Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-09 Thread Christoph Kukulies



> Am 08.11.2023 um 21:29 schrieb Shawn Heisey :
> 
> On 11/8/23 10:11, Christoph Kukulies wrote:
>> frontend web80
>> bind 0.0.0.0:80 name web80
>> default_backend be-local-81
> 
> Normally you definitely would not want this in your production config... 
> typically any request coming in on port 80 should be redirected to https 
> without ever being sent to a backend webserver.
> 

Hi Shawn,

thanks. I was aware of this, of course. I just wanted to use it to verify the
bind quic4 syntax, which my haproxy was failing on
for now-known reasons (wrong binary on my side).

But thanks again for explaining and supporting.

--
Christoph

> That config is only useful as-is for my CI pipeline.  I have updated it so 
> it's much more in line with how my production setup is configured. This is 
> how I configure port 80:
> 
> frontend web80
>     description Redirect to https
>     bind 0.0.0.0:80 name web80
>     redirect scheme https
>     default_backend be_deny
> 
> backend be_deny
>     description Back end with no servers that denies all requests.
>     no log
>     log 127.0.0.1 len 65535 format rfc5424 local0 notice err
>     http-request deny
> 
> Thanks,
> Shawn
> 
> 





Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Shawn Heisey

On 11/8/23 10:11, Christoph Kukulies wrote:

> frontend web80
>         bind 0.0.0.0:80 name web80
>         default_backend be-local-81


Normally you definitely would not want this in your production config... 
typically any request coming in on port 80 should be redirected to https 
without ever being sent to a backend webserver.


That config is only useful as-is for my CI pipeline.  I have updated it 
so it's much more in line with how my production setup is configured. 
This is how I configure port 80:


frontend web80
    description Redirect to https
    bind 0.0.0.0:80 name web80
    redirect scheme https
    default_backend be_deny

backend be_deny
    description Back end with no servers that denies all requests.
    no log
    log 127.0.0.1 len 65535 format rfc5424 local0 notice err
    http-request deny

Thanks,
Shawn




Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Christoph Kukulies
I found the problem - thanks to your (Amaury) remark about the particular
error message:
The Ubuntu service I was starting referred to the binary /usr/sbin/haproxy
while the built binary was installed in /usr/local/sbin/haproxy.

Not the noble way, but I replaced the old binary with the new one and the
config file works.

Apologies for the confusion I have caused.

--
Christoph


> Am 08.11.2023 um 17:52 schrieb Amaury Denoyelle :
> 
> On Wed, Nov 08, 2023 at 04:42:00PM +0100, Christoph Kukulies wrote:
>> Christoph Kukulies
>> k...@kukulies.org
>> 
>> [...]
>> which leads to haproxy failing on startup:
>> Nov  8 16:38:28 mail haproxy[101582]: [ALERT](101582) : parsing 
>> [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
>> address 'quic4@0.0.0.0:443'
>> So what can I do about it other than trusting upon the scripts and configs 
>> to work? Or ask here for help?
> 
> This particular error message "unsupported protocol family" has been
> removed in haproxy 2.6. Looks like you did not run the correct binary as
> this does not correspond to the version reported by -vv. Have you
> made sure to run the binary directly on the command line using an absolute
> path?
> 
> -- 
> Amaury Denoyelle





Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Christoph Kukulies
I just ran the script in Shawn's haproxy-scripts/deployci

root@mail:~/haproxy-scripts# ls
apache2ci-haproxy-cfg.txt   deploycifixperms   git-quictls  
install-haproxy-service  new-haproxy  old_docker-ci.yml  prep-source  
repo_overrides   sample.haproxy.cfg  sync_from_creator
check_for_updates  common-functions.sh  Dockerfile  fullstack  haproxy-2.8  
new.gitlab-ci.ymlnew-quic opensslREADME.md
sample.crt-list.txt  selfsigned.pem
root@mail:~/haproxy-scripts# /usr/local/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg
Configuration file is valid

/etc/haproxy/haproxy.cfg:


global
    maxconn 64
    daemon
    log 127.0.0.1 len 65535 format rfc5424 local0
    log 127.0.0.1 len 65535 format rfc5424 local1 notice


defaults
    log global
    option httplog
    mode http
    timeout connect 5s
    timeout client  15s
    timeout server  120s
    timeout http-keep-alive 5s
    timeout check   9990


frontend web80
    bind 0.0.0.0:80 name web80
    default_backend be-local-81

frontend web
    description One frontend to rule them all
    bind 0.0.0.0:443 name web443 ssl crt /etc/haproxy/fullchain.pem alpn h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/haproxy/fullchain.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
    http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
    default_backend be-local-81
    stats enable
    stats uri /hapeek
    stats refresh 15

backend be-local-81
    option httpchk
    server localhost 127.0.0.1:81

> Am 08.11.2023 um 17:39 schrieb William Lallemand :
> 
> On Wed, Nov 08, 2023 at 04:42:00PM +0100, Christoph Kukulies wrote:
>> 
>> I posted the output of haproxy -vv (on demand of William Lallemand). Maybe 
>> you overlooked it:
>> 
> 
> That's weird, it shouldn't behave like this and I couldn't reproduce at
> all.
> 
>> root@mail:~/haproxy-scripts#  /usr/local/sbin/haproxy -vv
>> HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/ 
>> 
>> Status: long-term supported branch - will stop receiving fixes around Q2 
>> 2028.
>> Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html 
>> 
>> Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 
>> 2023 x86_64
>> Build options :
>>  TARGET  = linux-glibc
>>  CPU = native
>>  CC  = cc
>>  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
>> -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
>> -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
>> -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label 
>> -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
>> -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int 
>> -Wno-atomic-alignment
>>  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
>>  DEBUG   = 
>> 
>> 
>> And the install script installed the following config file (kindly 
>> overwriting my own config, thank you :-(. )
>> 
> 
> You should probably use a packaged version of haproxy.
> 
>> global
>>     maxconn 64
>>     daemon
>>     log 127.0.0.1 len 65535 format rfc5424 local0
>>     log 127.0.0.1 len 65535 format rfc5424 local1 notice
>> 
>> 
>> defaults
>>     log global
>>     option httplog
>>     mode http
>>     timeout connect 5s
>>     timeout client  15s
>>     timeout server  120s
>>     timeout http-keep-alive 5s
>>     timeout check   9990
>> 
>> 
>> frontend web80
>>     bind 0.0.0.0:80 name web80
>>     default_backend be-local-81
>> 
>> frontend web
>>     description One frontend to rule them all
>>     bind 0.0.0.0:443 name web443 ssl crt /etc/ssl/certs/local/selfsigned.pem alpn h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
>>     bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/ssl/certs/local/selfsigned.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
>>     http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
>>     default_backend be-local-81
>>     stats enable
>>     stats uri /hapeek
>>     stats refresh 15
>> 
>> backend be-local-81
>>     option httpchk
>>     server localhost 127.0.0.1:81
>> 
>> 
>> which leads to haproxy failing on startup:
>> 
>> Nov  8 16:38:28 mail haproxy[101582]: [ALERT](101582) : parsing 
>> [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
>> address 'quic4@0.0.0.0:443'
>> 
>> 

Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Amaury Denoyelle
On Wed, Nov 08, 2023 at 04:42:00PM +0100, Christoph Kukulies wrote:
> Christoph Kukulies
> k...@kukulies.org
> 
> [...]
> which leads to haproxy failing on startup:
> Nov  8 16:38:28 mail haproxy[101582]: [ALERT](101582) : parsing 
> [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
> address 'quic4@0.0.0.0:443'
>  So what can I do about it other than trusting upon the scripts and configs 
> to work? Or ask here for help?

This particular error message "unsupported protocol family" has been
removed in haproxy 2.6. Looks like you did not run the correct binary as
this does not correspond to the version reported by -vv. Have you
made sure to run the binary directly on the command line using an absolute
path?

-- 
Amaury Denoyelle
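
Added example (not part of the original thread, and not code from haproxy-scripts): a POSIX shell check for the situation diagnosed above, where the systemd unit starts a different haproxy binary than the one validated by hand. The unit text, the older version banner and all function names are constructed for illustration; the two paths and the 2.8.3 banner are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the haproxy binary that a
# systemd unit starts with the one validated by hand on the command line.

# Print the binary named by the last ExecStart= line of the unit text on
# stdin (a drop-in may reset and redefine it, so the last one wins).
unit_exec_path() {
    sed -n 's/^ExecStart=[-@:+!]*\([^ ]*\).*/\1/p' | tail -n 1
}

# Print the numeric version ("2.8.3") from "haproxy -v" or "-vv" output.
haproxy_version() {
    sed -n 's/^HA-\{0,1\}Proxy version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 (e.g. 2.4.22) is lower than major.minor $2.
older_than() {
    v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
    w_major=${2%%.*}; w_minor=${2#*.}
    [ "$v_major" -lt "$w_major" ] ||
        { [ "$v_major" -eq "$w_major" ] && [ "$v_minor" -lt "$w_minor" ]; }
}

# diagnose SERVICE_PATH SERVICE_BANNER CLI_PATH CLI_BANNER -> one verdict line
diagnose() {
    svc_ver=$(printf '%s\n' "$2" | haproxy_version)
    cli_ver=$(printf '%s\n' "$4" | haproxy_version)
    if [ -z "$svc_ver" ] || [ -z "$cli_ver" ]; then
        echo "UNKNOWN: no version banner from $1 or $3"
    elif [ "$svc_ver" = "$cli_ver" ]; then
        echo "OK: $1 and $3 both report $svc_ver"
    elif older_than "$svc_ver" 2.6; then
        # Per the thread, the "unsupported protocol family" alert was
        # removed in 2.6, so a pre-2.6 service binary explains it.
        echo "MISMATCH: service runs $1 ($svc_ver, pre-2.6) but $3 is $cli_ver"
    else
        echo "MISMATCH: service runs $1 ($svc_ver) but $3 is $cli_ver"
    fi
}

# Constructed unit text in the shape of a packaged haproxy.service.
SAMPLE_UNIT='[Service]
EnvironmentFile=-/etc/default/haproxy
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS'
# Banner of the hand-built binary, as quoted in the thread.
BUILT_BANNER='HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/'
# Constructed banner for an older packaged binary (the version is made up).
OLD_BANNER='HAProxy version 2.4.0 2000/01/01 - constructed sample'

svc=$(printf '%s\n' "$SAMPLE_UNIT" | unit_exec_path)
diagnose "$svc" "$OLD_BANNER" /usr/local/sbin/haproxy "$BUILT_BANNER"

# Live use on a systemd host (the unit name "haproxy" is an assumption):
#   svc=$(systemctl cat haproxy | unit_exec_path)
#   diagnose "$svc" "$("$svc" -v)" /usr/local/sbin/haproxy \
#       "$(/usr/local/sbin/haproxy -v)"
```
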



Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Shawn Heisey

On 11/8/23 05:37, Frederic Lecaille wrote:

> 0.0.0.0 special address has been forbidden for QUIC bindings. Have a
> look to "bind" keyword documentation.


My gitlab CI/CD pipeline for this project uses 0.0.0.0 in the bind line 
and it passes.  The pipeline uses a special curl with HTTP3 support to 
validate that HTTP3 actually functions.  The gitlab-runner VM only has 
one IP address.


There's really only a problem with 0.0.0.0 if the system has multiple IP 
addresses on the NIC ... and that is due to a quirk of UDP that I'm 
pretty sure haproxy cannot fix.


Thanks,
Shawn




Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread William Lallemand
On Wed, Nov 08, 2023 at 04:42:00PM +0100, Christoph Kukulies wrote:
> 
> I posted the output of haproxy -vv (on demand of William Lallemand). Maybe 
> you overlooked it:
> 

That's weird, it shouldn't behave like this and I couldn't reproduce at
all.

> root@mail:~/haproxy-scripts#  /usr/local/sbin/haproxy -vv
> HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/ 
> 
> Status: long-term supported branch - will stop receiving fixes around Q2 2028.
> Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html 
> 
> Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 
> 2023 x86_64
> Build options :
>   TARGET  = linux-glibc
>   CPU = native
>   CC  = cc
>   CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
> -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
> -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
> -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label 
> -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
> -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int 
> -Wno-atomic-alignment
>   OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
>   DEBUG   = 
> 
> 
> And the install script installed the following config file (kindly 
> overwriting my own config, thank you :-(. )
>

You should probably use a packaged version of haproxy.

> global
> maxconn 64
> daemon
> log 127.0.0.1 len 65535 format rfc5424 local0
> log 127.0.0.1 len 65535 format rfc5424 local1 notice
> 
> 
> defaults
> log global
> option httplog
> mode http
> timeout connect 5s
> timeout client  15s
> timeout server  120s
> timeout http-keep-alive 5s
> timeout check   9990
> 
> 
> frontend web80
> bind 0.0.0.0:80 name web80
> default_backend be-local-81
> 
> frontend web
> description One frontend to rule them all
> bind 0.0.0.0:443 name web443 ssl crt 
> /etc/ssl/certs/local/selfsigned.pem alpn h2,http/1.1 npn h2,http/1.1 
> allow-0rtt curves secp521r1:secp384r1
> bind quic4@0.0.0.0:443 name quic443 ssl crt 
> /etc/ssl/certs/local/selfsigned.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn 
> h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
> http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; 
> ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; 
> ma=7200,quic=":443"; ma=7200'
> default_backend be-local-81
> stats enable
> stats uri /hapeek
> stats refresh 15
> 
> backend be-local-81
> option httpchk
> server localhost 127.0.0.1:81
> 
> 
> which leads to haproxy failing on startup:
> 
> Nov  8 16:38:28 mail haproxy[101582]: [ALERT](101582) : parsing 
> [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
> address 'quic4@0.0.0.0:443'
> 
>  So what can I do about it other than trusting upon the scripts and configs 
> to work? Or ask here for help?


I don't know how you are running your configuration, and what your
scripts do.

I can't reproduce the problem at all with the given configuration.

How are you starting haproxy?

Could you run `/usr/local/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg` ? 

-- 
William Lallemand



Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Christoph Kukulies

Christoph Kukulies
k...@kukulies.org



> Am 08.11.2023 um 14:04 schrieb Frederic Lecaille :
> 
> On 11/8/23 13:37, Frederic Lecaille wrote:
>> On 11/8/23 11:27, Christoph Kukulies wrote:
>>> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol
>>> family 2 for address 'quic4@0.0.0.0 :4>
>>> Nov 08 11:16:54 mail.
>>> 
>>> 
>>> I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:
>>> 
>>> bind quic4@0.0.0.0 :443 name quic443 ssl crt crt
>>> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves
>>> secp521r1:secp384r1
>>> 
>>> --
>>> Christoph
>>> 
>>> 
>> Hello,
>> 
>> 0.0.0.0 special address has been forbidden for QUIC bindings. Have a
>> look to "bind" keyword documentation.
>> 
>> Regards,
>> 
>> Fred.
>> 
> 
> After having checked with Amaury, the issue is in the documentation
> which is not up-to-date. 0.0.0.0 binding address should be supported by our
> QUIC implementation.
> 
> That said, I do not know what haproxy version you are using. The last
> 2.8 version accepts to bind such addresses.
> 
> 


I posted the output of haproxy -vv (on demand of William Lallemand). Maybe you 
overlooked it:


root@mail:~/haproxy-scripts#  /usr/local/sbin/haproxy -vv
HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/ 

Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html 

Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 
x86_64
Build options :
  TARGET  = linux-glibc
  CPU = native
  CC  = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference 
-fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare 
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers 
-Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
  DEBUG   = 


And the install script installed the following config file (kindly overwriting 
my own config, thank you :-(. )

global
    maxconn 64
    daemon
    log 127.0.0.1 len 65535 format rfc5424 local0
    log 127.0.0.1 len 65535 format rfc5424 local1 notice


defaults
    log global
    option httplog
    mode http
    timeout connect 5s
    timeout client  15s
    timeout server  120s
    timeout http-keep-alive 5s
    timeout check   9990


frontend web80
    bind 0.0.0.0:80 name web80
    default_backend be-local-81

frontend web
    description One frontend to rule them all
    bind 0.0.0.0:443 name web443 ssl crt /etc/ssl/certs/local/selfsigned.pem alpn h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/ssl/certs/local/selfsigned.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
    http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'
    default_backend be-local-81
    stats enable
    stats uri /hapeek
    stats refresh 15

backend be-local-81
    option httpchk
    server localhost 127.0.0.1:81


which leads to haproxy failing on startup:

Nov  8 16:38:28 mail haproxy[101582]: [ALERT](101582) : parsing 
[/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
address 'quic4@0.0.0.0:443'

 So what can I do about it other than trusting upon the scripts and configs to 
work? Or ask here for help?



Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Frederic Lecaille
On 11/8/23 13:37, Frederic Lecaille wrote:
> On 11/8/23 11:27, Christoph Kukulies wrote:
>> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol
>> family 2 for address 'quic4@0.0.0.0 :4>
>> Nov 08 11:16:54 mail.
>>
>>
>> I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:
>>
>> bind quic4@0.0.0.0 :443 name quic443 ssl crt crt
>> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves
>> secp521r1:secp384r1
>>
>> --
>> Christoph
>>
>>
> Hello,
> 
> 0.0.0.0 special address has been forbidden for QUIC bindings. Have a
> look to "bind" keyword documentation.
> 
> Regards,
> 
> Fred.
>

After having checked with Amaury, the issue is in the documentation
which is not up-to-date. 0.0.0.0 binding address should be supported by our
QUIC implementation.

That said, I do not know what haproxy version you are using. The last
2.8 version accepts to bind such addresses.





Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Frederic Lecaille
On 11/8/23 11:27, Christoph Kukulies wrote:
> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol
> family 2 for address 'quic4@0.0.0.0 :4>
> Nov 08 11:16:54 mail.
> 
> 
> I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:
> 
> bind quic4@0.0.0.0 :443 name quic443 ssl crt crt
> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves
> secp521r1:secp384r1
> 
> --
> Christoph
> 
> 
Hello,

0.0.0.0 special address has been forbidden for QUIC bindings. Have a
look to "bind" keyword documentation.

Regards,

Fred.



Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Christoph Kukulies
Believe so:


root@mail:~/haproxy-scripts#  /usr/local/sbin/haproxy -vv
HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html
Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 2023 
x86_64
Build options :
  TARGET  = linux-glibc
  CPU = native
  CC  = cc
  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
-Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
-Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference 
-fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare 
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers 
-Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
  DEBUG   = 

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H 
-DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC 
+LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING 
+NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 
+PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL -PROMEX -PTHREAD_EMULATION +QUIC 
-QUIC_OPENSSL_COMPAT +RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 
+SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 3.1.4+quic 24 Oct 2023
Running on OpenSSL version : OpenSSL 3.1.4+quic 24 Oct 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with network namespace support.
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), 
raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT 
IP_FREEBIND
Built with PCRE2 version : 10.39 2021-10-29
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.4.0

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace

root@mail:~/haproxy-scripts# 


> Am 08.11.2023 um 11:43 schrieb William Lallemand :
> 
> On Wed, Nov 08, 2023 at 11:27:49AM +0100, Christoph Kukulies wrote:
>> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol family 
>> 2 for address 'quic4@0.0.0.0:4>
>> Nov 08 11:16:54 mail.
>> 
>> 
>> I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:
>> 
>> bind quic4@0.0.0.0:443 name quic443 ssl crt crt 
>> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves 
>> secp521r1:secp384r1
>> 
>> --
>> Christoph
>> 
>> 
> 
> Did you compile haproxy with USE_QUIC=1? look at haproxy -vv to check if
> you have quic support.
> 
> 
> -- 
> William Lallemand





Re: unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread William Lallemand
On Wed, Nov 08, 2023 at 11:27:49AM +0100, Christoph Kukulies wrote:
> parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol family 
> 2 for address 'quic4@0.0.0.0:4>
> Nov 08 11:16:54 mail.
> 
> 
> I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:
> 
> bind quic4@0.0.0.0:443 name quic443 ssl crt crt 
> /etc/haproxy/fullchain.pemproto quic alpn h3 npn h3 allow-0rtt curves 
> secp521r1:secp384r1
> 
> --
> Christoph
> 
> 

Did you compile haproxy with USE_QUIC=1? look at haproxy -vv to check if
you have quic support.


-- 
William Lallemand



unsupported protocol family 2 for address 'quic4@0.0.0.0:4

2023-11-08 Thread Christoph Kukulies
parsing [/etc/haproxy/haproxy.cfg:60] : 'bind' : unsupported protocol family 2 
for address 'quic4@0.0.0.0:4>
Nov 08 11:16:54 mail.


I'm using sample.haproxy.cfg from Shawns haproxy-scripts and there the line:

bind quic4@0.0.0.0:443 name quic443 ssl crt crt /etc/haproxy/fullchain.pemproto 
quic alpn h3 npn h3 allow-0rtt curves secp521r1:secp384r1

--
Christoph



