I just ran the script in Shawn's haproxy-scripts/deployci

root@mail:~/haproxy-scripts# ls
apache2            ci-haproxy-cfg.txt   deployci    fixperms   git-quictls  
install-haproxy-service  new-haproxy  old_docker-ci.yml  prep-source  
repo_overrides       sample.haproxy.cfg  sync_from_creator
check_for_updates  common-functions.sh  Dockerfile  fullstack  haproxy-2.8  
new.gitlab-ci.yml        new-quic     openssl            README.md    
sample.crt-list.txt  selfsigned.pem
root@mail:~/haproxy-scripts# /usr/local/sbin/haproxy -c -f 
/etc/haproxy/haproxy.cfg
Configuration file is valid

/etc/haproxy/haproxy.cfg:


# Process-wide settings.
global
        # Upper limit on concurrent connections for the whole process.
        maxconn 64
        # Detach from the terminal and run in the background.
        daemon
        # Two syslog targets on the local host, RFC 5424 format, lines up to
        # 65535 bytes: facility local0 at every level, and facility local1
        # limited to "notice" and more severe.
        log 127.0.0.1 len 65535 format rfc5424 local0
        log 127.0.0.1 len 65535 format rfc5424 local1 notice


# Settings inherited by every frontend and backend that follows.
defaults
        # Reuse the log targets declared in the global section.
        log global
        # Log each request in the detailed HTTP format.
        option httplog
        mode http
        # NOTE(review): no `timeout http-request` is set, so only
        # `timeout client` bounds how slowly a client may send its request
        # headers.
        timeout connect 5s
        timeout client  15s
        timeout server  120s
        timeout http-keep-alive 5s
        # No unit suffix, so the value is read as milliseconds (9990 ms, ~10 s).
        timeout check   9990


# Plain-HTTP listener on every IPv4 address.
frontend web80
        bind 0.0.0.0:80 name web80
        # NOTE(review): requests go to the same backend as the TLS frontend and
        # no redirect to https is configured, so the site is also reachable in
        # cleartext. If that is not intended, an
        # `http-request redirect scheme https` rule belongs in this section.
        default_backend be-local-81

# TLS listener: HTTP/1.1 and HTTP/2 on TCP 443, HTTP/3 over QUIC on UDP 443.
frontend web
        description One frontend to rule them all
        # TCP bind. ALPN offers h2 then http/1.1; the npn list repeats the same
        # protocols for the older NPN extension. `curves` restricts the ECDHE
        # curves to secp521r1 and secp384r1.
        # NOTE(review): allow-0rtt accepts TLS 1.3 early data, which can be
        # replayed by whoever captured it. Keep it only if every request that
        # may arrive as early data is idempotent; otherwise drop the keyword or
        # add `http-request wait-for-handshake`.
        bind 0.0.0.0:443 name web443 ssl crt /etc/haproxy/fullchain.pem alpn 
h2,http/1.1 npn h2,http/1.1 allow-0rtt curves secp521r1:secp384r1
        # QUIC bind on IPv4 port 443 with the same certificate. Besides h3, the
        # ALPN list names the h3-29/h3-28/h3-27 draft identifiers. allow-0rtt
        # carries the same replay caveat as on the TCP bind.
        bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/haproxy/fullchain.pem 
proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves 
secp521r1:secp384r1
        # Advertise alternative services on port 443 with a 7200 s lifetime.
        # NOTE(review): the list also names h3-Q050, h3-Q046, h3-Q043 and quic,
        # none of which appear in the alpn list of the QUIC bind above;
        # presumably those entries can be dropped - confirm.
        http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; 
ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; 
ma=7200,quic=":443"; ma=7200'
        default_backend be-local-81
        # Built-in statistics page at /hapeek, refreshing every 15 s.
        # NOTE(review): it is served on the public 443 frontend and no
        # `stats auth` or source restriction is visible in this section, so
        # anyone who requests the URI can read the proxy's internal state.
        # Consider `stats auth`, an ACL on the client address, or a separate
        # listener bound to 127.0.0.1.
        stats enable
        stats uri /hapeek
        stats refresh 15

# Single origin server on the local host, port 81.
backend be-local-81
        # Selects HTTP as the health-check method.
        option httpchk
        # NOTE(review): the server line has no `check` keyword, so no health
        # check is run against it; `option httpchk` only takes effect once
        # `check` is added here.
        server localhost 127.0.0.1:81

> Am 08.11.2023 um 17:39 schrieb William Lallemand <wlallem...@haproxy.com>:
> 
> On Wed, Nov 08, 2023 at 04:42:00PM +0100, Christoph Kukulies wrote:
>> 
>> I posted the output of haproxy -vv (at William Lallemand's request). Maybe 
>> you overlooked it:
>> 
> 
> That's weird, it shouldn't behave like this, and I couldn't reproduce it at
> all.
> 
>> root@mail:~/haproxy-scripts#  /usr/local/sbin/haproxy -vv
>> HAProxy version 2.8.3-d6e5cd-70 2023/10/26 - https://haproxy.org/ 
>> <https://haproxy.org/>
>> Status: long-term supported branch - will stop receiving fixes around Q2 
>> 2028.
>> Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html 
>> <http://www.haproxy.org/bugs/bugs-2.8.3.html>
>> Running on: Linux 5.15.0-88-generic #98-Ubuntu SMP Mon Oct 2 15:18:56 UTC 
>> 2023 x86_64
>> Build options :
>>  TARGET  = linux-glibc
>>  CPU     = native
>>  CC      = cc
>>  CFLAGS  = -O2 -march=native -g -Wall -Wextra -Wundef 
>> -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits 
>> -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond 
>> -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label 
>> -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered 
>> -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int 
>> -Wno-atomic-alignment
>>  OPTIONS = USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_QUIC=1 USE_PCRE2_JIT=1
>>  DEBUG   = 
>> 
>> 
>> And the install script installed the following config file (kindly 
>> overwriting my own config, thank you :-(. )
>> 
> 
> You should probably use a packaged version of haproxy.
> 
>> global
>>        maxconn 64
>>        daemon
>>        log 127.0.0.1 len 65535 format rfc5424 local0
>>        log 127.0.0.1 len 65535 format rfc5424 local1 notice
>> 
>> 
>> defaults
>>        log global
>>        option httplog
>>        mode http
>>        timeout connect 5s
>>        timeout client  15s
>>        timeout server  120s
>>        timeout http-keep-alive 5s
>>        timeout check   9990
>> 
>> 
>> frontend web80
>>        bind 0.0.0.0:80 name web80
>>        default_backend be-local-81
>> 
>> frontend web
>>        description One frontend to rule them all
>>        bind 0.0.0.0:443 name web443 ssl crt 
>> /etc/ssl/certs/local/selfsigned.pem alpn h2,http/1.1 npn h2,http/1.1 
>> allow-0rtt curves secp521r1:secp384r1
>>        bind quic4@0.0.0.0:443 name quic443 ssl crt 
>> /etc/ssl/certs/local/selfsigned.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn 
>> h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
>>        http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; 
>> ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; 
>> ma=7200,quic=":443"; ma=7200'
>>        default_backend be-local-81
>>        stats enable
>>        stats uri /hapeek
>>        stats refresh 15
>> 
>> backend be-local-81
>>        option httpchk
>>        server localhost 127.0.0.1:81
>> 
>> 
>> which leads to haproxy failing on startup:
>> 
>> Nov  8 16:38:28 mail haproxy[101582]: [ALERT]    (101582) : parsing 
>> [/etc/haproxy/haproxy.cfg:26] : 'bind' : unsupported protocol family 2 for 
>> address 'quic4@0.0.0.0:443'
>> 
>> So what can I do about it, other than trusting the scripts and configs 
>> to work, or asking here for help?
> 
> 
> I don't know how you are running your configuration, or what your
> scripts do.
> 
> I can't reproduce the problem at all with the given configuration.
> 
> How are you starting haproxy?
> 
> Could you run `/usr/local/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg` ? 
> 
> -- 
> William Lallemand
