Merged
42 commits
990cb95
Add adjustments for HTTP3 support.
strarsis Jul 29, 2024
f48d346
Use ferm `delete` attribute for toggling HTTP3 firewall allow rule.
strarsis Jul 29, 2024
b494871
Remove old variable from previous PR/ferm toggling.
strarsis Jul 29, 2024
7b42280
Use include files for re-using HTTP/3 specific `nginx` directives.
strarsis Jul 30, 2024
2c49e34
Make http3 jinja conditions more readable.
strarsis Jul 30, 2024
9a2114a
Remove conditional firewall inbound rule for `https` (in separate PR).
strarsis Aug 3, 2024
fdc2386
Improve task name.
strarsis Aug 3, 2024
5c2acc5
Disable SSL early data.
strarsis Aug 3, 2024
6f76411
Use now merged conditional https ferm rule.
strarsis Aug 27, 2024
5db674d
Move http3 includes into `server_basic` block.
strarsis Aug 27, 2024
1b7ac71
Add global quic listen with reuseport for working QUIC responses.
strarsis Aug 27, 2024
80d5f39
Conditionally add global listen quic reuseport config file.
strarsis Aug 29, 2024
aac581d
Use `reuseport` in first HTTPS site config directly instead in global…
strarsis Aug 30, 2024
e358962
Remove debug output in template.
strarsis Aug 30, 2024
a42df0c
Fix newline in comment.
strarsis Aug 30, 2024
25159e2
Make `first_site_using_ssl` a normal variable.
strarsis Aug 30, 2024
f0311c0
Improve newlines in config.
strarsis Aug 30, 2024
902f47b
Improve newlines in config.
strarsis Aug 30, 2024
91bb2c8
Also enable `http3_hq`.
strarsis Aug 31, 2024
36130d2
Enable `http3_hq` in http3 tune config instead.
strarsis Aug 31, 2024
799025b
Add rtt0 setting.
strarsis Jan 17, 2026
346da4d
Improve comment on rtt0 mitigation.
strarsis Jan 18, 2026
aa29966
Remove unused experimental quic directive.
strarsis Mar 6, 2026
ed4947f
Fix typo
strarsis Mar 6, 2026
63e700d
Remove now unused special h3 alt-svc header for redirects.
strarsis Mar 6, 2026
19ec2ef
Fix typo.
strarsis Mar 6, 2026
270bb79
Add rtt0 to 0-RTT specific comments to make them better discoverable.
strarsis Mar 6, 2026
3c45adb
Use map for reject_early_data.
strarsis Mar 6, 2026
ae05239
Remove redundant rtt0 config from http3 tune config.
strarsis Mar 6, 2026
f95a7be
Make is_first_site_use_ssl variable more robust.
strarsis Mar 6, 2026
ccd3269
Make it clear by conventions and comments that 0-RTT is TLS1.3- and n…
strarsis Mar 6, 2026
7165b56
Make it clear by conventions and comments that also QUIC is TLS1.3- a…
strarsis Mar 6, 2026
fd8d458
Fix nginx condition for ssl_early_data for 0-rtt.
strarsis Mar 6, 2026
d3cace5
Add ssl_enabled and sites_use_ssl to conditions.
strarsis Mar 6, 2026
66836c8
Improve comment.
strarsis Mar 6, 2026
f3f59ca
Enable HTTP/3 support by default.
strarsis Mar 7, 2026
a07021f
Remove unused standalone server udp/http/3 config.
strarsis Mar 7, 2026
49fb711
Remove superfluous nginx site conf.
strarsis Mar 7, 2026
abc2660
Remove useless h3 alt-svc header in redirect sources.
strarsis Mar 7, 2026
5aa4199
Fix condition for map in nginx.conf.
strarsis Mar 7, 2026
b4065ba
Remove unrelated, currently experimental 0-RTT config.
strarsis Mar 8, 2026
a753fe5
Merge branch 'master' into add-http3-support
strarsis Mar 8, 2026
4 changes: 3 additions & 1 deletion group_vars/all/helpers.yml
@@ -40,7 +40,9 @@ site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"
multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}"
ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}"
cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}"
sites_use_ssl: "{{ (wordpress_sites | select_sites('ssl.enabled', 'true') | length) > 0 }}"
sites_using_ssl: "{{ wordpress_sites | dict2items | selectattr('value.ssl.enabled', 'equalto', true) | items2dict }}"
first_site_using_ssl: "{{ (sites_using_ssl | dict2items | first | default(None, True)) }}"
sites_use_ssl: "{{ sites_using_ssl | length > 0 }}"

composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}"
# Default `type` is `http-basic`.
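Review bot: `sites_using_ssl` applies `selectattr('value.ssl.enabled', 'equalto', true)` to every site, including sites that have no `ssl` mapping at all, so the expression only works if the missing-attribute lookup yields an undefined value that compares unequal instead of raising; make that explicit with `selectattr('value.ssl', 'defined') | selectattr('value.ssl.enabled', 'equalto', true)` so one site without an `ssl` key cannot break `sites_use_ssl` and, through it, the firewall rules. Note also that `equalto true` is a strict boolean match, whereas the replaced `select_sites('ssl.enabled', 'true')` call took a string argument, so a quoted `enabled: "true"` in someone's `wordpress_sites` should be checked against both versions before this ships as a default.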
5 changes: 5 additions & 0 deletions group_vars/all/security.yml
@@ -8,6 +8,11 @@ ferm_input_list:
dport: [https]
filename: nginx_accept_https
delete: "{{ not (sites_use_ssl | bool) }}"
- type: dport_accept
dport: ['443']
protocol: udp
filename: nginx_accept_http3
delete: "{{ not (nginx_http3_enabled and (sites_use_ssl | bool)) }}"
- type: dport_accept
dport: [ssh]
saddr: "{{ ip_whitelist }}"
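Review bot: the `delete` expression uses `nginx_http3_enabled` with no `default`, but that variable's default is declared in `roles/wordpress-setup/defaults/main.yml` while this list is read from group_vars by the firewall role; guard it as `delete: "{{ not ((nginx_http3_enabled | default(false) | bool) and (sites_use_ssl | bool)) }}"` so the UDP rule is removed rather than erroring on any play where the role default is not in scope. Minor: the TCP rule two lines up uses `dport: [https]`; using the same service name here (if the target's `/etc/services` lists `https` for udp as well) keeps the two rules visibly paired.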
2 changes: 1 addition & 1 deletion roles/wordpress-setup/defaults/main.yml
@@ -8,7 +8,7 @@ nginx_sites_confs:
enabled: false

nginx_http2_enabled: true
nginx_http3_enabled: false
nginx_http3_enabled: true

# HSTS defaults
nginx_hsts_max_age: 31536000
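Review bot: flipping `nginx_http3_enabled` to `true` means every SSL-enabled host opens UDP 443 and renders `listen ... quic` on the next provision, and nginx only accepts those directives when built with `ngx_http_v3_module` (mainline 1.25.0 or newer); add a comment above this default stating that requirement, and that setting it back to `false` also drops the ferm UDP rule, so the next person does not learn it from a failed `nginx -t`.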
9 changes: 9 additions & 0 deletions roles/wordpress-setup/tasks/nginx.yml
@@ -23,6 +23,13 @@

- import_tasks: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml"

- name: Copy Nginx Wordpress site include folder
copy:
src: templates/includes
dest: "{{ nginx_path }}"
mode: '0755'
notify: reload nginx

- name: Create Nginx available sites
template:
src: "{{ item.src }}"
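Review bot: `mode: '0755'` on the copy task is applied to the copied `.conf` files as well as to the directories, leaving config files executable; use `mode: '0644'` together with `directory_mode: '0755'` so only the directories get the execute bit. Also, `src: templates/includes` without a trailing slash copies the directory itself, so the files end up under `{{ nginx_path }}/includes/...`, which is what the relative `include includes/directive-only/...` lines in the site template rely on; a short comment on the task naming that dependency would stop someone "fixing" the path later.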
@@ -68,6 +75,8 @@
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
label: "{{ item.key }}"
vars:
is_first_site_use_ssl: "{{ (first_site_using_ssl.key == item.key) if first_site_using_ssl else false }}"
notify: reload nginx
tags: nginx-includes

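Review bot: `is_first_site_use_ssl` is defined only in this task's `vars:`, yet `wordpress-site.conf.j2` reads it inside the `server_id` block; any other task that renders that template either silently omits the `reuseport` listen (an undefined name is falsy in `{% if %}`) or fails the render, depending on undefined-variable handling. Since `group_vars/all/helpers.yml` already computes per-site values from `item` (see `ssl_enabled` there), define it beside `first_site_using_ssl` as `is_first_site_use_ssl: "{{ first_site_using_ssl and first_site_using_ssl.key == item.key }}"` so every render of the template sees the same value.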
@@ -0,0 +1,2 @@
# Add Alt-Svc header to negotiate HTTP/3.
add_header alt-svc 'h3=":443"; ma=86400';
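Review bot: `add_header` is inherited by a `location` only when that location defines no `add_header` of its own, so every location in the site config that sets its own headers drops `alt-svc` again for those responses; say so in the comment, or place this include at the same level as the other headers, so the hint reaches the responses that matter. With `ma=86400` a client caches the h3 advertisement for a day, so keep this include gated on exactly the same condition as the `quic` listens (as the site template does), otherwise clients keep trying UDP 443 long after HTTP/3 is switched off.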
@@ -0,0 +1,3 @@
# QUIC transport (HTTP/3 specific)
quic_retry on;
quic_gso on;
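Review bot: the comment says what the file is for but not why `quic_retry on` is set; add that it makes nginx validate the client's source address with a Retry packet before completing the handshake, which is the defence against spoofed-source amplification on UDP 443, so it is not removed later as a latency optimisation. `quic_gso on` depends on kernel support for UDP segmentation offload; note that requirement next to it, since this file is now included by every SSL server block by default.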
26 changes: 26 additions & 0 deletions roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -6,6 +6,15 @@ server {
{% block server_id -%}
listen {{ ssl_enabled | ternary('[::]:443 ssl', '[::]:80') }};
listen {{ ssl_enabled | ternary('443 ssl', '80') }};

{% if nginx_http3_enabled and ssl_enabled -%}
# Listen on UDP for QUIC+HTTP/3
listen [::]:443 quic{% if is_first_site_use_ssl %} reuseport{% endif -%};
listen 443 quic{% if is_first_site_use_ssl %} reuseport{% endif -%};
{% if is_first_site_use_ssl -%}# there has to be one listen quic directive with `reuseport` for working QUIC responses in current nginx version, using the first site.
{% endif %}
{% endif %}

http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};
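Review bot: `http3 {{ ... }}` is rendered for every server, including plain-HTTP ones where `ssl_enabled` is false and no `quic` listen exists, while the listens themselves are gated on `nginx_http3_enabled and ssl_enabled`; wrap the `http3` line in the same condition so the directive only appears where it has any effect. The sentence inside `{% if is_first_site_use_ssl -%}` is written into the generated nginx config as a `#` comment, which is fine for a workaround, but it should name the nginx version the behaviour was observed with ("current nginx version" will not mean anything in a year).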
@@ -35,6 +44,11 @@ server {
sendfile off;

{% endif -%}

{% if nginx_http3_enabled and ssl_enabled -%}
include includes/directive-only/quic-tune.conf;
include includes/directive-only/http3-negotiate.conf;
{% endif %}
{% endblock -%}

{% block cache_conditions -%}
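Review bot: the `nginx_http3_enabled and ssl_enabled` guard around these includes is the same expression used for the `quic` listens earlier in the block and twice more in the redirect servers, four copies in one template; set it once near the top with `{% set http3_active = nginx_http3_enabled and ssl_enabled %}` and test `http3_active` everywhere, so a later change to the condition lands in all of them instead of three of four.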
@@ -303,12 +317,24 @@ server {
listen [::]:443 ssl;
listen 443 ssl;
{% endif -%}

listen [::]:80;
listen 80;

{% if nginx_http3_enabled and ssl_enabled -%}
# Listen on UDP for QUIC+HTTP/3
listen [::]:443 quic;
listen 443 quic;
{% endif %}

http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }};
http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }};
server_name {{ host.redirects | join(' ') }};

{% if nginx_http3_enabled and ssl_enabled -%}
include includes/directive-only/quic-tune.conf;
{% endif %}

{{ self.https() -}}

{{ self.acme_challenge() -}}
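Review bot: the redirect server block gets the `quic` listens and `quic-tune.conf` but, deliberately per the "Remove useless h3 alt-svc header in redirect sources" commit, no `http3-negotiate.conf`; add a one-line comment here stating that the Alt-Svc header is intentionally omitted for redirect hosts, otherwise the asymmetry with the canonical server block above reads as an oversight and someone will reintroduce it. As in the canonical block, the `http3` directive here is unconditional while its listens are not; gate both the same way.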