From a4542af3255bfbb16faf2bb44a67edf51dd8627b Mon Sep 17 00:00:00 2001 From: Stepan Paksashvili Date: Thu, 27 Jun 2024 15:37:56 +0300 Subject: [PATCH 1/4] update README to add information about HTTP/3 support Signed-off-by: Stepan Paksashvili --- images/nginx-1.25/README.md | 46 ++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md index 8d5f44a623..35febfa9df 100644 --- a/images/nginx-1.25/README.md +++ b/images/nginx-1.25/README.md 
@@ -1,3 +1,47 @@ NGINX 1.25 base image -**Don't use in production!!!** \ No newline at end of file +**Don't use in production!!!** + +### HTTP/3 Support + +**!!! HTTP/3 support is experimental and under development** + +[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114) \ +[QUIC](https://datatracker.ietf.org/doc/html/rfc9000) + +[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html) +> Support for QUIC and HTTP/3 protocols is available since 1.25.0. + +But this requires adding a new flag during the building: + +> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. + +We have added this flag, but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. + +The next steps will be: +1. **Waiting for OpenSSL 3.4.** \ + The main problem that we still use OpenSSL(3.x), and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): + > Otherwise, the OpenSSL compatibility layer will be used that does not support early data. + + [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data) + > The directive is supported when using OpenSSL 1.1.1 or higher. + + But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side:](https://github.com/openssl/openssl) + > ... the QUIC (currently client side only) version 1 protocol + + [and also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) + + Due to this, we currently have incomplete HTTP/3 support, without important security and performance features. 
\ + But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html): + > Server-side QUIC support + + [Options for using instead of OpenSSL(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) + + +2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** +3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).** +4. **Opening the https port for UDP in the container(because QUIC uses UDP).** +5. **Adding tests.** + + + From aabdf828f32f1db7f0ab7344c535917bad93d37b Mon Sep 17 00:00:00 2001 From: Stepan Paksashvili <81509933+ipaqsa@users.noreply.github.com> Date: Mon, 1 Jul 2024 12:14:04 +0300 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Marco Ebert --- images/nginx-1.25/README.md | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md index 35febfa9df..4b07faa4c2 100644 --- a/images/nginx-1.25/README.md +++ b/images/nginx-1.25/README.md 
@@ -1,47 +1,48 @@ NGINX 1.25 base image -**Don't use in production!!!** ### HTTP/3 Support -**!!! HTTP/3 support is experimental and under development** +**HTTP/3 support is experimental and under development** -[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114) \ +[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\ [QUIC](https://datatracker.ietf.org/doc/html/rfc9000) [According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html) + > Support for QUIC and HTTP/3 protocols is available since 1.25.0. -But this requires adding a new flag during the building: +But this requires adding a new flag during the build: > When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. We have added this flag, but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. The next steps will be: -1. **Waiting for OpenSSL 3.4.** \ - The main problem that we still use OpenSSL(3.x), and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): + +1. **Waiting for OpenSSL 3.4.**\ + The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3): + > Otherwise, the OpenSSL compatibility layer will be used that does not support early data. [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data) + > The directive is supported when using OpenSSL 1.1.1 or higher. 
- But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side:](https://github.com/openssl/openssl) + But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl) + > ... the QUIC (currently client side only) version 1 protocol - [and also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) + [and also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) - Due to this, we currently have incomplete HTTP/3 support, without important security and performance features. \ + Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\ But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html): + > Server-side QUIC support [Options for using instead of OpenSSL(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) - 2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** 3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).** 4. **Opening the https port for UDP in the container(because QUIC uses UDP).** 5. **Adding tests.** - - - From 9cb3f093eef5996bfbdf1f3bb78fe62150aab509 Mon Sep 17 00:00:00 2001 From: Stepan Paksashvili <81509933+ipaqsa@users.noreply.github.com> Date: Mon, 1 Jul 2024 13:27:23 +0300 Subject: [PATCH 3/4] Apply suggestions from code review Co-authored-by: Marco Ebert --- images/nginx-1.25/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md index 4b07faa4c2..a5ec4821d4 100644 --- a/images/nginx-1.25/README.md +++ b/images/nginx-1.25/README.md @@ -1,6 +1,5 @@ NGINX 1.25 base image - ### HTTP/3 Support **HTTP/3 support is experimental and under development** @@ -33,7 +32,7 @@ The next steps will be: > ... the QUIC (currently client side only) version 1 protocol - [and also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) + [And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339) Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\ But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html): From 089469a37a88317f13d9325ef2860ec554c37d10 Mon Sep 17 00:00:00 2001 From: Stepan Paksashvili Date: Mon, 1 Jul 2024 13:29:13 +0300 Subject: [PATCH 4/4] update README Signed-off-by: Stepan Paksashvili --- images/nginx-1.25/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md index a5ec4821d4..b5c6d593f6 100644 --- a/images/nginx-1.25/README.md +++ b/images/nginx-1.25/README.md @@ -15,7 +15,7 @@ But this requires adding a new flag during the build: > When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter. -We have added this flag, but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. +[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step. The next steps will be: 
@@ -39,7 +39,7 @@ The next steps will be: > Server-side QUIC support - [Options for using instead of OpenSSL(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) + [Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr) 2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).** 3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
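Review bot: In PATCH 1/4 (hunk `@@ -1,3 +1,47 @@` of images/nginx-1.25/README.md), step 3 is internally inconsistent: it adds `listen 443 quic` to server blocks but advertises `add_header Alt-Svc 'h3=":8443"; ma=86400';`, so clients would be told to try HTTP/3 on UDP 8443 while nginx listens on 443. The port in Alt-Svc has to be the UDP port a client can actually reach (which is also what step 4 opens); otherwise browsers quietly fall back to TCP and the feature looks "working" without ever being used. Either use one port in both snippets or say explicitly that the template substitutes the externally visible port. In step 1, the two nginx quotes are presented as contradicting each other, but they describe different transports: the `ssl_early_data` note ("supported when using OpenSSL 1.1.1 or higher") is about TLS 1.3 over TCP, while "the OpenSSL compatibility layer will be used that does not support early data" is specific to QUIC. Spelling out that TCP-vs-QUIC distinction would make the "incomplete support" conclusion much easier to follow, and since the linked nginx QUIC page names BoringSSL, LibreSSL and QuicTLS as libraries with native QUIC support, listing them next to the HAProxy link would tell readers what the alternative to "waiting for OpenSSL 3.4" actually is.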
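Review bot: In PATCH 2/4 (hunk `@@ -1,47 +1,48 @@`), the line `-**Don't use in production!!!**` is removed along with the formatting suggestions and is not re-added anywhere, yet the new section still says HTTP/3 support is experimental and under development. If the base image as a whole is still not production-ready, keep that warning (or move it under the HTTP/3 heading) rather than dropping it silently in a "code review suggestions" commit; if it is intentionally removed, say so in the commit message. Minor: "The main problem is, that we still use OpenSSL (3.x)" has a stray comma; "The main problem is that we still use OpenSSL (3.x)".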
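Review bot: In PATCH 3/4, hunk `@@ -1,6 +1,5 @@` removes the blank line between `NGINX 1.25 base image` and `### HTTP/3 Support`, which leaves a level-3 heading directly under a title that is not a heading at all. Making the first line `# NGINX 1.25 base image` gives the HTTP/3 section a parent and renders the same way regardless of the blank line.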
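Review bot: In PATCH 3/4, hunk `@@ -33,7 +32,7 @@` only capitalizes the link text to `[And also there are some issues even with client side]`, but a sentence that starts with "And also" still reads awkwardly. Something like "There are also open issues with the client side" with the same link to the OpenSSL discussion is clearer and keeps the reference.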
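Review bot: In PATCH 4/4, hunk `@@ -15,7 +15,7 @@` usefully links the PR that added the flag, but the sentence is still a run-on: "[We have added this flag](...), but it is not enough to use HTTP/3 in ingress-nginx; this is only the first step." Since the README now points at the build change, it would also help readers to state how to confirm the image was built with it, e.g. `nginx -V 2>&1 | grep -o -- '--with-http_v3_module'`, which prints the flag only when the module was compiled in.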
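Review bot: In PATCH 4/4, hunk `@@ -39,7 +39,7 @@`, the renamed link `[Overview of SSL libraries(HAProxy Documentation)]` is missing the space before the parenthesis, and the same pattern appears in the context lines of steps 2 to 4 ("quic(enableHTTP3", "template(`listen", "container(because"). While touching step 2, the configmap names listed there should match the ngx_http_v3_module directives they would map to: "enableHTTP/0.9" corresponds to `http3_hq`, and "maxCurrentStream" looks like a typo for max concurrent streams (`http3_max_concurrent_streams`); naming the directive next to each configmap key avoids guesswork later.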