HTTP/3

Ole Rößner <o.roessner@neusta.de>

A team neusta Freitagsfrühstück Lightning Talk

QUIC & Dirty

History

  • HTTP/0.9: 1991, RFC
  • HTTP/1.0: 1996, RFC1945
  • HTTP/1.1: 1997, RFC2068,2616
  • HTTP/2: 2015, RFC7540
  • HTTP/3: 2022, RFC9114

HTTP/1

  • Plain Text
  • TCP

HTTP/2

  • Binary Protocol
    • More compact, header compression
  • Multiplexing
    • Multiple resources in a single connection, with prioritisation
  • Server push
  • TLS only

WHAT PROBLEMS DOES HTTP/2 HAVE?

  • Head of line blocking 
  • Network switching
    • Connection re-establishment latency
  • Difficult to upgrade, TCP part of host OS networking stack

WHAT ARE QUIC AND HTTP/3?

  • We can’t change TCP without replacing every device in the world 
  • Google designed QUIC as a workaround
    • A reimagining of TCP implemented over UDP
  • Combines TLS and HTTP/3 into a single protocol with reduced overhead
  • Implemented in userland instead of OS
  • You’re using it already

HEAD-OF-LINE BLOCKING

Image: http.dev

NETWORK LAYERS

HTTP

IPv4 & IPv6

HTTP/1.1

HTTP/2

HTTP/3

TCP

TCP

UDP

TLS

TLS 1.2

TLS 1.3

QUIC

INITIAL CONNECTION

Image: http.dev

HTTP/3 IMPLEMENTATIONS

  • Client, servers, libraries
  • Clients: Chrome, Edge, Firefox, Safari (iOS 15)
  • Servers: Litespeed, Caddy, Nginx, HAProxy, Traefik
    • Not Apache!
  • Libraries: h2o, nghttp3, libcurl, openssl 3.2.0
  • Cloud services: CloudFlare
  • All in userland, so not so subject to OS stagnation

HOW TO DEPLOY HTTP/3?

  • How does a client know a server supports HTTP/3?
  • Server can tell clients what protocols it can use 
    • Alt-Svc header
    • DNS SVCB record

ALT-SVC HTTP HEADER

  • RFC7838 
  • "Alternative service"
  • Similar to HSTS for HTTPS
Alt-Svc: h3=":443"; ma=3600

⚠️ Browser connect via HTTP/2 first ⚠️

Source: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Alt-Svc

NGINX CONFIG EXAMPLE

server {
 listen 443 ssl;
 listen [ :]:443 ssl;
 listen 443 quic;
 listen [ :]:443 quic;
 http2 on;
 add_header Alt-Svc 'h3=":443"; ma=86400';
 # ...
}

⚠️ NGINX >= 1.25 ⚠️

TRAEFIK CONFIG EXAMPLE

# docker-compose.yaml
services:
	traefik:
    	image: traefik:3
    # ...
    command:
    	# ...
        - "--entryPoints.https.address=:443"
        - "--entryPoints.https.http3=true"

⚠️ Traefik >= 3.0 ⚠️

Testing HTTP/3

  • http3check.net
  • Browser Dev-Tools
    • Network Tab -> Enable Protocol Column

⚠️ Local Testing ⚠️

  • Chrome(-ium):
    • No HTTP/3 over self signed certificate!
    • Even mkcert doesn't work!
  • Firefox works!
  • CURL on macOS doesn't support HTTP/3!
docker run --rm --network="host" ymuski/curl-http3 \
	curl --insecure --http3-only --head --silent https://my-local-domain.test

Thank you! 👋

Sources: