Bring QUIC Back

README.md

@@ -29,7 +29,6 @@ Currently available integrations at their respective support level:
 | **ngtcp2**         | [Github: oqs-demos/ngtcp2](ngtcp2)       | Dockerhub: [Server: openquantumsafe/ngtcp2-server](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-server), [Client: openquantumsafe/ngtcp2-client](https://hub.docker.com/repository/docker/openquantumsafe/ngtcp2-client)                       | unsupported
 | **OpenLiteSpeed**         | [Github: oqs-demos/openlitespeed](openlitespeed)       | [ Dockerhub: openquantumsafe/openlitespeed](https://hub.docker.com/repository/docker/openquantumsafe/openlitespeed)                       | unsupported
 | **h2load**         | [Github: oqs-demos/h2load](h2load)       | [ Dockerhub: openquantumsafe/h2load](https://hub.docker.com/repository/docker/openquantumsafe/h2load)                       | unsupported
-| **QUIC**         | [Github: oqs-demos/quic](quic)       | Dockerhub: [Server: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic), [Client: openquantumsafe/msquic](https://hub.docker.com/repository/docker/openquantumsafe/msquic-reach)                       | unsupported
 | **HAproxy**      | [Github: oqs-demos/haproxy](haproxy)   | [Dockerhub: openquantumsafe/haproxy](https://hub.docker.com/repository/docker/openquantumsafe/haproxy)                       | unsupported
 | **Mosquitto**         | [Github: oqs-demos/mosquitto](mosquitto)       | [Dockerhub: openquantumsafe/mosquitto](https://hub.docker.com/repository/docker/openquantumsafe/mosquitto)               | unsupported
 | **Envoy**         | [Github: oqs-demos/envoy](envoy)       | [ Dockerhub: openquantumsafe/envoy](https://hub.docker.com/repository/docker/openquantumsafe/envoy)                       | unsupported

nginx/Dockerfile-QUIC

@@ -0,0 +1,84 @@
+FROM ubuntu:latest AS build
+
+ARG NGINX_VERSION=1.26.1
+
+RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
+  apt install -y g++ make git libssl-dev libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \
+# liboqs deps
+  liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go" && apt install -y $liboqs_pkgs && \
+# Download liboqs
+  git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \
+# Download open-quantum-safe/boringssl
+  git clone --branch master --single-branch --depth 1 https://github.com/open-quantum-safe/boringssl.git && \
+# Build liboqs
+# https://github.com/open-quantum-safe/liboqs/blob/main/CONFIGURE.md#options-for-configuring-liboqs-builds
+  cd liboqs && mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=../../boringssl/oqs -DCMAKE_BUILD_TYPE=Release -DOQS_DIST_BUILD=ON -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \
+# build boringssl
+  cd ../../boringssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && \
+# prepare dir
+  cp -p ssl/libssl.so /usr/local/lib && cp -p crypto/libcrypto.so /usr/local/lib && cd ../.. && \
+# Download nginx
+  wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && \
+# build nginx
+  cd nginx-${NGINX_VERSION} && \
+  ./configure \
+  --prefix=/etc/nginx \
+  --sbin-path=/usr/sbin/nginx \
+  --modules-path=/usr/lib/nginx/modules \
+  --conf-path=/etc/nginx/nginx.conf \
+  --error-log-path=/var/log/nginx/error.log \
+  --http-log-path=/var/log/nginx/access.log \
+  --pid-path=/var/run/nginx.pid \
+  --lock-path=/var/run/nginx.lock \
+  --http-client-body-temp-path=/var/cache/nginx/client_temp \
+  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+  --user=nginx --group=nginx \
+  --with-http_v3_module \
+  --with-http_v2_module \
+  --with-http_ssl_module \
+  --with-http_realip_module \
+  --with-http_gzip_static_module \
+  --with-http_gunzip_module \
+  --with-http_slice_module \
+  --with-stream \
+  --with-stream_ssl_module \
+  --with-stream_ssl_preread_module \
+  --with-stream_realip_module \
+  --with-compat \
+  --with-threads \
+  --with-http_mp4_module \
+  --with-file-aio \
+  --with-http_secure_link_module \
+  --with-http_stub_status_module \
+  --with-http_auth_request_module \
+  --with-http_dav_module \
+  --with-http_flv_module \
+  --with-cc=c++ \
+  --with-cc-opt="-I../boringssl/include -x c -Ofast" \
+  --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,/usr/local/lib" && \
+  make
+
+FROM ubuntu:latest
+ARG NGINX_VERSION=1.26.1
+COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx
+COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx
+COPY --from=build /usr/local/lib /usr/local/lib
+RUN set -x \
+    && apt update && apt upgrade -y && apt install --no-install-recommends --no-install-suggests -y adduser libpcre3 && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
+    && groupadd --system --gid 101 nginx \
+    && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+    && mkdir -p '/var/run' && mkdir -p '/var/cache/nginx' && mkdir -p '/var/log/nginx' \
+    && touch /var/log/nginx/access.log /var/log/nginx/error.log \
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
+
+EXPOSE 80
+EXPOSE 443
+EXPOSE 443/udp
+
+STOPSIGNAL SIGQUIT
+
+CMD ["nginx", "-g", "daemon off;"]

