HAProxy ALOHA
Release notes
Version 16.5 Jump to heading
Key changes in the HAProxy ALOHA 16.5 release include:
Bot management module
- Added the Bot Management module to HAProxy ALOHA. It uses reputational signals and scoring based on our own large, real-world datasets and data science to identify traffic accurately. The module will categorize clients as human, suspicious, bot, verified crawler (search engines), or verified bot/tool/app (non-browser). You can then combine this information with other security features, such as rate limiting and WAF, to create customized bot management policies.
- New botmgmt-profile section, scoring algorithms, and sample fetches to tune the module and increase observability.
- Export Prometheus metrics from bot management data.
Web Application Firewall
- Support for base64 decoding when defining custom rules.
- WAF related Prometheus exporter metrics.
- Process request body without Content-Type, even in “raw” mode.
- Validate incoming data to ensure it contains valid UTF-8 characters, filtering out potentially harmful characters that may attempt to exploit vulnerabilities.
Network management
- Network services gained support for new directives:
ip rule
enables setting policy-based routing.no arp
gives you the ability to disable ARP on an interface.no multicast
lets you disable receiving of multicasts.dhcptimeout
sets a timeout for DHCP.fctl
enables or disables sending and processing of flow control frames.sysset
sets a parameter insys.class.net
for root orsys.class.net.$if
for interfaces.
- Added support for IPv6 addresses, static routes, and IP rules.
- Added the Network Management CLI, a command-line tool for configuring physical and virtual network interfaces on the load balancer.
WireGuard VPN
- Added WireGuard VPN support to encrypt the configuration synchronization traffic that travels between two HAProxy ALOHA servers. You would use this when the servers are in different data centers and the traffic must go over the public internet.
SSL/TLS Enhancements
- The new crt-store configuration section provides a flexible way to store and consume SSL certificates by separating the certificate storage from their use in a frontend. This provides better visibility for certificate information by moving it from external files and placing it into the main configuration. The
crt-store
section allows you to individually specify the locations of each certificate component; for example certificates files, key files, and OCSP response files. Aliases provide support for human-friendly names for referencing the certificates more easily onbind
lines. - A new global
ssl-security-level
directive allows you to set a global OpenSSL internal security level. This enforces the appropriate checks and restrictions per the level specified. - Explicitly set default TLS certificates.
- You can now set multiple default certificates using the new
default-crt
argument on yourbind
line. You can also indicate a default certificate in a crt-list by marking it with an asterisk.
- You can now set multiple default certificates using the new
- Decrypt TLS 1.3 packet captures to backend servers.
- New to this version, you can now use
tune.ssl.keylog
to enable the logging of TLS secrets for TLS connections between HAProxy ALOHA and backend servers. This allows you to then use those TLS secrets to use Wireshark to decipher your encrypted packet captures.
- New to this version, you can now use
Prevent HAProxy from accepting traffic on privileged ports
- Two new global settings,
harden.reject-privileged-ports.tcp
for TCP connections andharden.reject-privileged-ports.quic
for QUIC connections, enable HAProxy ALOHA to ignore traffic when the client uses a privileged port (0 - 1023) as their source port. Clients using this range of ports are suspicious and such behavior often indicates spoofing, such as to launch DNS/NTP amplification attacks. The benefit in using these settings is that during DNS/NTP amplification attacks, CPU is reserved as HAProxy ALOHA will drop the packets on these privileged ports instead of parsing them.
HTTP/2 tuning options
- You can limit the number of total streams processed per incoming connection for HTTP/2 using the global directive
tune.h2.fe-max-total-streams
. Once this limit is reached, HAProxy ALOHA will send a graceful GOAWAY frame informing the client that it will close the connection after all pending streams have been closed. Usually, this prompts clients to reestablish their connections. This is helpful in situations where there is an imbalance in the load balancing due to clients maintaining long-lived connections. - HAProxy ALOHA now counts protocol “glitches” and allows you to set a limit on them. Protocol glitches are HTTP/2 requests that are valid but have potential to cause issues; for example, sending a single header as a large number of CONTINUATION frames could cause a denial of service. You can also track the glitches in a stick table to identify buggy applications or misbehaving clients.
Consistent hash server mapping
- When load balancing using a hash-based algorithm (
balance hash
), HAProxy ALOHA must keep track of which server is which. The newhash-key
directive allows you to specify how the node keys, that is, the hash for each server, are calculated. This applies to node keys where you have sethash-type
toconsistent
. What this means is that if you have multiple instances of HAProxy ALOHA, each with its own list of servers potentially listed in different orders, routing will be consistent across your load balancers when you use the hash-key directive. There are three options forhash-key
:id
: the server’s numericid
if set, or its position in the server listaddr
: the server’s IP addressaddr-port
: the server’s IP address and port
Memory limit
- The memory limiting mechanism now uses
RLMIT_DATA
instead ofRLIMIT_AS
, which prevents an issue where the processes were reaching out-of-memory conditions below the configured limit when using-m <limit>
to limit the total allocatable memory to a specified number of megabytes across all processes. In master-worker mode, the memory limit is applied separately to the master and its forked worker process, as memory is not shared between processes.
Unix sockets and namespaces
- This version supports the
namespace
argument for UNIX sockets specified onbind
andserver
lines. If a permissions issue arises, HAProxy ALOHA will log a permissions error instead of “failed to create socket”, since the capabilitycap_sys_admin
is required for using namespaces for sockets.
gRPC
- Prior to this version, cancellations, which are represented as RST_STREAM frames in HTTP/2 or as STOP_SENDING frames in HTTP/3, were not being properly relayed to the server. This has been fixed. Furthermore, this version adds new fetch methods that indicate whether the stream was canceled (aka aborted) and the error code.
Silence warnings on deprecated directives
- If you want to use deprecated directives and silence warnings, you must also use the new
expose-deprecated-directives
global directive. This directive applies to deprecated directives that don’t have alternative solutions.
Emergency memory allocation
- The mechanism for emergency memory allocation in low memory conditions has been improved for HTTP/1 and applets. Forward progress in processing is guaranteed as tasks are now queued according to their criticality and which missing buffer they require.
Virtual and optional ACL and Map files
- HAProxy ALOHA now supports virtual ACL and virtual map files.
