Tutorial

HTTP/2 vs HTTP/3 and QUIC: What Changes for Your Server in 2026

Back to Blog
A modern alternative to cPanel, Plesk and CyberPanel — isolated, secure, AI-assisted.
Start free

In 2026, most public-facing web servers run HTTP/2. HTTP/3 is past the "experimental" label — it's shipping in nginx stable, Caddy defaults to it, and Cloudflare has had it for years. If you're still running HTTP/1.1 everywhere, you're leaving performance on the table. If you upgraded to HTTP/2 and stopped there, you're one config block away from meaningful gains on mobile and high-latency connections.

This guide explains exactly what changed between HTTP/1.1, HTTP/2, and HTTP/3, what it means at the protocol level, how to enable both on nginx, and when it actually matters for your workload.

Want the conceptual explainer first — what multiplexing and QUIC actually are — before the firewall rules and nginx directives? See HTTP/2 and HTTP/3 Explained. This guide picks up from there and focuses on what changes operationally on your own server.

1. HTTP/1.1 — The Foundation Everyone Still Falls Back To

HTTP/1.1 shipped in 1997. It dominated for nearly two decades because it was simple, debuggable with plain text, and worked everywhere. But it had a fundamental problem: head-of-line (HOL) blocking at the connection level.

Each TCP connection handles one request at a time. If you have 30 assets to load (CSS, JS, images, fonts), you either wait for each one sequentially or open multiple parallel connections. Browsers settled on 6 parallel connections per domain — which is why HTTP/1.1-era optimization guides told you to:

  • Domain shard — split assets across static1.example.com, static2.example.com to bypass the 6-connection limit
  • Sprite sheets — merge 50 icons into one image file, show slices via CSS
  • Concatenation/bundling — combine 10 JS files into one to reduce request count
  • Inline small assets — base64 encode tiny images directly into CSS

These are all workarounds for a protocol limitation. Keep-alive connections helped (persistent TCP connections across requests), but the serialization problem remained per connection.

HTTP/1.1 is still relevant: it's the universal fallback, every HTTP library supports it, and for internal API servers behind a load balancer on a reliable LAN, it's often fine.

2. HTTP/2 — The Current Standard

HTTP/2 (2015, RFC 7540) rewrote the wire format while keeping the semantics identical. Your URLs, headers, methods, and status codes didn't change. What changed was how the bytes travel.

Binary Framing

HTTP/1.1 is plain text. HTTP/2 is binary. Every exchange is broken into frames — the smallest unit of communication. Frame types include DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, and CONTINUATION. This makes parsing faster and less ambiguous, but it means you can't read a raw TCP stream with your eyes anymore — you need a proper inspector like Wireshark or browser DevTools.

Multiplexing

This is the main reason HTTP/2 exists. Multiple requests travel over a single TCP connection simultaneously. Each request/response pair is assigned a stream ID, and frames from different streams interleave on the wire. The browser and server sort them out by stream ID.

Practical effect: loading 30 assets no longer requires 6 parallel connections and all the overhead that comes with them. One connection handles everything. Domain sharding is not just unnecessary — it's actively harmful under HTTP/2, because it forces separate connections and loses multiplexing.

Header Compression (HPACK)

HTTP/1.1 sends headers as plain text on every request. On a page with 30 assets, you're sending the same Cookie, Accept-Encoding, User-Agent, and Authorization headers 30 times. HPACK compression maintains a dynamic table of headers seen during the connection. Repeated headers are replaced with a one-byte index reference. For cookie-heavy applications, this can reduce header overhead by 80-90%.

Server Push

HTTP/2 introduced Server Push: the server can send resources the client hasn't asked for yet. The idea was: the server knows the HTML will reference app.css and app.js — why wait for the browser to parse the HTML and discover them? Push them preemptively.

In practice, Server Push mostly failed. Browsers couldn't coordinate cache state with push decisions — servers pushed resources already in the browser cache, wasting bandwidth. Chrome removed Server Push support in 2022. Don't build anything that depends on Server Push. Use <link rel="preload"> hints instead.

The Remaining Problem: TCP Head-of-Line Blocking

HTTP/2 multiplexing solved application-level HOL blocking. But there's still TCP-level HOL blocking.

TCP guarantees ordered delivery. If a packet is lost, TCP holds up all subsequent data in that stream until the lost packet is retransmitted — even if that data belongs to a completely independent HTTP/2 stream. On a network with 1% packet loss, HTTP/2 can actually perform worse than multiple HTTP/1.1 connections, because all streams are blocked together on one connection instead of being independently affected.

This is the problem HTTP/3 was built to solve.

3. HTTP/3 — The New Era

HTTP/3 (2022, RFC 9114) doesn't run on TCP at all. It runs on QUIC (RFC 9000), a transport protocol built on UDP. This isn't a detail — it's the entire point.

Why UDP?

UDP has no ordering guarantees, no built-in reliability, and no flow control. That sounds like a step backward. But it means QUIC can implement its own reliability and ordering — one that's stream-aware rather than connection-wide. A lost packet affects only the stream it belongs to. Every other stream continues uninterrupted.

QUIC reimplements everything TCP does (acknowledgments, retransmission, congestion control, flow control) but does it per-stream rather than per-connection. The result is HTTP-native transport.

Built-In TLS 1.3

QUIC has TLS 1.3 baked in — it's not optional and not layered on top. You cannot run unencrypted QUIC. The encryption handshake and transport handshake happen simultaneously, reducing the connection setup to 1 RTT for new connections. For returning visitors, 0-RTT resumption allows sending application data with the very first packet.

Comparison:

  • HTTP/1.1 over TLS: TCP 3-way handshake (1.5 RTT) + TLS 1.2 handshake (2 RTT) = ~3.5 RTT before first byte
  • HTTP/2 over TLS: Same as above, ~3.5 RTT (or ~2 RTT with TLS 1.3)
  • HTTP/3 over QUIC: Combined handshake = 1 RTT new, 0 RTT repeat

Connection Migration

TCP connections are identified by a 4-tuple: source IP, source port, destination IP, destination port. When you switch from WiFi to cellular on your phone, your source IP changes — the TCP connection dies, and you have to reconnect.

QUIC connections are identified by a Connection ID, a random value negotiated during the handshake. When your IP changes, QUIC migrates the connection using the same Connection ID. The download you started on WiFi continues seamlessly on cellular. For mobile users, this is a meaningful reliability improvement.

Independent Streams

Each HTTP/3 stream is independent at the transport layer. Packet loss on stream 3 doesn't affect streams 1, 2, 4, or 5. This is the fix for TCP HOL blocking that HTTP/2 couldn't achieve.

4. TCP vs QUIC — The Core Difference


HTTP/2 over TCP:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  [Stream 1: index.html ]
  [Stream 2: app.css    ]  → Single TCP connection
  [Stream 3: app.js     ]
  [Stream 4: logo.png   ]

  A lost packet anywhere → TCP holds ALL streams
  until retransmission completes.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━


HTTP/3 over QUIC:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  [Stream 1: index.html ] → QUIC stream (UDP)
  [Stream 2: app.css    ] → QUIC stream (UDP)
  [Stream 3: app.js     ] → QUIC stream (UDP)  ← packet lost here
  [Stream 4: logo.png   ] → QUIC stream (UDP)

  Packet loss on Stream 3 → ONLY Stream 3 retransmits
  Streams 1, 2, 4 continue at full speed.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The practical difference is most visible on lossy networks: mobile connections, satellite links, congested WiFi. On a reliable gigabit LAN between containers, the difference is negligible. On a phone with 2% packet loss and 80ms RTT, HTTP/3 is measurably faster.

5. Performance Comparison

Metric HTTP/1.1 HTTP/2 HTTP/3
Transport TCP TCP UDP (QUIC)
Connections 6 parallel 1 multiplexed 1 multiplexed
HOL Blocking Per-connection TCP-level None
Initial Handshake 1-2 RTT 1-2 RTT + TLS 1 RTT
Repeat Visit 1-2 RTT 1-2 RTT 0-RTT (instant)
Header Compression None HPACK QPACK
TLS Optional Practically required Built-in (TLS 1.3)
Connection Migration No No Yes
Firewall Requirements TCP 443 TCP 443 TCP 443 + UDP 443

Real-World Impact by Network Type

Network Condition HTTP/2 vs HTTP/1.1 HTTP/3 vs HTTP/2
Reliable LAN (0% loss, 1ms) Moderate improvement Minimal difference
Good broadband (0% loss, 20ms) Significant improvement Noticeable improvement
4G mobile (0.5% loss, 50ms) Large improvement Large improvement
Lossy connection (2% loss, 80ms) Can be worse than HTTP/1.1 HTTP/3 wins significantly
Satellite (1% loss, 600ms) Limited improvement HTTP/3 + 0-RTT helps most
Repeat visitor No 0-RTT benefit 0-RTT: near-instant resume

6. Enabling HTTP/2 on Nginx

HTTP/2 is available in nginx 1.9.5+ and enabled by adding http2 to the listen directive. In nginx 1.25.1+, the syntax changed slightly.

