add ssl ech

Available since

  • HAProxy 3.3

Add an Encrypted Client Hello (ECH) key to a bind line.

Description

The ECH key payload must be in the PEM file format for ECH.

You can specify the bind using the line number:

<frontend>/@<config_filename>:<linenum>

Alternatively, you can specify the bind using the bind name:

<frontend>/<bind_name>

This command is supported only on a CLI connection running in experimental mode (experimental-mode on).

Example

Create ECH key foobar3.com.ech and add it to the bind on line 19 of frontend frontend1 in configuration file haproxy.cfg:

openssl ech -public_name foobar.com -out foobar3.com.ech
echo -e "experimental-mode on; add ssl ech frontend1/@haproxy.cfg:19 <<%EOF%\n$(cat foobar3.com.ech)\n%EOF%\n" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
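
The same command built with checks before the key leaves the file, as an added example that is not part of the HAProxy documentation. The names build_add_ech_cmd and ECH_EOF are hypothetical, and the PEM block labels and the bind-reference allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the HAProxy docs). Function and variable names are hypothetical.
ECH_EOF='%EOF%'   # payload terminator, same pattern as the example above

# build_add_ech_cmd <bind-ref> <ech-pem-file>
# Prints the CLI command with its payload; returns non-zero if a check fails.
build_add_ech_cmd() {
    bind_ref=$1
    pem=$2

    # Allowlist for the bind reference (an assumption of this example) so that
    # whitespace or ';' cannot split the CLI command line.
    case $bind_ref in
        */*) ;;
        *) echo "bind reference must be <frontend>/..." >&2; return 2 ;;
    esac
    case $bind_ref in
        *[!A-Za-z0-9_./@:-]*) echo "unexpected character in bind reference" >&2; return 2 ;;
    esac

    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # Assumption: an ECH PEM file holds a PRIVATE KEY block and an ECHCONFIG block.
    grep -q '^-----BEGIN PRIVATE KEY-----$' "$pem" &&
        grep -q '^-----BEGIN ECHCONFIG-----$' "$pem" ||
        { echo "$pem: expected PEM blocks not found" >&2; return 3; }

    # A payload line equal to the terminator would end the payload early.
    if grep -qxF -e "$ECH_EOF" "$pem"; then
        echo "$pem: contains terminator line $ECH_EOF" >&2; return 4
    fi

    # The file contains a private key: refuse it if group or others have any access.
    perms=$(ls -Lld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$pem: run chmod 600 first" >&2; return 5; }

    printf 'experimental-mode on; add ssl ech %s <<%s\n' "$bind_ref" "$ECH_EOF"
    printf '%s\n' "$(cat "$pem")"   # command substitution trims trailing blank lines
    printf '%s\n' "$ECH_EOF"
}
```

Pipe the output to the CLI socket as in the example above: `build_add_ech_cmd frontend1/@haproxy.cfg:19 foobar3.com.ech | sudo socat stdio tcp4-connect:127.0.0.1:9999`.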
