derFrisson/haproxy-quic-awslc-rpm
HAProxy QUIC RPM (with AWS-LC)

Automated builds of HAProxy with native QUIC/HTTP3 support using AWS-LC instead of OpenSSL.

Why AWS-LC?

Based on HAProxy's comprehensive SSL stack analysis, AWS-LC provides significant performance advantages.

Key Benefits:

  • ~50% faster than OpenSSL 1.1.1 for TLS resumption
  • 6-9x faster than OpenSSL 3.x in multi-threaded scenarios
  • Linear scalability across all CPU cores (no lock contention)
  • Native QUIC support via BoringSSL-compatible API
  • FIPS-capable (Separate FIPS branches are available from AWS, but these will not be used for these builds)

Quick Start

Option 1: DNF Repository (Recommended)

Add the repository for automatic updates via dnf:

# Add repository
sudo curl -o /etc/yum.repos.d/haproxy-quic.repo \
  https://derFrisson.github.io/haproxy-quic-awslc-rpm/packages/haproxy-quic.repo

# Install HAProxy
sudo dnf install haproxy-quic

# Verify QUIC support
haproxy -vv | grep -E "(QUIC|AWS-LC)"

# Enable and start
sudo systemctl enable --now haproxy

Updates will be available automatically via dnf update.

Option 2: Manual Download

# Download latest release (check releases page for current version)
curl -LO https://github.com/derFrisson/haproxy-quic-awslc-rpm/releases/latest/download/haproxy-quic-3.3.2-1.el10.x86_64.rpm

# Or browse all releases
# https://github.com/derFrisson/haproxy-quic-awslc-rpm/releases

# Install
sudo dnf localinstall -y haproxy-quic-*.rpm

# Verify QUIC support
haproxy -vv | grep -E "(QUIC|AWS-LC)"

# Enable and start
sudo systemctl enable --now haproxy
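The "Verify QUIC support" step in both install options greps haproxy -vv, which prints matching lines but never fails: a binary built without QUIC still lists "-QUIC" in its feature list, so the grep matches either way. The script below is an added example (not part of this repository) that turns the same output into a pass/fail check; the two haproxy -vv samples are constructed to mirror the real layout and are not captured from these packages.

```shell
#!/bin/sh
# verify-quic-build.sh: pass/fail check that the installed haproxy
# binary carries QUIC support and links against AWS-LC, based on
# the same "haproxy -vv" output the README greps.

# Reads "haproxy -vv" output on stdin; returns 0 only when all
# three markers are present.
verify_quic_build() {
    out=$(cat)
    status=0
    if ! printf '%s\n' "$out" | grep -Eq '^Feature list[[:space:]]*:.*\+QUIC( |$)'; then
        echo "FAIL: not built with USE_QUIC=1 (+QUIC missing from feature list)" >&2
        status=1
    fi
    if ! printf '%s\n' "$out" | grep -Eq '^Built with OpenSSL version[[:space:]]*:[[:space:]]*AWS-LC'; then
        echo "FAIL: not linked against AWS-LC" >&2
        status=1
    fi
    if ! printf '%s\n' "$out" | grep -Eq '^[[:space:]]*quic[[:space:]]*:.*mux=QUIC'; then
        echo "FAIL: QUIC multiplexer not registered" >&2
        status=1
    fi
    return "$status"
}

# Constructed samples modelled on the layout of real "haproxy -vv"
# output (not captured from this project's packages).
SAMPLE_OK='HAProxy version 3.3.2
Build options :
  OPTIONS = USE_OPENSSL_AWSLC=1 USE_LUA=1 USE_PCRE2=1 USE_QUIC=1 USE_PROMEX=1 USE_SYSTEMD=1
Feature list : +LUA +OPENSSL_AWSLC +PCRE2 +PROMEX +QUIC +SYSTEMD
Built with OpenSSL version : AWS-LC 0.0.0-sample
Running on OpenSSL version : AWS-LC 0.0.0-sample
Available multiplexer protocols :
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG'

# A stock OpenSSL build without QUIC, for the negative case.
SAMPLE_BAD='HAProxy version 3.3.2
Feature list : +LUA +OPENSSL +PCRE2 -QUIC
Built with OpenSSL version : OpenSSL 3.2.2-sample
Available multiplexer protocols :
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG'

# Live check against the installed binary; skipped if haproxy is absent.
if command -v haproxy >/dev/null 2>&1; then
    haproxy -vv | verify_quic_build && echo "OK: QUIC and AWS-LC present"
fi
```

Run it after installing the RPM; a non-zero exit means the package in use is not the QUIC/AWS-LC build this repository produces.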

Firewall Configuration (for QUIC/HTTP3)

# QUIC uses UDP port 443
sudo firewall-cmd --permanent --add-port=443/udp
sudo firewall-cmd --reload

Features

  • Native QUIC/HTTP3 - Full protocol support without patches
  • AWS-LC crypto - High-performance cryptographic library
  • Optimal performance - Built for maximum multi-threaded scalability
  • Prometheus metrics - Built-in /metrics endpoint
  • Lua scripting - Full Lua 5.4 support
  • PCRE2 regex - Modern regex engine
  • systemd integration - Native service management

Example HAProxy Configuration (HTTP/3)

Create /etc/haproxy/haproxy.cfg:

global
    log stdout format raw local0
    maxconn 50000

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3

    # Advertise HTTP/3 support
    http-response add-header alt-svc 'h3=":443"; ma=86400'

    default_backend servers

backend servers
    server web1 127.0.0.1:8080 check

Automatic Updates

This repository automatically checks for new HAProxy and AWS-LC releases every Sunday and triggers a new build if updates are available.

Component   Current            Check Source
HAProxy     See versions.json  haproxy.org (dynamic branch discovery)
AWS-LC      See versions.json  GitHub Releases

Update Script

For existing installations, use the interactive update script (note: configuration changes may be needed when updating HAProxy versions):

# Download and run the update script
curl -LO https://raw.githubusercontent.com/derFrisson/haproxy-quic-awslc-rpm/main/scripts/update-haproxy.sh
chmod +x update-haproxy.sh
./update-haproxy.sh

Interactive Mode (Default)

When run without flags, the script will prompt you to choose an installation method:

  • Option 1: DNF Repository (Recommended) - Sets up automatic updates via dnf update
  • Option 2: Manual Download - One-time installation from GitHub releases

Command-Line Flags

# Interactive choice (default)
./update-haproxy.sh

# Force DNF repository installation
./update-haproxy.sh --repo

# Force manual download and install
./update-haproxy.sh --manual

# Force reinstall current version
./update-haproxy.sh --force

# Combine flags
./update-haproxy.sh --repo --force

Behavior

  • DNF repo already configured: Automatically uses repository for updates
  • First-time users: Prompted to choose installation method
  • Repository method: Future updates via sudo dnf update haproxy-quic
  • Manual method: Run script again to check for new versions

Manual Build Trigger

  1. Go to Actions > Build HAProxy QUIC RPM
  2. Click Run workflow
  3. Enter desired HAProxy and AWS-LC versions
  4. Click Run workflow

Build Details

Dependencies Built

  • AWS-LC - Compiled with:
    • BUILD_SHARED_LIBS=ON
    • CMAKE_BUILD_TYPE=Release
    • Installed to /opt/haproxy-ssl
  • HAProxy - Compiled with:
    • USE_QUIC=1 - QUIC protocol support
    • USE_OPENSSL_AWSLC=1 - AWS-LC compatibility
    • USE_PROMEX=1 - Prometheus exporter
    • USE_LUA=1 - Lua scripting
    • USE_PCRE2=1 - PCRE2 regex
    • USE_SYSTEMD=1 - systemd integration

Target Platform

  • Rocky Linux 10 / RHEL 10 / AlmaLinux 10
  • x86_64 architecture

Performance Notes

This build uses AWS-LC, which provides exceptional multi-threaded performance with linear scalability across all CPU cores and no lock contention; the packages are compiled with a modern toolchain for optimal performance.

Security

The CI/CD pipeline includes several security measures:

  • All GitHub Actions pinned to full SHA (not version tags)
  • Source downloads verified with SHA256 checksums when available
  • Build verification fails if QUIC support is missing
  • Explicit secret passing (no secrets: inherit)

References

License

  • HAProxy: GPLv2+
  • AWS-LC: Apache 2.0 + ISC
  • This build configuration: MIT