Nginx 1.24 and earlier (old syntax)

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HTTP/2-specific tuning
    http2_max_field_size    16k;
    http2_max_header_size   32k;
    http2_max_requests      1000;
    http2_idle_timeout      3m;
}

Nginx 1.25.1+ (new syntax)

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
}

Verify HTTP/2 is Active

# Check the negotiated protocol
curl -I --http2 -s https://example.com | grep -i 'HTTP/'

# Output should show: HTTP/2 200

# Check ALPN negotiation
openssl s_client -connect example.com:443 -alpn h2 2>&1 | grep 'ALPN protocol'
# Expected: ALPN protocol: h2

# Browser verification:
# Chrome/Firefox DevTools → Network tab → Protocol column
# Look for "h2" in the protocol column for your requests

7. Enabling HTTP/3 on Nginx

HTTP/3 requires nginx 1.25.0+ compiled with QUIC support. Many distributions now ship this in their nginx-extras or nginx-full packages. Check with nginx -V 2>&1 | grep http_v3.

Full HTTP/3 Configuration

server {
    # HTTP/2 over TLS (TCP)
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    # HTTP/3 over QUIC (UDP)
    listen 443 quic reuseport;
    listen [::]:443 quic reuseport;
    http3 on;

    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Advertise HTTP/3 availability to browsers
    # ma=86400 means: remember this for 86400 seconds (24 hours)
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # 0-RTT support (early data)
    ssl_early_data on;

    # QUIC-specific: anti-amplification protection
    quic_retry on;

    # Recommended: QUIC max stream size
    http3_max_concurrent_pushes 0;
}
Critical: The Alt-Svc header is how browsers discover HTTP/3 support. Without it, no browser will attempt HTTP/3 — they don't probe UDP 443 blindly. The browser sees this header on an HTTP/2 response and uses HTTP/3 on the next connection. First-time visitors always use HTTP/2; HTTP/3 kicks in on the second visit and stays for 24 hours (ma=86400).

Check Nginx QUIC Compilation

# Verify QUIC module is compiled in
nginx -V 2>&1 | grep -o 'http_v3_module'

# If missing, you need to install nginx with QUIC support:
# Ubuntu/Debian (nginx mainline PPA):
add-apt-repository ppa:ondrej/nginx-mainline
apt update && apt install nginx

# Or the official nginx package:
curl -s https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
  http://nginx.org/packages/mainline/ubuntu $(lsb_release -cs) nginx" \
  | tee /etc/apt/sources.list.d/nginx.list
apt update && apt install nginx

Verify HTTP/3 is Active

# curl 8.0+ with HTTP/3 support required
curl --http3 -I https://example.com

# Check curl HTTP/3 support first:
curl --version | grep HTTP3
# If missing: apt install curl or build with --with-nghttp3

# Online checker (no local tools needed):
# https://http3check.net/?host=example.com

8. Enabling HTTP/3 on Other Web Servers

Caddy — HTTP/3 by Default

Caddy has supported HTTP/3 by default since v2.5. No configuration needed:

example.com {
    root * /var/www/html
    file_server
    # HTTP/3 is already on. Nothing to add.
}

Caddy handles the Alt-Svc header automatically. To verify: curl -sI https://example.com | grep alt-svc

Apache — HTTP/2 Only (No Native HTTP/3)

Apache has no native HTTP/3 implementation as of 2026. mod_http2 handles HTTP/2. For HTTP/3, the recommended approach is to put nginx in front as a reverse proxy:

# nginx handles HTTP/2 + HTTP/3, proxies to Apache backend
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    add_header Alt-Svc 'h3=":443"; ma=86400';

    location / {
        proxy_pass http://127.0.0.1:8080;  # Apache on port 8080
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

LiteSpeed / OpenLiteSpeed

LiteSpeed Enterprise has had QUIC support since v5.3 (2019). OpenLiteSpeed added HTTP/3 in v1.7.14. Both configure it through their native admin panels — no manual vhost editing needed. This is one area where LiteSpeed genuinely leads nginx in ease of setup.

