My server is running multiple VMs, each of which is administered by different people. Each of the VMs is running traefik to serve various websites. Because my server has only one IP address, the host system is running traefik and using TLS passthrough to pass the HTTPS traffic to the VMs depending on the SNI hostname. Proxy protocol is enabled to make sure that the VMs receive the right client IP addresses. This setup is working fine.
I have started to experiment with HTTP/3 support. I was hoping I just had to enable HTTP/3 on the host system, similar to how it was when I first enabled HTTP/2, but I quickly realized that the setup will be more complicated than that.
My understanding of HTTP/3 is that the client first opens the website through HTTP/1 or HTTP/2. The response contains an `Alt-Svc` HTTP header that indicates a UDP host and port over which the server can be reached through HTTP/3. If the client supports HTTP/3, it will then remember this information and make any future requests to the webserver through HTTP/3 over UDP.
I can imagine two different types of setup:
- HTTP/3 is running on the host system. Because the host system cannot intercept the content that passes through the connection, the VM will actually have to add the `Alt-Svc` header to the response. The host system is accepting HTTP/3 connections over UDP, and somehow passing them through to the VM, in one of the following ways:
  - The VM supports HTTP/3 and the UDP packets are passed through. Does this support the proxy protocol?
  - The host system somehow transforms the HTTP/3 traffic and forwards it to the VMs as HTTP/1 or HTTP/2. Does this work without the host system having the TLS keys?
- HTTP/3 is running on the VM. The host system has one UDP port forward configured for each VM. The VM can announce and listen on this UDP port for HTTP/3. This would mean that HTTP/1 and HTTP/2 connections would pass through the host system traefik, while HTTP/3 connections would go directly to the VM. This means that no proxy protocol is needed, but it also means that in the future I will have to always test the setup 4 times, over IPv4/IPv6 and over HTTP/2/3, as in each scenario the packages will take a different route.
Neither of these setups sounds very pleasing, but I'm wondering whether any of them will work at all? Does traefik support passthrough for HTTP/3 traffic at all? Is the proxy protocol supported in this case? Is there any important aspect that I am missing?
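Added example, not part of the original question: in the second setup each VM has to announce the UDP port the host forwards for it, so a mismatch between the advertised `Alt-Svc` value and the host's port-forward table silently breaks HTTP/3 for that site. This script parses `Alt-Svc` headers (RFC 7838 syntax, including `clear`, `ma` and `persist`) and compares what a VM advertises with a constructed SNI-hostname-to-UDP-port map; the hostnames and ports are made up.

```python
import re
from dataclasses import dataclass

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# alt-value = protocol-id "=" alt-authority *( OWS ";" OWS parameter )
_ALT_VALUE = re.compile(rf'({_TOKEN})="((?:[^"\\]|\\.)*)"((?:\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED}))*)')
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})')

@dataclass(frozen=True)
class AltSvc:
    protocol: str   # e.g. "h3" or "h3-29"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds; RFC 7838 default is 24 h
    persist: bool

def parse_alt_svc(header: str) -> list[AltSvc]:
    """Return the alternatives in one Alt-Svc value; 'clear' or empty yields none."""
    if header.strip().lower() in ("", "clear"):
        return []
    out = []
    for m in _ALT_VALUE.finditer(header):
        host, _, port = m.group(2).rpartition(":")   # ":443" -> host "", port "443"
        params = {k.lower(): v.strip('"') for k, v in _PARAM.findall(m.group(3))}
        out.append(AltSvc(protocol=m.group(1), host=host, port=int(port),
                          max_age=int(params.get("ma", 86400)),
                          persist=params.get("persist") == "1"))
    return out

def check_h3_advertisement(sni_host: str, header: str,
                           forwarded_udp_ports: dict[str, int]) -> list[str]:
    """Compare a VM's Alt-Svc header with the UDP port the host forwards for its
    SNI hostname (constructed map). An empty list means the two are consistent."""
    problems: list[str] = []
    h3 = [a for a in parse_alt_svc(header) if a.protocol.startswith("h3")]
    expected = forwarded_udp_ports.get(sni_host)
    if expected is None:
        if h3:
            problems.append(f"{sni_host}: advertises HTTP/3 but no UDP port is forwarded for it")
        return problems
    if not h3:
        problems.append(f"{sni_host}: UDP {expected} is forwarded but no h3 alternative is advertised")
    for a in h3:
        if a.host and a.host != sni_host:
            problems.append(f"{sni_host}: {a.protocol} points at a different host ({a.host})")
        if a.port != expected:
            problems.append(f"{sni_host}: {a.protocol} advertises port {a.port}, host forwards {expected}")
    return problems
```

Running the check against the real `Alt-Svc` header of each VM (for example from `curl -sI` output) before enabling a port forward is a cheap way to catch the third test dimension the question worries about.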