No response from QUIC

I am setting up HTTP/3 on my AWS instance. HTTP/2 seems to work fine, but HTTP/3 doesn't work at all, and when I run
RUST_LOG=trace cargo run --example http3-client
it gives an empty response. Any ideas about what I am doing wrong? Thanks.

nginx -V
nginx version: nginx/1.19.8
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --add-module=/home/ubuntu/nginx-1.19.8/debian/modules/ngx_pagespeed --add-module=/home/ubuntu/nginx-1.19.8/debian/modules/ngx_brotli --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v3_module --with-http_quic_module --with-stream_quic_module --with-cc-opt='-I/home/ubuntu/boringssl/include -g -O2 -fdebug-prefix-map=/home/ubuntu/nginx-1.19.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-L/home/ubuntu/boringssl/build/ssl -L/home/ubuntu/boringssl/build/crypto -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

— My config file

server {
    index index.html index.nginx-debian.html;
    server_name ;
    root /var/www/somedir;

    # UDP listener for QUIC/HTTP/3 and TCP listener for HTTP/1.1 and HTTP/2 on the same port.
    listen 443 quic reuseport;
    #listen 8443 ssl;
    listen 443 ssl http2;

    proxy_request_buffering off;

    http3_max_table_capacity 50;
    http3_max_blocked_streams 30;
    http3_max_concurrent_pushes 30;
    http3_push 10;
    http3_push_preload on;

    ssl_certificate /etc/letsencrypt/live/techtacion.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/techtacion.com/privkey.pem; # managed by Certbot

    # Only TLSv1.3 (required for QUIC).
    ssl_protocols TLSv1.3;

    # Add Alt-Svc header to negotiate HTTP/3.
    # Note: $http3 is expanded as an nginx variable here, even inside single quotes.
    add_header alt-svc '$http3=":443"; ma=86400';
}
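Before chasing individual directives, three things are worth verifying from outside the config, and the script below does that: whether anything is bound to UDP 443 (QUIC runs over UDP, so an AWS security group rule that only opens TCP 443 does not pass it), what Alt-Svc value the TCP side actually sends (browsers only switch to QUIC after seeing an h3 token on a TCP response), and whether a direct HTTP/3 request is answered. This is an added example written for this thread; it is not code from either post, from nginx or from quiche. It assumes curl (optionally built with HTTP/3 support) and ss are installed, and that the host name passed as the first argument is yours to probe. The Alt-Svc parser also flags an alternative whose protocol id is empty, which is what an nginx variable that expands to the empty string on TCP connections would yield inside add_header.

```shell
#!/bin/sh
# Added example for this thread (not code from either post, nginx or quiche):
# check from the outside what an HTTP/3-enabled nginx is actually offering.
# Assumptions: curl (optionally built with HTTP/3) and ss are installed, and
# the host name passed as $1 is ours to test.

# parse_alt_svc VALUE
# Print "<protocol-id> <port>" per alternative in an Alt-Svc header value,
# e.g. 'h3-29=":443"; ma=86400, h3=":8443"' gives two lines:
#   h3-29 443
#   h3 8443
# An alternative whose protocol id is empty (what an nginx variable that is
# empty on TCP connections would produce in add_header alt-svc '$var=":443"')
# is reported as "EMPTY <port>"; a bare token such as "clear" as "clear -".
parse_alt_svc() {
    printf '%s\n' "$1" | tr -d '\r' | tr ',' '\n' | while IFS= read -r alt; do
        entry=${alt%%;*}                                  # drop "; ma=..." parameters
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        case $entry in
            *=*) ;;
            *)   printf '%s -\n' "$entry"; continue ;;    # e.g. "clear"
        esac
        proto=${entry%%=*}
        authority=${entry#*=}
        authority=${authority#\"}; authority=${authority%\"}
        port=${authority##*:}
        [ -z "$proto" ] && proto=EMPTY
        printf '%s %s\n' "$proto" "$port"
    done
}

# alt_svc_advertises_h3 VALUE
# Succeed (exit 0) if any alternative uses "h3" or a draft id such as "h3-29".
alt_svc_advertises_h3() {
    parse_alt_svc "$1" | awk '$1 ~ /^h3(-[0-9]+)?$/ { found = 1 } END { exit !found }'
}

# check_host HOST
check_host() {
    host=$1

    echo "== UDP 443 listeners (meaningful when run on the nginx box) =="
    # QUIC is UDP: the 'listen 443 quic' (or 'http3' in older nginx-quic) socket
    # must show up here, and the firewall/security group must pass UDP 443 too.
    ss -ulnp 2>/dev/null | grep -E ':443[[:space:]]' || echo "nothing bound to UDP 443"

    echo "== Alt-Svc sent on the TCP side =="
    hdr=$(curl -sSI --http2 "https://$host/" | tr -d '\r' \
          | awk 'tolower($1) == "alt-svc:" { sub(/^[^:]*:[[:space:]]*/, ""); print }')
    if [ -z "$hdr" ]; then
        echo "no Alt-Svc header: browsers have no reason to try QUIC"
    elif alt_svc_advertises_h3 "$hdr"; then
        echo "advertises HTTP/3: $hdr"
    else
        echo "Alt-Svc present but no h3 token (check variable expansion): '$hdr'"
    fi

    echo "== direct HTTP/3 request =="
    if curl -V | grep -q HTTP3; then
        # The status line tells which protocol answered (HTTP/3 200 when QUIC worked).
        curl -sSI --http3 "https://$host/" | head -n 1
    else
        echo "local curl was built without HTTP/3; skipping"
    fi
}

if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Save it under any name (check_h3.sh is just a placeholder) and run it once on the server, for the listener check, and once from a client, for the rest. If ss shows the UDP socket and the TCP side advertises an h3 token, but the direct HTTP/3 request still fails while HTTP/2 works, the problem is on the network path (security group, host firewall) rather than in the nginx directives.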

Shouldn’t it be like this?

    # Enable QUIC and HTTP/3.
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3
    add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    add_header QUIC-Status $quic;     # Sent when QUIC was used

    # Ensure that HTTP/2 is enabled for the server
    listen 443 ssl http2;
    http2_push_preload on;

    # QUIC requires TLS 1.3
    ssl_protocols TLSv1.2 TLSv1.3; # good to have TLSv1.2 too, or use just 1.3

    # To enable 0-RTT
    # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
    ssl_early_data on;
    ssl_session_tickets on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Add Alt-Svc header to negotiate HTTP/3 - maybe this one rather than the upper one?
    add_header alt-svc 'h3-29=":443"; ma=86400';
    # Debug 0-RTT.
    add_header X-Early-Data $tls1_3_early_data;

As we go further, I am afraid (and I believe) this is out of the scope of the Cloudflare Community forums.
It would be more suitable for some Nginx forum.

Cloudflare has an option to enable HTTP/3 on a domain, and 0-RTT if wanted and needed, for a domain proxied via Cloudflare (the domain needs to be added to Cloudflare, with its A records proxied (orange cloud) and the above-mentioned options enabled).

Maybe it is due to a self-signed SSL certificate not being trusted by the client? How about the --no-verify flag?

  • or if using LE’s certificate, it should work …

Or, depending on which version of quiche you are using?
