Learn about the benefits of the new QUIC/HTTP3 protocol and how to configure NGINX for QUIC in this webinar and hands-on lab.

1. Getting Hands On with
QUIC+ HTTP/3
Robert Haynes
NGINX Technical Marketing

2. ©2023 F5
2
• This webinar will be recorded
• The slides will be available to view
• The labs will be available for a few hours after the
event
To get to the recording and slides, visit the same link
you used to attend the webinar.
Housekeeping

3. ©2023 F5
3
What is QUIC?
QUIC + HTTP/3 Compared to TCP+TLS+HTTP/1-2
NGINX QUIC installation
NGINX QUIC configuration
NGINX directives and variables
Lab overview
Hands-on lab
Wrap up
Agenda

4. ©2023 F5
4
To improve the speed and security of web (and
other) traffic.
The What and Why of QUIC + HTTP/3
Why QUIC?
Because TCP is Linux kernel function so slower to
change and because of ‘middleboxes’.
QUIC is a transport layer built on top of UDP that
manages connections, encryption, and streams
Why not improve TCP?
What is QUIC?

5. ©2023 F5
5
QUIC+HTTP/3 Compared to TCP+TLS+HTTP/1-2
HTTP/3
UDP
QUIC
IP
HTTP/1+2
TCP
TLS
IP Addressing
Data Transport
Reliable Delivery
Encryption
Streams
Request and Response

6. ©2023 F5
6
HTTP/1.1 vs HTTP/2 vs HTTP/3
1 request at a time per
connection
No HTTP header
compression
Text
Streams for request
multiplexing
Server Push Server Push
HPAK Compression HPAK Compression
Binary Binary
Handled by QUIC
No server push
HTTP/1.1 HTTP/2 HTTP/3

7. ©2023 F5
7
QUIC Streams vs HTTP/2 Streams
Packets
Packets
TCP + HTTP/2
QUIC + HTTP/3
Due to TCP in-order delivery, all streams are blocked until missing
packet is retransmitted, and TCP session recovered. TCP is not
aware of streams as they are HTTP/2 objects
Stream fragments from
lost packet must be
retransmitted
Streams not in lost packet
are delivered to HTTP/3
Stream Fragment

8. ©2023 F5
8
QUIC+HTTP/3 Connection Establishment
Client Server
Connection Setup TLS Key Exchange
QUIC connection setup
combines connection
establishment with TLS1.3 key
exchange for a low latency
connection establishment.

9. ©2023 F5
9
Potential DoS issues with QUIC connections
Reflection Attacks
Compromised devices make QUIC
connections with spoofed source IP
QUIC servers all respond to victim
DDoS Attacks
Compromised devices make QUIC
connections with multiple spoofed
source IP.s.
QUIC server has to
perform crypto operations
before responding

10. ©2023 F5
10
Using Retry Packets and Minimum Packet Size
Client Server
Connection Setup TLS Key Exchange
Server delays complex crypto
operations until client address
is validated
Packets must be 1200bytes,
making client connections
more ‘expensive’

11. ©2023 F5
11
Client Server
TCP+TLS+HTTP/1.1
UDP+QUIC+HTTP/3
The Alt-Svc HTTP Header
Most clients will connect over
TCP+TLS+HTTP/1
The Alt-Svc header tells clients
the same service is available
over HTTP/3
The client reconnects over
QUIC

12. ©2023 F5
12
NGINX and QUIC+HTTP/3
HTTP/3 Client
UDP | QUIC | HTTP/3
TCP | HTTP/1.1
TCP | HTTP/1.1
TCP | HTTP/1.1
NGINX Application Server
QUIC Connection with
multiple streams
Multiple HTTP/1.1
connections

13. ©2023 F5
13
NGINX QUIC “Fun” facts
NGINX QUIC is currently in preview
NGINX QUIC is a separate package
In future releases QUIC will be in mainline NGINX OSS and Plus
This is (mostly) due to OpenSSL QUIC support timing

14. ©2023 F5
14
NGINX Installation Steps
Install pre-requisite packages
Add NGINX Signing key
Add NGINX-QUIC repository
Install NGINX-QUIC
Start NGINX-QUIC

15. ©2023 F5
15
A Simple NGINX QUIC Configuration
http {
log_format quic '$remote_addr - $remote_user [$time_local]'
'"$request" $status $body_bytes_sent ' '"$http_referer"
"$http_user_agent" "$server_protocol"’;
access_log logs/access.log quic;
server {
# for better compatibility it's recommended # to use the same port for quic and https
listen 8443 http3 reuseport;
listen 8443 ssl;
ssl_certificate certs/example.com.crt;
ssl_certificate_key certs/example.com.key;
ssl_protocols TLSv1.3;
location / {
# required for browsers to direct them into quic port
add_header Alt-Svc 'h3=":8443"; ma=86400’;
}
}
}

16. ©2023 F5
16
Some Additional QUIC Configuration Directives
Directive Context Effect
quic_bpf on; main Use eBPF to route packets to
workers
quic_retry on; http | stream, server Use retry packets in connection
setup
ssl_early_data on; http | stream, server Allow for 0-RTT connection
reestablishment
quic_timeout <N>s; http | stream, server Set timeouts for connection
quic_mtu <size>; http | stream, server Limit maximum UDP payload size

17. ©2023 F5
17
Additional HTTP/3 Directives and variables
Directive Context Effect
http3_push uri | off ; http, server, location Configures NGINX to
preemptively send content to
clients
http3_max_concurrent_streams
number;
http, server Maximum number of streams in a
connection
Variable Use
$server_protocol Identifies the server protocol :
“HTTP/1.0”, “HTTP/1.1”, “HTTP/2.0”, or “HTTP/3.0”
$http3 Will be set to “quic” if the connection is using QUIC (and is not set
otherwise – we advise you to use $server_protocol above
instead)

18. ©2023 F5
18
Questions?

19. ©2023 F5
19
Lab Time!

20. ©2023 F5
20
Lab Housekeeping
1. Click link in Related Content box
2. Complete the lab
• Estimated Time: 20-30 minutes
• Max Time: 45 minutes
• Attempts: 3
• Your invite is good for 3 hours
3. Problems? Use webinar chat!

21. ©2023 F5
21
Your Lab Environment
Shell
Instructions
Check Button

22. ©2023 F5
22
Over to You!

23. ©2023 F5
23
Docs:
• https://quic.nginx.org
Blogs:
• Binary Packages : https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/
• QUIC Networking Primer: Comminig soon!
Community:
• Slack: https://nginxcommunity.slack.com and post in the #quic-http3 channel
Wrap Up