nixos/nginx: fix http3 configuration

2021-11-20 19:51:04 +03:00 · 2021-11-20 19:51:04 +03:00 · 660a36f173
commit 660a36f173
parent b1cdb609b0
1 changed files with 15 additions and 11 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -255,20 +255,19 @@ let
            else defaultListen;

        listenString = { addr, port, ssl, extraParameters ? [], ... }:
-          "listen ${addr}:${toString port} "
-          + optionalString ssl "ssl "
+          (if ssl && vhost.http3 then "
+          # UDP listener for **QUIC+HTTP/3
+          listen ${addr}:${toString port} http3 "
+          + optionalString vhost.default "default_server "
+          + ";" else "")
+          + "
+
+            listen ${addr}:${toString port} "
          + optionalString (ssl && vhost.http2) "http2 "
+          + optionalString ssl "ssl "
          + optionalString vhost.default "default_server "
          + optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
-          + ";"
-          + (if ssl && vhost.http3 then ''
-          # UDP listener for **QUIC+HTTP/3
-          listen ${addr}:${toString port} http3 reuseport;
-          # Advertise that HTTP/3 is available
-          add_header Alt-Svc 'h3=":443"';
-          # Sent when QUIC was used
-          add_header QUIC-Status $quic;
-          '' else "");
+          + ";";

        redirectListen = filter (x: !x.ssl) defaultListen;

@ -321,6 +320,11 @@ let
            ssl_conf_command Options KTLS;
          ''}

+          ${optionalString (hasSSL && vhost.http3) ''
+            # Advertise that HTTP/3 is available
+            add_header Alt-Svc 'h3=":443"; ma=86400' always;
+          ''}
+
          ${mkBasicAuth vhostName vhost}

          ${mkLocations vhost.locations}