Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docs: Add information about HTTP/3 support. #11525

Merged
merged 4 commits into from
Jul 1, 2024
Merged

Docs: Add information about HTTP/3 support. #11525

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a4542af
update README to add information about HTTP/3 support
ipaqsa Jun 27, 2024
aabdf82
Apply suggestions from code review
ipaqsa Jul 1, 2024
9cb3f09
Apply suggestions from code review
ipaqsa Jul 1, 2024
089469a
update README
ipaqsa Jul 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 45 additions & 1 deletion images/nginx-1.25/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,47 @@
NGINX 1.25 base image

**Don't use in production!!!**
### HTTP/3 Support

**HTTP/3 support is experimental and under development**

[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\
[QUIC](https://datatracker.ietf.org/doc/html/rfc9000)

[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html)

> Support for QUIC and HTTP/3 protocols is available since 1.25.0.

But this requires adding a new flag during the build:

> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter.

[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step.

The next steps will be:

1. **Waiting for OpenSSL 3.4.**\
The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3):

> Otherwise, the OpenSSL compatibility layer will be used that does not support early data.

[And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data)

> The directive is supported when using OpenSSL 1.1.1 or higher.

But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl)

> ... the QUIC (currently client side only) version 1 protocol

[And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339)

Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\
But the good news is that [OpenSSL plans to add server-side support in 3.4](https://www.openssl.org/roadmap.html):

> Server-side QUIC support

[Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr)

2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).**
3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
4. **Opening the https port for UDP in the container(because QUIC uses UDP).**
5. **Adding tests.**