What’s QUIC
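QUIC (Quick UDP Internet Connections) is a transport layer network protocol developed by Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and it was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latencies. Because QUIC carries its own TLS handshake, HAProxy needs a TLS library that exposes a QUIC API, which is why the steps below build the QuicTLS fork of OpenSSL instead of linking against the distribution's libssl.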
Enable QUIC in HAProxy in Linux Ubuntu
Install Requirements
# Install the build toolchain, the development headers HAProxy is compiled
# against (Lua, PCRE, OpenSSL, systemd, zlib) and rsyslog for logging.
# The commands on this page are written without sudo, so they assume a root shell.
apt update \
  && apt install -y \
    ca-certificates gcc git libc6-dev liblua5.3-dev libpcre3-dev \
    libssl-dev libsystemd-dev make zlib1g-dev rsyslog
Compile OpenSSL QUICTLS
# Build the QuicTLS fork of OpenSSL into its own prefix (/opt/quictls) so the
# distribution's OpenSSL is left untouched.
# NOTE(review): OpenSSL_1_1_1t+quic pins a 1.1.1-series release, and that series
# is past upstream end of life; check the quictls repository for its newest
# "+quic" tag before building. A tag can be moved, so record the commit it
# resolves to (git rev-parse HEAD) if the build must be reproducible.
mkdir -p /opt/quictls
cd /usr/local/src
git clone https://github.com/quictls/openssl
cd openssl
git checkout OpenSSL_1_1_1t+quic
./config --prefix=/opt/quictls --libdir=lib
# Install only if the build succeeded.
make \
  && make install
Compile HAProxy QUIC
# Fetch HAProxy and build it with QUIC support against the QuicTLS libraries
# installed under /opt/quictls.
# NOTE(review): v2.8.0 is the first release of the 2.8 branch; later 2.8.x
# releases carry bug and security fixes, so prefer the newest tag of the branch
# you deploy.
cd /usr/local/src
git clone https://github.com/haproxy/haproxy.git
cd haproxy
git checkout v2.8.0
# SSL_INC/SSL_LIB select the QuicTLS headers and libraries; the rpath in LDFLAGS
# makes the binary load libssl/libcrypto from /opt/quictls/lib at run time
# rather than the system copies.
make TARGET=linux-glibc \
  USE_LUA=1 USE_PCRE=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_PROMEX=1 \
  USE_QUIC=1 USE_OPENSSL=1 \
  SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib \
  LDFLAGS="-Wl,-rpath,/opt/quictls/lib"
# Installs the binary only; afterwards `haproxy -vv` shows which OpenSSL build
# it was compiled with and is running on.
make install-bin
# Generate the systemd unit from the HAProxy source tree and install it.
# Run from the haproxy checkout (/usr/local/src/haproxy).
cd admin/systemd
make haproxy.service
cp haproxy.service /etc/systemd/system/
# Configuration and runtime directories.
# NOTE(review): /run is normally a tmpfs, so /run/haproxy will not survive a
# reboot; confirm the unit or a tmpfiles.d entry recreates it if the
# configuration relies on it.
mkdir -p /etc/haproxy /run/haproxy
# Creates an empty configuration file; it has to be filled in (see the frontend
# example at the end of this page) before the service is started.
touch /etc/haproxy/haproxy.cfg
Add HAProxy user
# Dedicated unprivileged account for HAProxy: fixed GID 125 / UID 117, home set
# to /var/lib/haproxy, and a nologin shell so the account cannot be used for
# interactive logins.
groupadd --gid 125 haproxy
useradd --uid 117 --gid 125 --home-dir /var/lib/haproxy --shell /usr/sbin/nologin haproxy
If UID 117 or GID 125 is already in use on your system, pick different free numbers and use them in both commands.
Enable HAProxy Log in rsyslog
vim /etc/rsyslog.d/99-haproxy.conf
# Add these lines to the file:
# Make rsyslog listen on an additional log socket below /var/lib/haproxy.
# NOTE(review): presumably intended for a HAProxy instance chrooted to
# /var/lib/haproxy; no chroot is configured on this page, so confirm it is needed.
$AddUnixListenSocket /var/lib/haproxy/dev/log
# Send HAProxy messages to a dedicated logfile; "stop" keeps the matched
# messages from being processed by later rules as well.
:programname, startswith, "haproxy" {
/var/log/haproxy.log
stop
}
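# Create the directory that will hold the extra log socket, plus the runtime
# directory.
mkdir -p /var/lib/haproxy/dev /run/haproxy
# Hand both trees to the haproxy account. The "owner:group" form is used
# because the dot separator is a deprecated GNU extension that newer coreutils
# warn about.
# NOTE(review): if /var/lib/haproxy is later used as HAProxy's chroot, a
# directory writable by the haproxy user weakens that jail; confirm the
# recursive ownership change is really required.
chown -Rv haproxy:haproxy /var/lib/haproxy /run/haproxy
# Restart rsyslog so it picks up /etc/rsyslog.d/99-haproxy.conf and creates the
# log socket.
systemctl restart rsyslog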
Enable HAProxy Logrotate Logs
vim /etc/logrotate.d/haproxy
# Add these lines to the file:
# Rotate /var/log/haproxy.log daily and keep seven rotated files. A missing or
# empty log is skipped; rotated files are compressed one cycle late. After
# rotation the rsyslog-rotate helper is run if it is installed and executable.
/var/log/haproxy.log {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        [ ! -x /usr/lib/rsyslog/rsyslog-rotate ] || /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
Enable HAProxy in Systemd
# Enable the unit at boot and start it right away, then show its state.
# /etc/haproxy/haproxy.cfg was created empty earlier on this page: fill it in
# first and validate it with `haproxy -c -f /etc/haproxy/haproxy.cfg`.
systemctl enable --now haproxy
systemctl status haproxy
Enable HTTP/3 QUIC in HAProxy config
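# HTTP/1.1 + HTTP/2 over TCP and HTTP/3 over QUIC on the same frontend.
# No backend or default_backend is shown here; add one for a working setup.
frontend fe_website
    mode http
    bind :80
    # TLS over TCP 443, offering HTTP/2 via ALPN.
    bind :443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
    # HTTP/3 over QUIC on UDP 443 (UDP 443 must be allowed through the firewall).
    # Uses the same certificate as the TCP listener: clients only switch to the
    # advertised h3 endpoint if it presents a certificate valid for the same
    # origin. The file passed to crt normally contains the private key as well,
    # so keep it under /etc/haproxy/certs and readable by root only.
    bind quic4@:443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h3
    # Send plain-HTTP requests to HTTPS.
    http-request redirect scheme https unless { ssl_fc }
    # Advertise HTTP/3 on port 443. ma is the lifetime of the advertisement in
    # seconds; 60 keeps it short while the setup is being tested.
    http-after-response add-header alt-svc 'h3=":443"; ma=60'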