Opened 9 months ago
#2624 new defect
Challenges Configuring HTTP/3 for Multiple Domains with Distinct SSL Certificates in Nginx 1.25.4
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | http/3 | Version: | 1.25.x |
| Keywords: | | Cc: | |
| uname -a: | `Linux automore 6.5.0-1016-gcp #16~22.04.1-Ubuntu SMP Sat Mar 9 00:58:37 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux` | | |

nginx -V:

```text
nginx version: nginx/1.25.4
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.4/debian/debuild-base/nginx-1.25.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
```
Description
Environment:
Nginx Version: 1.25.4
Operating System: Ubuntu 22.04.4 LTS
OpenSSL Version: OpenSSL 3.0.2
Description:
Encountering configuration challenges when attempting to set up HTTP/3 for two separate domains (myapp.app and myapptwo.app), each with its own SSL certificate. Issues arise with the `listen 443 quic reuseport;` directive, leading to misrouting or incorrect content delivery when accessed via HTTP/3.
Steps to Reproduce:
- Set up multiple server blocks to serve different domains with the configurations mentioned.
- Include `listen 443 quic reuseport;` for the primary domain and `listen 443 quic;` for additional domains.
- Access the domains using a client that supports HTTP/3.
```nginx
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name myapp.app www.myapp.app app.myapp.app;
    http3 on;
    http2 on;
    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;
    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;
    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443 quic;
    server_name *.myapp.app;
    http3 on;
    http2 on;
    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;
    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;
    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443 quic;
    server_name myapptwo.app www.myapptwo.app app.myapptwo.app;
    http3 on;
    http2 on;
    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;
    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;
    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
server {
    listen 443 quic;
    server_name *.myapptwo.app;
    http3 on;
    http2 on;
    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;
    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;
    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
```
Expected Behavior:
Each domain should serve its corresponding content correctly over HTTP/3, utilizing its designated SSL certificate.
Actual Behavior:
Configuration limitations or misinterpretations cause only one domain to properly support HTTP/3 or result in incorrect domain content delivery.
Additional Information:
Illustrate the importance of enabling HTTP/3 across multiple server blocks, each with unique SSL certificates, for improved security and performance on Nginx.
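The ticket shows one concrete layout; as an added example (not the reporter's configuration and not nginx code), the Python script below audits an arbitrary nginx configuration for the two listener properties that decide how names are routed once HTTP/3 is enabled: `reuseport` belongs on exactly one `listen ... quic` per address:port (nginx rejects duplicate listen options for the same socket), and a server block that listens with `quic` but has no TCP `listen ... ssl` for the same port is never a candidate for TCP/HTTP/2 requests, because nginx selects the server block by the listening socket first and by `server_name` only among the blocks that own that socket. The embedded configuration is a constructed, abridged copy of the four server blocks above; the parser, rule names and finding texts are this example's own, not nginx diagnostics.

```python
import re
from collections import defaultdict

# Constructed sample (not the reporter's full config): the ticket's four-server
# layout reduced to the directives that matter for listener routing.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name myapp.app www.myapp.app app.myapp.app;
    http3 on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';   # ';' inside quotes
    location / { root /srv/main; }
}
server {
    listen 443 quic;
    server_name *.myapp.app;
    http3 on;
}
server {
    listen 443 quic;
    server_name myapptwo.app www.myapptwo.app app.myapptwo.app;
    http3 on;
}
server {
    listen 443 quic;
    server_name *.myapptwo.app;
    http3 on;
}
"""


def parse_servers(text):
    """Return every `server { ... }` block as a list of (directive, args) pairs.

    Minimal nginx grammar: directives end with `;`, blocks use `{ }`, `#`
    starts a comment, and a `;` inside a quoted value does not end the
    directive. Only server-level directives are recorded; nested blocks such
    as `location` are walked past. Quoted arguments are not dequoted.
    """
    text = re.sub(r"#[^\n]*", "", text)
    servers, cur, sdepth = [], None, 0
    depth, buf, quote = 0, "", None
    for ch in text:
        if quote:                      # inside '...' or "..."
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf += ch
        elif ch == "{":
            head, buf = buf.split(), ""
            depth += 1
            if cur is None and head and head[0] == "server":
                cur, sdepth = [], depth
        elif ch == "}":
            depth -= 1
            buf = ""
            if cur is not None and depth < sdepth:
                servers.append(cur)
                cur = None
        elif ch == ";":
            parts, buf = buf.split(), ""
            if cur is not None and depth == sdepth and parts:
                cur.append((parts[0], parts[1:]))
        else:
            buf += ch
    return servers


def listen_key(args):
    """Map `listen` arguments to (addr:port, transport, has_reuseport).
    A bare port such as `443` is nginx shorthand for `*:443`."""
    addr = args[0]
    key = addr if ":" in addr else f"*:{addr}"
    transport = "quic" if "quic" in args[1:] else "tcp"
    return key, transport, "reuseport" in args[1:]


def audit(text):
    """Return human-readable findings about the QUIC/TCP listener layout."""
    findings, per_server, quic_sockets = [], [], set()
    reuseport_count = defaultdict(int)  # addr:port -> quic listens with reuseport
    for idx, directives in enumerate(parse_servers(text)):
        names = [n for d, a in directives if d == "server_name" for n in a]
        tcp, quic = set(), set()
        for d, a in directives:
            if d != "listen" or not a:
                continue
            key, transport, reuse = listen_key(a)
            if transport == "quic":
                quic.add(key)
                quic_sockets.add(key)
                reuseport_count[key] += int(reuse)
            else:
                tcp.add(key)
        per_server.append((idx, names, tcp, quic))

    # Rule 1: exactly one quic listen per address:port carries reuseport.
    for key in sorted(quic_sockets):
        n = reuseport_count[key]
        if n == 0:
            findings.append(f"{key}: no quic listen carries reuseport "
                            "(nginx documents it as needed for QUIC with multiple workers)")
        elif n > 1:
            findings.append(f"{key}: reuseport given {n} times "
                            "(nginx rejects duplicate listen options for one socket)")

    # Rule 2: a block reachable only over QUIC has no TCP fallback of its own;
    # TCP/HTTP/2 requests for its names land in the port's default server.
    for idx, names, tcp, quic in per_server:
        for key in sorted(quic - tcp):
            port = key.rsplit(":", 1)[-1]
            findings.append(f"server #{idx} ({' '.join(names)}): quic on {key} "
                            f"but no TCP 'listen {port} ssl'; TCP/HTTP/2 clients "
                            "for these names get the default server instead")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Feed it the output of `nginx -T` to audit a live configuration. On the constructed sample it reports one finding for each of the three QUIC-only server blocks and none for `reuseport`; adding `listen 443 ssl;` to those blocks clears every finding, while copying `reuseport` onto a second block produces the duplicate-options finding.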