Nginx with HTTP/3
by gusto1 from LinuxQuestions.org on (#6EHPH)
I use nginx as a reverse proxy server. Everything works very well, but I want to try HTTP/3. I installed nginx 1.25.2 and according to the blog I have to set at least 3 new directives
Code: listen 443 quic reuseport; # QUIC
listen 443 ssl; # TCP
ssl_protocols TLSv1.3;Code: add_header Alt-Svc 'h3=":$server_port"; ma=86400';My original config file looks like this
Code:server {
server_name example.dyndns.com;
return 301 http://www.example.dyndns.com$request_uri;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.dyndns.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.dyndns.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
server_name www.example.dyndns.com;
location / {
proxy_pass http://192.168.20.13;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.dyndns.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.dyndns.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
if ($host = example.dyndns.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.dyndns.com;
return 404; # managed by Certbot
}
server {
if ($host = www.example.dyndns.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.dyndns.com;
return 404; # managed by Certbot
}This is the main config file
Code:user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
client_max_body_size 128M;
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}How should I implement these directives in the config file? I tried everything, but the reload ended with an error, or it worked with http/2.
Code: listen 443 quic reuseport; # QUIC
listen 443 ssl; # TCP
ssl_protocols TLSv1.3;Code: add_header Alt-Svc 'h3=":$server_port"; ma=86400';My original config file looks like this
Code:server {
server_name example.dyndns.com;
return 301 http://www.example.dyndns.com$request_uri;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.dyndns.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.dyndns.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
server_name www.example.dyndns.com;
location / {
proxy_pass http://192.168.20.13;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.dyndns.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.dyndns.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
if ($host = example.dyndns.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.dyndns.com;
return 404; # managed by Certbot
}
server {
if ($host = www.example.dyndns.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.dyndns.com;
return 404; # managed by Certbot
}This is the main config file
Code:user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
client_max_body_size 128M;
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}How should I implement these directives in the config file? I tried everything, but the reload ended with an error, or it worked with http/2.