- A virtual file doesn’t exist on disk and exists only in memory. The load balancer creates it as an in-memory representation during startup. Virtual files will not persist after restarting the load balancer.
- When you mark a file as optional, the load balancer will check for it on the filesystem, but if it doesn’t find it, it will assume that the file is virtual. Optional files are useful for allowing startup without a file on disk, but saving the file to disk at a later time for long-term persistence.
- You can use virtual and optional files in cases where you’ll use the Runtime API to dynamically update the values.
Report the key that matched in a map file
- New
map_*_key
converters return the key that was matched, rather than the associated value, making it easier to view the reason why the load balancer rerouted a request or took some other action.
Track specific HTTP errors
- Two global directives
http-err-codes
andhttp-fail-codes
let you specify which HTTP status codes to track when using thehttp_err_cnt
,http_err_rate
,http_fail_cnt
, andhttp_fail_rate
stick table data types.
Stick table pointers
- Prior to this version, you could use the Runtime API to remove or update a record in a stick table based on its key. You can now specify the record’s unique ID (its pointer) instead of its key to update or delete that record. Use the
show table
command to retrieve the pointer.
Set fwmark on packets to clients and servers
- HAProxy ALOHA now supports setting an
fwmark
on connections to backend servers as well as to clients connected on the frontend using theset-fc-mark
andset-bc-mark
actions. These replace theset-mark
action, which had applied only to frontends. Setting anfwmark
on an IP packet classifies it so that, for example, it can use a specific routing table.
Set traffic priority
- New in this version, HAProxy ALOHA can modify the header of an IP packet to include the Differentiated Services (DS) field on connections to backend servers in addition to frontend connections to clients. Use the
set-fc-tos
andset-bc-tos
actions (referring to the old Type of Service header field, which has been superseded by DS).
Weights in log backends
- In this version, you can set weights on server lines in your
mode log
backends.mode log
is used for load balancing the Syslog protocol.
Support for UUIDv7 identifiers
- Generate universally unique identifiers that use the UUIDv7 format by using the
unique-id-format
directive with theuuid
fetch.
Reverse HTTP
- A new directive named
pool-conn-name
provides more flexibility when using reverse HTTP, allowing you to set the name to match with an expression of fetch methods and converters, instead of matching via SNI.
Prometheus
- When configuring the Prometheus exporter, you can include a URL parameter named extra-counters that enables additional counters that provide information related to the HTTP protocol, QUIC, and SSL.
Lua
- Single-threaded Lua scripts using
lua-load
will see a performance improvement from changes to the thread yielding behavior.- Use
tune.lua.forced-yield
to tune the thread yielding behavior. For scripts that uselua-load
, the optimal (and default) value was found to be the maximum of either 500 instructions or 10000 instructions divided by the number of threads. As for scripts loaded usinglua-load-per-thread
, in cases where more responsiveness is required, the value can be lowered from the default of 10000 instructions. In cases where the results of the Lua scripts are mandatory for processing the data, the value can be increased, but with caution, as an increase could cause thread contention.
- Use
- By default HAProxy ALOHA prevents thread and process creation after it starts. This is particularly important executing Lua files of uncertain origin. Generally speaking, it’s a best practice to make sure that no unexpected background activity can be triggered by traffic. However, this may prevent external checks from working, and it may break some very specific Lua scripts which actively rely on the ability to fork.
- In addition, forking from Lua, or anywhere else, is not reliable, as the forked process could embed a lock set by another thread and cause operations to never cease execution. As such, we recommend that you use this option with extreme caution, and that you move any workload requiring such a fork to a safer solution (such as using agents instead of external checks).
QUIC
- The QUIC protocol is supported by default because we’re distributing a QUIC-compatible OpenSSL library with the load balancer package, rather than relying on the library that comes standard with the operating system.
- Two new global settings improve QUIC performance:
- Use
tune.quic.reorder-ratio
to change how quickly HAProxy ALOHA detects outgoing packet losses. Lowering the ratio lowers the number of packets that can be missing ACKs before HAProxy ALOHA takes action. The default value is 50%. - Use
tune.quic.cc-hystart
to enable the use of the HyStart++ (RFC9406) algorithm instead of the Cubic algorithm. The HyStart++ algorithm provides an alternative to the TCP slow start phase of the congestion control algorithm and may show better recovery patterns regarding packet loss.
- Use
Invalid request targets rejected for non-compliant URIs
- Parsing is now more strict during HTTP/1 processing for request target validation. This means that where previously, for compatibility, non-standard-compliant URIs were forwarded as-is for HTTP/1, now some invalid request targets are rejected with a 400 Bad Request error. The following rules now apply:
- The asterisk-form is now only allowed for OPTIONS and OTHER methods. There must now be only one asterisk and nothing more.
- The CONNECT method must have a valid authority-form. All other forms are rejected.
- The authority-form is now only supported for the CONNECT method. Origin-form is only checked for the CONNECT method.
- Absolute-form must have a scheme and a valid authority.
Performance upgrades
- Applets, such as the cache, can also take advantage of the fast forwarding mechanism introduced in version 2.9 for TCP, HTTP/1, HTTP/2, and HTTP/3. This enhancement avoids queuing more data when the mux buffer is full resulting in significantly less memory usage. Disable this behavior using
tune.applet.zero-copy-forwarding
for applets only, ortune.disable.zero-copy-forwarding
globally. In regards to QUIC, simplification of the internal send API resulted in removal of one buffer copy. In regards to QUIC, the fast forwarding now considers the flow control, which reduces the number of thread wakeups and optimizes packet filling. The HTTP/1 mutex now also supports zero-copy forwarding for chunks of unknown size. For example, chunks whose size may be larger than the buffer. - Performance improved for ebtree on non-x86 machines. This results in approximately 3% faster task switching and approximately 2% faster string lookups.
- Configuration parsing time will see an improvement thanks to a change in server name lookups. The lookups now use a tree, which improves lookup time, whereas before the lookup was a linear operation.
- An improvement to traces, made possible by the implementation of near lockless rings, will enable their use on servers with moderate to high levels of traffic without risk of server impact.
- Stick tables have received a performance boost due to a change in the locking mechanism.
- When defining a dynamic server, use of the
enabled
argument is now rejected with an error, whereas previously it was only silently ignored.
