Implement HTTPv3 and QUIC NGINX directives (#353)

Author: oxpa

.gitignore

@@ -6,6 +6,7 @@
 \#*
 !molecule.crt
 !molecule.key
+!rand.key
 
 # OS Specific #
 ###############

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 0.7.1 (Unreleased)
 
+ENHANCEMENTS:
+
+- Directives documented for `http_v3` module are implemented. 
+
 BUG FIXES:
 
 - Add handler to reload NGINX when SSL cert or key is changed.

defaults/main/template.yml

@@ -72,6 +72,8 @@ nginx_config_main_template:
         - /etc/nginx/conf.d/*.conf
     # stream:
     #   include: /etc/nginx/conf.d/stream/*.conf  # String or a list of strings
+    # quic:
+    #   bpf: false  # Boolean
 
 # Enable creating dynamic templated NGINX HTTP configuration files.
 # Defaults will not produce a valid configuration. Instead they are meant to showcase
@@ -204,6 +206,7 @@ nginx_config_http_template:
             port: 80
             default_server: true  # Boolean
             ssl: false  # Boolean
+            quic: false  # Boolean
             proxy_protocol: false  # Boolean
             fastopen: 12  # Number
             backlog: 511  # Number
@@ -278,6 +281,16 @@ nginx_config_http_template:
         max_concurrent_streams: 128  # Number -- Not available in the 'location' context
         recv_buffer_size: 256k  # Only available in the 'http' context
         recv_timeout: 20s  # Not available in the 'location' context
+      http3:
+        enable: false  # Boolean
+        hq: false  # Boolean
+        max_concurrent_streams: 128  # Number
+        stream_buffer_size: 64k
+      quic:
+        active_connection_id_limit: 2
+        gso: false  # Boolean
+        host_key: /path/to/file
+        retry: false  # Boolean
       ssl:  # Configure SSL
         buffer_size: 16k
         certificate: /path/to/file  # String or a list of strings

molecule/common/files/ssl/rand.key

@@ -0,0 +1 @@
+E�4�h���4�֚Y��&i"/m�{�7��<%�J%f���^��`R�P��[�,6=!�>Z��o�K�cG�

molecule/default/converge.yml

@@ -26,6 +26,9 @@
           - src: ../common/files/ssl/molecule.key
             dest: /etc/ssl/private
             backup: true
+          - src: ../common/files/ssl/rand.key
+            dest: /etc/ssl/private
+            backup: true
 
         nginx_config_main_template_enable: true
         nginx_config_main_template:
@@ -67,6 +70,8 @@
                   threads: 32
               timer_resolution: 1s
               working_directory: /etc/nginx
+              quic:
+                bpf: false
             events:
               accept_mutex: false
               accept_mutex_delay: 500ms
@@ -236,6 +241,11 @@
                 max_concurrent_streams: 31
                 recv_buffer_size: 128k
                 recv_timeout: 10s
+              http3:
+                enable: true
+                hq: false
+                max_concurrent_streams: 100
+                stream_buffer_size: 32k
               ssl:
                 buffer_size: 16k
                 certificate: /etc/ssl/certs/molecule.crt
@@ -257,6 +267,7 @@
                   - TLSv1
                   - TLSv1.1
                   - TLSv1.2
+                  - TLSv1.3
                 reject_handshake: false
                 session_cache:
                   builtin:
@@ -569,6 +580,8 @@
                         port: 443
                         default_server: true
                         ssl: false
+                        quic: true
+                        reuseport: true
                         so_keepalive:
                           keepidle: 30m
                           keepintvl: 5
@@ -585,6 +598,14 @@
                   http2:
                     enable: false
                     chunk_size: 8k
+                  http3:
+                    enabled: false
+                    hq: true
+                  quic:
+                    active_connection_id_limit: 10
+                    gso: false
+                    retry: false
+                    host_key: /etc/ssl/private/rand.key
                   auth_basic:
                     realm: false
                   log:

molecule/push/converge.yml

@@ -30,3 +30,6 @@
           - src: ../common/files/ssl/molecule.key
             dest: /etc/ssl/private
             backup: true
+          - src: ../common/files/ssl/rand.key
+            dest: /etc/ssl/private
+            backup: true

templates/core.j2

@@ -83,6 +83,10 @@ timer_resolution {{ main['timer_resolution'] }};
 {% if main['working_directory'] is defined %}
 working_directory {{ main['working_directory'] }};
 {% endif %}
+{% if main['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{{ quic(main['quic'], 'global') }}
+{% endif %}
 {% endmacro %}
 
