[FEATURE REQUEST] HTTP/3 support

[pdiaz]

Several companies are working on HTTP/3 support, including on NGINX.

What are the plans related to support this new and exciting protocol?

One first step would be to enable it with https://github.com/cloudflare/quiche/blob/master/extras/nginx/nginx-1.16.patch

[aledbf]

@pdiaz we use the openresty distribution so this feature requires support from that project first. Someone already asked a similar question here openresty/openresty#556

[pdiaz]

The controller is currently build using openresty but seems that everything is contained on this repository. A first step would be to build nginx with the Cloudflare patch...

https://github.com/kubernetes/ingress-nginx/blob/master/images/nginx/rootfs/build.sh#L444

[aledbf]

No, sorry. This must be present in openresty firsts. We cannot add this feature without the QA process they have to ensure nothing breaks.

That said, you can fork the repository and build and maintain the feature in your fork.

[pdiaz]

Sure I can fork it. It's also better to collaborate with other people instead of trying to make all this on my own. Is anyone interested in joining forces?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ernst77]

So no http3 support?

[iakat]

/reopen

[k8s-ci-robot]

@sim1: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pdiaz]

/reopen

[k8s-ci-robot]

@pdiaz: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[iakat]

/remove-lifecycle rotten

[francescov1]

When can we expect HTTP3 to be supported? Is there any changes in configuration that will need to be made, or will it simply require upgrading versions?

[Kullu14]

I am also looking for HTTP3 support in openresty. Is it supported yet ?

[strongjz]

/kind feature

[k8s-triage-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[pdiaz]

/remove-lifecycle stale

[unixfox]

/remove-lifecycle stale

[stalkerg]

HTTP/3 has some issues with SSL implementations it's why difficult to add it into NGINX. Basically, the responsibility between SSL lib and HTTP server became is dramatically different because we should support UDP protocol QUIC.

[strongjz]

/lifecycle frozen

[henricook]

How do you think this issue will be resolved across webservers as a whole, it sounds like it might be a problem for software other than NGINX that does a similar thing (e.g. Apache) if I'm understanding correctly?

TL;DR Please let me know what/where I can file my upvotes so that I can cover up my website's performance woes with the new, faster protocol

[cdobbyn]

Now that rfc9114 is published as a proposed standard theoretically webserver devs will probably be working on making this no longer experimental. Looks like traefik has it in experimental state for use with their ingress now, not that it helps ingress-nginx users.

[cdobbyn]

Looks like it saw quite a bit of iteration but not merged / released yet unless I'm reading that wrong.
https://hg.nginx.org/nginx-quic/graph/tip

[strongjz]

We are in the middle of a stabilization project, working reducing chess, making release faster and prepping for the gateway api. Right now an experimental is counterintuitive to that.

We support it eventually but right it is not a priority.

[dockercore]

Expect to support http3.0 as soon as possible
2022年08月19日 星期五 14时53分28秒 -0.422328 秒

[clywm520]

什么时候支持HTTP3.0呢 traefik已经支持HTTP3.0了

[clywm520]

When will HTTP3.0 be supported? Traefik has already supported HTTP3.0.

[jkroepke]

For all the people that ask, wenn HTTP/3 is available:

Subscribe

• HTTP/3 openresty/openresty#741

Once merged and released on Openresty, come back.

[clywm520]

nginx-1.25.0 已经支持http3.0.　　nginx-ingress 什么时候支持呢

[tao12345666333]

There is a new PR to upgrade OpenResty core to NGINX v1.25+.
openresty/openresty#920

[alextes]

PR landed! 🎉 - openresty/openresty#920

What work remains to be done? Perhaps others could contribute the implementation (:

[anyidea]

any progress?

[tao12345666333]

#10668

Upgraded NGINX to v1.25.3

[koehn]

The current 1.10.0 release doesn’t seem to include http3 support:

nginx version: nginx/1.25.3
built by gcc 13.2.1 20231014 (Alpine 13.2.1_git20231014) 
built with OpenSSL 3.1.4 24 Oct 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -Wno-cast-function-type' --with-ld-opt='-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit --add-module=/tmp/build/set-misc-nginx-module --add-module=/tmp/build/headers-more-nginx-module --add-module=/tmp/build/ngx_http_substitutions_filter_module --add-module=/tmp/build/lua-nginx-module --add-module=/tmp/build/stream-lua-nginx-module --add-module=/tmp/build/lua-upstream-nginx-module --add-dynamic-module=/tmp/build/nginx-http-auth-digest --add-dynamic-module=/tmp/build/ModSecurity-nginx --add-dynamic-module=/tmp/build/ngx_http_geoip2_module --add-dynamic-module=/tmp/build/ngx_brotli

Also ngx_http_v3_module is not in /etc/nginx/modules. If you try turning on quic you get an error:

2024/02/29 14:59:29 [emerg] 347#347: the "quic" parameter requires ngx_http_v3_module in /etc/nginx/nginx.conf:288

This is probably a good thing, as nginx 1.25.4 fixes some http3-related security CVEs.

[zengyuxing007]

Looking forward to Ingress support for HTTP/3.

[koehn]

Recent(-ish) fixes to OpenResty allow it to be built with http3 support. Hopefully that will trickle down to ingress-nginx shortly.

[H0llyW00dzZ]

Any new progress ?

[Mmx233]

Any new progress ?

According to nginx-1.25 readme, we will be close to the goal after the final release of OpenSSL 3.4.0. The OpenSSL final release is currently scheduled for 2024/10/14 according to OpenSSL 3.4.0 Project Schedule. It is worth celebrating that OpenSSL 3.4.0 alpha has been successfully released on schedule. I believe HTTP/3 will be usable in about one or two months.

[Mmx233]

It seems like support for Quic Server is moved to OpenSSL 3.5.

See: openssl/project#52

[strongjz]

Im go to close this as we wont want to add support for this as we are migrating to Ingate.

More discussion here https://www.youtube.com/watch?v=KLwsV6_DntA

[passcod]

Uhhh can you clarify whether Ingate (also I can't find the ingate repo???) will have HTTP/3 support and please link the issue tracking that if it's not already implemented?

[strongjz]

Uhhh can you clarify whether Ingate (also I can't find the ingate repo???) will have HTTP/3 support and please link the issue tracking that if it's not already implemented?

We'll have it on the 27th to start the implementation.

https://groups.google.com/g/kubernetes-sig-network/c/klXafeV2lPA/m/ZgLIW0n0BgAJ

Again, once openssl and nginx support, InGate should be able to. Whether it will be in ingress, gateway, or both, we will have to discuss it in the repo.