How to Enable QUIC Load Balancing on HAProxy

HTTP/3 is the latest generation of the HTTP protocol, and its ability to serve applications over QUIC offers several advantages for user experience, including reduced latency, improved reliability, and faster page loading as a result of fixing the head-of-line blocking issue in previous versions of HTTP.

Both HAProxy and HAProxy Enterprise offer support for using HTTP/3 over QUIC, although the steps for enabling QUIC in HAProxy and HAProxy Enterprise are different. In this blog post, we outline the steps to get started and the reasons why users are choosing to serve applications using HTTP/3 over QUIC.

Support for QUIC With HAProxy & HAProxy Enterprise

HAProxy Enterprise and HAProxy ALOHA are among the first enterprise-class load balancers to enable QUIC traffic in production environments.

Support for HTTP/3 over QUIC was first introduced in HAProxy 2.5 and was fully realized in the recent release of HAProxy Enterprise 2.7 and HAProxy ALOHA 15. Support has moved well beyond the experimental stages to become a viable and recommended protocol for serving applications.

In our community version, users must provide a compatible TLS library and recompile HAProxy to enable QUIC with mandatory TLS. HAProxy Enterprise, on the other hand, allows users to start using QUIC quickly (pun intended) by packaging a special TLS library that adds the APIs necessary for integration with QUIC.

Why Should You Use HTTP/3 Over QUIC?

HTTP/3 is the latest iteration of the HTTP protocol with one fundamental difference: streams and flow control, which were introduced in HTTP/2, have been moved outside of HTTP to the new lower transport protocol called QUIC.

[Figure: difference between QUIC and TCP]

As discussed in our HAProxy Enterprise 2.7 and ALOHA 15 announcement, QUIC is a new transport protocol implemented on top of UDP to facilitate its deployment. By that, we mean that the network stacks implemented by the various operating systems do not need to understand QUIC. They only need to understand UDP. The application layer—in this case, HAProxy—processes the QUIC protocol. QUIC is reliable and connection-oriented, offers congestion and flow control, prevents head-of-line blocking issues, reduces latency, and supports connection migration.

How to Enable QUIC in HAProxy

In the community version of HAProxy, QUIC is not compiled in by default. To enable it, you need to build HAProxy from source with QUIC support turned on and link it against a TLS library that exposes the API QUIC needs.

The most significant step is to select and include a compatible TLS library. Stock OpenSSL does not expose the TLS API that QUIC requires, so it cannot be used on its own. We recommend quictls instead, a fork of OpenSSL that adds the QUIC-compatible API. Use quictls 1.1.1 because there is performance degradation in quictls 3.0. Keep in mind that a TLS library you build yourself is also one you must patch yourself: distribution package updates will never touch /opt/quictls, so track quictls releases and rebuild it (and restart HAProxy) when OpenSSL security fixes are published. Follow these instructions to build a functional quictls library:

$ sudo apt update
$ sudo apt install -y \
ca-certificates \
gcc \
git \
libc6-dev \
liblua5.3-dev \
libpcre3-dev \
libssl-dev \
libsystemd-dev \
make \
zlib1g-dev
$ cd ~
$ git clone https://github.com/quictls/openssl
$ cd openssl
$ git checkout OpenSSL_1_1_1t+quic
$ sudo mkdir -p /opt/quictls
$ ./Configure --libdir=lib --prefix=/opt/quictls
$ make
$ sudo make install

When building HAProxy, point it at the quictls headers and libraries with SSL_INC and SSL_LIB. We also recommend embedding the quictls location in the binary via rpath (the LDFLAGS line below), so that at run time the dynamic loader resolves libssl and libcrypto from /opt/quictls/lib instead of picking up the distribution's OpenSSL, which lacks the QUIC API.

$ cd ~
$ git clone https://github.com/haproxy/haproxy.git
$ cd haproxy
$ git checkout v2.7.0
$ make TARGET=linux-glibc \
USE_LUA=1 \
USE_PCRE=1 \
USE_ZLIB=1 \
USE_SYSTEMD=1 \
USE_PROMEX=1 \
USE_QUIC=1 \
USE_OPENSSL=1 \
SSL_INC=/opt/quictls/include \
SSL_LIB=/opt/quictls/lib \
LDFLAGS="-Wl,-rpath,/opt/quictls/lib"
$ sudo make install-bin
$ cd admin/systemd
$ sudo make haproxy.service
$ sudo cp ./haproxy.service /etc/systemd/system/
$ sudo mkdir -p /etc/haproxy
$ sudo mkdir -p /run/haproxy
$ sudo touch /etc/haproxy/haproxy.cfg
$ sudo systemctl enable haproxy
$ sudo systemctl start haproxy
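Before writing any configuration, confirm that the binary you just installed really carries QUIC and is loading quictls rather than the system OpenSSL at run time. The following check is an added example, not part of the original post or of the HAProxy project; it parses the output of `haproxy -vv` read from standard input, so it can be exercised offline against the constructed samples included below, and in practice you run `haproxy -vv | check_quic_build` on the new build.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an installed
# haproxy binary has QUIC compiled in and is linked against quictls.
# Reads `haproxy -vv` output from stdin; usage: haproxy -vv | check_quic_build

check_quic_build() {
    vv=$(cat)

    # USE_QUIC=1 shows up as "+QUIC" in the feature list (a disabled
    # feature is printed with a leading "-").
    printf '%s\n' "$vv" | grep -Eq '^Feature list *:.*[[:space:]][+]QUIC([[:space:]]|$)' \
        || { echo "FAIL: QUIC not in feature list (rebuild with USE_QUIC=1)"; return 1; }

    # quictls identifies itself with a "+quic" suffix on the OpenSSL version.
    printf '%s\n' "$vv" | grep -Eq '^Built with OpenSSL version *: *OpenSSL [0-9.]+[a-z]?[+]quic' \
        || { echo "FAIL: compiled against a TLS library without the QUIC API"; return 1; }

    # The library actually loaded at run time must be quictls as well; if the
    # rpath was left out of LDFLAGS, the loader may pick the system libssl and
    # this line will show a version without the "+quic" suffix.
    printf '%s\n' "$vv" | grep -Eq '^Running on OpenSSL version *: *OpenSSL [0-9.]+[a-z]?[+]quic' \
        || { echo "FAIL: runtime libssl is not quictls (check -Wl,-rpath and ldd)"; return 1; }

    echo "OK: QUIC-capable build linked against quictls"
}

# Constructed samples of the relevant `haproxy -vv` lines (not output
# captured from a real system), used to exercise the check without a binary.
sample_good_vv() {
    cat <<'EOF'
HAProxy version 2.7.0 2022/12/01 - https://haproxy.org/
Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE +THREAD +OPENSSL +LUA +ZLIB +SYSTEMD +QUIC +PROMEX
Built with OpenSSL version : OpenSSL 1.1.1t+quic  7 Feb 2023
Running on OpenSSL version : OpenSSL 1.1.1t+quic  7 Feb 2023
EOF
}

# Same build, but the loader resolved the distribution's libssl: the
# "Running on" line no longer carries "+quic".
sample_system_openssl_vv() {
    cat <<'EOF'
HAProxy version 2.7.0 2022/12/01 - https://haproxy.org/
Feature list : +EPOLL -KQUEUE +NETFILTER +PCRE +THREAD +OPENSSL +LUA +ZLIB +SYSTEMD +QUIC +PROMEX
Built with OpenSSL version : OpenSSL 1.1.1t+quic  7 Feb 2023
Running on OpenSSL version : OpenSSL 1.1.1n  15 Mar 2022
EOF
}
```

A mismatch between the "Built with" and "Running on" lines is the symptom to look for when HAProxy was built correctly but QUIC listeners still fail to start: it means the rpath (or an equivalent LD_LIBRARY_PATH or ldconfig entry) is not pointing the loader at /opt/quictls/lib.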

After compiling HAProxy with QUIC support, enable QUIC in the HAProxy configuration. To enable QUIC, you must:

  1. Instantiate a listener whose address carries the special prefix quic4@ or quic6@, depending on whether the listening address will use IPv4 or IPv6. This listener is a UDP socket, so it can share port 443 with the existing TCP/TLS listener.

  2. Configure TLS on this bind line as QUIC mandates encryption. The application protocol will be selected through TLS ALPN negotiation. The only value currently supported is h3.

The following configuration is enough to test QUIC. Because browsers cannot automatically discover the new QUIC endpoint, we announce its availability through the Alt-Svc HTTP response header.

Here is the configuration snippet:

frontend fe
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2
    bind quic4@:443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h3
    http-request redirect scheme https unless { ssl_fc }
    http-after-response add-header alt-svc 'h3=":443"; ma=60'

In this configuration, three listeners are available. On the first visit, a web browser connects with plaintext HTTP/1.1 to port 80. HAProxy redirects it to https on port 443, where TLS ALPN negotiation selects HTTP/2. The response carries the Alt-Svc header, which tells the browser that the same origin is also reachable over HTTP/3 on UDP port 443, and subsequent requests are carried on a new QUIC connection. Because QUIC is always encrypted, ssl_fc is also true on the QUIC listener, so the redirect rule does not loop. In this example, the Alt-Svc entry is marked valid for 60 seconds (ma=60); once it expires, the browser falls back to HTTP/2 until it sees the header again. A low value like this is suitable when first testing and can be increased once QUIC works as intended.

Web browsers are extremely conservative in their QUIC usage. If they encounter an unexpected error on the QUIC connection, or the endpoint is no longer reachable, they revert to an older version of HTTP and stay on it until their internal back-off expires. Some browsers add further restrictions and will not use QUIC, for example, on ports other than 443 or with a self-signed certificate. A common reason for QUIC silently never being used is a firewall or cloud security group that allows TCP 443 but not UDP 443: make sure UDP port 443 is open end to end.
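The snippet above is the minimum needed to see QUIC working. The configuration below is an expanded version added here as an example; it is not taken from the original post or from HAProxy's own documentation. It uses one valid certificate for both listeners (browsers refuse QUIC on self-signed or mismatched certificates), advertises HTTP/3 only on TLS responses, and adds the QUIC-specific global settings a practitioner would want before exposing a UDP listener to the internet. The certificate path, the backend address, the cluster-secret value and the tune.* numbers are placeholders to be replaced for your environment.

```haproxy
global
    # Added example, not from the original post. The cluster-secret value is a
    # placeholder: the HAProxy docs state that Retry tokens are derived from it
    # and that retry-threshold is silently ignored without one.
    cluster-secret replace-with-a-random-secret
    # Switch all QUIC listeners to stateless Retry (client address validation)
    # once this many half-open handshakes exist, so a flood of spoofed Initial
    # packets cannot use the listener as a UDP amplifier. Value assumed.
    tune.quic.retry-threshold 100
    # Limit what an idle or greedy QUIC client can hold open. Values assumed.
    tune.quic.frontend.max-idle-timeout 30s
    tune.quic.frontend.max-streams-bidi 100

frontend fe
    mode http
    bind :80
    # The same certificate on the TCP/TLS and the QUIC listener. Offer h2 and
    # http/1.1 over TCP, and h3 (the only supported value) over QUIC.
    bind :443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/foo.com/cert.crt alpn h3
    # QUIC is always TLS, so ssl_fc is true on the QUIC listener as well and
    # this rule only ever fires for the plaintext port 80 listener.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Advertise HTTP/3 only on encrypted responses; keep ma low while testing
    # and raise it once QUIC is confirmed to work.
    http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }
    default_backend servers

backend servers
    # Placeholder backend address.
    server app1 192.0.2.10:8080 check
```

After reloading, check that both sockets are bound with `ss -tulnp | grep ':443'` (you should see a tcp and a udp entry), and remember that UDP 443 must be permitted by every firewall and security group between the client and the load balancer; a curl built with HTTP/3 support can exercise the UDP path directly with `curl --http3 -sI https://foo.com/`.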

How to Enable QUIC in HAProxy Enterprise

HAProxy Enterprise and HAProxy ALOHA can also send and receive HTTP/3 messages over the QUIC protocol.

While the community version requires users to source a compatible TLS library and recompile HAProxy, HAProxy ALOHA 15.0 comes with the required library, and HAProxy Enterprise provides a specialized install package that includes it. This lets users get started fast without needing to source a compatible TLS library.

Conclusion

Following these steps will allow users to get started with serving applications using HTTP/3 over QUIC. From increased reliability to a reduction of head-of-line blocking issues, QUIC offers benefits for your infrastructure and application delivery.
