pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #262401 from vifino/haproxy-quic

haproxy: 2.9.2 -> 2.9.3; Enable QUIC support

h7x4 aeee68c7 aec709aa

options
unified split
Changed files
+125 -46
nixos
tests
haproxy.nix
pkgs
tools
networking
haproxy
default.nix
+90 -19
nixos/tests/haproxy.nix 
···

       
1

       

       
-

       
import ./make-test-python.nix ({ pkgs, ...}: {


     

       

       
1

       
+

       
import ./make-test-python.nix ({ lib, pkgs, ...}: {


     

       
2

       
2

       
 

       
  name = "haproxy";


     

       
3

       
3

       
 

       
  nodes = {


     

       
4

       

       
-

       
    machine = { ... }: {


     

       
5

       

       
-

       
      services.haproxy = {


     

       

       
4

       
+

       
    server = { ... }: {


     

       

       
5

       
+

       
     services.haproxy = {


     

       
6

       
6

       
 

       
        enable = true;


     

       
7

       
7

       
 

       
        config = ''


     

       

       
8

       
+

       
          global


     

       

       
9

       
+

       
            limited-quic


     

       

       
10

       
+

       



     

       
8

       
11

       
 

       
          defaults


     

       

       
12

       
+

       
            mode http


     

       
9

       
13

       
 

       
            timeout connect 10s


     

       

       
14

       
+

       
            timeout client 10s


     

       

       
15

       
+

       
            timeout server 10s


     

       

       
16

       
+

       



     

       

       
17

       
+

       
            log /dev/log local0 debug err


     

       

       
18

       
+

       
            option logasap


     

       

       
19

       
+

       
            option httplog


     

       

       
20

       
+

       
            option httpslog


     

       
10

       
21

       
 

       



     

       
11

       
22

       
 

       
          backend http_server


     

       
12

       

       
-

       
            mode http


     

       
13

       

       
-

       
            server httpd [::1]:8000


     

       

       
23

       
+

       
            server httpd [::1]:8000 alpn http/1.1


     

       
14

       
24

       
 

       



     

       
15

       
25

       
 

       
          frontend http


     

       
16

       

       
-

       
            bind *:80


     

       
17

       

       
-

       
            mode http


     

       

       
26

       
+

       
            bind :80


     

       

       
27

       
+

       
            bind :443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h2,http/1.1


     

       

       
28

       
+

       
            bind quic4@:443 ssl strict-sni crt /etc/ssl/fullchain.pem alpn h3 allow-0rtt


     

       

       
29

       
+

       



     

       

       
30

       
+

       
            http-after-response add-header alt-svc 'h3=":443"; ma=60' if { ssl_fc }


     

       

       
31

       
+

       



     

       
18

       
32

       
 

       
            http-request use-service prometheus-exporter if { path /metrics }


     

       
19

       
33

       
 

       
            use_backend http_server


     

       

       
34

       
+

       



     

       

       
35

       
+

       
          frontend http-cert-auth


     

       

       
36

       
+

       
            bind :8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt


     

       

       
37

       
+

       
            bind quic4@:8443 ssl strict-sni crt /etc/ssl/fullchain.pem verify required ca-file /etc/ssl/cacert.crt alpn h3


     

       

       
38

       
+

       



     

       

       
39

       
+

       
            use_backend http_server


     

       
20

       
40

       
 

       
        '';


     

       
21

       
41

       
 

       
      };


     

       
22

       
42

       
 

       
      services.httpd = {


     
···

       
30

       
50

       
 

       
          }];


     

       
31

       
51

       
 

       
        };


     

       
32

       
52

       
 

       
      };


     

       

       
53

       
+

       
      networking.firewall.allowedTCPPorts = [ 80 443 8443 ];


     

       

       
54

       
+

       
      networking.firewall.allowedUDPPorts = [ 443 8443 ];


     

       

       
55

       
+

       
     };


     

       

       
56

       
+

       
    client = { ... }: {


     

       

       
57

       
+

       
      environment.systemPackages = [ pkgs.curlHTTP3 ];


     

       
33

       
58

       
 

       
    };


     

       
34

       
59

       
 

       
  };


     

       
35

       
60

       
 

       
  testScript = ''


     

       

       
61

       
+

       
    # Helpers


     

       

       
62

       
+

       
    def cmd(command):


     

       

       
63

       
+

       
      print(f"+{command}")


     

       

       
64

       
+

       
      r = os.system(command)


     

       

       
65

       
+

       
      if r != 0:


     

       

       
66

       
+

       
        raise Exception(f"Command {command} failed with exit code {r}")


