HAProxy ALOHA

Release notes

On this page

Version 16.0 Jump to heading

Key changes in the HAProxy ALOHA 16.0 release include:

Web Application Firewall

  • This version contains a new and improved web application firewall. Now called the HAProxy Enterprise WAF, it utilizes an improved WAF ruleset and engine (called the Intelligent WAF Engine) that has been trained with machine learning. An optional OWASP Core Rule Set compatibility mode exists for anyone who needs it. However, traffic will pass throug the Intelligent WAF Engine first and only traffic marked suspicious will be inspected by the OWASP CRS.

Layer 4 load balancing

  • The LB Layer4 (LVS) tab gained new load balancing algorithms:

    • weightedoverflow: The Overflow connection scheduling algorithm implements overflow load balancing according to the number of active connections. It will relay all connections to the server with the highest weight and then overflow to the next server if the number of connections exceeds the server’s weight. Note that this scheduler might not be suitable for UDP because it only uses active connections.
    • weightedfailover: Connections go to the server with the highest weight value, if it is available, and then to the next highest and so forth. This is a good choice for implementing a simple failover solution.
    • maglevhash: Google’s Maglev hashing scheduler. It provides consistent hashing, but with minimal disruption, and each destination receives an almost equal number of connections.
    • twoschoice: This algorithm picks two random servers based on weights and then selects the server with the fewest connections, normalized by weight.

Better isolation of admin services

  • To make it easier to segregate administrative services onto a separate subnet, some services now support specifying the network interface on which to run. The new @iface keyword is available for the following services:

    • collectd
    • httpd
    • notify
    • ntpd
    • snmpd
    • sshd
    • syslog

Upgraded kernel

  • This version upgrades ALOHA’s Linux kernel to version 6.1.

Performance upgrades

  • The latest HTTP implementation in HAProxy Enterprise uses less memory and is 40-60% more CPU-efficient for large data transfers. This is due to faster recyling of buffers, which makes zero-copy forwarding operations more likely. To disable this, set the global directive tune.disable-zero-copy-forwarding.
  • The locking code got an upgrade, leading to a performance gain of 2-4% on x86 systems and 14-33% on Arm systems.
  • Measures to reduce contention on shared pools improved performance for HTTP/2 and HTTP/3. The HTTP/2 request rate improved from 1.5M to 6.7M requests/second on 80 threads without the shared cache, and from 368k to 4.7M requests/second with the shared cache.
  • In the log-forward section, the lock used in the part of the code related to updating the log server’s index during sampling has been replaced with atomic operations to reduce bottlenecks and facilitate ~4x faster log production.
  • Improvements to the caching storage mechanism to reduce its lock contention on large systems allow it to scale much more linearly with threads.
  • QUIC now uses less memory by releasing resources associated with connections winding down earlier. This improves performance at the termination of a connection when there’s no data left to send.
  • The http-request set-map, http-response set-map, and http-after-response set-map directives perform better in this version. The improvement comes from the search reference now being implemented as a tree, making map updates more efficient.
  • Thread locking code for stick tables was refined by disentangling lookups from peer updates, and improving some undesired cache line sharing.

Health checks

  • Health checks, which in version 15.0 were changed to run on a single thread for better performance, are now more proactive about handing off work to a less busy thread. The new global directive tune.max-checks-per-thread lets you set the number of active checks per thread, above which the thread will try to offload the work. The health check thread will also try to find an existing TLS session to the backend server if it doesn’t have one.
  • The external-check directive has a new preserve-env argument that will preserve environment variables.

Syslog load balancing

  • A new load balancing mode called log enables you to load balance syslog servers in a backend. Backends with this mode support syslog over UDP. Consult the [balance] (https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#balance) directive documentation to see which load balancing algorithms are allowed.

QUIC

  • On each bind line, you can now set whether QUIC connections should share a listener socket or allocate their own. Set the quic-socket argument to either connection (dedicated socket per connection) or listener (shared listener socket). Previously, you could only configure this behavior at the global level with tune.quic.socket-owner. The default value is connection, which performs the best, but some systems don’t support it.
  • This version adds new performance-tuning directives that change the size of the receive and send buffers: tune.rcvbuf.backend, tune.rcvbuf.frontend, tune.sndbuf.backend, tune.sndbuf.frontend.
  • The global directive maxsslconn, which sets the maximum, per-process number of concurrent TLS connections, now applies to QUIC connections.
  • QUIC connections are now counted in maxconn at their allocation time. Previously, they had been counted only after handshake completion.

Connection handling

  • The backlog directive now limits the number of concurrent handshakes and connections waiting to be accepted.
  • The new timeout client-hs directive applies to handshakes on TCP, HTTP/1, and HTTP/2. It prevents handshakes from running too long. It defaults to the value of timeout client.

