2022-06-06 07:35:05 +01:00
|
|
|
# HAProxy
|
2022-06-04 20:20:22 +01:00
|
|
|
|
2022-06-06 07:35:05 +01:00
|
|
|
Build scripts for HAProxy with QUIC
|
2022-06-04 20:20:22 +01:00
|
|
|
|
2022-06-23 10:45:59 +02:00
|
|
|
**PROJECT STATUS: BETA**. It will generally work fine and we've been using it in
|
|
|
|
production ourselves, but please be careful and pin versions explicitly for now.
|
|
|
|
We don't exactly have time to triple check everything to never mess up (yet).
|
2022-06-06 09:28:47 +01:00
|
|
|
|
2022-06-07 12:28:23 +01:00
|
|
|
[[_TOC_]]
|
2022-06-06 09:28:47 +01:00
|
|
|
|
2022-06-07 04:06:13 +01:00
|
|
|
## Quickstart
|
2022-06-06 10:49:04 +01:00
|
|
|
|
|
|
|
```shell
|
|
|
|
docker run -it \
|
|
|
|
-v /path/to/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
|
|
|
|
-p "80:80" \
|
|
|
|
-p "443:443/tcp" \
|
|
|
|
-p "443:443/udp" \
|
|
|
|
registry.gitlab.com/mangadex-pub/haproxy:2.6-bullseye
|
|
|
|
```
|
|
|
|
|
2022-06-07 04:06:13 +01:00
|
|
|
## HTTP/3 and QUIC
|
|
|
|
|
|
|
|
**NOTE FOR QUIC:** docker and docker-compose require explicit UDP protocol port
|
|
|
|
mapping, otherwise they assume only-TCP. See the explicit port-mapping above.
|
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
Here's a sample configuration (requires you to figure out the certificate) to
|
|
|
|
test HTTP/3.0 support. The first connection should be over HTTP/1.1 or HTTP/2,
|
|
|
|
and
|
2022-06-06 10:49:04 +01:00
|
|
|
after a few refreshes it should be over HTTP/3.
|
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
See [Announcing HAProxy 2.6](https://www.haproxy.com/blog/announcing-haproxy-2-6/)
|
|
|
|
for more info.
|
2022-06-06 10:49:04 +01:00
|
|
|
|
|
|
|
```haproxy
|
|
|
|
...
|
|
|
|
frontend https
|
|
|
|
bind :443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h2,http/1.1
|
|
|
|
bind quic4@:443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h3
|
2022-06-07 01:44:23 +01:00
|
|
|
|
2022-06-06 10:49:04 +01:00
|
|
|
http-after-response set-header alt-svc 'h3=":443"; ma=86400'
|
|
|
|
http-request return status 200 content-type text/plain lf-string "Connected via %HV"
|
|
|
|
```
|
2022-06-06 09:28:47 +01:00
|
|
|
|
|
|
|
## Build it
|
2022-06-04 20:20:22 +01:00
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
You will need the following dependencies (Debian/Ubuntu packages given as
|
|
|
|
example):
|
2022-06-06 07:35:05 +01:00
|
|
|
|
|
|
|
- Development tools (`build-essential`)
|
|
|
|
- curl and ssl support for it (`curl` and `ca-certificates`)
|
|
|
|
- CMake (`cmake`)
|
|
|
|
- Readline library headers (`libreadline-dev`)
|
|
|
|
- Libsystemd headers (`libsystemd-dev`)
|
|
|
|
- GNU TAR (`tar`)
|
|
|
|
|
|
|
|
Then just run `make` and the build should pass.
|
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
First, `deps/quictls/quictls-dist.tar.gz` should be expanded so it matches the
|
|
|
|
host's
|
2022-06-06 09:07:59 +01:00
|
|
|
`/opt/quictls` when expanding, as it is where HAProxy will look for OpenSSL.
|
2022-06-06 07:35:05 +01:00
|
|
|
|
2022-06-06 09:07:59 +01:00
|
|
|
And finally `haproxy/haproxy-dist.tar.gz` can be expanded anywhere.
