Announcing HAProxy ALOHA 16

HAProxy ALOHA 16 is now available, and we’re excited to share that this release includes one of the cornerstone features announced in HAProxy Enterprise 2.9—the next-generation HAProxy Enterprise WAF. Customers of our hardware and virtual load balancer appliances also benefit from four new Layer 4 load balancing algorithms, the upgrade of the Linux kernel to version 6.1, and the ability to bind admin services on a dedicated interface.

New to HAProxy ALOHA?

HAProxy is the world’s fastest and most widely used software load balancer and the G2 category leader in API management, container networking, DDoS protection, web application firewall (WAF), and load balancing. HAProxy ALOHA makes application delivery simple with premium support, robust multi-layered security, and an intuitive interface—all in a convenient hardware or virtual appliance. HAProxy ALOHA provides an all-in-one application delivery controller with everything you need out-of-the-box.

What’s new?

HAProxy ALOHA 16 includes exclusive new enterprise features, plus all the features from the community version, HAProxy 2.9. For a full list of features, read the release notes for HAProxy ALOHA 16.

New in HAProxy ALOHA 16 are the following important features:

  • The next-generation HAProxy Enterprise WAF powered by our unique Intelligent WAF Engine provides exceptional accuracy, zero-day threat detection, ultra-low latency, and simple management with optional OWASP Core Rule Set (CRS) compatibility. Our industry-leading WAF performance virtually eliminates the security impact of false negatives and the noise of false positives, with a balanced accuracy of 98.53% measured in testing based on open source WAF benchmark data.

  • Four new Layer 4 load balancing algorithms expand HAProxy ALOHA’s flexibility in distributing traffic using a wider range of load balancing techniques. The four new algorithms include Weighted Overflow, Weighted Failover, Maglev Hashing, and Weighted Two Random Choices.

  • Upgrading HAProxy ALOHA’s Linux kernel to version 6.1 extends the period during which the appliance receives upstream Linux security fixes.

  • Better isolation of admin services makes it easier to segregate administrative services, strengthening security and enabling stricter access control.

We announced the release of HAProxy 2.9 in December 2023, which included faster performance, more flexibility, and better observability. The features from HAProxy 2.9 are now incorporated in HAProxy ALOHA 16.

Ready to upgrade?

To start the upgrade procedure, visit the installation instructions for HAProxy ALOHA 16.


Next-generation WAF brings secure application delivery without compromise

One thing customers love about HAProxy ALOHA is that it comes bundled with its own web application firewall (WAF). We’re happy to share that the WAF in HAProxy ALOHA 16 is even better than before. The next-generation HAProxy Enterprise WAF brings industry-leading accuracy, performance, and simplicity.

Why a next-generation WAF?

Previously, HAProxy ALOHA included multiple WAF options, including an Advanced WAF and a ModSecurity WAF based on the OWASP Core Rule Set (CRS).

  • Customers using the Advanced WAF found it to be extremely fast and powerful, but the skill requirements were relatively high. 

  • Meanwhile, customers using the ModSecurity WAF appreciated the simplicity and industry-standard CRS compatibility, but the open source ModSecurity WAF introduced more latency and higher false positives than many customers were comfortable with. 

As we looked at the other WAF options on the market we also realized that low accuracy was a common problem, leaving users struggling to manage many false positives and to mitigate the damage caused by application attacks that slip through a WAF undetected. 

We wanted to give customers a WAF experience that combined the speed of the Advanced WAF, the simplicity of the ModSecurity WAF, and unprecedented accuracy to strengthen security and eliminate the noise. This goal led us to create the next-generation HAProxy Enterprise WAF, which delivers secure application delivery without compromise.

What can you do with HAProxy Enterprise WAF?

Out-of-the-box, the HAProxy Enterprise WAF provides ultra-low latency protection against application attacks. This includes common attacks such as SQL Injection, Cross Site Scripting (XSS), Remote Code Execution (RCE), and Local File Inclusion (LFI), as well as emerging and zero-day threats. You can optionally use the industry-standard OWASP Core Rule Set (CRS) compatibility mode to maximize compatibility and transparency where needed.

Why should you use HAProxy Enterprise WAF?

Three reasons:

  • Stronger security with exceptional balanced accuracy measured using open source WAF benchmark data, virtually eliminating the security impact of false negatives and the noise of false positives.

  • Higher performance ensures ultra-low latency threat detection and traffic filtering while keeping resource use and operational costs low. 

  • Simple to set up and manage with out-of-the-box behavior suitable for most deployments.

The next-generation HAProxy Enterprise WAF powered by the unique Intelligent WAF Engine brings industry-leading efficacy and performance. The Intelligent WAF Engine is a single low-latency process based on the company’s unique data science, security analytics, and real-world datasets. It identifies security threats using a non-signature-based detection system capable of blocking emerging and zero-day threats without requiring users to create and manage long or complex lists of rules.

Let’s talk accuracy. WAF accuracy can be calculated by measuring the true positive rate and the true negative rate:

  • True positive rate refers to the proportion of dangerous traffic correctly identified by the WAF. Dangerous traffic incorrectly identified as safe is a “false negative”.

  • True negative rate refers to the proportion of safe traffic correctly identified by the WAF. Safe traffic incorrectly identified as dangerous is a “false positive”.

The average of these two values is called “balanced accuracy”. The vast majority of WAFs on the market do well at one metric but not the other, resulting in poor scores for balanced accuracy (generally below 90%). Naturally, we wanted to have a go ourselves, so we followed the same methodology with the new HAProxy Enterprise WAF.

HAProxy Enterprise WAF powered by the Intelligent WAF Engine achieved: 

  • a true-positive rate of 99.61%

  • a true-negative rate of 97.45%

  • a resulting balanced accuracy rate of 98.53%.

This result comfortably beats the category average. It means that false positives are a thing of the past, reducing the impact on legitimate users and the operational burden of monitoring security alerts. It also means that false negatives are virtually eliminated, reducing the risk that malicious traffic will cause downtime, data loss, fraud, and more.
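To make the metric above concrete, here is an added example (not code from HAProxy or from the benchmark the post refers to) that scores a WAF's verdicts against ground-truth labels and derives the true-positive rate, true-negative rate and balanced accuracy exactly as the post defines them. The ten-sample evaluation log at the bottom is constructed for illustration; in practice you would feed in the labels and verdicts from your own benchmark run.

```python
from collections import Counter


def confusion_matrix(labels, verdicts):
    """Count true/false positives and negatives for one evaluation run.

    labels:   True where the request really is an attack (ground truth)
    verdicts: True where the WAF flagged or blocked the request
    """
    if len(labels) != len(verdicts):
        raise ValueError("labels and verdicts must have the same length")
    counts = Counter()
    for is_attack, flagged in zip(labels, verdicts):
        if is_attack and flagged:
            counts["tp"] += 1          # attack correctly caught
        elif is_attack and not flagged:
            counts["fn"] += 1          # attack let through (false negative)
        elif not is_attack and flagged:
            counts["fp"] += 1          # safe request blocked (false positive)
        else:
            counts["tn"] += 1          # safe request correctly allowed
    return {k: counts[k] for k in ("tp", "fn", "fp", "tn")}


def balanced_accuracy(tpr, tnr):
    """Balanced accuracy is the plain average of the two rates."""
    return (tpr + tnr) / 2


def rates(cm):
    """Derive the rates the post talks about from a confusion matrix."""
    attacks = cm["tp"] + cm["fn"]
    safe = cm["tn"] + cm["fp"]
    if attacks == 0 or safe == 0:
        raise ValueError("need both attack and safe samples to compute rates")
    tpr = cm["tp"] / attacks           # share of attacks detected
    tnr = cm["tn"] / safe              # share of safe traffic allowed
    return {
        "tpr": tpr,
        "tnr": tnr,
        "fpr": 1 - tnr,                # false positives, the "noise"
        "fnr": 1 - tpr,                # false negatives, the missed attacks
        "balanced_accuracy": balanced_accuracy(tpr, tnr),
    }


# Constructed evaluation log (illustrative only, not benchmark data):
# 4 attack requests and 6 safe requests, and the verdicts a hypothetical WAF gave.
SAMPLE_LABELS = [True, True, True, True, False, False, False, False, False, False]
SAMPLE_VERDICTS = [True, True, True, False, False, False, False, False, True, False]


if __name__ == "__main__":
    cm = confusion_matrix(SAMPLE_LABELS, SAMPLE_VERDICTS)
    print("confusion matrix:", cm)
    for name, value in rates(cm).items():
        print(f"{name:>18}: {value:.4f}")
    # The figures quoted in the post: 99.61% TPR and 97.45% TNR average to 98.53%.
    print("post's figures ->", f"{balanced_accuracy(0.9961, 0.9745):.4f}")
```

Plugging the post's own numbers into `balanced_accuracy` reproduces the 98.53% figure; the constructed sample log instead scores a much weaker 79.2%, which shows how a single missed attack out of four drags the true-positive rate, and with it the balanced accuracy, down.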

When using the optional OWASP CRS compatibility mode, we measured an impressively low false-positive rate of 1.78% at paranoia level 2 (compared with 28.36% for the ModSecurity WAF at the same paranoia level) resulting in reduced noise and a better user experience.

How about performance? WAF performance can be evaluated by the latency (the time taken to process each request) incurred with a variety of attack payloads and traffic volumes. The HAProxy Enterprise WAF provides high-performance threat detection and filtering with latency below measurable thresholds for the majority of attack payloads, meaning no performance penalty for security and virtually zero impact on legitimate traffic.

Performance is also improved significantly when using the optional OWASP CRS compatibility mode. With a realistic mix of safe and suspicious traffic (approximately 5% suspicious), the HAProxy Enterprise WAF achieves on average 15X lower latency than the ModSecurity WAF using the OWASP CRS.

This incredible accuracy and performance is available out-of-the-box to users of HAProxy ALOHA 16. You won’t need to write and maintain your own custom WAF rules. With the power of the Intelligent WAF Engine, it just works. This industry-leading performance in a simple package helps customers protect their business and reputation, simplify security, and reduce the impact on application performance and user experience.


Support for new Layer 4 load balancing algorithms

HAProxy ALOHA 16 introduces support for four new Layer 4 load balancing algorithms. This enhanced support expands HAProxy ALOHA’s flexibility in distributing traffic using a wider range of load balancing techniques.

Overflow Connection

The Overflow Connection scheduling algorithm implements "overflow" load balancing according to the number of active connections. This algorithm keeps all connections on the server with the highest weight and overflows to the next server if the number of connections exceeds the server's weight.

Overflow Connection offers predictable behavior in how connections are distributed, advantageous for those seeking consistent performance and resource utilization. However, considering that it uses active connections in its distribution, it may not be suitable for UDP.

Weighted Failover

The Weighted Failover scheduling algorithm offers a simple failover solution to ensure service continuity and minimize downtime. When initiating failover, this algorithm redirects connections to the next available server in line with the highest weight.

By prioritizing servers based on their weights, Weighted Failover ensures that your services remain accessible to users. This fast response to failures mitigates downtime and helps maintain availability, enhancing the overall reliability of your application delivery.
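The two weight-ordered schedulers described above, Overflow Connection and Weighted Failover, share the same idea of walking the server list from the highest weight down. The following is an added example written for this post, not HAProxy ALOHA's scheduler code; it models both selection rules in Python. One assumption is made explicit in the comments: a server is treated as "full" for Overflow Connection once its active connection count reaches its weight, which is how the description of overflowing "if the number of connections exceeds the server's weight" is read here. The server table and health map are constructed sample data.

```python
def ordered_by_weight(servers):
    """Server names sorted highest weight first; ties broken by name so the
    order is deterministic. `servers` maps name -> weight."""
    return sorted(servers, key=lambda name: (-servers[name], name))


def overflow_connection(servers, active, healthy):
    """Overflow Connection: keep filling the highest-weight server, and only
    spill over to the next one once it is full.

    Assumption used here: a server accepts a new connection while its active
    count is below its weight; at or above its weight it is full.
    `active` maps name -> current active connections, `healthy` maps
    name -> bool (missing entries are treated as healthy).
    """
    for name in ordered_by_weight(servers):
        if not healthy.get(name, True):
            continue
        if active.get(name, 0) < servers[name]:
            return name
    return None  # every healthy server is at capacity


def weighted_failover(servers, healthy):
    """Weighted Failover: all traffic goes to the highest-weight healthy server;
    the next server in weight order takes over only when it fails."""
    for name in ordered_by_weight(servers):
        if healthy.get(name, True):
            return name
    return None  # nothing left to fail over to


def simulate_overflow(servers, n_connections):
    """Open n_connections one after another (none closing) and return the final
    active counts, which shows the fill-then-overflow pattern."""
    active = {name: 0 for name in servers}
    healthy = {name: True for name in servers}
    for _ in range(n_connections):
        target = overflow_connection(servers, active, healthy)
        if target is None:
            break  # all servers full; remaining connections are refused
        active[target] += 1
    return active


if __name__ == "__main__":
    # Constructed sample pool: weights double as the per-server capacity.
    pool = {"web1": 100, "web2": 50, "web3": 10}
    print("120 connections:", simulate_overflow(pool, 120))
    print("200 connections:", simulate_overflow(pool, 200))
    print("failover, web1 down:", weighted_failover(pool, {"web1": False}))
```

Because Overflow Connection counts active connections, the simulation only makes sense for connection-oriented traffic, which is the same caveat the post raises for UDP.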

Maglev Hashing

The Maglev Hashing scheduler provides consistent hashing with minimal disruption when servers are added or removed, with each destination receiving an almost equal share of connections. Because it hashes incoming requests, identical requests are efficiently directed to the same backend server.

Maglev Hashing improves consistent hashing by leveraging a table to cache which server handles a hash, avoiding the shuffling of buckets. This consistency is critical for preserving session affinity in application delivery.
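To show what "a table to cache which server handles a hash" means in practice, here is an added example of the Maglev table-population algorithm as published in Google's Maglev paper. It is written for this post and is not HAProxy ALOHA's implementation: the hash function, the prime table size of 65537 and the backend and client names are all assumptions or constructed data. The `remap_report` helper removes one backend and compares how many keys change destination under Maglev versus a naive hash-modulo scheme, which is the disruption property the post is describing.

```python
import hashlib


def _hash(value, salt):
    """Stable 64-bit hash (SHA-256 based so results are reproducible)."""
    digest = hashlib.sha256(f"{salt}:{value}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def build_maglev_table(backends, table_size=65537):
    """Populate a Maglev lookup table: each backend walks its own permutation
    of the slots and claims the next free one, round-robin, until full.
    table_size must be prime so every (offset, skip) pair is a full permutation."""
    n = len(backends)
    if n == 0:
        raise ValueError("need at least one backend")
    offset = [_hash(b, "offset") % table_size for b in backends]
    skip = [_hash(b, "skip") % (table_size - 1) + 1 for b in backends]
    next_pos = [0] * n
    table = [-1] * table_size
    filled = 0
    while True:
        for i in range(n):
            slot = (offset[i] + next_pos[i] * skip[i]) % table_size
            while table[slot] >= 0:          # skip slots another backend owns
                next_pos[i] += 1
                slot = (offset[i] + next_pos[i] * skip[i]) % table_size
            table[slot] = i
            next_pos[i] += 1
            filled += 1
            if filled == table_size:
                return table


def lookup(table, backends, key):
    """Route a key (e.g. a client identifier) via the precomputed table."""
    return backends[table[_hash(key, "lookup") % len(table)]]


def modulo_lookup(backends, key):
    """Naive hash-modulo routing, for comparison only."""
    return backends[_hash(key, "lookup") % len(backends)]


def entry_counts(table, backends):
    """How many table slots each backend owns (balance check)."""
    counts = {b: 0 for b in backends}
    for idx in table:
        counts[backends[idx]] += 1
    return counts


def remap_report(before, after, keys, table_size=65537):
    """Fraction of keys that change backend when going from `before` to `after`.
    'forced' keys had their backend removed and must move; any extra movement
    is the disruption the algorithm is meant to minimise."""
    t_before = build_maglev_table(before, table_size)
    t_after = build_maglev_table(after, table_size)
    removed = set(before) - set(after)
    forced = maglev_moved = modulo_moved = 0
    for k in keys:
        old, new = lookup(t_before, before, k), lookup(t_after, after, k)
        forced += old in removed
        maglev_moved += old != new
        modulo_moved += modulo_lookup(before, k) != modulo_lookup(after, k)
    n = len(keys)
    return {"forced": forced / n, "maglev_moved": maglev_moved / n,
            "modulo_moved": modulo_moved / n}


if __name__ == "__main__":
    pool = ["web1", "web2", "web3", "web4"]          # constructed backend names
    clients = [f"client-{i}" for i in range(2000)]   # constructed keys
    print("slots per backend:", entry_counts(build_maglev_table(pool), pool))
    print("after removing web4:", remap_report(pool, pool[:3], clients))
```

In the report, `forced` is the share of keys that were on the removed backend and have nowhere else to go; `maglev_moved` stays close to that floor, while `modulo_moved` reshuffles most of the remaining keys and would break session affinity for them.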

Weighted Two Random Choices

This algorithm decides which server will respond to each request by picking two random servers based on weighting and choosing the one with the fewest active connections. 

Weighted Two Random Choices improves the Power of Two Random Choices algorithm by considering the weights assigned to each server. This algorithm ensures that requests are routed to servers with ample capacity and resources, reducing response times and improving system performance.
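As an added example for the paragraph above (written for this post, not HAProxy ALOHA's scheduler code), the following Python models Weighted Two Random Choices: two distinct candidates are drawn with probability proportional to their weights, and the one with fewer active connections wins. The tie-break rule (prefer the heavier server, then the name) and the simulation in which open connections close at random are assumptions made so the example runs end to end; the server pool is constructed data.

```python
import random


def pick_two(servers, rng):
    """Draw two distinct candidates, each draw weighted by server weight.
    `servers` maps name -> weight."""
    if len(servers) < 2:
        raise ValueError("need at least two servers")
    names = list(servers)
    first = rng.choices(names, weights=[servers[n] for n in names], k=1)[0]
    rest = [n for n in names if n != first]
    second = rng.choices(rest, weights=[servers[n] for n in rest], k=1)[0]
    return first, second


def weighted_two_random_choices(servers, active, rng=random):
    """Pick the candidate with the fewest active connections.
    Tie-break (an assumption): the higher weight wins, then the name."""
    a, b = pick_two(servers, rng)
    return min((a, b), key=lambda n: (active.get(n, 0), -servers[n], n))


def simulate(servers, requests, rng, close_prob=0.2):
    """Dispatch `requests` one at a time. Before each dispatch every open
    connection closes with probability close_prob, so load keeps changing.
    Returns how many requests each server handled."""
    active = {n: 0 for n in servers}
    served = {n: 0 for n in servers}
    for _ in range(requests):
        for n in servers:
            closed = sum(1 for _ in range(active[n]) if rng.random() < close_prob)
            active[n] -= closed
        target = weighted_two_random_choices(servers, active, rng)
        active[target] += 1
        served[target] += 1
    return served


if __name__ == "__main__":
    rng = random.Random(42)
    # Constructed pool: one server with four times the capacity of the others.
    pool = {"big": 4, "small1": 1, "small2": 1, "small3": 1}
    print("requests served:", simulate(pool, 4000, rng))
```

With only two servers both are always candidates, so the weights only decide ties and the rule degenerates to least connections; the weighting matters once there are three or more servers, where the heavier server is simply a candidate far more often.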


Isolation of admin services

In HAProxy ALOHA 16, some services now support specifying the network interface on which they listen. This makes it easier to isolate administrative services on a specific subnet.

This is especially helpful when HAProxy ALOHA is attached to two networks. By specifying that the admin services are on one network while web traffic is on the other, customers are able to enhance their security and enable stricter access control. This helps limit the attack surface for security threats because attackers would need to bypass additional security measures to gain unauthorized access.

Customers can bind admin services on a dedicated interface using the new @iface keyword for the following services:

  • collectd

  • httpd

  • notify

  • ntpd

  • snmpd

  • sshd

  • syslog

Upgraded Linux kernel

This release upgrades HAProxy ALOHA’s Linux kernel to version 6.1, so users benefit from a longer period of upstream support from Linux.org for essential security fixes.

Conclusion

For a complete list of features and changes, read the HAProxy ALOHA 16 release notes.

Upgrade to HAProxy ALOHA 16 to enhance your application's performance, flexibility, and security with the latest features and changes.