TLS

  • You can now specify sigalgs and client-sigalgs on server lines in a backend. The first argument, sigalgs, determines allowed signature algorithms for a TLS handshake. The second, client-sigalgs, determines allowed signature algorithms for client certificate authentication. You can also set these globally with the directives ssl-default-server-sigalgs and ssl-default-server-client-sigalgs.
  • The server directive has a new curves argument for setting elliptic curves to use when sending the ClientHello message to a backend server during a TLS handshake. You can also set this globally for all servers with the ssl-default-server-curves directive.

Reverse HTTP

  • A new, experimental feature named Reverse HTTP facilitates a two-tier load balancer architecture, where the first HAProxy Enterprise tier initiates a connection to the second HAProxy Enterprise tier. The second tier load balancer then converts the connection to be bidirectional and allows client traffic to pass over that connection. For example, an edge load balancer can accept connections from data center load balancers and then, once established, begin sending client traffic over those connections to the data centers. This is in contrast to the traditional way of configuring backend servers, which is via a static list of server addresses. Instead, this allows a load balancer to self-register itself as an available server within the backend.

Load balancing

  • When you set the balance directive to the hash-based algorithm hash, you can then provide a fetch method to calculate the hash key with the utmost flexibility. This verison introduces the ability to set hash-type to none, allowing you to disable the built-in hash function and manually hash the key using a converter.

Proxy Protocol

  • This version expands support for the Proxy Protocol’s Type-Length-Value (TLV) fields, which let you attach custom data to the Proxy Protocol header. In this version of HAProxy Enterprise, you can:

    • set new TLVs by adding the set-proxy-v2-tlv-fmt argument on a server line.
    • use the fc_pp_tlv fetch method to extract TLVs from the protocol header.
    • use set-proxy-v2-tlv-fmt to forward TLVs you receive with fc_pp_tlv.

Caching

  • The cache can differentiate cached objects if they have the Vary HTTP header. However, until now, you could only vary on the Accept-Encoding and Referer headers. This version adds support for varying on the Origin header to support caching CORS responses correctly.

Lua

  • HAProxy ALOHA 16.0 adds these Lua features:

    • A new function named core.get_var(var_name) returns proc scoped variables. The older txn:get_var(var_name) returns txn scoped variables.
    • The httpclient class now supports a retries field, which sets the number of times to retry a failed request.
    • The httpclient class now supports a timeout.connect field for setting the maximum time to wait for establishing a connection, in milliseconds. It defaults to 5 seconds.
    • The core.register_action now supports http-after-res.
    • Setting the new global directive tune.lua.log.loggers to on enables sending log messages from your Lua script to the loggers you’ve configured with log lines. Setting it to off disables the logging. The default value is on.
    • Setting tune.lua.log.stderr to on will send log messages to stderr. When set to auto, logging to stderr occurs when tune.lua.log.loggers is set to off or when there’s no proxy-level logger assigned, such as for Lua tasks that run in the background. The default value is auto.

HTTP protocol

  • Two new directives, option accept-invalid-http-request and option accept-invalid-http-response, enable the load balancer to accept some invalid characters in URIs that it normally wouldn’t, such as the hash mark (#).

Converters

  • This version adds the following converters:

    Name Description
    ms_ltime Same as ltime but takes input in milliseconds.
    ms_utime Same as utime but takes input in milliseconds.
    us_ltime Same as ltime but takes input in microseconds.
    us_utime Same as utime but takes input in microseconds.

  • The bytes converter now accept variables for its offset and length arguments, which makes it easier to work with the TLV fields in the Proxy Protocol, since they have variable lengths.

  • The json_query converter now supports parsing JSON arrays.

Fetch methods

  • This version adds the following fetch methods:

