nixos/h2o: enable HTTP/3 via QUIC (#388953)

Author: flokli

nixos/modules/services/web-servers/h2o/default.nix

@@ -221,10 +221,7 @@ let
                             headerSet ++ [ hsts ];
                       }
                     );
-              in
-              value.settings
-              // headerRecAttrs
-              // {
+
                 listen =
                   let
                     identity =
@@ -233,17 +230,27 @@ let
                         key-file = "${certs.${names.cert}.directory}/key.pem";
                         certificate-file = "${certs.${names.cert}.directory}/fullchain.pem";
                       };
+
+                    baseListen =
+                      {
+                        port = port.TLS;
+                        ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {
+                          inherit identity;
+                        };
+                      }
+                      // lib.optionalAttrs (value.host != null) {
+                        host = value.host;
+                      };
+
+                    # QUIC, if used, will duplicate the TLS over TCP directive, but
+                    # append some extra QUIC-related settings
+                    quicListen = lib.optional (value.tls.quic != null) (baseListen // { inherit (value.tls) quic; });
                   in
                   {
-                    port = port.TLS;
-                    ssl = (lib.recursiveUpdate tlsRecAttrs value.tls.extraSettings) // {
-                      inherit identity;
-                    };
-                  }
-                  // lib.optionalAttrs (value.host != null) {
-                    host = value.host;
+                    listen = [ baseListen ] ++ quicListen;
                   };
-              };
+              in
+              value.settings // headerRecAttrs // listen;
           };
     in
     # With a high likelihood of HTTP & ACME challenges being on the same port,
@@ -351,7 +358,7 @@ in
                 "hydra.example.com" = {
                   tls = {
                     policy = "force";
-                    indentity = [
+                    identity = [
                       {
                         key-file = "/path/to/key";
                         certificate-file = "/path/to/cert";

nixos/modules/services/web-servers/h2o/vhost-options.nix

@@ -152,6 +152,25 @@ in
                   '';
             };
             recommendations = tlsRecommendationsOption;
+            quic = mkOption {
+              type = types.nullOr types.attrs;
+              default = null;
+              description = ''
+                Enables HTTP/3 over QUIC on the UDP port for TLS. The attrset
+                provides fine-turning for QUIC behavior, but can be empty. See
+                <https://h2o.examp1e.net/configure/http3_directives.html#quic-attributes>.
+              '';
+              example =
+                literalExpression
+                  # nix
+                  ''
+                    {
+                      amp-limit = 2;
+                      handshake-timeout-rtt-multiplier = 300;
+                      retry = "ON";
+                    }
+                  '';
+            };
             extraSettings = mkOption {
               type = types.attrs;
               default = { };

nixos/tests/web-servers/h2o/basic.nix

@@ -43,6 +43,10 @@ in
     server =
       { pkgs, ... }:
       {
+        environment.systemPackages = [
+          pkgs.curlHTTP3
+        ];
+
         services.h2o = {
           enable = true;
           defaultHTTPListenPort = port.HTTP;
@@ -60,6 +64,9 @@ in
             "${domain.TLS}" = {
               tls = {
                 policy = "force";
+                quic = {
+                  retry = "ON";
+                };
                 identity = [
                   {
                     key-file = ../../common/acme/server/acme.test.key.pem;
@@ -99,18 +106,22 @@ in
         ];
 
         networking = {
-          firewall.allowedTCPPorts = with port; [
-            HTTP
-            TLS
-          ];
+          firewall = {
+            allowedTCPPorts = with port; [
+              HTTP
+              TLS
+            ];
+            allowedUDPPorts = with port; [
+              TLS
+            ];
+          };
           extraHosts = ''
             127.0.0.1 ${domain.HTTP}
             127.0.0.1 ${domain.TLS}
           '';
         };
       };
   };
-
   testScript =
     let
       portStrHTTP = builtins.toString port.HTTP;
@@ -122,23 +133,26 @@ in
       server.wait_for_open_port(${portStrHTTP})
       server.wait_for_open_port(${portStrTLS})
 
-      http_hello_world_body = server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")
-      assert "${sawatdi_chao_lok}" in http_hello_world_body
+      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body 'http://${domain.HTTP}:${portStrHTTP}/hello_world.txt'")
 
       tls_hello_world_head = server.succeed("curl -v --head --compressed --http2 --tlsv1.3 --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
       assert "http/2 200" in tls_hello_world_head
       assert "server: h2o" in tls_hello_world_head
       assert "content-type: text/x-rst" in tls_hello_world_head
 
-      tls_hello_world_body = server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
-      assert "${sawatdi_chao_lok}" in tls_hello_world_body
+      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http2 --tlsv1.3 --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
+
+      quic_hello_world_head = server.succeed("curl -v --head --compressed --http3-only --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'").lower()
+      assert "http/3 200" in quic_hello_world_head
+      assert "server: h2o" in quic_hello_world_head
+      assert "content-type: text/x-rst" in quic_hello_world_head
+
+      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --http3-only --compressed --fail-with-body 'https://${domain.TLS}:${portStrTLS}/hello_world.rst'")
 
-      tls_hello_world_head_redirected = server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${builtins.toString port.HTTP}/hello_world.rst'").lower()
-      assert "redirected" in tls_hello_world_head_redirected
+      assert "redirected" in server.succeed("curl -v --head --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'").lower()
 
       server.fail("curl --location --max-redirs 0 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
 
-      tls_hello_world_body_redirected = server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
-      assert "${sawatdi_chao_lok}" in tls_hello_world_body_redirected
+      assert "${sawatdi_chao_lok}" in server.succeed("curl -v --location --fail-with-body 'http://${domain.TLS}:${portStrHTTP}/hello_world.rst'")
     '';
 }

nixos/tests/web-servers/h2o/mruby.nix

@@ -58,10 +58,8 @@ in
       server.wait_for_unit("h2o.service")
       server.wait_for_open_port(${portStr})
 
-      hello_world = server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")
-      assert "${sawatdi_chao_lok}" in hello_world
+      assert "${sawatdi_chao_lok}" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/hello_world")
 
-      file_handler = server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")
-      assert "FILE_HANDLER" in file_handler
+      assert "FILE_HANDLER" in server.succeed("curl --fail-with-body http://${domain}:${portStr}/file_handler")
     '';
 }