Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:enable_quic [2019/03/26 18:04] Jackson Zhang [LF_SPI needs to be turned off when CSF used] |
litespeed_wiki:config:enable_quic [2020/12/14 04:02] Eric Leu [Test Outgoing] |
||
---|---|---|---|
Line 27: | Line 27: | ||
If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. | If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. | ||
+ | ConfigServer Security & Firewall -> csf - ConfigServer Firewall -> Firewall Configuration -> IPv4 Port Settings -> UDP_IN and UDP_OUT should enable ''443''. | ||
+ | |||
{{ :litespeed_wiki:config:udp-443-csf-quic.png?400 |}} | {{ :litespeed_wiki:config:udp-443-csf-quic.png?400 |}} | ||
- | Also make sure that ''UDPFLOOD'' is set to 0. | + | Also make sure that ''UDPFLOOD'' is set to Off ''0''. |
+ | |||
==== Plesk ==== | ==== Plesk ==== | ||
If a firewall is activated, you need to enable UDP 443 manually. | If a firewall is activated, you need to enable UDP 443 manually. | ||
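Review bot: The changed ''UDPFLOOD'' line still gives no reason for the setting: it tells the reader to switch the option off but not why QUIC on UDP 443 needs that, or what protection is given up by doing so. Add one sentence covering both. In the added navigation line, "UDP_IN and UDP_OUT should enable ''443''" would read more clearly as "add ''443'' to both UDP_IN and UDP_OUT", and "set to Off ''0''" as "set to ''0'' (off)".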
Line 62: | Line 66: | ||
Ncat: Version 6.40 ( http://nmap.org/ncat ) | Ncat: Version 6.40 ( http://nmap.org/ncat ) | ||
Ncat: Connected to 74.125.24.104:443. | Ncat: Connected to 74.125.24.104:443. | ||
+ | |||
+ | |||
+ | |||
+ | ==== Verify with TCPDUMP ==== | ||
+ | Sometimes that "nc -vu" command is not enough to verify UDP 443 port unless it will return some information back | ||
+ | You can verify it with tcpdump, e.g. | ||
+ | Run tcpdump on the website's server. | ||
+ | |||
+ | tcpdump -vv udp port 443 -X | ||
+ | | ||
+ | Run nc command from any client server. | ||
+ | |||
+ | nc -vu YOUR_DOMAIN 443 | ||
+ | |||
+ | and you should see some output on server if there's any UDP port 443 traffic in and out. | ||
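Review bot: The closing sentence of the new tcpdump section accepts "some output on server" as proof, but tcpdump captures inbound packets before iptables filters them, so a packet arriving on UDP 443 shows up in the capture even when the firewall then drops it. Say that the capture must show packets in both directions (to port 443 and back from it). The client step should also tell the reader to type a line and press Enter, because ''nc -vu'' sends nothing over UDP until there is data to send. The first added sentence is missing its full stop and would be clearer as a statement that ''nc -vu'' reports "Connected" even when nothing answers.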
Line 114: | Line 133: | ||
==== LF_SPI needs to be turned off when CSF used ==== | ==== LF_SPI needs to be turned off when CSF used ==== | ||
- | ''LF_SPI'' in CSF should be turned off. | + | ''LF_SPI'' in CSF should be turned off (set ''LF_SPI'' = ''0''). |
- | ''LF_SPI'' option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default. If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost. | + | According to CFS, ''LF_SPI'' option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default (which means ''LF_SPI'' = ''1'' by default). If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost. |
{{ :litespeed_wiki:config:litespeeed-quic-disable-spi-in-csf.png?800 |}} | {{ :litespeed_wiki:config:litespeeed-quic-disable-spi-in-csf.png?800 |}} |
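Review bot: The added text quotes CSF describing ''LF_SPI'' = ''0'' as a workaround for a broken connection-tracking kernel that loses "some funtionality and security", yet the section tells every CSF user to apply it without saying why QUIC needs stateful inspection turned off. Add that reason so readers can weigh the trade-off. Typos in the new line: "According to CFS" should be "CSF", and "funtionality" should be "functionality".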