Can't set up precompressed brotli or http3

Hi, I am a beginner who’s working toward realizing his self-hosted website. Currently it is on Firebase, with http3 and brotli compression. I want to carry the same features over to my machine (once I have found a solution with Vodafone using those fake WAN IPs unusable with dynamic DNS…).

So far I compiled nginx with the required build options, and set up a server with http2 (and a self-hosted certificate to shut it up) and dynamic compression. But accessing any .br file causes a 403 Forbidden error. As for http3, I tried accessing through port 443, nothing happens, the developer tools still show h2.

Here’s my conf:
worker_processes auto;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
events {}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server {
        ssl_certificate /home/drm/localhost.crt;
        ssl_certificate_key /home/drm/localhost.key;
        http2 on;
        http3 on;
        brotli on;
        brotli_comp_level 11;
        brotli_types *;
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        ssl_early_data on;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers off;
        root /var/www/html;
        index index.html;
    }
}

Thanks for your help!

Solved it by stripping .br for MIME type detection!

OK, I see that “localhost” cannot be reached with http/3, no matter what, internal security or whatnot. But I can force it with “thorium-browser --origin-to-force-quic-on=mysite:443”. Then it works fine. But why isn’t it automatic? No SSL certificate issue, I checked.
Headers look like this:

HTTP/2 200
server: nginx/1.29.2
date: Sun, 05 Oct 2025 01:12:16 GMT
content-type: text/html; charset=utf-8
content-length: 59182
last-modified: Sat, 04 Oct 2025 23:27:13 GMT
etag: "68e1ad51-e72e"
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
strict-transport-security: max-age=31536000
accept-ranges: bytes

It should be enough to advertise http/3, no?

The behavior is inconsistent between browsers. Chromium/Thorium sticks to h2, but Firefox cycles through h1, h2 and h3 depending on the time of refreshing. What the hell is this.

net-export showed this to me:

15444: UDP_SOCKET
[2001:4860:4860::8888]:443
Start Time: 2025-10-05 02:46:09.519

t=3840 [st=0] +SOCKET_ALIVE  [dt=1]
               --> source_dependency = 15443 (UDP_CLIENT_SOCKET)
t=3841 [st=1]   +UDP_CONNECT  [dt=0]
                 --> address = "[2001:4860:4860::8888]:443"
t=3841 [st=1]   -UDP_CONNECT
                 --> net_error = -109 (ERR_ADDRESS_UNREACHABLE)
t=3841 [st=1] -SOCKET_ALIVE

So that means browsers never find UDP connections trustworthy enough with local hostnames, because local hostnames (inevitably) aren’t registered in public DNS?

Do you confirm this behavior?
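
A check for the question above about whether the response advertises HTTP/3, as an added example that is not part of the original thread: it parses an Alt-Svc value following RFC 7838 and runs on the header quoted in the post. The class and function names are hypothetical.

```python
# Added example: parse an Alt-Svc header value (RFC 7838) and report whether
# HTTP/3 is advertised on the origin's own port. All names are hypothetical.
from dataclasses import dataclass

@dataclass
class AltService:
    protocol: str   # ALPN id, e.g. "h3"
    host: str       # empty string means "same host as the origin"
    port: int
    max_age: int    # seconds; RFC 7838 default when "ma" is absent is 86400

def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_alt_svc(value):
    """Return the advertised alternatives; the special value 'clear' yields []."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for entry in _split_outside_quotes(value, ","):
        fields = _split_outside_quotes(entry, ";")
        protocol, _, authority = fields[0].partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        max_age = int(params.get("ma", "86400").strip('"'))
        services.append(AltService(protocol.strip(), host, int(port), max_age))
    return services

def advertises_h3(value, origin_port=443):
    """True if final-version HTTP/3 is offered on the origin's host and port."""
    return any(s.protocol == "h3" and s.host == "" and s.port == origin_port
               and s.max_age > 0 for s in parse_alt_svc(value))

# Header value copied from the response shown in the thread.
THREAD_HEADER = 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'

if __name__ == "__main__":
    for svc in parse_alt_svc(THREAD_HEADER):
        print(svc)
    print("h3 advertised:", advertises_h3(THREAD_HEADER))
```

A true result only shows that the header is well-formed and offers h3 on the origin port; whether a browser then switches to QUIC is decided by the client.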
