On 4/10/2022 3:41 AM, Frederic Lecaille wrote:
> Here is a "bind" line example (SSL must be enabled as for TCP) for a
> QUIC/h3 listener:
> bind quic4@<ip:port> ssl crt <your-cert> proto quic alpn h3
Frederic is replying only to me, not including the list.
I'm following the advice from Willy to put quic handling on a separate
haproxy process. I copied my 2.4 haproxy.cfg, deleted a bunch of stuff
that's irrelevant or caused config errors and seemed like I could do
without.
I still have config errors. I updated my bind line to this:
bind quic4@0.0.0.0:443 ssl crt /etc/ssl/certs/local/mainwildcards.pem proto quic alpn h3
That produces the following when checking the config file:
[ALERT] (821651) : config : parsing [/etc/haproxy/haproxy6.cfg:52] : 'bind' : unsupported protocol family 2 for address 'quic4@0.0.0.0:443'
I am also getting some config errors for options that do seem like they
are valid in the 2.6 documentation, but the error states that the
keyword is unknown. These errors have to do with ssl config options.
For now I have commented these lines to deal with later ... but since it
won't work at all without the bind, I can't get rid of the error above
by commenting the line.
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:11] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section; did you mean 'default-path' maybe ?
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:12] : unknown keyword 'tune.ssl.cachesize' in 'global' section; did you mean 'tune.pattern.cache-size' maybe ?
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:13] : unknown keyword 'tune.ssl.lifetime' in 'global' section; did you mean 'tune.idletimer' maybe ?
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:15] : unknown keyword 'ssl-default-bind-ciphers' in 'global' section
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:16] : unknown keyword 'ssl-default-bind-options' in 'global' section
[ALERT] (830805) : config : parsing [/etc/haproxy/haproxy6.cfg:18] : unknown keyword 'ssl-default-server-ciphers' in 'global' section
Thanks,
Shawn