Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
litespeed_wiki:config:enable_quic [2019/01/09 21:05]
Lisa Clarke [Possibly Google Chrome has not enabled QUIC by default]
litespeed_wiki:config:enable_quic [2019/03/26 20:13] (current)
Jackson Zhang [cPanel]
Line 11: Line 11:
  
  
-===== How to Open UDP Port 433 at the Firewall =====+===== How to Open UDP Port 443 at the Firewall =====
 [[https://​en.wikipedia.org/​wiki/​QUIC|QUIC]] runs a stream-multiplexing protocol over Transport Layer Security (TLS) on top of UDP instead of TCP. Be sure you've enabled the port with both TCP //and// UDP. Most of the time, TCP 443 is enabled. [[https://​en.wikipedia.org/​wiki/​QUIC|QUIC]] runs a stream-multiplexing protocol over Transport Layer Security (TLS) on top of UDP instead of TCP. Be sure you've enabled the port with both TCP //and// UDP. Most of the time, TCP 443 is enabled.
  
Line 27: Line 27:
  
 If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. ​ If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. ​
-{{ :​litespeed_wiki:​config:​udp-443-csf-quic.png?​400 |}}+ConfigServer Security & Firewall -> csf - ConfigServer Firewall -> Firewall Configuration -> IPv4 Port Settings -> UDP_IN and UDP_OUT should enable ''​443''​. 
 + 
 +{ :​litespeed_wiki:​config:​udp-443-csf-quic.png?​400 |}} 
 + 
 +Also make sure that ''​UDPFLOOD''​ is set to Off ''​0''​. 
  
 ==== Plesk ==== ==== Plesk ====
Line 90: Line 95:
 ==== Possibly Google Chrome has not enabled QUIC by default ==== ==== Possibly Google Chrome has not enabled QUIC by default ====
 At some point we noticed that Google Chrome decided to temporarily disable QUIC by default. Some users explicitly have to enable QUIC under ''<​nowiki>​chrome://​flags</​nowiki>''​. This may not be the case for you, but it's a good idea to check whether QUIC is enabled in Chrome. At some point we noticed that Google Chrome decided to temporarily disable QUIC by default. Some users explicitly have to enable QUIC under ''<​nowiki>​chrome://​flags</​nowiki>''​. This may not be the case for you, but it's a good idea to check whether QUIC is enabled in Chrome.
 +
 +==== Possibly bad cached SSL certificates ====
 +Sometimes, especially when the site in question has encountered an SSL/TLS error before, Chrome will save the certificate in cache and cause QUIC to be unable to establish a connection. In this case, it can simply be fixed by clearing the browser cache.
 +
 +==== UDP rate limiting option in CSF should be disabled ====
 +If CSF used,  UDP rate limiting option is normally disabled by default. You should see ''​UDPFLOOD = "​0"''​. However, if you have enabled it somehow, please disable it before running any QUIC checker, such as http3check.net .
 +  # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
 +  # These typically originate from exploit scripts uploaded through vulnerable
 +  # web scripts. Care should be taken on servers that use services that utilise
 +  # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
 +  # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
 +  #
 +  # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
 +  UDPFLOOD = "​0"​
 +  UDPFLOOD_LIMIT = "​100/​s"​
 +  UDPFLOOD_BURST = "​500"​
 +  # This is a list of usernames that should not be rate limited, such as "​named"​
 +  # to prevent bind traffic from being limited.
 +  #
 +  # Note: root (UID:0) is always allowed
 +  UDPFLOOD_ALLOWUSER = "​named"​
 +
 +==== LF_SPI needs to be turned off when CSF used ====
 +''​LF_SPI''​ in CSF should be turned off (set  ''​LF_SPI''​ = ''​0''​).
 +
 +According to CFS, ''​LF_SPI''​ option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default (which means ''​LF_SPI''​ = ''​1''​ by default). If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost.
 +
 +{{ :​litespeed_wiki:​config:​litespeeed-quic-disable-spi-in-csf.png?​800 |}}
  • Admin
  • Last modified: 2019/01/09 21:05
  • by Lisa Clarke