Christoph Kukulies k...@kukulies.org
> On 08.11.2023 at 14:04, Frederic Lecaille <flecai...@haproxy.com> wrote:
>
> On 11/8/23 13:37, Frederic Lecaille wrote:
>> On 11/8/23 11:27, Christoph Kukulies wrote:
>>> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol
>>> family 2 for address 'quic4@0.0.0.0:4>
>>> Nov 08 11:16:54 mail.
>>>
>>>
>>> I'm using sample.haproxy.cfg from Shawn's haproxy-scripts and there the line:
>>>
>>> bind quic4@0.0.0.0:443 name quic443 ssl crt crt
>>> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves
>>> secp521r1:secp384r1
>>>
>>> --
>>> Christoph
>>>
>>>
>> Hello,
>>
>> 0.0.0.0 special address has been forbidden for QUIC bindings. Have a
>> look at the "bind" keyword documentation.
>>
>> Regards,
>>
>> Fred.
>>
>
> After having checked with Amaury, the issue is in the documentation
> which is not up-to-date. 0.0.0.0 binding address should be supported by our
> QUIC implementation.
>
> That said, I do not know what haproxy version you are using. The last
> 2.8 version accepts to bind such addresses.
>

I posted the output of haproxy -vv (on demand of William Lallemand). Maybe you overlooked it:

root@mail:~/haproxy-scripts# /usr/local/sbin/haproxy -vv
HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html
Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = native
  CC      = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
  DEBUG   =

And the install script installed the following config file (kindly overwriting my own config, thank you :-( ):

global
    maxconn 64
    daemon
    log 127.0.0.1 len 65535 format rfc5424 local0
    log 127.0.0.1 len 65535 format rfc5424 local1 notice

defaults
    log global
    option httplog
    mode http
    timeout connect 5s
    timeout client 15s
    timeout server 120s
    timeout http-keep-alive 5s
    timeout check 9990

frontend web80
    bind 0.0.0.0:80 name web80
    default_backend be-local-81

frontend web
    description One frontend to rule them all
    bind 0.0.0.0:443 name web443 ssl crt /etc/ssl/certs/local/selfsigned.pem alpn h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/ssl/certs/local/selfsigned.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
    http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
    default_backend be-local-81
    stats enable
    stats uri /hapeek
    stats refresh 15

backend be-local-81
    option httpchk
    server localhost 127.0.0.1:81

which leads to haproxy failing on startup:

Nov 8 16:38:28 mail haproxy[101582]: [ALERT] (101582) : parsing [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for address 'quic4@0.0.0.0:443'

So what can I do about it other than trusting upon the scripts and configs to work? Or ask here for help?