diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 389911ffcce..51c2f3febdc 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -249,7 +249,15 @@ let
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString vhost.default "default_server "
+ optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
- + ";";
+ + ";"
+ + (if ssl && vhost.http3 then ''
+ # UDP listener for **QUIC+HTTP/3
+ listen ${addr}:${toString port} http3 reuseport;
+ # Advertise that HTTP/3 is available
+ add_header Alt-Svc 'h3=":443"';
+ # Sent when QUIC was used
+ add_header QUIC-Status $quic;
+ '' else "");
redirectListen = filter (x: !x.ssl) defaultListen;
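Review bot: The advertised port in `add_header Alt-Svc 'h3=":443"';` is hard-coded while the UDP listener directly above it binds `${toString port}`, so a vhost on a non-default TLS port tells clients to try QUIC on 443, where a different service or nothing may answer. Derive it from the same value: `add_header Alt-Svc 'h3=":${toString port}"';`. Because this string is appended per listen entry, a vhost with more than one address will probably emit both `add_header` lines repeatedly. nginx normally accepts `reuseport` only once per address:port, so two http3 vhosts sharing a socket likely fail the config check; both are worth verifying. The enclosing `let` binding starts outside the hunk.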
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index cf211ea9a71..1f5fe6a368c 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -151,6 +151,19 @@ with lib;
'';
};
+ http3 = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable HTTP 3.
+ This requires using pkgs.nginxQuic package
+ which can be achived by setting services.nginx.package = pkgs.nginxQuic;.
+ Note that HTTP 3 support is experimental and
+ *not* yet recommended for production.
+ Read more at https://quic.nginx.org/
+ '';
+ };
+
root = mkOption {
type = types.nullOr types.path;
default = null;
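Review bot: Nothing ties `http3 = true` to a package that understands the `http3` listen parameter, so with the default `services.nginx.package` the generated config is presumably rejected when nginx starts rather than at evaluation time. An assertion in the module that names the offending vhost would fail earlier and more clearly. The description should also say that the QUIC listener is UDP on the vhost's TLS port, since a firewall opened only for TCP leaves HTTP/3 unreachable without any error. Wording in the text: `achived` should be `achieved`, and `HTTP 3` reads better as `HTTP/3`.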
diff --git a/pkgs/development/libraries/boringssl/default.nix b/pkgs/development/libraries/boringssl/default.nix
index aa3eeef48a5..f8c27f96dcc 100644
--- a/pkgs/development/libraries/boringssl/default.nix
+++ b/pkgs/development/libraries/boringssl/default.nix
@@ -1,22 +1,39 @@
-{ lib, stdenv, fetchgit, cmake, perl, go }:
+{ lib
+, stdenv
+, fetchgit
+, cmake
+, ninja
+, perl
+, buildGoModule
+}:
# reference: https://boringssl.googlesource.com/boringssl/+/2661/BUILDING.md
-stdenv.mkDerivation {
+buildGoModule {
pname = "boringssl";
- version = "2019-12-04";
+ version = "2021-04-18";
src = fetchgit {
url = "https://boringssl.googlesource.com/boringssl";
- rev = "243b5cc9e33979ae2afa79eaa4e4c8d59db161d4";
- sha256 = "1ak27dln0zqy2vj4llqsb99g03sk0sg25wlp09b58cymrh3gccvl";
+ rev = "468cde90ca58421d63f4dfeaebcf8bb3fccb4127";
+ sha256 = "0gaqcbvp6r5fq265mckmg0i0rjab0bhxkxcvfxp3ar5dm7q88w39";
};
- nativeBuildInputs = [ cmake perl go ];
+ nativeBuildInputs = [ cmake ninja perl ];
- makeFlags = [ "GOCACHE=$(TMPDIR)/go-cache" ];
+ vendorSha256 = "sha256-pQpattmS9VmO3ZIQUFn66az8GSmB4IvYhTTCFn6SUmo=";
+
+ # hack to get both go and cmake configure phase
+ # (if we use postConfigure then cmake will loop runHook postConfigure)
+ preBuild = ''
+ cmakeConfigurePhase
+ '';
+
+ buildPhase = ''
+ ninjaBuildPhase
+ '';
# CMAKE_OSX_ARCHITECTURES is set to x86_64 by Nix, but it confuses boringssl on aarch64-linux.
- cmakeFlags = lib.optionals (stdenv.isLinux) [ "-DCMAKE_OSX_ARCHITECTURES=" ];
+ cmakeFlags = [ "-GNinja" ] ++ lib.optionals (stdenv.isLinux) [ "-DCMAKE_OSX_ARCHITECTURES=" ];
installPhase = ''
mkdir -p $bin/bin $out/include $out/lib
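Review bot: The switch to `buildGoModule` is explained only by the "hack" comment on `preBuild`, which does not say why a Go builder wraps a cmake/ninja build. It appears to be used solely so the Go modules are vendored and pinned by `vendorSha256`, and a line such as `# buildGoModule is used only to vendor the Go build helpers; the library itself is built by cmake + ninja` above `buildGoModule {` would make that explicit. Since `version = "2021-04-18"` is just a snapshot date of the pinned `rev`, a comment that security fixes arrive only through a manual `rev`/`sha256`/`vendorSha256` bump would help whoever maintains this next. The reference comment still points at BUILDING.md for revision 2661 and should be checked against the new pin. `installPhase` continues outside the hunk.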
diff --git a/pkgs/servers/http/nginx/quic.nix b/pkgs/servers/http/nginx/quic.nix
new file mode 100644
index 00000000000..062520a3d13
--- /dev/null
+++ b/pkgs/servers/http/nginx/quic.nix
@@ -0,0 +1,21 @@
+{ callPackage, fetchhg, boringssl, ... } @ args:
+
+callPackage ./generic.nix args {
+ src = fetchhg {
+ url = "https://hg.nginx.org/nginx-quic";
+ rev = "47a43b011dec"; # branch=quic
+ sha256 = "1d4d1v4zbnf5qlfl79pi7sficn1h7zm6kk7llm24yyhlsvssz10x";
+ };
+
+ preConfigure = ''
+ ln -s auto/configure configure
+ '';
+
+ configureFlags = [
+ "--with-http_v3_module"
+ "--with-http_quic_module"
+ "--with-stream_quic_module"
+ ];
+
+ version = "quic";
+}
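Review bot: `version = "quic";` gives the resulting store path and package metadata no upstream version, so neither a person nor a vulnerability scanner can tell which nginx base this experimental build corresponds to. Prefer a string that carries the base release and the snapshot, for example `version = "<base-nginx-version>-quic-<snapshot-date>";` with the placeholders filled from the pinned changeset. The `rev = "47a43b011dec"` is an abbreviated changeset id; the `sha256` still pins the content, but the full 40-character hash would be unambiguous and is easier to audit against upstream.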
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ea4b58c2100..af19a693304 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -18678,6 +18678,15 @@ in
nginx = nginxStable;
+ nginxQuic = callPackage ../servers/http/nginx/quic.nix {
+ withPerl = false;
+ # We don't use `with` statement here on purpose!
+ # See https://github.com/NixOS/nixpkgs/pull/10474/files#r42369334
+ modules = [ nginxModules.rtmp nginxModules.dav nginxModules.moreheaders ];
+ # Use latest boringssl to allow http3 support
+ openssl = boringssl;
+ };
+
nginxStable = callPackage ../servers/http/nginx/stable.nix {
withPerl = false;
# We don't use `with` statement here on purpose!
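Review bot: The comment `# Use latest boringssl to allow http3 support` is misleading on two counts: the library is pinned to a fixed revision in pkgs/development/libraries/boringssl, not "latest", and `openssl = boringssl;` replaces the TLS stack for the whole server and the three listed modules, not only for HTTP/3. I would write `# nginx-quic needs a QUIC-capable TLS library; this swaps OpenSSL for the pinned boringssl for the whole server, including the modules above`. Features that nginx implements only against OpenSSL will be unavailable or behave differently in this build (OCSP stapling is one, as far as I know), which is worth stating here or in the `http3` option text. The `nginxStable` definition below continues outside the hunk.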