Hello Lukas,
I also tried a few other things, but mostly did it like the tutorial.
I first tried just to compile haproxy 1.8.1 with the CentOS 7 openssl-1.0.2k on the system, and it did not work.
Then I tried to compile the new openssl-1.0.2n locally as described in the haproxy readme:
export STATICLIBSSL=/tmp/staticlibssl
./config --prefix=$STATICLIBSSL no-shared
make && make install_sw
/tmp/staticlibssl/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017
Then haproxy 1.8.1:
$ make TARGET=linux2628 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
make install
$ haproxy -vv
HA-Proxy version 1.8.1 2017/12/03
Copyright 2000-2017 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
Running on OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Then added the ALPN line to haproxy.cfg:
frontend http2
bind *:443 ssl crt /etc/haproxy/ssl/ alpn h2,http/1.1
$ haproxy restart
Dec 12 22:27:13 testing1 haproxy-systemd-wrapper[5972]: [ALERT] 345/222713 (5973) : parsing [/etc/haproxy/haproxy.cfg:131] : 'bind *:443' : 'alpn' : library does not support TLS ALPN extension
Thank you!
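
An added example, not part of the original post and not HAProxy project code: a small shell check that reads `haproxy -vv` output and reports whether the OpenSSL a binary was built with and the one it runs on are both new enough for ALPN (OpenSSL 1.0.2 or later). The function names and the second sample are constructed for illustration; the first sample reuses the two version lines from the post.

```shell
#!/bin/sh
# Added example: check `haproxy -vv` output for an ALPN-capable OpenSSL.
# ALPN needs OpenSSL 1.0.2 or later, both at build time and at run time.

# Return 0 if an OpenSSL version string such as "1.0.2n" is >= 1.0.2.
openssl_has_alpn() {
    IFS=. read -r maj min fix <<EOF
$1
EOF
    fix=${fix%%[!0-9]*}    # "2n" -> "2", "1e-fips" -> "1"
    [ "${maj:-0}" -gt 1 ] && return 0
    [ "${maj:-0}" -eq 1 ] && [ "${min:-0}" -gt 0 ] && return 0
    [ "${maj:-0}" -eq 1 ] && [ "${min:-0}" -eq 0 ] && [ "${fix:-0}" -ge 2 ]
}

# Read `haproxy -vv` output on stdin, print both OpenSSL versions, and
# return 0 only if the build-time and run-time libraries both support ALPN.
check_haproxy_vv() {
    vv=$(cat)
    built=$(printf '%s\n' "$vv" |
        sed -n 's/^Built with OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    running=$(printf '%s\n' "$vv" |
        sed -n 's/^Running on OpenSSL version : OpenSSL \([^ ]*\).*/\1/p')
    echo "built=${built:-none} running=${running:-none}"
    [ -n "$built" ] && [ -n "$running" ] &&
        openssl_has_alpn "$built" && openssl_has_alpn "$running"
}

# The two version lines as they appear in the post above.
sample_new() {
    echo 'Built with OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017'
    echo 'Running on OpenSSL version : OpenSSL 1.0.2n 7 Dec 2017'
}

# Constructed sample: a binary running against an older library.
sample_old() {
    echo 'Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017'
    echo 'Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013'
}

for s in sample_new sample_old; do
    if "$s" | check_haproxy_vv; then echo "$s: ALPN ok"
    else echo "$s: no ALPN"; fi
done
```

To check a real binary, pipe its output in with `/path/to/haproxy -vv | check_haproxy_vv`, once for the binary found on PATH and once for the one the service unit starts (the path here is a placeholder).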