    Name Description
    acl Evaluates up to 12 named ACLs separated by commas and returns a boolean result.
    pid Returns the process ID of the current process, which is usually the worker process.
    act_conn Returns the total number of active, concurrent connections on the process.
    bytes_in Returns the number of bytes uploaded from the client to the load balancer.
    bytes_out Returns the number of bytes transmitted from the load balancer to the client.
    accept_date Returns the exact date when the connection was received by the load balancer.
    request_date Returns the value for the exact date when the load balancer received the first byte of the HTTP request.
    fc.timer.handshake Returns the time spent accepting the TCP connection and executing handshakes and is equivalent to %Th.
    fc.timer.total Returns the total session duration time and is equivalent to %Tt.
    req.timer.idle Returns the idle time before the request and is equivalent to %Ti.
    req.timer.hdr Returns the time spent waiting to get the client’s request and is equivalent to %TR.
    req.timer.tq Returns the sum of %Th, %Ti and %TR and is equivalent to %Tq.
    req.timer.queue Returns the time spent queued and is equivalent to %Tw.
    bc.timer.connect Returns the time spent establishing a connection to the backend server and is equivalent to %Tc.
    res.timer.data Returns the time spent transferring the response payload to the client and is equivalent to %Td.
    res.timer.hdr Returns the time spent waiting for the server to send a full response and is equivalent to %Tr.
    txn.timer.user Returns the estimated time as seen by the client and is equivalent to %Tu.
    txn.timer.total Returns the active time for the HTTP request and is equivalent to %Ta.
    req.cook_names Returns the names of all cookies in requests.
    res.cook_names Returns the names of all cookies in responses.
    ssl_bc_curve Retrieves the name of the curve used in the key agreement when the outgoing connection was made over an SSL/TLS transport layer.
    ssl_fc_curve Retrieves the name of the curve used in the key agreement when the incoming connection was made over an SSL/TLS transport layer.
    cur_client_timeout Retrieves the value in milliseconds for the currently configured client timeout.
    fc_pp_tlv Returns the TLV value for a given TLV ID. This fetch may be useful in detecting errors related to duplicate TLV IDs.

Version 15.5 Jump to heading

Key changes in the HAProxy ALOHA 15.5 release include:

PacketShield QUIC support

  • PacketShield received an update that allows it to protect HTTP/3 traffic over the QUIC protocol. QUIC is a UDP-based protocol.

Email alerts as a Lua module

  • The mailers feature, which lets you send email alerts about the load balancer, has been ported to be a Lua module. The benefit to you is the ability to edit the Lua code to suit your needs, such as to customize the alert messages that the load balancer produces. To enable it, load the mailers Lua module using the lua-load directive in the global section.

Lua updates

  • A new event framework allows Lua modules to subscribe to some load balancer events and execute event handler functions. Events you can subscribe to include when servers are added, deleted, or go up or down. Use the function Server.event_sub to subscribe to events.
  • A new core.queue function lets you create a first-in first-out data structure in Lua.
  • The Server class gained new functions for accessing information about backend servers, including getting the server’s name (get_name), the number of active sessions (get_cur_sess), the number of pending connections (get_pend_conn), and other functions.
  • A new global directive named tune.lua.burst-timeout terminates the Lua process if it exceeds the timeout value without ever yielding execution back to the load balancer. A well-behaved Lua module will yield execution on the current thread back to the load balancer during long-running tasks, to be continued later.
  • The Lua’s HTTP client that ships with the load balancer is able to resolve DNS hostnames thanks to a default resolvers section invisibly added to the configuration. If you do not use the HTTP client in Lua, then you can disable this by setting the new global directive httpclient.resolvers.disabled to on.

HTTP compression

  • The HTTP compression directives have an updated syntax that allows you to compress both responses and requests. For example, you can now compress requests that contain JSON messages before relaying them to backend servers. See the compression direction, compression algo-req, compression algo-res, compression type-req, and compression type-res directives.

TLS signing algorithms and curves

  • The new global directives ssl-default-bind-client-sigalgs and ssl-default-bind-sigalgs, as well as the new bind arguments client-sigalgs and sigalgs let you list the TLS signing algorithms the load balancer will use or accept during a TLS handshake and during validating a client certificate.
  • The curves argument, which sets a list of elliptic curve algorithms negotiated during the TLS handshake, is now available on the server and default-server lines.

Default ALPN values

  • You no longer need to specify alpn h2 on a bind line to enable HTTP/2. This is now the default value and will fall back to HTTP/1.1 if the client does not support HTTP/2. Also, bind lines that use the QUIC protocol will default to having an alpn argument set to h3 for HTTP/3.

HTTP Forwarded header

  • The new directive option forwarded will add a Forwarded header to HTTP requests, passing the client’s IP address to backend servers. This is the successor to the non-standard X-Forwarded-For header. New converters let you validate and read the header: rfc7239_is_valid, rfc7239_field, rfc7239_n2nn, and rfc7239_n2np.

Configurable sticky counters

  • The new global directive tune.stick-counters lets you increase the number of stick table sticky counters, which had previously been a built-in constant set to 3.

HTTP actions

  • The http-after-response directive gained an expanded set of actions, including set-map, sc-add-gpc, set-log-level, and others.
  • All action directives now support the sc-add-gpc action.

HTTP/2 tuning options

  • New global directives enable tuning the HTTP/2 protocol. They include tune.h2.be.initialize-window-size, tune.h2.be.max-concurrent-streams, tune.h2.fe.initial-window-size, tune.h2.fe.max-concurrent-streams, tune.h2.initial-window-size and tune.h2.max-concurrent-streams.

