po spusteni nginx som mal v logu (nie error, ale warning)
Sep 07 12:37:59 debian-12-nginx-proxy nginx[815]: nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/www.example.com:5
co je vlastne toto
listen 443 ssl http2;
Pre jednu domenu vyzera config nasledovne. Config robi redirect z non www na www + https. Dalej su obsahom ssl cert a HTTP hlavicky.
server {
server_name example.com;
return 301 http://www.example.com$request_uri;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
}
server {
server_name www.example.com;
location / {
proxy_pass http://192.168.20.13;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 quic reuseport; # QUIC
listen 443 ssl; # TCP
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.com;
return 404; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.com;
return 404; # managed by Certbot
}
Moje povodne configy, ktore pouzivam s http2 vyzeraju takto a vsetko fungovalo vyborne.
server {
server_name example.com;
return 301 http://www.example.com$request_uri;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
server_name www.example.com;
location / {
proxy_pass http://192.168.20.13;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.com;
return 404; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.com;
return 404; # managed by Certbot
}
Pre SSL pouzivam certbot, takze tam kde sa nachadza # managed by Certbot, tak automaticky bolo doplnene certbotom.
Presiel som na nginx s podporou HTTP/3 a configy som nechal take ako su. po reloade to na mna kricalo, ze http direktiva je zastarala, ale vsetko fungovalo, Takze v kazdom configu som to opravil z
listen 443 ssl http2;
na
listen 443 ssl;
http2 on;
Dalej som do druheho server bloku pridal dalsie 2 direktivy
listen 443 quic reuseport;
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
Ocheckoval som syntax a reloadol som nginx.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Super, vsetko funguje vratane HTTP/3 a ide to celkom rychlo. Tolko stastia som nemal, uz ani nepamatam kedy ;D
Akurat, ked idem preverit HTTP/3 na http3check (https://http3check.net/) tak pochopitelne to funguje len na www.example.com a nie na example.com. To preto, lebo tato direktiva
listen 443 quic reuseport;
moze byt pouzita v celom konfiguraku iba raz. Uvadza sa to aj tu, co poslal kolega link (https://kiwee.eu/blog/http-3-how-it-performs-compared-to-http-2/)
Konfig s HTTP/3 vyzera teraz takto
server {
server_name example.com;
return 301 http://www.example.com$request_uri;
listen 443 ssl; # managed by Certbot
http2 on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
}
server {
server_name www.example.com;
location / {
proxy_pass http://192.168.20.13;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
http2 on;
listen 443 quic reuseport;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.com;
return 404; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name www.example.com;
return 404; # managed by Certbot
}
Myslel som si, ze pre kazdu domenu (mam ich viac) spravim podobny config. Ale ako uz je spomenute, tak listen 443 quic reuseport; moze byt v nginx pouzity iba raz. Ak sa pouzije aj v druhom configu, tak:
nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /etc/nginx/sites-enabled/www.example.com:38
nginx: configuration file /etc/nginx/nginx.conf test failed
OK. Nechal som ho len v konfigu pre jednu domenu a v druhej som pridal len hlavicku co informuje browser, ze sa jedna o HTTP/3 add_header Alt-Svc 'h3=":$server_port"; ma=86400';. Preveril som aj druhu domenu na http3check (https://http3check.net/) a skutocne som dostal vysledok
QUIC is supported
HTTP/3 is supported
Avsak browser (napr. Mozilla) cez vyvojarsku konzolu stale tvrdi, ze to funguje na HTTP2
HTTP/2 200 OK
server: nginx/1.25.2
date: Fri, 15 Sep 2023 07:11:32 GMT
content-type: text/html; charset=UTF-8
content-length: 11005
link: <https://www.example.com/wp-json/>; rel="https://api.w.org/", <https://www.example.com/wp-json/wp/v2/pages/7>; rel="alternate"; type="application/json", <https://www.eample.com/>; rel=shortlink
vary: Accept-Encoding
content-encoding: gzip
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';
permissions-policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2
Zatial som sa dalej nedostal.
Tak se mi nakonec ted neco odlozilo, takze v rychlosti:
/etc/nginx/conf.d/99-front_proxy.conf:
server {
server_name example.com;
listen 80 reuseport;
listen [::]:80 reuseport;
}
server {
server_name example.com;
ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;
# Enable HTTP/2 (optional).
listen 443 ssl reuseport;
listen [::]:443 ssl reuseport;
# Enable HTTP/3.
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
http2 on;
http3 on;
ssl_early_data on;
