You may need to add an NGINX precompiled module! QUIC can better support http3
--with-http_v3_module
server {
listen 443 quic reuseport udp; # Key parameters:udp + reuseport
listen 443 ssl;
ssl_protocols TLSv1.3; # compulsionTLSv1.3
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
# HTTP/3Response headers
add_header Alt-Svc 'h3=":443"; h3-29=":443"; ma=86400' always;
}
Nginx installed by Hestia (mainline version from Nginx repo) already has http3 support.
❯ nginx -V 2>&1| grep -o -- '--with-http_v3_module'
--with-http_v3_module
How do I enable it?
You need to create the required templates with the http3 directives.
Example:
Default templates for Nginx standalone:
Note: default-http3-reuseport template must be used only in one domain, for the rest of domains use the other template default-http3
Also, keep in mind that you must create a firewall rule to allow access to port 443 UDP
/usr/local/hestia/data/templates/web/nginx/php-fpm/default-http3-reuseport.tpl
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$ {
expires max;
fastcgi_hide_header "Set-Cookie";
}
location ~ [^/]\.php(/|$) {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
/usr/local/hestia/data/templates/web/nginx/php-fpm/default-http3-reuseport.stpl
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%web_ssl_port% quic reuseport;
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$ {
expires max;
fastcgi_hide_header "Set-Cookie";
}
location ~ [^/]\.php(/|$) {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
proxy_hide_header Upgrade;
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
/usr/local/hestia/data/templates/web/nginx/php-fpm/default-http3.tpl
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%web_port%;
server_name %domain_idn% %alias_idn%;
root %docroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$ {
expires max;
fastcgi_hide_header "Set-Cookie";
}
location ~ [^/]\.php(/|$) {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}
/usr/local/hestia/data/templates/web/nginx/php-fpm/default-http3.stpl
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://hestiacp.com/docs/server-administration/web-templates.html #
#=========================================================================#
server {
listen %ip%:%web_ssl_port% quic;
listen %ip%:%web_ssl_port% ssl;
server_name %domain_idn% %alias_idn%;
root %sdocroot%;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/%domain%.log combined;
access_log /var/log/nginx/domains/%domain%.bytes bytes;
error_log /var/log/nginx/domains/%domain%.error.log error;
ssl_certificate %ssl_pem%;
ssl_certificate_key %ssl_key%;
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.3 0-RTT anti-replay
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }
add_header Alt-Svc 'h3=":$server_port"; ma=86400';
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location / {
location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$ {
expires max;
fastcgi_hide_header "Set-Cookie";
}
location ~ [^/]\.php(/|$) {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass %backend_lsnr%;
include %home%/%user%/conf/web/%domain%/nginx.fastcgi_cache.conf*;
}
}
location /error/ {
alias %home%/%user%/web/%domain%/document_errors/;
}
location /vstats/ {
alias %home%/%user%/web/%domain%/stats/;
include %home%/%user%/web/%domain%/stats/auth.conf*;
}
proxy_hide_header Upgrade;
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}
These files are in the ‘/usr/local/hestia/data/templates/web/nginx’ directory
Do I need to change the nginx configuration inside ‘/home/www/conf/web/youweb’
Or can you just modify ‘/home/www/conf/web/youweb’?
The example templates I posted are for Nginx standalone and are located in /usr/local/hestia/data/templates/web/nginx/php-fpm/. The templates located in /usr/local/hestia/data/templates/web/nginx/ are for Nginx + Apache2 so the templates I posted won’t work if you use Nginx+Apache2 You should create new ones based on the templates in ‘/usr/local/hestia/data/templates/web/nginx’.
No, you must create new templates for your domains and assign the templates to your domains. You would need to rebuild the web domains.