Fetch methods
-
New fetch methods introduced in this version expose data that you can use in ACL expressions:
Name Description bc_be_queue
The number of streams de-queued while waiting for a connection slot on the target backend. bc_glitches
The number of protocol glitches counted on the backend connection. bc_nb_streams
The number of streams opened on the backend connection. bc_srv_queue
The number of streams de-queued while waiting for a connection slot on the target server. fc_glitches
The number of protocol glitches counted on the frontend connection. bc_settings_streams_limit
The maximum number of streams allowed on the backend connection. fc_nb_streams
The number of streams opened on the frontend connection. fc_settings_streams_limit
The maximum number of streams allowed on the frontend connection. txn.redispatched
True if the connection has experienced redispatch.
Version 16.0 Jump to heading
Key changes in the HAProxy ALOHA 16.0 release include:
Web Application Firewall
- This version contains a new and improved web application firewall. Now called the HAProxy Enterprise WAF, it utilizes an improved WAF ruleset and engine (called the Intelligent WAF Engine) that has been trained with machine learning. An optional OWASP Core Rule Set compatibility mode exists for anyone who needs it. However, traffic will pass throug the Intelligent WAF Engine first and only traffic marked suspicious will be inspected by the OWASP CRS.
Layer 4 load balancing
-
The LB Layer4 (LVS) tab gained new load balancing algorithms:
weightedoverflow
: The Overflow connection scheduling algorithm implements overflow load balancing according to the number of active connections. It will relay all connections to the server with the highest weight and then overflow to the next server if the number of connections exceeds the server’s weight. Note that this scheduler might not be suitable for UDP because it only uses active connections.weightedfailover
: Connections go to the server with the highest weight value, if it is available, and then to the next highest and so forth. This is a good choice for implementing a simple failover solution.maglevhash
: Google’s Maglev hashing scheduler. It provides consistent hashing, but with minimal disruption, and each destination receives an almost equal number of connections.twoschoice
: This algorithm picks two random servers based on weights and then selects the server with the fewest connections, normalized by weight.
Better isolation of admin services
-
To make it easier to segregate administrative services onto a separate subnet, some services now support specifying the network interface on which to run. The new
@iface
keyword is available for the following services:- collectd
- httpd
- notify
- ntpd
- snmpd
- sshd
- syslog
Upgraded kernel
- This version upgrades ALOHA’s Linux kernel to version 6.1.
Performance upgrades
- The latest HTTP implementation in HAProxy Enterprise uses less memory and is 40-60% more CPU-efficient for large data transfers. This is due to faster recyling of buffers, which makes zero-copy forwarding operations more likely. To disable this, set the global directive
tune.disable-zero-copy-forwarding
. - The locking code got an upgrade, leading to a performance gain of 2-4% on x86 systems and 14-33% on Arm systems.
- Measures to reduce contention on shared pools improved performance for HTTP/2 and HTTP/3. The HTTP/2 request rate improved from 1.5M to 6.7M requests/second on 80 threads without the shared cache, and from 368k to 4.7M requests/second with the shared cache.
- In the
log-forward
section, the lock used in the part of the code related to updating the log server’s index during sampling has been replaced with atomic operations to reduce bottlenecks and facilitate ~4x faster log production. - Improvements to the caching storage mechanism to reduce its lock contention on large systems allow it to scale much more linearly with threads.
- QUIC now uses less memory by releasing resources associated with connections winding down earlier. This improves performance at the termination of a connection when there’s no data left to send.
- The
http-request set-map
,http-response set-map
, andhttp-after-response set-map
directives perform better in this version. The improvement comes from the search reference now being implemented as a tree, making map updates more efficient. - Thread locking code for stick tables was refined by disentangling lookups from peer updates, and improving some undesired cache line sharing.
Health checks
- Health checks, which in version 15.0 were changed to run on a single thread for better performance, are now more proactive about handing off work to a less busy thread. The new global directive
tune.max-checks-per-thread
lets you set the number of active checks per thread, above which the thread will try to offload the work. The health check thread will also try to find an existing TLS session to the backend server if it doesn’t have one. - The
external-check
directive has a newpreserve-env
argument that will preserve environment variables.
Syslog load balancing
- A new load balancing
mode
calledlog
enables you to load balance syslog servers in abackend
. Backends with this mode support syslog over UDP. Consult the [balance] (https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#balance) directive documentation to see which load balancing algorithms are allowed.
QUIC
- On each
bind
line, you can now set whether QUIC connections should share a listener socket or allocate their own. Set thequic-socket
argument to eitherconnection
(dedicated socket per connection) orlistener
(shared listener socket). Previously, you could only configure this behavior at the global level withtune.quic.socket-owner
. The default value isconnection
, which performs the best, but some systems don’t support it. - This version adds new performance-tuning directives that change the size of the receive and send buffers:
tune.rcvbuf.backend
,tune.rcvbuf.frontend
,tune.sndbuf.backend
,tune.sndbuf.frontend
. - The global directive
maxsslconn
, which sets the maximum, per-process number of concurrent TLS connections, now applies to QUIC connections. - QUIC connections are now counted in
maxconn
at their allocation time. Previously, they had been counted only after handshake completion.
Connection handling
- The
backlog
directive now limits the number of concurrent handshakes and connections waiting to be accepted. - The new
timeout client-hs
directive applies to handshakes on TCP, HTTP/1, and HTTP/2. It prevents handshakes from running too long. It defaults to the value oftimeout client
.
TLS
- You can now specify
sigalgs
andclient-sigalgs
onserver
lines in abackend
. The first argument,sigalgs
, determines allowed signature algorithms for a TLS handshake. The second,client-sigalgs
, determines allowed signature algorithms for client certificate authentication. You can also set these globally with the directivesssl-default-server-sigalgs
andssl-default-server-client-sigalgs
. - The
server
directive has a newcurves
argument for setting elliptic curves to use when sending theClientHello
message to a backend server during a TLS handshake. You can also set this globally for all servers with thessl-default-server-curves
directive.
Reverse HTTP
- A new, experimental feature named Reverse HTTP facilitates a two-tier load balancer architecture, where the first HAProxy Enterprise tier initiates a connection to the second HAProxy Enterprise tier. The second tier load balancer then converts the connection to be bidirectional and allows client traffic to pass over that connection. For example, an edge load balancer can accept connections from data center load balancers and then, once established, begin sending client traffic over those connections to the data centers. This is in contrast to the traditional way of configuring backend servers, which is via a static list of server addresses. Instead, this allows a load balancer to self-register itself as an available server within the backend.