ssl_session_tickets on;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
# Add Alt-Svc header to negotiate HTTP/3.
# required for browsers to direct them to quic port
add_header Alt-Svc 'h2=":$server_port"; ma=2592000; persist=1, h2c=":$server_port"; ma=2592000; persist=1, h3=":$server_port"; ma=2592000; persist=1, h3-23=":$server_port"; ma=2592000; persist=1, h3-25=":$server_port"; ma=2592000; persist=1, h3-27=":$server_port"; ma=2592000; persist=1, h3-29=":$server_port"; ma=2592000; persist=1, h3-32=":$server_port"; ma=2592000; persist=1, h3-34=":$server_port"; ma=2592000; persist=1, h3-Q043=":$server_port"; ma=2592000; persist=1, h3-Q046=":$server_port"; ma=2592000; persist=1, h3-Q050=":$server_port"; ma=2592000; persist=1, quic=":$server_port"; ma=2592000; persist=1; v="50,46,43"'; # Advertise that QUIC is available
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_ssl_session_reuse on;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_ssl_server_name on;
proxy_set_header 'Connection' '';
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
## proxy_hide_header Connection;
proxy_hide_header Upgrade;
proxy_read_timeout 150;
proxy_connect_timeout 150;
proxy_send_timeout 150;
proxy_socket_keepalive on;
proxy_pass http://localhost:6666/;
include proxy_params;
}
## Tune Nginx buffers #
## proxy_busy_buffers_size 512k;
## proxy_buffers 4 512k;
## proxy_buffer_size 256k;
## proxy_busy_buffers_size 512k;
proxy_buffers 256 32k;
proxy_buffer_size 32k;
}
/etc/nginx/conf.d/my_env
# Enable all TLS versions (TLSv1.3 is required for QUIC).
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_early_data on;
# ssl_session_tickets off;
ssl_session_tickets on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!CBC;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver localhost;
/etc/nginx/proxy_params:
#proxy_set_header Host $http_host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
set_real_ip_from 127.0.0.1;
set_real_ip_from ::1;
real_ip_header X-Real-IP;
real_ip_recursive off;
A bacha, pokud by jsi za tim mel Apache, tak mod_rpaf uz nepremava... Misto tohou pouzit mod_remoteip
Edit admin: Prosím zavírejte dlouhé výpisy do tagu code.
Ja som ten moj config (este pre http2) riesil tak, ze vzdy sa robi redirect s non www na www a z http na https. Ked pozres vyssie, tak nejako som sa dokopal k vysledku, ale funguje to len s jednou domenou (jednym configom). Do dalsieho uz nemozem pouzit directivu
listen 443 quic reuseport;
Tvoj config som zatial neskusal, lebo je to len pre jednu domenu, bez redirectu.
Nie som profik ani ziadny IT pracovnik. S takymito srandickami sa hrajem vo volnom case a len pre vlastnu potrebu. Nasiel som riesenie na stackoverflow (https://stackoverflow.com/questions/76348128/enabling-quic-http-3-on-multiple-domains-with-nginx-1-25) a funguje zatial OK. Dolezite je pouzit smernicu listen 443 quic reuseport; len raz a v dalsich server blokoch
listen 443 ssl;
listen 443 quic;
Podla navodu som pridal aj hlavicky
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
add_header x-quic 'h3';
add_header Alt-Svc 'h3-29=":$server_port"';
Ja mam kazdu domenu umiestnenu v samostatnom config file. Cize smernica listen 443 quic reuseport; moze byt pouzita len v jednom config file.
Netvrdim, ze moje riesenie je spravne, ale z uzivatelskej strany to funguje OK (otestovane na dvoch domenach).
Zatial dakujem za nakopnutia.
Este by som mal k HTTP/3 jednu drobnu poznamku. HTTP/3 oproti HTTP/2 resp. 1.1 ma byt omnoho rychlejsie (uzivatel to stejne nezisti, lebo sa jedna o milisekundy), pretoze to bezi cez UDP a nie TCP.
Pozrel som si teda napr. web google.com, alebo facebook.com, ktore bezia tiez cez HTTP/3. Asi som sa zle domnieval, ze HTTP/3 bezi od prveho GETu, ale nie je to tak.
Uzivatel weboveho prehliadaca takmer nikdy nezada do url
https://www.google.com
Mozno sa najde niekto, kto zadava do url
www.google.com
ale najcastejsie uzivatel zadava
google.com
Takze v mozile si vycistim historiu, cache a do url pisem google.com. Pred tym si vsak cez F12 otvorim dev. konzolu a zistujem, ze prvy GET odpovedal nesifrovane s HTTP/1.1 (vid prilozene obrazky). To je jasne, pretoze pred to co som napisal sa doplni http://.
Druhy GET je totez, ale na servery maju spraveny redirect na www, cize za http:// sa doplni www.
Treti GET presmeruje uz na sifrovany https a to uz bezi na HTTP/2.
Stvrty GET uz potom funguje normalne na HTTP/3.
Ak by uzivatel do url vzdy pisal
https://www.google.com
Tak by usetril 2 presmerovania na www a https a dalsi GET by uz fungoval s HTTP/3
Ak nie je nastaveny browser tak, ze po ukonceni si maze cache atd. tak dalsie otvorenie browsera a zadanie google.com do url uz bezi vzdy s HTTP/3.
Mne to teraz funguje podobne ako na google, preto som mal obavu ci je to v poriadku. Skusal som tiez caddy a tam to funguje tak isto.
Akurat som menej stastny s tychto cisel na http3check (https://http3check.net/), ale s tym asi nic nenarobim
CONNECTION ID PACKET RX HANDSHAKE DONE
8A2D393C9E... 108.332 343.382
D660B73AE9... 107.781 218.93