From 4ca745668ebe68dcbc60857ac73ec92a1dbae01c Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 22 Jul 2025 10:54:21 +0000
Subject: website add http3 quic support
---
 etc/nftables.conf | 2 ++
 etc/nginx/nginx.conf | 27 +++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
(limited to 'etc')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1fa3ce22..d10b4b2b 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -32,6 +32,8 @@ table inet my_table {
 udp dport swgp accept
 tcp dport http accept
 tcp dport https accept
+ # http3 quic
+ udp dport https accept
 # email related ports
 tcp dport smtp accept
 tcp dport pop3 accept
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 7e54af48..ebfd925a 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -48,6 +48,21 @@ http {
 listen 80;
 # needed for ipv6
 listen [::]:80;
+ # needed for http3 quic
+ # https://freenginx.org/en/docs/quic.html
+ # https://oheng.com/enabling-http-3-under-nginx/
+ #
+ # http3 quic can be testd with https://http3check.net
+ #
+ # Note reuseport should only be used once per address:port pair.
+ # https://serverfault.com/a/1000428 points out that
+ # https://freenginx.org/en/docs/http/ngx_http_core_module.html#listen
+ # wrote: "The listen directive can have several additional parameters
+ # specific to socket-related system calls. These parameters can be
+ # specified in any listen directive, but only once for a given
+ # address:port pair." Also see https://stackoverflow.com/q/76348128
+ listen 443 quic reuseport;
+ listen [::]:443 quic reuseport;
 # https://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
 listen 443 ssl;
 listen [::]:443 ssl;
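Review bot: The added `udp dport https accept` in etc/nftables.conf admits every UDP datagram to port 443 with no state or rate qualifier, and unlike the TCP rules beside it the source address of that traffic is unverified until the QUIC handshake validates it. The rest of the chain is outside this hunk, so whether an earlier rule already limits new flows cannot be told from here; if none does, a limiter ahead of the accept is worth considering, for example `udp dport https ct state new limit rate over 200/second drop` (the rate is an illustrative value to tune). I would also expand the comment to `# http3 quic (UDP 443); address validation is left to nginx` so the dependency on the web server configuration is recorded next to the rule.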
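Review bot: The two `listen ... quic reuseport;` lines in the -48 hunk of etc/nginx/nginx.conf open a UDP listener, but the commit adds no `quic_retry on;`, so nginx replies to an Initial packet before the client's address has been validated. Adding `quic_retry on;` next to the listeners (or once at `http` level, which would also cover the `listen 443 quic;` lines added at -137 and -158) makes the server issue a Retry token first. QUIC also requires TLS 1.3; no `ssl_protocols` line is visible in this commit, so it is worth confirming that any existing setting includes `TLSv1.3`. A small wording fix in the new comment: `testd` should read `tested`. The server block starts and ends outside the hunk.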
@@ -56,6 +71,10 @@ http {
 ssl_certificate /etc/postfix/flylightning.pem;
 ssl_certificate_key /etc/postfix/flylightning.key;
+ # needed for http3 quic
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Alt-Svc
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
 #charset koi8-r;
 #access_log logs/host.access.log main;
@@ -137,6 +156,8 @@ http {
 server {
 listen 80;
 listen [::]:80;
+ listen 443 quic;
+ listen [::]:443 quic;
 listen 443 ssl;
 listen [::]:443 ssl;
 server_name mirrors.flylightning.xyz;
@@ -144,6 +165,8 @@ http {
 ssl_certificate /etc/postfix/flylightning.pem;
 ssl_certificate_key /etc/postfix/flylightning.key;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
 location / {
 root /srv/http/mirrors;
 autoindex on;
@@ -158,6 +181,8 @@ http {
 server {
 listen 80;
 listen [::]:80;
+ listen 443 quic;
+ listen [::]:443 quic;
 listen 443 ssl;
 listen [::]:443 ssl;
 server_name git.flylightning.xyz;
@@ -166,6 +191,8 @@ http {
 ssl_certificate /etc/postfix/flylightning.pem;
 ssl_certificate_key /etc/postfix/flylightning.key;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
 # about nginx location regex:
 # - https://nginx.org/en/docs/http/ngx_http_core_module.html#location
 # - https://stackoverflow.com/a/59846239
-- cgit v1.2.3-70-g09d2
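Review bot: The server-level `add_header Alt-Svc 'h3=":443"; ma=86400';` added in the -56 hunk is subject to nginx's inheritance rule, under which `add_header` lines from the enclosing level are inherited only when the current level defines none of its own. If the `http` block sets security headers such as HSTS through `add_header` (not visible in this commit), this line stops them from reaching the server, and any `location` that carries its own `add_header` will not send Alt-Svc. The same line is added at -144 and -166, so the check applies to the mirrors and git servers as well. I would put a comment above each occurrence, `# add_header here replaces any add_header inherited from http {}; repeat security headers in this block`, and repeat the required headers where they exist. The server blocks start and end outside these hunks.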