Reference

set ssl ech

Available since

  • HAProxy 3.3

Replace the Encrypted Client Hello (ECH) keys of a bind line.

Description

The ECH key payload must be in the PEM file format for ECH.

You can specify the bind using the line number:

<frontend>/@<config_filename>:<linenum>

Alternatively, you can specify the bind using the bind name:

<frontend>/<bind_name>

This command is supported only on a CLI connection running in experimental mode (experimental-mode on).

Examples

Submit PEM file foobar3.com.ech to replace the ECH keys in the bind on line 19 in frontend frontend1 in configuration haproxy.cfg:

openssl ech -public_name foobar.com -out foobar3.com.ech
echo -e "experimental-mode on; set ssl ech frontend1/@haproxy.cfg:19 <<%EOF%\n$(cat foobar3.com.ech)\n%EOF%\n" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
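
An added example, not part of the HAProxy documentation: a shell wrapper that checks the bind reference and the PEM file before building the same CLI input as the command above. The function names and the character allowlist for bind references are assumptions of this example, and the demo file is a constructed placeholder, not a real ECH key.

```shell
#!/bin/sh
# Added example, not from the HAProxy documentation.
TERMINATOR='%EOF%'   # payload end marker, as in the page's example

# Accept only <frontend>/@<config_filename>:<linenum> or <frontend>/<bind_name>.
# The character allowlist is this example's assumption, chosen so that no
# ';', '<', whitespace or newline can reach the CLI command line.
valid_bind_ref() {
    case $1 in *'
'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9_.:-]+/(@[A-Za-z0-9_./-]+:[0-9]+|[A-Za-z0-9_.:-]+)$'
}

# Print the complete CLI input for one key replacement, or fail without output.
build_ech_command() {
    bind_ref=$1
    pem_file=$2
    valid_bind_ref "$bind_ref" || { echo "rejected bind reference" >&2; return 1; }
    [ -s "$pem_file" ] || { echo "PEM file missing or empty" >&2; return 1; }
    # PEM data always carries BEGIN armor; its absence means the wrong file.
    grep -q '^-----BEGIN ' "$pem_file" || { echo "no PEM armor" >&2; return 1; }
    # The marker inside the file would end the payload early.
    if grep -Fq "$TERMINATOR" "$pem_file"; then
        echo "file contains the payload terminator" >&2; return 1
    fi
    printf 'experimental-mode on; set ssl ech %s <<%s\n' "$bind_ref" "$TERMINATOR"
    # $(...) drops trailing newlines, so the marker always starts its own line.
    printf '%s\n%s\n' "$(cat "$pem_file")" "$TERMINATOR"
}

# Demo on a constructed placeholder file (not a real ECH key).
demo=$(mktemp)
printf '%s\n' '-----BEGIN EXAMPLE-----' 'QUJD' '-----END EXAMPLE-----' > "$demo"
build_ech_command 'frontend1/@haproxy.cfg:19' "$demo"
rm -f "$demo"

# Real use, with the socket address from the page's example:
#   build_ech_command frontend1/@haproxy.cfg:19 foobar3.com.ech | \
#       sudo socat stdio tcp4-connect:127.0.0.1:9999
```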
