HAProxy Enterprise 3.1 is now available! With every release, HAProxy Enterprise redefines what to expect from a software load balancer, and 3.1 is no different. With a brand new ADFSPIP Module and enhancements to the HAProxy Enterprise UDP Module, CAPTCHA Module, Global Profiling Engine, Stream Processing Offloading Engine, and Route Health Injection Module, this version improves HAProxy Enterprise's legendary performance and provides even greater flexibility and security.
New to HAProxy Enterprise?
HAProxy Enterprise provides high-performance load balancing for TCP, UDP, QUIC, and HTTP-based applications, high availability, an API gateway, Kubernetes application routing, SSL processing, DDoS protection, bot management, global rate limiting, and a next-generation WAF.
HAProxy Enterprise combines the performance, reliability, and flexibility of our open-source core (HAProxy – the most widely used software load balancer) with ultra-low-latency security layers and world-class support. HAProxy Enterprise benefits from full-lifecycle management, monitoring, and automation (provided by HAProxy Fusion), and next-generation security layers powered by threat intelligence from HAProxy Edge and enhanced by machine learning.
Together, this flexible data plane, scalable control plane, and secure edge network form HAProxy One: the world’s fastest application delivery and security platform that is the G2 category leader in API management, container networking, DDoS protection, web application firewall (WAF), and load balancing.
To learn more, contact our sales team for a demonstration or request a free trial.
What’s new?
HAProxy Enterprise 3.1 includes new enterprise features plus all the features from the community version of HAProxy 3.1. For the full list of features, read the release notes for HAProxy Enterprise 3.1.
New in HAProxy Enterprise 3.1 are the following important features:
New UDP Module hash-based algorithm. We’ve added a hash-based load balancing algorithm to the HAProxy Enterprise UDP Module to broaden the capabilities of HAProxy Enterprise when handling UDP traffic.
New CAPTCHA Module cookie options. With new cookie-related options for the CAPTCHA Module, users can control key attributes such as where cookies are valid within the application, which domain they apply to, how they interact with cross-site requests, and the length of their session.
New ADFSPIP Module. The new ADFSPIP Module offers a powerful proxying alternative for handling authentication and application traffic between external clients, internal AD FS servers, and internal web applications.
Enhanced aggregation and advanced logging in Global Profiling Engine. The Global Profiling Engine benefits from improved stick table aggregation, which introduces enhancements to data aggregation and peer connectivity management. Also, the Global Profiling Engine's enhanced logging capabilities offer flexible log storage, customizable log formats, and automated log rotation for improved monitoring and troubleshooting.
Reworked Stream Processing Offloading Engine. The reworked Stream Processing Offloading Engine (SPOE) improves reliability and load balancing efficiency, and will better integrate with HAProxy Enterprise’s evolving architecture.
The enhanced Route Health Injection Module. The Route Health Injection (RHI) Module and route packages will now support thousands of route injections for better scalability.
We announced the release of the community version, HAProxy 3.1, in December 2024, which included improvements to observability, reliability, performance, and flexibility. The features from HAProxy 3.1 are now available in HAProxy Enterprise 3.1.
Some of these inherited features include:
Smarter logging with log profiles: Define log formats for every stage of a transaction—like accept, request, and response—to simplify troubleshooting and eliminate the need for post-processing logs.
Traces—now GA: HAProxy’s enhanced traces feature, a powerful tool for debugging complex issues, is now officially supported and easier to use.
Optimized HTTP/2 performance: Dynamic per-stream window size management boosts POST upload performance by up to 20x, while reducing head-of-line blocking.
More reliable reloads: Improved master/worker operations and cleaner separation of roles provide smoother operations during reloads.
We outline every community feature in detail in, “Reviewing Every New Feature in HAProxy 3.1”.
Ready to upgrade?
When you are ready to start the upgrade procedure, go to the upgrade instructions for HAproxy Enterprise.
