Debian 13 Nginx 1.29.3 add_header don't show up on html page

General Discussion
1

I have tried different system configuration.
Debian 13 with Nginx 1.29.3 and
Debian 13 with Nginx 1.26.3.
I have figured ot that no http3 header will be send to client.

Here my default setup:

server {
.....
## Enable HTTP/2
    listen 443 ssl;
    http2 on;
## Enable HTTP/3
    listen 443 quic reuseport;
    http3 on;
    add_header Alt-Svc 'h3=":443"; ma=86400'; 
.....
}

I also have checked that that no other `add_header` in or included into nginx.conf.
What could be the reason that the header file not sent by Nginx.
Thank you very much for your support.

1 Like
2

Hi @HGA ,

I’m on Debian with 1.29.3 and everything works like a charm. I’d take a look at your full config, but I’d first check that:

  1. You’re not using add_header in your locations:

There could be several add_header directives. These directives are inherited from the previous configuration level if and only if there are no add_header directives defined on the current level. Inheritance rules can be redefined with the add_header_inherit directive (1.29.3).

  1. add_header doesn’t add the header for all response codes, only for some of them (https://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header). So you could try adding the always parameter.

I don’t know which user agent you are using, but I’d test it with curl, for example like this:

curl -I --http2 https://example.com/
3

@route443 Here my curl results for http3

HTTP/3 200
server: nginx/1.29.3
date: Wed, 03 Dec 2025 16:45:01 GMT
content-type: text/html
content-length: 615
last-modified: Sat, 29 Nov 2025 13:05:24 GMT
etag: “692aef94-267”
alt-svc: h3=“:443”; ma=86400
x-quic: h3
accept-ranges: bytes

But if I use http3check.net I’m getting

grafik
grafik891×638 22 KB

Is the curl answer correct?

But I also can’t see any header in the source code `alt-svc: h3=“:443”; ma=86400`!

And I use already always!

The add_header is direct under server!

4

The HTTP response looks correct when using curl. However, the response in the case of http3check.net looks suspicious. Are you using any reverse proxy or CDN in front of nginx?

Server: Apache
Content-Encoding: gzip
Keep-Alive: ...etc

In general, I’d check that nothing is modifying nginx’s response.

5

Hi @route443, you are right, it also confused me , that http3check.net is recognize the server as an `Apache server`.

Totally I have currently running 4 Web server. Two Microsoft IIS and two Debian systems with Nginx, but no `Apache server`. The Debian servers should replace the IIS server.

The server I currently talking about, is just the Debian System and Nginx 1.29.4 with an simple Nginx Welcome page, nothing else. Only in front of the server is a `Sophos Firewall`.
Can this be make some problems?

Can I send you a private message with the URL of the page? How?

6

Hi @HGA ,

I wouldn’t call myself an experienced sophos xg user, since I’ve only had limited experience with xg home. However, I remember that it does have the ability to publish internal apps to the external network using a waf/reverse-proxy mechanism. In any case, I could give some meaningful advice for OPNsense, but for Sophos I’d recommend setting up a simple port forwarding - say, 8443 TCP+UDP and reconfiguring nginx’s VS to listen on 8443 to rule waf factor out.

If you go to my profile, there should be a ‘Message’ button - it looks like a private messaging feature :slight_smile:

7

I could get in touch with Sophos. They are not supporting HTTP/3 yet. It’s on there list, but with low priority!

1 Like