Very new to HAProxy (moving over from a simple rewrite/proxy based Apache. I’m setting it up in a pretty restricted environment (e.g. I don’t have package access and more). I need it to support SSL so I’ve been building with the following:
System is RHEL6.7
make TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1
But I end up with the error:
gcc -g -o haproxy src/haproxy.o src/base64.o src/protocol.o src/uri_auth.o src/standard.o src/buffer.o src/log.o src/task.o src/chunk.o src/channel.o src/listener.o src/lru.o src/xxhash.o src/time.o src/fd.o src/pipe.o src/regex.o src/cfgparse.o src/server.o src/checks.o src/queue.o src/frontend.o src/proxy.o src/peers.o src/arg.o src/stick_table.o src/proto_uxst.o src/connection.o src/proto_http.o src/raw_sock.o src/backend.o src/tcp_rules.o src/lb_chash.o src/lb_fwlc.o src/lb_fwrr.o src/lb_map.o src/lb_fas.o src/stream_interface.o src/stats.o src/proto_tcp.o src/applet.o src/session.o src/stream.o src/hdr_idx.o src/ev_select.o src/signal.o src/acl.o src/sample.o src/memory.o src/freq_ctr.o src/auth.o src/proto_udp.o src/compression.o src/payload.o src/hash.o src/pattern.o src/map.o src/namespace.o src/mailers.o src/dns.o src/vars.o src/filters.o src/flt_http_comp.o src/flt_trace.o src/flt_spoe.o src/cli.o src/ev_poll.o src/ev_epoll.o src/ssl_sock.o src/shctx.o ebtree/ebtree.o ebtree/eb32tree.o ebtree/eb64tree.o ebtree/ebmbtree.o ebtree/ebsttree.o ebtree/ebimtree.o ebtree/ebistree.o -lcrypt -lz -ldl -lssl -lcrypto -ldl
src/ssl_sock.o: In function smp_fetch_ssl_fc_alpn': /happrd/haproxy1.7.3/src/ssl_sock.c:4925: undefined reference toSSL_get0_alpn_selected’
src/ssl_sock.o: In function ssl_sock_prepare_ctx': /happrd/haproxy1.7.3/src/ssl_sock.c:2877: undefined reference toSSL_CTX_set_alpn_select_cb’
src/ssl_sock.o: In function ssl_sock_load_sctl': /happrd/haproxy1.7.3/src/ssl_sock.c:1004: undefined reference toSSL_CTX_add_server_custom_ext’
collect2: ld returned 1 exit status
make: *** [haproxy] Error 1
I’m guessing the OpenSSL Devel version? But I got the latest package available for 6.7 installed by the server maintainers…
Any clue?
Looks like TLSEXT_TYPE_application_layer_protocol_negotiation is defined, but actual ALPN support is missing.
Please confirm OpenSSL and it’s devel package is exclusively installed from stock RHEL repositories, no backports or third party RPM?
If that is the case, remove all of those RPM and install RHEL stock RPM’s please.
Also provide the output of:
yum info openssl
yum info openssl-devel
yum info openssl
Loaded plugins: security
Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 48.el6_8.4
Size : 4.0 M
Repo : installed
From repo : xxx (our own)
Summary : A general purpose cryptography library with TLS implementation
URL : http://www.openssl.org/
License : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications
: between machines. OpenSSL includes a certificate management tool
: and shared libraries which provide various cryptographic
: algorithms and protocols.
yum info openssl-devel
Loaded plugins: security
Installed Packages
Name : openssl-devel
Arch : x86_64
Version : 1.0.1e
Release : 48.el6_8.4
Size : 2.2 M
Repo : installed
From repo : xxx (our own)
Summary : Files for development of applications which will use OpenSSL
URL : http://www.openssl.org/
License : OpenSSL
Description : OpenSSL is a toolkit for supporting cryptography. The
: openssl-devel package contains include files needed to develop
: applications which support various cryptographic algorithms and
: protocols.
I don’t know what to tell you, something is wrong with either your repository, or box. Probably someone attempted to upgrade openssl to a newer version on your machine, and now you have multiple parallel openssl version floating around.
Fact is, haproxy 1.7.3 builds just fine on Centos 6.7, I just tried with the LiveCD.
Try installing the OS from scratch if you are unable to fix it.
If you are looking for HAProxy on CentOS you can have a look at our repository:
https://www.ulyaoth.net/repository/haproxy.html
that are precreated rpm packages that you can install on CentOS, saves you compiling it yourself they are compiled with the latest OpenSSL and updated regularly.