     

       

       
67

       
+

       



     

       

       
68

       
+

       
    def openssl(command):


     

       

       
69

       
+

       
      cmd(f"${pkgs.openssl}/bin/openssl {command}")


     

       

       
70

       
+

       



     

       

       
71

       
+

       
    # Generate CA.


     

       

       
72

       
+

       
    openssl("req -new -newkey rsa:4096 -nodes -x509 -days 7 -subj '/C=ZZ/ST=Cloud/L=Unspecified/O=NixOS/OU=Tests/CN=CA Certificate' -keyout cacert.key -out cacert.crt")


     

       

       
73

       
+

       



     

       

       
74

       
+

       
    # Generate and sign Server.


     

       

       
75

       
+

       
    openssl("req -newkey rsa:4096 -nodes -subj '/CN=server/OU=Tests/O=NixOS' -keyout server.key -out server.csr")


     

       

       
76

       
+

       
    openssl("x509 -req -in server.csr -out server.crt -CA cacert.crt -CAkey cacert.key -days 7")


     

       

       
77

       
+

       
    cmd("cat server.crt server.key > fullchain.pem")


     

       

       
78

       
+

       



     

       

       
79

       
+

       
    # Generate and sign Client.


     

       

       
80

       
+

       
    openssl("req -newkey rsa:4096 -nodes -subj '/CN=client/OU=Tests/O=NixOS' -keyout client.key -out client.csr")


     

       

       
81

       
+

       
    openssl("x509 -req -in client.csr -out client.crt -CA cacert.crt -CAkey cacert.key -days 7")


     

       

       
82

       
+

       
    cmd("cat client.crt client.key > client.pem")


     

       

       
83

       
+

       



     

       

       
84

       
+

       
    # Start the actual test.


     

       
36

       
85

       
 

       
    start_all()


     

       
37

       

       
-

       
    machine.wait_for_unit("multi-user.target")


     

       
38

       

       
-

       
    machine.wait_for_unit("haproxy.service")


     

       
39

       

       
-

       
    machine.wait_for_unit("httpd.service")


     

       
40

       

       
-

       
    assert "We are all good!" in machine.succeed("curl -fk http://localhost:80/index.txt")


     

       
41

       

       
-

       
    assert "haproxy_process_pool_allocated_bytes" in machine.succeed(


     

       
42

       

       
-

       
        "curl -fk http://localhost:80/metrics"


     

       
43

       

       
-

       
    )


     

       

       
86

       
+

       
    server.copy_from_host("fullchain.pem", "/etc/ssl/fullchain.pem")


     

       

       
87

       
+

       
    server.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")


     

       

       
88

       
+

       
    server.succeed("chmod 0644 /etc/ssl/fullchain.pem /etc/ssl/cacert.crt")


     

       

       
89

       
+

       



     

       

       
90

       
+

       
    client.copy_from_host("cacert.crt", "/etc/ssl/cacert.crt")


     

       

       
91

       
+

       
    client.copy_from_host("client.pem", "/root/client.pem")


     

       

       
92

       
+

       



     

       

       
93

       
+

       
    server.wait_for_unit("multi-user.target")


     

       

       
94

       
+

       
    server.wait_for_unit("haproxy.service")


     

       

       
95

       
+

       
    server.wait_for_unit("httpd.service")


     

       

       
96

       
+

       



     

       

       
97

       
+

       
    assert "We are all good!" in client.succeed("curl -f http://server/index.txt")


     

       

       
98

       
+

       
    assert "haproxy_process_pool_allocated_bytes" in client.succeed("curl -f http://server/metrics")


     

       

       
99

       
+

       



     

       

       
100

       
+

       
    with subtest("https"):


     

       

       
101

       
+

       
      assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt https://server/index.txt")


     

       

       
102

       
+

       



     

       

       
103

       
+

       
    with subtest("https-cert-auth"):


     

       

       
104

       
+

       
      # Client must succeed in authenticating with the right certificate.


     

       

       
105

       
+

       
      assert "We are all good!" in client.succeed("curl -f --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")


     

       

       
106

       
+

       
      # Client must fail without certificate.


     

       

       
107

       
+

       
      client.fail("curl --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")


     

       

       
108

       
+

       



     

       

       
109

       
+

       
    with subtest("h3"):


     

       

       
110

       
+

       
      assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server/index.txt")


     

       

       
111

       
+

       



     

       

       
112

       
+

       
    with subtest("h3-cert-auth"):


     

       

