Browsers show "h3" but HTTP3Check shows an error [nginx v.1.25.3]


I have started to transfer my websites from Apache to Nginx because of its pre-built QUIC support, but I am stuck on the http3check.net verification. It gives me an error: HTTP3Check result

However, browsers show "h3" in the Network tab: Chrome DevTools

My nginx.conf:


# Worker processes run as the unprivileged www-data account; one worker per CPU core.
user  www-data;
worker_processes  auto;

# Log at "notice" level and above; the master process PID is written to the pid file.
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


# Connection processing: each worker may hold up to 1024 simultaneous connections.
events {
    worker_connections  1024;
}


# Main HTTP context: caching zones, log formats, TLS and compression defaults
# shared by every virtual host included from conf.d at the end of the block.
http {
    # Shared-memory zone "my_cache" (10 MB of keys, up to 1 GB on disk, entries
    # dropped after 60 minutes without access) for responses cached by proxy_cache.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    # Same fields as a combined log plus $http3, which records the negotiated
    # protocol ("h3" or "hq") for QUIC connections and is empty otherwise. This
    # log is the quickest way to see whether an external checker's request
    # actually arrived over HTTP/3.
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http3"';

    # Both access_log directives are active, so each request is written to both files.
    access_log /var/log/nginx/access_http3.log quic;
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    tcp_nopush     on;

    ##
    # SSL Configuration
    ##

    # TLS 1.3 only: QUIC requires TLS 1.3, and with this setting TCP clients
    # limited to TLS 1.2 or older are refused as well.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;


    ##
    # FastCGI Cache Settings
    ##

    # NOTE(review): the cache directory lives under /etc and no fastcgi_cache
    # directive is visible in the configs shown, so this zone looks unused.
    # If it is enabled elsewhere, ignoring Cache-Control and Expires means
    # responses PHP marked private or no-cache can still be stored, and the
    # key below carries no per-user component - confirm before enabling.
    fastcgi_cache_path /etc/nginx-cache levels=1:2 keys_zone=phpcache:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_ignore_headers Cache-Control Expires;
    


# Response compression. text/html is always compressed once gzip is on, in
# addition to the types listed below.
# NOTE(review): compressing TLS responses that combine secrets with reflected
# request data is the precondition for BREACH-style length side channels;
# confirm no such pages are served, or exclude them from compression.
gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;

# Responses shorter than 256 bytes are sent uncompressed.
gzip_min_length 256;
gzip_types
  application/atom+xml
  application/geo+json
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rdf+xml
  application/rss+xml
  application/xhtml+xml
  application/xml
  font/eot
  font/otf
  font/ttf
  image/svg+xml
  text/css
  text/javascript
  text/plain
  text/xml;
    
    keepalive_timeout  65;

    # Per-site server blocks are loaded from here.
    include /etc/nginx/conf.d/*.conf;
}

My kvlk.me.conf:


# Chooses the value handed to the "expires" directive from the response Content-Type:
# HTML is marked as already expired (epoch), CSS and JavaScript get the maximum lifetime.
# NOTE(review): the plain entries are compared against the whole header value, so a
# Content-Type carrying a charset parameter would presumably fall through to "default" - confirm.
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    # NOTE(review): this regex is tested against the Content-Type value, not the
    # request URI, so it looks unlikely to ever match - confirm the intent.
    ~assets/                    max;

}
# HTTPS virtual host for kvlk.me: HTTP/1.1 and HTTP/2 over TCP 443, HTTP/3 over UDP 443,
# with PHP handled by PHP-FPM.
server {
    # TCP listeners (TLS) for HTTP/1.1 and HTTP/2.
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    # QUIC listeners on UDP 443. UDP 443 has to be reachable from outside for an
    # external checker to connect - confirm firewall and security-group rules.
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http3 on;
    # hq-interop is the protocol used for QUIC interoperability testing.
    # NOTE(review): probably not needed on a production site.
    http3_hq on;
    # Address validation with Retry packets before connection state is committed,
    # which limits the effect of spoofed source addresses.
    quic_retry on;
    quic_gso on;
    # 0-RTT early data can be replayed by a network attacker. The backend has to be
    # told which requests arrived as early data so it can refuse non-idempotent ones.
    # NOTE(review): nothing visible in this file passes $ssl_early_data to PHP-FPM.
    ssl_early_data on;
    index index.php;
    expires $expires;

