Shahzad Siddique 2
Posted March 3, 2023

Configured Citrix NetScaler to support the HTTP_QUIC protocol to support HTTP/3 in the frontend. My question: how do we test it from the open internet? Below is the sample config:

add ns httpProfile http3_quic -http3 ENABLED
add quic profile quic_http3 -ackDelayExponent 10 -activeConnectionIDlimit 4
add ssl profile ssl_profile1 -sslProfileType QUIC-FrontEnd -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls12 DISABLED -tls13 ENABLED
add lb vserver http_quic-lb HTTP_QUIC 10.20.40.150 443 -persistenceType NONE -cltTimeout 120 -httpProfileName http3_quic -quicProfileName quic_http3
bind lb vserver http_quic-lb service1
set ssl vserver http_quic-lb -sslProfile ssl_profile1
bind ssl vserver http_quic-lb -certkeyName emudra_connect.mspllabs.co.in.p
bind ssl vserver http_quic-lb -eccCurveName P_256
bind ssl vserver http_quic-lb -eccCurveName P_384
bind ssl vserver http_quic-lb -eccCurveName P_224
bind ssl vserver http_quic-lb -eccCurveName P_521

Subhojit Goswami
Posted March 13, 2023

This setup is incomplete, as one needs to create a separate SSL vserver and attach an HTTP profile with alternate service checked with the proper value; this allows the NetScaler to advertise HTTP/3 support. The way the HTTP/3 implementation works currently is that the client browser, in the beginning, will hit the SSL VIP and the connection will be on HTTP/1.1 or HTTP/2. Once HTTP/3 support is advertised in the altsvc header (as part of the HTTP/1.1 or HTTP/2 response), browsers that support HTTP/3 will use that URL for subsequent requests.

One can then see h3 mentioned in the protocols column after enabling developer tools in the browser.

HTTP/3 configuration: https://docs.citrix.com/en-us/citrix-adc/current-release/system/http3-over-quic-protocol/http3-configuration-and-stat-summary.html
HTTP/3 service discovery: https://docs.citrix.com/en-us/citrix-adc/current-release/system/http3-over-quic-protocol/http3-service-discovery.html

Shahzad Siddique 2
Posted March 13, 2023

Hi Subhojit,

Thank you for your guidance. We have to create 2 vservers:

Flow: Cip > Vserver1 (HTTP/SSL) set with QUIC profile bound, which then redirects HTTP traffic to the QUIC-configured vserver.

Is there anything in addition to enabling the client browser to support the QUIC protocol? I enabled the QUIC flag extension in the Chrome browser.

Subhojit Goswami
Posted March 13, 2023

Hi Shahzad,

I don't think anything else is required.

Shahzad Siddique 2
Posted March 14, 2023

Hi Subhojit,

I created 2 vservers for both and created an HTTP profile for the SSL vserver, as mentioned in the documentation.

Configure HTTP/3 service discovery

add ns httpProfile http-profile -altsvc ENABLED -altSvcValue "h3-29=":443"; ma=3600; persist=1"
add lb vserver lbvs SSL 10.20.40.150 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http-profile

I can also see that the HTTP response is showing the Alt-Svc header:

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 27 Oct 2020 10:41:40 GMT
Accept-Ranges: bytes
ETag: "b39ee5c04dacd61:0"
Server: Microsoft-IIS/8.5
Date: Tue, 14 Mar 2023 07:04:20 GMT
Content-Length: 5227
Alt-Svc: h3-29=":443"; ma=3600; persist=1

But it is not redirecting further to the http_QUIC vserver; it still continues to work on the SSL vserver only.

Attaching the running config for your reference; please help if any further correction is needed.

Shahzad Siddique 2
Posted March 14, 2023

Also, I use the same backend HTTP service for both the SSL and http_quic protocol-based vservers.

Subhojit Goswami
Posted March 14, 2023

This is fine.
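
The Alt-Svc header in the response posted above is what decides whether a browser ever tries the HTTP_QUIC vserver, so it is worth checking exactly which protocol tokens it advertises. The following is an added example, not part of the original thread or of Citrix's documentation: a small Python parser (function names are illustrative) run over a subset of the posted response headers, separating the final `h3` token of RFC 9114 from draft tokens such as `h3-29`, which a client acts on only if it still supports that draft.

```python
import re

# Subset of the response headers as posted in the thread (from the SSL vserver).
SAMPLE = '''HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Tue, 14 Mar 2023 07:04:20 GMT
Content-Length: 5227
Alt-Svc: h3-29=":443"; ma=3600; persist=1'''

DRAFT_H3 = re.compile(r"^h3-\d+$")  # draft-era ALPN tokens such as h3-29
# One alternative: protocol-id="authority" followed by ;name=value parameters
ALT = re.compile(r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^=;,\s]+=[^;,]*)*)')

def parse_alt_svc(value):
    """Parse an Alt-Svc field value (RFC 7838) into a list of dicts."""
    if value.strip() == "clear":
        return []
    entries = []
    for proto, authority, raw in ALT.findall(value):
        params = {}
        for item in filter(None, (s.strip() for s in raw.split(";"))):
            key, _, val = item.partition("=")
            params[key.lower()] = val.strip().strip('"')
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed authority, skip it
        entries.append({"protocol": proto, "host": host, "port": int(port),
                        "ma": int(params.get("ma", 86400)),  # default 24 h
                        "persist": params.get("persist") == "1"})
    return entries

def h3_advertisement(headers_text):
    """Report which HTTP/3 tokens a captured response advertises."""
    alts = []
    for line in headers_text.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "alt-svc":
            alts += parse_alt_svc(value)
    protos = [a["protocol"] for a in alts]
    return {"alternatives": alts,
            "final_h3": "h3" in protos,  # token registered by RFC 9114
            "draft_tokens": [p for p in protos if DRAFT_H3.match(p)]}

if __name__ == "__main__":
    print(h3_advertisement(SAMPLE))
```

An empty `host` in the result means the alternative is offered on the same host as the origin, on the listed UDP port.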