HAProxy built with BoringSSL in a Docker image
Why might you want to use BoringSSL instead of OpenSSL?
- Match the TLS features available in Google Chrome, e.g. support the TLS version 1.3 draft that Chrome supports.
- Use BoringSSL's cipher groups, which allow the server to choose the client's preferred cipher in certain circumstances (e.g. when a client lacks hardware support for AES, a faster software implementation of ChaCha20 can be used instead).
- Some other reason you may have for preferring BoringSSL over OpenSSL :-)
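To make the cipher-group behaviour concrete, here is an added example (not part of this image or of BoringSSL's code) that models the selection rule in Python: the server's order decides between groups, and the client's order decides inside a `[A|B]` equal-preference group. The function names and the sample client lists are constructed for illustration, and only the `:` separator and `[A|B]` group syntax are parsed.

```python
def parse_cipher_groups(spec):
    """Split a BoringSSL-style cipher string into equal-preference groups.

    A bare cipher name becomes a group of one. Other cipher-string
    operators are out of scope for this model.
    """
    groups = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        if item.startswith("[") != item.endswith("]"):
            raise ValueError("unbalanced group: %r" % item)
        if item.startswith("["):
            members = [m.strip() for m in item[1:-1].split("|") if m.strip()]
            if not members:
                raise ValueError("empty group in %r" % spec)
            groups.append(members)
        else:
            groups.append([item])
    return groups


def choose_cipher(server_spec, client_prefs):
    """Return the negotiated cipher name, or None if nothing is shared."""
    rank = {}
    for i, name in enumerate(client_prefs):
        rank.setdefault(name, i)  # first mention is the client's preference
    for group in parse_cipher_groups(server_spec):
        offered = [c for c in group if c in rank]
        if offered:
            # Inside a group, the client's own ordering picks the winner.
            return min(offered, key=rank.__getitem__)
    return None  # no shared cipher: the handshake would fail


CHACHA = "ECDHE-ECDSA-CHACHA20-POLY1305"
AES128 = "ECDHE-ECDSA-AES128-GCM-SHA256"
AES256 = "ECDHE-ECDSA-AES256-GCM-SHA384"

GROUPED = "[%s|%s]:%s" % (CHACHA, AES128, AES256)  # group first, then AES256
FLAT = "%s:%s:%s" % (CHACHA, AES128, AES256)       # strict server order

# Constructed client preference lists.
NO_AES_HW = [CHACHA, AES128, AES256]  # e.g. a phone without AES instructions
AES_HW = [AES128, AES256, CHACHA]     # e.g. a desktop with hardware AES

if __name__ == "__main__":
    for label, prefs in (("no AES hardware", NO_AES_HW), ("AES hardware", AES_HW)):
        print(label, "| grouped:", choose_cipher(GROUPED, prefs),
              "| flat:", choose_cipher(FLAT, prefs))
```

With the flat list every client is pushed to ChaCha20; with the group, each client gets whichever of the two it ranked first, while AES256 is still only chosen if neither grouped cipher is offered.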
This image is somewhat inspired by "nginx-boringssl", but of course uses HAProxy instead of Nginx. Also, while nginx-boringssl enables many extra features and optimisations, this image does fewer fancy things.
Compared to the official HAProxy image, this image:
- Builds and statically links BoringSSL, tracking* the BoringSSL version used in Chromium stable (as opposed to using the operating system's OpenSSL).
- Builds against PCRE2 instead of the older "PCRE 3".
- Enables use of the PCRE2 JIT engine.
- The Alpine Linux image is based on Alpine 3.7 vs. (currently) Alpine 3.6 in the official image.
* No promises about speedy updates to HAProxy or BoringSSL. I'm just one person.