Opened 9 months ago

#2624 new defect

Challenges Configuring HTTP/3 for Multiple Domains with Distinct SSL Certificates in Nginx 1.25.4

Reported by: desaisoftwaree@…
Owned by:
Priority: minor
Milestone:
Component: http/3
Version: 1.25.x
Keywords:
Cc:
uname -a: Linux automore 6.5.0-1016-gcp #16~22.04.1-Ubuntu SMP Sat Mar 9 00:58:37 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.25.4
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.4/debian/debuild-base/nginx-1.25.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Environment:

Nginx Version: 1.25.4
Operating System: Ubuntu 22.04.4 LTS
OpenSSL Version: OpenSSL 3.0.2
Description:
Encountering configuration challenges when attempting to set up HTTP/3 for two separate domains (myapp.app and myapptwo.app), each with its own SSL certificate. Issues arise with the listen 443 quic reuseport; directive, leading to misrouting or incorrect content delivery when accessed via HTTP/3.

Steps to Reproduce:

  1. Set up multiple server blocks to serve different domains with the configurations mentioned.
  2. Include listen 443 quic reuseport; for the primary domain and listen 443 quic; for additional domains.
  3. Access the domains using a client that supports HTTP/3.

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name myapp.app www.myapp.app app.myapp.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name *.myapp.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name myapptwo.app www.myapptwo.app app.myapptwo.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name *.myapptwo.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

Expected Behavior:
Each domain should serve its corresponding content correctly over HTTP/3, utilizing its designated SSL certificate.

Actual Behavior:
Configuration limitations or misinterpretations cause only one domain to properly support HTTP/3 or result in incorrect domain content delivery.

Additional Information:
Illustrate the importance of enabling HTTP/3 across multiple server blocks, each with unique SSL certificates, for improved security and performance on Nginx.
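
Added example, not code from the ticket or from nginx: an offline audit of server blocks like the ones posted above. Only the first posted block has a TLS-over-TCP listen (listen 443 ssl); a block with only listen 443 quic cannot be selected for TCP connections on that port, so HTTPS requests for its names, the channel on which clients first receive Alt-Svc, are handled by the port's default server and see that server's certificate. The check below flags every block with a quic listen on a port and no ssl listen on the same port; the parser is deliberately minimal (flat server{} blocks as posted, no include handling) and SAMPLE is a constructed input.

```python
# Added example, not code from the ticket or from nginx: flag server{} blocks that
# listen with quic on a port but have no ssl listen there. SAMPLE is constructed.
SAMPLE = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name myapp.app www.myapp.app;
    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
}
server {
    listen 443 quic;
    server_name myapptwo.app www.myapptwo.app;
    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
}
"""

def parse_servers(text):  # listen / server_name / ssl_certificate of each top-level server{}
    servers, depth, cur = [], 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and whitespace
        if line.endswith("{"):
            if depth == 0 and line.startswith("server"):
                servers.append(cur := {"listen": [], "server_name": [], "ssl_certificate": None})
            depth += 1
        elif line == "}":
            depth -= 1
        elif cur and depth == 1 and line.endswith(";"):  # directives inside location{} are skipped
            name, _, args = line[:-1].partition(" ")
            if name == "listen":
                cur["listen"].append(args.split())       # e.g. ["443", "quic", "reuseport"]
            elif name == "server_name":
                cur["server_name"] += args.split()
            elif name == "ssl_certificate":
                cur["ssl_certificate"] = args.strip()
    return servers

def audit(servers):
    """One finding per server block and port that has a quic listen but no ssl listen."""
    findings = []
    for s in servers:
        # "443" and "[::]:443" both reduce to port "443"
        ports = lambda flag: {a[0].rsplit(":", 1)[-1] for a in s["listen"] if flag in a[1:]}
        for port in sorted(ports("quic") - ports("ssl")):
            findings.append(f"{' '.join(s['server_name'])}: 'listen {port} quic' without "
                            f"'listen {port} ssl'; TLS-over-TCP clients for these names get "
                            f"the port's default server, never {s['ssl_certificate']}")
    return findings

for finding in audit(parse_servers(SAMPLE)):
    print(finding)
```

To run it against a real file, replace SAMPLE with the contents of the server{} blocks (not a whole nginx.conf with an http{} wrapper, which this minimal parser does not handle).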

Change History (0)