HTTP3 QUIC With Myguard APT In ISPConfig3 Nginx Web Server

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Jul 10, 2026 at 9:54 AM.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am testing http3 quic in one of my ISPConfig3 nginx server using Myguard which is working good for quite some times now. I am sharing it but only play with this, if you know what you are doing, also where and when to do it.


    Firstly, follow the How to add the myguard APT repository for Debian and Ubuntu which is basically three main steps:

    1. Install its repository keyring.

    2. Add the repository source.

    3. Update your server and this will update everything related especially your web server to the latest needed to run http/3 quic.


    Secondly, open port 443 udp and / or other(s) that you need. UFW commands are as follows:
    Code:
    sudo ufw allow 443/udp
    sudo ufw allow 8080/udp
    sudo ufw allow 8081/udp

    Thirdly, update your vhost custom template to include the necessary lines:

    1. Accordingly, add below into /etc/nginx/sites-enabled/default
    Code:
            http2 on;
    
            listen 443 quic reuseport;
            listen [::]:443 quic reuseport;
            http3 on;
            quic_retry on;
            ssl_early_data on;
    
            ssl_protocols TLSv1.3 TLSv1.2;
            ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
            ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
            add_header Alt-Svc 'h3=":443"; ma=86400' always;
    

    2. Accordingly, add below into /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master. Note to resync for it to take effect to all sites.
    Code:
    <tmpl_if name='nginx_full_version' op='>' value='1.25.0' format='version'>
            http2 on;
    
            # HTTP/3 (QUIC)
            listen <tmpl_var name='https_port'> quic;
            listen [::]:<tmpl_var name='https_port'> quic;
            http3 on;
            quic_retry on;
            ssl_early_data on;
    </tmpl_if>
    <tmpl_if name='tls13_supported' op='==' value='y'>
            ssl_protocols TLSv1.3 TLSv1.2;
    <tmpl_else>
            ssl_protocols TLSv1.2;
    </tmpl_if>
            ssl_certificate <tmpl_var name='ssl_crt_file'>;
            ssl_certificate_key <tmpl_var name='ssl_key_file'>;
    </tmpl_if>
    
            add_header Alt-Svc 'h3=":<tmpl_var name='https_port'>"; ma=86400' always;
            server_name <tmpl_var name='domain'><tmpl_if name='alias'> <tmpl_var name='alias'></tmpl_if>;
    
    Code:
            location = /favicon.ico {
                log_not_found off;
                access_log off;
                expires max;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
                # ADDED: Prevents NGINX from dropping the HTTP/3 instruction on asset loads
                add_header Alt-Svc 'h3=":443"; ma=86400' always;
    
    Code:
            location /stats/ {
    <tmpl_if name='web_document_root_www_proxy'>            <tmpl_var name='web_document_root_www_proxy'></tmpl_if>
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file <tmpl_var name='stats_auth_passwd_file'>;
                add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;";
                # ADDED: Prevents NGINX from dropping the HTTP/3 instruction inside stats
                add_header Alt-Svc 'h3=":443"; ma=86400' always;
    
    Code:
                #fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_intercept_errors on;
                # ADDED: Critical security patch to prevent HTTP/3 0-RTT replay attacks in PHP
                fastcgi_param HTTP_EARLY_DATA $ssl_early_data;
    
    3. Accordingly, add below to /usr/local/ispconfig/server/conf-custom/install/nginx_apps.vhost.master
    Code:
            http2 on;
    
            # HTTP/3 (QUIC)
            listen {apps_vhost_ip}{apps_vhost_port} quic;
            listen [::]:{apps_vhost_port} quic;
            http3 on;
            quic_retry on;
            ssl_early_data on;
    
            {ssl_comment}ssl_protocols TLSv1.3 TLSv1.2;
            {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
            {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
            add_header Alt-Svc 'h3=":{apps_vhost_port}"; ma=86400' always;
    
    Code:
            # serve static files directly
            location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
                    access_log off;
                    log_not_found off;
                    expires max;
                    # ADDED: Keeps HTTP/3 advertisements active when assets load
                    add_header Alt-Svc 'h3=":8081"; ma=86400' always;
    
    Code:
            location ~ \.php$ {
               try_files $uri =404;
               include /etc/nginx/fastcgi_params;
    
               fastcgi_pass unix:{fpm_socket};
               fastcgi_index index.php;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               #fastcgi_param PATH_INFO $fastcgi_script_name;
               fastcgi_buffer_size 128k;
               fastcgi_buffers 256 4k;
               fastcgi_busy_buffers_size 256k;
               fastcgi_temp_file_write_size 256k;
    