Load balancing
- When you set the
balance
directive to the hash-based algorithmhash
, you can then provide a fetch method to calculate the hash key with the utmost flexibility. This verison introduces the ability to sethash-type
tonone
, allowing you to disable the built-in hash function and manually hash the key using a converter.
Proxy Protocol
-
This version expands support for the Proxy Protocol’s Type-Length-Value (TLV) fields, which let you attach custom data to the Proxy Protocol header. In this version of HAProxy Enterprise, you can:
- set new TLVs by adding the
set-proxy-v2-tlv-fmt
argument on aserver
line. - use the
fc_pp_tlv
fetch method to extract TLVs from the protocol header. - use
set-proxy-v2-tlv-fmt
to forward TLVs you receive withfc_pp_tlv
.
- set new TLVs by adding the
Caching
- The cache can differentiate cached objects if they have the
Vary
HTTP header. However, until now, you could only vary on theAccept-Encoding
andReferer
headers. This version adds support for varying on theOrigin
header to support caching CORS responses correctly.
Lua
-
HAProxy ALOHA 16.0 adds these Lua features:
- A new function named
core.get_var(var_name)
returnsproc
scoped variables. The oldertxn:get_var(var_name)
returnstxn
scoped variables. - The
httpclient
class now supports aretries
field, which sets the number of times to retry a failed request. - The
httpclient
class now supports atimeout.connect
field for setting the maximum time to wait for establishing a connection, in milliseconds. It defaults to 5 seconds. - The
core.register_action
now supportshttp-after-res
. - Setting the new global directive
tune.lua.log.loggers
toon
enables sending log messages from your Lua script to the loggers you’ve configured withlog
lines. Setting it tooff
disables the logging. The default value ison
. - Setting
tune.lua.log.stderr
toon
will sendlog
messages tostderr
. When set toauto
, logging tostderr
occurs whentune.lua.log.loggers
is set tooff
or when there’s no proxy-level logger assigned, such as for Lua tasks that run in the background. The default value isauto
.
- A new function named
HTTP protocol
- Two new directives,
option accept-invalid-http-request
andoption accept-invalid-http-response
, enable the load balancer to accept some invalid characters in URIs that it normally wouldn’t, such as the hash mark (#
).
Converters
-
This version adds the following converters:
Name Description ms_ltime
Same as ltime
but takes input in milliseconds.ms_utime
Same as utime
but takes input in milliseconds.us_ltime
Same as ltime
but takes input in microseconds.us_utime
Same as utime
but takes input in microseconds. -
The
bytes
converter now accept variables for its offset and length arguments, which makes it easier to work with the TLV fields in the Proxy Protocol, since they have variable lengths. -
The
json_query
converter now supports parsing JSON arrays.
Fetch methods
-
This version adds the following fetch methods:
Name Description acl
Evaluates up to 12 named ACLs separated by commas and returns a boolean result. pid
Returns the process ID of the current process, which is usually the worker process. act_conn
Returns the total number of active, concurrent connections on the process. bytes_in
Returns the number of bytes uploaded from the client to the load balancer. bytes_out
Returns the number of bytes transmitted from the load balancer to the client. accept_date
Returns the exact date when the connection was received by the load balancer. request_date
Returns the value for the exact date when the load balancer received the first byte of the HTTP request. fc.timer.handshake
Returns the time spent accepting the TCP connection and executing handshakes and is equivalent to %Th
.fc.timer.total
Returns the total session duration time and is equivalent to %Tt
.req.timer.idle
Returns the idle time before the request and is equivalent to %Ti
.req.timer.hdr
Returns the time spent waiting to get the client’s request and is equivalent to %TR
.req.timer.tq
Returns the sum of %Th
,%Ti
and%TR
and is equivalent to%Tq
.req.timer.queue
Returns the time spent queued and is equivalent to %Tw
.bc.timer.connect
Returns the time spent establishing a connection to the backend server and is equivalent to %Tc
.res.timer.data
Returns the time spent transferring the response payload to the client and is equivalent to %Td
.res.timer.hdr
Returns the time spent waiting for the server to send a full response and is equivalent to %Tr
.txn.timer.user
Returns the estimated time as seen by the client and is equivalent to %Tu
.txn.timer.total
Returns the active time for the HTTP request and is equivalent to %Ta
.req.cook_names
Returns the names of all cookies in requests. res.cook_names
Returns the names of all cookies in responses. ssl_bc_curve
Retrieves the name of the curve used in the key agreement when the outgoing connection was made over an SSL/TLS transport layer. ssl_fc_curve
Retrieves the name of the curve used in the key agreement when the incoming connection was made over an SSL/TLS transport layer. cur_client_timeout
Retrieves the value in milliseconds for the currently configured client timeout. fc_pp_tlv
Returns the TLV value for a given TLV ID. This fetch may be useful in detecting errors related to duplicate TLV IDs.
Version 15.5 Jump to heading
Key changes in the HAProxy ALOHA 15.5 release include:
PacketShield QUIC support
- PacketShield received an update that allows it to protect HTTP/3 traffic over the QUIC protocol. QUIC is a UDP-based protocol.
Email alerts as a Lua module
- The mailers feature, which lets you send email alerts about the load balancer, has been ported to be a Lua module. The benefit to you is the ability to edit the Lua code to suit your needs, such as to customize the alert messages that the load balancer produces. To enable it, load the mailers Lua module using the
lua-load
directive in theglobal
section.
Lua updates
- A new event framework allows Lua modules to subscribe to some load balancer events and execute event handler functions. Events you can subscribe to include when servers are added, deleted, or go up or down. Use the function
Server.event_sub
to subscribe to events. - A new
core.queue
function lets you create a first-in first-out data structure in Lua. - The
Server
class gained new functions for accessing information about backend servers, including getting the server’s name (get_name
), the number of active sessions (get_cur_sess
), the number of pending connections (get_pend_conn
), and other functions. - A new global directive named
tune.lua.burst-timeout
terminates the Lua process if it exceeds the timeout value without ever yielding execution back to the load balancer. A well-behaved Lua module will yield execution on the current thread back to the load balancer during long-running tasks, to be continued later. - The Lua’s HTTP client that ships with the load balancer is able to resolve DNS hostnames thanks to a default
resolvers
section invisibly added to the configuration. If you do not use the HTTP client in Lua, then you can disable this by setting the new global directivehttpclient.resolvers.disabled
toon
.
