Differences

This shows you the differences between two versions of the page.

--- litespeed_wiki:config:enable_quic [2018/02/16 23:02]
qtwrk [Firewall Configuration]
+++ litespeed_wiki:config:enable_quic [2020/12/14 04:05]
Eric Leu
@@ Line 1: / Line 1: @@
-====== How to enable QUIC on LiteSpeed Web Server ======
+====== How to Enable QUIC on LiteSpeed Web Server ======
+In most cases, it is easy to enable QUIC. Simply open UDP port 443, and QUIC is on by default.
 QUIC (or, Quick UDP Internet Connections) is an experimental protocol initially developed by Google in 2012, and announced publicly the following year. QUIC is a good choice for those looking to reduce connection-establishment time and improve congestion control. Since version 5.2, LiteSpeed provides the first production-grade mass-market QUIC implementation available for the public. If you want to serve your web content using the QUIC protocol, LiteSpeed is the solution.
-To enable QUIC, there is no configuration change required in LSWS. For control panel users, QUIC is turned on by default for Apache HTTPS vhosts. All that is required is to open UDP port 443.
+There is no configuration change required in LSWS. For control panel users, QUIC is turned on by default for Apache HTTPS vhosts. All that is required is to open UDP port 443.
 Required:
@@ Line 9: / Line 10: @@
   *  UDP port 443 open at the firewall
-===== Firewall Configuration =====
+===== How to Open UDP Port 443 at the Firewall =====
 [[https://en.wikipedia.org/wiki/QUIC|QUIC]] runs a stream-multiplexing protocol over Transport Layer Security (TLS) on top of UDP instead of TCP. Be sure you've enabled the port with both TCP //and// UDP. Most of the time, TCP 443 is enabled.
+You can quickly check to make sure it is listening by running
+<code>netstat -lupn | grep 443</code>
+  udp        0      0 127.0.0.1:443               0.0.0.0:*                               18918/litespeed (ls
+  udp        0      0 x.x.x.x:443           0.0.0.0:*                               18918/litespeed (ls
+  udp        0      0 :::443                      :::*                                    18918/litespeed (ls
 QUIC itself should auto listen on UDP port 443, but any firewall that is running must be configured so that port 443 is open.
 You will need to identify which firewall is running, such as firewalld, iptables, csf, or other external firewalls.
+==== cPanel ====
+If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level.
+ConfigServer Security & Firewall -> csf - ConfigServer Firewall -> Firewall Configuration -> IPv4 Port Settings -> UDP_IN and UDP_OUT should enable ''443''.
-For cPanel, if there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level.
 {{ :litespeed_wiki:config:udp-443-csf-quic.png?400 |}}
-For Plesk,  if firewall is activated, you need to enable UDP 443 manually.
+Also make sure that ''UDPFLOOD'' is set to Off ''0''.
+==== Plesk ====
+If a firewall is activated, you need to enable UDP 443 manually.
 {{ :litespeed_wiki:plesk:plesk-443-udp-4.png?direct&400 |}}
-For firewalld, you can enable it by following command:
+==== Firewalld ====
+Enable it with the following command:
 <code>firewall-cmd --zone=public --add-port=443/udp --permanent
 firewall-cmd --reload</code>
-For iptables, you can enable it by forllowing command:
+==== iptables ====
+Enable it with the following command:
 <code>iptables -I INPUT -p udp --dport 443 -j ACCEPT
@@ Line 34: / Line 52: @@
 /sbin/service iptables restart</code>
-You can quickly check to make sure it is listening by running
+===== How to Test UDP Incoming and Outgoing Connections =====
-<code>netstat -lupn | grep 443</code>
-  udp        0      0 127.0.0.1:443               0.0.0.0:*                               18918/litespeed (ls
-  udp        0      0 x.x.x.x:443           0.0.0.0:*                               18918/litespeed (ls
-  udp        0      0 :::443                      :::*                                    18918/litespeed (ls
-===== Test UDP Incoming and Outgoing Connection =====
 Although you have enabled UDP on 443 on your server, it may be blocked by the data center at the route/switch/firewall level. To verify this, you can run the following:
-==== Test incoming UDP from outside of your server ====
+==== Verify with NC command ====
+==== Test Incoming ====
 To test incoming UDP connections to your server, you can run the following command from somewhere else, such as your local VM, or your other test client machine, but not within your server to be tested:
   [root@OLS-PS-EL /]# nc -v -u your_server_ip 443
@@ Line 48: / Line 62: @@
   Ncat: Connected to your_server_ip:443
-==== test outgoing UDP connections ====
+==== Test Outgoing ====
 To test outgoing UDP connections on your server, you can run the following within your testing server:
@@ Line 55: / Line 69: @@
   Ncat: Connected to 74.125.24.104:443.
+==== Verify with TCPDUMP ====
+Sometimes that ''nc -vu'' command is not enough to verify UDP 443 port unless it will return some information back
+You can verify it with tcpdump, e.g.
+Run tcpdump on the website's server.
-===== How to verify QUIC is enabled =====
+  tcpdump -vv udp port 443 -X
+Run nc command from any client server.
+  nc -vu YOUR_DOMAIN 443
+and you should see some output on server if there's any UDP port 443 traffic in and out.