Cloudflare (Zero Config)

If your domain goes through Cloudflare, HTTP/3 is available for free on all plans. Enable it at: Speed → Optimization → Protocol Optimization → HTTP/3 (with QUIC). Cloudflare handles UDP, your origin server doesn't need to change. This is the easiest HTTP/3 path for most sites.

9. Firewall and Infrastructure Considerations

This is the most common gotcha with HTTP/3 deployments: UDP 443 must be explicitly open in your firewall.

Most firewall configurations only open TCP 80 and TCP 443. QUIC uses UDP 443 — a completely different port/protocol combination that's blocked by default almost everywhere.

# iptables
iptables -A INPUT -p udp --dport 443 -j ACCEPT

# nftables (add to your inet filter input chain)
udp dport 443 accept

# UFW
ufw allow 443/udp

# AWS Security Groups
# Add inbound rule: UDP, port 443, source 0.0.0.0/0

# Verify the port is reachable from outside
# (from another machine):
nc -vzu YOUR_SERVER_IP 443

Load Balancers and QUIC

Not all load balancers support QUIC — the connection migration and UDP nature require explicit support:

Load Balancer HTTP/3 / QUIC Support
AWS Application Load Balancer (ALB) No (TCP/HTTP only)
AWS Network Load Balancer (NLB) Yes (UDP passthrough)
Google Cloud Load Balancing Yes (native support)
Cloudflare Load Balancing Yes (full support)
HAProxy Yes (2.6+ with quic-cc)
nginx (as LB) Yes (1.25+)

If your load balancer doesn't support QUIC, you can still run HTTP/3 directly on origin servers and let the LB terminate at HTTP/2 — clients connecting directly to the origin (bypassing the LB) get HTTP/3; everyone else gets HTTP/2.

Corporate and Restricted Networks

Some enterprise networks, corporate firewalls, and restrictive ISPs block UDP 443 entirely. QUIC includes a fallback mechanism: when UDP is blocked, browsers automatically fall back to HTTP/2 over TCP. This fallback is transparent to users — they don't see errors, they just get HTTP/2. HTTP/3 is an enhancement, never a dependency.

10. Testing and Verification

Browser DevTools

  1. Open Chrome or Firefox
  2. Open DevTools → Network tab
  3. Right-click any column header → check "Protocol"
  4. Load your site — the Protocol column shows h2, h3, or http/1.1

Note: First load shows h2 (browser hasn't seen the Alt-Svc header yet). Reload the page — second load should show h3.

Chrome QUIC Diagnostics

# Open in Chrome address bar:
chrome://net-internals/#quic

# Shows active QUIC sessions, their state, and stream counts.
# If your domain appears here, HTTP/3 is working.

Command Line

# HTTP/2 test (any curl)
curl -I --http2 https://example.com

# HTTP/3 test (curl 8.0+ with --with-nghttp3)
curl --http3 -I https://example.com

# Check your curl has HTTP/3:
curl --version | grep -i http3

# ALPN negotiation check:
openssl s_client -connect example.com:443 -alpn h2 2>&1 | grep ALPN

# Alt-Svc header check:
curl -sI https://example.com | grep -i alt-svc

Online Tools (No Setup Required)

  • http3check.net — Tests HTTP/3 support and shows QUIC handshake details
  • Mozilla Observatory (observatory.mozilla.org) — Protocol support + security headers
  • SSL Labs (ssllabs.com/ssltest) — TLS config + ALPN capabilities
  • KeyCDN HTTP/2 Test (tools.keycdn.com/http2-test) — Protocol detection

11. Common Issues and Troubleshooting

"HTTP/3 is configured but not working"

Most likely cause: UDP 443 is blocked. Check:

# From the server — is nginx listening on UDP 443?
ss -ulnp | grep :443

# From outside — is it reachable?
# (Run from a different machine with curl 8+ and HTTP/3 support)
curl --http3 -v https://example.com 2>&1 | head -30

# Alt-Svc header check
curl -sI https://example.com | grep alt-svc
# If missing: check nginx config for add_header Alt-Svc line

"Only some users get HTTP/3"

Expected behavior. Clients on networks that block UDP (corporate firewalls, some ISPs) fall back to HTTP/2. This is by design — QUIC has always included this fallback. Your site works for everyone; only some get HTTP/3.