Listener shards

  • The new global directive tune.listener.default-shards simplifies setting shards. Sharding is a feature for servers with a high number of threads that makes it easier to replicate a bind line to create multiple listeners and assign worker threads to the listeners. The goal is to reduce thread contention. You can set the directive to a number of shards, to the value by-thread, or to the value by-group. Setting by-group is especially convenient since you can then group threads and assign them together to a listener, and so this is the default setting.

Other performance tuning options

  • The bind line’s cpu-map argument, which associates threads with CPUs, now accepts a list, delimited by commas.
  • The bind line’s thread argument can now be set to a comma-delimited list of thread ranges instead of just a single range.
  • The new global directive tune.listener.multi-queue controls how work is distributed to threads assigned to a listener. A value of on, which is the default, passes work to the least busy thread. A value of fair passes work in a round-robin rotation.
  • The new global directive tune.memory.hot-size allows you to set the amount of memory kept hot in the local cache, but the default value of 512 KB should be sufficient for most.

HTTP request body and URL parameters

  • The req.body_param, url_param, and urlp_val fetch methods now accept an additional argument that enables case-insensitive matching of parameters, which makes it easier to configure the load balancer’s behavior to agree with the web server’s behavior. Also, a new converter named param extracts name-value parameters from a string while letting you set the delimiter used between parameters.

Round-trip time

  • The new fetch methods bc_rtt and bc_trrvar return the round-trip time between the load balancer and a backend server. You can configure them to return values in milliseconds or microseconds.

Preprocessor directives

  • This version introduces two new preprocessor functions. The strstr function returns true if the inspected string contains a given string. The enabled function returns true if the given option is enabled at runtime.

Proxy Protocol

  • Proxy Protocol v2 has been updated in this version to allow the load balancer to extract extra information from the Proxy Protocol header when a TCP connection is established on the frontend. The new fetch method fc_pp_tlv supports extracting a TLV (Type-Length-Value) from the protocol header.

Version 15.0 Jump to heading

Key changes in the HAProxy ALOHA 15.0 release include:

HTTP/3 over QUIC

  • This version adds support for the HTTP/3 protocol over QUIC.

TLS

  • The bind directive’s ca-ignore-err and crt-ignore-err arguments, which let you list TLS errors to ignore, now accept human-readable names in addition to numeric IDs. Refer to the OpenSSL list of error codes to see which values are available.

Lua

  • You can now pass optional arguments to your custom Lua scripts from within your L7 configuration file. The lua-load and lua-load-per-thread directives accept one or more arguments after the first argument, which is always the script’s filepath. Then, in your script use the built-in table.pack(...) function with an ellipsis as its argument to collect arguments into a variable of type table.

Multithreading

  • A new global directive named thread-group lets you place a range of threads into a group. Once in a group, you can assign those threads to a listening address by adding the thread argument to a bind line in a frontend or listen section. On servers with many CPU cores and thus many threads, allocating a subset of threads to handle connections like this can improve performance by reducing the number of threads competing for work. You can define up to 64 thread groups, each including up to 64 threads.
  • A new global directive named thread-groups lets you set the number of thread groups to create and HAProxy ALOHA will divide the threads available on your server into that number of groups. The maximum number is 64.

Converters

  • This version adds the following converters:

    Name Description
    table_expire(<table>[,<default_value>]) Returns the remaining time before a given key will expire in the stick table, as well as how long ago a given key was last seen.
    table_idle(<table>) Returns the time the given key has remained idle since the last time it was updated.
    host_only Converts a string that contains a Host header value and removes its port.
    port_only Converts a string that contains a Host header value and returns only its integer port.
    x509_v_err_str Converts a numerical value to its corresponding X509_V_ERR constant name, which is useful for setting ACL expressions based on different client certificate errors (expired certificate, revoked certificate, etc.).

Performance upgrades

  • Server health checks, which run at an interval, now fire on the same thread exclusively rather than allowing any available thread to perform the task. This has reduced latency by decreasing competition among threads.
  • Stick tables became more efficient by changing the type of lock used to restrict multiple threads from accessing a table simultaneously. By revising internal code to use a read-write lock, which allows multiple threads to read from the table simultaneously, but allows only one thread to write, performance improved.
  • The integrated HAProxy reduces latency by more aggressively using idle connections when sending HTTP requests to backend servers. If you leave the defaults, or if you manually set the http-reuse directive in a backend to safe, reusing idle connections is enabled and you are choosing the safest mode. That is, a client’s first HTTP request will be dispatched to a backend server on a new thread guaranteed to not be closed, and only subsequent requests will use idle connections, which have the risk of closing unexpectedly. In this release, as long as you have also set the retry-on directive in that backend to retry the connection in case of failure, HAProxy Enterprise will use an idle connection for a client’s first request too. Set retry-on to include conn-failure, empty-response, and response-timeout.

