HTTPv3 and QUIC related changes

[oxpa]

Proposed changes

Add quic and http3 capabilities to the role

Checklist

• I have read the CONTRIBUTING document
• I have added Molecule tests that prove my fix is effective or that my feature works
• I have checked that any relevant Molecule tests pass after adding my changes
• I have updated any relevant documentation (defaults/main/*.yml, README.md and CHANGELOG.md)

[oxpa]

my main concern at the moment is that 'quic' requires specific tls version and ssl certs configured. And I don't check for sanity there letting nginx fail configuration test. Not sure if this is the right approach

[alessfg]

We could check if the user is running a supported *ssl library version by checking if http3 is enabled via the dictionary and if so, checking for various *ssl libraries (see https://github.com/nginxinc/ansible-role-nginx-config/blob/main/tasks/config/template-config.yml#L46-L57 for an example on how to check for specific dictionary keys).

Providing a host key does not seem to be a hard requirement -- if I understand the docs correctly, nginx should create a new one if the directive is not specified.

[alessfg]

As convenient as it is, this really should be included in the http3/quic template. Directives in this template belong exclusively to the ngx_core_module.

Instead, I would tweak the nginx.conf.j2 template to something along the lines of

{% if nginx_config_main_template['config']['main'] is defined %}
{% from 'core.j2' import main with context %}
{{ main(nginx_config_main_template['config']['main']) }}
{%- endif %}
{% if nginx_config_main_template['config']['main']['quic'] is defined %}
{% from 'http/modules.j2' import main with context %}
...
{%- endif %}

And we can then use scopes (!) to make sure that only the quic_bpf parameter/directive can be used here.

[oxpa]

well, IMO, bpf settings should be moved to core module in nginx as well. But I get the point. I'll move it out.

[alessfg]

I would ideally have these two within the same macro block since they are both part of the same module. I don't know what the best way to do that would be, but maybe we could do something where the resulting dictionary would be:

httpv3:
  http3:
    hq: false
    max_concurrent_streams: 100
  quic:
    bpf: false
    gso: false

or:

http3:
  hq: false
  max_concurrent_streams: 100
  quic:
    bpf: false
    gso: false

[oxpa]

It feels like keeping quic and http3 configuration separate is a sensible thing to do. Even if they are listed on a single page in the manual.
In nginx, quic related code is in event/quic and http3 is in http/v3. So it's not quite the same module. It's just a convenient way of representing it for now.

If anything other than http3 will start using quic - it will appear as a separate module with the same options and we'll reuse this template.
And the manual is written the way it is, because in C code this is not a problem: quic is already a separate entity and if quic moves into a separate module no configuration will have to be changed.

Hope this makes sense.

[alessfg]

It does!

[alessfg]

Suggested change

	{# NGINX QUIC -- ngix_http_v3_module #}
	{# NGINX QUIC -- ngx_http_quic_module #}{# This module is not "documented" but it does exist internally #}

[alessfg]

Suggested change

	{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %}
	{% if main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %}{# ngx_http_quic_module #}{# This does not belong here but we are making an exception #}

We can simplify this a little bit I think

[alessfg]

Made a few extra suggestions :)

[alessfg]

One final ask, can you please update the CHANGELOG?