Announcing HAProxy Enterprise 3.2

Introducing next-gen security intelligence and up to 2X greater TLS performance

HAProxy Enterprise 3.2 is a pivotal release that reinforces the product’s identity as both the world’s fastest software load balancer and a sophisticated edge security layer. This release brings next-generation security intelligence, extends its industry-leading performance, and expands the native routing and integration capabilities in HAProxy Enterprise.

The headlining addition in HAProxy Enterprise 3.2 is the introduction of the Threat Detection Engine (TDE) within the Bot Management Module. The TDE provides sophisticated detection, classification, and industry-standard labeling of application DDoS, brute force, web scraper, and vulnerability scanner threats without compromising latency or customer privacy. Crucially, the TDE is engineered to run anywhere — even in highly controlled or air-gapped environments — without requiring any external connection or sending customer data to a third party. This design gives customers maximum control over their infrastructure, simplifies data compliance, and removes vulnerable external dependencies.

HAProxy Enterprise 3.2 is a foundational component of the HAProxy One platform, in which the data plane, control plane, and secure edge network work together seamlessly. HAProxy Fusion 1.4, coming later this year, carries forward our security innovation momentum, bringing the Security Control Plane announced earlier this year at HAProxyConf 2025. Together, the groundbreaking Threat Detection Engine and Security Control Plane (featuring the Threat-Response Matrix for intuitive, visual policy building) will offer a unique combination of next-generation security intelligence and next-generation security user experience (UX).

New to HAProxy Enterprise?

HAProxy Enterprise provides high-performance load balancing for TCP, UDP, QUIC, and HTTP-based applications, high availability, an API/AI gateway, Kubernetes application routing, SSL processing, DDoS protection, bot management, global rate limiting, and a next-generation WAF. 

HAProxy Enterprise combines the performance, reliability, and flexibility of our open-source core (HAProxy — the most widely used software load balancer) with ultra-low-latency security layers and world-class support. HAProxy Enterprise benefits from full-lifecycle management, monitoring, and automation (provided by HAProxy Fusion), and next-generation security layers powered by threat intelligence from HAProxy Edge and enhanced by machine learning.

Together, this flexible data plane, scalable control plane, and secure edge network form HAProxy One: the world’s fastest application delivery and security platform that is the G2 category leader in API Management, Container Networking, DDoS Protection, Web Application Firewall (WAF), and Load Balancing.

To learn more, contact our sales team for a demonstration or request a free trial.

What’s new?

HAProxy Enterprise 3.2 incorporates all features and enhancements previously announced in the community version of HAProxy 3.2, which extend performance, flexibility, and observability. These include automatic CPU binding, which optimizes performance on modern multi-core systems (with a mix of performance and efficiency cores), and improvements to the Runtime API and Prometheus exporter — making monitoring and traffic inspection simpler.

The additional enhancements within HAProxy Enterprise 3.2 affect four key areas.

Area | Feature | Benefit | Impact
--- | --- | --- | ---
Security & Intelligence | Threat Detection Engine (Bot Management Module), WAF Profiles, and enhanced CAPTCHA Module | Exceptionally accurate, private threat detection | Risk reduction and compliance
Performance & Scalability | AWS-LC TLS library | Significant performance increase (more than 2X at 64 threads) | Scalability and modernization
Global Routing & Resilience | Native Route Health Injection (RHI) Module and HTTPS health checks for GSLB | Low-latency, simplified geo-distributed routing with native logs | Performance and observability
Operational Modernization | Open ID Connect (OIDC) | Simple, flexible integration with modern SSO providers | Implementation cost and innovation

Ready to upgrade?

When you are ready to start the upgrade procedure, go to the upgrade instructions for HAProxy Enterprise.

Next-generation security and intelligence

The primary focus of HAProxy Enterprise 3.2 is delivering next-generation security features that overcome the traditional limitations of high resource usage, compliance risks, and performance degradation often associated with sophisticated threat detection systems — especially SaaS/cloud products that process customer data or require an external connection with added latency.

The new Threat Detection Engine: sophistication without the security tax

Businesses today face persistent threats from sophisticated bots executing application layer DDoS attacks, content scraping for unlawful use or LLM training, and vulnerability scanners that precede malicious attacks. Historically, most security solutions employ brute-force methods leading to high resource usage (and therefore high costs in cloud or on-premises deployments), or apply overly zealous rules that generate disruptive false positives, or are only available as SaaS/cloud products that run outside your network.

The new Threat Detection Engine (TDE), integrated into the HAProxy Enterprise Bot Management Module, resolves these challenges. Previously, the Bot Management Module provided generalized classification of humans, bots, and suspicious users; the TDE is far more specific and granular. It is engineered to detect, classify, and label specific high-impact threats, including application layer DDoS, brute force attacks, web scrapers, and vulnerability scanners, with the roadmap supporting future expansions. The TDE is accurate out-of-the-box, dynamically adaptable, incredibly efficient and performant, and completely private and secure.

Accurate out-of-the-box

The engine achieves its accuracy through novel and proprietary techniques that combine multiple signals, including reputational and behavioral signals, directly within HAProxy Enterprise. Our team’s deep expertise in security, data science, and machine learning yields highly precise and actionable threat classifications with minimal configuration or tuning required out-of-the-box. 

The threat detection algorithms are derived from our machine learning models, which are trained externally using anonymized traffic data collected from HAProxy Edge. This pre-training mechanism provides the benefit of global threat intelligence without ever requiring customer data or live external connections, resulting in reduced risk and improved operational efficiency due to a low rate of false positives.

Dynamic adaptability and flexibility

The Threat Detection Engine provides dynamic detection of application DDoS attacks, taking into account both real-time and historical traffic data to identify anomalies; this is essential because the threshold for what constitutes an attack varies significantly between different applications. This capability allows the engine to adapt its protection automatically without tuning the configuration manually, which leads to lower implementation costs.

You have complete control over when and how HAProxy Enterprise responds to threats identified by the TDE, including combining the TDE’s threat labels with other signals generated by HAProxy Enterprise and its various modules, to determine whether to trigger a response. For example, while you may trigger a response to all vulnerability scanners, you may choose to only trigger a response to web scrapers if they also match specific geo-locations.

Furthermore, you can easily customize the response to any threat type using HAProxy Enterprise’s flexible toolkit, which includes blocking, denying, rate limiting, CAPTCHA challenges, tarpitting, and more. This dynamic nature allows for tailored and precise enforcement.
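The policy described above (always respond to vulnerability scanners, respond to web scrapers only when a geo-location also matches, rate-limit brute force) could be expressed in HAProxy configuration as follows. This is an added illustration, not configuration from this page or from HAProxy's documentation: the variable `txn.tde.threat`, its label values, the GeoIP map path and the country codes are placeholders chosen for the example.

```haproxy
# Added illustration only: the TDE variable name, its label values, the map
# path and the country codes below are placeholders, not documented names.
frontend www
    bind 192.168.1.10:443 name https ssl crt site.pem

    # Per-source request-rate tracking, used for the brute-force response
    stick-table type ip size 100k expire 10m store http_req_rate(1m)

    # Resolve the client's country from a (constructed) GeoIP map file
    http-request set-var(txn.country) src,map_ip(/etc/geo/country.map,--)

    # Placeholder for the label the TDE attaches to the transaction
    acl tde_vuln_scanner var(txn.tde.threat) -m str vuln_scanner
    acl tde_web_scraper  var(txn.tde.threat) -m str web_scraper
    acl tde_brute_force  var(txn.tde.threat) -m str brute_force
    acl tde_app_ddos     var(txn.tde.threat) -m str app_ddos
    acl geo_of_interest  var(txn.country) -m str XX YY   # constructed codes

    # Vulnerability scanners: always respond
    http-request deny deny_status 403 if tde_vuln_scanner

    # Web scrapers: respond only when the geo signal also matches
    http-request tarpit if tde_web_scraper geo_of_interest

    # Brute force: track the source and rate-limit rather than hard-block
    http-request track-sc0 src if tde_brute_force
    http-request deny deny_status 429 if tde_brute_force { sc_http_req_rate(0) gt 20 }

    # Application DDoS: shed load with a fast reject rather than a tarpit
    http-request silent-drop if tde_app_ddos

    default_backend webservers

backend webservers
    server web1 192.168.0.102:80 check
    server web2 192.168.0.103:80 check
```

Each label maps to a different response from the toolkit named above (deny, tarpit, rate limit, silent drop), and the geo condition is applied only to the scraper rule.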

Incredibly efficient and performant

The design of the TDE directly addresses the performance cost often imposed by sophisticated security processing. It maintains ultra-low latency while significantly reducing memory and CPU consumption compared to typical methods. The TDE specifically gains a huge latency advantage over solutions that rely on an additional network hop (such as for an external connection to a security scanner), ensuring that security processing does not degrade the user experience (UX) for legitimate traffic or inflate infrastructure costs. This focus on performance ensures that the TDE maintains the high-speed integrity expected of the HAProxy One platform.

Private and secure: the compliance advantage

One of the most compelling characteristics of the TDE is its security and privacy model. All the intelligent threat detection processing occurs locally on an HAProxy Enterprise node. Despite leveraging algorithms derived from advanced machine learning, the TDE does not involve third-party or off-site processing of any customer or user data, either synchronously or asynchronously, and requires no external connection to function. 

This architectural choice is critical for organizations facing stringent compliance requirements. By eliminating vulnerable external dependencies and third-party data processing (with its stringent requirements), the TDE simplifies compliance and makes the solution viable for highly regulated or air-gapped environments. This design successfully achieves SaaS/cloud-level security intelligence while maintaining strict operational control and data privacy on-premises.

Threat Detection Engine (TDE) value matrix

Characteristic | How it works | Benefit
--- | --- | ---
Accurate | Combines proprietary reputational and behavioral signals with pre-trained ML models | Reduced risk and improved operational efficiency (low false positives)
Dynamic | App DDoS detection accounts for real-time/historical traffic data; adapts protection automatically | Lower implementation costs and minimal configuration or tuning required
Efficient | Ultra-low latency compared to solutions with an extra network hop; reduced memory/CPU usage | Lower infrastructure costs and better UX/performance
Private | Processes everything locally; requires no external connection or third-party processing of customer/user data | Easier compliance and simplified deployment in air-gapped environments

Customizable protection with new WAF Profiles

The HAProxy Enterprise Web Application Firewall (WAF), powered by the Intelligent WAF Engine, previously offered a default mode providing the highest accuracy and performance, and an optional OWASP CRS compatibility mode for industry-standard transparency. These modes are effective for customers who do not need significant customization. However, we wanted to give you more power and flexibility by simplifying WAF rule customization even further. 

HAProxy Enterprise 3.2 introduces support for customizable WAF Profiles. You can now create, customize, and apply a unique WAF ruleset for each WAF Profile, applying them selectively across different applications or locations. This granular control is essential for tailoring security across diverse application portfolios. 

By fine-tuning WAF security based on the unique traffic patterns and security requirements of individual applications, you can minimize false positives, reduce alert fatigue, and ensure an improved UX for your legitimate users. Additionally, WAF Profiles are completely transparent — including the base ruleset and every custom rule — with support for extensive logging to help you understand exactly why specific WAF rules were triggered.

Secure bot mitigation with an enhanced native CAPTCHA Module

CAPTCHA challenges have become an essential weapon in the fight to mitigate unwanted bot traffic. HAProxy Enterprise has featured a native CAPTCHA Module since version 3.0, providing simple configuration and flexible integration. It supports Google reCAPTCHA v2 and v3, reCAPTCHA Enterprise, hCaptcha, Friendly Captcha (frCaptcha), Turnstile, and more — including custom providers — which enables multiple CAPTCHA types (beyond the “I'm not a robot” checkbox). It also allows for multiple CAPTCHA challenges during a session if anomalous behavior is detected.

We wanted to build on this simplicity and flexibility, making the module even more robust and secure.

The enhanced native CAPTCHA Module in HAProxy Enterprise 3.2 ensures continuity and a seamless UX in the event that an external CAPTCHA verification server is unreachable; in this condition, the CAPTCHA Module can behave as though the challenge were solved and set a valid CAPTCHA cookie that expires after a set time. Critically, security is enhanced by computing a 100% unique CAPTCHA key, eliminating the small risk of sophisticated attackers exploiting key reuse. This comprehensive, resilient, secure, and cost-efficient native solution can fully replace the need for expensive external services such as Google reCAPTCHA Enterprise.

Unified security management (a look ahead to HAProxy Fusion 1.4)

The new security capabilities introduced in HAProxy Enterprise 3.2 are part of a broader vision to deliver a modern security platform through HAProxy One — a vision that also includes unified security management. The advanced controls, customization options for WAF Profiles, and the detailed threat data generated by the TDE will be fully complemented by the Security Control Plane coming soon in HAProxy Fusion 1.4.

This update to the authoritative control plane for HAProxy Enterprise is expected to release in November 2025 and will allow customers to manage centralized security policies, apply customized Security Profiles, and configure policies intuitively using a new visual policy builder called the Threat-Response Matrix.

Performance and scalability

HAProxy Enterprise maintains its competitive edge by continuously optimizing its performance foundation. The adoption of the AWS-LC TLS library in version 3.2 is a strategic mandate designed to reduce cryptographic overhead and ensure that HAProxy’s legendary performance continues to scale efficiently on today’s massively multi-core CPUs.

AWS-LC: consistently higher TLS performance

Secure HTTPS connections, negotiated via the SSL/TLS protocol, rely heavily on the performance and features of the underlying TLS library. Previously, HAProxy used OpenSSL by default; however, version 1.1.1 – which was well-regarded – reached end-of-life in 2023. Although we had an extended support license to continue using it in HAProxy Enterprise, this was not a long-term solution. Meanwhile, OpenSSL version 3.0 LTS introduced significant performance regressions that subsequent versions have not adequately resolved.

Our benchmarks, published in May 2025 in our article The State of SSL Stacks, reported massive performance degradation when running HAProxy built with OpenSSL 3+, particularly when multithreaded on systems with 16 threads or more, limiting HAProxy's expected HTTPS performance. 

The need to process secure connections efficiently is paramount, as excessive processing time can constrain scalability, limit the total number of simultaneous connections, and inflate the resource cost of meeting high traffic demands.

In HAProxy Enterprise 3.2, we have strategically replaced the default OpenSSL library with AWS-LC. AWS-LC is a general-purpose TLS library maintained by the AWS Cryptography team, based on code from Google BoringSSL and the OpenSSL project.

The benefits of this transition are substantial, as demonstrated in our latest benchmarks comparing HAProxy Enterprise 3.0 built with OpenSSL 1.1.1 and HAProxy Enterprise 3.2 built with AWS-LC.

  • We tested each system using two public key encryption algorithms: RSA 2048-bit keys and ECDSA 256-bit keys.

  • We tested each system in AWS on the same instance types, starting at 8 threads and scaling up to 64 threads at increments of 8 threads.

  • To stress-test the systems with the worst-case scenario for server-side capacity, we disabled TLS-reuse so that every connection would trigger a key exchange. Note that this scenario only tests the capacity of the systems to process new connections and TLS handshakes, and is not equivalent to a measure of requests-per-second, which would measure much higher.

Figure 1: TLS connections per second using RSA 2048-bit keys

Figure 2: TLS connections per second using ECDSA 256-bit keys

HAProxy Enterprise 3.2 built with AWS-LC achieves consistently higher TLS performance compared with HAProxy Enterprise 3.0 built with OpenSSL 1.1.1, regardless of the public key encryption algorithm or the number of threads. On average, HAProxy Enterprise 3.2 with AWS-LC had 38% higher performance using RSA, and 68% higher performance using ECDSA.

The biggest benefits are realized as systems scale up with more threads.

  • With RSA, HAProxy Enterprise 3.2 had 34% higher performance at 16 cores, which increased to 54% at 64 cores.

  • With ECDSA, HAProxy Enterprise 3.2 had 55% higher performance at 16 cores, which increased to a staggering 156% at 64 cores – more than twice as performant.

These TLS performance improvements make HAProxy Enterprise even more scalable for high-traffic applications compared with previous versions built with OpenSSL 1.1.1, which was the best-performing TLS library from OpenSSL. Furthermore, AWS-LC includes robust support for the QUIC protocol, which simplifies the modernization of application infrastructure with efficient, modern transport protocols.

The adoption of AWS-LC is a critical engineering step that safeguards the platform's core performance identity, ensuring that performance remains uncompromised even as advanced security features are added.

Open source performance enhancement from HAProxy 3.2

Beyond the AWS-LC shift, HAProxy Enterprise 3.2 benefits from performance accelerators inherited from the community version. QUIC protocol support is now faster, more reliable on lossy networks, and more resource-efficient. Additionally, automatic CPU binding simplifies management and squeezes more performance out of large-scale, multi-core systems by ensuring optimal resource utilization, which enabled Criteo to reduce CPU usage by 20% with the same level of network traffic.

Global routing and resilience

For organizations operating across multiple autonomous data centers, efficient and resilient geo-distributed routing is essential. HAProxy Enterprise 3.2 significantly simplifies the management of this critical routing infrastructure — and improves performance.

Simplifying geo-distribution: native RHI and enhanced GSLB

Routing external traffic across multiple autonomous data centers relies heavily on technologies like Border Gateway Protocol (BGP) for path announcement and Global Server Load Balancing (GSLB) for data center selection. HAProxy Enterprise has supported Route Health Injection (RHI) over BGP for a while, but this previously required multiple configuration files and the use of an external process. We wanted to give you a simpler way to manage RHI configuration, with improved observability.

HAProxy Enterprise 3.2 introduces a native RHI Module. This native module calculates and announces BGP routes directly within the HAProxy process itself. You can also make RHI conditional, for example, only announcing a route if a minimum number of healthy servers are detected at a specific location. The result is a simple native configuration and native logs that dramatically increase observability and simplify troubleshooting for geo-routing issues.

Here's an example that shows the RHI Module's syntax:

rhi-bgp dc1
    hold-time 30
    timeout connect 1s
    timeout open 5s
    timeout reconnect 1s
    timeout keepalive 10s
    timeout min-update-interval 3s
    timeout graceful-restart 5s
    log global
    local-id 192.168.0.101
    local-as 65001
    neighbor 192.168.0.1:179 as 65001
    next-hop-ipv4 192.168.0.101
    # Announce the VIP only while at least one server in 'webservers' is healthy
    acl backend_is_up nbsrv(webservers) gt 0
    rhi-announce addrs 192.168.1.10/32 if backend_is_up

frontend www
    bind 192.168.1.10:80 name http
    bind 192.168.1.10:443 name https ssl crt site.pem
    default_backend webservers

backend webservers
    server web1 192.168.0.102:80 check
    server web2 192.168.0.103:80 check

Concurrent enhancements to GSLB address management complexity and risk. You can now split GSLB configuration into multiple files, allowing you to divide zones or regions into smaller, more manageable, and faster-loading files. Furthermore, GSLB health checks can now use secure HTTPS connections between the GSLB server and the data centers. This upgrade directly mitigates risk associated with potentially unsecured connections between a GSLB server (often running in a public cloud) and private on-premises data centers.

Unified traffic management: UDP ACLs and session persistence

Since the introduction of the HAProxy Enterprise UDP Module in version 2.9, HAProxy Enterprise has offered reliable, high-performance UDP proxying and load balancing. But we wanted to add more advanced functionality.

In HAProxy Enterprise 3.2, the HAProxy Enterprise UDP Module now supports ACLs and basic fetches based on attributes such as source IP and destination IP. This enables more advanced routing logic for UDP traffic. In the example below, we set up split-brain DNS:

udp-lb dns
    # Clients on the internal subnet resolve against dns1, everyone else against dns2
    acl local src 10.0.0.0/24
    use-server dns1 if local
    use-server dns2 if !local
    server dns1 10.0.0.10:53 check
    server dns2 10.0.0.11:53 check
    ...

Critically, customers can now configure the UDP Module to provide session persistence for UDP traffic, ensuring that user connections are reliably connected to the same backend server. This enhancement provides more consistent traffic management capabilities across TCP, QUIC, and UDP, delivering more flexibility for advanced routing and an excellent UX for any type of application.

Operational modernization and integration

Last but not least, this release reduces integration complexity by standardizing crucial services into native, easy-to-manage HAProxy configurations.

Modern identity: native Open ID Connect (OIDC) SSO

Enabling Single Sign-On (SSO) at the proxy layer offloads security risk and complexity from application servers. HAProxy Enterprise has supported SSO integration for some time, but this has had limited protocol support (SAML, Kerberos, or ADFSPIP) and relied on HAProxy’s Stream Processing Offload Engine (SPOE) to integrate with an external SSO process. We wanted to give you more flexibility, along with the simplicity of native HAProxy configuration. 

HAProxy Enterprise 3.2 introduces modernized SSO with a new native Open ID Connect (OIDC) Module, along with enhancements to the SAML Module. The native modules run inside the HAProxy Enterprise process, eliminating the need for SPOE, and use standard HAProxy configuration syntax, resulting in simpler implementation. In addition, native support for the OIDC standard allows seamless integration with a vast array of modern third-party SSO providers — including Google, Apple, Facebook, Okta, Microsoft Active Directory, and Microsoft Entra ID (formerly Azure Active Directory).

By standardizing complex identity management into simple native modules, HAProxy Enterprise 3.2 reduces risk, lowers implementation costs, enables more rapid innovation, and improves operational efficiency across the platform.

Simplified observability: Global Profiling Engine (GPE) configuration

The Global Profiling Engine (GPE) aggregates HAProxy stick table data, enabling real-time, cluster-wide tracking of users — a key observability feature. To help customers take advantage of GPE’s powerful capabilities, we wanted to make it easier to configure GPE to listen on multiple ports, where previously this required a new configuration line for every port.

In HAProxy Enterprise 3.2, GPE configuration is streamlined, allowing you to configure the engine to listen to all ports using a simple one-line configuration option. This reduced configuration debt is a major benefit for large-scale deployments, resulting in lower implementation costs and significantly improved operational efficiency.

Conclusion

HAProxy Enterprise 3.2 is a landmark release that strategically positions the HAProxy One platform as an intelligent edge security solution. By integrating the highly efficient, private, and exceptionally accurate Threat Detection Engine, HAProxy Enterprise now provides next-generation security intelligence without negatively impacting performance or compliance, unlike many SaaS/cloud-based solutions. This security sophistication is built upon a foundation of unrivaled performance, which is guaranteed by the architectural shift to the AWS-LC TLS library, unlocking critical scalability.

HAProxy One's commitment to operational excellence is further demonstrated through the standardization of complex functions — including RHI, OIDC, and CAPTCHA — into powerful native HAProxy modules. 

HAProxy Enterprise 3.2 reinforces its status as the fastest, most flexible, and most reliable software load balancer, and significantly advances its position as a modern and sophisticated edge security layer.

Upgrade to HAProxy Enterprise 3.2

When you are ready to upgrade to HAProxy Enterprise 3.2, follow the links below.

  • Documentation: HAProxy Enterprise Documentation

  • Release Notes: HAProxy Enterprise 3.2 Release Notes

  • Install Instructions: HAProxy Enterprise 3.2 Installation

Try HAProxy Enterprise 3.2

The world’s leading platforms and cloud providers trust HAProxy Technologies to simplify, scale, and secure modern applications, APIs, and AI services in any environment. As part of the HAProxy One platform, HAProxy Enterprise’s no-compromise approach to secure application delivery empowers organizations to deliver multi-cloud load balancing as a service (LBaaS), web app and API protection, API/AI gateways, Kubernetes networking, application delivery network (ADN), and end-to-end observability.

There has never been a better time to start using HAProxy Enterprise. Request a free trial of HAProxy Enterprise and see for yourself.
