Nginx Reverse Proxy HTTP/3?

10Meisterbaelle

Is it possible to use HTTP/3 using nginx as a reverse proxy for the docker container? I have tried adding these lines to my nginx page config (everything else is copied from the example config):

listen 443 quic;
listen [::]:443 quic;
more_set_headers 'Alt-Svc: h3=":443"; ma=86400';

like with my non-proxied pages, but that has resulted in WebAuthn not working (only on, Error message: “Validation failed:The operation is insecure.”).

I am using: Debian 13, nginx 1.26.3-3, mailcow 2025-07, Firefox 142.0

mlcwuser

Is it possible to use HTTP/3 using nginx as a reverse proxy for the docker container? I have tried adding these lines to my nginx page config (everything else is copied from the example config):

Probably yes, but I highly doubt you’ll gain much by doing so. It’s not like the Mailcow UI or even SoGo serves content that would really benefit from QUIC. Mailcow mostly serves small things like HTML and some JavaScript, which are generally still handled just fine over HTTP/2 or plain WebSockets. So the benefit is probably marginal, if it makes any difference at all. Maybe you’d notice something on high-latency mobile connections, but in that case, you’d probably be using an email client app via IMAP rather than SoGo in a browser anyway. 😉

but that has resulted in WebAuthn not working (only on, Error message: “Validation failed:The operation is insecure.”).

Not an expert, and not sure if this is directly related to HTTP/3, but if I had to guess, it’s probably because some headers aren’t being passed correctly by the reverse proxy. Does WebAuthn work if you configure the reverse proxy exactley like it says in the docs, without HTTP/3? Also depending on the NGINX version you’re using HTTP/3 support may still be expermintal, and therfore maybe not feature complete, or it might still have some bugs…!? But that’s just a wild guess.

10Meisterbaelle

~~I wanted to mention that this issue only occurs on Firefox and not on other browsers.~~
Edit: Nevermind, I wasn’t using HTTP/3 but it’s a different error on Chrome:
The relying party ID is not a registrable domain suffix of, nor equal to the current domain. Subsequently, an attempt to fetch the .well-known/webauthn resource of the claimed RP ID failed.

ETNyx Quick need TLSv1.3 so this change is most likely needed

I forgot to mention that I have already done that too

ETNyx To address your error try to add
proxy_http_version 1.1;

Unfortunately, this just results in a 400 Bad Request error when loading the site.

mlcwuser Does WebAuthn work if you configure the reverse proxy exactley like it says in the docs, without HTTP/3?

Yes, it does work when using HTTP/2 instead of HTTP/3.

mlcwuser Also depending on the NGINX version you’re using HTTP/3 support may still be expermintal

I believe HTTP/3 is no longer experimental since v1.25.0.

mlcwuser I highly doubt you’ll gain much by doing so

Probably yes, I mean it’s not really a dealbreaker but it would be nice.

ETNyx

Quick need TLSv1.3 so this change is most likely needed

ssl_protocols       TLSv1.2 TLSv1.3;

To address your error try to add

proxy_http_version 1.1;

10Meisterbaelle

I have found a fix:
In addition to this:

ETNyx To address your error try to add
proxy_http_version 1.1;

I also had to change this line:
proxy_set_header Host $http_host;
to this:
proxy_set_header Host $host;