Implementing HTTP/3 with NGINX

As HTTP/3 gains traction, many system administrators are looking to implement this protocol to improve their web server performance. This guide will walk you through the process of setting up HTTP/3 with NGINX, focusing on a multi-domain setup using the sites-available configuration style.

What is HTTP/3?

HTTP/3 is the latest version of the Hypertext Transfer Protocol, built on top of QUIC (Quick UDP Internet Connections). Unlike its predecessors, which rely on TCP (Transmission Control Protocol), HTTP/3 uses UDP (User Datagram Protocol) to provide faster connection setups and improved handling of packet loss. Key benefits include:

Faster Connection Establishment: HTTP/3 reduces the number of round trips required to establish a secure connection.
Multiplexing: Multiple streams can be sent over a single connection without head-of-line blocking.
Enhanced Security: Built-in encryption ensures secure data transmission.

Prerequisites

NGINX version 1.26.0 or later (avoid 1.25.x due to known HTTP/3 issues)
OpenSSL 1.1.1 or later
Root access to your server
SSL certificates for your domains

Step 1: Update NGINX Configuration

Edit /etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Global HTTP/3 settings
    http3_stream_buffer_size 1m;
    quic_retry on;
    ssl_early_data on;
    quic_gso on;

    # Generate this key using: openssl rand -base64 32
    quic_host_key /etc/nginx/ssl/quic_host.key;

    ssl_protocols TLSv1.3;

    # Other standard settings...

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Step 2: Generate QUIC Host Key

openssl rand -base64 32 > /etc/nginx/ssl/quic_host.key
chmod 400 /etc/nginx/ssl/quic_host.key
chown www-data:www-data /etc/nginx/ssl/quic_host.key

Step 3: Configure Individual Domains

Create /etc/nginx/sites-available/domain1.conf:

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    server_name domain1.com;

    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;

    http2 on;
    http3 on;

    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    root /var/www/domain1.com;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
        add_header Alt-Svc 'h3=":443"; ma=86400' always;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        add_header Alt-Svc 'h3=":443"; ma=86400' always;
        add_header X-FastCGI-Cache $upstream_cache_status always;
    }
}

Repeat for other domains, removing reuseport from subsequent configurations.

Step 4: Firewall Configuration

When implementing HTTP/3, it’s crucial to ensure that your firewall allows traffic on UDP port 443, in addition to the standard TCP port 443. This is because HTTP/3 uses QUIC, which operates over UDP.

Step 5: Testing and Verification

Perform these tests from a remote server to ensure your configuration is working correctly:

Check UDP port accessibility: For IPv4:

   nc -vuzw 3 domain1.com 443

For IPv6:

   nc -6 -vuzw 3 domain1.com 443

You should see: “Connection to domain1.com (xxx.xxx.xxx.xxx) 443 port [udp/https] succeeded!”

Test HTTP/3 with curl (via Docker):

   docker run -it --rm ymuski/curl-http3 curl -ILv https://domain1.com/ --http3

Look for “Using HTTP/3” in the output.

Common Issues and Troubleshooting

Connection reverts to HTTP/2:

Ensure NGINX 1.26.0 or later is used.
Check that UDP port 443 is open and accessible.

Headers not being set:

Remember that add_header directives override inherited headers.
Include all necessary headers in each relevant location block.

IPv6 not working:

Verify IPv6 is enabled on your server and properly configured in NGINX.

UDP port not accessible:

Check firewall rules on both host and container (if applicable).
Verify NAT configuration for LXC setups.

Performance Monitoring

After implementation, monitor your site’s performance:

Use tools like WebPageTest or Chrome DevTools to compare HTTP/2 and HTTP/3 performance.
Monitor server resources, as HTTP/3 may increase CPU usage.
Keep an eye on error logs for any HTTP/3-related issues.

Conclusion

Implementing HTTP/3 with NGINX can significantly improve your website’s performance, especially for users on unreliable networks. However, it requires careful configuration and ongoing monitoring. Stay updated with the latest NGINX releases and HTTP/3 developments to ensure optimal performance and security.

Remember, HTTP/3 is still evolving, and implementations are being refined. Regular testing and staying informed about updates are key to a successful deployment.

Fix 504 Gateway Timeout error using Nginx as reverse Proxy.

ByPieter Bakker 17/02/202309/03/2023

When using Nginx as a reverse proxy for Apache, among others, you may get timeouts with error code 504 if an application takes longer to complete a request than the default Nginx request timeout which is 60 seconds. To increase the request timeout in Nginx to serve long-running requests, we need to change the default…

Generate SSL certificates with acme.sh on Nginx.

ByPieter Bakker 26/03/202327/04/2023

In this article, we will see how to install and configure “acme.sh” to generate SSL certificates for domains and how to implement it with Nginx to secure the connection to corresponding websites hosted on our web server via “HTTPS”. To optimize the security of connections to the web server and comply with all applicable guidelines,…

Nginx | LEMP | Ubuntu | Ubuntu 22.04

Host Multiple Domains with Nginx on Ubuntu 22.04.

ByPieter Bakker 24/03/202320/06/2023

In a previous article, we showed you how to set up a full LEMP stack on Ubuntu 22.04 with the latest stable version of Nginx, MariaDB and PHP, which will serve as the foundation for a reliable and performance-focused hosting platform. Nginx is a fast, lightweight and powerful web server that can also be used…

Nextcloud | Nginx

Error 413 on large file uploads with Nextcloud behind Nginx reverse proxy.

ByPieter Bakker 15/04/202103/11/2021

If you are running Nextcloud behind a Nginx proxy server, you will need to change the maximum file size for uploads which by default is only 1MB on Nginx. You can use the “client_max_body_size” directive to set the required file size for uploading. This directive can be set in the http, server or location context….

Nginx

Get the Latest Version of Nginx on Ubuntu 22.04.

ByPieter Bakker 23/02/202308/03/2023

Nginx is a high-performance web server, load balancer, and reverse proxy that powers some of the most visited websites in the world. If you’re looking to improve the performance and security of your web applications, you can’t go wrong with Nginx. In this guide, we’ll show you how to install the latest version of Nginx…

Nginx | PHP | Wordpress

WordPress Upload Guide: Nginx & PHP-FPM Optimization

ByPieter Bakker 14/10/202414/10/2024

If you’re a WordPress user hosting your site on an Nginx server with PHP-FPM, you may encounter issues when uploading large files or migrating your site using popular plugins like UpdraftPlus or WPvivid. This guide will help you configure your server to handle large file uploads smoothly, ensuring a hassle-free experience when managing your WordPress…

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.