linux

HTTP/3 integracija kroz Nginx/Ubuntu

QUIC Preuzeto sa https://github.com/quicwg

HTTP/3 Intro

HTTP/3 protokol je nastavak HTTP/2 a za razliku od njega koristi QUIC koji je baziran na UDP. Razlog koriscenja UDP jeste nisko kasnjenje, brzina isporuke dok kompletan HTTP protokol sa svim porukama, kodovima, standardom ostaje isti. Vazno je napomenuti da je QUIC "nastavak" na TLS 1.3 gdje ima lista prosirenja (npr ALPN i slicno) TLS protokola. Tako da je moguce koristiti na drugacije nacine TLS.

Brzina, benchmark i kasnjenje HTTP/3

Prema stranici , performanse su:

Connection Setup Time: HTTP/1 (50–120ms), HTTP/2 (40-100ms), HTTP/3 (20–50ms in low-latency networks)

File Download (1MB with 2% packet loss): HTTP/1 (1.8s), HTTP/3 (1.2s)

Page Load Latency (mobile 3G): HTTP/1 (600ms), HTTP/3 (300ms)

HTTP/2 unaprijedio web performanse sa omogucavanjem visestrukih zahtjeva i odgovora na jednoj konekciji, redukujuci kasnjenje. HTTP/3, baziran na QUIC, unapredjuje brzinu i smanjuje kasnjenje kroz zamjenu TCP sa UDP-baziranim-transportom, cineci ih eksponencijalno brzim, posebno za real-time aplikacije i mobilne uredjaje.

Prema testu sa stranice imamo performanse za poredjenje:

Ucitavanje tipicno E-commerce stranice (100 resursa):

HTTP/1.1: • Otvara 6–8 paralelnih konekcija • Sekvencijalno procesuiranje svake konekcije• Totalno vrijeme ucitavanja: ~8 sekundi

HTTP/2: • Jedna konekcija sa multipleksiranje • Kompresija headera i push sa servera • Totalno vrijeme ucitavanja: ~4 seconds

HTTP/3: • QUIC eliminise ostala uska grla • Bolje handlovanje izgubljenih paketa • Totalno vrijeme ucitavanja: ~3.2 seconds

Provjera browsera/web servera i instalacija HTTP/3 na Ubuntu 24.04/Nginx

Provjera Browsera

Jedan od prvih uslova jeste da nas browser podrzava HTTP/3 tako sto odemo na stranicu: https://quic.nginx.org/ ( lista browsera i verzija koji podrzavaju HTTP/3 )

Instalacija zadnje verzije nginx (1.29.0) na Ubuntu 24.04

U ovom dijelu cu zaobici podesavanja nginx konfiguracije, firewalla - vec cu direktno ici na podesavanja i instalaciju nginx.

Koraci za instalaciju zadnje verzije nginx na Ubuntu (preuzeto sa stranice):

sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg

Poslije zadnje komande se ocekuje output:


pub   rsa4096 2024-05-29 [SC]  8540A6F18833A80E9C1653A42FD21310B49F6B46
uid    nginx signing key 

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24] 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid    nginx signing key 

pub   rsa4096 2024-05-29 [SC]  9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
uid    nginx signing key

Dalji koraci (koristimo mainline repo, tj zadnju verziju nginx-a):


echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

U slucaju da zelimo stabilnu verziju, komanda umjesto gornje:


echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

Sljedeci korak:


echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

sudo apt update
sudo apt install nginx

Da provjerimo instalaciju:


nginx -v

output: nginx version: nginx/1.29.0

nginx -V
output: nginx version: nginx/1.29.0
built by gcc 13.3.0 (Ubuntu 13.3.0-6ubuntu2~24.04)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module ***--with-http_v3_module*** --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/home/builder/debuild/nginx-1.29.0/debian/debuild-base/nginx-1.29.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/home/builder/debuild/nginx-1.29.0/debian/debuild-base/nginx-1.29.0=/usr/src/nginx-1.29.0-1~noble -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Gdje se nalazi u zadnjem dijelu dio "--with-http_v3_module" koji nam omogucava HTTP/3.

Podesavanje nginx

Sljedeca podesavanja mozete naci na stranici: https://nginx.org/en/docs/quic.html

Da bi smo podesili nginx da radi, imamo dva dijela podesavanja. Prvi je nginx.conf a drugi je nas server/domena koji trebaju podesavanja.


Brisemo liniju(nove verzije ne koriste vise ovo): ssl on;

Dodajemo:

quic_retry on;

ssl_early_data on;

quic_gso on;



U dijelu:

server {

        listen 443 quic reuseport;

        listen 443 ssl;

      index index.php; #u slucaju da imamo ovo podeseno, podesiti PHP

       location / {

        add_header Alt-Svc 'h3=":443"; ma=86400';

       }

      location ~ \.php$ {

                add_header Alt-Svc 'h3=":443"; ma=86400';

      }

}

Poslije ovoga mozemo izvrsiti komandu nginx -t gdje bi trebalo da izadje:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Onda mozemo i systemctl restart nginx.

