added: configuration file for enabling QUIC and HTTP3

ammnt · ammnt · commit db65f0e9bfcd · 2024-12-29T18:29:15.000+03:00
diff --git a/nginx_http3.conf b/nginx_http3.conf
@@ -0,0 +1,171 @@
+# This is an example of a configuration file for enabling QUIC and HTTP3. Further configuration is required.
+worker_processes auto;
+worker_rlimit_nofile 65536;
+pid /tmp/nginx.pid;
+lock_file /tmp/nginx.lock;
+pcre_jit on;
+
+events {
+    worker_connections 8192;
+    multi_accept on;
+    accept_mutex on;
+    use epoll;
+}
+
+http {
+    sendfile on;
+    aio threads;
+    tcp_nopush on;
+    tcp_nodelay on;
+    reset_timedout_connection on;
+    send_timeout 2;
+    client_body_timeout 60;
+    client_body_buffer_size 10M;
+    client_max_body_size 10M;
+    keepalive_timeout 60;
+    server_tokens off;
+    types_hash_max_size 4096;
+    http2 on;
+    http3 on;
+    ssl_early_data on;
+    ssl_session_cache shared:SSL:60m;
+    ssl_session_tickets off;
+    ssl_session_timeout 1440m;
+    ssl_buffer_size 4k;
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_ecdh_curve X25519:secp521r1:secp384r1;
+    ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20;
+    ssl_conf_command Options ServerPreference,PrioritizeChaCha;
+    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20;
+    ssl_prefer_server_ciphers on;
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_ocsp on;
+    ssl_ocsp_cache shared:ocspSSL:60m;
+    ssl_verify_depth 2;
+    resolver_timeout 300s;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;
+    add_header Content-Security-Policy upgrade-insecure-requests always;
+    add_header Alt-Svc 'h3=":443"; quic=":443"; ma=86400; persist=1' always;
+    add_header QUIC-Status $http3;
+    quic_retry on;
+    quic_gso on;
+    log_format simple '$ssl_server_name $scheme $ssl_alpn_protocol $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
+    log_format main escape=json '{"@timestamp": "$time_iso8601","ssl_server_name": "$ssl_server_name","scheme": "$scheme","ssl_alpn_protocol": "$ssl_alpn_protocol","status": "$status","ssl_protocol": "$ssl_protocol","server_protocol": "$server_protocol","ssl_curve": "$ssl_curve","ssl_cipher": "$ssl_cipher"}';
+    log_format debug escape=json '{'
+                                '"@timestamp": "$time_iso8601", '
+                                '"msec": "$msec", '
+                                '"connection": "$connection", '
+                                '"connection_requests": "$connection_requests", '
+                                '"pid": "$pid", '
+                                '"request_id": "$request_id", '
+                                '"request_length": "$request_length", '
+                                '"remote_addr": "$remote_addr", '
+                                '"remote_user": "$remote_user", '
+                                '"remote_port": "$remote_port", '
+                                '"time_local": "$time_local", '
+                                '"request": "$request", '
+                                '"request_uri": "$request_uri", '
+                                '"args": "$args", '
+                                '"status": "$status", '
+                                '"body_bytes_sent": "$body_bytes_sent", '
+                                '"bytes_sent": "$bytes_sent", '
+                                '"http_referer": "$http_referer", '
+                                '"http_user_agent": "$http_user_agent", '
+                                '"http_x_forwarded_for": "$http_x_forwarded_for", '
+                                '"http_host": "$http_host", '
+                                '"host": "$host", '
+                                '"ssl_server_name": "$ssl_server_name", '
+                                '"ssl_alpn_protocol": "$ssl_alpn_protocol", '
+                                '"server_name": "$server_name", '
+                                '"request_time": "$request_time", '
+                                '"upstream": "$upstream_addr", '
+                                '"upstream_connect_time": "$upstream_connect_time", '
+                                '"upstream_header_time": "$upstream_header_time", '
+                                '"upstream_response_time": "$upstream_response_time", '
+                                '"upstream_response_length": "$upstream_response_length", '
+                                '"upstream_cache_status": "$upstream_cache_status", '
+                                '"ssl_protocol": "$ssl_protocol", '
+                                '"ssl_cipher": "$ssl_cipher", '
+                                '"ssl_curve": "$ssl_curve", '
+                                '"scheme": "$scheme", '
+                                '"request_method": "$request_method", '
+                                '"server_protocol": "$server_protocol", '
+                                '"pipe": "$pipe", '
+                                '"gzip_ratio": "$gzip_ratio", '
+                                '"http_cf_ray": "$http_cf_ray", '
+                                '"http_x_forwarded_proto": "$http_x_forwarded_proto" '
+                                '}';
+    access_log /dev/stdout simple;
+    error_log stderr warn;
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    brotli on;
+    brotli_comp_level 6;
+    brotli_static on;
+    brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
+                 application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
+                 application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
+                 font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
+                 image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+
+    default_type application/octet-stream;
+    include /etc/nginx/mime.types;
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path /tmp/proxy_temp_path;
+    fastcgi_temp_path /tmp/fastcgi_temp;
+
+    proxy_buffering on;
+    proxy_buffer_size 16k;
+    proxy_busy_buffers_size 24k;
+    proxy_buffers 384 4k;
+    proxy_max_temp_file_size 0;
+
+    server {
+    listen 8080 default_server fastopen=256;
+    listen [::]:8080 default_server fastopen=256;
+    listen 8443 default_server quic reuseport;
+    listen [::]:8443 default_server quic reuseport;
+    listen 8443 default_server ssl fastopen=256;
+    listen [::]:8443 default_server ssl fastopen=256;
+    server_name test.example.com;
+
+    if ($scheme = http) {
+        return 308 https://test.example.com$request_uri;
+    }
+    if ($host = 'www.test.example.com') {
+        rewrite ^/(.*)$ https://test.example.com/$1 permanent;
+    }
+    if ($host != 'test.example.com') {
+        return 308 https://test.example.com$request_uri;
+    }
+    if ($request_method !~ ^(GET|POST|PUT)$) {
+        return '405';
+    }
+
+    location / {
+      root /var/www/html;
+      index index.html index.htm;
+
+      limit_except GET POST PUT {
+      deny all;
+      }
+    }
+
+    location /robots.txt {
+        return 200 "User-agent: *\nDisallow: /\n";
+    }
+  }
+}
