Feature #14423
openhaproxy 2.7 QUIC support (+ maybe LUA 5.4?)
0%
Description
Hello,
I appreciate all pfSense+ updates and the efforts the Team is doing (I am a relatively new user, but I am advocating your software router solution, so I hope your sales will grow in my home country).
I am especially grateful for the latest pfSense+ R2305 release and the upgraded haproxy component (v2.7.6).
However, you seem to compile haproxy without QUIC/h3 support. Is there any reason for that?
Will QUIC/h3 be supported by pfSense+? When do you plan such a feature?
haproxy info - pfSense+ 23.05:
[23.05-RELEASE][somebody@router.domain.com]/root: haproxy -vv
HAProxy version 2.7.6-4dadaaa 2023/03/28 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2024.
Known bugs: http://www.haproxy.org/bugs/bugs-2.7.6.html
Running on: FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05-n256102-7cd3d043045: Mon May 22 15:33:52 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/obj/amd64/LkEyii3W/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/sources/FreeBS amd64
Build options :
TARGET = freebsd
CPU = generic
CC = cc
CFLAGS = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wnull-dereference -fwrapv -Wno-unknown-warning-option -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DFREEBSD_PORTS
OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_STATIC_PCRE=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_PROMEX=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE +LIBCRYPT -LINUX_SPLICE -LINUX_TPROXY +LUA -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT +PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC -RT +SHM_OPEN -SLZ +STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=4).
Built with OpenSSL version : OpenSSL 1.1.1t-freebsd 7 Feb 2023
Running on OpenSSL version : OpenSSL 1.1.1t-freebsd 7 Feb 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.13
Running on zlib version : 1.2.13
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE version : 8.45 2021-06-15
Running on PCRE version : 8.45 2021-06-15
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with clang compiler version 15.0.7 (https://github.com/llvm/llvm-project.git llvmorg-15.0.7-0-g8dfdcc7b7bf6)
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use kqueue.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
1. I understand that QUIC/H3 is currently not supported in R2305 (not seeing USE_QUIC=1 / seeing -QUIC).
2. I am unable to input something like "quic4@80.xx.yy.zz" or "quic4" in the current web GUI.
3. I tried "Advanced Pass Through" option in frontend, eg.
bind quic4@80.xx.yy.zz:443 name quic4@80.xx.yy.zz:443 ssl crt-list /var/etc/haproxy/shared-https-80.xx.yy.zz.crt_list alpn h3
but I got:
"Errors found while starting haproxy
[NOTICE] (31671) : haproxy version is 2.7.6-4dadaaa
[NOTICE] (31671) : path to executable is /usr/local/sbin/haproxy
[ALERT] (31671) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:239] : 'bind' : unsupported stream protocol for datagram family 2 address 'quic4@80.xx.yy.zz:443'; QUIC is not compiled in if this is what you were looking for.
[ALERT] (31671) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
[ALERT] (31671) : config : Fatal errors found in configuration. "
I hope you will support QUIC/h3 in haproxy. GUI support seems less important to me than the real haproxy feature/compile flag, although it would be nice to support the "new options".
I am asking for only one reason: SMB over QUIC in Windows Server 2022. Perhaps there are more use cases of QUIC, but this one seems "interesting" and easily implementable with Windows 11 clients to me.
Finally (unrelated question): do you plan to build haproxy against LUA 5.4? Please upgrade if possible. I like haproxy in my router much.
Kind regards,
Pawel
Updated by Jim Pingle over 1 year ago
- Project changed from pfSense Plus to pfSense Packages
- Category changed from Operating System to haproxy
- Release Notes deleted (Default)
Updated by Torben Hørup over 1 year ago
Pawel Piaskowy wrote:
Hello,
I appreciate all pfSense+ updates and the efforts the Team is doing (I am a relatively new user, but I am advocating your software router solution, so I hope your sales will grow in my home country).
I am especially grateful for the latest pfSense+ R2305 release and the upgraded haproxy component (v2.7.6). However, you seem to compile haproxy without QUIC/h3 support. Is there any reason for that?
Will QUIC/h3 be supported by pfSense+? When do you plan such a feature?
The biggest problem with H3 is to find a stable TLS implementation that supports QUIC.
Upstream OpenSSL doesn't have it yet - and it seems like it won't have it until OpenSSL 3.3 (see https://github.com/openssl/openssl/issues/20265).
You might want to read this comment from the haproxy lead as well: https://github.com/haproxy/haproxy/issues/680#issuecomment-1433118828
There are patches and forks, though, that implement it - but I don't suspect that the Netgate people are willing to switch.
And I don't think that pfSense should switch to an OpenSSL 3.x until they have fixed some of the performance degradations they introduced:
https://github.com/haproxy/haproxy/issues/2121#issuecomment-1507954575
Updated by Pawel Piaskowy 1 day ago
Hello,
Time flies and we now have OpenSSL 3.4, which will be supported until 22nd October 2026. That date is past the OpenSSL 3.0 support date - 7th September 2026.
Do you think that https://cgit.freebsd.org/ports/tree/security/openssl34 and https://cgit.freebsd.org/ports/tree/security/openssl-oqsprovider could be incorporated into pfSense+?
+ QUIC added to the haproxy build :)
That would be an awesome feature in 2026 (QUIC + post-quantum ciphers).
=====================================================================================
Guys did you add USE_QUIC=1 to haproxy?
[24.11-RELEASE][admin@router.com]/root: haproxy --v
HAProxy version 2.9.11-3c54f78 2024/09/19 - https://haproxy.org/
...
OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_QUIC=1 USE_PROMEX=1 USE_STATIC_PCRE=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
...
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
quic : mode=HTTP side=FE mux=QUIC flags=HTX|NO_UPG|FRAMED
...
I need to give it a try, but I do not expect much with OpenSSL 3.0.14 (QUIC TLS is fully supported from 3.4?)
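Added example (not code from this ticket or from pfSense/haproxy): a small check that reads `haproxy -vv` output and tells you, before you paste a `quic4@` bind into the "Advanced pass through" box, whether the build will accept it, as in the 23.05 failure quoted in the description and the 24.11 compat build quoted above. The `-vv` excerpts are constructed and abbreviated from the two outputs in this thread; the `limited-quic` global keyword and the `alt-svc` advertisement are haproxy's documented way of running QUIC on an OpenSSL-compat build and of letting clients discover h3, and are assumptions not taken from this ticket.

```python
import re
# Constructed, abbreviated `haproxy -vv` excerpts: 23.05 (-QUIC) and 24.11 (USE_QUIC_OPENSSL_COMPAT=1).
VV_23_05 = """HAProxy version 2.7.6-4dadaaa 2023/03/28 - https://haproxy.org/
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_PROMEX=1
Feature list : -51DEGREES +ACCEPT4 +LUA +OPENSSL -QUIC +THREAD +ZLIB
Running on OpenSSL version : OpenSSL 1.1.1t-freebsd 7 Feb 2023
"""
VV_24_11 = """HAProxy version 2.9.11-3c54f78 2024/09/19 - https://haproxy.org/
  OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_QUIC=1 USE_QUIC_OPENSSL_COMPAT=1
Feature list : +ACCEPT4 +LUA +OPENSSL +QUIC +THREAD +ZLIB
Running on OpenSSL version : OpenSSL 3.0.14 4 Jun 2024
"""
COMPAT = "USE_QUIC_OPENSSL_COMPAT=1"

def parse_haproxy_vv(text):
    """Pull out the build facts that decide whether a 'bind quic4@...' line can work."""
    info = {"options": set(), "features": {}, "openssl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("OPTIONS = "):
            info["options"] = set(line[len("OPTIONS = "):].split())
        elif line.startswith("Feature list : "):
            # tokens look like +QUIC / -QUIC; a leading '+' means compiled in
            for tok in line[len("Feature list : "):].split():
                info["features"][tok[1:]] = tok.startswith("+")
        elif line.startswith("Running on OpenSSL version : "):
            m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", line)
            info["openssl"] = tuple(map(int, m.groups())) if m else None
    return info

def quic_readiness(info):
    """Return (bind_accepted, notes): is 'bind quic4@...' accepted, and with which caveats."""
    if not info["features"].get("QUIC"):
        return False, ["-QUIC: 'bind quic4@...' is rejected at config parse time"]
    notes = ["quic mux is HTTP-only (mode=HTTP side=FE): it terminates HTTP/3, not raw QUIC"]
    if COMPAT in info["options"]:
        notes.append("OpenSSL compat layer: 'limited-quic' required in global, 0-RTT unavailable")
    return True, notes

def suggest_config(info, addr, crt_list):
    """Lines for the 'Advanced pass through' boxes that match this build; h3 only if compiled in."""
    ok, _ = quic_readiness(info)
    cfg = {"global": [], "frontend": [f"bind {addr}:443 ssl crt-list {crt_list} alpn h2,http/1.1"]}
    if ok:
        if COMPAT in info["options"]:
            cfg["global"].append("limited-quic")  # assumed: haproxy's switch for QUIC on non-QUIC OpenSSL
        cfg["frontend"].append(f"bind quic4@{addr}:443 ssl crt-list {crt_list} alpn h3")
        cfg["frontend"].append("http-response set-header alt-svc 'h3=\":443\"; ma=900'")  # advertise h3
    return cfg
```

Feed it the real `haproxy -vv` output from the box instead of the constructed samples; the 23.05 sample reproduces the "QUIC is not compiled in" rejection, the 24.11 sample yields the compat-layer caveats.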