
Enabling QUIC / http/3 on multiple domains with NGINX 1.25

Question


NGINX 1.25 introduced support for http/3 (over QUIC). To enable it, one can add

listen 443 quic reuseport;

to the server block, alongside the likely existing

listen 443 ssl http2;

However, if I add the quic listen for more than one server block (which all have a different server_name set), then NGINX rejects the config with the following error:

[emerg] 2611#2611: duplicate listen options for 0.0.0.0:443 in /etc/nginx/sites-enabled/site.conf

It is possible to listen on different ports for different domains, but that doesn’t seem to be user-friendly — Firefox will display the port number in the url, even if it loaded the page over http/2 first and then got the http/3 port from an Alt-Svc header. It’s also tedious to manually allocate ports and to configure the firewall for this.

All my server blocks are using the same certificate. All domains that I have a server block for are subject alternative names in the single certificate. RFC9114 says that http/3 clients must support Server Name Indication, but even without it, because all my domains use the same certificate, it should be possible in theory to establish a connection and then decide what content to serve based on the Host header. This is not what happens, though: when I send a request over QUIC, NGINX serves from the server block that the listen 443 quic is in; it seems to ignore the server name.

Is it possible with NGINX 1.25 to serve multiple domains over http/3 all on port 443?

Answer 1

Score: 1


Yes, nginx can serve http/3 on multiple virtual hosts, but the reuseport option is supported for only one virtual host per listen IP:PORT directive.

So, you should use different IPs for your virtual hosts or remove the reuseport option.

Answer 2

Score: 1


You should specify "reuseport" only once, and nginx will use it for all hosts with the same host-port pair.

No need for different IPs.
nginx docs

Answer 3

Score: 0


When you want to use SNI in Nginx with quic, you set up multiple listen directives, but only a single one with reuseport, such as:

# default server: the only listen on 443 that carries reuseport
server {
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    http3_hq on;
    quic_retry on;

    server_name _;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

# first named host: quic listen without reuseport
server {
    listen 443 ssl;
    listen 443 quic;
    server_name host1.domain.tld;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

# second named host: same pattern as the first
server {
    listen 443 ssl;
    listen 443 quic;
    server_name host2.domain.tld;
    location / {
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';
        add_header Alt-Svc 'h3-29=":$server_port"';
        ...
    }
}

Note that only a single entry (in this case the default one) says "reuseport". All other entries simply say quic.

This allows you to do both HTTP/3.0 (quic) and server name indication (SNI) across multiple hosts.
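A pre-flight check for the layout above, as an added example that is not part of any answer on this page: it scans nginx config files and fails when more than one quic listen on the same address:port carries reuseport, which is what produces the "duplicate listen options" error from the question. It assumes POSIX sh with awk; the two sample configs it writes are constructed.

```shell
#!/bin/sh
# Added pre-flight check (example code, not from the answers above): per
# address:port, at most one "listen ... quic" line may carry "reuseport",
# otherwise nginx fails with "duplicate listen options for 0.0.0.0:443".
# Assumes POSIX sh plus awk; the sample configs below are constructed.

# count_reuseport FILE...  -> one "ADDR:PORT N" line per quic listen address,
# where N is how many of its listen lines also say reuseport.
count_reuseport() {
    awk '
        { sub(/#.*/, "") }                        # drop trailing comments
        /^[ \t]*listen[ \t]/ && /quic/ {
            addr = $2; sub(/;$/, "", addr)        # "443;" -> "443"
            if (addr !~ /:/) addr = "0.0.0.0:" addr   # bare port = wildcard
            seen[addr] += 0
            if ($0 ~ /reuseport/) seen[addr]++
        }
        END { for (a in seen) print a, seen[a] }
    ' "$@"
}

# check_quic_reuseport FILE... -> 0 if no address has reuseport more than
# once (the layout from answer 3), 1 otherwise, naming the offenders.
check_quic_reuseport() {
    rc=0
    while read -r addr n; do
        if [ -n "$n" ] && [ "$n" -gt 1 ]; then
            echo "duplicate reuseport for $addr in $n listen lines" >&2
            rc=1
        fi
    done <<EOF
$(count_reuseport "$@")
EOF
    return $rc
}

# Constructed samples: the layout the question reports (reuseport in every
# vhost) and the one from answer 3 (reuseport once, plain quic elsewhere).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'server {' '    listen 443 ssl http2;' '    listen 443 quic reuseport;' \
    '    server_name host1.domain.tld;' '}' 'server {' '    listen 443 ssl http2;' \
    '    listen 443 quic reuseport;  # second reuseport on 0.0.0.0:443' \
    '    server_name host2.domain.tld;' '}' > "$SAMPLE_DIR/bad.conf"
printf '%s\n' 'server {' '    listen 443 quic reuseport;' '    server_name _;' '}' \
    'server {' '    listen 443 ssl;' '    listen 443 quic;' \
    '    server_name host1.domain.tld;' '}' 'server {' '    listen 443 ssl;' \
    '    listen 443 quic;' '    server_name host2.domain.tld;' '}' > "$SAMPLE_DIR/good.conf"

check_quic_reuseport "$SAMPLE_DIR/good.conf" && echo "good.conf: ok"
check_quic_reuseport "$SAMPLE_DIR/bad.conf" || echo "bad.conf: rejected"
```

Run it against /etc/nginx/sites-enabled/*.conf before nginx -t to catch the second reuseport early.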

huangapple
  • Posted on May 28, 2023 01:20:14
  • Please keep this link when reposting: https://go.coder-hub.com/76348128.html