Mainline builds of HAProxy with QUIC enabled (using static QuicTLS builds)
deps Make PCRE2 dist target part of default targets 2022-06-06 08:57:37 +01:00
haproxy Avoid artifacting untarred dist folders and add package publication 2022-06-06 08:51:31 +01:00
.dockerignore Add docker publication back 2022-06-06 08:14:11 +01:00
.gitignore Global cleanup for fully reproducible local build 2022-06-06 05:46:20 +01:00
.gitlab-ci.yml Cleanup package upload curl args 2022-06-06 09:10:52 +01:00
Dockerfile Add haproxy:haproxy user and update README 2022-06-06 10:34:42 +01:00
LICENSE Add license 2022-06-06 06:07:49 +01:00
Makefile Parameterize src dirs everywhere and fix PCRE incs for HAProxy 2022-06-06 06:52:47 +01:00
README.md Update README with example setup for H3/QUIC 2022-06-06 10:49:25 +01:00

HAProxy

Build scripts for HAProxy with QUIC

PROJECT STATUS: Alpha, not exhaustively tested yet

Quickstart

NOTE FOR QUIC: docker and docker-compose require an explicit UDP port mapping; otherwise they assume TCP only. See below.

docker run -it \
    -v /path/to/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
    -p "80:80" \
    -p "443:443/tcp" \
    -p "443:443/udp" \
    registry.gitlab.com/mangadex-pub/haproxy:2.6-bullseye

Here's a sample configuration (you need to supply your own certificate) to test HTTP/3 support. The first connection should be over HTTP/1.1 or HTTP/2, since the client only learns that HTTP/3 is available from the alt-svc response header, and after a few refreshes it should be over HTTP/3.

See Announcing HAProxy 2.6 for more info.

...
frontend https
    bind       :443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h3
    
    http-after-response set-header alt-svc 'h3=":443"; ma=86400'
    http-request return status 200 content-type text/plain lf-string "Connected via %HV"
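
The HTTP/3 upgrade only happens if the QUIC bind, the UDP port mapping and the alt-svc header all agree. The following check is an added example, not part of this repository; the function names are hypothetical and the sample inputs are constructed from the configuration and docker flags shown above:

```python
import re

# Constructed inputs mirroring the README's sample frontend and docker flags.
SAMPLE_CFG = '''\
frontend https
    bind       :443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /usr/local/etc/haproxy/cert.pem alpn h3
    http-after-response set-header alt-svc 'h3=":443"; ma=86400'
'''
SAMPLE_PORTS = ["80:80", "443:443/tcp", "443:443/udp"]

QUIC_BIND = re.compile(r"^[ \t]*bind[ \t]+quic[46]@\S*?:(\d+)(?=\s|$)", re.M)
ALT_SVC_H3 = re.compile(r'h3="[^":]*:(\d+)"')


def udp_publications(ports):
    """Map container port -> host port for docker -p specs published as UDP."""
    mapping = {}
    for spec in ports:
        addr, _, proto = spec.partition("/")
        if proto != "udp":  # docker treats a spec without a suffix as TCP
            continue
        parts = addr.split(":")
        if len(parts) >= 2:  # [ip:]host:container
            mapping[int(parts[-1])] = int(parts[-2])
    return mapping


def check_h3_setup(cfg, ports):
    """Return the problems that would keep clients from upgrading to HTTP/3."""
    live = "\n".join(l for l in cfg.splitlines() if not l.lstrip().startswith("#"))
    quic_ports = sorted({int(p) for p in QUIC_BIND.findall(live)})
    advertised = {int(p) for p in ALT_SVC_H3.findall(live)}
    udp = udp_publications(ports)
    problems = []
    if not quic_ports:
        problems.append("no quic4@/quic6@ bind line found")
    for port in quic_ports:
        if port not in udp:
            problems.append(f"QUIC bind port {port} has no /udp port mapping")
        elif udp[port] not in advertised:
            problems.append(f"alt-svc does not advertise h3 on host port {udp[port]}")
    return problems


if __name__ == "__main__":
    print(check_h3_setup(SAMPLE_CFG, SAMPLE_PORTS) or "HTTP/3 path looks reachable")
```

A mapping such as `8443:443/udp` is reported because clients would be told to use port 443 for h3 while the host only listens for QUIC on 8443.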

Build it

You will need the following dependencies (Debian/Ubuntu packages given as example):

  • Development tools (build-essential)
  • curl and ssl support for it (curl and ca-certificates)
  • CMake (cmake)
  • Readline library headers (libreadline-dev)
  • Libsystemd headers (libsystemd-dev)
  • GNU TAR (tar)

Then just run make and the build should pass.

To install the result, first expand deps/quictls/quictls-dist.tar.gz so that its contents end up at /opt/quictls on the host, as that is where HAProxy will look for OpenSSL.

Finally, haproxy/haproxy-dist.tar.gz can be expanded anywhere.

Should I use this repo?

This is:

  • an unofficial build of HAProxy
  • which enables an experimental feature of HAProxy
  • which relies on an unofficial build of OpenSSL
  • which is based on an unofficial patch of OpenSSL

Generally speaking, you shouldn't.

That said, please PR improvements back if you do. We'll be using it ourselves too.

What's in there

First, we want to statically build things where possible, which is done for:

  • Lua
  • PCRE2
  • QuicTLS

Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS build, which it will look for at the /opt/quictls prefix.