@mreinstein
Last active July 29, 2022 06:25
building on macos

Get all of the deps from brew:

```sh
brew update
brew upgrade
brew install hg git go cmake ninja
```

build boring ssl dependency

from https://boringssl.googlesource.com/boringssl/+/HEAD/BUILDING.md

```sh
git clone https://boringssl.googlesource.com/boringssl
cd boringssl
mkdir build
cd build
cmake -GNinja ..
ninja
cd ../..
```

build nginx-quic

from https://hg.nginx.org/nginx-quic/file/tip/README

```sh
hg clone -b quic https://hg.nginx.org/nginx-quic
cd nginx-quic
./auto/configure --with-debug --with-http_ssl_module --with-http_v3_module \
    --with-cc-opt="-I../boringssl/include" \
    --with-ld-opt="-L../boringssl/build/ssl \
                   -L../boringssl/build/crypto"

make
sudo make install
```

configure

see https://blog.cloudflare.com/experiment-with-http-3-using-nginx-and-quiche/#running

```sh
sudo mkdir /usr/local/nginx/conf/ssl
sudo cp ~/Sites/syndi/test/certs/* /usr/local/nginx/conf/ssl
```

Modify /usr/local/nginx/conf/nginx.conf by adding the server block from https://www.nginx.com/blog/introducing-technology-preview-nginx-support-for-quic-http-3/#NGINX-QUIC+HTTP/3-Preview (the resulting config is shown below).

Be sure to change the certificate and key names from example.com.crt / example.com.key to syndi.local.crt / syndi.local.key, matching the files copied into conf/ssl above.

reloading

```sh
sudo /usr/local/nginx/sbin/nginx -s reload
```

```nginx
http {
    #include mime.types;
    #default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http3"';
    access_log logs/access.log quic;
    #sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    #keepalive_timeout 65;

    server {
        server_name spworld.local;
        listen 8443 http3 reuseport; # UDP listener for QUIC+HTTP/3
        listen 8443 ssl;             # TCP listener for HTTP/1.1
        ssl_protocols TLSv1.3;       # QUIC requires TLS 1.3
        ssl_certificate ssl/syndi.local.crt;
        ssl_certificate_key ssl/syndi.local.key;

        location / {
            # required so browsers learn about the QUIC (UDP) port and switch to it
            add_header Alt-Svc 'h3=":8443"; ma=5';
            add_header x-quic $http3;
            add_header QUIC-Status $http3; # Sent when QUIC was used
        }
    }
}
```
@mreinstein (Author):
This worked for me on Firefox, but not in any other browser. I'm wondering if this has to do with self-signed certificate limitations that differ between browsers.

I'd like to set this up on a test machine complete with a legit certbot certificate to be sure.