HTTP compression
- The HTTP compression directives have an updated syntax that allows you to compress both responses and requests. For example, you can now compress requests that contain JSON messages before relaying them to backend servers. See the
compression direction
,compression algo-req
,compression algo-res
,compression type-req
, andcompression type-res
directives.
TLS signing algorithms and curves
- The new global directives
ssl-default-bind-client-sigalgs
andssl-default-bind-sigalgs
, as well as the newbind
argumentsclient-sigalgs
andsigalgs
let you list the TLS signing algorithms the load balancer will use or accept during a TLS handshake and during validating a client certificate. - The
curves
argument, which sets a list of elliptic curve algorithms negotiated during the TLS handshake, is now available on theserver
anddefault-server
lines.
Default ALPN values
- You no longer need to specify
alpn h2
on abind
line to enable HTTP/2. This is now the default value and will fall back to HTTP/1.1 if the client does not support HTTP/2. Also,bind
lines that use the QUIC protocol will default to having analpn
argument set toh3
for HTTP/3.
HTTP Forwarded header
- The new directive
option forwarded
will add aForwarded
header to HTTP requests, passing the client’s IP address to backend servers. This is the successor to the non-standardX-Forwarded-For
header. New converters let you validate and read the header:rfc7239_is_valid
,rfc7239_field
,rfc7239_n2nn
, andrfc7239_n2np
.
Configurable sticky counters
- The new global directive
tune.stick-counters
lets you increase the number of stick table sticky counters, which had previously been a built-in constant set to 3.
HTTP actions
- The
http-after-response
directive gained an expanded set of actions, includingset-map
,sc-add-gpc
,set-log-level
, and others. - All action directives now support the
sc-add-gpc
action.
HTTP/2 tuning options
- New global directives enable tuning the HTTP/2 protocol. They include
tune.h2.be.initialize-window-size
,tune.h2.be.max-concurrent-streams
,tune.h2.fe.initial-window-size
,tune.h2.fe.max-concurrent-streams
,tune.h2.initial-window-size
andtune.h2.max-concurrent-streams
.
Listener shards
- The new global directive
tune.listener.default-shards
simplifies setting shards. Sharding is a feature for servers with a high number of threads that makes it easier to replicate abind
line to create multiple listeners and assign worker threads to the listeners. The goal is to reduce thread contention. You can set the directive to a number of shards, to the valueby-thread
, or to the valueby-group
. Settingby-group
is especially convenient since you can then group threads and assign them together to a listener, and so this is the default setting.
Other performance tuning options
- The
bind
line’scpu-map
argument, which associates threads with CPUs, now accepts a list, delimited by commas. - The
bind
line’sthread
argument can now be set to a comma-delimited list of thread ranges instead of just a single range. - The new global directive
tune.listener.multi-queue
controls how work is distributed to threads assigned to a listener. A value ofon
, which is the default, passes work to the least busy thread. A value offair
passes work in a round-robin rotation. - The new global directive
tune.memory.hot-size
allows you to set the amount of memory kept hot in the local cache, but the default value of 512 KB should be sufficient for most.
HTTP request body and URL parameters
- The
req.body_param
,url_param
, andurlp_val
fetch methods now accept an additional argument that enables case-insensitive matching of parameters, which makes it easier to configure the load balancer’s behavior to agree with the web server’s behavior. Also, a new converter namedparam
extracts name-value parameters from a string while letting you set the delimiter used between parameters.
Round-trip time
- The new fetch methods
bc_rtt
andbc_trrvar
return the round-trip time between the load balancer and a backend server. You can configure them to return values in milliseconds or microseconds.
Preprocessor directives
- This version introduces two new preprocessor functions. The
strstr
function returnstrue
if the inspected string contains a given string. Theenabled
function returnstrue
if the given option is enabled at runtime.
Proxy Protocol
- Proxy Protocol v2 has been updated in this version to allow the load balancer to extract extra information from the Proxy Protocol header when a TCP connection is established on the frontend. The new fetch method
fc_pp_tlv
supports extracting a TLV (Type-Length-Value) from the protocol header.
Version 15.0 Jump to heading
Key changes in the HAProxy ALOHA 15.0 release include:
HTTP/3 over QUIC
- This version adds support for the HTTP/3 protocol over QUIC.
TLS
- The
bind
directive’sca-ignore-err
andcrt-ignore-err
arguments, which let you list TLS errors to ignore, now accept human-readable names in addition to numeric IDs. Refer to the OpenSSL list of error codes to see which values are available.
Lua
- You can now pass optional arguments to your custom Lua scripts from within your L7 configuration file. The
lua-load
andlua-load-per-thread
directives accept one or more arguments after the first argument, which is always the script’s filepath. Then, in your script use the built-intable.pack(...)
function with an ellipsis as its argument to collect arguments into a variable of type table.
Multithreading
- A new global directive named
thread-group
lets you place a range of threads into a group. Once in a group, you can assign those threads to a listening address by adding thethread
argument to abind
line in afrontend
orlisten
section. On servers with many CPU cores and thus many threads, allocating a subset of threads to handle connections like this can improve performance by reducing the number of threads competing for work. You can define up to 64 thread groups, each including up to 64 threads. - A new global directive named
thread-groups
lets you set the number of thread groups to create and HAProxy ALOHA will divide the threads available on your server into that number of groups. The maximum number is 64.
Converters
-
This version adds the following converters:
Name Description table_expire(<table>[,<default_value>])
Returns the remaining time before a given key will expire in the stick table, as well as how long ago a given key was last seen. table_idle(<table>)
Returns the time the given key has remained idle since the last time it was updated. host_only
Converts a string that contains a Host header value and removes its port. port_only
Converts a string that contains a Host header value and returns only its integer port. x509_v_err_str
Converts a numerical value to its corresponding X509_V_ERR constant name, which is useful for setting ACL expressions based on different client certificate errors (expired certificate, revoked certificate, etc.).
Performance upgrades
- Server health checks, which run at an interval, now fire on the same thread exclusively rather than allowing any available thread to perform the task. This has reduced latency by decreasing competition among threads.