nginx/README-QUIC.md

@@ -0,0 +1,85 @@
+# NGINX with OQS-BoringSSL for QUIC
+
+This Docker setup provides an nginx instance configured to use OQS-BoringSSL, which supports QUIC with quantum-safe algorithms. For more information on the supported quantum-safe algorithms and how to enable additional algorithms, please refer to the following resources:
+
+- [Supported Algorithms](https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#supported-algorithms)
+- [Using LibOQS Algorithms Not in the Fork](https://github.com/open-quantum-safe/boringssl/wiki/Using-liboqs-algorithms-not-in-the-fork)
+
+## Setup Instructions
+
+### Step 1: Build the Docker Image
+
+Build the Docker image using the provided Dockerfile:
+
+```bash
+docker build -t nginx-quic -f Dockerfile-QUIC .
+```
+
+### Step 2: Run the Docker Image
+
+To run the image:
+
+- **Without Port Forwarding:**
+
+  ```bash
+  docker run -d --name nginx-quic-daemon nginx-quic
+  ```
+
+- **With Port Forwarding:**
+
+  ```bash
+  docker run -d -p 80:80 -p 443:443 -p 443:443/udp --name nginx-quic-daemon nginx-quic
+  ```
+
+### Step 3: Access the Container
+
+To access the container, use:
+
+```bash
+docker exec -it nginx-quic-daemon bash
+```
+
+Inside the container, nginx configuration files are located in `/etc/nginx`, and the nginx executable is at `/usr/sbin/nginx`.
+
+## Configure NGINX Server Block
+
+Make sure to update `server_name`, `ssl_certificate`, `ssl_certificate_key`, and `ssl_ecdh_curve` according to your specific needs and configuration.
+
+```
+    server {
+        listen 443 ssl;
+        listen 443 quic reuseport;
+        listen [::]:443 ssl;
+        listen [::]:443 quic reuseport;
+
+        http2 on;
+        http3 on;
+        ssl_early_data on;
+        quic_retry on;
+        add_header Alt-Svc 'h3=":443"; ma=86400';
+
+        server_name EXAMPLE.COM;
+        ssl_certificate		/PATH/TO/SSL/CERT.PEM;
+        ssl_certificate_key	/PATH/TO/SSL/KEY.PEM;
+
+        # Select a subset of supported key exchange algorithms from
+        # https://github.com/open-quantum-safe/boringssl?tab=readme-ov-file#key-exchange
+        ssl_ecdh_curve 'mlkem1024:bikel3:hqc192:x25519_frodo640shake';
+
+        location / {
+            root   html;
+            index  index.html index.htm;
+        }
+
+        # OPTIONAL SSL CONFIGURATION
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_tickets off;
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers off;
+        add_header Strict-Transport-Security "max-age=63072000" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+    }
+```

nginx/README.md

@@ -1,6 +1,6 @@
 ## Purpose 
 
-This directory contains a Dockerfile that builds nginx using OpenSSL3 with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows nginx to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3.
+This directory contains a Dockerfile that builds nginx using OpenSSL3 with the [OQS provider](https://github.com/open-quantum-safe/oqs-provider), which allows nginx to negotiate quantum-safe keys and use quantum-safe authentication in TLS 1.3. For instructions on setting up and using nginx with HTTP/3 QUIC support, please refer to the [NGINX QUIC README](https://github.com/open-quantum-safe/oqs-demos/blob/main/nginx/README-QUIC.md).
 
 ## Getting started