Deprecated keywords

  • The bind-process directive has been removed.
  • The process argument on a bind line has been removed.

Version 14.5 Jump to heading

Key changes in the HAProxy ALOHA 14.5 release include:

Advanced WAF

  • New match zones, $COOKIES_VAR and $COOKIES_VAR_X allow rules to match violations found in specific HTTP cookies, complementing the less specific $HEADERS_VAR and $HEADERS_VAR_X match zones.
  • A new variable, txn.<filter>.wlcnt returns the number of disabled rules that would have matched the current request.
  • The filter waf line now supports a parameter named log-wl that includes disabled WAF rule violations in extended logs.
  • The filter waf line now supports a parameter named log-ext-nonzero that enables extended logs only when the violated rule had a non-zero score or triggered an immediate action, cutting down on noise in the logs.
  • The filter waf line now supports a parameter named table-categorized that prefixes entries in the violated rules stick table with the category of the violated rule.
  • The filter waf line’s body-limit parameter defaults to the global option waf-body-limit, which now defaults to tune.bufsize rather than the compile-time value of BUFSIZE.

ModSecurity WAF

  • To associate WAF logs with load balancer logs, you could already use the unique identifier that ModSecurity creates by referencing the txn.<filter>.unique_id variable, appending it to your load balancer logs. Now, you can define a different unique ID format by setting the use-unique-id-format parameter on the filter modsecurity line and then defining a new format with the unique-id-format directive.
  • A new parameter use-vars on the filter modsecurity line disables ModSecurity from denying suspicious requests and delegates that to the load balancer. A variable named txn.<filter>.block returns true when the WAF would have denied the request. You can read this variable and then decide on a response policy to enforce. Other variables that support this include txn.<filter>.error, txn.<filter>.status, and txn.<filter>.url.

Traffic shaping

  • New directives, filter bwlim-in and filter bwlim-out, support limiting upload and download speeds for clients. Set bandwidth limits that apply per HTTP stream or to all streams associated with a stick table entry, such as to set a limit per client IP address or per backend application.

Load balancing

  • A generic load balancing algorithm named hash was introduced and serves as a replacement for the more specific source, uri, url_param, and rdp-cookie algorithms. It accepts a fetch method as a parameter, which indicates the data used to calculate the hash.

TLS and mTLS

  • When you enable client certificate authentication with the verify required parameter on a bind line, you must also specify the ca-file parameter, which indicates the CA certificate used to verify the client’s certificate. Now, ca-file accepts a path to a directory of CA certificates.
  • Similarly, in a backend, you can set the ca-file parameter on a server line to verify the backend server’s TLS certificate against a known CA. This ca-file parameter now accepts a path to a directory of certificates or you can set it to @system-ca to load your system’s list of trusted CAs.

Lua

  • The Lua programming language integration gained the CertCache class, which lets you update an SSL certificate in the load balancer’s runtime memory.
  • The Lua httpclient class, which lets you make non-blocking HTTP calls, now supports a dst parameter and a timeout parameter. The former sets the destination address and the latter sets a timeout server value. New global directives support this: httpclient.ssl.ca-file, httpclient.ssl.verify, httpclient.ssl.resolvers.id, and httpclient.resolvers.prefer <ipv4|ipv6>.

Fetches and converts

  • New fetches have been added: last_rule_file, which returns the name of the configuration file (e.g. HAProxy Enterprise-lb.cfg) that contains the last line processed during stream analysis, and last_rule_line, which returns the line number. Use this to locate the http-request deny line that stopped a request, for example.
  • A new converter has been added: add_item, which concatenates strings with a delimiter between them, such as a semicolon.

Other keyword changes

  • The set-var directives, such as http-request set-var, now accept a second parameter to only set the variable if a condition is true. Conditions include: ifexists, ifnotexists, ifempty, ifnotempty, ifset, ifnotset, ifgt, iflt. For example, to set the variable only if it has not already been set: http-request set-var(txn.myvariable,ifnotset) req.hdr(X-MyValue).

Performance upgrades

  • Performance optimizations were made to the task scheduler, connection dequeueing, and connection stream code.

Version 14.0 Jump to heading

The changes in this release focus on two major features: Global server load balancing (GSLB) and the Advanced Web Application Firewall.

You can now run ALOHA as a DNS server and enable GSLB to load balance traffic across multiple datacenters. DNS records will direct clients to the datacenter closest to them or to the one that is reporting as healthy.