New hash-based algorithm expands UDP Module flexibility
Last year, we introduced our customers to the HAProxy Enterprise UDP Module for fast, reliable UDP proxying and load balancing. The module offers customers best-in-class performance among software load balancers, capable of reliably handling 3.8 million Syslog messages per second.
But there was a bigger story to tell.
Adding UDP proxying and load balancing to HAProxy Enterprise was a critical move to simplify application delivery infrastructure. Previously, those with UDP applications might have used another load balancing solution alongside HAProxy Enterprise, adding complexity to their infrastructure. By including UDP support in HAProxy Enterprise, alongside support for TCP, QUIC, SSL, and HTTP, we provided customers with a simple, unified solution.
With HAProxy Enterprise 3.1, we’re reinforcing our commitment to flexibility by enhancing the UDP Module’s capabilities—bringing you even closer to a truly unified load balancing solution for all your application needs.
Greater control over UDP traffic
HAProxy Enterprise 3.1 introduces the hash-based load balancing algorithm to the UDP Module to broaden the capabilities of HAProxy Enterprise when handling UDP traffic. The hash-based algorithm brings customers improved session persistence, optimized caching, and consistent routing.
The hash-based algorithm handles UDP traffic the same way it handles HTTP traffic, enabling consistent request mapping to backend servers using map-based or consistent hashing. Additionally, hash-balance-factor prevents any one server from getting too many requests at once.
hash-type: This defines the function for creating hashes of requests and the method for assigning hashed requests to backend servers. Users can select between map-based hashing (which is static but provides uniform distribution) and consistent hashing (which adapts to server changes while minimizing service disruptions).hash-balance-factor: This prevents overloading a single server by limiting its concurrent requests relative to the average load across servers, ensuring a more balanced distribution, particularly in high-throughput environments.
Hash-based load balancing ensures predictable, consistent request routing based on the request attribute. With both map-based and consistent hashing, along with hash-balance-factor to prevent server overload, HAProxy Enterprise now provides an expanded toolset for UDP load balancing.
Learn more about load balancing algorithms.
For customers using HAProxy Enterprise with VMware Omnissa Horizon, the introduction of the hash-based load balancing algorithm removes a previous limitation that prevented session persistence between TCP/HTTP and UDP services.
New cookie options for the CAPTCHA Module bring enhanced security and session handling
We recently released the new CAPTCHA Module in HAProxy Enterprise to simplify configuration and extend support for CAPTCHA providers. By embedding CAPTCHA functionality directly within HAProxy Enterprise as a native module, we provided our customers with a simplified and flexible way to verify human clients.
With HAProxy Enterprise 3.1, we’ve expanded the CAPTCHA Module’s capabilities by introducing new cookie-related options. Now, upon CAPTCHA verification, users can control key attributes of a cookie, such as where cookies are valid within the application, which domain they apply to, how they interact with cross-site requests, and the length of the session.
The new cookie-related options include:
Path:
cookie-pathdefines where the cookie is valid within the applicationDomain:
cookie-domainspecifies the domain the cookie is valid forSameSite:
cookie-samesitespecifies how cookies are sent across sitesSecure:
cookie-secureensures cookie is transmitted over HTTPS connectionsMax-Age:
cookie-max-agedefines a cookie’s lifetime in secondsExpires:
cookie-expiresdefines the expiration date for the cookie.
These options provide greater customization of cookie behavior during CAPTCHA verification. With HAProxy Enterprise 3.1, the CAPTCHA Module will now provide:
Enhanced control: Users can control the lifespan, scope, and security of CAPTCHA cookies, offering more customization to meet various use cases.
Improved security: Expanding the cookie-related options benefits users by making the CAPTCHA verification process more secure and observable.
Better session handling: New options offer better control over sessions for performance and user experience.
