2023/6/8 1:41:25, Author: 黄兵

Enable HTTP/3 Support for IIS on Windows Server 2022

Please note that modifying registry options can have serious implications for your system, so it is important to proceed with caution and have a backup of your system before making any changes. Additionally, the steps may vary slightly depending on the specific version of Windows Server and IIS you are using.

Here are the general steps to enable HTTP/3 support in IIS on Windows Server 2022:

  1. Enable TLS 1.3:

    • Open the Registry Editor by pressing Windows Key + R, then typing "regedit" and pressing Enter.
    • Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
    • Create a new key named "TLS 1.3" under the "Protocols" key.
    • Inside the "TLS 1.3" key, create two subkeys: "Client" and "Server".
    • Under both the "Client" and "Server" subkeys, create a new DWORD value named "Enabled" and set its value to 1.
    • Close the Registry Editor.
  2. Add the TLS_CHACHA20_POLY1305_SHA256 cipher suite:

    • Open the Registry Editor.
    • Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.
    • Create a new key named "TLS_CHACHA20_POLY1305_SHA256" under the "Ciphers" key.
    • Inside the "TLS_CHACHA20_POLY1305_SHA256" key, create a new DWORD value named "Enabled" and set its value to 1.
    • Close the Registry Editor.
  3. Advertise HTTP/3 with an Alt-Svc response header:

    • Open Internet Information Services (IIS) Manager.
    • Select your website and open the "HTTP Response Headers" feature.
    • Add a new custom header with the name "Alt-Svc" and the value h3-23=":443"; ma=86400 (the quotes around :443 are part of the value).

Once you have completed these steps, restart your IIS server for the changes to take effect. Your IIS website should now have HTTP/3 support enabled.
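As an added example (not code from the original post), the registry part of the procedure above (steps 1 and 2) done from an elevated PowerShell session instead of regedit. It creates the keys before writing values, because New-ItemProperty fails on a key that does not exist yet, sets the Client and Server sides as the steps describe, and reads everything back so the change can be reviewed before the restart. The DisabledByDefault = 0 value is taken from the post's own later PowerShell snippet; the registry paths are the ones the steps name.

```powershell
# Added example (not from the original post): steps 1 and 2 above, applied with PowerShell.
# Run from an elevated PowerShell session and export the SCHANNEL key first as a backup.
$protocols = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$ciphers   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"

# Step 1: Protocols\TLS 1.3\Client and Protocols\TLS 1.3\Server, each with Enabled = 1.
# DisabledByDefault = 0 (as in the post's later snippet) makes the protocol offered by default.
foreach ($side in "Client", "Server") {
    $key = Join-Path $protocols "TLS 1.3\$side"
    New-Item -Path $key -Force | Out-Null      # creates missing parents; no-op if the key exists
    New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force | Out-Null
}

# Step 2: the cipher suite key named in the post, with Enabled = 1.
$suite = Join-Path $ciphers "TLS_CHACHA20_POLY1305_SHA256"
New-Item -Path $suite -Force | Out-Null
New-ItemProperty -Path $suite -Name "Enabled" -Value 1 -PropertyType DWORD -Force | Out-Null

# Read back what was written so the result can be checked before restarting.
foreach ($side in "Client", "Server") {
    Get-ItemProperty -Path (Join-Path $protocols "TLS 1.3\$side") |
        Select-Object @{ n = "Key"; e = { "Protocols\TLS 1.3\$side" } }, Enabled, DisabledByDefault
}
Get-ItemProperty -Path $suite |
    Select-Object @{ n = "Key"; e = { "Ciphers\TLS_CHACHA20_POLY1305_SHA256" } }, Enabled
```

Back the SCHANNEL key up with reg export before running this; the read-back at the end only reflects the registry, and the new settings take effect after the restart the post asks for.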

To enable a specific TLS cipher configuration through the registry, you can use the following PowerShell commands:

$sslProvider = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client"
$sslCipher = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
# New-ItemProperty fails when the target key does not exist yet, so create the keys first (-Force is a no-op if they already exist)
New-Item -Path $sslProvider -Force | Out-Null
New-Item -Path $sslCipher -Force | Out-Null
New-ItemProperty -Path $sslProvider -Name "DisabledByDefault" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path $sslProvider -Name "Enabled" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path $sslCipher -Name "Enabled" -Value 0xffffffff -PropertyType DWORD -Force

This PowerShell command enables the special TLS cipher for TLS 1.3 client connections. It sets the "DisabledByDefault" value to 0 and the "Enabled" value to 1 under the TLS 1.3 client registry key. It also sets the "Enabled" value to 0xffffffff under the SSL cipher registry key.

Please note that running PowerShell commands requires administrative privileges. Make sure to open PowerShell with administrative rights before executing the above command.

Here are the steps to add HTTP/3 to the response header of your website and configure the additional options in IIS:

  1. Create a simple website in IIS:

    • Open Internet Information Services (IIS) Manager.
    • Right-click on "Sites" and select "Add Website".
    • Enter a "Site name" for your website.
    • Set the "Physical path" to the folder where your website files are located.
    • Configure other settings as per your requirements, such as the "Binding" and "Application pool".
    • Click "OK" to create the website.
  2. Bind an SSL certificate to the website:

    • Select your website in IIS Manager.
    • Open the "Bindings" feature.
    • Click "Add" to add a new binding.
    • Select the type as "https".
    • Choose the appropriate SSL certificate from the list or click "Add" to import a new certificate.
    • Set the "SSL port" to 443.
    • Click "OK" to bind the SSL certificate.
  3. Enable HTTP/3 in the response header:

    • Select your website in IIS Manager.
    • Open the "HTTP Response Headers" feature.
    • Click "Add" to add a new custom header.
    • Enter "Alt-Svc" as the header name and h3-23=":443"; ma=86400 as the header value (the quotes around :443 are part of the value).
    • Click "OK" to add the custom header.
  4. Configure additional options:

    • Select your website in IIS Manager.
    • Open the "Bindings" feature.
    • Select the binding with the type "https" and port 443.
    • Click "Edit" to modify the binding.
    • In the "Edit Site Binding" window, you will find options to disable QUIC, disable TLS 1.3 over TCP, and disable legacy TLS. Adjust these options according to your requirements.
    • Click "OK" to save the changes.

Remember to save the configuration and restart the IIS server for the changes to take effect.
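As an added example (not code from the original post), steps 1, 2 and 4 of the procedure above scripted with the WebAdministration module. The site name, physical path, host name and certificate thumbprint are placeholders to replace; the certificate is assumed to be installed already in the local machine's Personal store. The three checkboxes of step 4 (disable QUIC, disable TLS 1.3 over TCP, disable legacy TLS) are stored in the binding's sslFlags attribute; because the post does not give their numeric values, the script only reads the attribute back rather than hard-coding bits.

```powershell
# Added example (not from the original post): create the site, bind the certificate, inspect the binding.
# All names below are placeholders.
Import-Module WebAdministration

$siteName   = "MyHttp3Site"                    # placeholder
$sitePath   = "C:\inetpub\MyHttp3Site"         # placeholder
$hostName   = "www.example.com"                # placeholder
$thumbprint = "REPLACE_WITH_CERT_THUMBPRINT"   # placeholder

# Step 1: create the site, then add an https binding on 443. sslFlags 1 = Require SNI,
# so several sites can share port 443 with their own certificates.
if (-not (Test-Path $sitePath)) { New-Item -ItemType Directory -Path $sitePath | Out-Null }
New-Website -Name $siteName -PhysicalPath $sitePath -Port 80 -HostHeader $hostName | Out-Null
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1

# Step 2: attach the certificate. SslBindings entries are "ip!port!host"; an empty ip means all addresses.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert) { throw "Certificate $thumbprint not found in Cert:\LocalMachine\My" }
New-Item -Path "IIS:\SslBindings\!443!$hostName" -Value $cert -SslFlags 1 | Out-Null

# Step 4: the Edit Site Binding checkboxes live in sslFlags. Read the binding back and confirm the
# certificate hash matches; compare sslFlags with what the dialog shows after you adjust the options.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags, certificateHash, certificateStoreName
```

If you change the step 4 options in IIS Manager afterwards, run the last command again: the sslFlags value you see is the one to record in your configuration baseline.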

Then open the HTTP Response Headers section in the IIS website settings and add the following entry to the list of HTTP response headers:

Name: alt-svc
Value: h3=":443"; ma=86400; persist=1

You can add this HTTP Header option using PowerShell:

Import-Module WebAdministration
$siteName = "YourSiteName" # Replace with your actual site name in IIS
# Get the site object in IIS
$site = Get-Website -Name $siteName
# Add the alt-svc HTTP header option.
# Single quotes keep the embedded double quotes literal; backslash is not an escape character in PowerShell.
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" -Filter "system.webServer/httpProtocol/customHeaders" -Name "." -Value @{
    name  = "alt-svc"
    value = 'h3=":443"; ma=86400; persist=1'
}

Replace "YourSiteName" with the actual name of your website in IIS. This PowerShell script retrieves the site object based on the provided site name and then adds the "alt-svc" custom header option to the site's configuration.

To allow QUIC traffic through the Microsoft Defender Firewall, you can use the following PowerShell command:

New-NetFirewallRule -DisplayName "Allow QUIC Traffic" -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow

This PowerShell command creates a new inbound firewall rule named "Allow QUIC Traffic" that allows UDP traffic on port 443.

Please note that running PowerShell commands may require administrative privileges. Make sure to open PowerShell with administrative rights before executing the above command.
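As an added example (not code from the original post), a read-only check that verifies the pieces configured on this page: the TLS 1.3 server registry setting, the alt-svc custom header on the site, the inbound UDP 443 firewall rule, a UDP 443 listener, and the Alt-Svc header in a live response. The site name and host name are placeholders; the script assumes the host resolves to this server and changes nothing.

```powershell
# Added example (not from the original post): verify the HTTP/3 configuration from this page.
# $siteName and $hostName are placeholders. Nothing here modifies configuration.
Import-Module WebAdministration
$siteName = "MyHttp3Site"       # placeholder
$hostName = "www.example.com"   # placeholder
$findings = @()

# 1. TLS 1.3 enabled on the server side in SCHANNEL (the registry step at the top of the page).
$tls13 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server"
$p = Get-ItemProperty -Path $tls13 -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = "TLS 1.3 Server Enabled=1"; Ok = [bool]($p -and $p.Enabled -eq 1) }

# 2. alt-svc custom header configured on the site (header names are case-insensitive).
$headers = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter "system.webServer/httpProtocol/customHeaders/add" -Name "."
$altSvc = $headers | Where-Object { $_.name -ieq "alt-svc" }
$findings += [pscustomobject]@{ Check = "alt-svc header configured"; Ok = [bool]$altSvc }

# 3. An enabled inbound allow rule for UDP 443 in Windows Defender Firewall.
$rule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq "UDP" -and $pf.LocalPort -contains "443"
    }
$findings += [pscustomobject]@{ Check = "Firewall allows inbound UDP 443"; Ok = [bool]$rule }

# 4. A UDP 443 listener exists (HTTP.sys opens it when QUIC is enabled on the binding).
$udp = Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = "UDP 443 listener present"; Ok = [bool]$udp }

# 5. A live HTTPS response (over TCP) carries Alt-Svc, which is what tells clients to switch to HTTP/3.
try {
    $resp = Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing -ErrorAction Stop
    $hasAltSvc = [bool]($resp.Headers.Keys | Where-Object { $_ -ieq "alt-svc" })
} catch {
    $hasAltSvc = $false
}
$findings += [pscustomobject]@{ Check = "Alt-Svc in live response"; Ok = $hasAltSvc }

$findings | Format-Table -AutoSize
```

Invoke-WebRequest itself does not speak HTTP/3, so the last check only confirms the advertisement; confirm the actual QUIC upgrade from a browser's developer tools (protocol column) once the other four checks pass.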
