Re: some QUIC questions
On Mon, May 06, 2024 at 08:16:34PM +0200, Björn Jacke wrote: > On 06.05.24 15:34, Shawn Heisey wrote: > > On 5/6/24 06:02, Björn Jacke wrote: > > > frontend ft_443 > > > bind :::443 ssl crt /ssl/combined.pem > > > bind quic6@:443 ssl crt /ssl/combined.pem alpn h3 > > > option tcp-smart-accept > > > http-after-response add-header alt-svc 'h3=":443"; ma=600; > > > persistent=1' > > > > > > > frontend ft_quic_test > > > mode tcp > > > bind quic6@:443 ssl crt /ssl/combined.pem > > > use_backend local_smb > > > > > this results in this config check error thoug: > > > > > [ALERT] (3611777) : config : frontend 'ft_quic_test' : MUX > > > protocol 'quic' is not usable for 'bind quic6@:443' at > > > [/etc/haproxy/ haproxy.cfg:73]. > > > > > So a setup like this is not supported by HAProxy's QUIC > > > implementation currently, right? Is QUIC in HAProxy HTTP3 only for > > > now?\ > > > The alpn on the first config snippet only includes h3, not quic. Here > > are alpn and npn settings that allow some of the quic protocol > > variations as well as h3 itself: > for the http frontend sniplet h3 as only alpn protocol was intended. It > turned out to be a firewall causing making haproxy "ignore" the incoming > quic traffic, sorry for not finding that earlier. > Continuing the test with connection migration on network changes showed that > connection migration is not working. I'm not sure though if none of the > browsers do really support this or if this not being supported on the > haproxy server side. Does any of the QUIC experts here have some insights on > that? Indeed haproxy currently does not implement connection migration. For now, haproxy will silently ignored datagrams received for a known connection on another network endpoint. We have started to talk about it so it's definitely on our roadmap. But first we have to update our documentation to reflect the current state. > > The second one is a tcp frontend ... I feel pretty sure that h3/quic > > requires http in the frontend, not tcp. > but for any non-http protocol using QUIC as transport layer a http type > frontend is obviously not the right choice. > So let me ask the question differently: is QUIC support in haproxy currently > only targeting at http3 support or is generic QUIC transport also on the > agenda? From the docs I can't find much about non-http related QUIC support. For the moment, QUIC in haproxy is only usable in HTTP mode with either HTTP/3 or HTTP/0.9. The last one is reserved for testing for interop testing and ensure we can use multiple application protocols. As such, it could be possible to support non-http protocols without too much work. The biggest constraint for now is the lack of testing client. But if have a working setup for this, do not hesitate to share it with us it would be extremely useful. -- Amaury Denoyelle
Re: some QUIC questions
On 06.05.24 15:34, Shawn Heisey wrote: On 5/6/24 06:02, Björn Jacke wrote: frontend ft_443 bind :::443 ssl crt /ssl/combined.pem bind quic6@:443 ssl crt /ssl/combined.pem alpn h3 option tcp-smart-accept http-after-response add-header alt-svc 'h3=":443"; ma=600; persistent=1' frontend ft_quic_test mode tcp bind quic6@:443 ssl crt /ssl/combined.pem use_backend local_smb this results in this config check error thoug: [ALERT] (3611777) : config : frontend 'ft_quic_test' : MUX protocol 'quic' is not usable for 'bind quic6@:443' at [/etc/haproxy/ haproxy.cfg:73]. So a setup like this is not supported by HAProxy's QUIC implementation currently, right? Is QUIC in HAProxy HTTP3 only for now?\ The alpn on the first config snippet only includes h3, not quic. Here are alpn and npn settings that allow some of the quic protocol variations as well as h3 itself: for the http frontend sniplet h3 as only alpn protocol was intended. It turned out to be a firewall causing making haproxy "ignore" the incoming quic traffic, sorry for not finding that earlier. Continuing the test with connection migration on network changes showed that connection migration is not working. I'm not sure though if none of the browsers do really support this or if this not being supported on the haproxy server side. Does any of the QUIC experts here have some insights on that? The second one is a tcp frontend ... I feel pretty sure that h3/quic requires http in the frontend, not tcp. but for any non-http protocol using QUIC as transport layer a http type frontend is obviously not the right choice. So let me ask the question differently: is QUIC support in haproxy currently only targeting at http3 support or is generic QUIC transport also on the agenda? From the docs I can't find much about non-http related QUIC support. Thank you Björn
Re: some QUIC questions
On 5/6/24 06:02, Björn Jacke wrote: frontend ft_443 bind :::443 ssl crt /ssl/combined.pem bind quic6@:443 ssl crt /ssl/combined.pem alpn h3 option tcp-smart-accept http-after-response add-header alt-svc 'h3=":443"; ma=600; persistent=1' frontend ft_quic_test mode tcp bind quic6@:443 ssl crt /ssl/combined.pem use_backend local_smb this results in this config check error thoug: [ALERT] (3611777) : config : frontend 'ft_quic_test' : MUX protocol 'quic' is not usable for 'bind quic6@:443' at [/etc/haproxy/ haproxy.cfg:73]. So a setup like this is not supported by HAProxy's QUIC implementation currently, right? Is QUIC in HAProxy HTTP3 only for now?\ The alpn on the first config snippet only includes h3, not quic. Here are alpn and npn settings that allow some of the quic protocol variations as well as h3 itself: alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 The second one is a tcp frontend ... I feel pretty sure that h3/quic requires http in the frontend, not tcp. Thanks, Shawn
some QUIC questions
Hi, now that HAProxy 2.9 from haproxy.debian.net is usabel with QUIC if you (with limited-quic), I finylly gave it a try. I set extended my http frontend accordingly like this: frontend ft_443 bind :::443 ssl crt /ssl/combined.pem bind quic6@:443 ssl crt /ssl/combined.pem alpn h3 option tcp-smart-accept http-after-response add-header alt-svc 'h3=":443"; ma=600; persistent=1' This is on current Debian bookwork with HAProxy 2.9.7 from haproxy.debian.net and openssl 3.0.11 from Debian. http3 was working successfully in first tests. Later on I wanted to test if QUIC connection migration (switching network conenctions without breaking the established QUIC conncection) is working properly. This didn't work for me so I stated up tcpdump on the server. What I saw was explaining why connection migration could not work. The HAProxy box was receiving initial QUIC packages on port 443 but it was not replying them in any way. From tcpdump's output I could see that some other hosts had obviously been successfully connected via QUIC though. The ignored QUIC requests also don't pop up in haproxy's log. Has anybody seen similar problems? I'm also not sure if this is a problem related to HAProxy or openssl here? I suspect HAProxy? Another thing that I wanted to give a try is see if haproxy could be used as a helper to implement SMB over QUIC. The straght forward idea would be to set up a tcp frontend with a QUIC listener and a backend routing the tcp traffic to a Samba server: frontend ft_quic_test mode tcp bind quic6@:443 ssl crt /ssl/combined.pem use_backend local_smb this results in this config check error thoug: [ALERT](3611777) : config : frontend 'ft_quic_test' : MUX protocol 'quic' is not usable for 'bind quic6@:443' at [/etc/haproxy/haproxy.cfg:73]. So a setup like this is not supported by HAProxy's QUIC implementation currently, right? Is QUIC in HAProxy HTTP3 only for now? Cheers Björn