id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2624	Challenges Configuring HTTP/3 for Multiple Domains with Distinct SSL Certificates in Nginx 1.25.4	desaisoftwaree@…		"Environment:

Nginx Version: 1.25.4
Operating System: Ubuntu 22.04.4 LTS
OpenSSL Version: OpenSSL 3.0.2
Description:
Encountering configuration challenges when attempting to set up HTTP/3 for two separate domains (myapp.app and myapptwo.app), each with its own SSL certificate. Issues arise with the listen 443 quic reuseport; directive, leading to misrouting or incorrect content delivery when accessed via HTTP/3.

Steps to Reproduce:

1. Set up multiple server blocks to serve different domains with the configurations mentioned.
2. Include listen 443 quic reuseport; for the primary domain and listen 443 quic; for additional domains.
3. Access the domains using a client that supports HTTP/3.

server {
    listen 443 ssl;
    listen 443 quic reuseport;
    server_name myapp.app www.myapp.app app.myapp.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3="":$server_port""; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name *.myapp.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3="":$server_port""; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name myapptwo.app www.myapptwo.app app.myapptwo.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3="":$server_port""; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/main-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

server {
    listen 443 quic;
    server_name *.myapptwo.app;

    http3 on;
    http2 on;

    quic_retry on;
    ssl_early_data on;
    add_header Alt-Svc 'h3="":$server_port""; ma=86400';
    proxy_intercept_errors on;

    ssl_certificate /etc/letsencrypt/live/myapptwo.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapptwo.app/privkey.pem;

    location / {
        root /home/usr/Ecosystem-App/d2c-server/public/;
        index index.html;
        try_files $uri $uri.html /index.html =404;
    }
    
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}

Expected Behavior:
Each domain should serve its corresponding content correctly over HTTP/3, utilizing its designated SSL certificate.

Actual Behavior:
Configuration limitations or misinterpretations cause only one domain to properly support HTTP/3 or result in incorrect domain content delivery.

Additional Information:
Illustrate the importance of enabling HTTP/3 across multiple server blocks, each with unique SSL certificates, for improved security and performance on Nginx."	defect	new	minor		http/3	1.25.x				Linux automore 6.5.0-1016-gcp #16~22.04.1-Ubuntu SMP Sat Mar  9 00:58:37 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.25.4
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) 
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.4/debian/debuild-base/nginx-1.25.4=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
