Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:enable_quic [2018/08/22 13:14] Jackson Zhang [Checklist]
litespeed_wiki:config:enable_quic [2019/07/18 12:49] Eric Leu [cPanel]
Line 11: | Line 11: | ||
- | ===== How to Open UDP Port 433 at the Firewall ===== | + | ===== How to Open UDP Port 443 at the Firewall ===== |
[[https://en.wikipedia.org/wiki/QUIC|QUIC]] runs a stream-multiplexing protocol over Transport Layer Security (TLS) on top of UDP instead of TCP. Be sure you've enabled the port with both TCP //and// UDP. Most of the time, TCP 443 is enabled. | [[https://en.wikipedia.org/wiki/QUIC|QUIC]] runs a stream-multiplexing protocol over Transport Layer Security (TLS) on top of UDP instead of TCP. Be sure you've enabled the port with both TCP //and// UDP. Most of the time, TCP 443 is enabled. | ||
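Review bot: the heading correction from "UDP Port 433" to "UDP Port 443" is right and now agrees with the unchanged body text ("TCP 443") and the checklist bullet "Must have UDP Port 443 open at firewall"; since the old heading was the only place the wrong port appeared, no further change is needed in this hunk.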
Line 27: | Line 27: | ||
If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. | If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. | ||
+ | ConfigServer Security & Firewall -> csf - ConfigServer Firewall -> Firewall Configuration -> IPv4 Port Settings -> UDP_IN and UDP_OUT should enable ''443''. | ||
+ | |||
{{ :litespeed_wiki:config:udp-443-csf-quic.png?400 |}} | {{ :litespeed_wiki:config:udp-443-csf-quic.png?400 |}} | ||
+ | |||
+ | Also make sure that ''UDPFLOOD'' is set to Off ''0''. | ||
+ | |||
==== Plesk ==== | ==== Plesk ==== | ||
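Review bot: the new step "UDP_IN and UDP_OUT should enable ''443''" does not say what each setting is for, and the page otherwise only describes inbound QUIC connections from browsers, so the reader cannot tell whether UDP_OUT is actually required or just mirrored from UDP_IN; either state the reason for opening UDP_OUT 443 or limit the instruction to UDP_IN 443. The added sentence "Also make sure that ''UDPFLOOD'' is set to Off ''0''" duplicates the dedicated "UDP rate limiting option in CSF should be disabled" subsection added in the Troubleshooting hunk; make it a one-line pointer to that subsection and use the same form, ''UDPFLOOD = "0"'', so the two do not drift apart. Both settings only take effect after csf is restarted (csf -r), which the step should mention.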
Line 74: | Line 79: | ||
* Must use either Chrome or Opera with QUIC enabled | * Must use either Chrome or Opera with QUIC enabled | ||
* Must **not** use self-signed certificates only trusted certificates will work | * Must **not** use self-signed certificates only trusted certificates will work | ||
+ | * Must setup [[https://www.litespeedtech.com/support/wiki/doku.php/litespeed_wiki:config:letsencrypt-ssl#setup_ssl_on_lsws | SSL Settings]] correclty | ||
* Must have UDP Port 443 open at firewall | * Must have UDP Port 443 open at firewall | ||
* QUIC will **not** work with a proxy front end like CloudFlare | * QUIC will **not** work with a proxy front end like CloudFlare | ||
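Review bot: typos in the new checklist bullet: "correclty" should be "correctly" and "Must setup" should be "Must set up" (verb, two words), matching the "Must use" / "Must have" pattern of the surrounding bullets. The bullet should also say which SSL settings matter for QUIC rather than only linking to the Let's Encrypt page; as written it largely repeats the preceding "Must **not** use self-signed certificates" requirement, and that preceding line is itself missing punctuation before "only trusted certificates will work".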
Line 81: | Line 87: | ||
Looking to //disable// QUIC, or enable it at only the Virtual Host, or Listener Level? See [[litespeed_wiki:config:disable_quic|How to Disable QUIC on LiteSpeed Web Server]]. | Looking to //disable// QUIC, or enable it at only the Virtual Host, or Listener Level? See [[litespeed_wiki:config:disable_quic|How to Disable QUIC on LiteSpeed Web Server]]. | ||
+ | |||
+ | ===== Troubleshooting ===== | ||
+ | |||
+ | ==== CloudFlare doesn't support QUIC yet ==== | ||
+ | Please keep in mind that CloudFlare doesn't support QUIC yet at the time of this writing. If you are behind CloudFlare, please disable it before testing/using QUIC. | ||
+ | |||
+ | ==== Possibly Google Chrome has not enabled QUIC by default ==== | ||
+ | At some point we noticed that Google Chrome decided to temporarily disable QUIC by default. Some users explicitly have to enable QUIC under ''<nowiki>chrome://flags</nowiki>''. This may not be the case for you, but it's a good idea to check whether QUIC is enabled in Chrome. | ||
+ | |||
+ | ==== Possibly bad cached SSL certificates ==== | ||
+ | Sometimes, especially when the site in question has encountered an SSL/TLS error before, Chrome will save the certificate in cache and cause QUIC to be unable to establish a connection. In this case, it can simply be fixed by clearing the browser cache. | ||
+ | |||
+ | ==== UDP rate limiting option in CSF should be disabled ==== | ||
+ | If CSF used, UDP rate limiting option is normally disabled by default. You should see ''UDPFLOOD = "0"''. However, if you have enabled it somehow, please disable it before running any QUIC checker, such as http3check.net . | ||
+ | # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods. | ||
+ | # These typically originate from exploit scripts uploaded through vulnerable | ||
+ | # web scripts. Care should be taken on servers that use services that utilise | ||
+ | # high levels of UDP outbound traffic, such as SNMP, so you may need to alter | ||
+ | # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment | ||
+ | # | ||
+ | # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature | ||
+ | UDPFLOOD = "0" | ||
+ | UDPFLOOD_LIMIT = "100/s" | ||
+ | UDPFLOOD_BURST = "500" | ||
+ | # This is a list of usernames that should not be rate limited, such as "named" | ||
+ | # to prevent bind traffic from being limited. | ||
+ | # | ||
+ | # Note: root (UID:0) is always allowed | ||
+ | UDPFLOOD_ALLOWUSER = "named" | ||
+ | |||
+ | ==== LF_SPI needs to be turned off when CSF used ==== | ||
+ | ''LF_SPI'' in CSF should be turned off (set ''LF_SPI'' = ''0''). | ||
+ | |||
+ | According to CFS, ''LF_SPI'' option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default (which means ''LF_SPI'' = ''1'' by default). If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost. | ||
+ | |||
+ | {{ :litespeed_wiki:config:litespeeed-quic-disable-spi-in-csf.png?800 |}} |
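Review bot: the "LF_SPI needs to be turned off when CSF used" subsection recommends a server-wide security downgrade without stating the cause: the CSF text quoted in the same hunk says that ''LF_SPI'' = ''0'' turns csf into a static firewall and that "some functionality and security will be inevitably lost". The section should name the actual symptom (what fails with stateful inspection on once UDP 443 is open, as the cPanel hunk already requires) and present ''LF_SPI'' = ''0'' as a last resort to try after UDP_IN 443 has been confirmed, not as a general requirement; the heading overstates it. The same applies to "UDP rate limiting option in CSF should be disabled": the quoted csf.conf comment explains that outbound UDP flood protection exists to contain "exploit scripts uploaded through vulnerable web scripts", so the section should at least point to the narrower adjustments shown in its own excerpt, ''UDPFLOOD_ALLOWUSER'' and ''UDPFLOOD_LIMIT''/''UDPFLOOD_BURST'', before telling readers to turn the feature off. Smaller fixes: "If CSF used" should be "If CSF is used"; "According to CFS" should be "CSF"; "funtionality" should be "functionality"; the csf.conf excerpt (from "# Outgoing UDP Flood Protection" through ''UDPFLOOD_ALLOWUSER = "named"'') should be wrapped in a <code> block so the wiki does not render the # lines as text; the stray space in "http3check.net ." should go; and the "CloudFlare doesn't support QUIC yet" and "Google Chrome has not enabled QUIC by default" subsections make time-dependent claims that should carry the date they were checked.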