NGINX 1.23.1 QUIC with Brotli, TLS 1.3, OpenSSL 1.1.1q, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.23.1 mainline has been added to the EL7, EL8 and EL9 repositories. The brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules are added or built in. OpenSSL is built dynamically using OpenSSL+QUIC 1.1.1q.

TLS 1.3 final works with Google Chrome 70+ and Mozilla Firefox 63+.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --enable CodeIT-quic --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9:

The repos are modular now. To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module enable -y nginx:codeit-quic

We have built OpenSSL+QUIC 1.1.1 separately since v1.21.6, installing it to /lib64 with the .so.81.1.1 suffix to ensure it won’t interfere with your system libraries.

19 thoughts on “NGINX 1.23.1 QUIC with Brotli, TLS 1.3, OpenSSL 1.1.1q, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9”

  1. Hello,
    the latest version of nginx-1.23.1-1.codeit.el7.x86_64 from CodeIT-testing is not recognizing http3 directive.
    ….. nginx: [emerg] invalid parameter "http3" in /etc/nginx/conf.d/xxxxxx.conf:14
    I have downgraded back to nginx-1.23.0-2.codeit.el7.x86_64
    Can you check the case?

    regards
    Nikolay Kabaivanov

    1. Hello Nikolay,

      Sorry for the issue, all the fresh builds are deployed to the testing repo for testing purposes.
      I made a separate addon “quic” repository for NGINX EL7 with HTTP/3 support to avoid such problems in the future.
      Not all 1.23.1 features are merged in the “quic” branch at the moment, but anyway, please update the repo package to 1.1 and enable quic repo:
      yum upgrade -y codeit-repo-release
      yum-config-manager --enable CodeIT-quic --save
      yum-config-manager --disable CodeIT-testing --save

      Then retry the update from the “quic” repository.

  2. Hello, my server is AlmaLinux 8.6, and I installed nginx 1.23.1 quic. There is an error: the libbrotli dependency has a version problem. Please take a look, thanks.

    yum install nginx
    CodeIT repo 16 kB/s | 3.5 kB 00:00
    Dependencies resolved.
    =======================================================================================================
    Package Arch Version Repository Size
    =======================================================================================================
    Installing:
    nginx x86_64 1:1.23.1-1.module_codeit_quic.codeit.el8 CodeIT 965 k
    Installing dependencies:
    libbrotli x86_64 1.0.9-1.codeit.el7 CodeIT 311 k
    openssl-quic-libs x86_64 1.1.1q-1.codeit.el8 CodeIT 1.4 M

    Transaction Summary
    =======================================================================================================
    Install 3 Packages

    Total size: 2.7 M
    Installed size: 7.9 M
    Is this ok [y/N]: y
    Downloading Packages:
    [SKIPPED] libbrotli-1.0.9-1.codeit.el8.x86_64.rpm: Already downloaded
    [SKIPPED] nginx-1.23.1-1.module_codeit_quic.codeit.el8.x86_64.rpm: Already downloaded
    [SKIPPED] openssl-quic-libs-1.1.1q-1.codeit.el8.x86_64.rpm: Already downloaded
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    The downloaded packages were saved in cache until the next successful transaction.
    You can remove cached packages by executing 'yum clean packages'.
    Error: Transaction test error:
    file /usr/lib64/libbrotlicommon.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
    file /usr/lib64/libbrotlidec.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64
    file /usr/lib64/libbrotlienc.so.1 from install of libbrotli-1.0.9-1.codeit.el7.x86_64 conflicts with file from package brotli-1.0.6-3.el8.x86_64

      1. But your libbrotli and brotli are compiled for EL7, shouldn’t this be the correct corresponding version?

  3. Hi, Alexander.

    I am guessing this post includes OpenSSL1.1.1q for NGINX only. Or is it for Apache also?
    Will you be releasing OpenSSL1.1.1q for Apache?

    Thanks,
    Jonah

  4. Hi. I can’t seem to make http3 work. nginx is listening properly on UDP 443, but the Firefox browser is using http2 instead of http3. The error logs are not showing anything in debug mode.

    nginx x86_64 1:1.23.1-1.codeit.el7 CodeIT-quic 926 k
    nginx -V;
    nginx version: nginx/1.23.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
    built with OpenSSL 1.1.1o+quic 3 May 2022 (running with OpenSSL 1.1.1q+quic 5 Jul 2022)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_brotli --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_cache_purge-2.3 --add-module=/home/builder/rpmbuild/BUILD/nginx-1.23.1/ngx_http_geoip2_module-3.4 --with-http_v3_module --with-stream_quic_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'

    1. Hi,

      Please check if you have set up the headers like in the config example: the connection is established using H2 first by default, and only then switched to HTTP/3. Browsers save the last connection result and do not connect again after an unsuccessful attempt. Please also check the firewall. I always test using the nghttp2 client (we have builds of it also) with HTTP/3 support first, not a browser.

      1. Hi,
        I see the Alt-Svc and QUIC-Status header in the browser.
        Firewall is allowed. I’m going to check with nghttp2.

        1. It worked in Firefox 103.0.1 after I did a quick comparison of the Alt-Svc header.
          I was adding the headers like this below which used to work in nginx version 1.21.6:

          add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400';

          But now it works like this below (thanks to the default-ssl.conf.example) shipped with your package:

          add_header Alt-Svc 'h3=":443"';

          Great job!
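
Added example, not part of the comment thread or of the CodeIT package: a small Python check that parses an Alt-Svc value and reports whether it advertises the final `h3` token or only draft tokens such as `h3-29`, which is the difference the commenter found above. The function names are hypothetical, and the two sample strings are the header values from the thread retyped with straight quotes.

```python
import re
from urllib.parse import unquote

# Commas separate alternatives, except inside the quoted authority.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_ENTRY = re.compile(r'^([^=\s;]+)="([^"]*)"$')


def parse_alt_svc(value):
    """Parse an Alt-Svc field value (RFC 7838) into a list of alternatives."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for item in _COMMA.split(value):
        head, *params = [part.strip() for part in item.split(";")]
        match = _ENTRY.match(head)
        if not match:
            raise ValueError(f"malformed Alt-Svc alternative: {item!r}")
        alpn, authority = match.groups()
        parsed = dict(p.split("=", 1) for p in params if "=" in p)
        alternatives.append({
            "alpn": unquote(alpn),               # protocol-id is percent-encoded
            "authority": authority,
            "ma": int(parsed.get("ma", 86400)),  # RFC 7838 default: 24 hours
        })
    return alternatives


def h3_status(value):
    """Return 'final', 'draft-only' or 'none' for the HTTP/3 tokens offered."""
    alpns = {alt["alpn"] for alt in parse_alt_svc(value)}
    if "h3" in alpns:
        return "final"
    if any(re.fullmatch(r"h3-\d+", alpn) for alpn in alpns):
        return "draft-only"
    return "none"


# Header values from the thread, retyped with straight quotes.
DRAFT_ONLY = 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400'
FINAL = 'h3=":443"'

if __name__ == "__main__":
    for header in (DRAFT_ONLY, FINAL):
        print(h3_status(header), "<-", header)
```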

  5. Hi Alex,

    Not sure if this is AlmaLinux 9 ready? Info from my lab below.

    dnf install nginx
    Last metadata expiration check: 0:00:41 ago on Mon 05 Sep 2022 11:04:36 PM CST.
    Dependencies resolved.
    ==================================================================================================================================================================================================================
    Package Architecture Version Repository Size
    ==================================================================================================================================================================================================================
    Installing:
    nginx x86_64 1:1.23.1-2.module_codeit_quic.codeit.el9 CodeIT 1.0 M
    Installing dependencies:
    libmaxminddb x86_64 1.5.2-3.el9 appstream 33 k
    openssl-quic-libs x86_64 1.1.1q-1.codeit.el9 CodeIT 1.4 M

    Transaction Summary
    ==================================================================================================================================================================================================================
    Install 3 Packages

    Total download size: 2.5 M
    Installed size: 7.4 M
    Is this ok [y/N]:

      1. Hi Alex,

        I doubt that the packages & dependencies to be installed from my previous feedback are the correct ones. Could you verify that?

        1. Jeffrey,

          These packages have .el9 suffix and are perfectly correct for AlmaLinux 9.
          Note: you selected the NGINX QUIC branch package, which is an experimental branch with no released versions. Anyway, it works fine in thousands of installations.