       
113

       
+

       
      # Client must succeed in authenticating with the right certificate.


     

       

       
114

       
+

       
      assert "We are all good!" in client.succeed("curl -f --http3-only --cacert /etc/ssl/cacert.crt --cert-type pem --cert /root/client.pem https://server:8443/index.txt")


     

       

       
115

       
+

       
      # Client must fail without certificate.


     

       

       
116

       
+

       
      client.fail("curl -f --http3-only --cacert /etc/ssl/cacert.crt https://server:8443/index.txt")


     

       
44

       
117

       
 

       



     

       
45

       
118

       
 

       
    with subtest("reload"):


     

       
46

       

       
-

       
        machine.succeed("systemctl reload haproxy")


     

       

       
119

       
+

       
        server.succeed("systemctl reload haproxy")


     

       
47

       
120

       
 

       
        # wait some time to ensure the following request hits the reloaded haproxy


     

       
48

       

       
-

       
        machine.sleep(5)


     

       
49

       

       
-

       
        assert "We are all good!" in machine.succeed(


     

       
50

       

       
-

       
            "curl -fk http://localhost:80/index.txt"


     

       
51

       

       
-

       
        )


     

       

       
121

       
+

       
        server.sleep(5)


     

       

       
122

       
+

       
        assert "We are all good!" in client.succeed("curl -f http://server/index.txt")


     

       
52

       
123

       
 

       
  '';


     

       
53

       
124

       
 

       
})
+35 -27
pkgs/tools/networking/haproxy/default.nix 
···

       
1

       
1

       
 

       
{ useLua ? true


     

       
2

       
2

       
 

       
, usePcre ? true


     

       
3

       

       
-

       
# QUIC "is currently supported as an experimental feature" so shouldn't be enabled by default


     

       
4

       

       
-

       
, useQuicTls ? false


     

       
5

       
3

       
 

       
, withPrometheusExporter ? true


     

       

       
4

       
+

       
, sslLibrary ? "quictls"


     

       
6

       
5

       
 

       
, stdenv


     

       
7

       
6

       
 

       
, lib


     

       
8

       
7

       
 

       
, fetchurl


     

       
9

       
8

       
 

       
, nixosTests


     

       
10

       
9

       
 

       
, zlib


     

       
11

       
10

       
 

       
, libxcrypt


     

       
12

       

       
-

       
, openssl ? null


     

       
13

       

       
-

       
, quictls ? null


     

       
14

       

       
-

       
, lua5_3 ? null


     

       
15

       

       
-

       
, pcre ? null


     

       
16

       

       
-

       
, systemd ? null


     

       

       
11

       
+

       
, wolfssl


     

       

       
12

       
+

       
, libressl


     

       

       
13

       
+

       
, quictls


     

       

       
14

       
+

       
, openssl


     

       

       
15

       
+

       
, lua5_4


     

       

       
16

       
+

       
, pcre2


     

       

       
17

       
+

       
, systemd


     

       
17

       
18

       
 

       
}:


     

       
18

       
19

       
 

       



     

       
19

       

       
-

       
assert useLua -> lua5_3 != null;


     

       
20

       

       
-

       
assert usePcre -> pcre != null;


     

       
21

       

       
-

       
assert useQuicTls -> quictls != null;


     

       
22

       

       
-

       
assert !useQuicTls -> openssl != null;


     

       
23

       

       
-

       



     

       
24

       

       
-

       
let sslPkg = if useQuicTls then quictls else openssl;


     

       

       
20

       
+

       
assert lib.assertOneOf "sslLibrary" sslLibrary [ "quictls" "openssl" "libressl" "wolfssl" ];


     

       

       
21

       
+

       
let


     

       

       
22

       
+

       
  sslPkgs = {


     

       

       
23

       
+

       
    inherit quictls openssl libressl;


     

       

       
24

       
+

       
    wolfssl = wolfssl.override {


     

       

       
25

       
+

       
      variant = "haproxy";


     

       

       
26

       
+

       
      extraConfigureFlags = [ "--enable-quic" ];


     

       

       
27

       
+

       
    };


     

       

       
28

       
+

       
  };


     

       

       
29

       
+

       
  sslPkg = sslPkgs.${sslLibrary};


     

       
25

       
30

       
 

       
in stdenv.mkDerivation (finalAttrs: {


     

       
26

       
31

       
 

       
  pname = "haproxy";


     

       
27

       

       
-

       
  version = "2.9.2";


     

       

       
32

       
+

       
  version = "2.9.3";


     

       
28

       
33

       
 

       



     

       
29

       
34

       
 

       
  src = fetchurl {


     

