From 19d2796c2e10f0f243f5f9bc3b0a7e59a47e9fbf Mon Sep 17 00:00:00 2001 From: macbre Date: Fri, 14 May 2021 17:20:00 +0200 Subject: [PATCH 01/24] Patch nginx with quiche See https://github.com/cloudflare/quiche/tree/master/extras/nginx#building --- Dockerfile | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 410e880..4307703 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,6 +47,9 @@ ARG CONFIG="\ --with-compat \ --with-file-aio \ --with-http_v2_module \ + --with-http_v3_module \ + --with-openssl=/usr/src/quiche/deps/boringssl \ + --with-quiche=/usr/src/quiche \ --add-module=/usr/src/ngx_brotli \ " @@ -62,6 +65,7 @@ RUN \ gcc \ libc-dev \ make \ + patch \ openssl-dev \ pcre-dev \ zlib-dev \ @@ -82,7 +86,7 @@ RUN \ COPY nginx.pub /tmp/nginx.pub RUN \ - echo "Compiling nginx $NGINX_VERSION with brotli $NGX_BROTLI_COMMIT" \ + echo "Compiling nginx $NGINX_VERSION with brotli $NGX_BROTLI_COMMIT ..." \ && mkdir -p /usr/src/ngx_brotli \ && cd /usr/src/ngx_brotli \ && git init \ @@ -98,11 +102,15 @@ RUN \ && gpg --import /tmp/nginx.pub \ && gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ && mkdir -p /usr/src \ - && tar -zxC /usr/src -f nginx.tar.gz + && tar -zxC /usr/src -f nginx.tar.gz \ + && echo "Fetching quiche ..." \ + && cd /usr/src \ + && git clone --recursive https://github.com/cloudflare/quiche RUN \ cd /usr/src/nginx-$NGINX_VERSION \ - && ./configure $CONFIG --with-debug \ + && patch -p01 < /usr/src/quiche/extras/nginx/nginx-1.16.patch \ + && ./configure $CONFIG --with-debug --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ && make -j$(getconf _NPROCESSORS_ONLN) \ && mv objs/nginx objs/nginx-debug \ && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ From e1c9fff308ae683468030ad59cbbf61a86f6130c Mon Sep 17 00:00:00 2001 
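Review bot: `--with-openssl=/usr/src/quiche/deps/boringssl` makes the vendored BoringSSL inside the quiche checkout the TLS library statically linked into `nginx`, so Alpine's `openssl-dev` (still listed in the build deps below) no longer provides the image's TLS code and `apk` security updates to OpenSSL no longer reach the shipped binary. That is inherent to the quiche build, but it changes the patching story for the image and should be recorded next to these lines, e.g. `# TLS is BoringSSL vendored by quiche, not Alpine openssl: bump the quiche pin and rebuild to pick up TLS fixes`. Whether anything else in the build still needs `openssl-dev` is not visible here; if nothing does, it can be dropped.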
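Review bot: `git clone --recursive https://github.com/cloudflare/quiche` fetches the tip of the default branch and every submodule, including the BoringSSL that becomes nginx's TLS library, with no pin and no integrity check, while the same Dockerfile pins `ngx_brotli` to `NGX_BROTLI_COMMIT` and GPG-verifies the nginx tarball. Whoever controls that repository or its submodule pointers at build time controls the TLS code in the image, and two builds on different days produce different binaries. Pin it the way brotli is pinned: add `ARG QUICHE_COMMIT=<sha>` and replace the clone with `git init && git remote add origin https://github.com/cloudflare/quiche.git && git fetch --depth 1 origin "$QUICHE_COMMIT" && git checkout FETCH_HEAD && git submodule update --init --recursive`, then bump the pin deliberately.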
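Review bot: The patch is `nginx-1.16.patch` but it is applied to `nginx-$NGINX_VERSION`, which is 1.19.10 at this point (the next commit's log shows `/usr/src/nginx-1.19.10`); GNU `patch` applies with fuzz by default, so an out-of-series patch can "succeed" with misplaced hunks, and the later commits in this series that move `NGINX_VERSION` down to 1.19.2 and then 1.19.6 suggest it did not in fact apply cleanly. Make mismatches fail loudly with `patch -p1 --forward --fuzz=0 < /usr/src/quiche/extras/nginx/nginx-1.16.patch`, and put a comment next to `ARG NGINX_VERSION` saying the version is constrained by the quiche patch so it is not bumped by habit and silently degraded. Recording `quiche-$(git rev-parse --short HEAD)` in `--build` is good provenance, but it only becomes a reproducibility aid once the quiche clone itself is pinned. The `RUN` this configure belongs to continues past the end of the hunk.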
From: macbre Date: Fri, 14 May 2021 17:25:47 +0200 Subject: [PATCH 02/24] Add a missing cargo dependency cd /usr/src/quiche && cargo build --verbose --no-default-features --features ffi /bin/sh: cargo: not found make[1]: *** [objs/Makefile:2243: /usr/src/quiche/target/debug/libquiche.a] Error 127 make[1]: Leaving directory '/usr/src/nginx-1.19.10' make: *** [Makefile:10: build] Error 2 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 4307703..5292c62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -75,6 +75,7 @@ RUN \ libxslt-dev \ gd-dev \ geoip-dev \ + cargo \ && apk add --no-cache --virtual .brotli-build-deps \ autoconf \ libtool \ From c589b93967a7fb5597672d7f691019a1e9eba0fd Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 17:23:40 +0200 Subject: [PATCH 03/24] Install rust via sh.rustup.rs --- Dockerfile | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5292c62..3267062 100644 --- a/Dockerfile +++ b/Dockerfile @@ -75,7 +75,6 @@ RUN \ libxslt-dev \ gd-dev \ geoip-dev \ - cargo \ && apk add --no-cache --virtual .brotli-build-deps \ autoconf \ libtool \ 
@@ -104,14 +103,21 @@ RUN \ && gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ && mkdir -p /usr/src \ && tar -zxC /usr/src -f nginx.tar.gz \ - && echo "Fetching quiche ..." \ + && echo "Fetching quiche and applying the patch..." \ && cd /usr/src \ - && git clone --recursive https://github.com/cloudflare/quiche + && git clone --recursive https://github.com/cloudflare/quiche \ + && cd /usr/src/nginx-$NGINX_VERSION \ + && patch -p01 < /usr/src/quiche/extras/nginx/nginx-1.16.patch RUN \ - cd /usr/src/nginx-$NGINX_VERSION \ - && patch -p01 < /usr/src/quiche/extras/nginx/nginx-1.16.patch \ - && ./configure $CONFIG --with-debug --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ + echo "Setting up rust ..." \ + && curl https://sh.rustup.rs -sSf | sh -s -- -y -q \ + && export PATH="$HOME/.cargo/bin:$PATH" + +RUN \ + echo "Building nginx ..." \ + && cd /usr/src/nginx-$NGINX_VERSION \ + && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ && make -j$(getconf _NPROCESSORS_ONLN) \ && mv objs/nginx objs/nginx-debug \ && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ From 7b56ef477e06d855e37898b7e7cf9e8187e5f79e Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 17:26:23 +0200 Subject: [PATCH 04/24] Define workdir --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3267062..74805bf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -84,10 +84,11 @@ RUN \ cmake COPY nginx.pub /tmp/nginx.pub +WORKDIR /usr/src/ RUN \ echo "Compiling nginx $NGINX_VERSION with brotli $NGX_BROTLI_COMMIT ..." \ - && mkdir -p /usr/src/ngx_brotli \ + && mkdir /usr/src/ngx_brotli \ && cd /usr/src/ngx_brotli \ && git init \ && git remote add origin https://github.com/google/ngx_brotli.git \ 
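Review bot: `curl https://sh.rustup.rs -sSf | sh -s -- -y -q` installs whatever toolchain is current, with no version pin and no checksum, into the stage that compiles the QUIC/TLS code shipped in the image; the same file GPG-verifies the nginx tarball, so this becomes the weakest link in the chain. Pin and minimise it, `sh -s -- -y -q --profile minimal --default-toolchain <version required by quiche>`, and consider downloading `rustup-init` to a file and checking a recorded sha256 before running it. Separately, `export PATH="$HOME/.cargo/bin:$PATH"` in its own `RUN` does not persist into the next `RUN`, so the following `./configure`/`make`, which shells out to `cargo` per the previous commit's error log, will not find it; use `ENV PATH="/root/.cargo/bin:${PATH}"` instead. The quiche clone moved into this hunk is still unpinned.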
@@ -101,7 +102,6 @@ RUN \ && export GNUPGHOME="$(mktemp -d)" \ && gpg --import /tmp/nginx.pub \ && gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ - && mkdir -p /usr/src \ && tar -zxC /usr/src -f nginx.tar.gz \ && echo "Fetching quiche and applying the patch..." \ && cd /usr/src \ @@ -112,7 +112,9 @@ RUN \ RUN \ echo "Setting up rust ..." \ && curl https://sh.rustup.rs -sSf | sh -s -- -y -q \ - && export PATH="$HOME/.cargo/bin:$PATH" + && export PATH="$HOME/.cargo/bin:$PATH" \ + && rustc --version \ + && cargo --version RUN \ echo "Building nginx ..." \ From 79660fc3a46e702d1bdda0b5678e06adee6734c2 Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 17:34:15 +0200 Subject: [PATCH 05/24] Make rust and nginx build a single step --- Dockerfile | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 74805bf..34d0f21 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -112,21 +112,19 @@ RUN \ RUN \ echo "Setting up rust ..." \ && curl https://sh.rustup.rs -sSf | sh -s -- -y -q \ - && export PATH="$HOME/.cargo/bin:$PATH" \ - && rustc --version \ - && cargo --version - -RUN \ - echo "Building nginx ..." \ + && export PATH="$HOME/.cargo/bin:$PATH" \ + && rustc --version \ + && cargo --version \ +\ + && echo "Building nginx ..." \ && cd /usr/src/nginx-$NGINX_VERSION \ && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ && make -j$(getconf _NPROCESSORS_ONLN) \ - && mv objs/nginx objs/nginx-debug \ && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \ && mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \ && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \ - && ./configure $CONFIG \ + && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ && make -j$(getconf _NPROCESSORS_ONLN) RUN \ From 9eecad313a8e025ad43426f0ef0e6e7afe7ee164 Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:12:50 +0200 Subject: [PATCH 06/24] Dropping debug modules --- Dockerfile | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 34d0f21..8bb1342 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG NGINX_VERSION=1.19.10 +ARG NGINX_VERSION=1.19.2 # https://github.com/google/ngx_brotli ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62 
@@ -119,13 +119,7 @@ RUN \ && echo "Building nginx ..." \ && cd /usr/src/nginx-$NGINX_VERSION \ && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ - && make -j$(getconf _NPROCESSORS_ONLN) \ - && mv objs/ngx_http_xslt_filter_module.so objs/ngx_http_xslt_filter_module-debug.so \ - && mv objs/ngx_http_image_filter_module.so objs/ngx_http_image_filter_module-debug.so \ - && mv objs/ngx_http_geoip_module.so objs/ngx_http_geoip_module-debug.so \ - && mv objs/ngx_stream_geoip_module.so objs/ngx_stream_geoip_module-debug.so \ - && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ - && make -j$(getconf _NPROCESSORS_ONLN) + && make RUN \ cd /usr/src/nginx-$NGINX_VERSION \ @@ -135,13 +129,6 @@ RUN \ && mkdir -p /usr/share/nginx/html/ \ && install -m644 html/index.html /usr/share/nginx/html/ \ && install -m644 html/50x.html /usr/share/nginx/html/ \ - && install -m755 objs/nginx-debug /usr/sbin/nginx-debug \ - && install -m755 objs/ngx_http_xslt_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_xslt_filter_module-debug.so \ - && install -m755 objs/ngx_http_image_filter_module-debug.so /usr/lib/nginx/modules/ngx_http_image_filter_module-debug.so \ - && install -m755 objs/ngx_http_geoip_module-debug.so /usr/lib/nginx/modules/ngx_http_geoip_module-debug.so \ - && install -m755 objs/ngx_stream_geoip_module-debug.so /usr/lib/nginx/modules/ngx_stream_geoip_module-debug.so \ - && strip /usr/sbin/nginx* \ - && strip /usr/lib/nginx/modules/*.so \ \ # https://tools.ietf.org/html/rfc7919 # https://github.com/mozilla/ssl-config-generator/blob/master/docs/ffdhe2048.txt From aa6439165af0e5cb32b636b1b81cb3cdc60a0c91 Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:13:32 +0200 Subject: [PATCH 07/24] Make with all CPUs --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8bb1342..95cbd66 100644 --- a/Dockerfile 
+++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG NGINX_VERSION=1.19.2 +ARG NGINX_VERSION=1.19.10 # https://github.com/google/ngx_brotli ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62 @@ -119,7 +119,7 @@ RUN \ && echo "Building nginx ..." \ && cd /usr/src/nginx-$NGINX_VERSION \ && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ - && make + && make -j$(getconf _NPROCESSORS_ONLN) RUN \ cd /usr/src/nginx-$NGINX_VERSION \ From b134928a5eac0b29afde3bdc10b6e265fb948b17 Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:18:48 +0200 Subject: [PATCH 08/24] /usr/sbin/nginx-debug is no longer there --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 95cbd66..a1dff85 100644 --- a/Dockerfile +++ b/Dockerfile @@ -152,7 +152,7 @@ ARG NGINX_VERSION COPY --from=base /tmp/runDeps.txt /tmp/runDeps.txt COPY --from=base /etc/nginx /etc/nginx COPY --from=base /usr/lib/nginx/modules/*.so /usr/lib/nginx/modules/ -COPY --from=base /usr/sbin/nginx /usr/sbin/nginx-debug /usr/sbin/ +COPY --from=base /usr/sbin/nginx /usr/sbin/ COPY --from=base /usr/share/nginx/html/* /usr/share/nginx/html/ COPY --from=base /usr/bin/envsubst /usr/local/bin/envsubst COPY --from=base /etc/ssl/dhparam.pem /etc/ssl/dhparam.pem From 3d0ff3484031782854332cf0e044a4dc3bdcc37b Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:21:17 +0200 Subject: [PATCH 09/24] Keep strip for smaller binaries --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index a1dff85..55470fd 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -129,6 +129,8 @@ RUN \ && mkdir -p /usr/share/nginx/html/ \ && install -m644 html/index.html /usr/share/nginx/html/ \ && install -m644 html/50x.html /usr/share/nginx/html/ \ + && strip /usr/sbin/nginx* \ + && strip /usr/lib/nginx/modules/*.so \ \ # https://tools.ietf.org/html/rfc7919 # https://github.com/mozilla/ssl-config-generator/blob/master/docs/ffdhe2048.txt From 340c4829c94c6599a3952150430e5dbd434cd0bf Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:25:25 +0200 Subject: [PATCH 10/24] Use make --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 55470fd..2199d73 100644 --- a/Dockerfile +++ b/Dockerfile @@ -119,7 +119,7 @@ RUN \ && echo "Building nginx ..." \ && cd /usr/src/nginx-$NGINX_VERSION \ && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ - && make -j$(getconf _NPROCESSORS_ONLN) + && make RUN \ cd /usr/src/nginx-$NGINX_VERSION \ From c91dce4a0f69381176b81fc8863c8507c0e50088 Mon Sep 17 00:00:00 2001 From: macbre Date: Mon, 17 May 2021 18:32:25 +0200 Subject: [PATCH 11/24] Downgrade to nginx 1.19.2 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2199d73..a455b15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG NGINX_VERSION=1.19.10 +ARG NGINX_VERSION=1.19.2 # https://github.com/google/ngx_brotli ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62 @@ -119,7 +119,7 @@ RUN \ && echo "Building nginx ..." \ && cd /usr/src/nginx-$NGINX_VERSION \ && ./configure $CONFIG --build="quiche-$(git --git-dir=/usr/src/quiche/.git rev-parse --short HEAD)" \ - && make + && make -j$(getconf _NPROCESSORS_ONLN) RUN \ cd /usr/src/nginx-$NGINX_VERSION \ From 4cbc722a106e8e5b8fca5489308c4bc0d3cc42d7 Mon Sep 17 00:00:00 2001 
From: macbre Date: Mon, 17 May 2021 18:54:59 +0200 Subject: [PATCH 12/24] Use nginx 1.19.6 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a455b15..efd7466 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG NGINX_VERSION=1.19.2 +ARG NGINX_VERSION=1.19.6 # https://github.com/google/ngx_brotli ARG NGX_BROTLI_COMMIT=9aec15e2aa6feea2113119ba06460af70ab3ea62 From 80b23ade0decd62dbd7bd3bb0e4526c31f06b464 Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Tue, 18 May 2021 09:05:33 +0100 Subject: [PATCH 13/24] Update readme.md --- readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/readme.md b/readme.md index 44e0ad5..2829273 100644 --- a/readme.md +++ b/readme.md 
@@ -14,11 +14,11 @@ docker pull macbre/nginx-brotli:1.19.10 ``` $ docker run -it macbre/nginx-brotli nginx -V -nginx version: nginx/1.19.10 +nginx version: nginx/1.19.6 (quiche-567cc5e) built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1) -built with OpenSSL 1.1.1k 25 Mar 2021 +built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL) TLS SNI support enabled -configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --add-module=/usr/src/ngx_brotli +configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock 
--http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module --with-http_v3_module --with-openssl=/usr/src/quiche/deps/boringssl --with-quiche=/usr/src/quiche --add-module=/usr/src/ngx_brotli --build=quiche-567cc5e ``` ## SSL Grade A+ handling From 9af9d6b1a19de778d80a3494fbcdc6b1792a1c67 Mon Sep 17 00:00:00 2001 From: macbre Date: Tue, 18 May 2021 16:32:34 +0100 Subject: [PATCH 14/24] Add quic/http3 config section --- tests/https.conf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/https.conf b/tests/https.conf index b6d0422..ff3cdec 100644 --- a/tests/https.conf +++ b/tests/https.conf @@ -1,5 +1,10 @@ server { + # quic and http/3 + listen 443 quic reuseport; + + # http/2 listen 443 ssl http2; + server_name localhost; # openssl-generated pair for local development 
@@ -7,6 +12,15 @@ server { ssl_certificate /etc/nginx/ssl/localhost.crt; ssl_certificate_key /etc/nginx/ssl/localhost.key; + # Enable all TLS versions (TLSv1.3 is required for QUIC). + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + # 0-RTT QUIC connection resumption + ssl_early_data on; + + # Add Alt-Svc header to negotiate HTTP/3. + add_header alt-svc 'h3=":443"; ma=86400'; + location / { root /static; From 96c52176a0fa9a1548a3254e2d61227e3774f71a Mon Sep 17 00:00:00 2001 From: macbre Date: Tue, 18 May 2021 16:57:08 +0100 Subject: [PATCH 15/24] Expose 443 as both TCP and UDP --- run-docker.sh | 3 ++- tests/https.conf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/run-docker.sh b/run-docker.sh index 271a35a..c2d08dc 100755 --- a/run-docker.sh +++ b/run-docker.sh @@ -1,7 +1,8 @@ #!/bin/sh docker run --rm \ -p 0.0.0.0:8888:80 \ - -p 0.0.0.0:8889:443 \ + -p 0.0.0.0:8889:443/tcp \ + -p 0.0.0.0:8889:443/udp \ -v "$PWD/tests":/static:ro \ -v "$PWD/tests/static.conf":/etc/nginx/conf.d/static.conf:ro \ -v "$PWD/tests/https.conf":/etc/nginx/conf.d/https.conf:ro \ diff --git a/tests/https.conf b/tests/https.conf index ff3cdec..a767da6 100644 --- a/tests/https.conf +++ b/tests/https.conf @@ -19,7 +19,7 @@ server { ssl_early_data on; # Add Alt-Svc header to negotiate HTTP/3. - add_header alt-svc 'h3=":443"; ma=86400'; + add_header alt-svc 'h3=":8889"; ma=86400'; location / { root /static; From 97d2a3cfb371e7e81282bc43d90793d37a0e8232 Mon Sep 17 00:00:00 2001 From: macbre Date: Tue, 18 May 2021 16:59:30 +0100 Subject: [PATCH 16/24] Test HTTP3 via ymuski/curl-http3 container --- .github/workflows/dockerimage.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index b3c4ebf..0d0c5d0 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -55,4 +55,12 @@ jobs: grep --fixed-strings '
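Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and contradict the "Grade A+" configuration this image advertises; QUIC only requires TLSv1.3, so the line should be `ssl_protocols TLSv1.2 TLSv1.3;` and the comment should say "TLSv1.3 is required for QUIC" rather than "Enable all TLS versions". `ssl_early_data on;` accepts 0-RTT data, which an on-path attacker can replay; that is acceptable for a static-file test config, but any server block proxying to a backend should add `proxy_set_header Early-Data $ssl_early_data;` so the application can refuse replayable non-idempotent requests with 425, and the comment here should carry that caveat. Note also that `add_header` directives are inherited into `location /` only while that block defines no `add_header` of its own, so the `alt-svc` advertisement silently disappears as soon as someone adds, say, a caching header there. The same snippet is copied into the readme later in this series, so both copies need the fix.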

It works!

' /tmp/h2 + docker run --rm --network host ymuski/curl-http3 \ + curl -v --insecure https://localhost:8889 --http3 2>&1 | tee /tmp/h3 + + grep --fixed-strings '< HTTP/3 200' /tmp/h3 + grep --fixed-strings '< server: nginx' /tmp/h3 + grep --fixed-strings '< alt-svc: h3=":8889"; ma=86400' /tmp/h3 + grep --fixed-strings '

It works!

' /tmp/h3 + docker logs test_nginx From a14941734b1271694f0be1cc9fabda89cf63c11b Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 15:01:37 +0100 Subject: [PATCH 17/24] Update readme.md --- readme.md | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/readme.md b/readme.md index 2829273..bf47950 100644 --- a/readme.md +++ b/readme.md @@ -1,15 +1,17 @@ ## What is this? -Stable and up-to-date [nginx](https://nginx.org/en/CHANGES) with [Google's `brotli` compression](https://github.com/google/ngx_brotli) and [Grade A+ SSL config](https://ssl-config.mozilla.org/) +Stable and up-to-date [nginx](https://nginx.org/en/CHANGES) with [QUIC + HTTP/3 support](https://developers.cloudflare.com/http3/), [Google's `brotli` compression](https://github.com/google/ngx_brotli) and [Grade A+ SSL config](https://ssl-config.mozilla.org/) ## How to use this image As this project is based on the official [nginx image](https://hub.docker.com/_/nginx/) look for instructions there. In addition to the standard configuration directives, you'll be able to use the brotli module specific ones, see [here for official documentation](https://github.com/google/ngx_brotli#configuration-directives) ``` -docker pull macbre/nginx-brotli:1.19.10 +docker pull macbre/nginx-brotli:1.19.6-http3 ``` +Please refer to [the list of image tags](https://hub.docker.com/_/nginx/) as there more recent nginx versions there (but without http3 support). + ## What's inside ``` 
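Review bot: `docker run --rm --network host ymuski/curl-http3` pulls an unpinned third-party image (no tag, no digest) and runs it with host networking on the CI runner, so the job's outcome, and what executes on the runner, depends on whatever that account publishes under `latest` at the time. Pin it by digest, `ymuski/curl-http3@sha256:<digest>`, or mirror it into a namespace you control, and review the digest when bumping. `--insecure` is appropriate only because the server uses the self-signed localhost pair from `tests/https.conf`; and since `2>&1 | tee /tmp/h3` discards curl's exit status, the `grep` assertions that follow are the only thing failing the step, so keep them exact.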
@@ -33,3 +35,36 @@ Please refer to [Mozilla's SSL Configuration Generator](https://ssl-config.mozil * `.conf` files mounted in `/etc/nginx/main.d` will be included in the `main` nginx context (e.g. you can call [`env` directive](http://nginx.org/en/docs/ngx_core_module.html#env) there) * `.conf` files mounted in `/etc/nginx/conf.d` will be included in the `http` nginx context + +## QUIC + HTTP/3 support + +Please refer to `tests/https.conf` config file for an example config used by the tests. + +``` +server { + # quic and http/3 + listen 443 quic reuseport; + + # http/2 + listen 443 ssl http2; + + server_name localhost; # customize to match your domain + + # you need to mount these files when running this container + ssl_certificate /etc/nginx/ssl/localhost.crt; + ssl_certificate_key /etc/nginx/ssl/localhost.key; + + # Enable all TLS versions (TLSv1.3 is required for QUIC). + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + + # 0-RTT QUIC connection resumption + ssl_early_data on; + + # Add Alt-Svc header to negotiate HTTP/3. + add_header alt-svc 'h3=":443"; ma=86400'; + + location / { + # your config + } +} +``` From 5b40a490b89b83a7bdec88117558a26b6917c0af Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 15:05:24 +0100 Subject: [PATCH 18/24] Update readme.md --- readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/readme.md b/readme.md index bf47950..96483ca 100644 --- a/readme.md +++ b/readme.md @@ -68,3 +68,5 @@ server { } } ``` + +Refer to `run-docker.sh` script on how to run this container and properly mount required config files and assets. From 100a0d6a393a09ceafa9d2821318bf118e1d16ab Mon Sep 17 00:00:00 2001 From: macbre Date: Wed, 19 May 2021 16:11:14 +0100 Subject: [PATCH 19/24] Add more h3 version in alt-svc header Tested with Firefox 88 (with network.http.http3.enabled flag enabled). --- tests/https.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/https.conf b/tests/https.conf index a767da6..e93f939 100644 --- a/tests/https.conf +++ b/tests/https.conf @@ -19,7 +19,7 @@ server { ssl_early_data on; # Add Alt-Svc header to negotiate HTTP/3. - add_header alt-svc 'h3=":8889"; ma=86400'; + add_header alt-svc 'h3-27=":8889"; ma=86400, h3-28=":8889"; ma=86400, h3-29=":8889"; ma=86400'; location / { root /static; From e3e84c8113affaec4c9e60e425cf7c43acfbb4e9 Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 16:14:36 +0100 Subject: [PATCH 20/24] Update readme.md --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 96483ca..8a50b2f 100644 --- a/readme.md +++ b/readme.md @@ -61,7 +61,7 @@ server { ssl_early_data on; # Add Alt-Svc header to negotiate HTTP/3. - add_header alt-svc 'h3=":443"; ma=86400'; + add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400'; location / { # your config From 2fc5e88dfd7c7cd0886d5e41becc28f4b0cae522 Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 16:17:16 +0100 Subject: [PATCH 21/24] Update dockerimage.yml --- .github/workflows/dockerimage.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 0d0c5d0..420fa89 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -4,7 +4,6 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] jobs: From 008f79854d65a555e15330b14dcbd43e385c4b62 Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 16:17:16 +0100 Subject: [PATCH 22/24] Update dockerimage.yml --- .github/workflows/dockerimage.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 0d0c5d0..420fa89 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml 
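Review bot: The new `alt-svc` value advertises `h3-27`, `h3-28` and `h3-29`, but which draft versions the quiche commit compiled into this image actually accepts is not visible here; advertising a version the server rejects makes clients attempt QUIC, fail, and fall back, so the list should be derived from the pinned quiche version rather than from what one Firefox build wanted. A comment above the line, `# draft tokens must match the QUIC versions supported by the quiche commit built into this image`, would keep the two in sync. For a test config that changes often, a shorter `ma=` than 86400 also avoids clients caching a stale Alt-Svc for a day.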
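Review bot: Removing `branches: [ master ]` under `pull_request:` makes the workflow run for pull requests against any branch, including ones opened from forks. Fork PRs get a read-only token and no repository secrets, so any `docker login`/`docker push` step elsewhere in this file (not visible in this hunk) would fail there, whereas same-repository PR branches would run those steps with full credentials and could publish an unreviewed image; gate publishing on `if: github.event_name == 'push'` if it is not already.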
@@ -4,7 +4,6 @@ on: push: branches: [ master ] pull_request: - branches: [ master ] jobs: From 24fc3b5c9f9cba927cfa10667634e9de61704459 Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 16:26:50 +0100 Subject: [PATCH 23/24] Assert on "alt-svc" header value updated --- .github/workflows/dockerimage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index 420fa89..be429a2 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -59,7 +59,7 @@ jobs: grep --fixed-strings '< HTTP/3 200' /tmp/h3 grep --fixed-strings '< server: nginx' /tmp/h3 - grep --fixed-strings '< alt-svc: h3=":8889"; ma=86400' /tmp/h3 + grep --fixed-strings '< alt-svc: h3-27=":8889"; ma=86400, h3-28=":8889"; ma=86400, h3-29=":8889"; ma=86400' /tmp/h3 grep --fixed-strings '

It works!

' /tmp/h3 docker logs test_nginx From 92a2188f8127f54f34818dc69e16c74b90dca5ab Mon Sep 17 00:00:00 2001 From: Maciej Brencz Date: Wed, 19 May 2021 16:33:45 +0100 Subject: [PATCH 24/24] Update readme.md --- readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 8a50b2f..fa83a7f 100644 --- a/readme.md +++ b/readme.md @@ -38,7 +38,9 @@ Please refer to [Mozilla's SSL Configuration Generator](https://ssl-config.mozil ## QUIC + HTTP/3 support -Please refer to `tests/https.conf` config file for an example config used by the tests. +Screenshot 2021-05-19 at 16 31 10 + +Please refer to `tests/https.conf` config file for an example config used by the tests. And to Cloudflare docs on [how to enable http/3 support in your browser](https://developers.cloudflare.com/http3/firefox). ``` server {