The Advanced WAF is an alternative to the ModSecurity WAF and provides a stricter set of rules, which requires more tuning to allow valid traffic through, but has a better requests-per-second throughput.

  • Upgraded to HAProxy Enterprise 2.5r1.
  • Added the ability to run ALOHA as a DNS server for global server load balancing.
  • Added a new WAF mode called Advanced WAF that you can use instead of ModSecurity.

Version 13.5 Jump to heading

Key changes in the HAProxy ALOHA 13.5 release include:

  • Upgraded to HAProxy Enterprise 2.4r1.
  • Added a command-line interface that you can access from the web UI.
  • The virtual appliance images now have a bigger disk > 8GB.
  • Web UI warnings are now also printed when logging with SSH or the console.

Version 13.0 Jump to heading

Key changes in the HAProxy ALOHA 13.0 release include:

  • Kernel updated to 4.19.189.
  • Upgrade to HAProxy Enterprise 2.3r1.
  • Additional management components, including the Dataplane API.
  • Additional security components, including ModSecurity WAF.
  • Graphical file manager in the WUI.
  • curl utility on the CLI.
  • Update to latest Update module
  • Upgrade to latest Antibot module.
  • Upgrade to latest Fingerprint module.
  • Custom routing table target on the flowmgr flow manager.
  • 8k maximum message length to on syslog.
  • OpenSSL 1.1.1k.
  • Better compliance with container environments (additional signals handled in sysvinit).

Version 12.5 Jump to heading

Key changes in the HAProxy ALOHA 12.5 release include:

  • Kernel updated to 4.19.155.
  • Upgrade to HAProxy Enterprise 2.2r1.
  • RADIUS authentication is now supported.
  • Prometheus exporter now available.
  • Licenses are now autosaved on upload.
  • Update to latest Update module.
  • Upgrade to latest Antibot module
  • Obsolete ALOHA image aloha-albevalonly-vmplayer.zip.
  • timeout command from coreutils is now available.
  • VRRP information has been added to the tech support output.
  • Tech support process output improved.

Version 12.0 Jump to heading

Key changes in the HAProxy ALOHA 12.0 release include:

  • Kernel updated to 4.19.123.
  • Upgrade to HAProxy Enterprise 2.1r1.
  • Removal of the deprecated lb-sanitize module.
  • Support for SSO SAML.
  • Support for USB3 (XHCI) on the ALB 5300.
  • Inotify kernel support.

Version 11.5 Jump to heading

Key changes in the HAProxy ALOHA 11.5 release include:

  • Support of SNMP v3.
  • Upgrade to HAProxy Enterprise 2.0r1.
  • All fixes and features from ALOHA v11.0.7.
  • Support of new hardware for model ALB5300.

Version 11.0 Jump to heading

Major features in ALOHA 11.0 include an upgrade to HAProxy Enterprise 1.9r1 which comprises the following new and improved functionalities:

  • End-to-end HTTP/2 support.
  • gRPC support.
  • Connection pooling to backends.
  • Connection multiplexing to backends.
  • Improved threading.
  • Automatic threading configuration.
  • Cache Improvements (supports objects of 2GB).
  • Server Queue Priority Control.
  • Random Load Balancing Algorithm, which supports configurable draw which can be used for Power of Two Random Choices Load Balancing.
  • Early Hints (HTTP 103) and Misdirected Request (HTTP 421) support.
  • Runtime API improvements.
  • New fetches.
  • New Converters.
  • System Components version upgrades.
  • Upgrade all components with an OpenSSL dependency to be compliant with v1.1.0b (OpenSSL 1.0.2 was removed).
  • Keepalived upgraded to 1.4.5.
  • Automatic network configuration using VMWare OVF properties (VA only).

Version 10.5 Jump to heading

New and/or improved features to ALOHA 10.5 include:

  • LDAP support which allows authentication of users against a remote LDAP server on CLI/WUI.

  • Configurable access type per user.

  • Use of PAM for authentication.

  • Upgrade to HAProxy Enterprise 1.8r2.

  • Security:

    • Update to OpenSSL 1.1.1a support for Layer7 SSL offloading.
    • Update to OpenSSL 1.0.2q to fix latest CVEs.

  • Kernel update to latest 4.9 mainline version.

  • PacketShield: Use of hardware acceleration to compute a secure hash for SYN cookies.

  • Rework of CPU mapping to support nbproc or nbthread equal to max CPU (setting to half of available CPU still offers the best balanced performances).

Version 10.0 Jump to heading

HAProxy ALOHA 10.0 brings the following improvements:

Latest version of HAProxy Enterprise

  • Upgrade to HAProxy Enterprise 1.8r1.

