
Nginx Official Nginx HTTP/3 QUIC Tech Preview announced

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 11, 2020.

  1. eva2000

    Looks like Nginx folks have released a separate Nginx development branch for official Nginx HTTP/3 QUIC tech preview with Nginx 1.19+ mainline versions built against BoringSSL QUIC with current HTTP/3 h3-27 draft at Introducing a Technology Preview of NGINX Support for QUIC and HTTP/3 - NGINX. Official Nginx HTTP/3 QUIC isn't the same as Cloudflare's released Nginx HTTP/3 QUIC patch, which is built with Cloudflare Quiche/BoringSSL for current HTTP/3 h3-29 draft against Nginx 1.16.1 stable only. However, I will be setting up a separate Centmin Mod 123.09beta01 preview branch for adding official Nginx HTTP/3 QUIC support for testing alongside Cloudflare's Nginx HTTP/3 QUIC patch :D

    Actual nginx-quic preview branch readme notes at https://hg.nginx.org/nginx-quic/file/tip/README which highlights not all HTTP/3 QUIC features have been fully implemented yet.


    Code (Text):
    1. Introduction
    
        This is an experimental QUIC [1] / HTTP/3 [2] support for nginx.
    
        The code is developed in a separate "quic" branch available
        at https://hg.nginx.org/nginx-quic.  Currently it is based
        on nginx mainline 1.19.x. We are planning to merge new nginx
        releases into this branch regularly.
    
        The project code base is under the same BSD license as nginx.
    
        The code is at an early alpha level of quality and should not
        be used in production.
    
        We are working on improving HTTP/3 support with the goal of
        integrating it to the main NGINX codebase.  Expect frequent
        updates of this code and don't rely on it for whatever purpose.
    
        We'll be grateful for any feedback and code submissions however
        we don't bear any responsibilities for any issues with this code.
    
        You can always contact us via nginx-devel mailing list [3].
    
        What works now:
    
        Currently we support IETF-QUIC draft 27
        Earlier drafts are NOT supported as they have incompatible wire format;
    
        Newer drafts development (draft-28 at the time of writing) is in progress.
        You may look at src/event/ngx_event_quic.h for alternative values of the
        NGX_QUIC_DRAFT_VERSION macro used to select IETF draft version number.
    
        nginx should be able to respond to simple HTTP/3 requests over QUIC and
        it should be possible to upload and download big files without errors.
    
        + The handshake completes successfully
        + One endpoint can update keys and its peer responds correctly
        + 0-RTT data is being received and acted on
        + Connection is established using TLS Resume Ticket
        + A handshake that includes a Retry packet completes successfully
        + Stream data is being exchanged and ACK'ed
        + An H3 transaction succeeded
        + One or both endpoints insert entries into dynamic table and
          subsequently reference them from header blocks
    
         Not (yet) supported features:
    
        - Version negotiation
        - ECN, Congestion control and friends as specified in quic-recovery [5]
        - A connection with the spin bit succeeds and the bit is spinning
        - Structured Logging
        - QUIC recovery (proper congestion and flow control)
        - NAT Rebinding
        - Address Mobility
        - Server push
        - HTTP/3 trailers
    
        Since the code is experimental and still under development,
        a lot of things may not work as expected, for example:
    
        - ACK handling is basic: every received ack-eliciting packet
          is acknowledged, no ack ranges are used
    
        - Flow control mechanism is basic and intended to avoid CPU hog and make
          simple interactions possible
    
        - Not all draft requirements are strictly followed; some of checks are
          omitted for the sake of simplicity of initial implementation
     
  2. buik

    Nice!
    'The first blow is half the battle' :)
    Will see when it's ready to go!

    For now, more than half of the important functions have not been implemented.

    Most important is that HTTP/3 is by far not final yet.
    Given the bickering at HTTP/2 that will take some time. (Too many stakeholders and layers)
     
    Last edited: Jun 11, 2020
  3. rdan

    Can we test this on CMM? :)
     
  5. eva2000

    Yeah, what @buik said: Nginx HTTP/3 from Nginx or even Cloudflare is still a work in progress. I personally am now less motivated to want this on origin, given Cloudflare already supports HTTP/3 and only communicates to origin Nginx servers over HTTP/1.1 anyway.

    FYI, HTTP/3 via QUIC UDP will also use more CPU and memory resources than HTTP/2 for that performance benefit; depending on the HTTP/3 implementation, it can be quite high in resource usage.
     
  6. buik

    As written on August 23, 2022 by the general manager of NGINX.
    Looking at the roadmap, this means that Nginx will officially support HTTP/3 and QUIC within a few months.
     
  7. eva2000

    Indeed, though my previous sentiments still hold :) But we will see, as Cloudflare also has plans to support HTTP proxying of UDP connections as well - which in theory would allow Cloudflare edge servers to communicate with HTTP/3 QUIC over UDP origin-based servers instead of just HTTP/1.1 and HTTP/2 at the origin side :)
     
  8. rdan

    A library that provides QUIC support is required to build nginx; there are several of those available on the market:
    • BoringSSL
    • LibreSSL
    • QuicTLS
     
  9. eva2000

    Centmin Mod already optionally supports BoringSSL and LibreSSL (no active development for support as it's slower than BoringSSL and OpenSSL), and QuicTLS should be easy to add as it's a fork of OpenSSL 1.1.1/3.0 with QUIC support added. There's also BoringSSL + Cloudflare Quiche for HTTP/3 QUIC support for Nginx. Looking at Centmin Mod's code commit history, BoringSSL support started taking shape back in June 2016. Though it's been ages since I tested Centmin Mod's BoringSSL and LibreSSL support, the limitations of BoringSSL aren't ideal, so OpenSSL is preferred, i.e. BoringSSL does not support dual RSA + ECDSA SSL certificates and doesn't support OCSP stapling.

    I developed Centmin Mod's Nginx routines to be flexible in supporting various TLS libraries, which makes eventual Centmin Mod Nginx HTTP/3 QUIC support one step easier :)
     
  10. eva2000

    Just checked, looks like BoringSSL needed some bug fixes which I'll add for 130.00beta01 soon. Otherwise LibreSSL 3.5.3 and OpenSSL 1.1.1/3.0 are working, it seems.

    Centmin Mod 130.00beta01's Nginx default OpenSSL 1.1.1
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-065714-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 1.1.1q  5 Jul 2022
    TLS SNI support enabled
    

    With OpenSSL 3.0.5
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-055900-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 3.0.5 5 Jul 2022
    TLS SNI support enabled
    

    and BoringSSL with bug fixes
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-065301-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
    TLS SNI support enabled
    

    LibreSSL 3.5.3
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-061258-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
    built with LibreSSL 3.5.3
    TLS SNI support enabled
    


    edit: Seems for LibreSSL only 3.6.0 and higher have experimental BoringSSL QUIC API support added
    Code (Text):
    nginx -V
    nginx version: nginx/1.23.2 (301022-081947-centos7-ed582fb-br-6e975bc)
    built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC) 
    built with LibreSSL 3.6.0
    TLS SNI support enabled
     
  11. eva2000

    Still buggy for me, but did a quick test of Centmin Mod Nginx with Nginx QUIC HTTP/3 support via the QuicTLS OpenSSL 1.1.1q fork TLS library and using my custom-built curl with QUIC HTTP/3 support.

    Custom curl version with QUIC/HTTP3 support
    Code (Text):
    /opt/el-compat-quic/bin/curl -V
    curl 7.85.0 (x86_64-unknown-linux-gnu) libcurl/7.85.0 OpenSSL/1.1.1q zlib/1.2.7 brotli/1.0.9 zstd/1.5.2 libpsl/0.21.1 (+libicu/71.1) libssh2/1.10.0 nghttp2/1.33.0 ngtcp2/0.8.1 nghttp3/0.8.0-DEV
    Release-Date: 2022-08-31
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
    

    Test of Centmin Mod Nginx vhost domain1.com with HTTP/3 QUIC enabled, which shows
    • Connect socket 5 over QUIC
    • Using HTTP/3 Stream ID
    • HTTP/3 200
    Code (Text):
    /opt/el-compat-quic/bin/curl -Ikv --http3 https://domain1.com/
    *   Trying 111.222.333.444:443...
    * Connect socket 5 over QUIC to 111.222.333.444:443
    * Skipped certificate verification
    * Connected to domain1.com (111.222.333.444) port 443 (#0)
    * h2h3 [:method: HEAD]
    * h2h3 [:path: /]
    * h2h3 [:scheme: https]
    * h2h3 [:authority: domain1.com]
    * h2h3 [user-agent: curl/7.85.0]
    * h2h3 [accept: */*]
    * Using HTTP/3 Stream ID: 0 (easy handle 0xa80c30)
    > HEAD / HTTP/3
    > Host: domain1.com
    > user-agent: curl/7.85.0
    > accept: */*
    >
    * ngh3_stream_recv returns 0 bytes and EAGAIN
    < HTTP/3 200
    HTTP/3 200
    < date: Tue, 01 Nov 2022 11:27:01 GMT
    date: Tue, 01 Nov 2022 11:27:01 GMT
    < content-type: text/html; charset=utf-8
    content-type: text/html; charset=utf-8
    < content-length: 2
    content-length: 2
    < last-modified: Sun, 16 Oct 2022 02:09:43 GMT
    last-modified: Sun, 16 Oct 2022 02:09:43 GMT
    < vary: Accept-Encoding
    vary: Accept-Encoding
    < etag: "634b67e7-2"
    etag: "634b67e7-2"
    < server: nginx centminmod
    server: nginx centminmod
    < x-powered-by: centminmod
    x-powered-by: centminmod
    < x-cache-status: MISS
    x-cache-status: MISS
    < accept-ranges: bytes
    accept-ranges: bytes
    
    <
    * Connection #0 to host domain1.com left intact
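Added example, not code from Centmin Mod, Nginx or curl, that scripts the two checks the posts above do by eye: reading the TLS library out of `nginx -V` output to tell whether the build can do QUIC at all (BoringSSL, QuicTLS, or LibreSSL 3.6.0 and higher, per the findings in this thread), confirming the HTTP/3 module is compiled in, and reading `curl -v --http3` output for the QUIC socket and `HTTP/3 200` markers pointed out above. Assumptions: QuicTLS reports a `+quic` suffix in its version string, the HTTP/3 module shows up in `configure arguments:` as `--with-http_v3_module`, and all sample outputs are constructed, cut down from the snippets quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from Centmin Mod or Nginx. Checks a build and a
# client session for HTTP/3 readiness, following the thread above.
#
# Assumptions: QuicTLS reports a "+quic" version suffix; the HTTP/3 module
# appears in "configure arguments:" as --with-http_v3_module; the LibreSSL
# threshold (3.6.0) and the BoringSSL/QuicTLS picks come from this thread.

# version_ge A B: exit 0 when dotted version A >= B (no GNU sort -V needed)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# tls_quic_status NGINX_V_TEXT: prints "<library> quic|noquic" from the
# "built with ..." line; BoringSSL is matched first because its line also
# contains the word OpenSSL
tls_quic_status() {
    line=$(printf '%s\n' "$1" | grep -i '^built with' | head -n 1)
    case "$line" in
        *BoringSSL*) echo "boringssl quic" ;;
        *+quic*)     echo "quictls quic" ;;
        *LibreSSL*)
            ver=$(printf '%s\n' "$line" | sed -n 's/.*LibreSSL \([0-9][0-9.]*\).*/\1/p')
            if version_ge "$ver" 3.6.0; then
                echo "libressl quic"
            else
                echo "libressl noquic"
            fi ;;
        *OpenSSL*)   echo "openssl noquic" ;;
        *)           echo "unknown noquic" ;;
    esac
}

# http3_module_built NGINX_V_TEXT: exit 0 when nginx was configured with
# the HTTP/3 module (a QUIC-capable TLS library alone is not enough)
http3_module_built() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# http3_negotiated CURL_V_TEXT: exit 0 when curl -v shows both a QUIC
# socket and an HTTP/3 status line, the markers pointed out above
http3_negotiated() {
    printf '%s\n' "$1" | grep -q 'over QUIC to' &&
        printf '%s\n' "$1" | grep -q '^< HTTP/3 '
}

# Constructed samples, cut down from the outputs quoted in this thread
NGINX_V_OPENSSL='nginx version: nginx/1.23.2
built with OpenSSL 1.1.1q  5 Jul 2022
TLS SNI support enabled
configure arguments: --with-http_v2_module'
NGINX_V_LIBRESSL_OLD='nginx version: nginx/1.23.2
built with LibreSSL 3.5.3
TLS SNI support enabled
configure arguments: --with-http_v2_module'
NGINX_V_LIBRESSL_NEW='nginx version: nginx/1.23.2
built with LibreSSL 3.6.0
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_v3_module'
NGINX_V_BORINGSSL='nginx version: nginx/1.23.2
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_v3_module'
NGINX_V_QUICTLS='nginx version: nginx/1.23.2
built with OpenSSL 1.1.1q+quic  5 Jul 2022
TLS SNI support enabled
configure arguments: --with-http_v2_module --with-http_v3_module'
CURL_V_H3='* Connect socket 5 over QUIC to 111.222.333.444:443
* Using HTTP/3 Stream ID: 0 (easy handle 0xa80c30)
< HTTP/3 200
< server: nginx centminmod'
CURL_V_H2='* Connected to domain1.com (111.222.333.444) port 443 (#0)
< HTTP/2 200
< server: nginx centminmod'

# Report: a build is only usable for HTTP/3 when both checks pass
for v in "$NGINX_V_OPENSSL" "$NGINX_V_LIBRESSL_OLD" "$NGINX_V_LIBRESSL_NEW" \
         "$NGINX_V_BORINGSSL" "$NGINX_V_QUICTLS"; do
    if http3_module_built "$v"; then mod=yes; else mod=no; fi
    printf 'tls: %-16s http_v3_module: %s\n' "$(tls_quic_status "$v")" "$mod"
done
if http3_negotiated "$CURL_V_H3"; then echo "curl sample: HTTP/3 negotiated"; fi
```

On a real box, feed the functions live output instead of the samples, e.g. `tls_quic_status "$(nginx -V 2>&1)"` (nginx prints `-V` to stderr) and `http3_negotiated "$(curl -Ikv --http3 https://example.invalid/ 2>&1)"`. The split between `tls_quic_status` and `http3_module_built` is deliberate: a QuicTLS or BoringSSL build whose `configure arguments:` lacks the HTTP/3 module is exactly the case reported later in this thread, where `NGINX_HTTP3='y'` rebuilt Nginx but `-V` showed no HTTP/3.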
    
     
  12. konkhra

    Does Nginx QUIC HTTP/3 via QuicTLS support HTTP/2 HPACK encoding and Dynamic TLS Records?
     
  13. eva2000

    That is for HTTP/2 only. Not sure about Dynamic TLS, but Centmin Mod Nginx will disable both with HTTP/3.
     
  14. buik

    Since Nginx is on the F5 tour, the main focus is on their paid platform.
    HTTP/3 hardly gets any attention. Only a few lines of code per week.

    And then you also have the whole thing about OpenSSL, which, despite criticism from many outside specialists, is just stoically going about making their own QUIC implementation. Result expected to be years of delay and a lot of compatibility bla bla because they want to invent their own wheel.
     
  15. rampage

    How to test this? Using NGINX_HTTP3='y' and rebuilding Nginx doesn't seem to have http3/quic enabled in the -V output.
     
  16. eva2000

    Not publicly available for testing as Nginx HTTP/3 is still pretty much experimental. If you use Cloudflare in front of your sites, it will have HTTP/3 already and you don't require HTTP/3 on origin Nginx servers.
     
  18. eva2000

    Yeah, Cloudflare's Nginx quiche/HTTP/3 implementation I don't think is getting many updates now with Nginx 1.16, seeing as Cloudflare is moving away from Nginx as a proxy to their own in-house Pingora: How we built Pingora, the proxy that connects Cloudflare to the Internet

    So the only implementation will be the official Nginx QUIC version using the QuicTLS OpenSSL fork with QUIC port.
     
  19. buik

    I can't recommend running HTTP/3 on your own web stack.
    Only enable it when a service provider offers it, like Cloudflare et al. That is my recommendation.
    Running Nginx software with HTTP/3 is buggy.

    Nginx upstream HTTP/3 with QuicTLS OpenSSL is buggy.

    Nginx 1.16 HTTP/3 with Cloudflare's HTTP/3 and Quiche/BoringSSL is old and buggy without the extra code that Cloudflare has locked to Nginx even more, which you don't get, including Cloudflare's BoringSSL fork, which is not publicly available. OK, there are third-party patches to use the latest Nginx with HTTP/3 and quiche/BoringSSL, but not tested on the latest Nginx by Cloudflare.

    As written before by @eva2000, Nginx is on its way out at Cloudflare. They now use their own web software. You will see in the short term that Cloudflare's investment in Nginx will start to stagnate. Treat Nginx 1.16 HTTP/3 with Cloudflare's HTTP/3 and Quiche as the end of the line.

    So what are the noteworthy options now?

    In my experience, atm, none.
    Nginx upstream HTTP/3 with QuicTLS OpenSSL is buggy. And the official OpenSSL software and its organization has chosen to start writing its own HTTP/3 implementation. They are going to reinvent the wheel, with the result a long time of patience and no official HTTP/3 support in the very near future. Until then, I am sure Nginx will not be in a hurry to improve their HTTP/3 code. After all, there is absolutely no priority behind it.
     