginx restart
> and it says Job for nginx.service failed because the control process exited 
> with error code.
> See "systemctl status nginx.service" and "journalctl -xe" for details.
> Okk then i check in systemctl status nginx.service and the error displayed is 
> 
> 2020/10/10 11:18:01 [emerg] 17014#17014: invalid parameter "http3" in 
> /etc/nginx/conf.d/default.conf:3
> 
> Later i have replaced with quic in default.conf and again the same error 
> 2020/10/10 11:15:47 [emerg] 16898#16898: invalid parameter "quic" in 
> /etc/nginx/conf.d/default.conf:3
> 
> I request you to help me with the configuration file i.e. default.conf .
> I need web response of http/3 request by running curl commands 
> curl -k --http3 -v "https://127.0.0.1:443"
> 
> BR
> Harish Kumar

Re: nginx-quic & reload

2020-06-15 Thread Sergey Kandaurov

> On 12 Jun 2020, at 12:41, Jan Prachař  wrote:
> 
> Hello, I checked code at the nginx-quic repo and I can't see how the
> following problem is addressed.
> 
> When nginx reloads config, new workers are created and they inherit
> receiving sockets from the old workers. That means that the new workers
> will start processing packets of the quic connections of the old
> workers. But the new workers lack context for them, so they will ignore
> the packets and quic connection will timeout, right?

Correct.

> A similar problem exists when a binary is changed.
> 
> Do I miss something or will it be solved in the future?

This could be handled by a combination of CONNECTION_CLOSE
in old workers and Stateless Reset in new workers.

-- 
Sergey Kandaurov

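The Stateless Reset half of Sergey's answer depends on a new worker being able to produce a valid reset for a connection it holds no state for. The following is an added example that follows RFC 9000 section 10.3; it is not nginx code, and the key, connection ID, packet bytes, `CID_LEN` and the 42-byte cap are constructed sample values.

```python
import hashlib
import hmac
import os

CID_LEN = 20        # sample value: length of the connection IDs this server issues
TOKEN_LEN = 16      # size of a stateless reset token
MIN_RESET_LEN = 21  # 5 bytes of header and unpredictable bits plus the token
MAX_RESET_LEN = 42  # sample cap so resets stay small


def reset_token(static_key, cid):
    """Derive the token from the connection ID alone, under a key that every
    worker (old and new) shares, so no per-connection state is needed."""
    return hmac.new(static_key, cid, hashlib.sha256).digest()[:TOKEN_LEN]


def build_stateless_reset(static_key, datagram, rand=os.urandom):
    """Return the reset a stateless worker may send for `datagram`, or None."""
    if len(datagram) < 1 + CID_LEN or datagram[0] & 0x80:
        return None  # long header, or too short to contain one of our CIDs
    # Always shorter than the trigger, so two stateless peers cannot loop.
    out_len = min(len(datagram) - 1, MAX_RESET_LEN)
    if out_len < MIN_RESET_LEN:
        return None
    cid = datagram[1:1 + CID_LEN]
    head = bytearray(rand(out_len - TOKEN_LEN))
    head[0] = (head[0] & 0x3F) | 0x40  # looks like a short-header packet
    return bytes(head) + reset_token(static_key, cid)


def is_stateless_reset(datagram, known_tokens):
    """Client side: does the datagram end in a token the server gave us?"""
    if len(datagram) < MIN_RESET_LEN:
        return False
    tail = datagram[-TOKEN_LEN:]
    hit = False
    for token in known_tokens:  # constant-time compare, no early exit
        hit |= hmac.compare_digest(tail, token)
    return hit


def reload_scenario():
    """Old worker issued the CID; after a reload a new worker sees its packets."""
    shared_key = bytes(range(32))        # constructed key that survives the reload
    cid = bytes.fromhex("a1" * CID_LEN)  # constructed server-issued connection ID
    # The old worker advertised this token to the client together with the CID.
    client_tokens = [reset_token(shared_key, cid)]
    # Constructed short-header packet from the client, landing on a new worker.
    packet = bytes([0x41]) + cid + bytes(30)
    same_key = build_stateless_reset(shared_key, packet)
    # If the key is regenerated at reload, the client cannot recognise the reset
    # and the connection still ends in an idle timeout.
    other_key = build_stateless_reset(b"\xff" * 32, packet)
    return (is_stateless_reset(same_key, client_tokens),
            is_stateless_reset(other_key, client_tokens),
            len(same_key), len(packet))


if __name__ == "__main__":
    print(reload_scenario())
```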