Installing and updating haproxy from source


One of the tools that I use for my personal websites, including this blog, is haproxy. Here are some distilled instructions for installing it from source. I primarily use Ubuntu.

The center of all this is a series of shell scripts that I use to automate the build and install. At the following gitlab URL you will find all the scripts.

https://gitlab.elyograg.org/world/haproxy-scripts

Clone the repo with https or download the scripts individually, and put the scripts into /usr/local/src. If you choose another location, it still work, but you will need to edit the prep_source script to change the directory before running it.

All commands shown here are designed to be run as root. With these scripts you will be able to easily build and install the quictls variety of openssl3 and the current master repo of haproxy (2.7.x-dev as of September 2022) with QUIC/HTTP3 support.

There is a script included that will do all the prep tasks and install prerequisite packages. It has been tested on Ubuntu Server and AlmaLinux 8, but should work on any RHEL/Fedora clone and all distros derived from Debian, which includes Ubuntu, Mint, and of course Debian. If you have some other OS, you may need to examine the prep_source script and work out what to do for your OS. On Debian-derived systems, the prep_source script will make some carefully configured changes to the file /etc/apt/sources.list in order to add source repositories. That modification should be safe for all users of Debian-derived systems, but it can’t be 100% guaranteed.

The first time you run through these instructions, you’ll need to do the commands below to prepare the source directory and install/activate the haproxy service in systemd. After the first time, you can skip to the wide horizontal line below to update or reinstall.

cd /usr/local/src
./prep_source
./install-haproxy-service git-haproxy-master

If your OS is using some form of sysvinit, the service installer script above won’t work, and you’re on your own for getting it installed as a service. Consider switching to something better. Many modern POSIX operating systems are using systemd. There are likely service install instructions for sysvinit that Google can find. Note that the service install script is likely to fail to actually start the service if you follow these instructions in order, because at that point haproxy will probably not be installed.


With the git repos cloned, prerequisite packages installed, and the service installed, run the fullstack command. It will build and install quictls and haproxy, then restart haproxy.

./fullstack

If you haven’t created /etc/haproxy/haproxy.cfg with a good config before running fullstack, then starting the service will fail, and you’ll need to take care of installing a config before trying to start the service. Also be aware that if you ask haproxy to listen on ports that another process is already listening on, the service start will also fail. This can be a problem if you have a webserver like Apache or Nginx installed. I can’t cover how to create an haproxy config in this post, but may make a new post about that in the future.

Updates to quictls are infrequent, so most of the time you just need to upgrade haproxy. The fullstack script will compile and install both quictls and haproxy. If you use the new-haproxy script, only haproxy will be recompiled. Use a command like the following to do this:

./new-haproxy git-haproxy-master

This will restart the haproxy service if the build is successful.

Installing quictls with my script adds a “qssl” script to /usr/local/bin that will run the quictls variant of openssl, which might be significantly newer than whatever version of openssl you may have installed.

I have haproxy listening on ports 80 and 443, and Apache listening on port 81 only. I also have backends for Plex, Gitlab, and a couple of tiny computers, one of which is a Raspberry Pi. None of my backends are using TLS. None of the backends are reachable from the Internet.

I also have another haproxy installation on an AWS instance. That one is not as complex as the one in my basement. The AWS instance is my mail server. The haproxy install manages connectivity for my webmail and a couple of other simple sites.

QUIC/HTTP3 will require both UDP and TCP traffic allowed on port 443. QUIC/HTTP3 is a UDP protocol, but the first time the browser makes contact, it will be over TCP.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.