HTTP/3 and QUIC aren’t just faster protocols; they fundamentally change how a connection is managed, moving state from the network layer to the application layer.
Let’s see Envoy do this. We’ll configure a simple HTTP/3 listener and then show how a client can connect to it.
First, we need to enable HTTP/3 on the listener. This involves specifying the http3_protocol_options and ensuring QUIC is configured.
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 443
filter_chains:
- filter_chain_match:
transport_protocol: QUIC
filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: h3_https
codec_type: HTTP3
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: httpbin_service
http_filters:
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
transport_socket:
name: envoy.transport_sockets.quic
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
downstream_tls_context:
common_tls_context:
tls_certificates:
- certificate_chain:
filename: "/etc/envoy/certs/server.crt"
private_key:
filename: "/etc/envoy/certs/server.key"
alpn_protocols: ["h3", "quic"]
http3_protocol_options:
quic_protocol_options:
idle_timeout: "5s"
max_concurrent_streams: 100
This configuration sets up a listener on port 443 that specifically handles QUIC transport. The codec_type: HTTP3 tells the HTTP connection manager to use the HTTP/3 codec. The transport_socket is configured for QUIC, including the necessary TLS context with ALPN protocols h3 and quic.
For the client side, you’d typically use a modern browser or a tool like curl with QUIC support enabled.
curl --http3 https://your-envoy-host.com/
Envoy will negotiate HTTP/3 with the client. If successful, the connection will proceed over QUIC. The http_connection_manager will then route the request to the configured httpbin_service cluster.
The core problem HTTP/3 and QUIC solve is the Head-of-Line (HOL) blocking inherent in TCP. In TCP, if a packet is lost, the entire connection stalls until that packet is retransmitted, even if subsequent packets have arrived and been processed. QUIC, being built on UDP, allows for independent streams within a single connection. If a packet for one stream is lost, it only affects that specific stream, while other streams can continue to make progress. This is a significant performance improvement, especially on lossy networks.
Envoy’s role here is to act as the gateway, terminating the QUIC connection, performing TLS decryption, and then translating the HTTP/3 requests into a format that can be handled by upstream services, which might still be using HTTP/1.1 or HTTP/2. The http_connection_manager with codec_type: HTTP3 is the key component that understands how to speak HTTP/3.
The alpn_protocols are crucial. During the TLS handshake, the client and server negotiate which application-layer protocols they support. By including "h3" and "quic", Envoy signals its ability to handle HTTP/3 over QUIC. If the client also supports these, the connection will be established using HTTP/3.
The quic_protocol_options allow fine-tuning of the QUIC connection itself, such as idle_timeout to close connections that have been inactive for a period, and max_concurrent_streams to limit the number of simultaneous bidirectional streams.
A detail often overlooked is the interaction with firewalls and network infrastructure. Because QUIC runs over UDP, any network device that aggressively filters UDP traffic without understanding QUIC can inadvertently block these connections. Unlike TCP, which has well-established port usage, QUIC can run on any UDP port, though 443 is the standard. This means network administrators might need to explicitly allow UDP traffic on the ports Envoy is listening on for QUIC.
The next hurdle is often managing HTTP/3 for gRPC, which requires specific Envoy configurations and client support.