HTTP/2 Protocol Support

  • HAProxy Enterprise now supports HTTP/2 on the client side (i.e. the front-end sections) and can act as a gateway between HTTP/2 clients and your HTTP/1.1 and HTTP/1.0 applications.

Multi-threading Model

  • The multi-threading model is a feature that allows HAProxy to start multiple threads within a single process.

Server-template Configuration Directive

  • The server-template configuration directive allows you to instantiate a number of placeholder backend servers in a single configuration line, instead of having to add tens or hundreds of configuration lines explicitly.

Dynamic Cookies

  • A new keyword dynamic for the directive cookie now exists to enable cookie-based application persistence.

SSL/TLS Mode Async

  • The OpenSSL library version 1.1.0 and above supports asynchronous I/O operations. This means that the key computation phase (the heaviest part of the TLS protocol) can be run in a non-blocking way in HAProxy.

New Sample Fetches

  • HAProxy Enterprise can extract data from traffic passing through it. We call these functions “sample fetches”. More information about sample fetches can be found under “Fetching Data Samples” in the HAProxy Enterprise documentation.

Version 9.5 Jump to heading

HAProxy ALOHA 9.5 brings the following improvements:

Major Features

  • Upgrade to HAProxy Enterprise 1.7r2.
  • Single-Sign-On (SSO) Module.
  • DNS for Service Discovery.
  • Small Object Caching.

Monitoring

  • Support of collectd’s statistics export protocol.

SSL/TLS

  • Upgrade to openssl-1.1.1 with tls1.3 pending support.
  • Enhanced asymmetric performances using multi-CPU engine.

Version 9.0 Jump to heading

HAProxy ALOHA 9.0 is now powered by HAProxy Enterprise 1.7r1, and brings the following improvements:

Major Features

  • Upgraded to HAProxy Enterprise 1.7r1.
  • PCRE JIT support.
  • Namespace support.
  • DNS improvements.
  • Server: init-addr indicates the order to resolve the server’s adress upon startup. The method none indicates specifically that the server should start without any valid IP address in a down state.
  • New srv_admin flag: SRV_ADMF_RMAINT.
  • Listener: accept-netscaler-cip option added to the bind keyword.
  • Added tcp-request connection expect-netscaler-cip layer4.
  • Log format: error management improvements.

SSL/TLS

  • Upgrade to openssl-1.1.0 for LB Layer7 SSL offloading.
  • lb-update support for TLS session ticket keys.

Route Health Injection

  • Upgraded route injection daemon to support newest features.

VRRP

  • Upgraded VRRP daemon.

Miscellaneous

  • Upgrade to Linux kernel 4.9.
  • Automatic flash’s partitions resizing during upgrade.
  • New models support: ALB5200 and ALB3200.

New fetches

  • fe_name
  • be_name
  • fc_rcvd_proxy
  • xx-hash converters

Command Line Interface

  • show cli sockets lists the CLI sockets.
  • show stat now supports a proxy name.
  • show errors now supports a proxy name; now also capable of dumping only request or response.
  • RMAINT state remains when setting an IP address on the CLI.

LUA Scripting

  • CLI handler for LUA.
  • Allow argument for actions.
  • HAProxy now has variable access to the applets.
  • Function that returns true if the channel is full.
  • IP addresses and network manipulation.
  • Utility to check for a boolean argumentA tokenize function.

Version 8.5 Jump to heading

HAProxy ALOHA 8.5 brings the following improvements:

New Features

  • Powered by HAProxy 1.6r2.
  • TCP layer statistics are available in the form of new sample fetches (rtt, rtt variance etc, retransmits, losses, etc.).
  • New dst_is_local, src_is_local sample fetches make it easier to handle locally initiated connections in contrast to remote connections.
  • The peers protocol was updated to version 2.1 with support for synchronization of expiration dates.
  • CLI keyword registration to allow modules to plug-in on the command line and receive actions (example: refresh now).
  • Ability to disable SO_REUSEPORT with a new bind directive: noreuseport.
  • New possibilities for accessing load balancer internals with LUA.
  • Idle time in logs is now ignored by default for time measurements, so that HTTP request time corresponds to the time elapsed between the first character and the full request. The handshake time is also available to measure the time spent in SSL/PROXY handshakes.
  • Stick-tables now use native types to guarantee better accuracy of tracked information, especially binary keys.
  • Mailers now support a configurable connection timeout.
  • Changing server address, port and checkport is now possible from the CLI
  • New tcp-request session rule-sets makes it possible to track some L5-only information; for instance, anything negotiated in the handshake such as SSL DN or the client’s IP address as passed by the PROXY protocol. Previously, it was needed to do it in tcp-request content rules, which would count one new connection event per request.
  • New stats field for denied connections and denied sessions.
  • New hash-balance-factor directive for consis.
  • New tent hashing method.
  • New http-response rule track-sc.

