HAProxy Enterprise 2.8 and HAProxy ALOHA 15.5 are now available. Users of our enterprise-class software load balancer and hardware/virtual load balancer appliance who upgrade to the latest versions will benefit from the features announced in the community version, HAProxy 2.8, plus some features that enhance the flexibility of our enterprise security options to meet even more use cases. If you want to start the upgrade procedure straight away, go to the upgrade instructions for HAProxy Enterprise and HAProxy ALOHA.
Features from HAProxy 2.8
We announced the release of HAProxy 2.8 in May 2023. HAProxy 2.8 brought many benefits to users of HAProxy’s community version, upgrading old features and introducing new ones. Highlights include:
Improved OCSP stapling
HTTP compression for requests
Signing algorithms for TLS
For an introduction to the features listed above, watch our on-demand webinar “HAProxy 2.8 Feature Roundup”.
Automated OCSP stapling brings scalable management of low-latency SSL/TLS security
One feature incorporated from HAProxy 2.8 will be of particular interest to many HAProxy Enterprise customers: automated OCSP stapling.
SSL/TLS certificates are typically valid for one year but could be compromised during that time. To account for this, a client will hold a connection during a TLS handshake to check the server’s certificate with the certificate authority (CA). This check adds latency when establishing a connection.
You can mitigate this by connecting daily to your CA to validate your certificate and get a stamp (called “stapling”) that proves to clients that your certificate is trustworthy. As a result, the client does not need to validate your certificate with the CA, eliminating the latency.
Previously, you could do this “stapling” manually using a bash script. Now, you can automate this process. This provides a scalable and consistent way of improving performance without compromising security.
More flexible security to fit more of your use cases
HAProxy Enterprise and HAProxy ALOHA are well known for their powerful and flexible security features that enable a wide range of use cases. As one happy user of HAProxy Enterprise posted on G2, the "security modules are exceptional!"
In HAProxy Enterprise 2.8 and HAProxy ALOHA 15.5, we have further improved these capabilities.
HAProxy Enterprise 2.8 additional features
HAProxy Enterprise 2.8 introduces several features that help customers to customize SSL/TLS, single sign-on (SSO), and embedded IoT systems.
SSL/TLS signature algorithms and server-side curves parameters
To increase security and improve compatibility with third-party middleboxes, you can now set the SSL/TLS signature algorithm and set the curves parameter on the server side. These features let users tune SSL/TLS for certain use cases and simplify migration from F5 to HAProxy Enterprise.
These features are backported to HAProxy Enterprise 2.6.
Flexible SSO authentication with Kerberos
The HAProxy Enterprise Single Sign-On solution allows you to use the Kerberos protocol for authentication. HAProxy Enterprise 2.8 gives you more flexibility over how to use Kerberos for authentication and security.
Previously, HAProxy Enterprise had to connect to a Kerberos server to validate an authentication ticket sent by a client. Now you can configure HAProxy Enterprise with a local key to validate a ticket without connecting to a Kerberos server.
This feature is backported to HAProxy Enterprise 2.6.
Broader IoT support with PROXY protocol
With HAProxy Enterprise 2.8, you can extract more information from the PROXY protocol when accepting it on a frontend listener. The protocol allows implementers to append extra fields to the end of the header, and a new fetch method named fc_pp_tlv makes it possible to read those values from within your load balancer configuration.
One way to use this is to support client certificate authentication on behalf of Internet of Things (IoT) devices when the IoT device has an instance of HAProxy Enterprise to receive the connection. With HAProxy Enterprise, the PROXY protocol allows you to relay the certificate's distinguished name in an alternative way, as part of the TCP connection.
Now you can transport the Client ID and client certificate through the PROXY protocol for TCP-only connections.
The Client ID is transported using the MQ Telemetry Transport (MQTT) username from MQTT CONNECT and the givenName (GN) from the presented client certificate.
The certificate is transported using the distinguished name (DN) and givenName (GN).
This feature is backported to HAProxy Enterprise 2.6.
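To make the header layout that fc_pp_tlv reads from concrete, here is an added Python example (not HAProxy Enterprise code and not the fc_pp_tlv implementation) that encodes and then decodes a PROXY protocol v2 header. It carries the standard PP2_TYPE_SSL TLV with the client certificate's CN and a custom TLV in the 0xE0-0xEF application range standing in for the MQTT client id. The addresses, CN and client id are constructed sample values; the type numbers come from the published PROXY protocol specification. The decoder refuses truncated headers and TLVs, which is the check a receiver needs because every field in the header is asserted by the sending proxy, so it should only be accepted from trusted upstreams.

```python
import socket
import struct

# PROXY protocol v2 constants, as published in the protocol specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL = 0x20            # TLS details collected by the sending proxy
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22      # subject Common Name of the client certificate
PP2_TYPE_MIN_CUSTOM = 0xE0     # 0xE0-0xEF are reserved for application-specific TLVs
PP2_CLIENT_SSL = 0x01
PP2_CLIENT_CERT_CONN = 0x02


def parse_tlvs(buf):
    """Walk type(1) length(2, big-endian) value records, refusing truncated ones."""
    tlvs, pos = [], 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if pos + length > len(buf):
            raise ValueError("TLV value runs past the end of the header")
        tlvs.append((t, buf[pos:pos + length]))
        pos += length
    return tlvs


def parse_proxy_v2(data):
    """Parse a PROXY v2 header (TCP over IPv4/IPv6); return (info, bytes after the header)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F != 1:      # version 2, command PROXY
        raise ValueError("unsupported version or command")
    if 16 + length > len(data):
        raise ValueError("header truncated")
    body, rest = data[16:16 + length], data[16 + length:]
    layouts = {0x11: ("!4s4sHH", 12, socket.AF_INET),     # AF_INET,  SOCK_STREAM
               0x21: ("!16s16sHH", 36, socket.AF_INET6)}  # AF_INET6, SOCK_STREAM
    if fam_proto not in layouts or len(body) < layouts[fam_proto][1]:
        raise ValueError("address block missing or family not handled here")
    fmt, addr_len, family = layouts[fam_proto]
    src, dst, sport, dport = struct.unpack_from(fmt, body)
    info = {"src": (socket.inet_ntop(family, src), sport),
            "dst": (socket.inet_ntop(family, dst), dport), "tlvs": {}}
    for t, v in parse_tlvs(body[addr_len:]):
        if t == PP2_TYPE_SSL:
            # value = client flags (1) + verify result (4, zero means verified) + sub-TLVs
            if len(v) < 5:
                raise ValueError("PP2_TYPE_SSL value too short")
            client, verify = struct.unpack_from("!BI", v)
            ssl = {"cert_on_connection": bool(client & PP2_CLIENT_CERT_CONN),
                   "verified": verify == 0}
            for st, sv in parse_tlvs(v[5:]):
                if st == PP2_SUBTYPE_SSL_CN:
                    ssl["cn"] = sv.decode("utf-8", "replace")
                elif st == PP2_SUBTYPE_SSL_VERSION:
                    ssl["version"] = sv.decode("ascii", "replace")
            info["tlvs"]["ssl"] = ssl
        else:
            info["tlvs"][t] = v      # custom (0xE0-0xEF) and other types kept as raw bytes
    return info, rest


def build_ssl_tlv(cn, version=b"TLSv1.3", verified=True):
    """Encode the PP2_TYPE_SSL value for a client that presented a certificate."""
    sub = struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, len(version)) + version
    sub += struct.pack("!BH", PP2_SUBTYPE_SSL_CN, len(cn)) + cn
    return struct.pack("!BI", PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN, 0 if verified else 1) + sub


def build_proxy_v2(src, dst, tlvs):
    """Encode a v2 PROXY header (TCP over IPv4) followed by the given (type, value) TLVs."""
    body = socket.inet_aton(src[0]) + socket.inet_aton(dst[0]) + struct.pack("!HH", src[1], dst[1])
    for t, v in tlvs:
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def header_is_well_formed(data):
    try:
        parse_proxy_v2(data)
        return True
    except ValueError:
        return False


# Constructed sample: an edge proxy in front of an IoT device announces the device's
# certificate CN "device-42" and carries the MQTT client id "sensor-7" in a custom TLV.
SAMPLE_HEADER = build_proxy_v2(
    ("10.0.0.5", 51234), ("10.0.0.1", 8883),
    [(PP2_TYPE_SSL, build_ssl_tlv(b"device-42")), (PP2_TYPE_MIN_CUSTOM, b"sensor-7")],
) + b"\x10\x00"   # first bytes of the application stream that follow the header


def parsed_sample():
    return parse_proxy_v2(SAMPLE_HEADER)


if __name__ == "__main__":
    info, rest = parsed_sample()
    print(info["src"], info["dst"], info["tlvs"]["ssl"], info["tlvs"][PP2_TYPE_MIN_CUSTOM], rest)
```

Both the SSL sub-TLVs and any custom TLV are length-prefixed, so a receiver can skip types it does not understand; the example keeps unknown types as raw bytes rather than guessing at their encoding.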
HAProxy ALOHA 15.5 additional features
HAProxy ALOHA 15.5 extends its excellent DDoS protection to QUIC traffic and enables automated management of SSL/TLS certificates.
PacketShield DDoS protection for QUIC traffic
In HAProxy ALOHA, PacketShield protects against packet floods and protocol-level attacks to mitigate distributed denial-of-service (DDoS) attempts. Building on our groundbreaking support for HTTP/3 over QUIC in HAProxy ALOHA 15, version 15.5 supports using PacketShield with QUIC traffic.
Now you can take advantage of the performance benefits of QUIC while using PacketShield’s line-rate traffic filtering to address some of the security concerns associated with UDP (which is necessary to enable QUIC).
HAProxy ALOHA 15.5 can:
detect and drop packets that do not belong to an existing QUIC session.
detect and drop spoofed INIT packets by using a QUIC “Retry” token to detect authentic packets and clients (this emulates a SYN cookie in a TCP connection).
detect and block suspicious sessions while a session is being established; allowing clients that might be part of a DoS attempt to establish a session is a viable approach when using QUIC because generating a new session requires more resources on the client side than on the server side.
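The "Retry token" mechanism described above is easiest to understand as a stateless admission check. The following added Python illustration (not PacketShield's or HAProxy ALOHA's implementation; the token layout, the HMAC key, the 10-second lifetime and the address strings are assumptions of this example) shows the idea that QUIC's Retry shares with a TCP SYN cookie: the server answers an unvalidated Initial with a token bound to the claimed source address and keeps no state; only a client that actually receives packets at that address can echo the token back, and only then is a session created. Spoofed, replayed-from-elsewhere, stale and tampered tokens are all dropped without costing the server any session state.

```python
import hashlib
import hmac
import os
import time

TOKEN_LIFETIME_S = 10   # assumption for this example; short so replayed tokens age out quickly
TAG_LEN = 16


def make_retry_token(client_addr, orig_dcid, secret, now=None):
    """Token = timestamp(8) + dcid_len(1) + original DCID + HMAC tag bound to client_addr."""
    ts = int(now if now is not None else time.time())
    payload = ts.to_bytes(8, "big") + bytes([len(orig_dcid)]) + orig_dcid
    tag = hmac.new(secret, payload + client_addr.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


def validate_retry_token(token, client_addr, secret, now=None):
    """Return the original DCID if the token is authentic, fresh and from this address, else None."""
    if len(token) < 9 + TAG_LEN:
        return None
    payload, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(secret, payload + client_addr.encode(), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):      # forged or replayed from another address
        return None
    if len(payload) != 9 + payload[8]:
        return None
    ts = int.from_bytes(payload[:8], "big")
    now = int(now if now is not None else time.time())
    if not 0 <= now - ts <= TOKEN_LIFETIME_S:       # stale (or from the future)
        return None
    return payload[9:]


class RetryGate:
    """Admission gate in front of a QUIC server: no per-client state until the address is validated."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.sessions = set()   # only validated (addr, dcid) pairs consume server resources

    def handle_initial(self, client_addr, dcid, token=b"", now=None):
        """Return ("retry", token) for unvalidated clients, ("accept", original dcid) or ("drop", None)."""
        if not token:
            # Unvalidated address: answer with a Retry carrying a token, keep nothing.
            return "retry", make_retry_token(client_addr, dcid, self.secret, now)
        orig_dcid = validate_retry_token(token, client_addr, self.secret, now)
        if orig_dcid is None:
            return "drop", None
        self.sessions.add((client_addr, dcid))
        return "accept", orig_dcid


if __name__ == "__main__":
    gate = RetryGate()
    addr = "198.51.100.7:4433"                       # constructed client address
    action, token = gate.handle_initial(addr, b"\x01" * 8)
    print(action, len(gate.sessions))                 # retry 0: no state allocated yet
    print(gate.handle_initial(addr, b"\x02" * 8, token)[0], len(gate.sessions))  # accept 1
    print(gate.handle_initial("203.0.113.9:5555", b"\x03" * 8, token)[0])        # drop
```

The server only ever stores state for addresses that have proven they can receive its packets, which is why a flood of Initial packets from forged addresses costs the attacker a round trip per packet and costs the server nothing beyond an HMAC. Real QUIC Retry (RFC 9000) additionally changes the connection ID and carries an integrity tag; this example models only the address-validation part.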
Automated SSL/TLS certificate management using Data Plane API
HAProxy ALOHA manages SSL certificates differently from HAProxy Enterprise. As a result, you couldn’t use the Data Plane API to manage SSL certificates on previous versions of HAProxy ALOHA. But from HAProxy ALOHA 15.5, you can do this easily using the command ssl-frontend, providing users the flexibility to automate certificate management if they choose.
End of life (EOL) announcements
Users of HAProxy Enterprise’s Real-time Dashboard, HAProxy ALOHA 14.0, HAProxy ALOHA 12.5, and HAProxy Enterprise 2.5r1 should read this section for end-of-life and end-of-support announcements.
HAProxy Enterprise’s Real-time Dashboard
The Real-time Dashboard is deprecated and will no longer be supported. HAProxy Enterprise 2.8 is the last version where it will be available; it will not be available in the next version of HAProxy Enterprise.
The Real-time Dashboard is a web application that collects and displays live metrics from your HAProxy Enterprise load balancers. Since we launched the Real-time Dashboard, two things have happened:
We released HAProxy Fusion to provide improved management, monitoring, and automation for HAProxy Enterprise. HAProxy Fusion includes a more modern and scalable monitoring function and GUI than the Real-time Dashboard.
We learned that the Real-time Dashboard was not widely used and did not provide the modern monitoring experience that customers wanted.
As a result, we have decided to deprecate the Real-time Dashboard and focus more development resources on HAProxy Fusion. For customers who need a native GUI for management, monitoring, and automation, we will help them to migrate to HAProxy Fusion.
For more information, see the HAProxy Fusion product page.
The following releases reach end-of-support in 2023. If you have any questions, please contact your account manager.
Upgrade or try HAProxy Enterprise 2.8 & HAProxy ALOHA 15.5
When you are ready to upgrade to HAProxy Enterprise 2.8 or HAProxy ALOHA 15.5, follow the links below.
If you’re not already using HAProxy Enterprise or HAProxy ALOHA, request a free trial or contact our sales team for a demonstration.
HAProxy Enterprise 2.8
HAProxy ALOHA 15.5