Add quic protocol support, fix port 80 reference to external_http_port

2021-05-30 17:28:16 -04:00 · 2021-05-30 17:28:16 -04:00 · c94f486e3e
commit c94f486e3e
parent 3aa2f531d9
1 changed files with 32 additions and 7 deletions
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -166,6 +166,10 @@ proxy_set_header Proxy "";
 {{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}

 {{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
+{{ $http2 := (or (and (not $.Env.DISABLE_HTTP2) "http2") "") }}
+{{ $enable_http3 := eq (or ($.Env.ENABLE_HTTP3) "") "true" }}
+{{ $alt_svc := or ($.Env.ALT_SVC) "h3-28=\":" $external_https_port "\"; ma=86400, h3-29=\":" $external_https_port "\"; ma=86400" }}
+
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
 	server_tokens off;
@ -181,13 +185,20 @@ server {
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
 	server_tokens off;
-	listen {{ $external_https_port }} ssl http2;
+	{{ if $enable_http3 }}listen {{ $external_https_port }} quic reuseport;{{ end }}
+	listen {{ $external_https_port }} ssl {{ $http2 }};
 	{{ if $enable_ipv6 }}
-	listen [::]:{{ $external_https_port }} ssl http2;
+	{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic reuseport;{{ end }}
+	listen [::]:{{ $external_https_port }} ssl {{ $http2 }};
 	{{ end }}
 	{{ $access_log }}
 	return 503;

+	{{ if $enable_http3 }}
+        # Add Alt-Svc header to negotiate HTTP/3.
+        add_header alt-svc '{{ $alt_svc }}';
+	{{ end }}
+
 	ssl_session_cache shared:SSL:50m;
 	ssl_session_tickets off;
 	ssl_certificate /etc/nginx/certs/default.crt;
@ -315,12 +326,19 @@ server {
 	{{ if $server_tokens }}
 	server_tokens {{ $server_tokens }};
 	{{ end }}
-	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+	listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 	{{ if $enable_ipv6 }}
-	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+	listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 	{{ end }}
 	{{ $access_log }}

+	{{ if $enable_http3 }}
+        # Add Alt-Svc header to negotiate HTTP/3.
+        add_header alt-svc '{{ $alt_svc }}';
+	{{ end }}
+
 	{{ if eq $network_tag "internal" }}
 	# Only allow traffic from internal clients
 	include /etc/nginx/network_internal.conf;
@ -398,7 +416,7 @@ server {
 	{{ end }}
 	listen {{ $external_http_port }} {{ $default_server }};
 	{{ if $enable_ipv6 }}
-	listen [::]:80 {{ $default_server }};
+	listen [::]:{{ $external_http_port }} {{ $default_server }};
 	{{ end }}
 	{{ $access_log }}

@ -444,13 +462,20 @@ server {
 	{{ if $server_tokens }}
 	server_tokens {{ $server_tokens }};
 	{{ end }}
-	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_http3 }}listen {{ $external_https_port }} quic {{ $default_server }};{{ end }}
+	listen {{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 	{{ if $enable_ipv6 }}
-	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_http3 }}listen [::]:{{ $external_https_port }} quic {{ $default_server }};{{ end }}
+	listen [::]:{{ $external_https_port }} ssl {{ $http2 }} {{ $default_server }};
 	{{ end }}
 	{{ $access_log }}
 	return 500;

+	{{ if $enable_http3 }}
+        # Add Alt-Svc header to negotiate HTTP/3.
+        add_header alt-svc '{{ $alt_svc }}';
+	{{ end }}
+
 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
 }