    server_name kvlk.me;
    
    root /var/www/kvlk.me/landing;
 #   listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/kvlk.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kvlk.me/privkey.pem; # managed by Certbot
    
    ssl_protocols TLSv1.3;
    # NOTE(review): this include is not shown; confirm it does not set TLS
    # protocol or cipher options that conflict with the ones chosen in this file.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # DH parameters apply to DHE key exchange in TLS 1.2 and older; they are not
    # used by TLS 1.3 handshakes.
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
                # add_header directives are inherited from an outer level only when the
                # current level defines none, and they apply to responses produced in
                # this location. "/" is served through index.php and the rewrites below
                # end in "last", so those requests are handled by "location ~ \.php$",
                # which sets no Alt-Svc: PHP responses therefore most likely carry no
                # HTTP/3 advertisement.
                # Without "always" a header is added only for a fixed set of success and
                # redirect status codes.
                add_header Alt-Svc 'h3=":$server_port"; ma=86400';
                add_header x-quic 'h3';
                
                add_header X-protocol $server_protocol always;        
    
                # NOTE(review): no proxy_pass is visible in this location, so the
                # proxy_cache_* and proxy_set_header directives below appear to have
                # no effect on the PHP requests.
                proxy_cache my_cache;
                proxy_cache_valid 200 30m;
                proxy_cache_valid 404 1m;
                proxy_cache_key "$request_method$host$request_uri";
                proxy_cache_lock on;
                proxy_cache_lock_timeout 5s;
                add_header X-Proxy-Cache $upstream_cache_status;
                # Intended to let the backend detect 0-RTT early data so it can reject
                # replayable requests (see RFC 8446 and the nginx documentation).
                # proxy_set_header only affects requests sent with proxy_pass; requests
                # sent with fastcgi_pass need the value passed as a FastCGI parameter.
                proxy_set_header Early-Data $ssl_early_data;# Standard proxying headers
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# SSL proxying headers
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Ssl on;
                # Pretty URLs: when no file matches, /<view> and /<view>/<id> are
                # rewritten to index.php. Both captures are client-controlled and
                # must be validated by index.php.
                if (!-e $request_filename){
                    rewrite ^/([^/]*)$ /index.php?view=$1 last;
                }
                if (!-e $request_filename){
                    rewrite ^/([^/]*)/([^/]*)$ /index.php?view=$1&id=$2 last;
                }
        
    }
    # /api/<action> is rewritten to worker.php; the action value is client-controlled
    # and must be checked against the set of allowed actions in worker.php.
    location /api {
                rewrite ^/api/([^/]*)$ /worker.php?action=$1 last;
    }
    # Every .php request ends up here, including the rewritten ones above.
    # NOTE(review): no add_header and no early-data parameter are set at this level;
    # the included snippet is not shown - confirm what it defines.
    location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

}
# Plain-HTTP virtual host on port 80: redirects kvlk.me to HTTPS and answers 404
# for any other Host value.
server {
    # The h3-27/h3-28/h3-29 entries are pre-standard draft tokens.
    # NOTE(review): Alt-Svc received over cleartext HTTP is generally not honoured by
    # browsers, and without "always" the header is not added to the 404 below - confirm
    # this directive is placed where it is meant to take effect.
    add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';
  
    # Permanent redirect to the HTTPS site, keeping the requested path and query string.
    if ($host = kvlk.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



    server_name kvlk.me;
    listen 80;
    # Reached only when the Host check above did not match.
    return 404; # managed by Certbot


}

I have spent a day looking for the reason... Can you help me please?

"nginx -V" output:

nginx version: nginx/1.25.3
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.25.3/debian/debuild-base/nginx-1.25.3=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
KovMus On

I had to add

# Advertises HTTP/3 on UDP 443 for 24 hours (ma=86400). Placed at the http level,
# the header is inherited by every server and location that defines no add_header
# of its own, which presumably includes the PHP location in the question's site config.
# NOTE(review): h3-27/h3-28/h3-29 are pre-standard draft tokens; the final "h3" entry
# is presumably the only one current clients use - confirm before keeping the rest.
add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';

to nginx.conf, not to my site config. Problem solved!