Learn about the benefits of the new QUIC/HTTP3 protocol and how to configure NGINX for QUIC in this webinar and hands-on lab.
Size: 1.4 MB
Language: en
Added: Apr 19, 2023
Slides: 24 pages
Slide Content
Getting Hands On with QUIC + HTTP/3
Robert Haynes, NGINX Technical Marketing
Housekeeping
- This webinar will be recorded
- The slides will be available to view
- The labs will be available for a few hours after the event
- To get to the recording and slides, visit the same link you used to attend the webinar
Agenda
- What is QUIC?
- QUIC + HTTP/3 compared to TCP + TLS + HTTP/1-2
- NGINX QUIC installation
- NGINX QUIC configuration
- NGINX directives and variables
- Lab overview
- Hands-on lab
- Wrap up
The What and Why of QUIC + HTTP/3
What is QUIC? QUIC is a transport layer built on top of UDP that manages connections, encryption, and streams.
Why QUIC? To improve the speed and security of web (and other) traffic.
Why not improve TCP? Because TCP is implemented in the operating-system kernel (Linux and others), so changes are slow to ship, and because 'middleboxes' on the path drop or rewrite TCP traffic they do not recognise. Running QUIC over UDP, in user space and encrypted end to end, sidesteps both problems.
QUIC + HTTP/3 Compared to TCP + TLS + HTTP/1-2

Function               TCP + TLS + HTTP/1-2         UDP + QUIC + HTTP/3
Request and response   HTTP/1 or HTTP/2             HTTP/3
Streams                HTTP/2 (none in HTTP/1.1)    QUIC
Encryption             TLS                          QUIC
Reliable delivery      TCP                          QUIC
Data transport         TCP                          UDP
Addressing             IP                           IP
HTTP/1.1 vs HTTP/2 vs HTTP/3
- HTTP/1.1: one request at a time per connection; no server push; no HTTP header compression; text framing
- HTTP/2: streams for request multiplexing; server push; HPACK header compression; binary framing
- HTTP/3: stream multiplexing handled by QUIC; server push; QPACK header compression (HTTP/3's adaptation of HPACK for QUIC's independently delivered streams); binary framing
QUIC Streams vs HTTP/2 Streams
- TCP + HTTP/2: TCP is not aware of streams, which are HTTP/2 objects. Because TCP delivers bytes in order, one lost packet blocks every stream until the missing packet is retransmitted and the TCP session recovers (head-of-line blocking).
- QUIC + HTTP/3: QUIC knows which stream each fragment belongs to. Only the stream fragments carried in the lost packet must be retransmitted; streams whose data was not in the lost packet are delivered to HTTP/3 immediately.
QUIC + HTTP/3 Connection Establishment
Client -> Server: Initial, Client Hello
Server -> Client: Initial, Server Hello
QUIC connection setup combines connection establishment with the TLS 1.3 key exchange, so a connection is usable after a single round trip instead of TCP's handshake followed by a separate TLS handshake.
Potential DoS Issues with QUIC Connections
- Reflection attacks: compromised devices send QUIC connection attempts with a spoofed source IP (the victim's); the QUIC servers all respond to the victim.
- DDoS attacks on the server: compromised devices open QUIC connections from many spoofed source IPs; the QUIC server has to perform expensive crypto operations before it can respond.
Using Retry Packets and Minimum Packet Size
Client -> Server: Initial, Client Hello
Server -> Client: Retry + Token
Client -> Server: Initial + Token, Client Hello
Server -> Client: Initial, Server Hello (connection setup and TLS key exchange now proceed)
The server delays the expensive crypto operations until the client's address has been validated: only a client that really received the Retry can echo the token back. Client Initial packets must be at least 1200 bytes, which makes each spoofed connection attempt more 'expensive' for the attacker than the server's small Retry reply (until the address is validated, a QUIC server may send no more than three times the number of bytes it has received from that address).
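The Retry exchange above, modelled in Python as an added example that is not part of the deck and not NGINX code. It is not the RFC 9000 wire format: the token layout (timestamp followed by an HMAC), the per-server key, the 30-second lifetime and the address strings are assumptions made for illustration. The 1200-byte minimum for client Initial datagrams is the real QUIC requirement.

```python
"""Model of Retry-based address validation for QUIC Initial packets.

Added example, not NGINX code and not the RFC 9000 wire format: the token
layout (timestamp || HMAC), the per-server key, the 30 s lifetime and the
address strings are assumptions. The 1200-byte minimum is QUIC's real rule.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

MIN_INITIAL_BYTES = 1200      # clients must pad Initial datagrams to at least 1200 bytes
TOKEN_LIFETIME_S = 30         # assumption: how long a Retry token stays valid
_RETRY_KEY = os.urandom(32)   # assumption: per-server secret used to MAC tokens


def _token_mac(client_addr: str, issued_at: int) -> bytes:
    msg = client_addr.encode() + struct.pack("!Q", issued_at)
    return hmac.new(_RETRY_KEY, msg, hashlib.sha256).digest()


def issue_retry_token(client_addr: str, now: Optional[int] = None) -> bytes:
    """Build the token carried in a Retry: cheap (one HMAC) and bound to the address."""
    issued_at = int(time.time()) if now is None else now
    return struct.pack("!Q", issued_at) + _token_mac(client_addr, issued_at)


def validate_retry_token(token: bytes, client_addr: str, now: Optional[int] = None) -> bool:
    """True only if the token was issued to this exact address and has not expired."""
    if len(token) != 8 + 32:
        return False
    issued_at = struct.unpack("!Q", token[:8])[0]
    current = int(time.time()) if now is None else now
    if not 0 <= current - issued_at <= TOKEN_LIFETIME_S:
        return False
    return hmac.compare_digest(token[8:], _token_mac(client_addr, issued_at))


def handle_initial(client_addr: str, datagram_len: int, token: Optional[bytes] = None) -> str:
    """Decide what the server does with one client Initial.

    "drop"      undersized datagram: discard silently, nothing is reflected
    "retry"     address not validated yet: answer with a small Retry + token
    "handshake" token checks out: only now run the expensive TLS 1.3 work
    """
    if datagram_len < MIN_INITIAL_BYTES:
        return "drop"
    if token is None or not validate_retry_token(token, client_addr):
        return "retry"
    return "handshake"


if __name__ == "__main__":
    # Constructed scenario: an attacker spoofing the victim's address never sees
    # the Retry token, so it cannot push the server into the "handshake" state.
    victim = "203.0.113.7:4433"
    print(handle_initial(victim, 1200))                       # retry
    token = issue_retry_token(victim)
    print(handle_initial("198.51.100.9:5000", 1200, token))   # retry: token bound to another address
    print(handle_initial(victim, 1200, token))                # handshake
```

The point to take from the model is the ordering: the only work the server does for an unvalidated address is one HMAC and one small reply, and the heavy TLS work is gated on a token that a spoofed source can never obtain. This is what `quic_retry on;` switches on in NGINX.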
The Alt-Svc HTTP Header
TCP + TLS + HTTP/1.1 (first connection):
  Client <-> Server: TCP 3-way handshake
  Client <-> Server: TLS 1.3 key exchange
  Client -> Server: HTTP GET /
  Server -> Client: HTTP response with Alt-Svc header
UDP + QUIC + HTTP/3 (reconnection):
  Client -> Server: Initial, Client Hello
  Server -> Client: Initial, Server Hello
Most clients first connect over TCP + TLS + HTTP/1. The Alt-Svc header tells the client that the same service is available over HTTP/3, and the client reconnects over QUIC.
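What a client does with that header, as an added Python example (not browser code and not part of the deck). It parses the RFC 7838 grammar (comma-separated `alpn="[host]:port"; ma=<seconds>` entries, or the keyword `clear`) and picks the HTTP/3 endpoint to reconnect to; the header values used are constructed.

```python
"""Parse Alt-Svc headers and decide whether to reconnect over HTTP/3.

Added example, not browser or NGINX code. The grammar is RFC 7838's:
comma-separated  alpn="[host]:port"; ma=<seconds>  entries, or the keyword
"clear". Header values used with it here are constructed.
"""
import re
from typing import List, NamedTuple, Optional

DEFAULT_MAX_AGE = 86400   # RFC 7838 default when "ma" is absent

# protocol-id is an HTTP token; the quoted alt-authority follows the "="
_ALTERNATIVE = re.compile(r'([A-Za-z0-9!#$%&*+\-.^_`|~]+)="([^"]*)"')


class AltService(NamedTuple):
    alpn: str       # e.g. "h3" or a draft id such as "h3-29"
    host: str       # "" means the same host the origin response came from
    port: int
    max_age: int    # seconds the advertisement may be cached


def parse_alt_svc(header: str) -> List[AltService]:
    """Return the advertised alternatives; [] for "clear", empty or malformed input."""
    header = header.strip()
    if not header or header.lower() == "clear":
        return []
    services: List[AltService] = []
    for entry in header.split(","):
        parts = [p.strip() for p in entry.split(";")]
        m = _ALTERNATIVE.fullmatch(parts[0])
        if not m:
            continue                                  # unparseable entry: ignore, never guess
        alpn, authority = m.group(1), m.group(2)
        host, sep, port_text = authority.rpartition(":")
        if not sep or not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            continue                                  # missing or out-of-range port
        max_age = DEFAULT_MAX_AGE
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        services.append(AltService(alpn, host, int(port_text), max_age))
    return services


def choose_h3(header: str, supported=("h3", "h3-29")) -> Optional[str]:
    """Return ":port" for the first same-host alternative we can speak, else None.

    This example deliberately ignores alternatives that name a different host.
    RFC 7838 lets a client use those only after the alternative proves it is
    authoritative for the origin (a valid certificate), which is not modelled here.
    """
    for svc in parse_alt_svc(header):
        if svc.alpn in supported and svc.host == "" and svc.max_age > 0:
            return f":{svc.port}"
    return None
```

Fed the value from the configuration slide, `h3=":8443"; ma=86400`, the client learns to open a QUIC connection to the same host on UDP port 8443 and may cache that for a day; an `h2` entry, a different host, or `clear` leaves it on TCP.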
NGINX and QUIC + HTTP/3
HTTP/3 client -> NGINX: UDP | QUIC | HTTP/3 (one QUIC connection carrying multiple streams)
NGINX -> application server: TCP | HTTP/1.1 (multiple HTTP/1.1 connections)
NGINX terminates QUIC and HTTP/3 at the edge; the application server behind it needs no QUIC support.
NGINX QUIC "Fun" Facts
- NGINX QUIC is currently in preview
- NGINX QUIC is a separate package
- In future releases QUIC will be in mainline NGINX OSS and NGINX Plus
- This is (mostly) due to OpenSSL QUIC support timing
A Simple NGINX QUIC Configuration

```nginx
http {
    # Log the protocol each request used, so HTTP/3 adoption can be measured
    log_format quic '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$server_protocol"';
    access_log logs/access.log quic;

    server {
        # For better compatibility it is recommended to use the same port
        # for QUIC (UDP) and HTTPS (TCP)
        listen 8443 http3 reuseport;
        listen 8443 ssl;

        ssl_certificate     certs/example.com.crt;
        ssl_certificate_key certs/example.com.key;
        # QUIC requires TLS 1.3; note this also limits the TCP listener to TLS 1.3 clients
        ssl_protocols       TLSv1.3;

        location / {
            # Required so browsers learn the QUIC port and reconnect over HTTP/3
            add_header Alt-Svc 'h3=":8443"; ma=86400';
        }
    }
}
```
Some Additional QUIC Configuration Directives
- quic_bpf on; (context: main): use eBPF to route packets to worker processes
- quic_retry on; (context: http | stream, server): use Retry packets in connection setup to validate client addresses before doing crypto work
- ssl_early_data on; (context: http | stream, server): allow 0-RTT connection re-establishment. Caveat: 0-RTT data can be replayed by an attacker, so the application must not act on non-idempotent requests sent as early data; NGINX exposes $ssl_early_data so such requests can be flagged to the upstream (for example with an Early-Data header)
- quic_timeout <N>s; (context: http | stream, server): set timeouts for the connection
- quic_mtu <size>; (context: http | stream, server): limit the maximum UDP payload size
Additional HTTP/3 Directives and Variables
Directives:
- http3_push uri | off; (context: http, server, location): configures NGINX to preemptively send content to clients
- http3_max_concurrent_streams number; (context: http, server): maximum number of streams in a connection
Variables:
- $server_protocol: identifies the server protocol: "HTTP/1.0", "HTTP/1.1", "HTTP/2.0", or "HTTP/3.0"
- $http3: set to "quic" if the connection is using QUIC and not set otherwise; for logging and conditionals, prefer $server_protocol above
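Once the quic log_format from the configuration slide is in place, the $server_protocol field is what tells you whether Alt-Svc is actually moving clients to HTTP/3. The following is an added Python example, not part of the deck and not NGINX code: it parses that log format and summarises protocol use. The log lines are constructed, and it assumes NGINX writes "HTTP/3.0" in $server_protocol (as the slide states) and a synthesised request line such as "GET /app.js HTTP/3.0" in $request.

```python
"""Summarise HTTP/3 adoption from NGINX's 'quic' access log.

Added example, not NGINX code. SAMPLE_LOG is constructed data in the slide's
log_format:  remote_addr - remote_user [time_local] "request" status
body_bytes_sent "referer" "user_agent" "server_protocol"
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

_LINE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<proto>[^"]*)"$'
)

# Constructed sample: one browser that arrives over HTTP/1.1, gets Alt-Svc and
# comes back over HTTP/3; one curl client that stays on HTTP/2; one junk line.
SAMPLE_LOG = """\
198.51.100.4 - - [19/Apr/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "HTTP/1.1"
198.51.100.4 - - [19/Apr/2023:10:00:02 +0000] "GET /app.js HTTP/3.0" 200 4120 "-" "Mozilla/5.0" "HTTP/3.0"
198.51.100.4 - - [19/Apr/2023:10:00:02 +0000] "GET /app.css HTTP/3.0" 200 980 "-" "Mozilla/5.0" "HTTP/3.0"
203.0.113.9 - - [19/Apr/2023:10:00:05 +0000] "GET / HTTP/2.0" 200 612 "-" "curl/8.0.1" "HTTP/2.0"
203.0.113.9 - - [19/Apr/2023:10:00:06 +0000] "GET /api HTTP/2.0" 404 153 "-" "curl/8.0.1" "HTTP/2.0"
garbage line that does not match the format
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it is not in this format."""
    m = _LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["bytes"] = int(fields["bytes"])
    return fields


def protocol_summary(lines: Iterable[str]) -> Dict[str, int]:
    """Requests per $server_protocol value (HTTP/1.x, HTTP/2.0, HTTP/3.0)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["proto"]] += 1
    return dict(counts)


def h3_share(lines: Iterable[str]) -> float:
    """Fraction of parsed requests served over HTTP/3; 0.0 when nothing parsed."""
    counts = protocol_summary(lines)
    total = sum(counts.values())
    return counts.get("HTTP/3.0", 0) / total if total else 0.0


def clients_upgraded(lines: Iterable[str]) -> Set[str]:
    """Addresses seen both over TCP (HTTP/1.x or HTTP/2) and over HTTP/3.0,
    i.e. clients for which the Alt-Svc redirect demonstrably worked."""
    tcp: Set[str] = set()
    h3: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        (h3 if rec["proto"] == "HTTP/3.0" else tcp).add(rec["addr"])
    return tcp & h3


def count_unparsed(lines: Iterable[str]) -> int:
    """Lines that do not match the format. A non-zero count usually means the
    log_format in nginx.conf and this parser have drifted apart."""
    return sum(1 for line in lines if parse_line(line) is None)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(protocol_summary(lines))
    print(f"HTTP/3 share: {h3_share(lines):.0%}")
    print("upgraded clients:", clients_upgraded(lines))
    print("unparsed lines:", count_unparsed(lines))
```

Run against a real logs/access.log written with the slide's log_format, this answers the question the deck raises but cannot show in a 20-minute lab: how much traffic actually ends up on QUIC after the first TCP request, and which clients never follow the Alt-Svc hint.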
Questions?
Lab Time!
Lab Housekeeping
- Click the link in the Related Content box
- Complete the lab
- Estimated time: 20-30 minutes; maximum time: 45 minutes
- Attempts: 3
- Your invite is good for 3 hours
- Problems? Use the webinar chat!
Your Lab Environment: Shell, Instructions, Check button
Over to You!
Wrap Up
- Docs: https://quic.nginx.org
- Blogs: Binary packages: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/ ; QUIC networking primer: coming soon!
- Community: Slack: https://nginxcommunity.slack.com, post in the #quic-http3 channel