Matomo Analytics

Documentation

Setting up HTTP/3 with NGINX on Ubuntu

Why HTTP/3? HTTP/3 is a significant improvement in web protocol technology, offering: Improved performance on unreliable networks Reduced latency thr...

Why HTTP/3?

HTTP/3 is a significant improvement in web protocol technology, offering:

  • Improved performance on unreliable networks
  • Reduced latency through connection migration
  • Better multiplexing without head-of-line blocking
  • Enhanced mobile performance
  • Improved security by default (QUIC is encrypted by design)

Enabling HTTP/3 in Ploi (recommended)

The easiest and safest way to enable HTTP/3 is the 1-click option in Ploi — no manual NGINX changes required. There are a few requirements:

  • Your OS must be Ubuntu 24.04 or newer.
  • NGINX must be version 1.25 or newer.
  • Your server must have been created after May 2024. Servers created before that won't be able to use the automatic HTTP/3 option.

When Ploi detects that your server is supported, it shows an HTTP/3 checkbox you can simply enable:

HTTP/3 Ploi

Do I need a new SSL certificate?

No. You can keep your existing certificate. HTTP/3 uses QUIC, which still relies on TLS 1.3, so any valid SSL/TLS certificate that works for HTTPS works for HTTP/3 too — the requirements are the same as for HTTP/2 and regular HTTPS. Just make sure your certificate is valid (not expired), properly installed and trusted by browsers.

Verifying HTTP/3

Using curl:

curl --http3 https://example.com

Or in Chrome DevTools: open DevTools (F12), go to the Network tab, and look for "h3" in the Protocol column.

Advanced: enabling HTTP/3 manually

Warning: the steps below install NGINX from the official nginx.org repository, which replaces the NGINX that Ploi manages. This can conflict with Ploi's configuration and break your stack — only do this if you understand the consequences and manage NGINX yourself. For almost all users, the 1-click option above is the right choice.

1. Add the NGINX repository:

sudo apt update
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

2. Install NGINX and verify the version (should be 1.25.0 or higher):

sudo apt update
sudo apt install nginx
nginx -v

3. In your site configuration (for example /etc/nginx/conf.d/example.com.conf), enable HTTP/3:

server {
    listen 443 ssl http3 reuseport;
    listen [::]:443 ssl http3 reuseport;
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Enable HTTP/3
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        root /var/www/html;
        index index.html;
    }
}

4. Test the configuration and reload NGINX:

sudo nginx -t
sudo systemctl reload nginx

5. Open the firewall port. HTTP/3 runs over UDP on port 443, while most servers only have TCP/443 open. Make sure both are allowed:

  • TCP port 443 (regular HTTPS fallback)
  • UDP port 443 (HTTP/3 / QUIC)

Troubleshooting

  • Check the NGINX error log: tail -f /var/log/nginx/error.log
  • Ensure UDP port 443 is open in your firewall.
  • Verify NGINX is running: systemctl status nginx
Dennis Smink

Written by Dennis Smink

Dennis brings over 13 years of hands-on experience in server management, specializing in optimizing web services for scalability and security.

Ready to dive in?
Start your free trial today.

Create an account and enjoy your 5-day free trial — no credit card required.

Start your free trial