From 684027766545f7940ba8d1154dd257242e78e889 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Thu, 3 Aug 2023 16:16:31 +0100
Subject: [PATCH 01/14] quic and http3 templates

---
 defaults/main/template.yml | 14 ++++++++++++++
 templates/core.j2 | 3 +++
 templates/http/core.j2 | 1 +
 templates/http/default.conf.j2 | 21 +++++++++++++++++++++
 templates/http/modules.j2 | 32 ++++++++++++++++++++++++++++++++
 5 files changed, 71 insertions(+)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index b55566e8..f1d9a718 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -72,6 +72,8 @@ nginx_config_main_template:
 - /etc/nginx/conf.d/*.conf
 # stream:
 # include: /etc/nginx/conf.d/stream/*.conf # String or a list of strings
+ # quic:
+ # bpf: false # Boolean
 
 # Enable creating dynamic templated NGINX HTTP configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
@@ -204,6 +206,7 @@ nginx_config_http_template:
 port: 80
 default_server: true # Boolean
 ssl: false # Boolean
+ quic: false # Boolean
 proxy_protocol: false # Boolean
 fastopen: 12 # Number
 backlog: 511 # Number
@@ -278,6 +281,17 @@ nginx_config_http_template:
 max_concurrent_streams: 128 # Number -- Not available in the 'location' context
 recv_buffer_size: 256k # Only available in the 'http' context
 recv_timeout: 20s # Not available in the 'location' context
+ http3:
+ enable: false # Boolean
+ hq: false # Boolean
+ max_concurrent_streams: 128
+ stream_buffer_size: 64k
+ quic:
+ active_connection_id_limit: 2
+ gso: false # Boolean
+ host_key: /path/to/file
+ retry: false # Boolean
+
 ssl: # Configure SSL
 buffer_size: 16k
 certificate: /path/to/file # String or a list of strings
diff --git a/templates/core.j2 b/templates/core.j2
index b6dfaa7d..aa943ecc 100644
--- a/templates/core.j2
+++ b/templates/core.j2
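Review bot: The documented key for switching HTTP/3 on is `enable: false` in the new `http3` block of the third hunk, but the `http3` macro added to templates/http/modules.j2 in this same commit reads `http3['enabled']`, so a user who copies these defaults never gets an `http3 on;` directive rendered and gets no error either. The molecule test added in the next patch uses both spellings (`enable: true` at http level, `enabled: false` at server level), which means the http-level case is silently exercising nothing. Either rename the default to `enabled: false # Boolean` or change the macro to read `http3['enable']`; the later patches in this series only realign the comments on these lines and do not resolve the mismatch.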
@@ -83,6 +83,9 @@ timer_resolution {{ main['timer_resolution'] }};
 {% if main['working_directory'] is defined %}
 working_directory {{ main['working_directory'] }};
 {% endif %}
+{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %}
+quic_bpf {{ main['quic']['bpf'] | ternary('on', 'off') }};
+{% endif %}
 {% endmacro %}
 
 {% macro events(events) %}
diff --git a/templates/http/core.j2 b/templates/http/core.j2
index 14dc93f6..c073286f 100644
--- a/templates/http/core.j2
+++ b/templates/http/core.j2
@@ -141,6 +141,7 @@ lingering_timeout {{ core['lingering_timeout'] }};
 listen {{ listen['address'] if listen['address'] is defined }}{{ ':' if listen['address'] is defined and listen['port'] is defined }}{{ listen['port'] if listen['port'] is defined -}}
 {{- ' default_server' if listen['default_server'] is defined and listen['default_server'] is boolean and listen['default_server'] | bool -}}
 {{- ' ssl' if listen['ssl'] is defined and listen['ssl'] is boolean and listen['ssl'] | bool -}}
+{{- ' quic' if listen['quic'] is defined and listen['quic'] is boolean and listen['quic'] | bool -}}
 {{- ' proxy_protocol' if listen['proxy_protocol'] is defined and listen['proxy_protocol'] is boolean and listen['proxy_protocol'] | bool -}}
 {{- (' setfib=' + listen['setfib'] | string) if listen['setfib'] is defined -}}
 {{- (' fastopen=' + listen['fastopen'] | string) if listen['fastopen'] is defined and listen['fastopen'] is number -}}
diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2
index 4051fec7..e7c00aec 100644
--- a/templates/http/default.conf.j2
+++ b/templates/http/default.conf.j2
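Review bot: The new `' quic'` listen parameter in the templates/http/core.j2 hunk is guarded exactly like `' ssl'`, but nothing in the template or the defaults records that a QUIC listener only carries traffic when the server's TLS settings allow TLSv1.3, which is presumably why the molecule test in the next patch has to add `- TLSv1.3` to `ssl.protocols`; a user copying the defaults may get a listen line nginx accepts but no working HTTP/3. nginx's HTTP/3 documentation also pairs `quic` with `reuseport` on the listen directive when several workers are used, as that same test does. Suggest a Jinja comment above the added line, `{# 'quic' needs TLSv1.3 among the server's ssl protocols; see the nginx HTTP/3 docs on combining it with reuseport #}`, and the same remark beside `quic: false # Boolean` in the listen defaults. The listen macro continues outside the hunk.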
@@ -12,6 +12,14 @@
 {% from 'http/modules.j2' import http2 with context %}
 {{ http2(item['config']['http2'], 'http') }}
 {%- endif %}
+{% if item['config']['http3'] is defined %}
+{% from 'http/modules.j2' import http3 with context %}
+{{ http3(item['config']['http3']) }}
+{%- endif %}
+{% if item['config']['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{{ quic(item['config']['quic']) }}
+{%- endif %}
 {% if item['config']['ssl'] is defined %}
 {% from 'http/ssl.j2' import ssl with context %}
 {{ ssl(item['config']['ssl']) }}
@@ -134,6 +142,19 @@ server {
 {{ http2(server['http2'], 'server') }}
 {%- endfilter %}
 {% endif %}
+{% if server['http3'] is defined %}
+{% from 'http/modules.j2' import http3 with context %}
+{% filter indent(4) %}
+ {{ http3(server['http3']) }}
+{%- endfilter %}
+{% endif %}
+{% if server['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{% filter indent(4) %}
+ {{ quic(server['quic']) }}
+{%- endfilter %}
+{% endif %}
+
 {% if server['ssl'] is defined %}
 {% from 'http/ssl.j2' import ssl with context %}
 {% filter indent(4) %}
diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
index c21dbe57..b393d9c2 100644
--- a/templates/http/modules.j2
+++ b/templates/http/modules.j2
@@ -350,5 +350,37 @@ http2_recv_buffer_size {{ http2['recv_buffer_size'] }};
 {% if http2['chunk_size'] is defined %}
 http2_chunk_size {{ http2['chunk_size'] }};
 {% endif %}
+{% endmacro %}
+
+{# NGINX HTTP v3 -- ngx_http_v3_module #}
+{% macro http3(http3) %}
+{% if http3['enabled'] is defined and http3['enabled'] is boolean %}
+http3 {{ http3['enabled'] | ternary('on', 'off') }};
+{% endif %}
+{% if http3['hq'] is defined and http3['hq'] is boolean %}
+http3 {{ http3['hq'] | ternary('on', 'off') }};
+{% endif %}
+{% if http3['max_concurrent_streams'] is defined and http3['max_concurrent_streams'] is number %}
+http3_max_concurrent_streams {{ http3['max_concurrent_streams'] }};
+{% endif %}
+{% if http3['stream_buffer_size'] is defined %}
+http3_stream_buffer_size {{ http3['stream_buffer_size'] }};
+{% endif %}
 {% endmacro %}
 
+
+{# NGINX QUIC -- ngix_http_v3_module #}
+{% macro quic(quic) %}
+{% if quic['active_connection_id_limit'] is defined and quic['active_connection_id_limit'] is number %}
+quic_active_connection_id_limit {{ quic['active_connection_id_limit'] }};
+{% endif %}
+{% if quic['gso'] is defined and quic['gso'] is boolean %}
+quic_gso {{ quic['gso'] | ternary('on','off') }};
+{% endif %}
+{% if quic['host_key'] is defined %}
+quic_host_key {{ quic['host_key'] }};
+{% endif %}
+{% if quic['retry'] is defined and quic['retry'] is boolean %}
+quic_retry {{ quic['retry'] | ternary('on','off') }};
+{% endif %}
+{% endmacro %}

From 20a79b19da194b474392092d0d446c85552836cf Mon Sep 17 00:00:00 2001
From: oxpa
Date: Thu, 3 Aug 2023 22:15:22 +0100
Subject: [PATCH 02/14] tests for quic and http3

---
 .gitignore | 1 +
 molecule/common/files/ssl/rand.key | 1 +
 molecule/default/converge.yml | 21 +++++++++++++++++++++
 molecule/push/converge.yml | 3 +++
 4 files changed, 26 insertions(+)
 create mode 100644 molecule/common/files/ssl/rand.key

diff --git a/.gitignore b/.gitignore
index 4e78f821..73481b59 100644
--- a/.gitignore
+++ b/.gitignore
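Review bot: `quic_host_key {{ quic['host_key'] }}` renders the path of the secret nginx uses to encrypt stateless-reset and address-validation tokens, yet nothing in the `quic` macro or in the `host_key: /path/to/file` default marks it as key material rather than an ordinary file path, so a reader will not know the file needs the same handling as a private key. Suggest a Jinja comment above that guard, `{# quic_host_key is secret key material (token encryption): restrict its file mode and keep it out of version control #}`, and `# String -- path to a secret key file` on the default. The `quic` macro is complete within the hunk.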
@@ -6,6 +6,7 @@ \#* !molecule.crt !molecule.key +!rand.key # OS Specific # ############### diff --git a/molecule/common/files/ssl/rand.key b/molecule/common/files/ssl/rand.key new file mode 100644 index 00000000..93009070 --- /dev/null +++ b/molecule/common/files/ssl/rand.key @@ -0,0 +1 @@ + EÇ4úh¹’¶4ãÖšYýâ &i"/mÑ{÷7±®<%…J%f·ÿê^Ñì`R¿PÃÐ[ Ä,6=!ª>Zå »oéKÎcGè \ No newline at end of file diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 0a84f27a..2af7966a 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -26,6 +26,9 @@ - src: ../common/files/ssl/molecule.key dest: /etc/ssl/private backup: true + - src: ../common/files/ssl/rand.key + dest: /etc/ssl/private + backup: true nginx_config_main_template_enable: true nginx_config_main_template: @@ -67,6 +70,8 @@ threads: 32 timer_resolution: 1s working_directory: /etc/nginx + quic: + bpf: false events: accept_mutex: false accept_mutex_delay: 500ms @@ -236,6 +241,11 @@ max_concurrent_streams: 31 recv_buffer_size: 128k recv_timeout: 10s + http3: + enable: true + hq: false + max_concurrent_streams: 100 + stream_buffer_size: 32k ssl: buffer_size: 16k certificate: /etc/ssl/certs/molecule.crt @@ -257,6 +267,7 @@ - TLSv1 - TLSv1.1 - TLSv1.2 + - TLSv1.3 reject_handshake: false session_cache: builtin: @@ -569,6 +580,8 @@ port: 443 default_server: true ssl: false + quic: true + reuseport: true so_keepalive: keepidle: 30m keepintvl: 5 @@ -585,6 +598,14 @@ http2: enable: false chunk_size: 8k + http3: + enabled: false + hq: true + quic: + active_connection_id_limit: 10 + gso: off + retry: off + host_key: /etc/ssl/private/rand.key auth_basic: realm: false log: diff --git a/molecule/push/converge.yml b/molecule/push/converge.yml index fd3c1dc6..67bb9ae0 100644 --- a/molecule/push/converge.yml +++ b/molecule/push/converge.yml 
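Review bot: `molecule/common/files/ssl/rand.key` is raw binary key material committed to the repository with a matching `.gitignore` exception, and the converge.yml hunk copies it into /etc/ssl/private beside the TLS private key with no explicit `mode`. Because the server-level test points `quic_host_key` at it, the file is a token-encryption secret; committing one is fine for a molecule fixture only if it is clearly test-only. Suggest a comment on the new copy entry, `# test-only quic_host_key fixture, never reuse outside molecule`, and, if the enclosing task is a copy module that accepts it, `mode: "0600"` as for a private key. The enclosing play and task start outside the hunk.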
@@ -30,3 +30,6 @@
 - src: ../common/files/ssl/molecule.key
 dest: /etc/ssl/private
 backup: true
+ - src: ../common/files/ssl/rand.key
+ dest: /etc/ssl/private
+ backup: true

From 9a01c86e7241ec456968cb86c984e2b8ca53b2d8 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Thu, 3 Aug 2023 22:31:35 +0100
Subject: [PATCH 03/14] make linter happy

---
 defaults/main/template.yml | 1 -
 molecule/default/converge.yml | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index f1d9a718..1d893767 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -291,7 +291,6 @@ nginx_config_http_template:
 gso: false # Boolean
 host_key: /path/to/file
 retry: false # Boolean
-
 ssl: # Configure SSL
 buffer_size: 16k
 certificate: /path/to/file # String or a list of strings
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 2af7966a..3dc7fa38 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -603,8 +603,8 @@
 hq: true
 quic:
 active_connection_id_limit: 10
- gso: off
- retry: off
+ gso: false
+ retry: false
 host_key: /etc/ssl/private/rand.key
 auth_basic:
 realm: false

From 110d75fe910a729e4ab96144af7a07a9ec323026 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Thu, 3 Aug 2023 22:43:29 +0100
Subject: [PATCH 04/14] fix a typo

---
 templates/http/modules.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
index b393d9c2..2cdd5097 100644
--- a/templates/http/modules.j2
+++ b/templates/http/modules.j2
@@ -358,7 +358,7 @@ http2_chunk_size {{ http2['chunk_size'] }};
 http3 {{ http3['enabled'] | ternary('on', 'off') }};
 {% endif %}
 {% if http3['hq'] is defined and http3['hq'] is boolean %}
-http3 {{ http3['hq'] | ternary('on', 'off') }};
+http3_hq {{ http3['hq'] | ternary('on', 'off') }};
 {% endif %}
 {% if http3['max_concurrent_streams'] is defined and http3['max_concurrent_streams'] is number %}
 http3_max_concurrent_streams {{ http3['max_concurrent_streams'] }};

From 0ae9613ab62e24cb64d178b13463c48c5b030bc0 Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Mon, 7 Aug 2023 13:06:49 +0100
Subject: [PATCH 05/14] Update templates/http/modules.j2

improve readability

Co-authored-by: Alessandro Fael Garcia
---
 templates/http/modules.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
index 2cdd5097..a4c1b910 100644
--- a/templates/http/modules.j2
+++ b/templates/http/modules.j2
@@ -350,6 +350,7 @@ http2_recv_buffer_size {{ http2['recv_buffer_size'] }};
 {% if http2['chunk_size'] is defined %}
 http2_chunk_size {{ http2['chunk_size'] }};
 {% endif %}
+
 {% endmacro %}
 
 {# NGINX HTTP v3 -- ngx_http_v3_module #}

From c77912c0c3523ba742cf3edf893864be65908502 Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Mon, 7 Aug 2023 13:07:14 +0100
Subject: [PATCH 06/14] Update defaults/main/template.yml

improve readability

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index 1d893767..ccd394c2 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -282,7 +282,7 @@ nginx_config_http_template:
 recv_buffer_size: 256k # Only available in the 'http' context
 recv_timeout: 20s # Not available in the 'location' context
 http3:
- enable: false # Boolean
+ enable: false # Boolean
 hq: false # Boolean
 max_concurrent_streams: 128
 stream_buffer_size: 64k
From cd31d834fe34de8fbc0691013a85ef838deda304 Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:12:24 +0100
Subject: [PATCH 07/14] Update templates/http/modules.j2

Co-authored-by: Alessandro Fael Garcia
---
 templates/http/modules.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
index a4c1b910..65cf3cd7 100644
--- a/templates/http/modules.j2
+++ b/templates/http/modules.j2
@@ -384,4 +384,5 @@ quic_host_key {{ quic['host_key'] }};
 {% if quic['retry'] is defined and quic['retry'] is boolean %}
 quic_retry {{ quic['retry'] | ternary('on','off') }};
 {% endif %}
+
 {% endmacro %}

From 65eada36d007ce04dfb77f9ba6ef0cd24b6cd282 Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:12:59 +0100
Subject: [PATCH 08/14] Update defaults/main/template.yml

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index ccd394c2..4d7a9a53 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -73,7 +73,7 @@ nginx_config_main_template:
 # stream:
 # include: /etc/nginx/conf.d/stream/*.conf # String or a list of strings
 # quic:
- # bpf: false # Boolean
+ # bpf: false # Boolean
 
 # Enable creating dynamic templated NGINX HTTP configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase

From c01d989a8bbf648d0af658db1e93900b48c66f3c Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:13:14 +0100
Subject: [PATCH 09/14] Update defaults/main/template.yml

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index 4d7a9a53..afe9c00b 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -290,7 +290,7 @@ nginx_config_http_template:
 active_connection_id_limit: 2
 gso: false # Boolean
 host_key: /path/to/file
- retry: false # Boolean
+ retry: false # Boolean
 ssl: # Configure SSL
 buffer_size: 16k
 certificate: /path/to/file # String or a list of strings

From c1ea961f3099b1fa16905bbaa571ac44b3b6125b Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:13:44 +0100
Subject: [PATCH 10/14] Update defaults/main/template.yml

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index afe9c00b..30a03e42 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -284,7 +284,7 @@ nginx_config_http_template:
 http3:
 enable: false # Boolean
 hq: false # Boolean
- max_concurrent_streams: 128
+ max_concurrent_streams: 128 # Number
 stream_buffer_size: 64k
 quic:
 active_connection_id_limit: 2

From 35335c879cf88cec8826653aaac85d4f271b04f4 Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:14:00 +0100
Subject: [PATCH 11/14] Update defaults/main/template.yml

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index 30a03e42..23be17d3 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -288,7 +288,7 @@ nginx_config_http_template:
 stream_buffer_size: 64k
 quic:
 active_connection_id_limit: 2
- gso: false # Boolean
+ gso: false # Boolean
 host_key: /path/to/file
 retry: false # Boolean
 ssl: # Configure SSL

From 49564ac9c721fad2d23a89c7b63c06124867256c Mon Sep 17 00:00:00 2001
From: A compound of Fe and O
Date: Tue, 15 Aug 2023 13:14:11 +0100
Subject: [PATCH 12/14] Update defaults/main/template.yml

Co-authored-by: Alessandro Fael Garcia
---
 defaults/main/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main/template.yml b/defaults/main/template.yml
index 23be17d3..e7cdcaa6 100644
--- a/defaults/main/template.yml
+++ b/defaults/main/template.yml
@@ -283,7 +283,7 @@ nginx_config_http_template:
 recv_timeout: 20s # Not available in the 'location' context
 http3:
 enable: false # Boolean
- hq: false # Boolean
+ hq: false # Boolean
 max_concurrent_streams: 128 # Number
 stream_buffer_size: 64k
 quic:

From 483fc3b5b922940e021b34df93a66a41cec80ffc Mon Sep 17 00:00:00 2001
From: oxpa
Date: Tue, 15 Aug 2023 14:32:17 +0100
Subject: [PATCH 13/14] review fixes

---
 templates/core.j2 | 5 +++--
 templates/http/modules.j2 | 10 ++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/templates/core.j2 b/templates/core.j2
index aa943ecc..a5ad984b 100644
--- a/templates/core.j2
+++ b/templates/core.j2
@@ -83,8 +83,9 @@ timer_resolution {{ main['timer_resolution'] }};
 {% if main['working_directory'] is defined %}
 working_directory {{ main['working_directory'] }};
 {% endif %}
-{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %}
-quic_bpf {{ main['quic']['bpf'] | ternary('on', 'off') }};
+{% if main['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{{ quic(main['quic'], 'global') }}
 {% endif %}
 {% endmacro %}
 
diff --git a/templates/http/modules.j2 b/templates/http/modules.j2
index 65cf3cd7..371c2b17 100644
--- a/templates/http/modules.j2
+++ b/templates/http/modules.j2
@@ -370,8 +370,13 @@ http3_stream_buffer_size {{ http3['stream_buffer_size'] }};
 {% endmacro %}
 
 
-{# NGINX QUIC -- ngix_http_v3_module #}
-{% macro quic(quic) %}
+{# NGINX QUIC -- ngx_event_quic #} {# exposed for use and documented through ngx_http_v3_module #}
+{% macro quic(quic, scope='http') %}
+{% if scope == 'global' %}
+{% if quic is defined and quic['bpf'] is defined and quic['bpf'] is boolean %}
+quic_bpf {{ quic['bpf'] | ternary('on', 'off') }};
+{% endif %}
+{% else %}
 {% if quic['active_connection_id_limit'] is defined and quic['active_connection_id_limit'] is number %}
 quic_active_connection_id_limit {{ quic['active_connection_id_limit'] }};
 {% endif %}
@@ -384,5 +389,6 @@ quic_host_key {{ quic['host_key'] }};
 {% if quic['retry'] is defined and quic['retry'] is boolean %}
 quic_retry {{ quic['retry'] | ternary('on','off') }};
 {% endif %}
+{% endif %}
 
 {% endmacro %}

From 58a8d48c86ac1b0e4e1403d088b0ed42cbce1fb2 Mon Sep 17 00:00:00 2001
From: oxpa
Date: Tue, 15 Aug 2023 15:22:34 +0100
Subject: [PATCH 14/14] Add notes to changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 63af33bf..609495fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## 0.7.1 (Unreleased)
 
+ENHANCEMENTS:
+
+- Directives documented for `http_v3` module are implemented.
+
 BUG FIXES:
 
 - Add handler to reload NGINX when SSL cert or key is changed.
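Review bot: In the `scope == 'global'` branch the `quic is defined and` test repeats the `{% if main['quic'] is defined %}` guard that the templates/core.j2 caller in this same patch already applies, while the `{% else %}` branch does no such check before indexing `quic[...]`, so the two branches read inconsistently; either drop `quic is defined and` from the global branch or guard both the same way. The new `scope` parameter is also undocumented: the two header comments on one line, `{# NGINX QUIC -- ngx_event_quic #} {# exposed for use and documented through ngx_http_v3_module #}`, describe the module but not the argument, so suggest replacing them with `{# NGINX QUIC -- ngx_event_quic, documented under ngx_http_v3_module. scope='global' renders quic_bpf for the main context; any other value renders the http/server-level quic_* directives #}`. The first hunk ends mid-macro; the second adds the closing `{% endif %}` before `{% endmacro %}`.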