+===== How to Verify QUIC is Enabled =====
   * Check header: <code>alt-svc:quic=":443"; v="35,37", or "http/2+quic/37"</code>
   * Check quic connections: <code>chrome://net-internals/#quic</code>
   * There’s a Chrome extension which will allow you to see the protocols being used on any website. Install [[https://chrome.google.com/webstore/detail/http2-and-spdy-indicator/mpbpobfflnpcgagjijhmgnchggcjblin|HTTP/2 and SPDY indicator]], and you will see a lightning bolt in the Chrome toolbar. Blue indicates HTTP/2 is enabled. Green indicates HTTP/2 + QUIC. Hover over the lightning bolt to see a more detailed list of protocols in action. Tip: You should see the QUIC indicator on dynamic pages with a regular refresh. If not, press ''CTRL + SHIFT + R'' to request a fresh copy of the page. {{ :litespeed_wiki:config:quica.png | 600}}
-===== Understanding QUIC =====
+==== Checklist ====
+If QUIC is not working for you, keep these requirements in mind:
-==== Requirements ====
   * Must have QUIC enabled in GUI/conf
   * Must use either Chrome or Opera with QUIC enabled
   * Must **not** use self-signed certificates only trusted certificates will work
+  * Must setup [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:letsencrypt-ssl#setup_ssl_on_lsws | SSL Settings]] correclty
   * Must have UDP Port 443 open at firewall
   * QUIC will **not** work with a proxy front end like CloudFlare
   * QUIC will only apply to https, not http
   * QUIC can be enabled at the server level, listener level or virtual host level
+  * QUIC won't work with LSWS 5.2.8 anymore as Chrome only speaks "quic/43", while LSWS 5.2.8 only supports up to "quic/39"
+Looking to //disable// QUIC, or enable it at only the Virtual Host, or Listener Level? See [[litespeed_wiki:config:disable_quic|How to Disable QUIC on LiteSpeed Web Server]].
-==== Understanding the Priority of the Settings ====
+===== Troubleshooting =====
-QUIC can be enabled or disabled at three different levels. It's important to understand how these settings affect each other.\\
-If QUIC is not explicitly turned off at any level, then priority for enabling QUIC is given at the most specific level: Virtual Host, then Listener, then Server.\\
-If QUIC //is// explicity turned off at any level, then none of the more specific levels may turn it on. In other words, if QUIC is turned off at the Server level, then it cannot be turned on at the Listener level or at the Virtual Host level.
-Put another way:
+==== CloudFlare doesn't support QUIC yet ====
+Please keep in mind that CloudFlare doesn't support QUIC yet at the time of this writing. If you are behind CloudFlare, please disable it before testing/using QUIC.
-For a particular Virtual Host, QUIC will be ''ON'' if:
+==== Possibly Google Chrome has not enabled QUIC by default ====
-  * Virtual Host Level = ''ON'' or is not set AND
+At some point we noticed that Google Chrome decided to temporarily disable QUIC by default. Some users explicitly have to enable QUIC under ''<nowiki>chrome://flags</nowiki>''. This may not be the case for you, but it's a good idea to check whether QUIC is enabled in Chrome.
-  * Listener Level = ''ON'' or is not set AND
-  * Server Level = ''ON'' or is not set.
-For a particular Virtual Host, QUIC will be ''OFF'' if:
-  * Virtual Host Level = ''OFF'' OR
-  * Listener Level = ''OFF'' OR
-  * Server Level = ''OFF''.
-Here is an example setup:\\
+==== Possibly bad cached SSL certificates ====
-{{:litespeed_wiki:config:quic_settings.png|}}
+Sometimes, especially when the site in question has encountered an SSL/TLS error before, Chrome will save the certificate in cache and cause QUIC to be unable to establish a connection. In this case, it can simply be fixed by clearing the browser cache.
-==== QUIC Directives ====
+==== UDP rate limiting option in CSF should be disabled ====
-  * [[litespeed_wiki:config:enable_quic:apache_configuration_with_cpanel|through Apache configuration with cPanel]]
+If CSF used,  UDP rate limiting option is normally disabled by default. You should see ''UDPFLOOD = "0"''. However, if you have enabled it somehow, please disable it before running any QUIC checker, such as http3check.net .
-  * [[litespeed_wiki:config:enable_quic:apache_configuration_with_plesk|through Apache configuration with Plesk]]
+  # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
-  * [[litespeed_wiki:config:enable_quic:apache_configuration_with_direct_admin|through Apache configuration with Direct Admin]]
+  # These typically originate from exploit scripts uploaded through vulnerable
-  * [[litespeed_wiki:config:enable_quic:lsws_configuration|with LiteSpeed Web Server native configuration]]
+  # web scripts. Care should be taken on servers that use services that utilise
+  # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
+  # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
+  #
+  # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
+  UDPFLOOD = "0"
+  UDPFLOOD_LIMIT = "100/s"
+  UDPFLOOD_BURST = "500"
+  # This is a list of usernames that should not be rate limited, such as "named"
+  # to prevent bind traffic from being limited.
+  #
+  # Note: root (UID:0) is always allowed
+  UDPFLOOD_ALLOWUSER = "named"
+==== LF_SPI needs to be turned off when CSF used ====
+''LF_SPI'' in CSF should be turned off (set  ''LF_SPI'' = ''0'').
+According to CFS, ''LF_SPI'' option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default (which means ''LF_SPI'' = ''1'' by default). If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost.
+{{ :litespeed_wiki:config:litespeeed-quic-disable-spi-in-csf.png?800 |}}