Add HTTP/3 support #1531

4 changes: 3 additions & 1 deletion group_vars/all/helpers.yml
Expand Up @@ -18,7 +18,9 @@ multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(fa
ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}"
ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}"
cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}"
sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}"
sites_using_ssl: "{{ wordpress_sites | dict2items | selectattr('value.ssl.enabled', 'equalto', true) | items2dict }}"
first_site_using_ssl: "{{ (sites_using_ssl | dict2items | first | default(None, True)) }}"
sites_use_ssl: "{{ sites_using_ssl | length > 0 }}"

composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}"
# Default `type` is `http-basic`.
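Review bot: `sites_using_ssl` matches only sites whose `ssl.enabled` is the boolean `true` (`selectattr('value.ssl.enabled', 'equalto', true)`), whereas `ssl_enabled` three lines above accepts any truthy `ssl.enabled`; if a site were ever authored with a non-boolean value such as the string `"true"`, it would get an SSL listener but be missing from `sites_using_ssl`, and the derived `sites_use_ssl` could then remove the firewall accept for TCP/443 on a host that still serves it. Keeping the two in step is a one-line change: `sites_using_ssl: "{{ wordpress_sites | dict2items | selectattr('value.ssl.enabled', 'defined') | selectattr('value.ssl.enabled') | items2dict }}"`. `first_site_using_ssl` also deserves a comment, since it is `None` when no site uses SSL and the value chosen here decides which server block carries `reuseport` for QUIC, e.g. `# First SSL-enabled site in wordpress_sites order, or None; the nginx template attaches 'reuseport' to this site's quic listen.`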
5 changes: 5 additions & 0 deletions group_vars/all/security.yml
Expand Up @@ -8,6 +8,11 @@ ferm_input_list:
dport: [https]
filename: nginx_accept_https
delete: "{{ not (sites_use_ssl | bool) }}"
- type: dport_accept
dport: ['443']
protocol: udp
filename: nginx_accept_http3
delete: "{{ not (nginx_http3_enabled and (sites_use_ssl | bool)) }}"
- type: dport_accept
dport: [ssh]
saddr: "{{ ip_whitelist }}"
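Review bot: The new `delete:` expression coerces `sites_use_ssl` with `| bool` but uses `nginx_http3_enabled` bare, so a string value (for example one supplied as an extra var) is always truthy and the UDP/443 accept rule would be kept with HTTP/3 actually off, while an undefined variable fails the play unless a default for it is declared elsewhere in the PR (not visible here). Mirroring the treatment of the other operand avoids both: `delete: "{{ not ((nginx_http3_enabled | default(false) | bool) and (sites_use_ssl | bool)) }}"`. The same bare `nginx_http3_enabled` appears in every `{% if nginx_http3_enabled and ssl_enabled -%}` guard of the site template further down, where the neighbouring `http3` directive line does apply `| default(false)`. The port is also written differently from the rule above it (`['443']` versus `[https]`); either works for ferm, but one style per file reads better.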
9 changes: 9 additions & 0 deletions roles/wordpress-setup/tasks/nginx.yml
Expand Up @@ -23,6 +23,13 @@

- import_tasks: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml"

- name: Copy Nginx Wordpress site include folder
copy:
src: templates/includes
dest: "{{ nginx_path }}"
mode: '0755'
notify: reload nginx

- name: Create Nginx available sites
template:
src: "{{ item.src }}"
Expand Down Expand Up @@ -68,6 +75,8 @@
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
label: "{{ item.key }}"
vars:
is_first_site_use_ssl: "{{ first_site_using_ssl.key == item.key }}"
notify: reload nginx
tags: nginx-includes

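Review bot: The `Copy Nginx Wordpress site include folder` task sets `mode: '0755'` on a recursive copy of a directory, and Ansible's `copy` applies `mode` to every file it copies, so the `.conf` includes land on the server as executable files. Splitting the permissions, `mode: '0644'` for the files plus `directory_mode: '0755'` for the directories it creates, gives the traversal bit without marking configuration executable. In the second hunk, `is_first_site_use_ssl` dereferences `first_site_using_ssl.key` although that helper is `None` when no site uses SSL; the template only reads this var inside its `ssl_enabled` guard, so the case is not reached today, but an explicit guard such as `is_first_site_use_ssl: "{{ first_site_using_ssl is not none and first_site_using_ssl.key == item.key }}"` keeps the lazily evaluated var from raising an undefined error if that coupling ever changes. The task the second hunk modifies begins before the hunk.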
@@ -0,0 +1,2 @@
# Add Alt-Svc header to negotiate HTTP/3 (when redirecting from HTTP).
add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';
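Review bot: This include advertises the draft tokens `h3-27`, `h3-28` and `h3-29` alongside `h3`, while the other negotiate include right below advertises `h3` alone; the drafts predate the final HTTP/3 specification and, if the deployed nginx negotiates only the final `h3` as current releases do, the extra entries are stale, so the two includes should agree on `add_header alt-svc 'h3=":443"; ma=86400';`. Note also that nginx's `add_header` at `server` level is inherited into a `location` only when that location sets no `add_header` of its own, so a site template location that adds its own header silently drops this one; a comment in the include such as `# add_header is not inherited into locations that define their own add_header` saves the next reader a debugging session.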
@@ -0,0 +1,2 @@
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3=":443"; ma=86400';
@@ -0,0 +1,7 @@
http3_hq on;
quic_retry on;
quic_gso on;

# enable 0-RTT
#ssl_early_data on;
#proxy_set_header Early-Data $ssl_early_data;
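Review bot: `http3_hq on;` on the first line enables the HTTP/0.9-over-QUIC (`hq-interop`) protocol, which nginx documents as intended for QUIC interoperability testing, so a production tune file should leave it at its default `off` rather than expose an extra legacy protocol on UDP/443. `quic_retry on;` is a sensible default since it adds address validation before nginx allocates state for a new connection. The commented 0-RTT block gives no reason for being disabled; a comment such as `# 0-RTT left off: early data is replayable, so the application would have to reject non-idempotent requests when $ssl_early_data is 1` records the trade-off for whoever next considers enabling it.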
31 changes: 31 additions & 0 deletions roles/wordpress-setup/templates/wordpress-site.conf.j2
Expand Up @@ -6,6 +6,15 @@ server {
{% block server_id -%}
listen {{ ssl_enabled | ternary('[::]:443 ssl', '[::]:80') }};
listen {{ ssl_enabled | ternary('443 ssl', '80') }};

{% if nginx_http3_enabled and ssl_enabled -%}
# Listen on UDP for QUIC+HTTP/3
listen [::]:443 quic{% if is_first_site_use_ssl %} reuseport{% endif -%};
listen 443 quic{% if is_first_site_use_ssl %} reuseport{% endif -%};
{% if is_first_site_use_ssl -%}# there has to be one listen quic directive with reusport for working QUIC responses in current nginx version, using the first site.
{% endif %}
{% endif %}

http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};
Expand All @@ -32,6 +41,11 @@ server {
sendfile off;

{% endif -%}

{% if nginx_http3_enabled and ssl_enabled -%}
include includes/directive-only/http3-tune.conf;
include includes/directive-only/http3-negotiate.conf;
{% endif %}
{% endblock -%}

{% block cache_conditions -%}
Expand Down Expand Up @@ -277,6 +291,10 @@ server {

{{ self.includes_d() -}}

{% if nginx_http3_enabled and ssl_enabled -%}
include includes/directive-only/http3-negotiate-redirect.conf;
{% endif %}

location / {
return 301 https://$host$request_uri;
}
Expand All @@ -295,12 +313,25 @@ server {
listen [::]:443 ssl;
listen 443 ssl;
{% endif -%}

listen [::]:80;
listen 80;

{% if nginx_http3_enabled and ssl_enabled -%}
# Listen on UDP for QUIC+HTTP/3
listen [::]:443 quic;
listen 443 quic;
{% endif %}

http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
server_name {{ host.redirects | join(' ') }};

{% if nginx_http3_enabled and ssl_enabled -%}
include includes/directive-only/http3-tune.conf;
include includes/directive-only/http3-negotiate-redirect.conf;
{% endif %}

{{ self.https() -}}

{{ self.acme_challenge() -}}
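Review bot: `http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};` is emitted unconditionally in the first hunk and again in the redirect server of the last hunk, so an nginx built without `ngx_http_v3_module` fails config validation on an unknown directive even when HTTP/3 is disabled (assuming the role does not pin a v3-capable nginx elsewhere in the PR, which is not visible here). Guarding it, `{% if nginx_http3_enabled | default(false) %}http3 on;{% endif %}`, keeps the rendered config valid on both kinds of build. The surrounding `{% if nginx_http3_enabled and ssl_enabled -%}` guards use the variable bare while the `http3` line defaults it; one form throughout avoids an undefined-variable failure in one place and a silent default in the other. The rendered comment in the first hunk reads `reusport` for `reuseport`, and it would be clearer placed above the two `listen ... quic` lines it explains. Each hunk edits a `server` block whose opening and closing lie outside the hunk.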