Favicon Logo

📣️ New: CRAN R package binaries for arm64 and Alpine Linux

<categories> [sys-admin]

Compiling HAProxy with WolfSSL

A guide to compiling HAProxy with WolfSSL for enhanced performance and HTTP/3 support, including detailed build instructions.

Patrick Schratz
← Back to all posts

After reading the recent blog post of the HAProxy team on “The State of SSL Stacks”, we got convinced to move away from OpenSSL and try out one of their competitors for substantially enhanced performance.

To be able to use HTTP/3 with HAProxy these days, HAProxy must be compiled from source with a Quic-enabled SSL library.

The following snippet might be helpful for some which aim for the same migration to save time on finding the right flags for each library. Note: Don’t forget to install the required build tools on your respective distribution (we used Almalinux 9.5).

# clone WolfSSL
git clone --depth 1 --branch v5.8.0-stable https://github.com/wolfssl/wolfssl.git /tmp/wolfssl
 
# build WolfSSL
cd /tmp/wolfssl
./autogen.sh
./configure TARGET=linux-glibc --enable-quic --enable-tls13 --enable-alpn --enable-haproxy --prefix=/opt/wolfssl --libdir=/opt/wolfssl/lib
make -j$(nproc)
make install
 
# clone HAProxy
git clone --depth 1 --branch v3.1.7 https://git.haproxy.org/git/haproxy-3.1.git /tmp/haproxy
 
# build HAProxy
cd /tmp/haproxy
make TARGET=linux-glibc USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 USE_PROMEX=1 USE_LIBCRYPT=1 SSL_LIB=/opt/wolfssl/lib  SSL_INC=/opt/wolfssl/include
make install
haproxy -vv
 
HAProxy version 3.1.7 2025/04/17 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-3.1.7.html
Running on: Linux 5.14.0-503.40.1.el9_5.aarch64 #1 SMP PREEMPT_DYNAMIC Mon May 5 05:57:36 EDT 2025 aarch64
Build options :
  TARGET  = linux-glibc
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv
  OPTIONS = USE_LIBCRYPT=1 USE_OPENSSL_WOLFSSL=1 USE_QUIC=1 USE_PROMEX=1
  DEBUG   =
 
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC +OPENSSL_WOLFSSL -OT -PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB
← Back to all posts