Usage of HTTP/3 with Traefik

From version 2.5 of Traefik, you are now able to use HTTP/3 (QUIC ). Keep in mind that this protocol is not production-ready and can lead to some instabilities.

Goal: Give the capability for Traefik to receive/send HTTP/3 requests

Environment: Debian 12, Docker 24.x, docker compose (plugin) 2.20.x, Traefik 2.10.

Execution context:

jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   ├── traefikdynamic
│   │   ├── general.yml
│   │   ├── routersservices.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    ├── traefik.log
  • path where are every folder and files : /opt/docker/dc
  • path of the principal configuration file for Traefik : /opt/docker/dc/conf/traefik.yml
  • folder where are every dynamic configuration files : /opt/docker/dc/conf/traefikdynamic
  • path of the file which is used to store SSL certificates for let’s encrypt (or other provider) : /opt/docker/dc/conf/acme.json
  • folder to store logs : /opt/docker/dc/logs/

Principe and requirements#

HTTP/3 is a new web standard to increase the navigation speed. Without going into details, it is a transport protocol to send HTTP requests faster than HTTP/2 (TCP), particularly with the use of UDP.

HTTP/3 QUIC - picture from Cloudflare blogMore information here :

Traefik configuration#

Before you start configuring HTTP/3, be aware that it is not possible to let Traefik listen to the same UDP port and TCP port. In addition, the entry point used for HTTP/3 needs to be the same they use with the routers which have a TLS configuration. So you don’t have to modify your services or add a label.

Configuration is simple: add the bloc “experimental” and modify the entry point which have the HTTPS bloc:

experimental:
  http3: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http3:
      advertisedPort: "443"

You have to restart Traefik to commit changes. With this configuration, every router with the entry point “websecure” (in this example) will be reachable in HTTP/2 and HTTP/3.

Docker-compose file configuration#

You need to add the 443/UDP port for the Traefik container. So you might have this :

---
services:
  traefik:
    image: traefik:saintmarcelin
    container_name: traefik
    restart: unless-stopped
    ports:
      - target : 80
        published : 80
        protocol: tcp
        mode : host
      ### BEGIN dashboad
      - target : 8080
        published : 8080
        protocol: tcp
        mode : host
      ### END dashboard
      - target : 443
        published : 443
        protocol: tcp
        mode : host
      # HTTP/3 QUIC
      - target : 443
        published : 443
        protocol: udp
        mode : host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf/traefikdynamic:/dynamic
      - ./conf/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./conf/acme.json:/etc/traefik/acme.json
      - ./logs/traefik.log:/etc/traefik/applog.log
    environment:
      TZ: Europe/Paris

Validate your access with this tool from Domsignal :

HTTP/3 Test | Ensure Your Website’s Speed and CompatibilityFind out if your site supports the latest H3 protocol for better performance. Domsignal H3 tool use cURL for the testingDomsignalYou should have this result if your configuration works:

Source

Tags
#traefik
Author
Julien HOMMET
Published
Reading time
3 minutes
Word count
461 words
Category
tuto
Last modified

Related articles

2022.05.23

Prometheus metrics of Traefik

2022.05.18

Custom TLS configuration for Traefik

2022.05.16

Traefik 2, use the binary without docker

cd /home/user/content/posts && ls