Loading nixos/modules/services/web-servers/h2o/default.nix +20 −13 Original line number Diff line number Diff line Loading @@ -221,10 +221,7 @@ let headerSet ++ [ hsts ]; } ); in value.settings // headerRecAttrs // { listen = let identity = Loading @@ -233,7 +230,8 @@ let key-file = "${certs.${names.cert}.directory}/key.pem"; certificate-file = "${certs.${names.cert}.directory}/fullchain.pem"; }; in baseListen = { port = port.TLS; ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // { Loading @@ -243,7 +241,16 @@ let // lib.optionalAttrs (value.host != null) { host = value.host; }; # QUIC, if used, will duplicate the TLS over TCP directive, but # append some extra QUIC-related settings quicListen = lib.optional (value.tls.quic != null) (baseListen // { inherit (value.tls) quic; }); in { listen = [ baseListen ] ++ quicListen; }; in value.settings // headerRecAttrs // listen; }; in # With a high likelihood of HTTP & ACME challenges being on the same port, Loading Loading @@ -351,7 +358,7 @@ in "hydra.example.com" = { tls = { policy = "force"; indentity = [ identity = [ { key-file = "/path/to/key"; certificate-file = "/path/to/cert"; Loading nixos/modules/services/web-servers/h2o/vhost-options.nix +19 −0 Original line number Diff line number Diff line Loading @@ -152,6 +152,25 @@ in ''; }; recommendations = tlsRecommendationsOption; quic = mkOption { type = types.nullOr types.attrs; default = null; description = '' Enables HTTP/3 over QUIC on the UDP port for TLS. The attrset provides fine-turning for QUIC behavior, but can be empty. See <https://h2o.examp1e.net/configure/http3_directives.html#quic-attributes>. ''; example = literalExpression # nix '' { amp-limit = 2; handshake-timeout-rtt-multiplier = 300; retry = "ON"; } ''; }; extraSettings = mkOption { type = types.attrs; default = { }; Loading nixos/tests/web-servers/h2o/basic.nix +27 −13 Original line number Diff line number Diff line Loading 
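Review bot: The comment above `quicListen` says QUIC "will duplicate the TLS over TCP directive", but what the code actually copies is `baseListen`, which carries the `port`, the `ssl` attrset built from `tlsRecAttrs` and `value.tls.extraSettings`, and the optional `host`; naming that makes it clear that `extraSettings` governs the UDP listener as well. Suggested wording: `# QUIC, if enabled, reuses baseListen (port, ssl incl. tls.extraSettings, host) as a second listen entry and adds the quic attrset`. Nothing in this commit opens UDP `port.TLS` in the firewall (the basic test does it by hand with `allowedUDPPorts`), so if the module does not do that elsewhere, a one-line comment here saying the UDP port must be allowed separately would save users a silent HTTP/3 outage. The enclosing let-expression starts before the first hunk of this section, and the same section is repeated further down the page.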
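Review bot: The description of the new `quic` option has a typo and omits a fact the user needs to act on: `fine-turning` should read `fine-tuning`, and the text should state that HTTP/3 is served over UDP on the same port number as TLS, which a firewall must allow separately from TCP (the basic test adds `networking.firewall.allowedUDPPorts`; whether the module opens the port itself is not visible in this commit, so say so if it does not). Suggested first paragraph: `Enables HTTP/3 over QUIC on UDP, using the same port number as TLS. The attrset provides fine-tuning for QUIC behavior, but can be empty.` Since `retry` and `amp-limit` in the example appear to be the address-validation and amplification-limit knobs, a short pointer that these are the settings relevant to abuse resistance would help readers pick them deliberately rather than copying the example. The enclosing `tls` submodule starts outside the hunk, and this section is repeated further down the page.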
@@ -43,6 +43,10 @@ in server = { pkgs, ... }: { environment.systemPackages = [ pkgs.curlHTTP3 ]; services.h2o = { enable = true; defaultHTTPListenPort = port.HTTP; Loading @@ -60,6 +64,9 @@ in "${domain.TLS}" = { tls = { policy = "force"; quic = { retry = "ON"; }; identity = [ { key-file = ../../common/acme/server/acme.test.key.pem; Loading Loading @@ -99,10 +106,15 @@ in ]; networking = { firewall.allowedTCPPorts = with port; [ firewall = { allowedTCPPorts = with port; [ HTTP TLS ]; allowedUDPPorts = with port; [ TLS ]; }; extraHosts = '' 127.0.0.1 ${domain.HTTP} 127.0.0.1 ${domain.TLS} Loading @@ -110,7 +122,6 @@ in }; }; }; testScript = let portStrHTTP = builtins.toString port.HTTP; Loading 
@@ -122,23 +133,26 @@ in server.wait_for_open_port(${portStrHTTP}) server.wait_for_open_port(${portStrTLS}) http_hello_world_body = server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'") assert "${sawatdi_chao_lok}" in http_hello_world_body assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'") tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower() assert "http/2 200" in tls_hello_world_head assert "server: h2o" in tls_hello_world_head assert "content-type: text/x-rst" in tls_hello_world_head tls_hello_world_body = server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") assert "${sawatdi_chao_lok}" in tls_hello_world_body assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower() assert "http/3 200" in quic_hello_world_head assert "server: h2o" in quic_hello_world_head assert "content-type: text/x-rst" in quic_hello_world_head assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") tls_hello_world_head_redirected = server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${builtins.toString port.HTTP}/hello_world.rst'").lower() assert "redirected" in tls_hello_world_head_redirected assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower() server.fail("curl --location --max-redirs 0 
'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") tls_hello_world_body_redirected = server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") assert "${sawatdi_chao_lok}" in tls_hello_world_body_redirected assert "${sawatdi_chao_lok}" in server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") ''; } nixos/tests/web-servers/h2o/mruby.nix +2 −4 Original line number Diff line number Diff line Loading @@ -58,10 +58,8 @@ in server.wait_for_unit("h2o.service") server.wait_for_open_port(${portStr}) hello_world = server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world") assert "${sawatdi_chao_lok}" in hello_world assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world") file_handler = server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler") assert "FILE_HANDLER" in file_handler assert "FILE_HANDLER" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler") ''; } Loading
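Review bot: The new `--http3-only` requests run right after `server.wait_for_open_port(${portStrTLS})`, which only observes the TCP listener; nothing waits for the UDP socket, so the check relies on h2o binding the QUIC listener before the TCP port is reported open (likely, but unverified here), and a comment on the `quic_hello_world_head` line such as `# no wait for the UDP socket: assumes h2o binds the QUIC listener before TCP accepts` would record that assumption. The section also adds `allowedUDPPorts = with port; [ TLS ];` by hand, which suggests the module does not open the port for users; a comment on that line (`# HTTP/3 needs the UDP port too; verify whether the module opens it`) keeps the next editor from dropping it as redundant. The `testScript` let binding starts outside the hunk, and the same section is repeated further down the page.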
nixos/modules/services/web-servers/h2o/default.nix +20 −13 Original line number Diff line number Diff line Loading @@ -221,10 +221,7 @@ let headerSet ++ [ hsts ]; } ); in value.settings // headerRecAttrs // { listen = let identity = Loading @@ -233,7 +230,8 @@ let key-file = "${certs.${names.cert}.directory}/key.pem"; certificate-file = "${certs.${names.cert}.directory}/fullchain.pem"; }; in baseListen = { port = port.TLS; ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // { Loading @@ -243,7 +241,16 @@ let // lib.optionalAttrs (value.host != null) { host = value.host; }; # QUIC, if used, will duplicate the TLS over TCP directive, but # append some extra QUIC-related settings quicListen = lib.optional (value.tls.quic != null) (baseListen // { inherit (value.tls) quic; }); in { listen = [ baseListen ] ++ quicListen; }; in value.settings // headerRecAttrs // listen; }; in # With a high likelihood of HTTP & ACME challenges being on the same port, Loading Loading @@ -351,7 +358,7 @@ in "hydra.example.com" = { tls = { policy = "force"; indentity = [ identity = [ { key-file = "/path/to/key"; certificate-file = "/path/to/cert"; Loading
nixos/modules/services/web-servers/h2o/vhost-options.nix +19 −0 Original line number Diff line number Diff line Loading @@ -152,6 +152,25 @@ in ''; }; recommendations = tlsRecommendationsOption; quic = mkOption { type = types.nullOr types.attrs; default = null; description = '' Enables HTTP/3 over QUIC on the UDP port for TLS. The attrset provides fine-turning for QUIC behavior, but can be empty. See <https://h2o.examp1e.net/configure/http3_directives.html#quic-attributes>. ''; example = literalExpression # nix '' { amp-limit = 2; handshake-timeout-rtt-multiplier = 300; retry = "ON"; } ''; }; extraSettings = mkOption { type = types.attrs; default = { }; Loading
nixos/tests/web-servers/h2o/basic.nix +27 −13 Original line number Diff line number Diff line Loading @@ -43,6 +43,10 @@ in server = { pkgs, ... }: { environment.systemPackages = [ pkgs.curlHTTP3 ]; services.h2o = { enable = true; defaultHTTPListenPort = port.HTTP; Loading @@ -60,6 +64,9 @@ in "${domain.TLS}" = { tls = { policy = "force"; quic = { retry = "ON"; }; identity = [ { key-file = ../../common/acme/server/acme.test.key.pem; Loading Loading @@ -99,10 +106,15 @@ in ]; networking = { firewall.allowedTCPPorts = with port; [ firewall = { allowedTCPPorts = with port; [ HTTP TLS ]; allowedUDPPorts = with port; [ TLS ]; }; extraHosts = '' 127.0.0.1 ${domain.HTTP} 127.0.0.1 ${domain.TLS} Loading @@ -110,7 +122,6 @@ in }; }; }; testScript = let portStrHTTP = builtins.toString port.HTTP; Loading 
@@ -122,23 +133,26 @@ in server.wait_for_open_port(${portStrHTTP}) server.wait_for_open_port(${portStrTLS}) http_hello_world_body = server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'") assert "${sawatdi_chao_lok}" in http_hello_world_body assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'") tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower() assert "http/2 200" in tls_hello_world_head assert "server: h2o" in tls_hello_world_head assert "content-type: text/x-rst" in tls_hello_world_head tls_hello_world_body = server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") assert "${sawatdi_chao_lok}" in tls_hello_world_body assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower() assert "http/3 200" in quic_hello_world_head assert "server: h2o" in quic_hello_world_head assert "content-type: text/x-rst" in quic_hello_world_head assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'") tls_hello_world_head_redirected = server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${builtins.toString port.HTTP}/hello_world.rst'").lower() assert "redirected" in tls_hello_world_head_redirected assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower() server.fail("curl --location --max-redirs 0 
'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") tls_hello_world_body_redirected = server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") assert "${sawatdi_chao_lok}" in tls_hello_world_body_redirected assert "${sawatdi_chao_lok}" in server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'") ''; }
nixos/tests/web-servers/h2o/mruby.nix +2 −4 Original line number Diff line number Diff line Loading @@ -58,10 +58,8 @@ in server.wait_for_unit("h2o.service") server.wait_for_open_port(${portStr}) hello_world = server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world") assert "${sawatdi_chao_lok}" in hello_world assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world") file_handler = server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler") assert "FILE_HANDLER" in file_handler assert "FILE_HANDLER" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler") ''; }