@JappeHallunken
Collaborator

Nginx throws a warning at startup, because

"listen ... http2" directive is deprecated, use the "http2" directive instead

Changed from

listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
listen 443 ssl http2; # managed by Certbot

to

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
http2 on;

Owner

@MichaIng MichaIng left a comment


This directive appeared with Nginx 1.25.1, hence it is not available on Debian Bookworm and below yet. On Trixie, we might want to add the quic parameter instead. Weirdly there is an http3 directive, which is however enabled by default, but without QUIC it seems, and the http2 directive is still off by default. So inconsistent. So:

  • Up to Bookworm: Keep things as they are
  • From Trixie on: Replace http2 argument with quic, and add http2 directive instead.

@JappeHallunken
Collaborator Author

I did a bit of testing and IDK if http3 is worth it yet.
For a working config we would need to add some more stuff:

    # QUIC and HTTP/3 (UDP)
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;

    # HTTP/1.1 and HTTP/2 fallback (TCP)
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    # Advertise HTTP/3 availability to clients
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    # optional:
    # QUIC settings (http3 is on by default)
    quic_retry on;      # Address validation (DDoS protection)
    quic_gso on;        # Generic Segmentation Offload (performance)

see https://nginx-wiki.getpagespeed.com/config/http3/#full-production-configuration

But the biggest hurdle would be that the user would need to forward port 443 on UDP too. I doubt anybody is aware of that unless they really want QUIC for some specific reason.

@MichaIng
Owner

Oh, it needs a dedicated listen directive. Hmm, I mean it is the future, and it looks like the syntax will remain like this to split listen by port and UDP vs TCP. And it does not hurt to enable it even if ports are not forwarded, does it? For local access anyway, and we can add QUIC info to our docs.

@MichaIng MichaIng added this to the v10.0 milestone Dec 14, 2025
@MichaIng MichaIng force-pushed the fix/nginx-http2-syntax branch from daa84b5 to dc4b7c5 on January 5, 2026 14:29
@MichaIng MichaIng changed the title from "correct syntax for enabling http2 in nginx. current syntax is deprecated" to "dietpi-letsencrypt: update HTTP/2 syntax and add HTTP/3/QUIC" Jan 5, 2026
Apply "http2" parameter on Bookworm, and new "http2" directive as well as HTTP/3 with QUIC from Trixie on, where it is supported.

Also apply each directive separately, always preserving any existing matching directive.
@MichaIng
Owner

MichaIng commented Jan 5, 2026

Old vs new way is now applied depending on Debian version, and I split each of them into a separate sed or G_CONFIG_INJECT call, so that existing directives are preserved.

It applies correctly on a manually prepared default config, the block looks like this:

        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        quic_retry on; # Address validation (DDoS protection)
        quic_gso on; # Generic Segmentation Offload (performance)
        add_header Alt-Svc 'h3=":443"; ma=86400' always; # Advertise HTTP/3 availability to clients
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;

The syntax test only fails, as expected, on the first listen ... ssl or listen ... quic line, as I did not add a TLS certificate.

@JappeHallunken you escaped the Alt-Svc header to contain h3=\"\:443\" literally. I guess this is not needed when using single quotes around the header value, right?
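
How the Debian-version-dependent, directive-by-directive application described in this comment could look in plain POSIX sh. This is an added example and not DietPi's G_CONFIG_INJECT code; the Debian codename mapping, the anchor on the default server block's `listen [::]:80 default_server;` line and the duplicate-detection rules are assumptions made here.

```shell
# Added example, not DietPi's own code: apply the Debian-version-dependent nginx
# HTTP/2 (and, from Trixie on, HTTP/3/QUIC) syntax from this PR to a server block,
# one directive at a time, never touching a directive that already exists.
# http2 directive and QUIC appeared in nginx 1.25.1: assumed missing on Bookworm and
# older, present from Trixie on. Prints codename $1's directives in insertion order.
tls_directives() {
  case $1 in
    buster|bullseye|bookworm)
      printf '%s\n' 'listen 443 ssl http2;' 'listen [::]:443 ssl http2;' ;;
    *)
      printf '%s\n' 'listen 443 quic reuseport;' 'listen [::]:443 quic reuseport;' \
        'quic_retry on;' "add_header Alt-Svc 'h3=\":443\"; ma=86400' always;" \
        'listen 443 ssl;' 'listen [::]:443 ssl;' 'http2 on;' ;;
  esac
}

# Duplicate-detection key: listen by address and transport, add_header by name.
directive_key() {
  set -f; set -- $1; set +f   # split into tokens without glob-expanding [::]
  case $1 in
    listen)     printf '%s %s %s' "$1" "$2" "${3%;}" ;;
    add_header) printf '%s %s' "$1" "$2" ;;
    *)          printf '%s' "$1" ;;
  esac
}

# True if config $1 has a directive with key $2 as a whole token at line start.
has_directive() {
  awk -v k="$2" '{ sub(/^[ \t]+/, ""); n = substr($0, length(k) + 1, 1)
      if (substr($0, 1, length(k)) == k && (n == " " || n == ";" || n == "")) f = 1 }
    END { exit !f }' "$1"
}

# Insert directive $2 into $1 right after the first line containing string $3.
insert_after() {
  awk -v a="$3" -v d="$2" '{ print } !done && index($0, a) { print "        " d; done = 1 }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Apply codename $2's directives to config $1 below the default block's :80 listen line.
apply_tls_directives() {
  anchor='listen [::]:80 default_server;'
  tls_directives "$2" | while IFS= read -r d; do
    if ! has_directive "$1" "$(directive_key "$d")"; then
      insert_after "$1" "$d" "$anchor"
      anchor=$d   # each new line follows the previous, keeping the PR's order
    fi
  done
}
```

Running it twice, or running the Trixie variant over a config that already carries the Bookworm-style `listen ... ssl http2;` lines, leaves those lines untouched and adds only what is missing.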

@MichaIng MichaIng self-requested a review January 5, 2026 15:41
@JappeHallunken
Collaborator Author

@JappeHallunken you escaped the Alt-Svc header to contain h3=\"\:443\" literally. I guess this is not needed when using single quotes around the header value, right?

Yes, you’re right, only the single quotes need to be escaped.

@MichaIng MichaIng merged commit 90b988d into dev Jan 6, 2026
2 checks passed
@MichaIng MichaIng deleted the fix/nginx-http2-syntax branch January 6, 2026 10:09