HTTP/3 (QUIC) Support
Starting with Debian 13 (Trixie), the system OpenSSL package includes native QUIC support. This allows NGINX to be built with the HTTP/3 module without requiring custom SSL libraries such as QuicTLS or BoringSSL.
The nginx package from this repository uses automatic HTTP/3 detection at build time based on the system OpenSSL headers.
Where HTTP/3 is enabled
As of the latest builds (verified with debbuilder and container tests), HTTP/3 availability by distro looks like this:
| Distro | System OpenSSL version | QUIC in OpenSSL? | NGINX built with --with-http_v3_module? |
HTTP/3 support | Why |
|---|---|---|---|---|---|
| Debian 13 (Trixie) | OpenSSL 3.5.4 30 Sep 2025 |
Yes (QUIC APIs present) | Yes | Enabled | OpenSSL ≥ 3.2 with QUIC; debian/detect-http3.sh returns --with-http_v3_module, and runtime tests with curl --http3 succeed. |
| Debian 12 (Bookworm) | OpenSSL 3.0.17 1 Jul 2025 |
No (no QUIC support) | No | Disabled | OpenSSL is 3.0.x without QUIC; the detector does not enable HTTP/3, so we build without --with-http_v3_module. |
| Ubuntu 24.04 (Noble) | OpenSSL 3.0.13 30 Jan 2024 |
No (no QUIC support) | No | Disabled | OpenSSL 3.0.x, but lacks QUIC APIs; detector keeps HTTP/3 off. |
| Ubuntu 22.04 (Jammy) | OpenSSL 3.0.2 15 Mar 2022 |
No (no QUIC support) | No | Disabled | Same as above: OpenSSL 3.0.x without QUIC, so HTTP/3 is not compiled in. |
| Ubuntu 20.04 (Focal) | OpenSSL 1.1.1f 31 Mar 2020 |
No (too old, no QUIC) | No | Disabled | OpenSSL 1.1.1 has no QUIC at all; detector clearly leaves HTTP/3 off. |
Verifying HTTP/3 support
After installing nginx, you can check whether HTTP/3 support is compiled in:
nginx -V
Look for the --with-http_v3_module flag in the configure arguments line. If present, the binary has HTTP/3 support.
Minimal HTTP/3 configuration
To enable HTTP/3, configure a server block to listen on port 443 for QUIC (UDP) and standard HTTPS (TCP). Ensure your firewall allows UDP 443 as well as TCP.
events {
worker_connections 1024;
}
http {
access_log off;
server {
# Enable HTTP/3 (QUIC) on UDP port 443
listen 443 quic reuseport;
# Enable standard HTTPS on TCP port 443 (fallback)
listen 443 ssl;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# TLSv1.3 is required for QUIC
ssl_protocols TLSv1.3;
# Advertise HTTP/3 support to clients via Alt-Svc header
location / {
add_header Alt-Svc 'h3=":443"; ma=86400';
return 200 'HTTP/3 works!';
}
}
}
Key directives
listen 443 quic reuseport;: Enables QUIC (UDP) listener.reuseportis recommended with multiple workers.ssl_protocols TLSv1.3;: QUIC requires TLS 1.3.add_header Alt-Svc ...: Advertises HTTP/3 support to clients.
Testing HTTP/3
Using curl
Use a modern curl with HTTP/3 support (for example, from Debian 13):
curl -v --http3 https://your-server.example
You should see a line similar to:
* using HTTP/3
Using a browser
Most current browsers (Chrome, Firefox, Edge) support HTTP/3. In the developer tools Network tab, the protocol column should show h3 for requests served over HTTP/3.
Firewall and container considerations
Because HTTP/3 uses UDP 443, your firewall must allow both TCP and UDP on that port:
- Debian (nftables) – minimal example:
sudo apt-get install nftables
sudo systemctl enable --now nftables
sudo tee /etc/nftables.conf >/dev/null << 'EOF'
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif lo accept # loopback
ct state established,related accept # existing connections
tcp dport 22 accept # SSH (optional)
tcp dport { 80, 443 } accept # HTTP / HTTPS
udp dport 443 accept # HTTP/3 (QUIC)
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
}
}
EOF
sudo nft -f /etc/nftables.conf
- Ubuntu (ufw) – using the packaged application profile (preferred):
# After installing the nginx package from this repository
sudo ufw allow "Nginx QUIC"
sudo ufw reload
You can also open the ports explicitly if you prefer:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 443/udp
sudo ufw reload
If you run NGINX with HTTP/3 inside Docker, expose both protocols from the container:
docker run -p 443:443/tcp -p 443:443/udp your-nginx-http3-image
Combine this with the host firewall rules above to ensure HTTP/3 traffic reaches NGINX.