HAProxy allow using new HTTP/3 and QUIC support in the MVC GUI

Started by FireKahuna, July 18, 2024, 05:27:17 AM

HAProxy 2.6+ has support for using QUIC and HTTP/3, and checking 'haproxy -vv' shows it is compiled with support for it in OPNsense; however, the GUI atm blocks the use of these protocols. It seems simple to fix but the xml just needs to be edited. Can the GUI restrictions be adjusted for 24.7 by chance? More extended support and such could definitely come later, it just would be nice to be able to type these options in without a block.

Example is given here: https://www.haproxy.com/blog/how-to-enable-quic-load-balancing-on-haproxy

frontend fe
  mode http
  bind :80
  bind :443  ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
  bind quic4@:443 ssl crt /mycert.pem alpn h3

  http-request redirect scheme https unless { ssl_fc }

  http-after-response add-header alt-svc 'h3=":443"; ma=60'


So for OPNsense, looking at this: https://github.com/opnsense/plugins/blob/master/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

                <bind type="CSVListField">
                    <Required>Y</Required>
                    <multiple>Y</multiple>
                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
                    <ChangeCase>lower</ChangeCase>
                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                </bind>

In here it needs to support quic4@ and quic6@ alongside unix@. This alone would allow binding QUIC connections; then the only other core piece is the following:

                    <OptionValues>
                        <h2>HTTP/2</h2>
                        <http11>HTTP/1.1</http11>
                        <http10>HTTP/1.0</http10>
                    </OptionValues>


The correct route is to have <h3>HTTP/3</h3> added as a valid option as well. Then have h3 only appear on bind lines starting with quic and not appear on lines that don't start with quic. If substring = QUIC, h3. If NOT quic, ALPN options. Might not even need h3 as a typable option that way actually. That + quic4/6 would allow a config matching what they provided by adding the rest of the example as conditions/option pass-through.

Though that can be done later, even simply having quic4/6 be supported syntax-wise would be a great start to configuring a working QUIC setup.
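
The mask check discussed in the first post, as an added example that is not part of the original post or the plugin's code: it runs the quoted mask and a hypothetical candidate with an optional `quic4@`/`quic6@` prefix over constructed listen addresses. It assumes the validator accepts a value only when the match covers the whole string; `CANDIDATE_MASK`, `accepts` and `compare` are illustrative names.

```python
import re

# Mask copied from the <bind> field quoted above (PHP delimiters and /u flag dropped).
CURRENT_MASK = (r"^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?"
                r"|unix@[0-9a-z_\-]+)([,]){0,1}))*")

# Hypothetical candidate, NOT the plugin's actual change: the same mask with an
# optional quic4@/quic6@ prefix in front of the address:port alternative.
CANDIDATE_MASK = (r"^(((quic[46]@)?[0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?"
                  r"|unix@[0-9a-z_\-]+)([,]){0,1})*")


def accepts(mask, value):
    """Assumed validator behaviour: the match must cover the whole value.

    The mask has no '$' anchor and ends in '*', so a bare match would
    succeed (possibly with an empty match) on any input.
    """
    value = value.lower()  # the field sets <ChangeCase>lower</ChangeCase>
    m = re.match(mask, value)
    return m is not None and m.group(0) == value


# Constructed sample values for the "Listen Addresses" field.
SAMPLES = [
    "127.0.0.1:8080",
    "[::1]:8080",
    "127.0.0.1:1220-1240",
    "unix@socket-name",
    "quic4@0.0.0.0:443",
    "quic6@[::]:443",
    "0.0.0.0:80,quic4@0.0.0.0:443",
    "quic4@:443",                # bare-port form used in the HAProxy example
    "quic5@0.0.0.0:443",         # not a valid QUIC prefix
    "0.0.0.0:443 accept-proxy",  # extra bind keywords must stay out of this field
]


def compare(samples=SAMPLES):
    """Return {value: (accepted_by_current, accepted_by_candidate)}."""
    return {s: (accepts(CURRENT_MASK, s), accepts(CANDIDATE_MASK, s))
            for s in samples}


if __name__ == "__main__":
    for value, (cur, cand) in compare().items():
        print(f"{value!r:32} current={cur!s:5} candidate={cand}")
```

Under that assumption the bare-port form `quic4@:443` is still rejected by the candidate, just as `:443` is by the current mask, because both require an address before the port.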

Can confirm this is still not allowed by the GUI; any use of quic in Listen Addresses is blocked by the syntax rules (doesn't allow quic4@ or quic6@).

Has QUIC support already been integrated into the GUI of OPNsense version 25.1.2? Or is there a schedule for the future implementation?

...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Unless someone does a feature request on Github, probably not. See point 19 here.


Quote from: meyergru on March 04, 2025, 11:39:31 AM
Unless someone does a feature request on Github, probably not. See point 19 here.



In my view there is one: https://github.com/opnsense/plugins/issues/4411
From Daniel -dev22:
Does this mean we can use quic now with haproxy?

I know a freebsd issue was holding it up. But that seems to be resolved now.
#4341 (comment)