Re: haproxy 2.6.0 and quic

2022-06-15 Thread Amaury Denoyelle
On Fri, Jun 03, 2022 at 07:08:43AM -0600, Shawn Heisey wrote:
> [...]
> A word of warning that you would probably also get from the devs here: 
> HTTP3/QUIC support is still new and not entirely working. I have it
> configured and it only works correctly for VERY simple websites.  Any
> complex webapp I try it on will fail in some way, but if I disable HTTP3 and
> use HTTP2, it works.
> 

Hi,

I just wanted to let you and other QUIC enthusiasts know that I
found a defect in the haproxy QPACK implementation which prevented
decrypting some headers. The fix has been merged and it helped greatly in
my test with a nextcloud instance.

Of course, I still have some other issues and unexpected behavior, but
if you have the time, do not hesitate to test the development version and
give us your thoughts. As an alternative, we will probably soon release a
2.6.1 with the first batch of QUIC issues resolved so far.

Regards,

-- 
Amaury Denoyelle



Re: haproxy 2.6.0 and quic

2022-06-03 Thread Shawn Heisey

On 6/3/22 06:47, Markus Rietzler wrote:

my build command was

make TARGET=linux-glibc USE_OPENSSL=1 SSL_INC=/opt/quictls/include 
SSL_LIB=/opt/quictls/lib64 LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" 
ADDLIB="-lz -ldl" USE_ZLIB=1 USE_PCRE=1 USE_PCRE=yes USE_LUA=1 
LUA_LIB_NAME=lua5.3  LUA_INC=/usr/include/lua5.3 ;


You will need to add USE_QUIC=1 to the build flags.  A small note: you 
have USE_PCRE twice.  IMHO, you should install PCRE2 and configure 
USE_PCRE2_JIT=1 instead.  The original PCRE library isn't being 
maintained; only version 2 will see bugfixes.


A word of warning that you would probably also get from the devs here:  
HTTP3/QUIC support is still new and not entirely working. I have it 
configured and it only works correctly for VERY simple websites.  Any 
complex webapp I try it on will fail in some way, but if I disable HTTP3 
and use HTTP2, it works.


Thanks,
Shawn




Re: haproxy 2.6.0 and quic

2022-06-03 Thread Jarno Huuskonen
Hi,

On Fri, 2022-06-03 at 14:47 +0200, Markus Rietzler wrote:
> 
> Hi,
> 
> we are using haproxy 2.4.17 at the moment. I have compiled haproxy 2.6
> with QUIC support and quictls
> 
> when I now check my config I get
> 
> /opt/haproxy-260# /opt/haproxy-260/sbin/haproxy -c -f haproxy.cfg
> [NOTICE]   (35905) : haproxy version is 2.6.0-a1efc04
> [NOTICE]   (35905) : path to executable is /opt/haproxy-260/sbin/haproxy
> [WARNING]  (35905) : config : parsing [haproxy.cfg:100]: 'log-format'
> overrides previous 'option httplog' in 'defaults' 
> section.
> [ALERT]    (35905) : config : parsing [haproxy.cfg:213] : 'bind' :
> unsupported stream protocol for datagram family 2 
> address 'quic4@:4443'; QUIC is not compiled in if this is what you were
> looking for.

I don't think you've QUIC support compiled. I think you're missing
USE_QUIC=1 build option.

> 
> my build command was
> 
> make TARGET=linux-glibc USE_OPENSSL=1 SSL_INC=/opt/quictls/include
> SSL_LIB=/opt/quictls/lib64 
> LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" ADDLIB="-lz -ldl" USE_ZLIB=1
> USE_PCRE=1 USE_PCRE=yes USE_LUA=1 
> LUA_LIB_NAME=lua5.3  LUA_INC=/usr/include/lua5.3 ;
> 
> 
> -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING

-QUIC --> QUIC support missing.

-Jarno

-- 
Jarno Huuskonen
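Putting Shawn's and Jarno's advice together as a shell snippet. This is an added example, not code from the thread or from the haproxy project: the make line is the poster's with USE_QUIC=1 added and the duplicated USE_PCRE replaced by PCRE2 with JIT; the quic_compiled_in and config_uses_quic_bind helpers, the preflight wrapper and the helper names are assumptions made for this example. The check joins the (possibly wrapped) "Feature list" line of `haproxy -vv` and looks for the +QUIC token, so a deploy script can refuse a quic4@ bind on a binary built with -QUIC before handing the config to haproxy -c.

```shell
#!/bin/sh
# Added example, not from the thread or the haproxy project.
# Build haproxy 2.6 against quictls with QUIC enabled, then verify that the
# resulting binary really advertises +QUIC before a config with quic@ binds
# is shipped to it. The /opt/quictls paths come from the thread; the helper
# names below are assumptions made for this example.

# Corrected build line: USE_QUIC=1 added, the duplicated USE_PCRE=1/USE_PCRE=yes
# replaced by PCRE2 with JIT. Run from the haproxy source tree.
build_haproxy_quic() {
    make TARGET=linux-glibc \
        USE_OPENSSL=1 SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib64 \
        LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" \
        USE_QUIC=1 \
        USE_ZLIB=1 ADDLIB="-lz -ldl" \
        USE_PCRE2=1 USE_PCRE2_JIT=1 \
        USE_LUA=1 LUA_LIB_NAME=lua5.3 LUA_INC=/usr/include/lua5.3
}

# Read `haproxy -vv` output on stdin and return 0 only if the Feature list
# contains the +QUIC token (-QUIC, as in the thread, returns 1). The feature
# list may be wrapped over several lines, so everything from "Feature list"
# up to the next blank line is joined before matching.
quic_compiled_in() {
    awk '
        /^Feature list/      { infl = 1 }
        infl && /^[ \t]*$/   { infl = 0 }
        infl                 { buf = buf " " $0 }
        END { exit !(buf ~ /[ \t][+]QUIC([ \t]|$)/) }
    '
}

# Read a haproxy config on stdin and return 0 if any bind line uses the
# quic@/quic4@/quic6@ address prefix.
config_uses_quic_bind() {
    grep -Eq '^[ \t]*bind[ \t]+quic[46]?@'
}

# Preflight for a deploy script: refuse to hand a QUIC config to a binary
# that cannot parse it, then run haproxy's own config check.
preflight() {
    bin="$1"; cfg="$2"
    if config_uses_quic_bind < "$cfg" && ! "$bin" -vv | quic_compiled_in; then
        echo "$cfg has quic@ binds but $bin was built without QUIC (rebuild with USE_QUIC=1)" >&2
        return 1
    fi
    "$bin" -c -f "$cfg"
}
```

Usage: `preflight /opt/haproxy-260/sbin/haproxy haproxy.cfg`. On the binary from the thread this fails with the rebuild hint instead of the less obvious "unsupported stream protocol for datagram family 2" alert.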



haproxy 2.6.0 and quic

2022-06-03 Thread Markus Rietzler



Hi,

We are using haproxy 2.4.17 at the moment. I have compiled haproxy 2.6 with 
QUIC support and quictls.

When I now check my config I get

/opt/haproxy-260# /opt/haproxy-260/sbin/haproxy -c -f haproxy.cfg
[NOTICE]   (35905) : haproxy version is 2.6.0-a1efc04
[NOTICE]   (35905) : path to executable is /opt/haproxy-260/sbin/haproxy
[WARNING]  (35905) : config : parsing [haproxy.cfg:100]: 'log-format' overrides previous 'option httplog' in 'defaults' section.
[ALERT]    (35905) : config : parsing [haproxy.cfg:213] : 'bind' : unsupported stream protocol for datagram family 2 address 'quic4@:4443'; QUIC is not compiled in if this is what you were looking for.
[ALERT]    (35905) : config : Error(s) found in configuration file : haproxy.cfg
[ALERT]    (35905) : config : Fatal errors found in configuration.

the bind part looks like


frontend https
    bind 12.34.56.79:4443 ssl crt /opt/haproxy/haproxy.ssl.crt crt /opt/haproxy/domain.pem crt /opt/haproxy/domain2.pem alpn h2,http/1.1

    # enables HTTP/3 over QUIC
    bind quic4@:4443 ssl crt /opt/haproxy/haproxy.ssl.crt crt /opt/haproxy/domain.pem crt /opt/haproxy/domain2.pem alpn h3


Could it be a problem with my network setup?

I have two network cards in my VM, one for internal and one for external 
connections.

The external connection has two virtual IP addresses:


2: eth0:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
link/ether 02:01:4d:66:f4:62 brd ff:ff:ff:ff:ff:ff
inet 46.16.79.137/24 brd 46.16.79.137 scope global eth0
   valid_lft forever preferred_lft forever
inet 46.16.74.36/32 scope global eth0
   valid_lft forever preferred_lft forever
inet6 fe80::1:4dff:fe66:f462/64 scope link
   valid_lft forever preferred_lft forever




my build command was

make TARGET=linux-glibc USE_OPENSSL=1 SSL_INC=/opt/quictls/include SSL_LIB=/opt/quictls/lib64 
LDFLAGS="-Wl,-rpath,/opt/quictls/lib64" ADDLIB="-lz -ldl" USE_ZLIB=1 USE_PCRE=1 USE_PCRE=yes USE_LUA=1 
LUA_LIB_NAME=lua5.3  LUA_INC=/usr/include/lua5.3 ;




HAProxy version 2.6.0-a1efc04 2022/05/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.0.html
Running on: Linux Ubuntu
Build options :
  TARGET  = linux-glibc
  CPU = generic
  CC  = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -fwrapv 
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
-Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment

  OPTIONS = USE_PCRE=yes USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE -PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE 
-STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 
-CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL 
-PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 3.0.3+quic 3 May 2022
Running on OpenSSL version : OpenSSL 3.0.3+quic 3 May 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 
Running on zlib version : 
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with PCRE version : 
Running on PCRE version : 
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version ...

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace