Enabling HTTP/3 for Fastly services

This guide describes how to enable HTTP/3 for your Fastly services.

About HTTP/3

HTTP/3 uses a web transport protocol standard called QUIC that you can offer to end user clients as an optional upgrade from HTTP/1.1 and HTTP/2 connections. End user clients will initially connect to your Fastly service using an earlier version of HTTP and will only attempt to use HTTP/3 if the Fastly service offers it.

Unlike the TCP transport protocol used by earlier versions of HTTP, QUIC requires that all connections be secured and uses TLS 1.3 to secure them. Like TLS 1.3, QUIC also supports the optional 0-RTT feature to help reduce the latency of resumed connections.

Prerequisites

To use HTTP/3 on Fastly’s edge cloud services, you will need:

• a Fastly user account assigned the role of superuser
• relevant domains you will be using for HTTP/3 added to a properly configured Fastly service
• access privileges to modify DNS records for the domains you will be using

Limitations and key behaviors

• Fastly currently only supports HTTP/3 for end user connections, as that is where we expect the primary benefits of these protocols will be seen. We do not support HTTP/3 between Fastly and your origin servers.
• The QUIC transport protocol used by HTTP/3 requires all connections to be secured using TLS 1.3. This means that when you configure domains to offer HTTP/3, you are also configuring them to offer TLS 1.3 to clients using HTTP/1.1 or HTTP/2.

Enabling HTTP/3 for Fastly services

To enable HTTP/3 for your Fastly services, start by configuring HTTP/3 on your domains and then configure your services to offer HTTP/3 on client connections.

Configuring HTTP/3 on your domains

To configure HTTP/3 on a new domain, refer to Setting up TLS 1.3 for a new domain.

To configure HTTP/3 on an existing domain, complete the following:

1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
2. Click Manage certificates.
3. Find the domain on which you plan to offer HTTP/3 and use the TLS configuration and DNS details column to verify whether HTTP/3 has been enabled.
   • If the column has a value of either HTTP/3 & TLS v1.3 or HTTP/3 & TLS v1.3 + 0RTT, then the domain already supports HTTP/3. Continue to the next section to offer HTTP/3 support for traffic to that domain from your service.
   • If the column does not display an HTTP/3 value, follow the steps to enable TLS 1.3 for this domain before proceeding to the next section.

Offering HTTP/3 from your Fastly service

HTTP/3 is designed as an optional upgrade to end user client connections. This means that end user clients will initially connect to your Fastly service using an earlier version of HTTP and will only attempt to use HTTP/3 if the Fastly service offers it.

Use the HTTP/3 switch to configure your service to offer HTTP/3:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
3. Click Edit configuration and then select the option to clone the active version.
4. Click Settings.
5. Click the HTTP/3 switch to configure your service to offer HTTP/3.
6. Click Activate to deploy your configuration changes.

If you are configuring your service using VCL directly (either via regular VCL snippets or custom VCL methods), you can use the following VCL in the receive (vcl_recv) sub-routine to configure your service to offer HTTP/3:

h3.alt_svc();

Sending your HTTP/3 traffic to Fastly

Unless you use Fastly's dedicated IP addresses, then as a final step to enabling HTTP/3, you must ensure the DNS records of your domains are routing users to the correct HTTP/3 enabled Fastly addresses:

1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
2. Click Manage certificates.
3. Click View details for the domain you would like to route to Fastly. The domain's details page appears.

The CNAME records section contains the value for CNAME records. You can prefix the value with dualstack to enable IPv6 support (e.g., dualstack.<letter>.sni.global.fastly.net).

For apex domains (e.g., example.com), the A records section contains the global anycast IP addresses.

Testing client compatibility with your Fastly service

If you want test a browser or other client for HTTP/3 support, Fastly has created a publicly available HTTP/3 test page to verify client support. Using the client, navigate to https://http3.is and the resulting page will let you know whether or not HTTP/3 was successfully used to request the page. If the request did not use HTTP/3, the page will also let you know which IETF draft versions are currently being used by Fastly. You can use that information to update your client or client configurations to use one of those supported versions.

Keep in mind that even if correctly configured, the first request from a browser (or its first request after a time-out period set by the browser’s developers) to any HTTP/3 enabled web site will always use a lower version of HTTP because it has not yet seen the HTTP/3 offer. If you don't see the HTTP/3 success page on your first request, be sure to perform a reload in the browser to give it an opportunity to use HTTP/3 for subsequent requests.

Serving HTTP/3 traffic

Once you’ve configured your services appropriately, requests made to the domains on those services should be capable of supporting HTTP/3 if they are being made from a client that supports these protocols.

If the QUIC connections and HTTP/3 requests are successful, the clients will continue using them for all subsequent requests and connections for those domains. Should problems occur with the QUIC connections or HTTP/3 requests, clients are expected to automatically fall back to a standard HTTP/1.1 or HTTP/2 connection over TCP. You should verify that your chosen client implements this fallback if this is a priority for you.

Monitoring your HTTP/3 traffic

You can monitor HTTP/3 requests using Fastly’s Real-Time Log Streaming feature and Observability features. We have also added a number of VCL variables specifically related to HTTP/3 and QUIC.

Disabling HTTP/3

You can disable HTTP/3 support on a Fastly service by either activating a previous service version where HTTP/3 is not enabled or by creating a new service configuration version and disabling the HTTP/3 switch before activation.