    HAProxy QUIC support

    Cache/Proxy
    j.koopmann

      Hi,

      I installed 23.01, also in order to get the latest HAProxy and set up QUIC. However, haproxy -vv shows

      Feature list : -EPOLL +KQUEUE -NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL +THREAD -BACKTRACE +STATIC_PCRE -STATIC_PCRE2 +TPROXY -LINUX_TPROXY -LINUX_SPLICE +LIBCRYPT -CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 +CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY -TFO -NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER -PRCTL +PROCCTL -THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING
      

      and

      OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_STATIC_PCRE=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_PROMEX=1
      

      so QUIC does not seem to be compiled into the package. Is there any way to change that?

      Regards
      JP

      senseivita @j.koopmann

        @j-koopmann You don't need to, it's already there:
        [screenshot: Screen_Shot_2023-03-03_at_13_45_05_PM-2.png]

        You do need to add the FreeBSD repos, though, and you're likely going to lose the GUI, and there's no saying what's going to happen during config changes if you don't remove pfSense's version of HAProxy first, because it gets its config from /cf/conf/config.xml, which is updated every time you make a change. The reverse is true as well: if you edit that file, the changes are reflected immediately on pfSense. It's pretty cool to test live… if you have snapshots or an editor with undo capabilities.

        In /usr/local/etc/pkg/repos/, edit FreeBSD.conf and pfSense.conf, change no to yes, and that's it. You'll know what I'm talking about when you open the files.

        If you decide to do it:
        run edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file.

        or:
        vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode. Don't try deleting forward or beyond the end/beginning of the line; it's very easy to switch out of insert mode (which should be shown the whole time at the bottom of the window/screen), at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file.

        Really long sidenote: do you really want to support QUIC, though? Right now you can't control it effectively because it's encrypted, and it can be used as a conduit for DoH, which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies; it requires more resources on both servers and clients; and, being based on UDP, it has the same issues UDP has. As for the advantages, I don't even remember what they were, but they are minimal compared to HTTP/2 over its predecessor. It sets a pathway for a dark future where you'll just have to MITM everything; manufacturers already refuse to let users/admins install custom certs, and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry, who in turn will blame IT. In the case of home users, "IT" is the guy/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.

        Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

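The check in the first post (reading haproxy -vv for a +QUIC feature flag) and the repo-file edit described in the reply, written out as a small POSIX sh script. This is an added example and not code from either poster or from Netgate. The haproxy -vv fixtures are trimmed copies of the output quoted above plus a constructed variant with +QUIC; the FreeBSD.conf layout, the helper names and the temp-dir path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the procedure above:
#  1. check whether an haproxy binary was built with a feature (here QUIC),
#     by parsing `haproxy -vv` output the way the original post did by eye;
#  2. flip `enabled: no` to `enabled: yes` in a pkg(8) repo file, keeping a backup.
# Paths, the repo-file layout and the shortened fixtures below are assumptions.

# Constructed fixture: the Feature list / OPTIONS lines from the original post
# (pfSense 23.01 package), trimmed. On a real box use `haproxy -vv` instead.
PFSENSE_HAPROXY_VV='HAProxy version 2.6 (pfSense package, constructed header)
Feature list : -EPOLL +KQUEUE +OPENSSL +LUA -QUIC +PROMEX -MEMORY_PROFILING
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1'

# Constructed fixture for a build that does have QUIC (what the reply expects
# from the upstream FreeBSD port).
FREEBSD_HAPROXY_VV='HAProxy version 2.6 (FreeBSD port, constructed header)
Feature list : -EPOLL +KQUEUE +OPENSSL +LUA +QUIC +PROMEX -MEMORY_PROFILING
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1 USE_QUIC=1'

# haproxy_has_feature NAME VV_OUTPUT
# Returns 0 iff the "Feature list" line carries "+NAME" (as opposed to "-NAME").
haproxy_has_feature() {
    printf '%s\n' "$2" | grep '^Feature list' | tr ' ' '\n' | grep -qxF -- "+$1"
}

# haproxy_built_with_option NAME VV_OUTPUT
# Returns 0 iff the OPTIONS line carries "USE_NAME=1"; a cross-check for the above.
haproxy_built_with_option() {
    printf '%s\n' "$2" | grep 'OPTIONS *=' | tr ' ' '\n' | grep -qxF -- "USE_$1=1"
}

# quic_status VV_OUTPUT -> prints "present" or "absent"
quic_status() {
    if haproxy_has_feature QUIC "$1" && haproxy_built_with_option QUIC "$1"; then
        echo present
    else
        echo absent
    fi
}

# enable_pkg_repo FILE
# Rewrites "enabled: no" to "enabled: yes" in a pkg repo .conf, leaving FILE.bak.
# Avoids `sed -i`, whose syntax differs between BSD and GNU sed.
enable_pkg_repo() {
    repo_file="$1"
    [ -f "$repo_file" ] || { echo "no such file: $repo_file" >&2; return 1; }
    cp "$repo_file" "$repo_file.bak" || return 1
    sed 's/^\([[:space:]]*enabled:[[:space:]]*\)no[[:space:]]*$/\1yes/' \
        "$repo_file.bak" > "$repo_file" || return 1
}

# repo_enabled FILE -> 0 iff the file contains an "enabled: yes" line
repo_enabled() {
    grep -Eq '^[[:space:]]*enabled:[[:space:]]*yes' "$1"
}

# Constructed copy of what pfSense ships as /usr/local/etc/pkg/repos/FreeBSD.conf
# (layout assumed), written to a temp dir so the example never touches the real file.
make_demo_repo_conf() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: no
}
EOF
    echo "$dir/FreeBSD.conf"
}
```

Against a real binary, `quic_status "$(haproxy -vv)"` prints `absent` for the pfSense 23.01 package quoted in the first post (both `-QUIC` in the feature list and no `USE_QUIC=1` in OPTIONS). Running `enable_pkg_repo` on the real /usr/local/etc/pkg/repos/FreeBSD.conf is the step the reply describes, with the consequences it lists (losing the GUI package, two HAProxy configs fighting over /cf/conf/config.xml), which is why the demo only edits a temporary copy.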
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.