Http3 enabled by default?

Will there be support for http3? - Community Support / Web - Hestia Control Panel - Discourse

Hi,

Why doesn’t Hestia enable http3/quic by default?
To enable it, do I have to create a template for every type of domain? Default, WordPress, etc.

Thanks

Http3 Nginx temnplates directives - Community Support / Web - Hestia Control Panel - Discourse

Doesn’t work for me

What’s your domain so I can test it?

Did you create a firewall rule to allow access to port 443 protocol UDP?

www.stefanofattori.it

Already opened 443 UDP port on Oracle Cloud

Did you restart nginx?

Show the output of this command:

cat /etc/nginx/conf.d/domains/stefanofattori.it.ssl.conf

Yes.

#=========================================================================#
# Default Web Domain Template
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS
#=========================================================================#

server {
    listen      10.0.0.156:443 quic;
    listen      10.0.0.156:443 ssl;
    server_name stefanofattori.it www.stefanofattori.it;
    root        /home/stefano/web/stefanofattori.it/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/stefanofattori.it.log combined;
    access_log  /var/log/nginx/domains/stefanofattori.it.bytes bytes;
    error_log   /var/log/nginx/domains/stefanofattori.it.error.log error;

    ssl_certificate     /home/stefano/conf/web/stefanofattori.it/ssl/stefanofattori.it.pem;
    ssl_certificate_key /home/stefano/conf/web/stefanofattori.it/ssl/stefanofattori.it.key;
    ssl_stapling        on;
    ssl_stapling_verify on;

    # TLS 1.3 0-RTT anti-replay
    if ($anti_replay = 307) { return 307 https://$host$request_uri; }
    if ($anti_replay = 425) { return 425; }

    add_header Alt-Svc 'h3=":$server_port"; ma=86400';

    include /home/stefano/conf/web/stefanofattori.it/nginx.hsts.conf*;

    location = /favicon.ico {
            log_not_found off;
            access_log off;
    }

    location = /robots.txt {
            try_files $uri $uri/ /index.php?$args;
            log_not_found off;
            access_log off;
    }

    location ~ /\.(?!well-known\/) {
            deny all;
            return 404;
    }

    location / {
            try_files $uri $uri/ /index.php?$args;

            location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
                    expires 30d;
                    fastcgi_hide_header "Set-Cookie";
            }

            location ~* /(?:uploads|files)/.*.php$ {
                    deny all;
                    return 404;
            }

            location ~ [^/]\.php(/|$) {
                    try_files $uri =404;

                    include /etc/nginx/fastcgi_params;

                    fastcgi_index index.php;
                    fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                    fastcgi_pass unix:/run/php/php8.4-fpm-stefanofattori.it.sock;

                    include /home/stefano/conf/web/stefanofattori.it/nginx.fastcgi_cache.conf*;

                    if ($request_uri ~* "/wp-admin/|/wp-json/|wp-.*.php|xmlrpc.php|index.php|/store.*|/cart.*|/my-account.*|/checkout.*") {
                            set $no_cache 1;
                    }

                    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|woocommerce_items_in_cart|woocommerce_cart_hash|PHPSESSID") {
                            set $no_cache 1;
                    }
            }
    }

    location /error/ {
            alias /home/stefano/web/stefanofattori.it/document_errors/;
    }

    location /vstats/ {
            alias   /home/stefano/web/stefanofattori.it/stats/;
            include /home/stefano/web/stefanofattori.it/stats/auth.conf*;
    }

    proxy_hide_header Upgrade;

    include /etc/nginx/conf.d/phpmyadmin.inc*;
    include /etc/nginx/conf.d/phppgadmin.inc*;
    include /home/stefano/conf/web/stefanofattori.it/nginx.ssl.conf_*;

}

You must also open it in the Hestia firewall:

v-add-firewall-rule ACCEPT 0.0.0.0/0 443 UDP HTTP3

I’m asking to open the UDP 443 port also in Hestia because it’s blocked:

❯ curl -vIL --user-agent 'sahsanu' --http3 www.stefanofattori.it 2>&1 | grep -A1 QUIC
* QUIC connect to 130.110.9.2 port 443 failed: Could not connect to server
* Failed to connect to www.stefanofattori.it port 443 after 62 ms: Could not connect to server

mmmh but I have the firewall disabled.

I opened it on Hestia and now it works fine.

But why do I have to open the port with the iptables firewall disabled?

Other processes could be adding rules to it. Show which are the iptables rules in your server:

iptables -S

So even if I disable iptables from Hestia, it could still be operational?

Thanks for the solution :)

Yes.

You’re welcome.
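Why UDP 443 can stay blocked with the panel firewall switched off, as an added example (not from the thread or from Hestia): a simplified first-match reading of `iptables -S` output for a new inbound packet. The rule listing is constructed, and only `-p`, `--dport`/`--dports`, state matches and `-i lo` are modelled; any other option is reported as UNKNOWN for manual review.

```python
import shlex

# Constructed `iptables -S` output (not from the thread): rules added outside the panel.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def port_in(spec, port):
    """True if port falls in a spec such as '80,443' or '8000:8100'."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition(":") for p in spec.split(",")))

def rule_target(tokens, proto, dport):
    """Target if a NEW remote packet matches, '' if not, None if not modelled."""
    opts = iter(tokens)
    for opt, val in zip(opts, opts):  # walk the rule as option/value pairs
        if opt == "-j":
            return val
        if opt == "-m":
            continue
        if opt == "-p":
            ok = val in (proto, "all")
        elif opt in ("--dport", "--dports"):
            ok = port_in(val, dport)
        elif opt in ("--state", "--ctstate"):
            ok = "NEW" in val.split(",")
        elif opt == "-i" and val == "lo":
            ok = False  # remote traffic never arrives on loopback
        else:
            return None
        if not ok:
            return ""
    return ""

def verdict(rules, proto, dport, chain="INPUT"):
    """First-match verdict for the chain; UNKNOWN means review that rule by hand."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[:2] == ["-A", chain]:
            target = rule_target(tok[2:], proto, dport)
            if target != "":
                known = target in ("ACCEPT", "DROP", "REJECT")
                return (target if known else "UNKNOWN") + " at: " + line
    return policy + " by chain policy"
```

With this listing, `verdict(SAMPLE_RULES, "tcp", 443)` is accepted by the multiport rule while `verdict(SAMPLE_RULES, "udp", 443)` falls through to the catch-all REJECT, even though the chain policy is ACCEPT.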

Oh sorry, just one last question: so I don’t have to use reuseport? Just quic?

You should use reuseport only once in a server. For your other sites you should remove reuseport from the template. So you need two templates for your sites, one with quic reuseport and the other without reuseport.

Oh ok, actually I’m using only quic, so I’ll create reuseport for the main site.

I realised I had a problem with http3, though…
Try navigating to www.stefanofattori.it in the subpages, then click on the home page or logo again, and a redirect problem occurs.
This does not happen when I revert to the http2 template.

What I see is that redirection is not working:

❯ curl -IL --http3 www.stefanofattori.it
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 08 Dec 2025 15:21:16 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.stefanofattori.it/

HTTP/3 301 
server: nginx
date: Mon, 08 Dec 2025 15:21:16 GMT
content-type: text/html; charset=UTF-8
location: https:///
set-cookie: PHPSESSID=sen8m7g5ivojtu1bitkh9tc2uf; path=/
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-redirect-by: WordPress
alt-svc: h3=":443"; ma=86400
strict-transport-security: max-age=31536000;

curl: (3) The redirect target URL could not be parsed: No host part in the URL

What are the contents of:

cat /home/stefano/conf/web/stefanofattori.it/nginx.hsts.conf
cat /home/stefano/conf/web/stefanofattori.it/nginx.ssl.conf_redirect

Anyway, it looks like the problem is that WordPress isn’t able to determine the host when requests come through HTTP/3.

add_header Strict-Transport-Security "max-age=31536000;" always;

cat: /home/stefano/conf/web/stefanofattori.it/nginx.ssl.conf_redirect: No such file or directory

If I delete the cache it works the first time; then if I navigate to subpages and come back to the homepage I get a redirect error, only with http3 enabled.

I never got this issue with WordPress on other hosts or panels
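A check for the host-less redirect seen in the `curl -IL --http3` output above, as an added example that is not part of the thread: it splits a `curl -I -L` header dump into hops and flags any 3xx whose absolute `Location` has no host. The sample is abridged from the output quoted in the thread; the function names are this example's own.

```python
from urllib.parse import urlsplit

# Abridged from the `curl -IL --http3` output quoted in the thread.
SAMPLE_DUMP = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Content-Type: text/html
Location: https://www.stefanofattori.it/

HTTP/3 301 
server: nginx
content-type: text/html; charset=UTF-8
location: https:///
x-redirect-by: WordPress
alt-svc: h3=":443"; ma=86400
"""

def parse_hops(dump):
    """Split `curl -I -L` output into one dict per response hop."""
    hops = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("HTTP/"):
            proto, _, rest = line.partition(" ")
            hops.append({"proto": proto, "status": int(rest.split()[0]), "headers": {}})
        elif ":" in line and hops:
            # Header names are case-insensitive (HTTP/3 sends them lowercase).
            name, _, value = line.partition(":")
            hops[-1]["headers"][name.strip().lower()] = value.strip()
    return hops

def bad_redirects(dump):
    """Return (protocol, status, location, x-redirect-by) for host-less redirects."""
    findings = []
    for hop in parse_hops(dump):
        loc = hop["headers"].get("location")
        if loc is None or not 300 <= hop["status"] < 400:
            continue
        parts = urlsplit(loc)
        # Relative targets such as "/login" are fine; an absolute URL needs a host.
        if (parts.scheme or loc.startswith("//")) and not parts.hostname:
            by = hop["headers"].get("x-redirect-by", "")
            findings.append((hop["proto"], hop["status"], loc, by))
    return findings
```

On the sample it reports only the HTTP/3 hop, with `x-redirect-by: WordPress` identifying which layer built the URL. A mitigation often used for this symptom, which the thread does not confirm, is passing the host to PHP-FPM explicitly with `fastcgi_param HTTP_HOST $host;`.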