Opened 8 months ago

Last modified 7 months ago

#2620 new defect

IPv6 with HTTP/3 / QUIC don't work

Reported by: DoM1niC@… Owned by:
Priority: minor Milestone: nginx-1.27
Component: http/3 Version: 1.25.x
Keywords: Cc:
uname -a: 6.7.9-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Fri, 08 Mar 2024 01:58:50 +0000 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.4

Description (last modified by DoM1niC@…)

Listener Config

# HTTP/3 / QUIC Listener
listen 443 quic;
# HTTP/2 Fallback
listen 443 ssl;

listen [::]:443 quic;
# HTTP/2 Fallback
listen [::]:443 ssl;

http2 on;
http3 on;
http3_hq on;

# SSL Settings
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
quic_retry on;
quic_gso on;

# enable 0-RTT
ssl_early_data on;
ssl_session_tickets off;

# Redirect HTTP/3
add_header alt-svc 'h3=":$server_port"; ma=86400, h3-29=":$server_port"; ma=86400, h3-28=":$server_port"; ma=86400, h3-27=":$server_port"; ma=86400';
add_header Strict-Transport-Security
"max-age=31536000; includeSubDomains"
always;
add_header quic-status $http3 always;
add_header x-quic 'h3' always;

Netstat

[root@router ~]# netstat -tulpen | grep nginx
tcp        0      0 0.0.0.0:853             0.0.0.0:*               LISTEN      0          22839291   148259/nginx: maste
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          22839295   148259/nginx: maste
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          22839293   148259/nginx: maste
tcp6       0      0 :::853                  :::*                    LISTEN      0          22839292   148259/nginx: maste
tcp6       0      0 :::443                  :::*                    LISTEN      0          22839296   148259/nginx: maste
tcp6       0      0 :::80                   :::*                    LISTEN      0          22839294   148259/nginx: maste
udp        0      0 0.0.0.0:443             0.0.0.0:*                           0          22839297   148259/nginx: maste
udp6       0      0 :::443                  :::*                                0          22839298   148259/nginx: maste

HTTP/3 works fine with a IPv4 resolve but not with IPv6, HTTP/2 will answer instead to the Client (Google Chrome).

What I do wrong ? I use the latest SourceCode based on last Release with

OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

Change History (5)

comment:1 by DoM1niC@…, 8 months ago

Description: modified (diff)

comment:2 by Roman Arutyunyan, 8 months ago

Is there any http/3-quic activity in debug log when you connect with ipv6?

You need to enable debug logging for this.
https://nginx.org/en/docs/debugging_log.html

comment:3 by DoM1niC@…, 8 months ago

./auto/configure \
--with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream --with-threads --with-mail --with-file-aio --with-stream_ssl_module --with-stream_ssl_preread_module $MODULE \
--with-threads --with-file-aio --with-debug \
--add-module=$COMPILE_DIR/ngx_brotli \
--add-module=$COMPILE_DIR/ngx_devel_kit-master \
--add-module=$COMPILE_DIR/nginx_upstream_check_module-master \
--add-module=$COMPILE_DIR/ngx_http_geoip2_module-master \
--add-module=$COMPILE_DIR/nginx-auth-ldap \
--add-module=$COMPILE_DIR/nginx-http-flv-module \
--add-module=$COMPILE_DIR/nginx-dav-ext-module-master/ --with-http_dav_module \
--with-http_xslt_module --with-http_realip_module --with-http_auth_request_module

This is my Compile Configuration

Debug is tested on a Internal Service with "C:\Program Files\Google\Chrome\Application\chrome.exe" --origin-to-force-quic-on=door.3dns.intern:443

H3 works fine in a local Network Domain

Log
https://pastebin.com/nU0EXR4g

comment:4 by Roman Arutyunyan, 7 months ago

I don't see any ipv6 activity in this log. I see ipv4 http/3 activity serving a request. Try searching the full log for ipv6-related lines.

comment:5 by m.herasimovich, 7 months ago

Milestone: nginx-1.25nginx-1.27

Ticket retargeted after milestone closed

Note: See TracTickets for help on using tickets.