Enable HTTP/3 protocol support on IIS in Windows Server 2022.

Windows Server 2022 introduces built-in support for the HTTP/3 protocol, which can noticeably improve page load times for IIS sites and tightens transport security. The main feature of HTTP/3 is that it runs over QUIC (Quick UDP Internet Connections), a transport protocol built on top of UDP that integrates the TLS 1.3 handshake into the connection setup, so every HTTP/3 connection is encrypted. Users with a slow or lossy internet connection benefit the most from HTTP/3. In this article, we will look at how to enable HTTP/3 support for a website on Internet Information Services (IIS 10.0.20348+) in Windows Server 2022.

To enable HTTP/3 support on IIS, you need to configure several settings in Windows Server:

  1. Enable TLS 1.3 protocol support in Windows Server (QUIC, and therefore HTTP/3, requires TLS 1.3);
  2. Enable the TLS 1.3 cipher suite TLS_CHACHA20_POLY1305_SHA256, which is disabled by default;
  3. Add an Alt-Svc response header to the IIS web site so that clients learn the site is also reachable over HTTP/3.

To enable TLS 1.3 protocol support in Windows Server, several registry values need to be set (in this example, we enable TLS 1.3 for both the client and the server side). Windows Server 2022 enables TLS 1.3 by default; the values below make that setting explicit and undo any hardening policy that may have turned it off.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v Enabled /t REG_DWORD /d 1 /f

After that, enable HTTP/3 support in HTTP.sys (the kernel-mode HTTP listener that IIS uses):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f
Then enable the TLS 1.3 cipher suite TLS_CHACHA20_POLY1305_SHA256, which Windows leaves disabled by default, using the following PowerShell command (-Position 0 puts it first in the server's preference order):

Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0
Verify that the cipher suite is now enabled:

(Get-TlsCipherSuite).Name | Select-String CHACHA


Now we need to add the Alt-Svc response header to the site. Alt-Svc (alternative service) tells a client that the same origin is also available over HTTP/3 (h3) on UDP port 443; without it, browsers keep using HTTP/1.1 or HTTP/2 over TCP. Create a simple site on IIS (you can use the Default Web Site for testing), bind a TLS certificate to the site (you can use a self-signed certificate, but the client must trust this certificate, otherwise browsers will not switch to QUIC) and bind the site to port 443 (in the Edit Bindings menu).

Please note that several additional options have appeared in the site binding menu in IIS (Disable QUIC, Disable TLS 1.3 over TCP, Disable Legacy TLS).

Then open the HTTP Response Headers section in your IIS site settings and add the following header:

  • Name: alt-svc
  • Value: h3=":443"; ma=86400; persist=1

Here h3=":443" advertises HTTP/3 on UDP port 443 of the same host, ma=86400 is the max-age in seconds for which the client may cache the alternative (one day), and persist=1 asks the client to keep the cached alternative across network changes.

This header can also be added using PowerShell:

Import-Module WebAdministration
$siteName = "Default Web Site"
$headerName = "alt-svc"
$headerValue = 'h3=":443"; ma=86400; persist=1'
# The PSPath must be quoted because the site name contains spaces.
# Add-WebConfigurationProperty fails if a header with the same name already exists.
Add-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\$siteName" -Name "." -Value @{name=$headerName; value=$headerValue}
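The article configures the certificate and the 443 binding through IIS Manager and adds the header with a one-off command. The script below is an added example, not code from the original article, that does the same three things from PowerShell so they can be re-run safely: it creates (or reuses) a certificate, creates the HTTPS binding if it is missing, and adds or corrects the alt-svc header without failing on a second run. The site name and hostname are assumed lab values; the self-signed certificate is for testing only and must be trusted by the client machine.

```powershell
# Added example: HTTPS binding plus Alt-Svc header from PowerShell (not the article's own code).
# Assumptions: site "Default Web Site", lab hostname web01.lab.local, self-signed certificate.
Import-Module WebAdministration

$siteName = "Default Web Site"
$hostName = "web01.lab.local"          # assumed hostname used as the certificate subject
$altSvc   = 'h3=":443"; ma=86400; persist=1'

# 1. Certificate: reuse an existing one for the hostname, otherwise create a self-signed one.
#    Browsers will not switch to QUIC unless they trust the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" } |
    Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation Cert:\LocalMachine\My
}

# 2. HTTPS binding on port 443 (TCP now; HTTP.sys also listens on UDP 443 once EnableHttp3 is set)
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress "*"
}
# Attach the certificate to the 0.0.0.0:443 SSL binding in HTTP.sys
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (-not (Test-Path $sslPath)) {
    New-Item $sslPath -Value $cert | Out-Null
}

# 3. Alt-Svc header: add only if absent, fix the value if it differs
$filter   = "system.webServer/httpProtocol/customHeaders"
$psPath   = "IIS:\Sites\$siteName"
$existing = Get-WebConfigurationProperty -Filter "$filter/add[@name='alt-svc']" -PSPath $psPath -Name value -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-WebConfigurationProperty -Filter $filter -PSPath $psPath -Name "." -Value @{name="alt-svc"; value=$altSvc}
} elseif ($existing.Value -ne $altSvc) {
    Set-WebConfigurationProperty -Filter "$filter/add[@name='alt-svc']" -PSPath $psPath -Name value -Value $altSvc
}
```

Run it in an elevated PowerShell session on the web server; the certificate and binding steps are skipped when they already exist, so the script can be kept as part of the site's provisioning.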
Check that inbound QUIC traffic (UDP port 443) is allowed in Microsoft Defender Firewall. The IIS role ships a dedicated rule for it:

Get-NetFirewallRule -DisplayName "World Wide Web Services (QUIC Traffic-In)" | Select-Object Name, Enabled, Status

If the rule is disabled, enable it using PowerShell:

Enable-NetFirewallRule -Name IIS-WebServerRole-QUIC-In-UDP

Restart Windows Server so that HTTP.sys picks up the new parameters. After the reboot, check that the IIS site is responding over HTTP/3.

Most modern browsers support HTTP/3 by default. Keep in mind that the browser's first request always goes over TCP (HTTP/1.1 or HTTP/2): it only learns about HTTP/3 from the Alt-Svc header in that first response and switches to QUIC for subsequent requests, so do not expect h3 on the very first page load.

  1. Open the web page of your IIS site in a browser (Edge if possible), open the developer tools (Inspect), then select the Network tab;
  2. Add a Protocol column and refresh the page (F5);
  3. Check that the Protocol column shows h3, which means that HTTP/3 was used to connect to the site. If it still shows h2 or http/1.1, confirm that the certificate is trusted by the client and that UDP port 443 is reachable from it.
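Before reaching for a browser, it is useful to audit every prerequisite from this article on the server itself and to confirm that the site actually advertises HTTP/3. The function below is an added example, not part of the original article: it checks the registry values, the cipher suites, the configured header, the firewall rule, the UDP/443 listener that HTTP.sys opens for QUIC, and finally fetches the page over TCP and inspects the Alt-Svc header of the live response. The site name and URL are assumed values; the certificate must be trusted by the machine running the check, since the request is made without disabling certificate validation.

```powershell
# Added example: audit the HTTP/3 prerequisites described in this article (not the article's own code).
# Assumptions: site "Default Web Site" reachable at https://localhost/ with a trusted certificate.
Import-Module WebAdministration

function Test-IisHttp3 {
    param(
        [string]$Url = "https://localhost/",
        [string]$SiteName = "Default Web Site"
    )
    $checks   = [ordered]@{}
    $schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server"
    $httpsys  = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"

    # TLS 1.3 server side: the key may be absent (Server 2022 enables TLS 1.3 by default),
    # so only an explicit Enabled=0 counts as a failure.
    $tls = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    $checks["TLS 1.3 server not disabled"] = -not ($tls -and $tls.Enabled -eq 0)

    # HTTP.sys switches from the article
    $p = Get-ItemProperty -Path $httpsys -ErrorAction SilentlyContinue
    $checks["HTTP.sys EnableHttp3=1"]  = ($p.EnableHttp3 -eq 1)
    $checks["HTTP.sys EnableAltSvc=1"] = ($p.EnableAltSvc -eq 1)

    # TLS 1.3 cipher suites available for the QUIC handshake
    $suites = (Get-TlsCipherSuite).Name
    $checks["TLS_AES_128_GCM_SHA256 enabled"]       = ($suites -contains "TLS_AES_128_GCM_SHA256")
    $checks["TLS_CHACHA20_POLY1305_SHA256 enabled"] = ($suites -contains "TLS_CHACHA20_POLY1305_SHA256")

    # Alt-Svc header configured on the site
    $hdr = Get-WebConfigurationProperty -Filter "system.webServer/httpProtocol/customHeaders/add[@name='alt-svc']" `
        -PSPath "IIS:\Sites\$SiteName" -Name value -ErrorAction SilentlyContinue
    $checks["alt-svc header configured"] = ("$($hdr.Value)" -like "h3=*")

    # Firewall rule and the UDP/443 listener HTTP.sys opens for QUIC
    $rule = Get-NetFirewallRule -Name "IIS-WebServerRole-QUIC-In-UDP" -ErrorAction SilentlyContinue
    $checks["QUIC firewall rule enabled"] = ($rule.Enabled -eq "True")
    $checks["UDP 443 listener present"]   = [bool](Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue)

    # Live check: the TCP response must carry the Alt-Svc advertisement for h3
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $checks["response advertises h3 via Alt-Svc"] = ("$($resp.Headers['alt-svc'])" -like "h3=*")
    } catch {
        $checks["response advertises h3 via Alt-Svc"] = $false
    }
    return $checks
}

Test-IisHttp3 | Format-Table -AutoSize
```

Every row should read True; a False on the UDP listener or the live response after the other checks pass usually means HTTP.sys has not been restarted since the registry change, so reboot the server (or restart the HTTP service) and run the function again.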

