refactor(http3): use http3 instead of quic #11010

Merged
merged 2 commits into from
Mar 13, 2024

zll600
Contributor

@zll600 zll600 commented Mar 7, 2024

Description

In #10989, I added the enable_quic option to config-default.yaml. But enable_quic does not match the mainstream gateway configuration. Both Cloudflare and AWS use enable_http3. So I want to change enable_quic to enable_http3.

To enable HTTP/3 in nginx, we have two steps to do.

  1. enable quic in a listen directive for one port.
  2. use TLS v1.3
  3. enable http3 directive in server/http directive

e.g.

    server {
        http3 on;
        listen 8443 quic reuseport;
        listen 8443 ssl;

Here I give two examples.

config-default.yaml

    apisix:
      ssl:
        enable: true
        listen:                                       # APISIX listening port for HTTPS traffic.
          - port: 9443
            enable_http2: true
            enable_http3: false                       # Enable HTTP/3 (with QUIC). If not set default to `false`.
          # - ip: 127.0.0.3                           # If not set, default to `0.0.0.0`.
          #   port: 9445
          #   enable_http2: true
          #   enable_http3: true
        # ssl_trusted_certificate: /path/to/ca-cert   # Set the path to CA certificates used to verify client
                                                      # certificates in the PEM format.
        ssl_protocols: TLSv1.2 TLSv1.3                # TLS versions supported.

example 1: enable http3 for two ports

config.yaml

    apisix:
      ssl:
        listen:
          - port: 9443
            enable_http2: true
            enable_http3: true   # access https://127.0.0.1:9443 with HTTP/3
          - port: 9444
            enable_http2: true
            enable_http3: true   # access https://127.0.0.1:9444 with HTTP/3

generated nginx.conf

    server {
        http2 on;
        http3 on;
        listen 0.0.0.0:9080 default_server reuseport;
        listen [::]:9080 default_server reuseport;
        listen 0.0.0.0:9443 quic default_server reuseport;
        listen 0.0.0.0:9443 ssl default_server;
        listen [::]:9443 quic default_server reuseport;
        listen [::]:9443 ssl default_server;
        listen 0.0.0.0:9444 quic default_server reuseport;
        listen 0.0.0.0:9444 ssl default_server;
        listen [::]:9444 quic default_server reuseport;
        listen [::]:9444 ssl default_server;

        server_name _;

        ssl_certificate      cert/ssl_PLACE_HOLDER.crt;
        ssl_certificate_key  cert/ssl_PLACE_HOLDER.key;
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout 10m;

        ssl_protocols TLSv1.2 TLSv1.3;

example 2: enable http3 for one port and disable http3 for another port.

config.yaml

    apisix:
      ssl:
        listen:
          - port: 9443
            enable_http2: true
            enable_http3: true   # access https://127.0.0.1:9443 with HTTP/3
          - port: 9444
            enable_http2: true
            # enable_http3: true

generated nginx.conf

    server {
        http2 on;
        http3 on;
        listen 0.0.0.0:9080 default_server reuseport;
        listen [::]:9080 default_server reuseport;
        listen 0.0.0.0:9443 quic default_server reuseport;
        listen 0.0.0.0:9443 ssl default_server;
        listen [::]:9443 quic default_server reuseport;
        listen [::]:9443 ssl default_server;
        listen 0.0.0.0:9444 ssl default_server reuseport;
        listen [::]:9444 ssl default_server reuseport;

        server_name _;

        ssl_certificate      cert/ssl_PLACE_HOLDER.crt;
        ssl_certificate_key  cert/ssl_PLACE_HOLDER.key;
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout 10m;

        ssl_protocols TLSv1.2 TLSv1.3;

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
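
A check over generated nginx.conf text for the three prerequisites listed in the description (a `quic` listen, TLS v1.3, the `http3` directive), added here as an example and not code from this PR or from APISIX. It also returns the ports that carry a `quic` listener, since each one opens a UDP socket that firewall rules have to account for; the function name `audit_http3` and the finding strings are assumptions, and the same-port `ssl` check mirrors the pairing seen in the generated config above.

```python
import re

# Constructed input: the generated nginx.conf of example 2 on this page,
# trimmed to the relevant directives and closed with a brace.
SAMPLE_CONF = """
server {
    http2 on;
    http3 on;
    listen 0.0.0.0:9080 default_server reuseport;
    listen 0.0.0.0:9443 quic default_server reuseport;
    listen 0.0.0.0:9443 ssl default_server;
    listen [::]:9443 quic default_server reuseport;
    listen [::]:9443 ssl default_server;
    listen 0.0.0.0:9444 ssl default_server reuseport;
    listen [::]:9444 ssl default_server reuseport;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# One listen directive per line: address/port, then its parameters.
LISTEN_RE = re.compile(r"^\s*listen\s+(\S+)((?:\s+[\w=]+)*)\s*;", re.M)

def audit_http3(conf):
    """Return (ports with a quic/UDP listener, findings) for one server block."""
    quic, ssl = set(), set()
    for addr, params in LISTEN_RE.findall(conf):
        port = addr.rsplit(":", 1)[-1]   # 9443, 0.0.0.0:9443 or [::]:9443
        if not port.isdigit():
            continue                     # e.g. unix: sockets, out of scope here
        flags = params.split()
        if "quic" in flags:
            quic.add(int(port))
        if "ssl" in flags:
            ssl.add(int(port))
    findings = []
    if quic:
        m = re.search(r"^\s*ssl_protocols\s+([^;]+);", conf, re.M)
        # Assumption: a missing ssl_protocols line (nginx default) is not judged.
        if m and "TLSv1.3" not in m.group(1).split():
            findings.append("quic listener but ssl_protocols lacks TLSv1.3")
        if re.search(r"^\s*http3\s+off\s*;", conf, re.M):
            findings.append("quic listener but http3 is off")
        for port in sorted(quic - ssl):
            findings.append(f"port {port}: quic listen has no ssl listen on the same port")
    return sorted(quic), findings

if __name__ == "__main__":
    print(audit_http3(SAMPLE_CONF))
```
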

apisix/cli/ngx_tpl.lua
@@ -730,6 +729,7 @@ _EOC_
listen 1994 quic reuseport;
listen 1994 ssl;
http2 on;
http3 on;
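
Review bot: the `http3 on;` line at the end of this hunk carries no comment saying why it is set explicitly, and nothing in the visible context ties it to the `listen 1994 quic reuseport;` line above it. Add a short template comment stating the intent, and confirm the directive is rendered only when that quic listener is, so the two cannot drift apart.
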
Contributor

Why is this being added now? Why wasn't this added during the main feature PR?

Contributor Author

@zll600 zll600 Mar 12, 2024

The http3 directive default is on. And I forgot to add it in the main feature PR (#10989).

@shreemaan-abhishek shreemaan-abhishek merged commit 8c4eff2 into apache:master Mar 13, 2024
51 checks passed
4 participants