With HAProxy Enterprise 3.1, the expanded cookie options in the CAPTCHA Module provide precise control over cookie behavior, enhancing both security and the client experience. Web applications gain stronger protection against malicious bots, while verified human users enjoy smoother access and reduced likelihood of unnecessary authentication, ensuring a seamless and more secure browsing experience.
The new ADFSPIP Module: a powerful alternative for internal AD FS servers and web applications
AD FS proxying secures access to internal web applications by managing authentication requests from external clients. Organizations often use a dedicated AD FS proxy to bridge the gap between external users and an internal corporate network. While some organizations may use the default AD FS proxy for external client connections, they may instead benefit from a more capable alternative that offers more sophisticated traffic management.
In HAProxy Enterprise 3.1, we’re introducing the new ADFSPIP (Active Directory Federation Services Proxy Integration Protocol) Module, which enables HAProxy Enterprise to handle authentication and application traffic between external clients, internal AD FS servers, and internal web applications.
The high-performance and scalable nature of HAProxy Enterprise allows it to handle a large volume of external traffic for internal AD FS servers and internal web applications. HAProxy Enterprise’s flexible nature means it integrates with your internal corporate network while operating as a load balancer and multi-layered security for your broader application delivery infrastructure. In other words, you can consolidate all of your reverse proxying and load balancing functions into a single solution, reducing operational complexity.
The end result?
Faster, more reliable authentication: The ADFSPIP Module takes advantage of the world’s fastest software load balancer to ensure clients experience fast, reliable authentication with fewer disruptions when accessing internal AD FS servers and web applications.
Tailored solution with smooth integration: With the ADFSPIP Module, HAProxy Enterprise can be adapted to your organization's specific requirements, allowing you to integrate HAProxy Enterprise into your existing infrastructure without major changes.
Reduced management overhead: By consolidating AD FS proxying and load balancing functions into a single solution, your teams can spend less time managing multiple systems, ultimately improving efficiency.
Global Profiling Engine: Improved data aggregation and advanced logging
The Global Profiling Engine helps customers maintain a unified view of client activity across an HAProxy Enterprise cluster. By collecting and analyzing stick table data from all nodes, the Global Profiling Engine offers real-time insight into current and historical client behavior. This data is then shared across the load balancers, enabling informed decision-making such as rate limiting based on the real global rate, to manage traffic effectively.
Customers will be pleased to know that the latest updates to the Global Profiling Engine are available for HAProxy Enterprise 3.1 and all previous versions.
Enhanced aggregation and peer connectivity
In HAProxy Enterprise 3.1, we’ve introduced advancements to the Global Profiling Engine, improving the way data is aggregated and peer connectivity is managed.
Previously, HAProxy Enterprise users leveraging the Global Profiling Engine faced a few challenges with stick table aggregation. Some of these challenges included:
Truncated data display: The
show aggrscommand previously didn’t support multi-buffer streaming, which resulted in a truncated output.Limited control over aggregation: Users had limited options for defining multiple
fromlines per aggregation.Configuration constraints: In environments with multiple layers of aggregators, users had no control over whether data was sent to UP peers.
The updated Global Profiling Engine addresses these challenges by enhancing data visibility, providing greater control over aggregation in multi-layer environments, and supporting multiple aggregation sources with improved peer synchronization.
Expanded data visibility:
show aggrsnow supports multiple buffers, ensuring all data is visible instead of just the first chunk.Greater control over aggregation: A new
no-ascendoption prevents data from being sent to “UP” peers in multi-layer environments.Improved configuration flexibility: Multiple
fromlines are now supported per aggregation, offering greater flexibility in defining aggregation source.Support for more peer data types: The Global Profiling Engine now properly handles previously unsupported peer data types.
Customers looking for a more efficient Global Profiling Engine for monitoring client activity across their infrastructure will love the improvements to the aggregator. Better data aggregation and peer connectivity deliver better resource utilization, improved performance, and greater flexibility.
