docs: add guide for running OpenCloud behind an external Nginx proxy with Certbot

zerox80 · zerox80 · commit 795237ae8c5b · 2026-04-10T10:26:16.000+02:00
diff --git a/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md b/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md
@@ -430,3 +430,258 @@ sudo certbot renew --dry-run
 ```
 
 Your OpenCloud instance is now running securely behind a fully configured external Nginx reverse proxy with HTTPS.
+
+## Optional: HTTP/3 (QUIC) Support
+
+:::warning Advanced Setup
+HTTP/3 over QUIC requires an nginx build with QUIC support. The stock nginx package on most distributions does **not** include QUIC. At the time of writing, Ubuntu 26.04+ ships an nginx version with QUIC enabled out of the box. On older distributions you need to build nginx from source with `--with-http_v3_module` or use the [official nginx QUIC packages](https://nginx.org/en/docs/quic.html).
+
+Verify that your nginx supports QUIC before proceeding:
+
+```bash
+nginx -V 2>&1 | grep -o -- '--with-http_v3_module'
+```
+
+If this returns nothing, your nginx does not support QUIC.
+:::
+
+HTTP/3 uses QUIC (UDP) alongside the traditional TCP connections for HTTP/1.1 and HTTP/2. This can improve performance for high-latency connections and reduce head-of-line blocking.
+
+The following configuration replaces the HTTP/2 configuration above. It uses `upstream` blocks with keepalive connections and a `map` directive for cleaner WebSocket handling.
+
+### Full configuration with HTTP/3
+
+```nginx
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+upstream opencloud_backend   { server 127.0.0.1:9200; keepalive 32; }
+upstream wopi_backend        { server 127.0.0.1:9300; keepalive 16; }
+upstream collabora_backend   { server 127.0.0.1:9980; keepalive 16; }
+# Add these if using Euro Office:
+# upstream euroffice_backend   { server 127.0.0.1:9900; keepalive 16; }
+# upstream wopi_eo_backend     { server 127.0.0.1:9302; keepalive 16; }
+
+# ── HTTP → HTTPS redirect ──────────────────────────────────
+server {
+    listen 80;
+    server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN;
+    # Add Euro Office domains if needed:
+    # server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN euro-office.YOUR.DOMAIN wopiserver-eo.YOUR.DOMAIN;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# ── OpenCloud ───────────────────────────────────────────────
+server {
+    # QUIC (UDP) — reuseport must only appear on the FIRST server block
+    listen 443 quic reuseport;
+    # HTTP/1.1 and HTTP/2 (TCP)
+    listen 443 ssl;
+    http2 on;
+    server_name cloud.YOUR.DOMAIN;
+
+    # Advertise HTTP/3 availability to clients
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    client_max_body_size 0;
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        proxy_pass http://opencloud_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_read_timeout 3600;
+        proxy_buffering off;
+    }
+}
+
+# ── Collabora ──────────────────────────────────────────────
+server {
+    listen 443 quic;
+    listen 443 ssl;
+    http2 on;
+    server_name collabora.YOUR.DOMAIN;
+
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        proxy_pass http://collabora_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_read_timeout 3600;
+        proxy_send_timeout 3600;
+        proxy_buffering off;
+    }
+}
+
+# ── Collabora WOPI Server ──────────────────────────────────
+server {
+    listen 443 quic;
+    listen 443 ssl;
+    http2 on;
+    server_name wopiserver.YOUR.DOMAIN;
+
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        proxy_pass http://wopi_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_read_timeout 3600;
+        proxy_buffering off;
+    }
+}
+```
+
+### Euro Office blocks with HTTP/3
+
+If using Euro Office, add the following `upstream` definitions to the top of your config and append these server blocks:
+
+```nginx
+upstream euroffice_backend   { server 127.0.0.1:9900; keepalive 16; }
+upstream wopi_eo_backend     { server 127.0.0.1:9302; keepalive 16; }
+
+# ── Euro Office Document Server ────────────────────────────
+server {
+    listen 443 quic;
+    listen 443 ssl;
+    http2 on;
+    server_name euro-office.YOUR.DOMAIN;
+
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    client_max_body_size 100M;
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        proxy_pass http://euroffice_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_read_timeout 3600;
+        proxy_send_timeout 3600;
+        proxy_buffering off;
+    }
+}
+
+# ── Euro Office WOPI Server ────────────────────────────────
+server {
+    listen 443 quic;
+    listen 443 ssl;
+    http2 on;
+    server_name wopiserver-eo.YOUR.DOMAIN;
+
+    add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+    keepalive_requests 100000;
+    keepalive_timeout 5m;
+    http2_max_concurrent_streams 512;
+
+    root /var/www/certbot;
+    location ^~ /.well-known/acme-challenge/ { try_files $uri =404; }
+
+    location / {
+        proxy_pass http://wopi_eo_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_read_timeout 3600;
+        proxy_buffering off;
+    }
+}
+```
+
+### Key differences from the HTTP/2 configuration
+
+| Detail | HTTP/2 config | HTTP/3 config |
+|---|---|---|
+| Listen directives | `listen 443 ssl http2;` | `listen 443 quic;` + `listen 443 ssl;` + `http2 on;` |
+| `reuseport` | Not needed | Required on the **first** `listen 443 quic` directive only |
+| `Alt-Svc` header | Not needed | Required to advertise HTTP/3 to browsers |
+| Upstream blocks | Inline `proxy_pass` to `127.0.0.1` | Named `upstream` blocks with `keepalive` |
+| WebSocket upgrade | Per-location `Connection` / `Upgrade` | Global `map` directive |
+| Firewall | TCP 443 only | TCP 443 **and** UDP 443 |
+
+:::warning Firewall
+HTTP/3 uses UDP port 443. Make sure your firewall allows **both** TCP and UDP traffic on port 443:
+
+```bash
+sudo ufw allow 443/tcp
+sudo ufw allow 443/udp
+```
+:::