- Stick tables became more efficient by changing the type of lock used to restrict multiple threads from accessing a table simultaneously. By revising internal code to use a read-write lock, which allows multiple threads to read from the table simultaneously, but allows only one thread to write, performance improved.
- The integrated HAProxy reduces latency by more aggressively using idle connections when sending HTTP requests to backend servers. If you leave the defaults, or if you manually set the
http-reuse
directive in a backend to safe, reusing idle connections is enabled and you are choosing the safest mode. That is, a client’s first HTTP request will be dispatched to a backend server on a new thread guaranteed to not be closed, and only subsequent requests will use idle connections, which have the risk of closing unexpectedly. In this release, as long as you have also set theretry-on
directive in that backend to retry the connection in case of failure, HAProxy Enterprise will use an idle connection for a client’s first request too. Setretry-on
to include conn-failure, empty-response, and response-timeout.
Deprecated keywords
- The
bind-process
directive has been removed. - The
process
argument on abind
line has been removed.
Version 14.5 Jump to heading
Key changes in the HAProxy ALOHA 14.5 release include:
Advanced WAF
- New match zones,
$COOKIES_VAR
and$COOKIES_VAR_X
allow rules to match violations found in specific HTTP cookies, complementing the less specific$HEADERS_VAR
and$HEADERS_VAR_X
match zones. - A new variable,
txn.<filter>.wlcnt
returns the number of disabled rules that would have matched the current request. - The
filter waf
line now supports a parameter namedlog-wl
that includes disabled WAF rule violations in extended logs. - The
filter waf
line now supports a parameter namedlog-ext-nonzero
that enables extended logs only when the violated rule had a non-zero score or triggered an immediate action, cutting down on noise in the logs. - The
filter waf
line now supports a parameter namedtable-categorized
that prefixes entries in the violated rules stick table with the category of the violated rule. - The
filter waf
line’sbody-limit
parameter defaults to the global optionwaf-body-limit
, which now defaults totune.bufsize
rather than the compile-time value ofBUFSIZE
.
ModSecurity WAF
- To associate WAF logs with load balancer logs, you could already use the unique identifier that ModSecurity creates by referencing the
txn.<filter>.unique_id
variable, appending it to your load balancer logs. Now, you can define a different unique ID format by setting theuse-unique-id-format
parameter on thefilter modsecurity
line and then defining a new format with theunique-id-format
directive. - A new parameter
use-vars
on thefilter modsecurity
line disables ModSecurity from denying suspicious requests and delegates that to the load balancer. A variable namedtxn.<filter>.block
returns true when the WAF would have denied the request. You can read this variable and then decide on a response policy to enforce. Other variables that support this includetxn.<filter>.error
,txn.<filter>.status
, andtxn.<filter>.url
.
Traffic shaping
- New directives,
filter bwlim-in
andfilter bwlim-out
, support limiting upload and download speeds for clients. Set bandwidth limits that apply per HTTP stream or to all streams associated with a stick table entry, such as to set a limit per client IP address or per backend application.
Load balancing
- A generic load balancing algorithm named
hash
was introduced and serves as a replacement for the more specificsource
,uri
,url_param
, andrdp-cookie
algorithms. It accepts a fetch method as a parameter, which indicates the data used to calculate the hash.
TLS and mTLS
- When you enable client certificate authentication with the
verify required
parameter on abind
line, you must also specify theca-file
parameter, which indicates the CA certificate used to verify the client’s certificate. Now,ca-file
accepts a path to a directory of CA certificates. - Similarly, in a
backend
, you can set theca-file
parameter on aserver
line to verify the backend server’s TLS certificate against a known CA. Thisca-file
parameter now accepts a path to a directory of certificates or you can set it to@system-ca
to load your system’s list of trusted CAs.
Lua
- The Lua programming language integration gained the
CertCache
class, which lets you update an SSL certificate in the load balancer’s runtime memory. - The Lua
httpclient
class, which lets you make non-blocking HTTP calls, now supports adst
parameter and atimeout
parameter. The former sets the destination address and the latter sets atimeout server
value. New global directives support this:httpclient.ssl.ca-file
,httpclient.ssl.verify
,httpclient.ssl.resolvers.id
, andhttpclient.resolvers.prefer <ipv4|ipv6>
.
Fetches and converts
- New fetches have been added:
last_rule_file
, which returns the name of the configuration file (e.g.HAProxy Enterprise-lb.cfg
) that contains the last line processed during stream analysis, andlast_rule_line
, which returns the line number. Use this to locate thehttp-request deny
line that stopped a request, for example. - A new converter has been added:
add_item
, which concatenates strings with a delimiter between them, such as a semicolon.
Other keyword changes
- The
set-var
directives, such ashttp-request set-var
, now accept a second parameter to only set the variable if a condition is true. Conditions include:ifexists
,ifnotexists
,ifempty
,ifnotempty
,ifset
,ifnotset
,ifgt
,iflt
. For example, to set the variable only if it has not already been set:http-request set-var(txn.myvariable,ifnotset) req.hdr(X-MyValue)
.
Performance upgrades
- Performance optimizations were made to the task scheduler, connection dequeueing, and connection stream code.
Version 14.0 Jump to heading
The changes in this release focus on two major features: Global server load balancing (GSLB) and the Advanced Web Application Firewall.
You can now run ALOHA as a DNS server and enable GSLB to load balance traffic across multiple datacenters. DNS records will direct clients to the datacenter closest to them or to the one that is reporting as healthy.
The Advanced WAF is an alternative to the ModSecurity WAF and provides a stricter set of rules, which requires more tuning to allow valid traffic through, but has a better requests-per-second throughput.
- Upgraded to HAProxy Enterprise 2.5r1.
- Added the ability to run ALOHA as a DNS server for global server load balancing.
- Added a new WAF mode called Advanced WAF that you can use instead of ModSecurity.
Version 13.5 Jump to heading
Key changes in the HAProxy ALOHA 13.5 release include:
- Upgraded to HAProxy Enterprise 2.4r1.
- Added a command-line interface that you can access from the web UI.
- The virtual appliance images now have a bigger disk > 8GB.
- Web UI warnings are now also printed when logging with SSH or the console.
