Configuring NetScaler for HTTP_QUIC protocol


I configured Citrix NetScaler to support the HTTP_QUIC protocol, to support HTTP/3 on the front end. My question: how do we test it from the open internet?

Below is the sample config:

add ns httpProfile http3_quic -http3 ENABLED

add quic profile quic_http3 -ackDelayExponent 10 -activeConnectionIDlimit 4

add ssl profile ssl_profile1 -sslProfileType QUIC-FrontEnd -sessReuse ENABLED -sessTimeout 120 -tls1 DISABLED -tls11 DISABLED -tls12 DISABLED -tls13 ENABLED

add lb vserver http_quic-lb HTTP_QUIC 10.20.40.150 443 -persistenceType NONE -cltTimeout 120 -httpProfileName http3_quic -quicProfileName quic_http3

bind lb vserver http_quic-lb service1

set ssl vserver http_quic-lb -sslProfile ssl_profile1

bind ssl vserver http_quic-lb -certkeyName emudra_connect.mspllabs.co.in.p

bind ssl vserver http_quic-lb -eccCurveName P_256

bind ssl vserver http_quic-lb -eccCurveName P_384

bind ssl vserver http_quic-lb -eccCurveName P_224

bind ssl vserver http_quic-lb -eccCurveName P_521


  • 2 weeks later...

This setup is incomplete, as one needs to create a separate SSL vserver and attach an HTTP profile with alternate service checked with the proper value; this allows the NetScaler to advertise HTTP/3 support. The way the HTTP/3 implementation currently works is that the client browser will initially hit the SSL VIP and the connection will be on HTTP/1.1 or HTTP/2. Once HTTP/3 support is advertised in the Alt-Svc header (as part of the HTTP/1.1 or HTTP/2 response), browsers that support HTTP/3 will use that URL for subsequent requests.

One can then see h3 in the protocol column after enabling developer tools in the browser.

HTTP/3 configuration: https://docs.citrix.com/en-us/citrix-adc/current-release/system/http3-over-quic-protocol/http3-configuration-and-stat-summary.html

HTTP/3 service discovery: https://docs.citrix.com/en-us/citrix-adc/current-release/system/http3-over-quic-protocol/http3-service-discovery.html


Hi Subhojit,

Thank you for your guidance. We have to create 2 vservers:

Flow: CIP > Vserver1 (HTTP/SSL) set with the QUIC profile bound, which then redirects HTTP traffic to the QUIC-configured vserver.

Is there anything in addition to enabling the client browser to support the QUIC protocol?

I enabled the QUIC flag extension in the Chrome browser.


Hi Subhojit,

I created 2 vservers for both and created an HTTP profile for the SSL vserver, as mentioned in the documentation.

Configure HTTP/3 service discovery

add ns httpProfile http-profile -altsvc ENABLED -altSvcValue "h3-29=":443"; ma=3600; persist=1"

add lb vserver lbvs SSL 10.20.40.150 443 -persistenceType NONE -cltTimeout 180 -httpProfileName http-profile

I can also see that the HTTP response is showing the Alt-Svc header:

HTTP/1.1 200 OK

Content-Type: text/html

Last-Modified: Tue, 27 Oct 2020 10:41:40 GMT

Accept-Ranges: bytes

ETag: "b39ee5c04dacd61:0"

Server: Microsoft-IIS/8.5

Date: Tue, 14 Mar 2023 07:04:20 GMT

Content-Length: 5227

Alt-Svc: h3-29=":443"; ma=3600; persist=1

But it is not redirecting further to the HTTP_QUIC vserver; it still continues to work on the SSL vserver only.

Attaching the running config for your reference; please help if any further correction is needed.
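
The Alt-Svc value in the response above is what tells a client where to try HTTP/3. The following Python sketch is an added example, not part of any post in this thread or of Citrix's documentation: it parses an Alt-Svc value using the RFC 7838 syntax and reports the ALPN token, the endpoint and the cache lifetime being advertised. The host name www.example.com and the function names are assumptions.

```python
import re

# Constructed sample: the Alt-Svc value from the response quoted in the thread.
SAMPLE = 'h3-29=":443"; ma=3600; persist=1'

def _split(text, sep):
    """Split on sep, ignoring separators that sit inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_alt_svc(value, default_host):
    """Return one dict per alternative service advertised in the header value."""
    if value.strip() == "clear":          # "clear" withdraws all alternatives
        return []
    entries = []
    for entry in _split(value, ","):
        fields = _split(entry, ";")
        alpn, _, authority = fields[0].partition("=")
        host, _, port = authority.strip('"').rpartition(":")
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        entries.append({
            "alpn": alpn.strip(),
            # An empty host means "same host as the origin that sent the header".
            "host": host or default_host,
            "port": int(port),
            # h3-NN is a draft-version token; plain "h3" is the RFC 9114 token.
            "draft": re.fullmatch(r"h3-\d+", alpn.strip()) is not None,
            "max_age": int(params.get("ma", "86400").strip('"')),  # RFC 7838 default: 24h
            "persist": params.get("persist", "").strip() == "1",
        })
    return entries

def udp_targets(value, default_host):
    """(host, port) pairs a client would contact over QUIC, which runs on UDP."""
    return sorted({(e["host"], e["port"])
                   for e in parse_alt_svc(value, default_host)
                   if e["alpn"].startswith("h3")})

if __name__ == "__main__":
    for e in parse_alt_svc(SAMPLE, "www.example.com"):
        print(e)
```

The pairs returned by `udp_targets` are the endpoints that must be reachable over UDP from the client before it can move from the SSL vserver to the HTTP_QUIC vserver.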
