HTTP/3 firewall rules for Caddy 2.6+

heartland73 · November 22, 2022, 7:10am

Prior to Caddy 2.6, my firewalls have been TCP-based only,

tcp dport { 22, 80, 443 } accept

But I want to support HTTP/3 and QUIC, so I’ve aded a new rule,

udp dport 443 accept
tcp dport { 22, 80, 443 } accept

Am I missing anything else? When I look at my site from https://www.http3check.net I see this:

QUIC is not supported

HTTP/3 is supported

Is that what I should see?

WeidiDeng · November 22, 2022, 7:15am

http3 check use an old version of https, the result is normal. Your firewall rules are correct.

You can use chrome and it will show http3 in devtools networks(turn on protocol column).

heartland73 · November 22, 2022, 7:21am

Okay, thanks for the tip. I have 64-bit Chromium v.107 on Linux, and in the protocol column I see “h2” for every element on the page. Hmm.

Edit

I edited my Caddyfile to include,

{
    admin off
    servers {
        protocols h3
    }
}

But even though Caddy is fine with that config, and reloads fine, I can’t load the site in a browser anymore. Now I’m more confused.

Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.009503,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 21 23:55:27 thor caddy[594]: {"level":"warn","ts":1669103727.0116642,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
Nov 21 23:55:27 thor caddy[594]: {"level":"warn","ts":1669103727.0128446,"logger":"admin","msg":"admin endpoint disabled"}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.013231,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.0134025,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.0145423,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.0146716,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.014844,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Nov 21 23:55:27 thor caddy[594]: {"level":"info","ts":1669103727.016157,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h3"]}

francislavoie · November 22, 2022, 1:24pm

I’m not sure that browsers support H3-only I think they still do TCP to get the Alt-Svc header to know to try H3. But I’m not certain.

matt · November 22, 2022, 4:32pm

Yeah, it’s as Francis said. Browsers need HTTP/3 to be advertised before they will try it, so you need to enable another version too.

system · December 22, 2022, 7:10am

This topic was automatically closed after 30 days. New replies are no longer allowed.