"Performance is worse with HTTP/2 than HTTP/1.1"

Usually happens when your site has very few resources (under 5 requests) and is on a reliable low-latency connection. HTTP/2 multiplexing shines with many concurrent requests. If your "site" is a single API endpoint, HTTP/2 overhead can marginally exceed its benefit. Solution: don't disable HTTP/2 for this — the overhead is tiny and your user base isn't all on 1ms LAN connections.

"Server Push is broken"

Server Push is deprecated. Chrome removed support in 2022. Firefox never fully embraced it. Don't use it. Use <link rel="preload"> and 103 Early Hints instead — these are standardized, broadly supported, and actually work.

"curl: option --http3: is unknown"

# Ubuntu/Debian — install a newer curl
apt install curl

# Or check if your distro package has HTTP/3:
curl --version | grep Features | grep -i http3

# macOS with Homebrew:
brew install curl
# Add to PATH: /opt/homebrew/opt/curl/bin

# Build from source with HTTP/3 (advanced):
# Requires nghttp3 and ngtcp2 libraries
# See: https://curl.se/docs/http3.html

"QUIC connection reset after a few seconds"

Check for stateful firewalls with short UDP timeouts. UDP is stateless from the firewall's perspective, and some firewalls close UDP entries after 30 seconds of inactivity. QUIC keeps connections alive much longer. Solution: increase UDP state timeout in your firewall rules, or set quic_gso on; in nginx (uses generic segmentation offload for better performance and keep-alive).

12. Should You Enable HTTP/3 Today?

The answer depends on your audience and infrastructure. Here's the decision matrix:

Scenario HTTP/3 Recommendation Reason
Public website, global audience Yes — enable it Mobile users, international latency, easy win
Mobile-heavy traffic Definitely yes Connection migration + lossy network handling
E-commerce (returning visitors) Yes 0-RTT makes repeat visits noticeably faster
REST API (internal) HTTP/2 is sufficient LAN, no packet loss, no HOL problem to solve
Corporate intranet HTTP/2 only UDP likely blocked at perimeter firewall
Legacy clients (old IoT, old browsers) Keep HTTP/1.1 fallback HTTP/3 doesn't break this — HTTP/1.1 always works
Behind Cloudflare Toggle in Cloudflare dashboard Zero infrastructure change required
Behind AWS ALB Not yet (use Cloudflare in front) ALB doesn't support QUIC

The risk of enabling HTTP/3 is near-zero. Browsers gracefully fall back. If UDP 443 is blocked, HTTP/2 kicks in. The only real downside is the firewall configuration step — which you have to do correctly or HTTP/3 simply won't activate (it won't break anything).

Frequently Asked Questions

Do I need to open a firewall port for HTTP/3?

Yes — UDP 443, in addition to the TCP 443 you already have open for HTTPS. This is the single most common reason HTTP/3 appears configured in nginx but never actually activates for visitors.

Will enabling HTTP/3 break anything for existing users?

No. Browsers that cannot reach UDP 443 — corporate networks, restrictive ISPs — transparently fall back to HTTP/2. Enabling HTTP/3 is additive: it never removes HTTP/2 or HTTP/1.1 support.

Why does the first page load still show HTTP/2 instead of HTTP/3?

Browsers only discover HTTP/3 support from the Alt-Svc header returned on an HTTP/2 response. The very first visit always negotiates HTTP/2; HTTP/3 activates starting with the second request and is remembered for the duration set in ma= (typically 24 hours).

Does every web server support HTTP/3?

No. Nginx (1.25+, QUIC-compiled), Caddy (default since 2.5), and both LiteSpeed variants support it natively. Apache has no native HTTP/3 support as of 2026 — the common workaround is putting nginx in front as a reverse proxy for the HTTP/3 layer.

