From 37f76c45fa348c4a728fcc06e089b98183687256 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 29 Oct 2025 16:38:29 +0100 Subject: [PATCH] DOC: configuration: "ech" for bind lines ECH is an experimental features which still a draft, but already exists as a feature branch in OpenSSL. This patch explains how to configure "ech" on bind lines. --- doc/configuration.txt | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index 1d53b4151..7eaaf3419 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16878,6 +16878,31 @@ ecdhe the named curve (RFC 4492) used to generate ECDH ephemeral keys. By default, used named curve is prime256v1. +ech [ EXPERIMENTAL ] + Apply all ECH keys from to the bind line. + The files must have the .ech extension and must use the PEM file format for + ECH. ( https://datatracker.ietf.org/doc/draft-farrell-tls-pemesni/ ) + + This keyword enables ECH in shared-mode. with HAProxy acting as both the TLS + endpoint and the ECH endpoint. + See https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ + + This is an experimental feature, which requires the + "expose-experimental-directives" option in the global section. It also + necessitates an OpenSSL version that supports ECH, and HAProxy must be + compiled with USE_ECH=1. + + Example: + $ openssl ech -public_name foobar.com -out /etc/haproxy/echkeydir/foobar.com.ech + + $ cat haproxy.cfg + [...] + bind :443 ech /etc/haproxy/echkeydir/ ssl crt example.com.pem + + // Use the ECHCONFIG section of your .ech file + $ openssl s_client -tls1_3 -connect example.com:443 -servername example.com \ + -ech_config_list AD3+DQA5cwAgACB6ybtgtFYoM5r8nJSotus4c7K0EG..9vYmFyLmNvbQAA + expose-fd listeners This option is only usable with the stats socket. It gives your stats socket the capability to pass listeners FD to another HAProxy process. -- 2.47.3
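Review bot: the keyword synopsis `+ech [ EXPERIMENTAL ]` and the first description line `Apply all ECH keys from to the bind line.` never name the argument the keyword takes, so a reader cannot tell from the synopsis that a directory path is expected; the example later shows `bind :443 ech /etc/haproxy/echkeydir/ ssl crt example.com.pem`, so the synopsis should carry a placeholder for the directory and the sentence should read "Apply all ECH keys from the given directory to the bind line." In the same paragraph, `This keyword enables ECH in shared-mode. with HAProxy acting as both the TLS` has a stray full stop where a comma belongs ("in shared-mode, with HAProxy acting as both the TLS endpoint and the ECH endpoint"). Two smaller points on the example block: the `-ech_config_list AD3+DQA5cwAgACB6ybtgtFYoM5r8nJSotus4c7K0EG..9vYmFyLmNvbQAA` value is visibly elided with `..`, which is fine for a doc example but worth stating (e.g. "truncated") so nobody copies it verbatim, and the `// Use the ECHCONFIG section of your .ech file` line mixes a C-style comment into a shell transcript, where a `#` comment would match the surrounding `$` prompts. It would also help operators to state explicitly that only files with the `.ech` extension in that directory are loaded and others are ignored, since the text currently only says the files "must have the .ech extension" without saying what happens to anything else found there.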