1.9.2 compatibility issues with nginx HTTP/3
ZeroClover opened this issue
Because I don't want to use the default path /dns-query, I run AGH (AdGuard Home) behind nginx so that I can modify the path.
Here is my nginx configuration snippet:
upstream agh {
    server 127.0.0.1:12345;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl reuseport;
    listen [::]:443 ssl reuseport;
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;
    server_name dns.domain.tld;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Alt-Svc 'h3=":443"; ma=86400' always;
    ...
    location /mypath {
        proxy_pass https://agh/dns-query;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Accept-Encoding '';
        proxy_redirect off;
        proxy_buffering off;
    }
}
nginx version:
nginx -V
nginx version: nginx/1.25.2
built with OpenSSL 3.1.2+quic 1 Aug 2023
There are no issues when using dnslookup 1.9.1, but when using 1.9.2, queries cannot be completed:
dnslookup google.com h3://dns.domain.tld/mypath
dnslookup v1.9.2
2023/09/08 04:08:04 [fatal] Cannot make the DNS request: requesting https:///dns.domain.tld:443/mypath: Get_0rtt "https:///dns.domain.tld:443/mypath?dns=AAABAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
But there is no issue in other DoH clients that support HTTP/3 (including AGH itself).
I'm not quite sure what caused the problem; if you could take the time to check this issue, I would be very grateful.
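To check the reverse-proxied endpoint independently of the client version, here is an added Python example (not from the issue, dnslookup or dnsproxy) that builds the RFC 8484 GET URL and decodes the A records from the wire-format answer; the `?dns=` value in the error above is exactly this encoding of a google.com A query with ID 0. The host name and /mypath are the ones from the issue; urllib only speaks HTTP/1.1, so this exercises the proxied path rather than HTTP/3.

```python
import base64
import struct
import urllib.request

def build_query(qname, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 recommends it for cacheable GETs), RD bit set."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint, qname, qtype=1):
    """RFC 8484 GET form: the query, base64url-encoded without '=' padding, in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_query(qname, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def read_name(msg, off):  # decode a (possibly compressed) name -> (name, offset just past it)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_a_records(msg):  # -> [(owner, ttl, ipv4)] for the A records in the answer section
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((owner, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out

def resolve_a(qname, endpoint="https://dns.domain.tld/mypath"):
    """Send the GET (urllib speaks HTTP/1.1, so this checks the proxied path, not HTTP/3)."""
    req = urllib.request.Request(doh_get_url(endpoint, qname), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())
```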
Hmm, the only relevant change was the quic-go update. Let me move it to the dnsproxy repo, as the DNS upstreams implementation comes from that library.
Hm, I tried reproducing it and couldn't.
Here is what I did.
- This is the configuration that I used:

Nginx configuration

upstream dns_google {
    server dns.google:443;
}

server {
    # quic and http/3
    listen 443 quic reuseport;
    # http/2 and http/1.1
    listen 443 ssl reuseport;
    http2 on;

    server_name localhost; # customize to match your domain

    # you need to mount these files when running this container
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    # Enable all TLS versions (TLSv1.3 is required for QUIC).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    # 0-RTT QUIC connection resumption
    ssl_early_data on;

    # Add Alt-Svc header to negotiate HTTP/3.
    add_header alt-svc 'h3=":8443"; ma=2592000';

    # Sent when QUIC was used
    # add_header QUIC-Status $quic;

    location / {
        return 200 'hello';
        add_header Content-Type text/plain;
        add_header alt-svc 'h3=":8443"; ma=2592000';
    }

    location /dns-query {
        proxy_pass https://dns_google/dns-query;
        proxy_set_header Host dns.google;
        add_header alt-svc 'h3=":8443"; ma=2592000';
    }
}
- Used a docker image to run it locally:

docker run -it --rm \
    -p 8443:443/tcp -p 8443:443/udp \
    -v ~/Downloads/nginx/nginx/conf.d:/etc/nginx/conf.d \
    -v ~/Downloads/nginx/nginx/ssl:/etc/nginx/ssl \
    macbre/nginx-http3
- Here's the dnslookup output:

VERIFY=0 dnslookup example.org h3://localhost:8443/dns-query
dnslookup 1.9.2
TLS verification has been disabled
dnslookup result (elapsed 302.249125ms):
;; opcode: QUERY, status: NOERROR, id: 39506
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.org.	IN	 A

;; ANSWER SECTION:
example.org.	3295	IN	A	93.184.216.34