Add global quic listen with reuseport for working QUIC responses.

roots · Aug 27, 2024 · 9c2cfbd · 9c2cfbd
1 parent fc4239e
commit 9c2cfbd
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
@@ -2,6 +2,8 @@
 # `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites
 # Define accompanying passwords/secrets in group_vars/production/vault.yml
 
+wordpress_default_site: example.com
+
 wordpress_sites:
   example.com:
     site_hosts:

diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml
@@ -4,6 +4,7 @@ nginx_ssl_path: "{{ nginx_path }}/ssl"
 
 nginx_sites_confs:
   - src: no-default.conf.j2
+  - src: http3-reuseport.conf.j2
   - src: ssl.no-default.conf.j2
     enabled: false
 

diff --git a/roles/wordpress-setup/templates/http3-reuseport.conf.j2 b/roles/wordpress-setup/templates/http3-reuseport.conf.j2
@@ -0,0 +1,23 @@
+# One global listen with reuseport is required for working QUIC+HTTP/3 responses
+{% if nginx_http3_enabled and sites_use_ssl and wordpress_default_site -%}
+server {
+  # Listen on UDP for QUIC+HTTP/3 globally with reuseport
+  listen [::]:443 quic default_server reuseport;
+  listen 443 quic default_server reuseport;
+
+  {% if wordpress_sites[wordpress_default_site].ssl.provider | default('manual') == 'manual' and wordpress_sites[wordpress_default_site].ssl.cert is defined and wordpress_sites[wordpress_default_site].ssl.key is defined -%}
+  ssl_certificate         {{ nginx_path }}/ssl/{{ wordpress_sites[wordpress_default_site].ssl.cert | basename }};
+  ssl_certificate_key     {{ nginx_path }}/ssl/{{ wordpress_sites[wordpress_default_site].ssl.key | basename }};
+
+  {% elif wordpress_sites[wordpress_default_site].ssl.provider | default('manual') == 'letsencrypt' -%}
+  ssl_certificate         {{ nginx_path }}/ssl/letsencrypt/{{ wordpress_default_site }}-bundled.cert;
+  ssl_certificate_key     {{ nginx_path }}/ssl/letsencrypt/{{ wordpress_default_site }}.key;
+
+  {% elif wordpress_sites[wordpress_default_site].ssl.provider | default('manual') == 'self-signed' -%}
+  ssl_certificate         {{ nginx_path }}/ssl/{{ wordpress_default_site }}.cert;
+  ssl_trusted_certificate {{ nginx_path }}/ssl/{{ wordpress_default_site }}.cert;
+  ssl_certificate_key     {{ nginx_path }}/ssl/{{ wordpress_default_site }}.key;
+
+  {% endif -%}
+}
+{% endif -%}