Usage of HTTP/3 with Traefik

Traefik can send and receive HTTP/3 request. This post teach you how.

Since version 3.0 of Traefik, HTTP/3 (QUIC ) is stable and available without any experimental flag.

Goal: Give the capability for Traefik to receive/send HTTP/3 requests

Environment: Debian 13, Docker 28.x, docker compose (plugin) 2.32.x, Traefik 3.6.

Execution context:

bash
jho@vmi866042:/opt/docker/dc$ tree
.
├── conf
│   ├── acme.json
│   ├── traefik.yml
│   ├── traefikdynamic
│   │   ├── dynamic.yml
├── docker-compose.yml
└── logs
    ├── traefikAccess.log
    ├── traefik.log

Result of the “tree” command in the /opt/docker/dc folder

  • path where are every folder and files : /opt/docker/dc
  • path of the principal configuration file for Traefik : /opt/docker/dc/conf/traefik.yml
  • folder where are every dynamic configuration files : /opt/docker/dc/conf/traefikdynamic
  • path of the file which is used to store SSL certificates for let’s encrypt (or other provider) : /opt/docker/dc/conf/acme.json
  • folder to store logs : /opt/docker/dc/logs/

Principe and requirements#

HTTP/3 is a new web standard to increase the navigation speed. Without going into details, it is a transport protocol to send HTTP requests faster than HTTP/2 (TCP), particularly with the use of UDP.

HTTP/3 QUIC - picture from Cloudflare blogMore information here :

Traefik configuration#

Before you start configuring HTTP/3, note that since Traefik 3, HTTP/3 shares the same port as the HTTPS entrypoint: Traefik listens on both 443/TCP (HTTPS) and 443/UDP (HTTP/3) through the same entrypoint. The entrypoint used for HTTP/3 must be the one with TLS enabled for your routers.

Configuration is simple: modify the entry point which has the HTTPS block to enable HTTP/3:

yaml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http3:
      advertisedPort: 443

You have to restart Traefik to commit changes. With this configuration, every router with the entry point “websecure” (in this example) will be reachable in HTTP/2 and HTTP/3.

Docker-compose file configuration#

You need to add the 443/UDP port for the Traefik container. So you might have this :

bash
---
services:
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    ports:
      - target : 80
        published : 80
        protocol: tcp
        mode : host
      ### BEGIN dashboad
      - target : 8080
        published : 8080
        protocol: tcp
        mode : host
      ### END dashboard
      - target : 443
        published : 443
        protocol: tcp
        mode : host
      # HTTP/3 QUIC
      - target : 443
        published : 443
        protocol: udp
        mode : host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./conf/traefikdynamic:/dynamic
      - ./conf/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./conf/acme.json:/etc/traefik/acme.json
      - ./logs/traefik.log:/etc/traefik/applog.log
    environment:
      TZ: Europe/Paris

Validate your access with this tool from Domsignal :

HTTP/3 Test | Ensure Your Website’s Speed and CompatibilityFind out if your site supports the latest H3 protocol for better performance. Domsignal H3 tool use cURL for the testingDomsignalYou should have this result if your configuration works:

Source

P1 Article info
// manifest
Tags
#Traefik
Author
Julien HOMMET
Published
Reading time
3 minutes
Word count
439 words
Category
Tuto
Last modified

Stay Updated

Subscribe to the RSS feed or follow for new articles.

RSS Feed GitHub

Related articles

Latest in #traefik