Version 13.0 Jump to heading
Key changes in the HAProxy ALOHA 13.0 release include:
- Kernel updated to 4.19.189.
- Upgrade to HAProxy Enterprise 2.3r1.
- Additional management components, including the Dataplane API.
- Additional security components, including ModSecurity WAF.
- Graphical file manager in the WUI.
curl
utility on the CLI.- Update to latest Update module
- Upgrade to latest Antibot module.
- Upgrade to latest Fingerprint module.
- Custom routing table target on the flowmgr flow manager.
- 8k maximum message length to on syslog.
- OpenSSL 1.1.1k.
- Better compliance with container environments (additional signals handled in
sysvinit
).
Version 12.5 Jump to heading
Key changes in the HAProxy ALOHA 12.5 release include:
- Kernel updated to 4.19.155.
- Upgrade to HAProxy Enterprise 2.2r1.
- RADIUS authentication is now supported.
- Prometheus exporter now available.
- Licenses are now autosaved on upload.
- Update to latest Update module.
- Upgrade to latest Antibot module
- Obsolete ALOHA image
aloha-albevalonly-vmplayer.zip
. timeout
command from coreutils is now available.- VRRP information has been added to the tech support output.
- Tech support process output improved.
Version 12.0 Jump to heading
Key changes in the HAProxy ALOHA 12.0 release include:
- Kernel updated to 4.19.123.
- Upgrade to HAProxy Enterprise 2.1r1.
- Removal of the deprecated
lb-sanitize
module. - Support for SSO SAML.
- Support for USB3 (XHCI) on the ALB 5300.
Inotify
kernel support.
Version 11.5 Jump to heading
Key changes in the HAProxy ALOHA 11.5 release include:
- Support of SNMP v3.
- Upgrade to HAProxy Enterprise 2.0r1.
- All fixes and features from ALOHA v11.0.7.
- Support of new hardware for model ALB5300.
Version 11.0 Jump to heading
Major features in ALOHA 11.0 include an upgrade to HAProxy Enterprise 1.9r1 which comprises the following new and improved functionalities:
- End-to-end HTTP/2 support.
- gRPC support.
- Connection pooling to backends.
- Connection multiplexing to backends.
- Improved threading.
- Automatic threading configuration.
- Cache Improvements (supports objects of 2GB).
- Server Queue Priority Control.
- Random Load Balancing Algorithm, which supports configurable draw which can be used for Power of Two Random Choices Load Balancing.
- Early Hints (HTTP 103) and Misdirected Request (HTTP 421) support.
- Runtime API improvements.
- New fetches.
- New Converters.
- System Components version upgrades.
- Upgrade all components with an OpenSSL dependency to be compliant with v1.1.0b (OpenSSL 1.0.2 was removed).
- Keepalived upgraded to 1.4.5.
- Automatic network configuration using VMWare OVF properties (VA only).
Version 10.5 Jump to heading
New and/or improved features to ALOHA 10.5 include:
-
LDAP support which allows authentication of users against a remote LDAP server on CLI/WUI.
-
Configurable access type per user.
-
Use of PAM for authentication.
-
Upgrade to HAProxy Enterprise 1.8r2.
-
Security:
- Update to OpenSSL 1.1.1a support for Layer7 SSL offloading.
- Update to OpenSSL 1.0.2q to fix latest CVEs.
-
Kernel update to latest 4.9 mainline version.
-
PacketShield: Use of hardware acceleration to compute a secure hash for SYN cookies.
-
Rework of CPU mapping to support
nbproc
ornbthread
equal to max CPU (setting to half of available CPU still offers the best balanced performances).
Version 10.0 Jump to heading
HAProxy ALOHA 10.0 brings the following improvements:
Latest version of HAProxy Enterprise
- Upgrade to HAProxy Enterprise 1.8r1.
HTTP/2 Protocol Support
- HAProxy Enterprise now supports HTTP/2 on the client side (i.e. the front-end sections) and can act as a gateway between HTTP/2 clients and your HTTP/1.1 and HTTP/1.0 applications.
Multi-threading Model
- The multi-threading model is a feature that allows HAProxy to start multiple threads within a single process.
Server-template Configuration Directive
- The
server-template
configuration directive allows you to instantiate a number of placeholder backend servers in a single configuration line, instead of having to add tens or hundreds of configuration lines explicitly.
Dynamic Cookies
- A new keyword
dynamic
for the directivecookie
now exists to enable cookie-based application persistence.
SSL/TLS Mode Async
- The OpenSSL library version 1.1.0 and above supports asynchronous I/O operations. This means that the key computation phase (the heaviest part of the TLS protocol) can be run in a non-blocking way in HAProxy.
New Sample Fetches
- HAProxy Enterprise can extract data from traffic passing through it. We call these functions “sample fetches”. More information about sample fetches can be found under “Fetching Data Samples” in the HAProxy Enterprise documentation.
Version 9.5 Jump to heading
HAProxy ALOHA 9.5 brings the following improvements:
Major Features
- Upgrade to HAProxy Enterprise 1.7r2.
- Single-Sign-On (SSO) Module.
- DNS for Service Discovery.
- Small Object Caching.
Monitoring
- Support of collectd’s statistics export protocol.
SSL/TLS
- Upgrade to openssl-1.1.1 with tls1.3 pending support.
- Enhanced asymmetric performances using multi-CPU engine.
Version 9.0 Jump to heading
HAProxy ALOHA 9.0 is now powered by HAProxy Enterprise 1.7r1, and brings the following improvements:
Major Features
- Upgraded to HAProxy Enterprise 1.7r1.
- PCRE JIT support.
- Namespace support.
- DNS improvements.
- Server:
init-addr
indicates the order to resolve the server’s adress upon startup. The methodnone
indicates specifically that the server should start without any valid IP address in a down state. - New
srv_admin
flag:SRV_ADMF_RMAINT
. - Listener:
accept-netscaler-cip
option added to thebind
keyword. - Added
tcp-request connection expect-netscaler-cip layer4
. - Log format: error management improvements.
SSL/TLS
- Upgrade to openssl-1.1.0 for LB Layer7 SSL offloading.
lb-update
support for TLS session ticket keys.
Route Health Injection
- Upgraded route injection daemon to support newest features.
VRRP
- Upgraded VRRP daemon.
Miscellaneous
- Upgrade to Linux kernel 4.9.