 {% macro events(events) %}

templates/http/core.j2

@@ -141,6 +141,7 @@ lingering_timeout {{ core['lingering_timeout'] }};
 listen {{ listen['address'] if listen['address'] is defined }}{{ ':' if listen['address'] is defined and listen['port'] is defined }}{{ listen['port'] if listen['port'] is defined -}}
 {{- ' default_server' if listen['default_server'] is defined and listen['default_server'] is boolean and listen['default_server'] | bool -}}
 {{- ' ssl' if listen['ssl'] is defined and listen['ssl'] is boolean and listen['ssl'] | bool -}}
+{{- ' quic' if listen['quic'] is defined and listen['quic'] is boolean and listen['quic'] | bool -}}
 {{- ' proxy_protocol' if listen['proxy_protocol'] is defined and listen['proxy_protocol'] is boolean and listen['proxy_protocol'] | bool -}}
 {{- (' setfib=' + listen['setfib'] | string) if listen['setfib'] is defined -}}
 {{- (' fastopen=' + listen['fastopen'] | string) if listen['fastopen'] is defined and listen['fastopen'] is number -}}

templates/http/default.conf.j2

@@ -12,6 +12,14 @@
 {% from 'http/modules.j2' import http2 with context %}
 {{ http2(item['config']['http2'], 'http') }}
 {%- endif %}
+{% if item['config']['http3'] is defined %}
+{% from 'http/modules.j2' import http3 with context %}
+{{ http3(item['config']['http3']) }}
+{%- endif %}
+{% if item['config']['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{{ quic(item['config']['quic']) }}
+{%- endif %}
 {% if item['config']['ssl'] is defined %}
 {% from 'http/ssl.j2' import ssl with context %}
 {{ ssl(item['config']['ssl']) }}
@@ -134,6 +142,19 @@ server {
     {{ http2(server['http2'], 'server') }}
 {%- endfilter %}
 {% endif %}
+{% if server['http3'] is defined %}
+{% from 'http/modules.j2' import http3 with context %}
+{% filter indent(4) %}
+    {{ http3(server['http3']) }}
+{%- endfilter %}
+{% endif %}
+{% if server['quic'] is defined %}
+{% from 'http/modules.j2' import quic with context %}
+{% filter indent(4) %}
+    {{ quic(server['quic']) }}
+{%- endfilter %}
+{% endif %}
+
 {% if server['ssl'] is defined %}
 {% from 'http/ssl.j2' import ssl with context %}
 {% filter indent(4) %}

templates/http/modules.j2

@@ -352,3 +352,43 @@ http2_chunk_size {{ http2['chunk_size'] }};
 {% endif %}
 
 {% endmacro %}
+
+{# NGINX HTTP v3 -- ngx_http_v3_module #}
+{% macro http3(http3) %}
+{% if http3['enabled'] is defined and http3['enabled'] is boolean %}
+http3 {{ http3['enabled'] | ternary('on', 'off') }};
+{% endif %}
+{% if http3['hq'] is defined and http3['hq'] is boolean %}
+http3_hq {{ http3['hq'] | ternary('on', 'off') }};
+{% endif %}
+{% if http3['max_concurrent_streams'] is defined and http3['max_concurrent_streams'] is number %}
+http3_max_concurrent_streams {{ http3['max_concurrent_streams'] }};
+{% endif %}
+{% if http3['stream_buffer_size'] is defined %}
+http3_stream_buffer_size {{ http3['stream_buffer_size'] }};
+{% endif %}
+
+{% endmacro %}
+
+{# NGINX QUIC -- ngx_event_quic #} {# exposed for use and documented through ngx_http_v3_module #}
+{% macro quic(quic, scope='http') %}
+{% if scope == 'global' %}
+{% if quic is defined and quic['bpf'] is defined and quic['bpf'] is boolean %}
+quic_bpf {{ quic['bpf'] | ternary('on', 'off') }};
+{% endif %}
+{% else %}
+{% if quic['active_connection_id_limit'] is defined and quic['active_connection_id_limit'] is number %}
+quic_active_connection_id_limit {{ quic['active_connection_id_limit'] }};
+{% endif %}
+{% if quic['gso'] is defined and quic['gso'] is boolean %}
+quic_gso {{ quic['gso'] | ternary('on','off') }};
+{% endif %}
+{% if quic['host_key'] is defined %}
+quic_host_key {{ quic['host_key'] }};
+{% endif %}
+{% if quic['retry'] is defined and quic['retry'] is boolean %}
+quic_retry {{ quic['retry'] | ternary('on','off') }};
+{% endif %}
+{% endif %}
+
+{% endmacro %}