traefik: v2.5.0-rc2 HTTP3 "QUIC is not supported"

Welcome!

  • Yes, I’ve searched similar issues on GitHub and didn’t find any.
  • Yes, I’ve searched similar issues on the Traefik community forum and didn’t find any.

What did you do?

Enable the experimental http3 on entryPoint 443 and use it on the http router.

What did you see instead?

I’m using https://http3check.net/ to check my website, but it shows me:

QUIC is not supported

HTTP/3 Check failed to establish a QUIC connection for all attempts made with the given endpoint. See the connection errors below for more information.

Attempted 4 connection(s).
Received packets for 4 connection(s).
Successful handshake for 2 connection(s).

I already checked the response header; it had Alt-Svc: h3-29=":443"; ma=2592000,h3-34=":443"; ma=2592000,h3-32=":443"; ma=2592000.

Besides enabling the experimental http3 in traefik.yml, should I do anything else?

What version of Traefik are you using?

v2.5.0-rc2

What is your environment & configuration?

traefik.yml

experimental:
  http3: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    enableHTTP3: true

api:
  dashboard: true

accessLog:
  fields:
    names:
      StartUTC: drop

providers:
  file:
    directory: /etc/traefik/dynamic_conf
    watch: true

dynamic_conf/main.yml

http:
  routers:
    www-http:
      entryPoints:
        - http
      rule: "Host(`ctf.example.com`)"
      middlewares:
        - redirect-to-https
      service: ctfd

    www-https:
      entryPoints:
        - https
      rule: "Host(`ctf.example.com`)"
      service: ctfd
      tls: {}

  services:
    ctfd:
      loadBalancer:
        servers:
          - url: "http://ctfd:8000/"

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

tls:
  certificates:
    - certFile: /ca/fullchain.pem
      keyFile: /ca/privkey.pem

If applicable, please paste the log output in DEBUG level

No response

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 12
  • Comments: 21 (1 by maintainers)

Most upvoted comments

I can confirm this.

Tested with curl -v https://http3check.net

The header for https://http3check.net has:

alt-svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

The header for my site with traefik 2.5.1 has: alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
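To put the Alt-Svc values quoted in this thread side by side, the following added example (not code from the issue, Traefik or quic-go) parses an Alt-Svc value and lists the HTTP/3 tokens it advertises. It splits outside double quotes because parameters such as v="43,46" contain commas; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// splitOutsideQuotes splits s on sep, ignoring separators inside double quotes.
func splitOutsideQuotes(s string, sep rune) []string {
	var parts []string
	start, inQuotes := 0, false
	for i, r := range s {
		if r == '"' {
			inQuotes = !inQuotes
		} else if r == sep && !inQuotes {
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// ParseAltSvc maps each protocol-id to its alt-authority; ma=, v= etc. are dropped.
func ParseAltSvc(header string) map[string]string {
	out := map[string]string{}
	for _, alt := range splitOutsideQuotes(header, ',') {
		first := strings.TrimSpace(splitOutsideQuotes(alt, ';')[0])
		kv := strings.SplitN(first, "=", 2)
		if len(kv) == 2 { // skips the special value "clear"
			out[kv[0]] = strings.Trim(kv[1], `"`)
		}
	}
	return out
}

// H3Tokens returns the sorted HTTP/3 tokens: the final "h3" and "h3-*" drafts.
func H3Tokens(header string) (tokens []string) {
	for proto := range ParseAltSvc(header) {
		if proto == "h3" || strings.HasPrefix(proto, "h3-") {
			tokens = append(tokens, proto)
		}
	}
	sort.Strings(tokens)
	return tokens
}

func main() {
	// Alt-Svc value quoted by the issue reporter above.
	fmt.Println(H3Tokens(`h3-29=":443"; ma=2592000,h3-34=":443"; ma=2592000,h3-32=":443"; ma=2592000`))
}
```

The port in each alt-authority is a UDP port for HTTP/3, so it has to be reachable over UDP as well as TCP.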

@mradalbert or even simpler 😃: I’ve just tested against a trivial Go server using quic-go, and I get results similar to what you all are observing.

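package main

import (
	"log"
	"net/http"

	"github.com/lucas-clemente/quic-go/http3"
)

type myhandler struct{}

// ServeHTTP answers every request with a fixed body.
func (mh myhandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("HELLO"))
}

func main() {
	http.Handle("/", myhandler{})
	// A nil handler makes quic-go serve http.DefaultServeMux.
	// ListenAndServe only returns on error, so log it instead of exiting silently.
	log.Fatal(http3.ListenAndServe(":443", "./cert.pem", "./key.pem", nil))
}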

FYI to all, to sum up:

  1. I’m not really worried about this being a traefik issue per se, since we completely rely on quic-go.
  2. quic-go thinks it’s just http3check.net being weird. And given that http3check is neither clear about what the problem is/are, nor do they have a public repo/bug tracker where we can give feedback, I’m inclined to rather give quic-go the benefit of the doubt for now.

200 OK over HTTP3 on all requests

@thematchless

But with my settings, http3 could work on ports besides 443.

This is an example from my site. I opened port 8443 to enable http3 and it worked perfectly. You can also check it yourself; my site is still online now.

I’ll provide some of my configs; maybe they can help you.

  • docker-compose.yml

    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
      - "8443:8443/tcp"
      - "8443:8443/udp"
    
  • traefik.yml

    entryPoints:
      http:
        address: ":80"
      https:
        address: ":443"
        enableHTTP3: true
      https2:
        address: ":8443"
        enableHTTP3: true
    
  • dynamic.yml

    http:
      routers:
        www-https:
          entryPoints:
            - https
            - https2
          rule: "Host(`ctf.nisra.net`)"
          service: ctfd
          tls: {}