               # ADDED: Security check for TLS 1.3 0-RTT handshakes
               fastcgi_param HTTP_EARLY_DATA $ssl_early_data;
    
    For all apps made available under apps.vhost e.g.:
    Code:
                            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                            fastcgi_buffer_size 128k;
                            fastcgi_buffers 256 4k;
                            fastcgi_busy_buffers_size 256k;
                            fastcgi_temp_file_write_size 256k;
                            fastcgi_read_timeout 1200;
                            # ADDED: Security protection for datamanager app scripts
                            fastcgi_param HTTP_EARLY_DATA $ssl_early_data;
    
    Code:
                    location ~ ^/datamanager/(.+\.php)$
                    location ~* ^/datamanager/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                            root /usr/share/;
                            access_log off;
                            log_not_found off;
                            expires max;
                            # ADDED: Preserve HTTP/3 mapping during asset loading
                            add_header Alt-Svc 'h3=":8081"; ma=86400' always;
    
    4. Accordingly, add below to /usr/local/ispconfig/server/conf-custom/install/nginx_ispconfig.vhost.master
    Code:
            http2 on;
    
            listen {vhost_port} quic;
            listen [::]:{vhost_port} quic;
            http3 on;
            quic_retry on;
            ssl_early_data on;
    
            {ssl_comment}ssl_protocols TLSv1.3 TLSv1.2;
            {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
            {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
            add_header Alt-Svc 'h3=":{vhost_port}"; ma=86400' always;
    
    Code:
            # serve static files directly
            location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
                    access_log off;
                    log_not_found off;
                    expires max;
                    # ADDED: Keeps HTTP/3 advertisements active when dashboard assets/themes load
                    add_header Alt-Svc 'h3=":8080"; ma=86400' always;
    
    Code:
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
               #fastcgi_param PATH_INFO $fastcgi_script_name;
               fastcgi_buffer_size 128k;
               fastcgi_buffers 256 4k;
               fastcgi_busy_buffers_size 256k;
               fastcgi_temp_file_write_size 256k;
               fastcgi_read_timeout 1200;
               fastcgi_param HTTP_PROXY "";
    
               # ADDED: Essential security check to protect panel mutations from replay attacks
               fastcgi_param HTTP_EARLY_DATA $ssl_early_data;
    

    Force update ISPConfig for it to take effect on panel at 8080 and other server apps at 8081.

    Because mine could be a little bit different, which I hope not so different, above is the idea implemented and succeeded. Good luck in trying, feel free to ask.
     
    Last edited: Jul 15, 2026 at 3:50 PM
    till likes this.
  2. concept21

    concept21 Active Member

    Oh! Very new!
    I have to wait for six more months and see who suffers and recovers first. :rolleyes:
     
    ahrasis likes this.
  3. remkoh

    remkoh Well-Known Member HowtoForge Supporter

    Very interesting :)
    I'm running haproxy well over 2 years in front of apache and nginx webservers in my lab to make http3/quic available for the outside world.
    And in my old lab OpenLiteSpeed is running for the same purpose.

    With this I should be able to create true http3/quic to the nginx webservers :cool:
    Haproxy won't be fased out though as it also takes care of HA to the webservers.
     
    ahrasis likes this.
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  5. concept21

    concept21 Active Member

    Shall we develop a HTTP/3 option for the coming ISPConifg 3.3 on Ubuntu 26.04 based on this subject?
    I will donate some money within my limitation, a very poor developer. :D
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I do not believe the default Nginx nor Apache2 package in the Ubuntu 26.04 repositories is built with http/3 quic support, so normally ISPConfig will not do it, as it does not natively support recompiling the web server, since it is designed to only install and manage the distribution-provided packages from the operating system's repositories.

    That said, I believe the given tips in the OP above already provided a practical workaround that should be compatible with ISPConfig 3.3 on its officially supported Debian and Ubuntu operating systems.
     
    concept21 and till like this.
  7. concept21

    concept21 Active Member

    So, how about the PHP variations support? Does the myguard APT repo also provide PHP version variations?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    PHP is not a part of Nginx, no need for them to provide any PHP packages. You just use the normal PHP packages from Ondrej.
     
    ahrasis likes this.
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    No. They do not, so as @till said, we will still be using the Ondrej Sury php repo as it won't be affected.

    Though I should note that other than nginx, angie, postfix, dovecot, rspamd, mariadb and openssh will also be updated by Myguard APT if we use its general repo.

    Add a single package only guide shows the exact repo to be added to get just nginx and its dependencies, for http/3 quic, but not others, so read carefully the said page before adding the repo.

    Best bet is only to add what is necessary for http/3 quic to work i.e. just nginx repo, otherwise, I am not sure what will happen to our ISPConfig 3.3 when others are also updated, as though I personally think it is safe, cutting edge version is normally not as stable as default that comes with the OS.
     
    Last edited: Jul 15, 2026 at 1:51 PM
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Added extra nginx code including additional security for all customized (conf-custom) files in the opening post.
     
    till likes this.

Share This Page