- Automatic flash’s partitions resizing during upgrade.
- New models support: ALB5200 and ALB3200.
New fetches
fe_name
be_name
fc_rcvd_proxy
xx-hash converters
Command Line Interface
show cli sockets
lists the CLI sockets.show stat
now supports a proxy name.show errors
now supports a proxy name; now also capable of dumping only request or response.RMAINT
state remains when setting an IP address on the CLI.
LUA Scripting
- CLI handler for LUA.
- Allow argument for actions.
- HAProxy now has variable access to the applets.
- Function that returns true if the channel is full.
- IP addresses and network manipulation.
- Utility to check for a boolean argumentA tokenize function.
Version 8.5 Jump to heading
HAProxy ALOHA 8.5 brings the following improvements:
New Features
- Powered by HAProxy 1.6r2.
- TCP layer statistics are available in the form of new sample fetches (
rtt
,rtt variance etc
,retransmits
,losses
, etc.). - New
dst_is_local
,src_is_local
sample fetches make it easier to handle locally initiated connections in contrast to remote connections. - The peers protocol was updated to version 2.1 with support for synchronization of expiration dates.
- CLI keyword registration to allow modules to plug-in on the command line and receive actions (example:
refresh now
). - Ability to disable
SO_REUSEPORT
with a new bind directive:noreuseport
. - New possibilities for accessing load balancer internals with LUA.
- Idle time in logs is now ignored by default for time measurements, so that HTTP request time corresponds to the time elapsed between the first character and the full request. The handshake time is also available to measure the time spent in SSL/PROXY handshakes.
- Stick-tables now use native types to guarantee better accuracy of tracked information, especially binary keys.
- Mailers now support a configurable connection timeout.
- Changing server address, port and checkport is now possible from the CLI
- New
tcp-request
session rule-sets makes it possible to track some L5-only information; for instance, anything negotiated in the handshake such as SSL DN or the client’s IP address as passed by the PROXY protocol. Previously, it was needed to do it intcp-request content rules
, which would count one new connection event per request. - New stats field for denied connections and denied sessions.
- New
hash-balance-factor
directive forconsis
. - New
tent
hashing method. - New
http-response
ruletrack-sc
.
SSL/TLS
- SNI filters supported in multi-type certificates.
- Support of
lb-update
for TLS session ticket keys.
PacketShield and DDOS protection
- Half-stateful mode for direct server return.
- ICMP rate limiting.
- Geolocalization filtering support.
API REST/JSON
- Support for
tcp-check
rules.
Miscellaneous
- Kernel version Linux 4.4.
- Review partition sizes on flash.
- LUA support added to the load balancer.
- Support for the LVS sync daemon in the init script.
Version 8.0 Jump to heading
HAProxy ALOHA 8.0 brings the following improvements:
New Features
- Powered by HAProxy 1.6r1.
SSL/TLS
- Multi-certificate key type support.
PacketShield and DDOS protection
- IPv6 support.
- Stateful protection for all UDP protocols (SNMP, UPnP, etc.).
- Notification by traps or mail.
- New global counters.
- Ability to manually enable countermeasure.
- Counters available through SNMP.
WUI
- Graphs for PacketShield.
VRRP
- Support of VRRPv3.
- Support of Virtual MAC addresses.
LB Layer7
- New
http-reuse
to share unused server-side connections for multiple clients. - export of HAProxy’s
show info
through SNMP. - Support of double quotes in the configuration.
- DNS resolution of server name at run time.
- GZIP stateless compression.
- Support of variables at run time.
- Stick tables statistics synchronization.
- New hash-type load-balancing algorithm
crc32
. - Redispatch interval.
- Dynamic generation of SSL certificates.
- New map type:
map_regm
to allow matching zones in the regex. - Mathematical converters can use a variable generated at runtime.
New http-request rules
sc-inc-gpc0(<sc-id>)
sc-set-gpt0(<sc-id>) <int>
silent-drop
set-src <expr>
New http-response rules
set-status
set-var(<var-name>) <expr>
sc-inc-gpc0(<sc-id>)
sc-set-gpt0(<sc-id>) <int>
silent-drop
New tcp-request connection rules
sc-inc-gpc0(<sc-id>)
sc-set-gpt0(<sc-id>) <int>
silent-drop
New tcp-response content rules
set-var(<var-name>) <expr>
sc-inc-gpc0(<sc-id>)
sc-set-gpt0(<sc-id>) <int>
silent-drop
New tcp-request content rules
sc-inc-gpc0(<sc-id>)
sc-set-gpt0(<sc-id>) <int>
set-var(<var-name>) <expr>
silent-drop
New converters
capture-req(<id>)
capture-res(<id>)
set-var(<var name>)
table_gpt0(<table>)
New fetches for internal states
bin(<hexa>)
bool(<bool>)
int(<integer>)
ipv4(<ipv4>)
ipv6(<ipv6>)
meth(<method>)
str(<string>)
var(<var-name>)
Layer 4
sc_get_gpt0(<ctr>[,<table>])
sc0_get_gpt0([<table>])
src_get_gpt0([<table>])
Layer 6
req.ssl_st_ext
res.ssl_hello_type
Layer 7
unique-id
Version 7.5 Jump to heading
HAProxy ALOHA 7.5 brings the following improvements:
Major features
- Configuration deployment using templates in the GUI.
- PacketShield, our packet flood protection solution, now also available on Hardware appliances 1G interfaces.
- SYNPROXY module, to use in conjunction with PacketShield to enable protection for LVS and traffic routed through the appliance.
HAProxy Enterprise Improvements
- Faster processing of ACLs by using a match result cache.
- Ability to analyze HTTP requests body (frontend option
option http-buffer-request
). - Faster HTTP gzip compression.
- Traffic capture.
- Comments in
tcp-check
rules. - Server side TLS SNI.
- Server side
tcp-ut
timeout.
New sample fetches
ssl_fc_is_resumed
req.ssl_ec_ext
req.body_param
req.body_len
req.body_size
Additional Diagnostic Tools in GUI tab
- Layer 7 errors
- Layer 7 info
- Tech support
HAProxy Enterprise features through the API
stick-table
,stickreq
,stickrsp
tcp-check
adv-check-http-version
http-request log-level
listener tcp-ut
Do you have any suggestions on how we can improve the content of this page?