New advanced logging capabilities
HAProxy Enterprise 3.1 delivers enhanced logging capabilities within the Global Profiling Engine, offering flexible log storage, customizable log formats, and automated log rotation for improved monitoring and troubleshooting.
The Global Profiling Engine now empowers customers with advanced logging to files or a Syslog server. The new advanced logging modes are as follows:
Redirection of
stdout/stderrstream output to log file: This mode captures standard output and error messages and writes them into a specified file.Logging into log files: This mode allows logs to be split into different files based on severity or stored in a single common file.
Logging into a UNIX-domain socket (local Syslog server): If a Syslog server is running on the same machine, this mode enables the Global Profiling Engine to log directly to it using a UNIX socket.
Logging into the TCP/UDP INET socket (remote Syslog server): This mode sends logs over the network to a remote Syslog server using TCP or UDP.
Furthermore, customers can fine-tune Global Profiling Engine logging with:
Configurable log formats (RFC3164, RFC5424, or file-based).
Flexible log storage with customizable file paths, severities, and facilities.
Log rotation handling to detect deleted or rotated log files and create new ones automatically.
With advanced logging, the Global Profiling Engine provides greater visibility and control over how data is handled, allowing customers to customize log storage and formats as needed. Integration with remote Syslog servers simplifies log management across distributed infrastructure, while automated log rotation eliminates the need for manual intervention. These improvements make monitoring and troubleshooting with the Global Profiling Engine more efficient.
Reworked Stream Processing Offloading Engine
Stream Processing Offloading Engine (SPOE) enables administrators, DevOps, and SecOps teams to implement custom functions at the proxy layer using any programming language. However, as HAProxy Enterprise’s codebase has evolved, maintaining the original SPOE implementation became a bit more complex.
With HAProxy Enterprise 3.1, SPOE has been updated to fully support HAProxy Enterprise’s modern architecture, allowing greater efficiency in building and managing custom functions. It’s now implemented as a “mux”, which allows for fine-grained management of SPOP (the SPOE Protocol) through a new backend mode called mode spop. This update brings several benefits:
Support for load balancing algorithms: You can now apply any load-balancing strategy to SPOP backends, optimizing traffic distribution.
Connection sharing between threads: Idle connections can be shared, improving efficiency on the server side and response times on the agent side.
What does this mean for our customers? We’ve future-proofed SPOE to better integrate with HAProxy Enterprise’s infrastructure! Rest assured, the reworked SPOE was achieved without any breaking changes. If you’ve built SPOA (Agents) in previous versions of HAProxy Enterprise, they’ll continue to work just fine with HAProxy Enterprise 3.1.
Enhanced Route Health Injection (RHI) Module
The Route Health Injection (RHI) Module monitors your load balancer’s connectivity to backend servers and can remove the entire load balancer from duty if it can suddenly not reach those servers and route all traffic to other, healthy load balancers.
In HAProxy Enterprise 3.1, the RHI has been updated to offer better scalability. The RHI and route packages will now support thousands of route injections. The ability to support thousands of route injections will be particularly beneficial for large-scale infrastructures, empowering customers to manage more dynamic load balancing setups and seamless rerouting in the event that a load balancer fails.
Upgrade to HAProxy Enterprise 3.1
When you are ready to upgrade to HAProxy Enterprise 3.1, follow the link below.
Product | Release Notes | Install Instructions |
Try HAProxy Enterprise 3.1
The world’s leading companies and cloud providers trust HAProxy Technologies to simplify, scale, and secure modern applications, APIs, and AI services in any environment. As part of the HAProxy One platform, HAProxy Enterprise’s no-compromise approach to secure application delivery empowers organizations to deliver multi-cloud load balancing as a service (LBaaS), web app and API protection, API/AI gateways, Kubernetes networking, application delivery network (ADN), and end-to-end observability.
There has never been a better time to start using HAProxy Enterprise. Request a free trial of HAProxy Enterprise and see for yourself.
Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.
