Hi. After some tricky stuff with CentOS I switched to Debian as the base image and was now able to build haproxy with boringssl.
####
/usr/local/sbin/haproxy -vv
HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
  -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
  -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
  -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
  -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1
  USE_THREAD=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : BoringSSL
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.22 2016-07-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace
####

Now I want to try to make the request to mail.google.com with this config and runtime.
###
cat /tmp/haproxy.cfg
# https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#3
global
    # nodaemon
    # rfc5424 lines on stdout, facility "daemon", level from the environment
    log stdout format rfc5424 daemon "${LOGLEVEL}"
    # mode 666 with level admin: every local user of the container can administer this instance
    stats socket /tmp/sock1 mode 666 level admin
    stats timeout 1h
    tune.ssl.default-dh-param 2048
    # disables certificate verification for all ssl servers (see also "verify none" on the server line)
    ssl-server-verify none
    nbthread "${NUM_THREADS}"

defaults
    log global
    # the format is described at
    # https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#4
    # copied from
    # https://github.com/haproxytech/haproxy-docker-arm64v8/blob/master/cfg_files/haproxy.cfg
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
    default-server resolve-prefer ipv4 inter 5s resolvers mydns
    # HTX is required to speak h2 on the server side in 1.9
    option http-use-htx

resolvers mydns
    nameserver dns1 "${DNS_SRV001}":53
    nameserver dns2 "${DNS_SRV002}":53
    resolve_retries 3
    timeout retry 1s
    hold valid 10s

listen stats
    bind :"${STATS_PORT}"
    mode http
    # Health check monitoring uri.
    monitor-uri /healthz
    # Add your custom health check monitoring failure condition here.
    # monitor fail if <condition>
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth "${STATS_USER}":"${STATS_PASSWORD}"

frontend public_tcp
    bind :"${SERVICE_TCP_PORT}"
    mode http
    option httplog
    log global
    default_backend be_generic_tcp

backend be_generic_tcp
    mode http
    balance source
    timeout check 5s
    option tcp-check
    # TLS 1.3 only, HTTP/2 framing towards the server, server certificate not validated
    server "${SERVICE_NAME}" ${SERVICE_DEST_IP}:${SERVICE_DEST_PORT} check inter 5s proto h2 ssl ssl-min-ver TLSv1.3 verify none
###

Test with curl

###
curl -v http://127.0.0.1:8443
* About to connect() to 127.0.0.1 port 8443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8443
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 502 Bad Gateway
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
* Closing connection 0
###

####
podman.io instead of docker
podman run --rm -it -e LOGLEVEL=debug -e NUM_THREADS=8 -e DNS_SRV001=1.1.1.1 -e DNS_SRV002=8.8.8.8 \
  -e STATS_PORT=7411 -e STATS_USER=test -e STATS_PASSWORD=test -e SERVICE_TCP_PORT=8443 \
  -e SERVICE_NAME=google-mail -e SERVICE_DEST_IP=mail.google.com -e SERVICE_DEST_PORT=443 \
  -e CONFIG_FILE=/mnt/haproxy.cfg -v /tmp/:/mnt/ -p 8443 --expose 8443 --net host \
  me2digital/haproxy-19-boringssl
using CONFIG_FILE :/mnt/haproxy.cfg
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy stats started.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy public_tcp started.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy be_generic_tcp started.
[WARNING] 022/175045 (1) : be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 216.58.207.69 by mydns/dns1.
<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - be_generic_tcp/google-mail changed its IP from 172.217.21.229 to 216.58.207.69 by mydns/dns1.
<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.727] public_tcp public_tcp/<NOSRV> -1/-1/-1/-1/0 0 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"
<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.715] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 502 208 - - SH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
####

I thought that haproxy translates the HTTP/1.1 call to an HTTP/2 call; is this a proper assumption?
What's my mistake? Thanks for help.

Regards
Aleks

On 22.01.2019 at 19:38, Aleksandar Lazic wrote:
> Hi.
>
> I have now built haproxy with boringssl and it looks quite good.
>
> Is it the recommended way to simply make a git clone without any branch or
> tag?
> Does anyone know how the KeyUpdate can be tested?
>
> ###
> HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
>   -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
>   -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
>   -Wno-missing-field-initializers -Wtype-limits -Wshift-negative-value
>   -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
>   OPTIONS = USE_LINUX_SPLICE=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1
>   USE_THREAD=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_TFO=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with OpenSSL version : BoringSSL
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
> Built with Lua version : Lua 5.3.5
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with PCRE2 version : 10.31 2018-02-12
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with multi-threading support.
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>               h2 : mode=HTX        side=FE|BE
>               h2 : mode=HTTP       side=FE
>        <default> : mode=HTX        side=FE|BE
>        <default> : mode=TCP|HTTP   side=FE|BE
>
> Available filters :
>         [SPOE] spoe
>         [COMP] compression
>         [CACHE] cache
>         [TRACE] trace
> ###
>
> I also wanted to run the reg-tests but they fail.
>
> https://gitlab.com/aleks001/haproxy-19-boringssl/-/jobs/149523589
>
> -----
> ...
> + cd /usr/src/haproxy
> + VTEST_PROGRAM=/usr/src/VTest/vtest HAPROXY_PROGRAM=/usr/local/sbin/haproxy make reg-tests
> ...
> ########################## Starting vtest ##########################
> Testing with haproxy version: 1.9.2
> #    top  TEST ./reg-tests/http-rules/h00002.vtc FAILED (0.856) exit=2
> #    top  TEST ./reg-tests/mailers/k_healthcheckmail.vtc FAILED (7.742) exit=2
> #    top  TEST ./reg-tests/log/b00000.vtc TIMED OUT (kill -9)
> #    top  TEST ./reg-tests/log/b00000.vtc FAILED (10.008) signal=9
> #    top  TEST ./reg-tests/http-messaging/h00002.vtc FAILED (0.745) exit=2
> 4 tests failed, 0 tests skipped, 29 tests passed
> ########################## Gathering results ##########################
> ###### Test case: ./reg-tests/log/b00000.vtc ######
> ## test results in: "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.357fd753"
> ###### Test case: ./reg-tests/mailers/k_healthcheckmail.vtc ######
> ## test results in: "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.477fdc0b"
> ---- c2    7.0 EXPECT resp.http.mailsreceived (11) == "16" failed
> ###### Test case: ./reg-tests/http-messaging/h00002.vtc ######
> ## test results in: "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.7aab2925"
> ---- c1h2  0.0 Wrong frame type HEADERS (1) wanted WINDOW_UPDATE
> ###### Test case: ./reg-tests/http-rules/h00002.vtc ######
> ## test results in: "/tmp/haregtests-2019-01-22_18-28-24.aBghMD/vtc.3398.76167f9e"
> ---- s1    0.0 EXPECT req.http.test3maskff (2001:db8:c001:c01a::ffff:10:0) == "2001:db8:c001:c01a:0:ffff:10:0" failed
> make: *** [Makefile:1102: reg-tests] Error 1
> -----
> ###
>
> Has anyone tried to run the tests in a containerized environment?
>
> Regards
> Aleks
>
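The two request lines in the log above carry the answer to "where did the 502 come from" in their termination-state field (PR-- and SH--), which is easy to overlook in the rfc5424 output. The following Python parser reads such lines and decodes those flags; it is an added example written for this page, not code from the post or from HAProxy. The field order follows the httplog format and the flag meanings follow the termination-state table in the HAProxy 1.9 configuration manual; the two sample lines embedded in it are copied from the log output in the post, where the `<30>1 ... - -` prefix is the rfc5424 header produced by `log stdout format rfc5424`. The function names (parse_httplog, explain_termination, summarize) are this example's own.

```python
"""Parse HAProxy 'option httplog' lines and decode their termination state.

Added example; not code from the post or from HAProxy. Field layout follows
the httplog format and the flag meanings follow the termination-state table
of the HAProxy 1.9 configuration manual. SAMPLE_LOG is copied from the post.
"""
import re
from typing import Dict, List, Optional

# Header emitted by "log stdout format rfc5424":
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA, then the message.
RFC5424_PREFIX_RE = re.compile(r"^<\d{1,3}>\d+ (?:\S+ ){6}")

# httplog layout, one line per request:
#   client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
#   captured_request_cookie captured_response_cookie termination_state
#   actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request"
HTTPLOG_RE = re.compile(
    r"^(?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<tstate>[A-Za-z-]{4}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>.*)"$'
)

# First termination-state character: who or what ended the session.
CAUSE = {
    "C": "client aborted the connection",
    "S": "server aborted, closed the connection or sent an invalid response",
    "P": "proxy aborted (invalid request, deny rule or internal limit)",
    "L": "proxy answered locally (stats, redirect, errorfile)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in the proxy",
    "D": "session killed because the server went DOWN",
    "U": "session killed because a backup server came UP",
    "K": "session killed by an administrator",
    "c": "client-side timeout",
    "s": "server-side timeout",
    "-": "normal completion",
}
# Second character: which phase the session was in when it ended.
STATE = {
    "R": "waiting for a complete, valid REQUEST from the client",
    "Q": "waiting in the QUEUE for a connection slot",
    "C": "waiting for the CONNECTION to the server to establish",
    "H": "waiting for or processing response HEADERS from the server",
    "D": "transferring DATA between client and server",
    "L": "transmitting LAST data to the client (local response)",
    "T": "request tarpitted",
    "-": "normal completion after end of data transfer",
}

# Copied from the log output in the post (one non-request line, two request lines).
SAMPLE_LOG = [
    '<29>1 2019-01-23T17:50:45+00:00 doh-001 haproxy 1 - - Proxy public_tcp started.',
    '<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.727] public_tcp public_tcp/<NOSRV> -1/-1/-1/-1/0 0 0 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"',
    '<30>1 2019-01-23T17:50:50+00:00 doh-001 haproxy 1 - - 127.0.0.1:54178 [23/Jan/2019:17:50:50.715] public_tcp be_generic_tcp/google-mail 0/0/13/-1/13 502 208 - - SH-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
]


def parse_httplog(line: str) -> Optional[Dict[str, str]]:
    """Return the httplog fields of one line, or None for non-request lines."""
    payload = RFC5424_PREFIX_RE.sub("", line.strip(), count=1)
    m = HTTPLOG_RE.match(payload)
    return m.groupdict() if m else None


def explain_termination(tstate: str) -> str:
    """Human-readable meaning of the first two termination flags, e.g. 'SH--'."""
    cause = CAUSE.get(tstate[0], "unknown cause %r" % tstate[0])
    state = STATE.get(tstate[1], "unknown phase %r" % tstate[1])
    return "%s: %s, while %s" % (tstate[:2], cause, state)


def summarize(lines: List[str]) -> List[dict]:
    """One record per request line: which server, what HAProxy saw from it, and why it ended."""
    rows = []
    for line in lines:
        f = parse_httplog(line)
        if f is None:
            continue
        rows.append({
            "server": f["server"],
            "status": int(f["status"]),
            "request": f["request"],
            "connect_ms": int(f["Tc"]),   # -1: no connection to the server was attempted/established
            "response_ms": int(f["Tr"]),  # -1: no response headers were received from the server
            "tstate": f["tstate"][:2],
            "meaning": explain_termination(f["tstate"]),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%-12s %3d %-16s Tc=%dms Tr=%dms  %s" % (
            row["server"], row["status"], row["request"],
            row["connect_ms"], row["response_ms"], row["meaning"]))
```

Run against the two request lines, the google-mail row comes out with Tc=13 (the TLS connection was made), Tr=-1 (no response headers ever arrived) and SH, i.e. the server side closed or sent something HAProxy could not parse as a response while HAProxy was waiting for headers; the <NOSRV> row with PR and <BADREQ> is the proxy refusing a request it could not parse, before any server was chosen.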

