HTTPv3 and QUIC related changes #353
My main concern at the moment is that 'quic' requires a specific TLS version and SSL certs configured. And I don't check for sanity there, letting nginx fail the configuration test. Not sure if this is the right approach.
We could check if the user is running a supported *ssl library version by checking if http3 is enabled via the dictionary and if so, checking for various *ssl libraries (see https://github.com/nginxinc/ansible-role-nginx-config/blob/main/tasks/config/template-config.yml#L46-L57 for an example on how to check for specific dictionary keys). Providing a host key does not seem to be a hard requirement -- if I understand the docs correctly,
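The sanity check discussed above, sketched as an added example (not code from this PR or from the role): a pre-flight pass over the rendered configuration that flags servers with a `listen ... quic` socket but no certificate, no key, or an `ssl_protocols` list without TLSv1.3. It inspects the rendered file rather than the role's dictionary, whose SSL keys are not shown on this page; the sample config and the function name `quic_prereq_errors` are constructed for illustration.

```python
import re

# Constructed sample of a rendered config (not output of the role).
SAMPLE = """
http {
    ssl_protocols TLSv1.2;
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
        ssl_certificate /etc/ssl/a.crt;
        ssl_certificate_key /etc/ssl/a.key;
    }
    server {
        listen 8443 quic;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
"""

def quic_prereq_errors(conf):
    """List servers that listen on QUIC but lack a cert, a key or TLSv1.3."""
    # Naive tokenizer: assumes no ';', '{', '}' or '#' inside quoted values.
    tokens = re.findall(r"[^;{}]+|[;{}]", re.sub(r"#[^\n]*", "", conf))
    stack, errors, pending, servers = [("main", {})], [], [], 0
    for tok in tokens:
        if tok == "{":
            stack.append((pending[0] if pending else "", {}))
        elif tok == ";" and pending:
            stack[-1][1].setdefault(pending[0], []).append(pending[1:])
        elif tok == "}":
            name, own = stack.pop()
            if name == "server":
                servers += 1
                # Directives inherit from enclosing blocks (http, main).
                scopes = [own] + [d for _, d in reversed(stack)]
                find = lambda key: next((s[key] for s in scopes if key in s), None)
                if any("quic" in args[1:] for args in own.get("listen", [])):
                    for key in ("ssl_certificate", "ssl_certificate_key"):
                        if find(key) is None:
                            errors.append(f"server {servers}: quic listener without {key}")
                    protos = find("ssl_protocols")
                    # Unset is fine: TLSv1.3 is in the default set of QUIC-capable nginx.
                    if protos is not None and "TLSv1.3" not in protos[-1]:
                        errors.append(f"server {servers}: ssl_protocols lacks TLSv1.3")
        pending = [] if tok in ";{}" else tok.split()
    return errors

if __name__ == "__main__":
    for line in quic_prereq_errors(SAMPLE):
        print(line)
```

Run against the file the role renders, before `nginx -t`, this gives a per-server message instead of a single configuration test failure.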
templates/core.j2
Outdated
{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %} | ||
quic_bpf {{ main['quic']['bpf'] | ternary('on', 'off') }}; | ||
{% endif %} |
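Review bot: The `is boolean` test on `main['quic']['bpf']` means a non-boolean value (for example the string "on") renders no `quic_bpf` line at all, so a mistyped variable is silently ignored instead of being reported. Consider failing the play when the key is defined but not a boolean, or at least documenting that only true/false are accepted.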
As convenient as it is, this really should be included in the http3/quic template. Directives in this template belong exclusively to the ngx_core_module.
Instead, I would tweak the nginx.conf.j2 template to something along the lines of
{% if nginx_config_main_template['config']['main'] is defined %}
{% from 'core.j2' import main with context %}
{{ main(nginx_config_main_template['config']['main']) }}
{%- endif %}
{% if nginx_config_main_template['config']['main']['quic'] is defined %}
{% from 'http/modules.j2' import main with context %}
...
{%- endif %}
And we can then use scopes (!) to make sure that only the quic_bpf parameter/directive can be used here.
well, IMO, bpf settings should be moved to core module in nginx as well. But I get the point. I'll move it out.
templates/http/modules.j2
Outdated
{# NGINX HTTP v3 -- ngx_http_v3_module #} | ||
{% macro http3(http3) %} | ||
{% if http3['enabled'] is defined and http3['enabled'] is boolean %} | ||
http3 {{ http3['enabled'] | ternary('on', 'off') }}; | ||
{% endif %} | ||
{% if http3['hq'] is defined and http3['hq'] is boolean %} | ||
http3_hq {{ http3['hq'] | ternary('on', 'off') }}; | ||
{% endif %} | ||
{% if http3['max_concurrent_streams'] is defined and http3['max_concurrent_streams'] is number %} | ||
http3_max_concurrent_streams {{ http3['max_concurrent_streams'] }}; | ||
{% endif %} | ||
{% if http3['stream_buffer_size'] is defined %} | ||
http3_stream_buffer_size {{ http3['stream_buffer_size'] }}; | ||
{% endif %} | ||
|
||
{% endmacro %} | ||
|
||
{# NGINX QUIC -- ngix_http_v3_module #} | ||
{% macro quic(quic) %} | ||
{% if quic['active_connection_id_limit'] is defined and quic['active_connection_id_limit'] is number %} | ||
quic_active_connection_id_limit {{ quic['active_connection_id_limit'] }}; | ||
{% endif %} | ||
{% if quic['gso'] is defined and quic['gso'] is boolean %} | ||
quic_gso {{ quic['gso'] | ternary('on','off') }}; | ||
{% endif %} | ||
{% if quic['host_key'] is defined %} | ||
quic_host_key {{ quic['host_key'] }}; | ||
{% endif %} | ||
{% if quic['retry'] is defined and quic['retry'] is boolean %} | ||
quic_retry {{ quic['retry'] | ternary('on','off') }}; | ||
{% endif %} | ||
{% endmacro %} |
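Review bot: `http3_stream_buffer_size` and `quic_host_key` are rendered with only an `is defined` guard, unlike the neighbouring directives that also test `is number` or `is boolean`, so an empty or wrongly typed value goes straight into the generated config. Add a type test to both (for example `is string` on `quic['host_key']`). The blank template lines before the first `{% endmacro %}` can also be dropped.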
I would ideally have these two within the same macro block since they are both part of the same module. I don't know what the best way to do that would be, but maybe we could do something where the resulting dictionary would be:
httpv3:
  http3:
    hq: false
    max_concurrent_streams: 100
  quic:
    bpf: false
    gso: false
or:
http3:
  hq: false
  max_concurrent_streams: 100
  quic:
    bpf: false
    gso: false
It feels like keeping quic and http3 configuration separate is a sensible thing to do. Even if they are listed on a single page in the manual.
In nginx, quic related code is in event/quic and http3 is in http/v3. So it's not quite the same module. It's just a convenient way of representing it for now.
If anything other than http3 will start using quic - it will appear as a separate module with the same options and we'll reuse this template.
And the manual is written the way it is, because in C code this is not a problem: quic is already a separate entity and if quic moves into a separate module no configuration will have to be changed.
Hope this makes sense.
It does!
improve readability Co-authored-by: Alessandro Fael Garcia <alessfg@hotmail.com>
templates/http/modules.j2
Outdated
|
||
{% endmacro %} | ||
|
||
{# NGINX QUIC -- ngix_http_v3_module #} |
{# NGINX QUIC -- ngix_http_v3_module #} | |
{# NGINX QUIC -- ngx_http_quic_module #}{# This module is not "documented" but it does exist internally #} |
templates/core.j2
Outdated
@@ -83,6 +83,9 @@ timer_resolution {{ main['timer_resolution'] }}; | |||
{% if main['working_directory'] is defined %} | |||
working_directory {{ main['working_directory'] }}; | |||
{% endif %} | |||
{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %} |
{% if main['quic'] is defined and main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %} | |
{% if main['quic']['bpf'] is defined and main['quic']['bpf'] is boolean %}{# ngx_http_quic_module #}{# This does not belong here but we are making an exception #} |
We can simplify this a little bit I think
Made a few extra suggestions :)
Co-authored-by: Alessandro Fael Garcia <alessfg@hotmail.com>
One final ask, can you please update the CHANGELOG?
Proposed changes
Add quic and http3 capabilities to the role