How To Enable HTTP/3 over QUIC in HAProxy

Activating HTTP/3 over QUIC in HAProxy on Ubuntu.

What’s QUIC

QUIC (Quick UDP Internet Connections) is a transport layer network protocol developed by Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and it was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latencies.

Enable QUIC in HAProxy in Linux Ubuntu

Install Requirements

apt update && apt install -y \
  ca-certificates \
  gcc \
  git \
  libc6-dev \
  liblua5.3-dev \
  libpcre3-dev \
  libssl-dev \
  libsystemd-dev \
  make \
  zlib1g-dev \
  rsyslog

Compile OpenSSL QUICTLS

cd /usr/local/src
git clone https://github.com/quictls/openssl
cd openssl
git checkout OpenSSL_1_1_1t+quic
mkdir -p /opt/quictls
./config --libdir=lib --prefix=/opt/quictls
make && make install

Compile HAProxy QUIC

cd /usr/local/src
git clone https://github.com/haproxy/haproxy.git
cd haproxy
git checkout v2.8.0
 
make TARGET=linux-glibc \
    USE_LUA=1 \
    USE_PCRE=1 \
    USE_ZLIB=1 \
    USE_SYSTEMD=1 \
    USE_PROMEX=1 \
    USE_QUIC=1 \
    USE_OPENSSL=1 \
    SSL_INC=/opt/quictls/include \
    SSL_LIB=/opt/quictls/lib \
    LDFLAGS="-Wl,-rpath,/opt/quictls/lib"

make install-bin
cd admin/systemd
make haproxy.service
cp ./haproxy.service /etc/systemd/system/

mkdir -p /etc/haproxy
mkdir -p /run/haproxy
touch /etc/haproxy/haproxy.cfg

Add HAProxy user

groupadd -g 125 haproxy
useradd -g 125 -u 117 -s /usr/sbin/nologin -d /var/lib/haproxy haproxy

Change the UID and GID values if they are already in use on your system.

Enable HAProxy Log in rsyslog

vim /etc/rsyslog.d/99-haproxy.conf

# add these lines
$AddUnixListenSocket /var/lib/haproxy/dev/log

# Send HAProxy messages to a dedicated logfile
:programname, startswith, "haproxy" {
  /var/log/haproxy.log
  stop
}

# create the required directories
mkdir -p /var/lib/haproxy/dev /run/haproxy
chown -Rv haproxy:haproxy /var/lib/haproxy /run/haproxy

# restart rsyslog
systemctl restart rsyslog

Enable HAProxy Logrotate Logs

vim /etc/logrotate.d/haproxy

# add these lines
/var/log/haproxy.log {
    daily
    rotate 7
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        [ ! -x /usr/lib/rsyslog/rsyslog-rotate ] || /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

Enable HAProxy in Systemd

systemctl enable haproxy
systemctl start haproxy
systemctl status haproxy

Enable HTTP/3 QUIC in HAProxy config

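frontend fe_website
  mode http
  bind :80
  # HTTP/2 over TLS on TCP 443
  bind :443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
  # HTTP/3 over QUIC on UDP 443
  bind quic4@:443 ssl crt /mycert.pem alpn h3

  http-request redirect scheme https unless { ssl_fc }

  # Advertise HTTP/3 on port 443 to clients; ma is the lifetime in seconds
  http-after-response add-header alt-svc 'h3=":443"; ma=60'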
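
A consistency check for the frontend above, as an added example that is not part of the original article: the function flags a QUIC bind that lacks `ssl` or `alpn h3`, and an `alt-svc` port that does not match a QUIC listener. The function name `check_h3_cfg` and both sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): lint a haproxy.cfg for the
# HTTP/3 settings. Simplification: the file is checked as a whole, not per frontend.

# check_h3_cfg FILE: prints one line per problem; returns 0 when clean, 1 otherwise.
check_h3_cfg() {
  awk '
    $1 == "bind" && $2 ~ /^quic[46]@/ {
      port = $2; sub(/.*:/, "", port); quic[port] = 1
      line = " " $0 " "
      if (line !~ / ssl /)        { print "quic bind " $2 ": no ssl keyword"; bad++ }
      if (line !~ / alpn h3[, ]/) { print "quic bind " $2 ": alpn does not offer h3"; bad++ }
    }
    $1 !~ /^#/ && tolower($0) ~ /alt-svc/ && match($0, /h3=":[0-9]+"/) {
      # h3=":443" -> skip the 5 leading characters and the closing quote
      alt[substr($0, RSTART + 5, RLENGTH - 6)] = 1
    }
    END {
      for (p in alt)  if (!(p in quic)) { print "alt-svc advertises h3 on :" p " with no quic bind"; bad++ }
      for (p in quic) if (!(p in alt))  { print "quic bind on :" p " is never advertised via alt-svc"; bad++ }
      exit (bad > 0)
    }
  ' "$1"
}

# Constructed sample inputs: the frontend from the article, and a broken variant.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.cfg" <<'EOF'
frontend fe_website
  mode http
  bind :80
  bind :443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
  bind quic4@:443 ssl crt /mycert.pem alpn h3
  http-request redirect scheme https unless { ssl_fc }
  http-after-response add-header alt-svc 'h3=":443"; ma=60'
EOF
cat > "$demo_dir/bad.cfg" <<'EOF'
frontend fe_website
  mode http
  bind :443 ssl crt /mycert.pem alpn h2
  bind quic4@:8443 ssl crt /mycert.pem alpn h2
  http-after-response add-header alt-svc 'h3=":443"; ma=60'
EOF

check_h3_cfg "$demo_dir/good.cfg" && echo "good.cfg: OK"
check_h3_cfg "$demo_dir/bad.cfg"  || echo "bad.cfg: problems found"
```

Run it against `/etc/haproxy/haproxy.cfg` before reloading HAProxy; `haproxy -c -f /etc/haproxy/haproxy.cfg` still validates the syntax itself.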
