V2: Simple HTTP/3 experimental config

predominant · October 9, 2019, 2:17am

1. My Caddy version (`caddy -version`):

v2.0.0-beta4 h1:E/9KLpceaTby394+yuX2+S0h9P4dzM76RHbppnlstdI=

2. How I run Caddy:

caddy run --config /hab/svc/caddy/config/Caddyfile --adapter caddyfile

a. System environment:

Running in a docker cleanroom environment (Habitat studio)

b. Command:

caddy run --config /hab/svc/caddy/config/Caddyfile --adapter caddyfile

c. Service/unit/compose file:

N/A

d. My complete Caddyfile:

{
  experimental_http3
}

0.0.0.0:443
udp/0.0.0.0:443
encode gzip zstd
root * /hab/svc/caddy/data

3. The problem I’m having:

Getting the following error on startup:

caddy.default(O): 2019/10/09 02:07:01 run: adapting config using caddyfile: /hab/svc/caddy/config/Caddyfile:6: unrecognized directive: udp/0.0.0.0:443

4. Error messages and/or full log output:

See above

5. What I already tried:

Tried omitting the udp/0.0.0.0:443 directive, but then it only listens on TCP.

6. Links to relevant resources:

matt · October 9, 2019, 2:38am

The correct Caddyfile is the one without the udp/0.0.0.0:443 line.

It’s not obvious (yet), but HTTP/3 requires TLS to operate, and I don’t think that server has TLS enabled, because there’s no way Caddy can serve TLS with the config you’ve given it. There’s no certificates, nor way for it to get certificates, for the address 0.0.0.0:443.

So, you can use a proper hostname and obtain a real certificate:

example.com
...

Or you can set up on-demand TLS to get certificates at handshake-time:

0.0.0.0:443

tls {
    # NOTE: this is still a TODO, so not yet implemented
    # in the v2 Caddyfile and it might be different than this
    ask <your endpoint here>
}

But the easiest thing is to just make your own certificate and provide them:

0.0.0.0:443
tls cert.pem key.pem

You’ll get cert errors that way, but at least you’ll have TLS.

predominant · October 9, 2019, 2:59am

Updated Caddyfile:

{
experimental_http3
}

0.0.0.0:443
encode gzip zstd
root * /hab/svc/caddy/data
tls /hab/svc/caddy/files/cert.pem /hab/svc/caddy/files/cert.key

Certificates generated with:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/C=JP/ST=Tokyo/L=Setagaya/O=Rakuten/OU=Operations/CN=localhost" \
  -keyout cert.key \
  -out cert.pem

After starting Caddy, I get the following output:

addy.default(O): 2019/10/09 02:55:37 Caddy 2 admin endpoint listening on localhost:2019
caddy.default(O): 2019/10/09 02:55:37 [INFO][cache:0xc00014b9f0] Started certificate maintenance routine
caddy.default(O): 2019/10/09 02:55:37 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
caddy.default(O): 2019/10/09 02:55:37 [INFO] tls: Cleaned up storage unit(s)
caddy.default(O): 2019/10/09 02:55:37 Caddy 2 serving initial configuration

Netstat:

# netstat -peanut | grep caddy
tcp        0      0 127.0.0.1:2019          0.0.0.0:*               LISTEN      93905/caddy
tcp        0      0 :::443                  :::*                    LISTEN      93905/caddy

It is still not listening on UDP, as far as I can see.

stormlin · December 18, 2019, 7:39am

hi, you can not use self-signed tls certificate to enable http/3 support. see A workaround to test HTTP/3 with Caddy 2 in localhost · Issue #2934 · caddyserver/caddy · GitHub for more detail.

system · March 17, 2020, 7:53am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.