|
2022-06-06 07:35:05 +01:00
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
## Compatibility of binaries
|
|
|
|
|
|
|
|
You may acquire binaries for non-docker usage in 2 ways:
|
|
|
|
|
|
|
|
- We distribute binary tarballs for this repo in
|
|
|
|
the [project's packages](https://gitlab.com/mangadex-pub/haproxy/-/packages)
|
|
|
|
- You can build it locally, which results in `deps/quictls/quictls-dist.tar.gz`
|
|
|
|
and `haproxy/haproxy-dist.tar.gz`
|
|
|
|
|
|
|
|
Please note that neither QuicTLS/OpenSSL nor HAProxy are fully statically
|
|
|
|
compiled. They are still linking to glibc. You see that
|
|
|
|
with `readelf -d /path/to/binary`.
|
|
|
|
|
|
|
|
As a result, you may be unable to run a binary linked using a more recent glibc.
|
|
|
|
|
|
|
|
Our CI uses the most recent Debian Buster image for compilation. You can find
|
|
|
|
out the exact libc version this links against with `ldd --version` like so:
|
|
|
|
|
|
|
|
```shell
|
|
|
|
$ docker run -it debian:buster ldd --version | head -n1
|
|
|
|
ldd (Debian GLIBC 2.28-10+deb10u1) 2.28
|
|
|
|
```
|
|
|
|
|
|
|
|
Particular care should thus be put in what host you use for compilation.
|
|
|
|
|
|
|
|
Similarly, if you generally enjoy running abandonware you will not be able to
|
|
|
|
use any of our non-docker artifacts.
|
|
|
|
|
2022-06-06 07:35:05 +01:00
|
|
|
## Should I use this repo?
|
|
|
|
|
|
|
|
This is an:
|
2022-06-07 01:44:23 +01:00
|
|
|
|
2022-06-06 07:35:05 +01:00
|
|
|
- unofficial build of HAProxy
|
|
|
|
- which enables an experimental feature of HAProxy
|
|
|
|
- which relies on an unofficial build of OpenSSL
|
|
|
|
- which is based on an unofficial patch of OpenSSL
|
|
|
|
|
|
|
|
Generally speaking, you shouldn't.
|
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
That said, please PR improvements back if you do. We'll be using it ourselves
|
|
|
|
too.
|
2022-06-06 07:35:05 +01:00
|
|
|
|
|
|
|
## What's in there
|
|
|
|
|
|
|
|
First, we want to statically build things where possible, which is done for:
|
2022-06-07 01:44:23 +01:00
|
|
|
|
2022-06-06 07:35:05 +01:00
|
|
|
- LUA
|
|
|
|
- PCRE2
|
2022-06-07 01:44:23 +01:00
|
|
|
- QuicTLS (*partially*, still links to host glibc)
|
2022-06-06 07:35:05 +01:00
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS
|
|
|
|
build, which
|
2022-06-06 07:35:05 +01:00
|
|
|
it will look for at the `/opt/quictls` prefix.
|
2022-06-07 01:44:23 +01:00
|
|
|
|
2022-06-07 07:14:34 +01:00
|
|
|
## About Debian packaging
|
|
|
|
|
|
|
|
The content of [haproxy/debian](haproxy/debian) is a slightly modified version
|
|
|
|
of the Debian HAProxy Team's work and essentially all credits wrt that is due to
|
|
|
|
them.
|
|
|
|
|
|
|
|
It is sourced
|
|
|
|
from [haproxy-team/haproxy:experimental-2.6](https://salsa.debian.org/haproxy-team/haproxy/-/tree/experimental-2.6)
|
|
|
|
|
2022-06-07 01:44:23 +01:00
|
|
|
## Notes
|
|
|
|
|
|
|
|
Since we're building our own binaries, we also increase MAX_SESS_STKCTR to 5
|
|
|
|
instead of the default of 3. If you don't know what that is, it's irrelevant to
|
|
|
|
you. You can read some
|
|
|
|
more [here](https://github.com/haproxy/haproxy/issues/1565).
|