diff --git a/nginx.tmpl b/nginx.tmpl index 1a8f82c..7e5a52e 100644 --- a/nginx.tmpl +++ b/nginx.tmpl @@ -203,6 +203,10 @@ include /etc/nginx/network_internal.conf; {{- end }} + {{- if .http3 }} + add_header alt-svc 'h3=":{{ $.globals.external_https_port }}"; ma=86400;'; + {{- end }} + {{- if eq .Proto "uwsgi" }} include uwsgi_params; uwsgi_pass {{ trim .Proto }}://{{ trim .Upstream }}; @@ -333,7 +337,7 @@ map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl { gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; -log_format vhost '{{ or $globals.Env.LOG_FORMAT "$host $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$upstream_addr\"" }}'; +log_format vhost '{{ or $globals.Env.LOG_FORMAT "$host $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$upstream_addr\" $http3" }}'; access_log off; @@ -350,7 +354,7 @@ include /etc/nginx/proxy.conf; # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; -proxy_set_header Host $http_host; +proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; 
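Review bot: The `add_header alt-svc ...` line added inside the location body stops that location from inheriting any `add_header` set at the server or http level, because nginx inherits `add_header` only when the current level defines none of its own. If the enclosing server block (not visible in this hunk) emits security headers such as `Strict-Transport-Security`, they would silently disappear from every proxied location as soon as HTTP/3 is enabled for the vhost. Emitting the Alt-Svc header once in the server block, next to the `listen ... quic` lines, avoids this. If it has to stay here, a template comment should state that server-level headers must be repeated in this block. The location template starts and ends outside the hunk.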
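Review bot: Appending `$http3` to the built-in default `log_format vhost` changes the access-log line layout for every deployment that does not set `LOG_FORMAT`, whether or not HTTP/3 is enabled. Log parsers and detection rules keyed to the previous field layout will need updating, so this deserves a changelog entry and a comment above the directive, e.g. `# trailing $http3 is "h3" for HTTP/3 requests, empty otherwise`. The variable is only defined when nginx is built with the HTTP/3 module, and an unknown variable in `log_format` fails configuration load, so it is worth confirming the base image always ships that module.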
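Review bot: Switching `proxy_set_header Host` from `$http_host` to `$host` changes what upstreams receive: `$host` is lowercased and never includes the port. Backends behind a non-default `external_https_port` that build absolute URLs or compare Host against Origin for CSRF checks will see a different value. Nothing on the page explains the change; presumably it is because HTTP/3 requests carry `:authority` rather than a `Host` header, which should be confirmed and recorded. A comment such as `# $host (not $http_host): also populated for HTTP/3, but drops the port` would help, and the change should be called out for operators on non-standard ports.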
@@ -384,7 +388,15 @@ proxy_set_header Proxy ""; {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }} {{- $default := eq $globals.Env.DEFAULT_HOST $vhost }} {{- $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }} - {{- $_ := set $globals.vhosts $vhost (dict "cert" $cert "cert_ok" $cert_ok "containers" $containers "default" $default "https_method" $https_method) }} + {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}} + {{- $_ := set $globals.vhosts $vhost (dict + "cert" $cert + "cert_ok" $cert_ok + "containers" $containers + "default" $default + "https_method" $https_method + "http3" $http3 + ) }} {{- end }} {{- /* @@ -406,6 +418,7 @@ proxy_set_header Proxy ""; {{- $https_exists := false }} {{- $default_http_exists := false }} {{- $default_https_exists := false }} + {{- $http3 := false }} {{- range $vhost := $globals.vhosts }} {{- $http := or (ne $vhost.https_method "nohttp") (not $vhost.cert_ok) }} {{- $https := ne $vhost.https_method "nohttps" }} @@ -413,6 +426,7 @@ proxy_set_header Proxy ""; {{- $https_exists = or $https_exists $https }} {{- $default_http_exists = or $default_http_exists (and $http $vhost.default) }} {{- $default_https_exists = or $default_https_exists (and $https $vhost.default) }} + {{- $http3 = or $http3 $vhost.http3 }} {{- end }} {{- $fallback_http := and $http_exists (not $default_http_exists) }} {{- $fallback_https := and $https_exists (not $default_https_exists) }} 
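Review bot: The `$http3 := parseBool (...)` expression added in the `@@ -384` hunk is added again verbatim in the `@@ -472` hunk, so the value stored in the vhost dict (which feeds the fallback aggregate) and the value used for the per-vhost `listen ... quic` lines are computed separately and can drift if one is edited later. `$vhost` is in scope at the second site (the neighbouring lines read `$vhost.default` and `$vhost.https_method`), so that line can be `{{- $http3 := $vhost.http3 }}`. A short template comment here should note that the container label takes precedence over `ENABLE_HTTP3` and that the default is `"false"`. It should also note that `first (keys ...)` picks a single value when containers of one vhost carry different label values; which one wins is not evident from this hunk.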
@@ -438,8 +452,14 @@ server { {{- end }} {{- if $fallback_https }} listen {{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}} + {{- if $http3 }} + listen {{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}} + {{- end }} {{- if $globals.enable_ipv6 }} listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}} + {{- if $http3 }} + listen [::]:{{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}} + {{- end }} {{- end }} ssl_session_cache shared:SSL:50m; ssl_session_tickets off; @@ -472,6 +492,7 @@ server { {{- $default_server := when $vhost.default "default_server" "" }} {{- $https_method := $vhost.https_method }} {{- $http2 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}} + {{- $http3 := parseBool (or (first (keys (groupByLabel $containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}} {{- $is_regexp := hasPrefix "~" $host }} {{- $upstream_name := when (or $is_regexp $globals.sha1_upstream_name) (sha1 $host) $host }} @@ -562,8 +583,14 @@ server { {{- end }} {{- if ne $https_method "nohttps" }} listen {{ $globals.external_https_port }} ssl {{ $default_server }}; + {{- if $http3 }} + listen {{ $globals.external_https_port }} quic {{ $default_server }}; + {{- end }} {{- if $globals.enable_ipv6 }} listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }}; + {{- if $http3 }} + listen [::]:{{ $globals.external_https_port }} quic {{ $default_server }}; + {{- end }} {{- end }} {{- if $cert_ok }} 
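Review bot: `reuseport` is set only on the fallback server's `listen ... quic` lines in the `@@ -438` hunk; the per-vhost QUIC listeners added in the `@@ -562` hunk omit it. When `$fallback_https` is false, no listener for the UDP port carries `reuseport`, which nginx's documentation recommends so that QUIC works properly with multiple worker processes. Socket options should only be given on one `listen` per address:port, so one option is to add it where `$vhost.default` is true; both the fallback and no-fallback renderings are worth testing. It would also help to document that the HTTPS port must now be reachable over UDP, since firewall rules and monitoring that cover only TCP will not see HTTP/3 traffic.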
@@ -648,7 +675,18 @@ server { {{- $upstream = printf "%s-%s" $upstream $sum }} {{- $dest = (or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "") }} {{- end }} - {{- template "location" (dict "Path" $path "Proto" $proto "Upstream" $upstream "Host" $host "VhostRoot" $vhost_root "Dest" $dest "NetworkTag" $network_tag "Containers" $containers) }} + {{- template "location" (dict + "globals" $globals + "Path" $path + "http3" $http3 + "Proto" $proto + "Upstream" $upstream + "Host" $host + "VhostRoot" $vhost_root + "Dest" $dest + "NetworkTag" $network_tag + "Containers" $containers + ) }} {{- end }} {{- if and (not (contains $paths "/")) (ne $globals.default_root_response "none")}} location / {
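Review bot: The new dict keys `"globals"` and `"http3"` are lowercase while every other key passed to the `location` template is capitalised (`"Path"`, `"Proto"`, `"Upstream"`, ...), and the whole `$globals` dict is handed over only so the template can read `external_https_port`. Passing just the values, e.g. `"HttpsPort" $globals.external_https_port` and `"HTTP3" $http3`, keeps the template's inputs narrow and the naming consistent; the `@@ -203` hunk would then read `.HttpsPort` and `.HTTP3`. The enclosing range block starts outside the hunk.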