1.9.2 compatibility issues with nginx HTTP/3 #56

Open
ZeroClover opened this issue Sep 7, 2023 · 2 comments
Comments

@ZeroClover

Because I don't want to use the default path /dns-query, I run AGH (AdGuard Home) behind nginx so that I can modify the path.

Here is my nginx configuration snippet:
upstream agh {
    server 127.0.0.1:12345;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl reuseport;
    listen [::]:443 ssl reuseport;
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http2 on;

    server_name dns.domain.tld;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    ...

    location /mypath {
        proxy_pass https://agh/dns-query;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Accept-Encoding '';
        proxy_redirect   off;
        proxy_buffering off;
    }

nginx version:

nginx -V
nginx version: nginx/1.25.2
built with OpenSSL 3.1.2+quic 1 Aug 2023

There are no issues when using dnslookup 1.9.1, but when using 1.9.2, queries cannot be completed:

dnslookup google.com h3://dns.domain.tld/mypath
dnslookup v1.9.2
2023/09/08 04:08:04 [fatal] Cannot make the DNS request: requesting https:///dns.domain.tld:443/mypath: Get_0rtt "https:///dns.domain.tld:443/mypath?dns=AAABAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

But there is no issue in other DoH clients that support HTTP/3 (including AGH itself).

I'm not quite sure what caused the problem. If you could take the time to check this issue, I would be very grateful.
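The `dns=` parameter in the failing request above is the RFC 8484 GET encoding of the DNS query (base64url with padding stripped). As an added example, not code from the issue, dnslookup or dnsproxy, this Python decodes that value, parses the header and question it carries, and rebuilds the identical URL parameter from a name and record type; `DNS_PARAM` is copied from the error message and `RR_TYPES` is a small display table, both constructed here.

```python
import base64
import struct

# Constructed from the issue text: the "dns=" query parameter of the failing
# h3 GET request (RFC 8484 base64url, padding stripped).
DNS_PARAM = "AAABAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ"
RR_TYPES = {1: "A", 28: "AAAA", 5: "CNAME", 16: "TXT"}


def decode_dns_param(value: str) -> bytes:
    """RFC 8484 GET parameter -> DNS wire message (re-add the stripped '=' padding)."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def encode_dns_param(msg: bytes) -> str:
    """DNS wire message -> RFC 8484 GET parameter (base64url, no padding)."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a single-question query. The ID is 0, as RFC 8484 recommends for GET,
    so identical questions map to identical URLs and HTTP caches can reuse them."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)  # flags: RD only, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN


def parse_query(msg: bytes) -> dict:
    """Parse the 12-byte header and the single question section."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    labels, pos = [], 12
    while msg[pos] != 0:                       # question names are never compressed
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!2H", msg[pos + 1:pos + 5])
    return {"id": msg_id, "recursion_desired": bool(flags & 0x0100),
            "qname": ".".join(labels) + ".", "qtype": RR_TYPES.get(qtype, qtype),
            "qclass": "IN" if qclass == 1 else qclass}


if __name__ == "__main__":
    print(parse_query(decode_dns_param(DNS_PARAM)))
    # Round trip: rebuilding the same question yields the same URL parameter.
    print(encode_dns_param(build_query("google.com")) == DNS_PARAM)
```

The decoded query is a plain `google.com. IN A` with ID 0 and only RD set, so the request itself is well formed; the failure reported above lies in the transport, not in the encoded question.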

@ameshkov
Owner

Hmm, the only relevant change was the quic-go update. Let me move it to the dnsproxy repo, as the DNS upstreams implementation comes from that library.

@ameshkov
Owner

Hm, I tried reproducing it and couldn't.

Here is what I did.

  1. This is the configuration that I used:

    Nginx configuration
    upstream dns_google {
        server dns.google:443;
    }
    
    server {
        # quic and http/3
        listen 443 quic reuseport;
    
        # http/2 and http/1.1
        listen 443 ssl reuseport;
        http2 on;
    
        server_name localhost;  # customize to match your domain
    
        # you need to mount these files when running this container
        ssl_certificate     /etc/nginx/ssl/certificate.crt;
        ssl_certificate_key /etc/nginx/ssl/certificate.key;
    
        # Enable all TLS versions (TLSv1.3 is required for QUIC).
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    
        # 0-RTT QUIC connection resumption
        ssl_early_data on;
    
        # Add Alt-Svc header to negotiate HTTP/3.
        add_header alt-svc 'h3=":8443"; ma=2592000';
    
        # Sent when QUIC was used
        # add_header QUIC-Status $quic;
    
        location / {
            return 200 'hello';
            add_header Content-Type text/plain;
            add_header alt-svc 'h3=":8443"; ma=2592000';
        }
    
        location /dns-query {
            proxy_pass https://dns_google/dns-query;
            proxy_set_header Host dns.google;
            add_header alt-svc 'h3=":8443"; ma=2592000';
        }
    }
    
  2. Used a docker image to run it locally:

    docker run -it --rm \
        -p 8443:443/tcp -p 8443:443/udp \
        -v ~/Downloads/nginx/nginx/conf.d:/etc/nginx/conf.d \
        -v ~/Downloads/nginx/nginx/ssl:/etc/nginx/ssl \
        macbre/nginx-http3
    
  3. Here's the dnslookup output:

    VERIFY=0 dnslookup example.org h3://localhost:8443/dns-query
    dnslookup 1.9.2
    TLS verification has been disabled
    dnslookup result (elapsed 302.249125ms):
    ;; opcode: QUERY, status: NOERROR, id: 39506
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;example.org.	IN	 A
    
    ;; ANSWER SECTION:
    example.org.	3295	IN	A	93.184.216.34
    
