Ubuntu 22.04 How to install NGINX HTTP3/QUIC
What’s NGINX
NGINX is a high-performance web server known for its efficiency, stability, and rich feature set. It’s designed to handle high concurrency with low memory usage, making it ideal for serving static content, acting as a reverse proxy, and handling load balancing. Its event-driven architecture enables it to power many of the world’s busiest websites.
Why use HTTP3/QUIC in NGINX
The introduction of HTTP/3 and QUIC protocols marks a significant evolution in web technologies, offering faster, more secure internet communication. By leveraging UDP, these protocols minimize connection and transport latencies, outperforming their predecessor, HTTP/2, especially in conditions of packet loss and network fluctuations. Integrating HTTP3/QUIC with NGINX can drastically improve your website’s loading times, enhance user experience, and boost your site’s ranking on search engines as speed and security become increasingly important ranking factors.
How to install and enable NGINX HTTP3/QUIC
Installing and enabling HTTP3/QUIC support in NGINX on Ubuntu 22.04 isn’t just about stepping up your web server game; it’s a strategic move towards embracing the future of the internet. This guide walks you through the prerequisites for an NGINX HTTP3/QUIC setup, including updating your system and installing the required libraries.
Updating Ubuntu OS
apt update && apt upgrade -y
Install and Setup SSL Certificate
HTTP/3 and QUIC fundamentally require SSL/TLS, specifically using TLS 1.3, for a few critical reasons that underscore their emphasis on enhanced security and performance.
We can use a free Let’s Encrypt certificate; if you already have a paid SSL certificate, that works too.
apt install -y certbot
# replace YOUR_EMAIL_ADDRESS and blackonsole.org with your own contact address and domain
certbot certonly --standalone -n --agree-tos -m YOUR_EMAIL_ADDRESS -d blackonsole.org --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
# Set cronjob for SSL renewal
crontab -e
# add this line in the editor:
0 0,12 * * * certbot renew -q
Setup NGINX Ubuntu Repository
apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
| sudo tee /etc/apt/preferences.d/99nginx
Install NGINX and Modules (if needed)
# installing
apt update && apt install nginx
# checking the version and http3_module
nginx -v
nginx version: nginx/1.25.5
nginx -V 2>&1 | tr ' ' '\n' | grep --color 'http_v3'
--with-http_v3_module
Enable HTTP3/QUIC in NGINX config or vhost
server {
    server_name _;
    root /var/www/html;
    # HTTP
    listen 80 default_server reuseport;
    listen [::]:80 default_server reuseport;
    # HTTP2/SSL
    listen 443 ssl default_server reuseport;
    listen [::]:443 ssl default_server reuseport;
    http2 on;
    # Enable HTTP3/QUIC
    listen 443 quic default_server reuseport;
    listen [::]:443 quic default_server reuseport;
    http3 on;
    # Let's Encrypt
    ssl_certificate /etc/letsencrypt/live/blackonsole.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blackonsole.org/privkey.pem;
    # NOTE: the next two files are installed by certbot's nginx plugin; after
    # "certonly --standalone" they may not exist, so remove these lines if
    # "nginx -t" reports that it cannot open them
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        # HTTP3/QUIC Header
        add_header Alt-Svc 'h3=":443"; ma=86400';
        return 200 '{ "HTTP3/QUIC": "Enabled" }';
    }
}
Check the config and restart NGINX Service
# test the config file
nginx -t
# reload the service
nginx -s reload
# OR
systemctl restart nginx
systemctl status nginx
Check that HTTP3/QUIC runs as expected
Using CURL
# Make sure your curl is compiled with HTTP3 support
curl --version | grep HTTP3
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe UnixSockets zstd
# Test the HTTP3 QUIC
curl -I --http3 https://blackonsole.org
HTTP/3 200
If you need to enable cURL with HTTP3, please refer to How to Enable cURL with HTTP/3 on Ubuntu 24.04.
Using online tools
If you need to check from the internet, you can use this website: https://http3check.net/
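When the check fails, it helps to know which layer is missing. The script below is an added example, not part of the original guide: it reads the output of nginx -V, nginx -T, ss -Hlun and curl -sI and reports the first HTTP/3 prerequisite from this guide that is not met. The function names and the sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which HTTP/3 prerequisite from this guide is missing.
# Live use: diagnose "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)" \
#                    "$(ss -Hlun)" "$(curl -sI https://YOUR_DOMAIN)"

# stdin: nginx -V output. True if built with the HTTP/3 module.
has_v3_module() { tr ' ' '\n' | grep -qx -- '--with-http_v3_module'; }

# stdin: nginx -T output. Prints the port of each uncommented "listen ... quic".
quic_ports() {
  sed 's/#.*//' | awk '$1 == "listen" { p = $2; q = 0
    for (i = 3; i <= NF; i++) { f = $i; sub(/;$/, "", f); if (f == "quic") q = 1 }
    if (q) { sub(/^.*:/, "", p); print p } }' | sort -u
}

# stdin: ss -Hlun output. True if a UDP socket is bound to port $1.
udp_bound() {
  awk -v p=":$1" '{ for (i = 1; i <= NF; i++) if ($i ~ (p "$")) ok = 1 }
    END { exit !ok }'
}

# stdin: response headers fetched over TCP. True if Alt-Svc advertises h3.
advertises_h3() { tr -d '\r' | grep -qiE '^alt-svc:.*h3="'; }

# Args: the four outputs as strings. Prints and returns the first failing layer.
diagnose() {
  local p ports
  printf '%s\n' "$1" | has_v3_module || { echo "build lacks http_v3 module"; return 1; }
  ports=$(printf '%s\n' "$2" | quic_ports)
  [ -n "$ports" ] || { echo "no 'listen ... quic' in loaded config"; return 2; }
  for p in $ports; do
    printf '%s\n' "$3" | udp_bound "$p" || { echo "nothing bound to udp/$p"; return 3; }
  done
  printf '%s\n' "$4" | advertises_h3 || { echo "no Alt-Svc h3 header"; return 4; }
  echo "server side OK; if clients still fail, check firewalls for udp/$p"
}

# Constructed sample input (not captured from a real host).
SAMPLE_V='configure arguments: --with-http_v2_module --with-http_v3_module'
SAMPLE_T='    listen 443 ssl default_server reuseport;
    listen [::]:443 quic default_server reuseport;
    # listen 8443 quic;'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:443 0.0.0.0:*
UNCONN 0 0 [::]:443 [::]:*'
SAMPLE_HDR='HTTP/2 200
alt-svc: h3=":443"; ma=86400'

diagnose "$SAMPLE_V" "$SAMPLE_T" "$SAMPLE_SS" "$SAMPLE_HDR"
```

A return code of 3 means NGINX is not listening on UDP at all; a clean result with failing external checks points at packet filtering between the client and the server.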
I tried the steps on Kali Linux but they are not working; in particular, certbot is not downloading the cert and authorization fails, though I have full connectivity and port 80 open. Also, how do I enable curl for QUIC and HTTP3 access? I request you to share more detailed info.
The server block config also says, while running nginx -t, that it needs the http3 module enabled.
Just updated the content, please refer to this.
I followed the above steps on an Ubuntu 22.04 server, but I am getting this error, "QUIC connection could not be established", whenever I put my domain in https://http3check.net. Please help if you have any solution. My nginx version is 1.27.0. When I run nginx -V, this is the result I am getting:
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 3.0.2 15 Mar 2022 (running with OpenSSL 3.1.5 30 Jan 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.27.0/debian/debuild-base/nginx-1.27.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Due to firewall rules? Please make sure the udp/443 port is allowed in the firewall.