Gdje mozemo vidjeti na UDP portu:

netstat udp

Testiranje web servera

Testiranje web servera mozemo uraditi na (mozete izabrati neku drugu domenu, ova je podesena kao test): https://http3check.net/?host=https%3A%2F%2Fwww.vladimircicovic.com%2F test web servera

Sa Inspect(Chrome) mozemo na Networking vidjeti ucitavanje H3 tj HTTP/3: Inspect Chrome

Dodatne analize naseg TLS podesavanja, mozemo na: https://www.ssllabs.com/ssltest/analyze.html?d=www.vladimircicovic.com

SadServer Solutions - Melbourne

SadServer solution for https://sadservers.com/scenario/melbourne

Reviewing the code shows me that part Content-Length contains 0 size. So I set the proper size of the code (that is "Hello, World\n" size). And then "sudo systemctl restart gunicorn.service" and "sudo systemctl restart gunicorn.socket" The final code looks like this:

Proper code

Next issue is with Nginx - inside of "default" config we have file that ends with .socket, and in /run/gunicorn.sock - it use .sock Replace this and restart Nginx "sudo systemctl restart nginx"

Bad config

proper name for socket

Final test:

final test

SadServer Solutions - Oaxaca

SadServer - Oaxaca solution for https://sadservers.com/scenario/oaxaca

So, the process is started with the current bash - and it has FD (file descriptor) 77. In the picture, you can see "FD/77w". File descriptor usually usage is: 0 for stdin, 1 for stdout, 2 for stderr, and 255 for bash shell - it points to /dev/tty or /dev/pts/N - where is N number. The main process is bash shell and the subprocess is this FD/77 - so by killing the main process we are doomed to destroy our connections. if we run "lsof somefile" - it will show us our bash shell and under /proc/[PID of shell]/fd/77 we have a symbolic link to /home/admin/somefile.

to release the file descriptor we need to re-use the same number with the command: eval "exec 77>&-" close file descriptor

.bashrc contains the running command:

close file descriptor

symbolic link to file:

close file descriptor

SadServer Solutions - Venice

Unusual task with no points - are you in VM or Docker shell? Simple solution could be this:

docker vs vm

SadServer Solutions - Salta solution

SadServer Salt solution URL: https://sadservers.com/scenario/salta

After logging into a server - notice that port 8888 is used. Missing tool lsof, I install with "sudo apt install lsof" and review what process is using port 8888. Nginx was used so I stopped the process with "sudo systemctl stop nginx"

nginx using port 8888

Inside of Dockerfile - found missing proper port 8888 (it was written 8880) and for CMD there was "serve.js" instead of "server.js" - a local file in the same directory.

Dockerfile fix

When the fix was solved, the docker container is built with cmd: "sudo docker build -t sampleapp:v1 . "

Dockerfile build

running app with "sudo docker run -p 8888:8888 sampleapp:v1" and the task is done

Dockerfile run

SadServer Solutions - Cape Town

Solution for Cape Town task from URL: https://sadservers.com/scenario/capetown

After logging into the server, there is no working nginx.

nginx not working

Examine details on why nginx does not work show me the first line containing ";". So I removed ";" from the nginx file and nginx does not yet work.

first issue

After examining the error log - I was able to see and spot file limits.

second issue

After viewing /proc/[pid]/limits - I spot this (Max open files 10)

issue

I did check limits for user www-data, as well as other things (fs.file-max, others)

In the end - Maybe systemD has some limitations per process.

After reading the .service file from systemD

second issue

Add # on the start of the line, reload the system daemon, and restart nginx and it works!

For this task, it takes 30 min to solve

SadServer Solutions - Tokyio solution

The task was to find out how to run a web server on port 80 and to check if is working properly. URL: https://sadservers.com/scenario/tokyo

After checking logs (apache, systems, etc) and finally running iptables - saw HTTP blocked in iptables. So running iptables -F solve this issue (I also added a path for apache /var/www/html/ inside of apache.conf FYI) Tokyio solution

SadServer Solutions - Manhattan medium

SadServer Manhattan - medium, url: https://sadservers.com/scenario/manhattan My first medium task and solution. When I log in - running just


sudo systemctl restart postgresql@14-main.service

The issue is in these lines: "no space left on device" Postgress issue

After running df -h, notice 100% usage for /opt/pgdata/ Removing files that do not need it at all - solved this issue.

Postgres solution Solution

SadServer Solutions - Apia task

SadServer Apia task url: https://sadservers.com/scenario/apia

Simple file-level task. Using md5sum and diff only.

Compare all files, find unusual md5 hash: md5sum files

md5sum files

Use diff command, add word in solution, md5sum to check: final commands

SadServer Solutions - Biblao K8S task

SadServer task Bilbao url: https://sadservers.com/scenario/bilbao

After login and inspection of the issue, we get this picture:

Pod status

After googling I found an issue with nodeSelector - so I removed it from the manifest.yml file:

nodeSelector

Remove nodeSelector

After removing - it needs to delete all pods, re-run manifest, and check with curl: final Delete pods & run yaml file

Vladimir Cicovic Blog

Category: linux