NGINX / Server Setup

How to install NGINX QUIC on CentOS, RHEL and Fedora Linux

by , , revisited on


We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.
NGINX-QUIC is in beta and not yet ready for production, although used by a handful of websites in production.
We highly recommend using NGINX-MOD instead. While it doesn’t support QUIC protocol, it has many performance patches applied and used widely in production.

Also, be noted that the NGINX PageSpeed module will not work with NGINX QUIC due to compatibility issues.

HTTP/3 and NGINX QUIC project

HTTP/3 is the third iteration of the protocol empowering the World Wide Web.
It uses QUIC transport, which works over UDP. UDP has a better network latency compared to TCP and is supported by the majority of browsers.

NGINX, web server #1, still does not officially support HTTP/3 and its QUIC transport. However, the NGINX QUIC project, based on the mainline branch, is already used in production by a handful of websites.

NGINX QUIC packages by GetPageSpeed

With the GetPageSpeed repository, you can quickly install NGINX QUIC, and enable HTTP/3 for your websites. GetPageSpeed NGINX QUIC packages are based on QuicTLS which is a special OpenSSL version maintained by joined effort of Akamai and Microsoft. QuicTLS is a better option compared to BoringSSL because it supports OSCP stapling, just like regular OpenSSL.

Installation is free for Fedora Linux, however, requires a subscription for RHEL-based operating systems like CentOS, Rocky Linux, and Amazon Linux.

Supported operating systems:

  • Amazon Linux 2
  • CentOS/RHEL 7
  • CentOS/RHEL 8 and any clones like Rocky Linux and AlmaLinux
  • CentOS/RHEL 9 and any clones like Rocky Linux and AlmaLinux
  • Fedora Linux, the last two releases

No matter which of the supported operating system you use, installation involves the following:

  • Install the GetPageSpeed release package (and subscribe, unless you use Fedora Linux)
  • Enable the nginx-quic repository
  • Install the nginx package

Install NGINX QUIC in CentOS/RHEL 7, and Amazon Linux 2

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm yum-utils
sudo yum-config-manager --enable getpagespeed-extras-nginx-quic
sudo yum -y install nginx

If you want to install any of the NGINX Extras module packages like PageSpeed or Brotli, enable the mainline repository as such:

sudo yum-config-manager --enable getpagespeed-extras-mainline
sudo yum -y install nginx-module-brotli

Don’t forget to follow the instructions of enabling and configuring the respective module, once installed.

Install NGINX QUIC in CentOS/RHEL/Rocky Linux 8, 9, or Fedora Linux

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm dnf-plugins-core
sudo dnf config-manager --enable getpagespeed-extras-nginx-quic
sudo dnf -y install nginx

Likewise, if you want to install any of the NGINX Extras module packages like PageSpeed or Brotli, enable the mainline repository as such:

sudo dnf config-manager --enable getpagespeed-extras-mainline
sudo dnf -y install nginx-module-brotli

Don’t forget to follow the instructions of enabling and configuring the respective module, once installed.

Enable HTTP/3 for your websites

Some headers must be explicitly set for HTTP/3 support:

  • Alt-Svc: h3=":443"; ma=2592000; persist=1 advertises that HTTP/3 is available on the given port 443, instructs browsers to remember this for 30 days, and persist this information when client’s network configuration changes
  • QUIC-Status: $http3 as a troubleshooting header. When QUIC has been successfully configured, this header will appear as a response header such as QUIC-Status: h3 or QUIC-Status: hq.

It is best to use the more_set_headers directive that comes with the headers-more module for setting the headers above.
To install it, run yum -y install nginx-module-headers-more then add the following at the top of nginx.conf:

load_module modules/ngx_http_headers_more_filter_module.so;

The configuration of HTTP/3 (QUIC) for a website is pretty straightforward.
You need to add a new listen directive for NGINX to listen on the UDP port.

server {
    listen 443 ssl;              # TCP listener for HTTP/1.1
    listen 443 http3 reuseport;  # UDP listener for QUIC+HTTP/3

    ssl_protocols       TLSv1.3; # QUIC requires TLS 1.3
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    more_set_headers 'Alt-Svc: h3=":443"; ma=2592000; persist=1'; 
    more_set_headers 'QUIC-Status: $http3';
}

Note that the reuseport flag can be specified only once per listening port. So we recommend to set it only for a single server that you designate as the default_server, e.g.:

server {
    # ...
    listen 443 ssl default_server; 
    listen 443 http3 reuseport default_server;  
    server_name example.com;

    # ...
}

server {
    # ...
    listen 443 ssl; 
    listen 443 http3; 
    server_name example.org;

    # ...
}

Also, if you use IPv6 for your domain, be sure to throw in a couple more directives for NGINX to listen on IPv6 for the same:

listen [::]:443 ssl;              # IPv6 TCP listener for HTTP/1.1
listen [::]:443 http3 reuseport;  # IPv6 UDP listener for QUIC+HTTP/3

Likewise, remember that reuseport can be specified once per port, so put it only under a single server that is flagged with default_server marker.

SELinux notes

Since NGINX now listens on a privileged port which is not part of the default HTTP context, NGINX would fail to start:

root user “nginx: [emerg] bind() to 0.0.0.0:443 failed (13: Permission denied)”

You must add the UDP port 443 to the http_port_t context:

semanage port -a -t http_port_t -p udp 443

Adjust FirewallD

Usually, FirewallD comes with pre-defined service definitions, and HTTPS is one of the services provided.
However, the service definition currently supports TCP protocol only. With HTTP/3 you must explicitly allow UDP connection over the TLS port 443.

Here’s how to do it:

# for UDP connectivity:
firewall-cmd --permanent --add-port=443/udp
# for TCP connectivity:
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: