h3.nginx.conf

server {
  listen 80;
  server_name localhost;

  return 301 https://$host$request_uri;
}

# HTTPS server
#
server {
  # Enable QUIC and HTTP/3.
  listen 443 quic reuseport;
  # Ensure that HTTP/2 is enabled for the server
  listen 443 ssl http2;
  server_name localhost;

  http2_push_preload on;

  gzip on;
  gzip_http_version 1.1;
  gzip_vary on;
  gzip_comp_level 6;
  gzip_proxied any;
  gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
  gzip_buffers 16 8k;
  gzip_min_length 1024;
  gzip_disable msie6;

  brotli on;
  brotli_types text/plain text/css application/json application/javascript application/x-javascript text/javascript;
  brotli_comp_level 6;

  # Enable TLS versions (TLSv1.3 is required for QUIC).
  ssl_protocols TLSv1.2 TLSv1.3;

  ssl_certificate /etc/ssl/localhost.pem;
  ssl_certificate_key /etc/ssl/private/localhost.key;
  ssl_trusted_certificate /etc/ssl/localhost.pem;

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;

  # Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
  # prevent replay attacks.
  #
  # @see: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
  ssl_early_data on;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  # Add Alt-Svc header to negotiate HTTP/3.
  add_header alt-svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
  # Debug 0-RTT.
  add_header X-Early-Data $tls1_3_early_data;

  add_header x-frame-options "deny";
  add_header Strict-Transport-Security "max-age=31536000" always;

  root /usr/share/nginx/html;
  index index.html index.htm;
}

map $ssl_early_data $tls1_3_early_data {
  "~." $ssl_early_data;
  default "";
}