13. The Future: What Comes After HTTP/3

HTTP/3 is not the endpoint. The QUIC ecosystem is actively evolving:

  • QUIC v2 (RFC 9369) — Minor improvements to version negotiation and Retry token handling. Transparent to applications.
  • WebTransport — HTTP/3-based API for browser-to-server bidirectional streams. Replaces many WebSocket use cases with better multiplexing and UDP semantics. Shipping in Chrome and Firefox.
  • DNS over QUIC (DoQ) — Encrypted DNS using QUIC instead of UDP/TCP. Faster and more private than DNS over HTTPS for high-query workloads.
  • MASQUE — HTTP/3-based tunneling protocol. The foundation for next-generation VPN and proxying (already used in iCloud Private Relay and Chrome's IP Protection).
  • 0-RTT everywhere — As session resumption becomes standard, the handshake latency advantage of HTTP/3 will matter less, but connection migration and stream-level loss recovery will continue to differentiate it.

The trajectory is clear: QUIC is becoming the default transport for anything performance-sensitive, not just HTTP. The question in two years won't be "should I enable HTTP/3?" — it'll be "why aren't you running QUIC for everything?"

Quick Reference

Protocol Comparison

Feature HTTP/1.1 HTTP/2 HTTP/3
RFC7230-7235 (1999)7540 (2015)9114 (2022)
TransportTCPTCPQUIC (UDP)
Wire formatPlain textBinary framesBinary frames
MultiplexingNoYes (TCP)Yes (QUIC)
HOL BlockingYes (connection)Yes (TCP)No
Header compressionNoHPACKQPACK
TLSOptionalEffectively requiredMandatory (built-in)
0-RTTNoNoYes
Connection migrationNoNoYes
Server PushNoDeprecatedRemoved

Nginx Configuration Checklist

  • nginx 1.25.0+ (check: nginx -v)
  • nginx compiled with --with-http_v2_module and --with-http_v3_module
  • listen 443 ssl; + http2 on; (or listen 443 ssl http2; on older nginx)
  • listen 443 quic reuseport; + http3 on;
  • add_header Alt-Svc 'h3=":443"; ma=86400';
  • UDP 443 open in firewall
  • Valid SSL certificate (required for both HTTP/2 and HTTP/3)
  • TLS 1.3 enabled: ssl_protocols TLSv1.2 TLSv1.3;

Server HTTP/3 Support Matrix

Server HTTP/2 HTTP/3 Notes
nginx 1.25+YesYesNeeds QUIC-compiled build
nginx 1.24YesNoUpgrade to 1.25+
Caddy 2.5+YesYesBoth on by default
Apache 2.4Yes (mod_http2)NoUse nginx reverse proxy for HTTP/3
LiteSpeed EnterpriseYesYesNative QUIC since v5.3
OpenLiteSpeed 1.7.14+YesYesFree, native QUIC
Cloudflare (edge)YesYesToggle in dashboard, free
HAProxy 2.6+YesYesRequires quic-cc build flag

Conclusion

HTTP/1.1, HTTP/2, and HTTP/3 are not competing technologies — they're a progression. Every server should support all three, with the latest taking priority for capable clients.

The practical summary:

  • HTTP/2: Enable it today if you haven't. Single multiplexed connection, header compression, no domain sharding. Most nginx installs on modern distributions already have it — you just need the config directive.
  • HTTP/3: Enable it when your infrastructure allows (nginx 1.25+, firewall UDP 443 open). The fallback to HTTP/2 is automatic. The benefit is real for mobile and high-latency users. The risk is zero.
  • HTTP/1.1: Keep it. It's your fallback for old clients, monitoring tools, and health checks. It doesn't cost you anything to support.

Panelica handles HTTP/2 and HTTP/3 configuration automatically when you enable SSL for a domain — the correct nginx directives, the Alt-Svc header, and the QUIC listen block are all written for you. Enabling HTTP/3 in Panelica is a checkbox in the domain SSL settings, not a manual config file edit.

The web is moving to UDP. QUIC is already the transport behind YouTube, Google Search, and Facebook for a significant portion of traffic. You're not early — you're on schedule.

Security-first hosting panel

Run your servers on a modern panel.

Panelica is a modern, security-first hosting panel — isolated services, built-in Docker and AI-assisted management, with one-click migration from any panel.

Zero-downtime migration Fully isolated services Cancel anytime
Share:
Migration from Plesk, made simple.