nginx: http2 configuration deprecation notice

[strarsis]

Summary

After updating the Ubuntu LTS packages I noticed a nginx notice during reload:
http2" directive is deprecated, use the "http2" directive instead

The current nginx site configuration use the old, deprecated directive for enabling http2:

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;

Instead of using http2 in the listen directive, the http2 directive (http2 on) should be used instead:

server {
  listen [::]:443 ssl;
  listen 443 ssl;
  http2 on;

Additional context

Blog post about the deprecation

[swalkinshaw]

The directive was added in 1.25.1 which was released a year ago. But because we use the PPA it should be fine?

[swalkinshaw]

@strarsis want to do the PR?

[strarsis]

@swalkinshaw: Sure! The addition could require a check whether SSL/TLS is enabled, as nginx appears to need TLS/SSL for HTTP1.1 support when HTTP2 is enabled, the corresponding ticket was closed though: https://trac.nginx.org/nginx/ticket/808 (by https://trac.nginx.org/nginx/ticket/816).

So should http2 on only be added when ssl_enabled is enabled, which would reflect the current behavior - or is http2 to be enabled independently?

[retlehs]

h5bp/server-configs-nginx#335

[strarsis]

PR ready: #1529

@retlehs: Indeed, it appears that http3 can be just enabled out of the box for that nginx package.
As some may still be hesitant to enabling HTTP 3 support in nginx, the
option for HTTP 3 in that PR is turned off by default and can be turned on manually.

[swalkinshaw]

Closed by #1528

Thanks!

[strarsis]

🤔 Additionally to enabling HTTP/3 support in nginx, the firewall (besides a potential cloud/hardware firewall) also has to be configured to accept incoming UDP requests on port 443 for HTTP/3 (QUIC).
https://github.com/roots/trellis/blob/v1.22.1/group_vars/all/security.yml#L3

ferm_input_list:
[...]
  - type: dport_accept
    dport: [https]
    protocol: udp
    filename: nginx_accept_http3
[...]

Also HTTP/3/QUIC needs a service negotiation HTTP Header:
https://github.com/yurymuski/nginx-http3/blob/master/example.nginx.conf#L23

[swalkinshaw]

@strarsis want to add those as well? 😄 I think the ferm rule can just be added unconditionally since https already is

[strarsis]

@swalkinshaw:

can just be added unconditionally since https already is

(roles/ferm/tasks/main.yml)

For HTTPS:
(roles/ferm/defaults/main.yml):

sites_using_ssl: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled %}'{{ name }}',{% endfor %}]"

- name: allow inbound HTTPS
  set_fact:
    ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_https] }}"
  when: sites_using_ssl | count
  vars:
    ferm_dport_nginx_https:
      type: dport_accept
      dport: [https]
      filename: nginx_accept_https

For HTTP/3 (QUIC):

- name: allow port UDP/443 for HTTP/3 (QUIC) support
  set_fact:
    ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_http3] }}"
  when: nginx_http3_enabled and (sites_using_ssl | count)
  vars:
    ferm_dport_nginx_http3:
      type: dport_accept
      dport: ['443']
      protocol: udp
      filename: nginx_accept_http3

(The https part would be removed then).

Is the potentially improved security worth the added complexity?

[swalkinshaw]

That's not so bad I guess, good thinking. I'd be up for that 👍

[strarsis]

• Conditionally add HTTPS inbound allow firewall rule #1530
• Add HTTP/3 support #1531