Guide to Enabling HTTP/3 and QUIC Protocol on Baota Nginx

In our previous article, we discussed the procedures for enabling Brotli compression in Nginx. While this was initially a straightforward task, changing the server and upgrading the Nginx version presented several unexpected challenges. With Nginx now upgraded to version 1.25 (soon followed by an update to version 1.26), let’s spend some time enabling HTTP/3 and the QUIC protocol, which is a relatively simple task.

1. Upgrade Nginx to Version 1.25 or Later

First and foremost, make sure Nginx is at version 1.25 or later, because that is the series in which the quic parameter of listen and the http2 on; directive first appear; better still, go straight to the 1.26.2 stable release, which carries the fixes for the HTTP/3 and QUIC vulnerabilities patched during the 1.25.x and 1.26.x releases. If you are using the Baota panel, update from the software list in the backend and, once it finishes, verify that Brotli is still operational. Also check that the build actually contains HTTP/3 support: nginx -V 2>&1 | grep -o -- '--with-http_v3_module' must print the flag, and the TLS library the binary was built against must support QUIC (BoringSSL, quictls or LibreSSL; plain OpenSSL only gained a server-side QUIC API in 3.5). Without the module, nginx -t rejects listen 443 quic; with an error stating that the quic parameter requires ngx_http_v3_module.

2. Modify the Site Configuration File

Next, pick the one site that will own the shared QUIC socket. It should be a site that stays in the panel permanently, since deleting it later removes the reuseport listener for every other site as well. Open its configuration file from the website settings and add the following lines inside the server block:

listen 443 ssl;
listen 443 quic reuseport;
listen [::]:443 ssl;
listen [::]:443 quic reuseport; 
http2 on;

The reuseport parameter may appear in exactly one server block per address and port: if a second site also declares it, nginx -t fails with a "duplicate listen options" error. Every other site therefore declares the quic listener without reuseport:

listen 443 ssl;
listen 443 quic;
listen [::]:443 ssl;
listen [::]:443 quic; 
http2 on;

The listen [::]: lines are the IPv6 listeners; add them only if the server has an IPv6 address, otherwise Nginx will fail to bind them. Further down in the same server block (the exact line number depends on your file), you can optionally add:

ssl_early_data on;

This turns on TLS 1.3 0-RTT. It saves a round trip on resumed connections, but a request carried in early data can be replayed by an attacker, so it is not recommended for sites that handle logins, payments or anything else where a replayed request could have an effect. If you do enable it, pass the $ssl_early_data variable through to the backend (for example proxy_set_header Early-Data $ssl_early_data;) so the application can reject non-idempotent requests that arrived in 0-RTT, as RFC 8470 describes. Next, add the Alt-Svc header; this is what tells a browser that connected over HTTP/1.1 or HTTP/2 that HTTP/3 is available on UDP port 443:

add_header Alt-Svc 'h3=":443"; ma=86400' always;

Many tutorials still list h3-29, h3-Q050 and quic=":443"; v="46,43" alongside h3; those are draft-era identifiers that shipping browsers no longer negotiate, so h3 alone is sufficient. The ma value is how many seconds the browser may cache the advertisement (86400 is one day; a short lifetime is safer while you are still testing, and 2592000, 30 days, is common once things are stable). Remember that add_header directives in the server block are inherited by a location only if that location has no add_header of its own, so if a location already sets headers, repeat the Alt-Svc line there.

3. Modify the SSL Version

In the existing line ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; remove TLSv1.1 (and TLSv1, if present), since both are deprecated and Nginx will keep offering them until told otherwise. TLSv1.3 must stay: QUIC is defined only over TLS 1.3, so dropping it silently disables HTTP/3. The line should simply read:

ssl_protocols TLSv1.2 TLSv1.3;
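Putting steps 2 and 3 together, here is one complete server block as an added example; it is not taken from the page's author or from the Baota panel. It combines the listen lines, the protocol list, the optional 0-RTT setting and the Alt-Svc header discussed above. The hostname, the certificate paths and the proxied backend address are assumptions.

```nginx
# Added example: a complete HTTP/3-capable server block (not Baota's own template).
# example.com, the certificate paths and the backend address are assumptions.
server {
    server_name example.com;

    # TCP listeners carry HTTP/1.1 and HTTP/2; the UDP (quic) listeners carry HTTP/3.
    # reuseport may be declared in only one server block per address:port;
    # every other site uses plain "listen 443 quic;" / "listen [::]:443 quic;".
    listen 443 ssl;
    listen 443 quic reuseport;
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    http2 on;

    ssl_certificate     /www/server/panel/vhost/cert/example.com/fullchain.pem;   # assumed path
    ssl_certificate_key /www/server/panel/vhost/cert/example.com/privkey.pem;     # assumed path

    # QUIC runs only over TLS 1.3, so TLSv1.3 must remain in the list.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 0-RTT is left off: early data can be replayed. Uncomment only on sites
    # where a replayed request cannot cause harm.
    # ssl_early_data on;

    # Advertise HTTP/3 on UDP 443 to clients that arrived over TCP.
    # "always" keeps the header on error responses too.
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend

        # If ssl_early_data is ever enabled, the backend must be able to tell
        # which requests arrived in 0-RTT so it can reject non-idempotent
        # ones with 425 Too Early (RFC 8470). $ssl_early_data is "1" for
        # early-data requests and empty otherwise.
        proxy_set_header Early-Data $ssl_early_data;
    }
}
```

Run nginx -t after saving, then reload; nginx -t is the authoritative check for the duplicate-reuseport and missing-module mistakes described above.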

Throughout this process, read online tutorials critically: many are incomplete or repeat one another's mistakes. Between differing environments and simple slips, even an easy task like this one can cost real time.

4. Confirm that UDP Port 443 is Open

Ensure that your server's firewall and your cloud provider's firewall (if any) allow inbound UDP traffic on port 443; TCP 443 alone only gets you HTTP/2. In the Baota panel, open UDP port 443 under Panel → Security → Firewall. On cloud servers (Tencent Cloud, Alibaba Cloud, Huawei Cloud and the like) add the matching security group rule as well. After reloading Nginx, confirm that it is actually bound to the UDP port with ss -lunp | grep ':443'; if nothing is listed, the quic listen directive was not applied.

5. Test Whether Your Site Supports HTTP/3

After completing the configuration, test with curl -sI --http3-only https://your-domain/ (this needs curl 7.88 or later built with HTTP/3 support; curl --version lists HTTP3 under Features), which should print a status line beginning with HTTP/3, or use an online checker such as HTTP/3 Test. In a browser's developer tools the Network panel shows the protocol as h3, but only from the second page load onward, because the first load has to learn about HTTP/3 from the Alt-Svc header.
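The checks for steps 1, 4 and 5 wrapped into a small script, as an added example; it is not Baota or Nginx tooling. Each helper takes the text of the command it inspects as an argument, so the logic can be exercised offline against constructed output; the hostname, the sample nginx -V and ss output, and the probe's reliance on an HTTP/3-capable curl are assumptions.

```shell
#!/bin/sh
# Added example: post-rollout checks for HTTP/3 on nginx. Not part of Baota
# or nginx. Each helper receives command output as text so it can be tested
# against constructed samples; run with a hostname to check a live server.
set -eu

# $1 = text of `nginx -V 2>&1`. Returns 0 only when the binary was built
# with the HTTP/3 module; without it "listen ... quic" is rejected at nginx -t.
nginx_has_http3() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# $1 = text of the nginx config (all vhost files concatenated). nginx fails
# with "duplicate listen options" when reuseport is declared for the same
# address:port in more than one server block, which is why only one site may
# carry it. Returns 0 when no address:port has more than one reuseport
# listener. This is a plain string check ("443" and "0.0.0.0:443" are not
# unified); nginx -t remains the authoritative test.
single_reuseport_per_socket() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*listen[[:space:]].*reuseport' \
      | sed -E 's/^[[:space:]]*listen[[:space:]]+([^ ;]+).*/\1/' \
      | sort | uniq -d | grep -q . && return 1
    return 0
}

# $1 = text of `ss -lunp`. Returns 0 when some process has a UDP socket bound
# to port 443; if nginx reloaded cleanly but this fails, the quic listener
# was not applied or a firewall is not the problem you are looking at.
udp443_listening() {
    printf '%s\n' "$1" | grep -E '^UNCONN' | grep -qE '[:.]443[[:space:]]'
}

# Live probe: force curl to speak only HTTP/3 (curl 7.88+ built with HTTP/3;
# `curl --version` lists HTTP3 under Features). Prints e.g. "HTTP/3 200".
probe_http3() {
    curl -sI --http3-only "https://$1/" | head -n 1
}

# Usage on the server: sh h3check.sh example.com   (hostname is an assumption)
if [ "${1:-}" != "" ]; then
    nginx_has_http3 "$(nginx -V 2>&1)" && echo "nginx: HTTP/3 module present"
    udp443_listening "$(ss -lunp)" && echo "udp/443: nginx is bound"
    probe_http3 "$1"
fi
```

The helpers deliberately stop short of inspecting the cloud security group, which has no uniform command-line interface; a probe that fails while udp443_listening succeeds points at the provider firewall rather than at nginx.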

By following these steps, you’ll successfully enable HTTP/3 and the QUIC protocol on your Baota Nginx server, leading to faster web page load times and enhanced website performance.
