I’m experimenting with HTTP/3 on Ubuntu 24.04 and HAProxy 3.2 from the official -awslc packages ("Download the Official HAProxy Performance Packages") and got it working.
I didn’t need to add AmbientCapabilities=CAP_NET_BIND_SERVICE in the service file but did need to add setcap cap_net_bind_service under the “global” section in haproxy.cfg. AIUI it passes the capability to the non-root user when it switches from root to non-root user.
Another, unrelated gotcha I ran into was with incorrect alpn values. I originally had:
```
# TCP/TLS listener and QUIC (UDP) listener, both fed from the same crt-list
bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
bind quic4@:443 ssl crt-list /etc/haproxy/crt-list.txt
```
And in crt-list.txt I had:
```
# <certfile> [ssl options]
hostname1.pem.rsa [alpn h2,http/1.1,http/1.0 ssl-min-ver TLSv1.0]
hostname2.pem.rsa [alpn h2,http/1.1,http/1.0 ssl-min-ver TLSv1.2]
...
```
The reason I’m using crt-list like so is because I want to have different minimum TLS requirements for different hostnames. The issue is of course that the HTTP/3 connections will see the wrong alpn value.
The fix was to move the alpn stuff back to haproxy.cfg:
```
# alpn now lives on the TCP/TLS bind only; the QUIC bind keeps its own ALPN
bind *:443 ssl crt-list /etc/haproxy/crt-list.txt alpn h2,http/1.1,http/1.0
bind quic4@:443 ssl crt-list /etc/haproxy/crt-list.txt
```
And crt-list.txt:
```
# crt-list entries carry only the per-hostname TLS version floor
hostname1.pem.rsa [ssl-min-ver TLSv1.0]
hostname2.pem.rsa [ssl-min-ver TLSv1.2]
...
```
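The gotcha above is easy to reintroduce later when someone edits the crt-list. The following is an added example, not code from the post or from the HAProxy project: a small linter for the crt-list format (`<certfile> [option value ...] [sni filters]`) that flags two things a reviewer would want to catch when one list backs both a TCP/TLS bind and a QUIC bind: an `alpn` option inside the list (which applies to every listener using the list, so the QUIC listener would stop offering `h3`), and an `ssl-min-ver` floor below TLSv1.2. The sample list contents are constructed to mirror the post's before/after shapes; the set of value-less options (`allow-0rtt`, `no-alpn`, `no-ca-names`) is an assumption about the crt-list option syntax and only affects tokenising.

```python
"""Lint an HAProxy crt-list for options that misbehave when the same list
backs both a TCP/TLS bind and a QUIC bind (added example, not HAProxy code)."""
import re
from dataclasses import dataclass, field

# Constructed samples: the shape of the crt-list before and after the fix in the post.
BROKEN_CRT_LIST = """\
# alpn inside the crt-list: offered on the QUIC listener too
hostname1.pem.rsa [alpn h2,http/1.1,http/1.0 ssl-min-ver TLSv1.0]
hostname2.pem.rsa [alpn h2,http/1.1,http/1.0 ssl-min-ver TLSv1.2]
hostname3.pem.rsa [ssl-min-ver TLSv1.3] www.example.org example.org
hostname4.pem.rsa
"""

FIXED_CRT_LIST = """\
hostname1.pem.rsa [ssl-min-ver TLSv1.0]
hostname2.pem.rsa [ssl-min-ver TLSv1.2]
"""

# Assumed list of crt-list options that take no value (everything else is "key value").
FLAG_OPTIONS = {"allow-0rtt", "no-alpn", "no-ca-names"}

# Ordering used to compare ssl-min-ver values; TLSv1.2 is the floor we accept.
TLS_ORDER = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_ACCEPTABLE = "TLSv1.2"

# <certfile> [ options ] sni-filter...
LINE_RE = re.compile(r"^(\S+)\s*(?:\[(.*?)\])?\s*(.*)$")


@dataclass
class CrtListEntry:
    lineno: int
    certfile: str
    options: dict = field(default_factory=dict)   # option -> value (None for flags)
    sni_filters: list = field(default_factory=list)


def parse_options(opts_str: str) -> dict:
    """Turn 'alpn h2,http/1.1 ssl-min-ver TLSv1.2' into a dict of option -> value."""
    options, toks, i = {}, opts_str.split(), 0
    while i < len(toks):
        key = toks[i]
        if key in FLAG_OPTIONS or i + 1 == len(toks):
            options[key] = None          # flag, or a trailing key with no value
            i += 1
        else:
            options[key] = toks[i + 1]
            i += 2
    return options


def parse_crt_list(text: str) -> list:
    """Parse crt-list text; '#' starts a comment, blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        certfile, opts_str, filters_str = m.group(1), m.group(2) or "", m.group(3)
        entries.append(CrtListEntry(lineno, certfile, parse_options(opts_str),
                                    filters_str.split()))
    return entries


def lint_crt_list(text: str, shared_with_quic: bool = True) -> list:
    """Return (lineno, kind, message) findings for a crt-list.

    kind 'alpn': alpn set in the list; with a QUIC bind on the same list the
    QUIC listener would offer this ALPN set instead of h3 (the post's gotcha).
    kind 'ssl-min-ver': per-hostname floor below TLSv1.2.
    """
    findings = []
    for e in parse_crt_list(text):
        alpn = e.options.get("alpn")
        if shared_with_quic and alpn is not None:
            findings.append((e.lineno, "alpn",
                             f"{e.certfile}: alpn '{alpn}' in the crt-list also applies to "
                             "the QUIC listener; move alpn onto the TCP bind line"))
        minver = e.options.get("ssl-min-ver")
        if minver is not None and TLS_ORDER.get(minver, -1) < TLS_ORDER[MIN_ACCEPTABLE]:
            findings.append((e.lineno, "ssl-min-ver",
                             f"{e.certfile}: ssl-min-ver {minver} is below {MIN_ACCEPTABLE}"))
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CRT_LIST), ("fixed", FIXED_CRT_LIST)):
        print(f"== {name} ==")
        for lineno, kind, msg in lint_crt_list(text):
            print(f"line {lineno} [{kind}] {msg}")
```

Run it against a real `/etc/haproxy/crt-list.txt` by reading the file into `lint_crt_list`; pass `shared_with_quic=False` for a list that is only referenced from TCP binds, in which case only the TLS floor check applies.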