diff --git a/.github/workflows/quic.yml b/.github/workflows/quic.yml
new file mode 100644
index 0000000..3749aa6
--- /dev/null
+++ b/.github/workflows/quic.yml
@@ -0,0 +1,56 @@
+name: QUIC
+
+on:
+ push:
+ branches: ['main']
+ paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+ pull_request:
+ paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+ schedule:
+ - cron: '2 7 18,28 * *'
+ workflow_dispatch:
+
+env:
+ TARGET_NAME: openquantumsafe
+
+jobs:
+ test-push:
+ name: Test and push QUIC images
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_LOGIN }}
+ password: ${{ secrets.DOCKER_PASSORD }}
+ - name: Create a shared volume
+ run: docker volume create shared-1
+ shell: bash
+ - name: Generate a quantum-safe certificate chain
+ run: |
+ docker run -v shared-1:/certs $TARGET_NAME/oqs-ossl3 /bin/sh -c "\
+ openssl req -x509 -new -newkey p256_falcon512 -keyout /certs/CA.key -out /certs/CA.crt -nodes -subj '/C=US/O=Open Quantum Safe/CN=OQS Demos' -days 1461 && \
+ openssl req -new -newkey mldsa87 -keyout /certs/server.key -out /certs/server.csr -nodes -subj /CN=host.docker.internal && \
+ openssl x509 -req -in /certs/server.csr -out /certs/server.crt -CA /certs/CA.crt -CAkey /certs/CA.key -CAcreateserial -days 365"
+ shell: bash
+ - name: Build NGINX with QUIC support and start the server
+ working-directory: ./nginx
+ run: |
+ docker build -t $TARGET_NAME/nginx-quic:latest -f Dockerfile-QUIC . && \
+ docker run -d -p 443:443/udp -v shared-1:/certs --name nginx-quic-daemon $TARGET_NAME/nginx-quic:latest && \
+ docker cp ./nginx-conf/nginx-quic.conf nginx-quic-daemon:/etc/nginx/nginx-quic.conf && \
+ docker exec nginx-quic-daemon bash -c "cd /etc/nginx && rm nginx.conf && mv nginx-quic.conf nginx.conf && nginx -s reload"
+ shell: bash
+ - name: Build cURL with QUIC support and test it with the server that's started earlier
+ working-directory: ./curl
+ run: |
+ docker build -t $TARGET_NAME/curl-quic:latest -f Dockerfile-QUIC . && \
+ docker run -v shared-1:/certs --add-host=host.docker.internal:host-gateway $TARGET_NAME/curl-quic:latest \
+ curl --cacert /certs/CA.crt --http3-only https://host.docker.internal --curves hqc192 -vvvv
+ shell: bash
+ - name: Push Docker images to Docker Hub
+ run: |
+ docker push $TARGET_NAME/curl-quic:latest
+ docker push $TARGET_NAME/nginx-quic:latest
+ shell: bash
\ No newline at end of file
diff --git a/nginx/nginx-conf/nginx-quic.conf b/nginx/nginx-conf/nginx-quic.conf
new file mode 100644
index 0000000..03879ed
--- /dev/null
+++ b/nginx/nginx-conf/nginx-quic.conf
@@ -0,0 +1,49 @@
+
+#user nobody;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+
+ server {
+ listen 443 ssl;
+ listen 443 quic reuseport;
+ listen [::]:443 ssl;
+ listen [::]:443 quic reuseport;
+
+ http2 on;
+ http3 on;
+ ssl_early_data on;
+ quic_retry on;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ server_name host.docker.internal;
+ ssl_certificate /certs/server.crt;
+ ssl_certificate_key /certs/server.key;
+
+ ssl_ecdh_curve 'mlkem1024:bikel3:hqc192:x25519_frodo640shake';
+
+ location / {
+ add_header Content-Type text/plain;
+ return 200 'OK';
+ }
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ }
+}
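Review bot: The "Login to Docker Hub" and "Push Docker images to Docker Hub" steps carry no `if:` condition while the workflow also fires on `pull_request`, so a same-repository PR build overwrites the public `:latest` tags of `curl-quic` and `nginx-quic` before the change is reviewed (fork PRs would instead fail at the login step, since secrets are withheld there). Gate both steps with `if: github.event_name != 'pull_request'`, or tighten the push to `if: github.ref == 'refs/heads/main' || github.event_name == 'schedule'`, so PR runs only build and test. The password input reads `secrets.DOCKER_PASSORD`; unless the repository secret really carries that misspelled name, it expands to an empty string and the login fails on every run — `password: ${{ secrets.DOCKER_PASSWORD }}` is presumably what was meant. Since the job only needs to read the checkout, a top-level `permissions: { contents: read }` and pinning `actions/checkout` and `docker/login-action` to full commit SHAs would close off the remaining supply-chain exposure of a workflow that holds registry credentials.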
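Review bot: The `add_header Content-Type text/plain;` inside `location /` suppresses every server-level `add_header` for responses served from that location, because nginx inherits `add_header` directives only when the current level defines none — so the `Alt-Svc` advertisement and the HSTS, `X-Frame-Options` and `X-Content-Type-Options` headers are never sent for the only route the server has. Replace it with `default_type text/plain;`, which sets the type for `return 200 'OK'` without shadowing the inherited headers. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore and whose filter was itself a source of issues in older ones; drop it or set it to `"0"`. `ssl_early_data on;` accepts replayable 0-RTT requests, which is harmless for a static `return 200` but worth a comment such as `# 0-RTT is replayable: keep only while every handler is idempotent` so the setting is not copied into a config with state-changing routes. The `ssl_ecdh_curve` list contains no classical group, so any client without the OQS provider cannot negotiate a key exchange; that is presumably intentional for this demo but deserves a one-line comment.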