       
30

       
35

       
 

       
    url = "https://www.haproxy.org/download/${lib.versions.majorMinor finalAttrs.version}/src/haproxy-${finalAttrs.version}.tar.gz";


     

       
31

       

       
-

       
    hash = "sha256-hRrugw7CjBeRJGqf1EePZD0RWlY92Qf2YSzDgalSqzw=";


     

       

       
36

       
+

       
    hash = "sha256-7VF8ZavYaUVBH2vLGMfsZXpwaTHLeB6igwY7oKdYWMA=";


     

       
32

       
37

       
 

       
  };


     

       
33

       
38

       
 

       



     

       
34

       
39

       
 

       
  buildInputs = [ sslPkg zlib libxcrypt ]


     

       
35

       

       
-

       
    ++ lib.optional useLua lua5_3


     

       
36

       

       
-

       
    ++ lib.optional usePcre pcre


     

       

       
40

       
+

       
    ++ lib.optional useLua lua5_4


     

       

       
41

       
+

       
    ++ lib.optional usePcre pcre2


     

       
37

       
42

       
 

       
    ++ lib.optional stdenv.isLinux systemd;


     

       
38

       
43

       
 

       



     

       
39

       
44

       
 

       
  # TODO: make it work on bsd as well


     
···

       
46

       
51

       
 

       
  ];


     

       
47

       
52

       
 

       



     

       
48

       
53

       
 

       
  buildFlags = [


     

       

       
54

       
+

       
    "USE_ZLIB=yes"


     

       
49

       
55

       
 

       
    "USE_OPENSSL=yes"


     

       
50

       

       
-

       
    "SSL_LIB=${sslPkg}/lib"


     

       
51

       

       
-

       
    "SSL_INC=${sslPkg}/include"


     

       
52

       

       
-

       
    "USE_ZLIB=yes"


     

       
53

       

       
-

       
  ] ++ lib.optionals useQuicTls [


     

       
54

       

       
-

       
    "USE_QUIC=1"


     

       

       
56

       
+

       
    "SSL_INC=${lib.getDev sslPkg}/include"


     

       

       
57

       
+

       
    "SSL_LIB=${lib.getDev sslPkg}/lib"


     

       

       
58

       
+

       
    "USE_QUIC=yes"


     

       

       
59

       
+

       
  ] ++ lib.optionals (sslLibrary == "openssl") [


     

       

       
60

       
+

       
    "USE_QUIC_OPENSSL_COMPAT=yes"


     

       

       
61

       
+

       
  ] ++ lib.optionals (sslLibrary == "wolfssl") [


     

       

       
62

       
+

       
    "USE_OPENSSL_WOLFSSL=yes"


     

       
55

       
63

       
 

       
  ] ++ lib.optionals usePcre [


     

       
56

       

       
-

       
    "USE_PCRE=yes"


     

       
57

       

       
-

       
    "USE_PCRE_JIT=yes"


     

       

       
64

       
+

       
    "USE_PCRE2=yes"


     

       

       
65

       
+

       
    "USE_PCRE2_JIT=yes"


     

       
58

       
66

       
 

       
  ] ++ lib.optionals useLua [


     

       
59

       
67

       
 

       
    "USE_LUA=yes"


     

       
60

       
68

       
 

       
    "LUA_LIB_NAME=lua"


     

       
61

       

       
-

       
    "LUA_LIB=${lua5_3}/lib"


     

       
62

       

       
-

       
    "LUA_INC=${lua5_3}/include"


     

       

       
69

       
+

       
    "LUA_LIB=${lua5_4}/lib"


     

       

       
70

       
+

       
    "LUA_INC=${lua5_4}/include"


     

       
63

       
71

       
 

       
  ] ++ lib.optionals stdenv.isLinux [


     

       
64

       
72

       
 

       
    "USE_SYSTEMD=yes"


     

       
65

       
73

       
 

       
    "USE_GETADDRINFO=1"


     
···

       
84

       
92

       
 

       
      tens of thousands of connections is clearly realistic with todays


     

       
85

       
93

       
 

       
      hardware.


     

       
86

       
94

       
 

       
    '';


     

       
87

       

       
-

       
    maintainers = with lib.maintainers; [ ];


     

       

       
95

       
+

       
    maintainers = with lib.maintainers; [ vifino ];


     

       
88

       
96

       
 

       
    platforms = with lib.platforms; linux ++ darwin;


     

       
89

       
97

       
 

       
    mainProgram = "haproxy";


     

       
90

       
98

       
 

       
  };