Skip to content

Add QUIC to 3.2+#257

Merged
tianon merged 2 commits intodocker-library:masterfrom
infosiftr:quic
Jan 8, 2026
Merged

Add QUIC to 3.2+#257
tianon merged 2 commits intodocker-library:masterfrom
infosiftr:quic

Conversation

@yosifkit
Copy link
Member

@yosifkit yosifkit commented Jan 7, 2026

One other update is that the QUIC TLS API was ported to OpenSSL 3.5, ensuring that HAProxy's LTS version supports the LTS OpenSSL version released at the same time.

-https://www.haproxy.com/blog/announcing-haproxy-3-2#quic-protocol

With OpenSSL 3.5 in both Debian Trixie and Alpine 3.22+, it's finally here. Releases have aligned and we can now compile haproxy with QUIC support enabled! 🎉 Thanks to all those in OpenSSL, Haproxy, and Debian that moved it all along. ❤️

I don't think there are risks to adding this because users have to add it to their config to use it.

The image is just slightly bigger on disk and in the registry. *-quic tags are my local builds; there will not be separate tags for QUIC images since it will just be enabled in the current images (3.2 and above).

$ docker images haproxy
IMAGE                   ID             DISK USAGE   CONTENT SIZE   EXTRA
haproxy:3.2             88c88b5470e0        161MB         44.5MB
├─ linux/amd64          0f71ff1e8c39        159MB         42.4MB
├─ linux/arm/v5         a35e8a6e394b           0B             0B
├─ linux/arm/v7         89d8ce2d59b2           0B             0B
├─ linux/arm64/v8       34f6425d9d0e           0B             0B
├─ linux/386            c86fcab437dd           0B             0B
├─ linux/ppc64le        eac421ab4736           0B             0B
├─ linux/riscv64        a20b2933f29a           0B             0B
└─ linux/s390x          f5d81dd3999c           0B             0B

haproxy:3.2-quic        587ae4cff93e        166MB         44.5MB
└─ linux/amd64          587ae4cff93e        166MB         44.5MB

haproxy:3.3             e6ac0c3b4824        165MB         45.5MB
├─ linux/amd64          c85a446271ab        163MB         43.4MB
├─ linux/arm/v5         3b893b7a7d2e           0B             0B
├─ linux/arm/v7         4fd9ba350627           0B             0B
├─ linux/arm64/v8       01f5ab15b52e           0B             0B
├─ linux/386            2d2a98b41f69           0B             0B
├─ linux/ppc64le        74171cd135c4           0B             0B
├─ linux/riscv64        ffb51de2b7f6           0B             0B
└─ linux/s390x          685561eff4c9           0B             0B

haproxy:3.3-quic        f13ab4995d5e        170MB         45.7MB
└─ linux/amd64          f13ab4995d5e        170MB         45.7MB

haproxy:3.4-dev         842989bc7b39        165MB         45.5MB
├─ linux/amd64          543f69feb7e3        163MB         43.4MB
├─ linux/arm/v5         828d2743415f           0B             0B
├─ linux/arm/v7         353e4c77d955           0B             0B
├─ linux/arm64/v8       3886eb74c594           0B             0B
├─ linux/386            3b4f8a34ab13           0B             0B
├─ linux/ppc64le        b06562c319aa           0B             0B
├─ linux/riscv64        3ab7dbf20d2f           0B             0B
└─ linux/s390x          55d730c7e2ce           0B             0B

haproxy:3.4-quic        1b8919b71ebf        170MB         45.8MB
└─ linux/amd64          1b8919b71ebf        170MB         45.8MB

Fixes #182

cc @dkorunic, ref #243; If you can give this a review, that would be helpful.

@yosifkit yosifkit mentioned this pull request Jan 7, 2026
Closed
@dkorunic
Copy link
Collaborator

dkorunic commented Jan 7, 2026

I'll review and report back first thing tomorrow EU time.

@dkorunic
Copy link
Collaborator

dkorunic commented Jan 8, 2026
edited
Loading

MR looks great, but with the following remarks:

  • QUIC with vanilla OpenSSL works correctly from OpenSSL >= 3.5.1 (Debian Trixie and Alpine 3.22 both use OpenSSL 3.5.4 so in both cases it should be perfectly fine to enable QUIC).
  • We would recommend additionally enabling USE_PTHREAD_EMULATION=1 with OpenSSL 3.x for improved performance.

@dkorunic
Copy link
Collaborator

dkorunic commented Jan 8, 2026

LGTM! 👍

tianon
tianon reviewed Jan 8, 2026
View reviewed changes
Dockerfile.template
USE_PCRE2=1 USE_PCRE2_JIT=1 \
USE_PROMEX=1 \
# https://github.com/haproxy/haproxy/blob/a203ce685464988afbd92c8a376fcafae9bab5b5/INSTALL#L368-L373
USE_PTHREAD_EMULATION=1 \
Copy link
Member

@tianon tianon Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From that doc:

It should not be used by distro packagers as it is a bit less observable.

I'm guessing this concern doesn't really matter as much for consumers of this image?

(I admit I don't understand the option nor the effects, so advice is appreciated 😅)

Copy link
Collaborator

@dkorunic dkorunic Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When this is enabled we replace pthread rwlocks (that OpenSSL uses) with our own lighter variant, but the eventual lock debugging would be more complicated (but that's rarely done by regular users, if ever). However the performance gain is quite visible for larger SMP systems and we in all our performance (CE and EE) packages enable USE_PTHREAD_EMULATION=1 by default. 🚀
I think this is safe to add -- and in fact I've reached to rest of our engineering team early on this morning and double checked if we all agree on enabling this for Docker images by default.

Copy link
Member

@tianon tianon Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah nice, thank you for the added detail!

LGTM 👍

@tianon tianon merged commit 29f17a0 into docker-library:master Jan 8, 2026
34 checks passed
@tianon tianon deleted the quic branch January 8, 2026 22:51
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Jan 8, 2026
@docker-library-bot
Update haproxy
5fe7d89 
Changes:

- docker-library/haproxy@29f17a0: Merge pull request docker-library/haproxy#257 from infosiftr/quic
- docker-library/haproxy@68b7118: Add pthread emulation to speed up openssl
- docker-library/haproxy@54f063d: Add QUIC to 3.2+
@tianon tianon mentioned this pull request Jan 8, 2026
Merged
tianon added a commit to docker-library/official-images that referenced this pull request Jan 9, 2026
@tianon @docker-library-bot
Update haproxy (#20604)
49fd123 
Changes:

- docker-library/haproxy@29f17a0: Merge pull request docker-library/haproxy#257 from infosiftr/quic
- docker-library/haproxy@68b7118: Add pthread emulation to speed up openssl
- docker-library/haproxy@54f063d: Add QUIC to 3.2+

Co-authored-by: Docker Library Bot <doi+docker-library-bot@docker.com>
@yosifkit yosifkit mentioned this pull request Jan 9, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tianon tianon tianon left review comments

@dkorunic dkorunic dkorunic left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Build HAProxy 2.6-dev with QUIC Support?

3 participants

@yosifkit @dkorunic @tianon