Enable HTTP/3 for {,aur.,wiki.}archlinux.org

They are our HTTP/3 guinea pigs for now. HTTP/3 has been enabled on
archlinux.org since 2024-07-22, so I do not expect any issues.

$http_host is changed to $host for aurweb, as HTTP/3 uses the
":authority" pseudo-header instead of the "Host" header[1][2].

[1] https://trac.nginx.org/nginx/ticket/2281
[2] https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html

Ref #606

nginx: Add plumbing for enabling HTTP/3 conditionally

We want to roll out HTTP/3 slowly, so this adds the necessary plumbing
and makes it possible to enable it per host.

Instead of adding the conditional logic to each nginx template, the 443
listen config is moved out into a snippet which is managed by the nginx
role.

HTTP/3 uses QUIC which is built on UDP. UDP is connectionless and
therefore reuseport[1][2] must be used to ensure that UDP packets for
the same QUIC connection are directed to the same worker. reuseport can
only be enabled once, so a default_server is added to the
"inventory_hostname vhost" for SSL/QUIC (reuseport is only enabled for
the latter). ssl_reject_handshake[3] is enabled as that allows enabling
SSL/QUIC without specifying a certificate.

[1] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
[2] https://lwn.net/Articles/542629/
[3] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake

Ref #606
Edited by Kristian Klausen
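The two commit messages above describe the resulting nginx layout in words; the fragment below is an added illustration of that layout, not the infrastructure repository's own Ansible templates. It assumes the hostnames `example.org` and `aur.example.org`, Let's Encrypt certificate paths, and an aurweb UNIX socket path, all of which are placeholders; everything else (the single `reuseport` on a `default_server`, `ssl_reject_handshake` without a certificate, `$host` instead of `$http_host`) follows what the commits state.

```nginx
# http-context fragment (drop into an existing nginx.conf; needs nginx with
# the http_v3 module). Names and paths below are assumptions, not the
# archlinux infrastructure repo's values.

# --- "inventory_hostname" vhost: the one place reuseport may appear ---------
# reuseport can be given only once per address:port. Attaching it to the
# quic listen of a catch-all default_server keeps every real vhost's listen
# lines free of it. ssl_reject_handshake lets this server open the SSL/QUIC
# sockets without owning a certificate: TLS handshakes that match no other
# server_name are simply rejected.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    listen 443 quic reuseport default_server;
    listen [::]:443 quic reuseport default_server;
    ssl_reject_handshake on;
}

# --- vhost with HTTP/3 enabled -----------------------------------------------
# In the nginx role these listen lines live in a per-host snippet so the
# HTTP/3 toggle is a role variable rather than a change to each template.
server {
    server_name aur.example.org;

    # TCP listeners (HTTP/1.1 and HTTP/2 over TLS)
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    # UDP/QUIC listeners: no reuseport here, the default_server holds it.
    listen 443 quic;
    listen [::]:443 quic;
    # Tell HTTP/1.1 and HTTP/2 clients that HTTP/3 is available on UDP 443.
    add_header Alt-Svc 'h3=":443"; ma=86400';

    ssl_certificate     /etc/letsencrypt/live/aur.example.org/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/letsencrypt/live/aur.example.org/privkey.pem;     # assumed path

    location / {
        # HTTP/3 requests carry ":authority" instead of a "Host" header, so
        # $http_host (the raw header) is empty for them and the backend would
        # receive an empty Host. $host is filled from ":authority" (or the
        # matched server_name) and is correct for HTTP/1.1, HTTP/2 and HTTP/3.
        # proxy_set_header Host $http_host;   # before the change
        proxy_set_header Host $host;          # after the change
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://unix:/run/aurweb/aurweb.sock;                     # assumed socket
    }
}
```

Two checks worth running after deploying such a change: `nginx -t` will refuse a configuration where `reuseport` appears on more than one `listen` for the same address and port, which is the error the default_server arrangement avoids; and UDP 443 must be reachable through the host firewall, otherwise clients advertised `h3` via Alt-Svc will silently fall back to TCP and the rollout looks like it worked while HTTP/3 is never used.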