SSL/TLS

  • SNI filters supported in multi-type certificates.
  • Support of lb-update for TLS session ticket keys.

PacketShield and DDOS protection

  • Half-stateful mode for direct server return.
  • ICMP rate limiting.
  • Geolocalization filtering support.

API REST/JSON

  • Support for tcp-check rules.

Miscellaneous

  • Kernel version Linux 4.4.
  • Review partition sizes on flash.
  • LUA support added to the load balancer.
  • Support for the LVS sync daemon in the init script.

Version 8.0 Jump to heading

HAProxy ALOHA 8.0 brings the following improvements:

New Features

  • Powered by HAProxy 1.6r1.

SSL/TLS

  • Multi-certificate key type support.

PacketShield and DDOS protection

  • IPv6 support.
  • Stateful protection for all UDP protocols (SNMP, UPnP, etc.).
  • Notification by traps or mail.
  • New global counters.
  • Ability to manually enable countermeasure.
  • Counters available through SNMP.

WUI

  • Graphs for PacketShield.

VRRP

  • Support of VRRPv3.
  • Support of Virtual MAC addresses.

LB Layer7

  • New http-reuse to share unused server-side connections for multiple clients.
  • export of HAProxy’s show info through SNMP.
  • Support of double quotes in the configuration.
  • DNS resolution of server name at run time.
  • GZIP stateless compression.
  • Support of variables at run time.
  • Stick tables statistics synchronization.
  • New hash-type load-balancing algorithm crc32.
  • Redispatch interval.
  • Dynamic generation of SSL certificates.
  • New map type: map_regm to allow matching zones in the regex.
  • Mathematical converters can use a variable generated at runtime.

New http-request rules

  • sc-inc-gpc0(<sc-id>)
  • sc-set-gpt0(<sc-id>) <int>
  • silent-drop
  • set-src <expr>

New http-response rules

  • set-status
  • set-var(<var-name>) <expr>
  • sc-inc-gpc0(<sc-id>)
  • sc-set-gpt0(<sc-id>) <int>
  • silent-drop

New tcp-request connection rules

  • sc-inc-gpc0(<sc-id>)
  • sc-set-gpt0(<sc-id>) <int>
  • silent-drop

New tcp-response content rules

  • set-var(<var-name>) <expr>
  • sc-inc-gpc0(<sc-id>)
  • sc-set-gpt0(<sc-id>) <int>
  • silent-drop

New tcp-request content rules

  • sc-inc-gpc0(<sc-id>)
  • sc-set-gpt0(<sc-id>) <int>
  • set-var(<var-name>) <expr>
  • silent-drop

New converters

  • capture-req(<id>)
  • capture-res(<id>)
  • set-var(<var name>)
  • table_gpt0(<table>)

New fetches for internal states

  • bin(<hexa>)
  • bool(<bool>)
  • int(<integer>)
  • ipv4(<ipv4>)
  • ipv6(<ipv6>)
  • meth(<method>)
  • str(<string>)
  • var(<var-name>)

Layer 4

  • sc_get_gpt0(<ctr>[,<table>])
  • sc0_get_gpt0([<table>])
  • src_get_gpt0([<table>])

Layer 6

  • req.ssl_st_ext
  • res.ssl_hello_type

Layer 7

  • unique-id

Version 7.5 Jump to heading

HAProxy ALOHA 7.5 brings the following improvements:

Major features

  • Configuration deployment using templates in the GUI.
  • PacketShield, our packet flood protection solution, now also available on Hardware appliances 1G interfaces.
  • SYNPROXY module, to use in conjunction with PacketShield to enable protection for LVS and traffic routed through the appliance.

HAProxy Enterprise Improvements

  • Faster processing of ACLs by using a match result cache.
  • Ability to analyze HTTP requests body (frontend option option http-buffer-request).
  • Faster HTTP gzip compression.
  • Traffic capture.
  • Comments in tcp-check rules.
  • Server side TLS SNI.
  • Server side tcp-ut timeout.

New sample fetches

  • ssl_fc_is_resumed
  • req.ssl_ec_ext
  • req.body_param
  • req.body_len
  • req.body_size

Additional Diagnostic Tools in GUI tab

  • Layer 7 errors
  • Layer 7 info
  • Tech support

HAProxy Enterprise features through the API

  • stick-table, stickreq, stickrsp
  • tcp-check
  • adv-check-http-version
  • http-request log-level
  • listener tcp-ut

Do you have any suggestions on how we can improve the content of this page?

Previous page Changelog Next page End-of-life dates
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences