One of the tools that I use for my personal websites, including this blog, is haproxy. These steps produce an install of haproxy that supports all HTTP versions up to HTTP/3.
Here are some distilled instructions for installing it from source. I primarily use Ubuntu. At the center of all this is a set of shell scripts that I use to automate the build and install. You will find all of the scripts at the following GitHub URL:
https://github.com/elyograg/haproxy-scripts
Clone the repo at the URL above with git, change into the newly cloned directory, and run the following command. If your Linux OS is derived from Debian/Ubuntu or RHEL, this one command takes care of almost everything.
sudo ./install
This command does not create a config for haproxy, but it does restart the service, so /etc/haproxy/haproxy.cfg must already exist and be a valid config for that restart to succeed. On a DEB-based distro the build also needs the source repositories enabled: if you have removed the “deb-src” lines from /etc/apt/sources.list, the build is going to fail.
There is an example config included in the repo named ci-haproxy-cfg.txt. Adapting this for your own use is up to you. With a current and publicly valid certificate, the sample config can achieve a grade of A+ on the Qualys SSL Labs test.
A note for configs that use the quic4 binding: if the NIC on the machine has more than one IP address, you cannot use the 0.0.0.0 address that you’ll find in the sample config. This is a quirk of how UDP works, not an indication of a problem: a UDP socket bound to 0.0.0.0 sends its replies from whichever local address the kernel picks for the route, which can differ from the address the client sent to, and a QUIC client discards datagrams that arrive from an unexpected peer address. Bind the quic4 listener to the specific address you intend to serve instead.
The same install command will also work for updating haproxy to a newer 2.8 version.
QUIC/HTTP3 requires both UDP and TCP traffic to be allowed on port 443. QUIC/HTTP3 runs over UDP, but the first time a browser makes contact it does so over TCP, using an earlier HTTP version; the server advertises HTTP/3 in an Alt-Svc response header on that TCP connection, and only then does the browser try QUIC. If UDP port 443 is blocked, nothing breaks visibly: the browser just keeps using HTTP/1.1 or HTTP/2, which is the usual reason a site that “has HTTP/3 enabled” never actually serves it.
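As a pre-flight script to run before ./install, here is an added example written for this post (it is not part of the haproxy-scripts repo; the file name haproxy-preflight.sh is assumed). It checks the things described above that make the build or the restart fail: source repositories enabled for apt, a config file present (and passing haproxy's own syntax check if haproxy is already installed), and a quic4 bind on 0.0.0.0 on a host with more than one IPv4 address. It also lists whatever is already listening on port 443 over TCP and UDP, which is the first thing to look at when HTTP/3 is not being used.

```shell
#!/bin/sh
# haproxy-preflight.sh (assumed name): checks to run before "sudo ./install"
# and the service restart it performs. Added example for this post; it is not
# part of the haproxy-scripts repository. Assumes the config uses
# "bind quic4@ADDR:443" lines like the sample config does.

# Returns 0 if the given apt source file enables source repositories, which the
# build needs. Handles both the classic one-line format ("deb-src ...") and the
# deb822 format used in /etc/apt/sources.list.d/ubuntu.sources on newer Ubuntu
# ("Types: deb deb-src"). Commented-out lines do not count.
has_deb_src() {
  grep -Eq '^[[:space:]]*(deb-src[[:space:]]|Types:.*deb-src)' "$1"
}

# Returns 0 if the config has no "bind quic4@0.0.0.0:..." line; otherwise prints
# each wildcard QUIC bind with its line number and returns 1. On a host with
# more than one IPv4 address such binds must name a specific address.
wildcard_quic_binds_absent() {
  ! grep -En '^[[:space:]]*bind[[:space:]]+quic4@0\.0\.0\.0:' "$1"
}

# Number of global-scope IPv4 addresses on this host (needs iproute2).
ipv4_address_count() {
  ip -4 -o addr show scope global 2>/dev/null | wc -l | tr -d ' '
}

# Returns 0 if the config exists and, when haproxy is installed, passes its own
# check mode ("haproxy -c"). The restart in ./install needs this to succeed.
config_is_valid() {
  cfg="${1:-/etc/haproxy/haproxy.cfg}"
  [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "$cfg"
  else
    echo "haproxy not installed yet; skipped syntax check of $cfg" >&2
  fi
}

# Lists sockets already listening on 443 over TCP and UDP. After the install
# both should belong to haproxy; a stale web server on 443/tcp or another QUIC
# server on 443/udp will make the restart fail or steal the traffic. This
# cannot see firewall rules, so check ufw/nftables for 443/udp separately.
listeners_on_443() {
  ss -Hlntu 'sport = :443' 2>/dev/null
}

preflight() {
  rc=0
  if has_deb_src /etc/apt/sources.list 2>/dev/null \
     || has_deb_src /etc/apt/sources.list.d/ubuntu.sources 2>/dev/null; then
    echo "ok: apt source repositories enabled"
  else
    echo "FAIL: no deb-src entry found; the build will fail without one" >&2; rc=1
  fi
  if config_is_valid /etc/haproxy/haproxy.cfg; then
    echo "ok: /etc/haproxy/haproxy.cfg present"
  else
    rc=1
  fi
  if [ "$(ipv4_address_count)" -gt 1 ] \
     && ! wildcard_quic_binds_absent /etc/haproxy/haproxy.cfg; then
    echo "FAIL: multi-homed host with quic4@0.0.0.0 bind(s) above; use a specific address" >&2
    rc=1
  fi
  echo "sockets currently on 443 (expect haproxy on both tcp and udp after install):"
  listeners_on_443
  return $rc
}

# Run the checks only when executed directly, so the file can also be sourced
# for its functions.
case "$0" in *haproxy-preflight.sh) preflight ;; esac
```

The functions take the file to inspect as an argument so they can be pointed at a config you are still editing, not only at the live one under /etc/haproxy; the quic4 check deliberately only complains when the host really has more than one IPv4 address, since the wildcard bind is harmless on a single-address machine.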
The git repo includes a config file for gitlab that sets up a CI/CD pipeline, but that is an advanced topic that will not be discussed here.