Docs: Add information about HTTP/3 support. #11513

Merged 4 commits on Jul 1, 2024
46 changes: 45 additions & 1 deletion images/nginx-1.25/README.md
@@ -1,3 +1,47 @@
NGINX 1.25 base image

**Don't use in production!!!**
### HTTP/3 Support

**HTTP/3 support is experimental and under development**

[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\
[QUIC](https://datatracker.ietf.org/doc/html/rfc9000)

[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html)

> Support for QUIC and HTTP/3 protocols is available since 1.25.0.

But this requires adding a new flag during the build:

> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter.

[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step.

The next steps will be:

1. **Waiting for OpenSSL 3.4.**\
The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3):

> Otherwise, the OpenSSL compatibility layer will be used that does not support early data.

[And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data)

> The directive is supported when using OpenSSL 1.1.1 or higher.

But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl)

> ... the QUIC (currently client side only) version 1 protocol

[And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339)

Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\
But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html):

> Server-side QUIC support

[Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr)

2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).**
3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
4. **Opening the https port for UDP in the container(because QUIC uses UDP).**
5. **Adding tests.**
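
Review bot: In step 3 the two quoted directives disagree on the port: `listen 443 quic` binds QUIC to 443 while `add_header Alt-Svc 'h3=":8443"; ma=86400';` advertises 8443, so a client following the header would try a different port from the one step 4 opens for UDP. Use the same port in both and state that it must be the externally reachable UDP port. Separately, the sentence "without important security and performance features" under step 1 presents early_data as a security feature; 0-RTT data is a latency optimisation and is replayable (RFC 8446, section 8), so I would reword this to performance only and note that enabling `ssl_early_data` later needs replay handling. In step 2, `enableHTTP/0.9` and `maxCurrentStream` do not read as configmap keys or nginx directives; naming the directives from the linked ngx_http_v3_module page would avoid confusion.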