Fresh from AWS re:Invent: Supercharging HAProxy Community with AWS-LC Performance Packages

The timing couldn’t have been better.

Last week, the tech world descended on Las Vegas for AWS re:Invent. It was the perfect venue to talk about cloud infrastructure, scale, and the future of application delivery. While we enjoyed talking shop at our booth, we didn't just bring swag and demos; we brought a significant performance improvement for our open-source community.

We were proud to announce the release of HAProxy 3.3 along with a game-changer for high-performance setups: HAProxy Community Performance Packages. These are pre-compiled, install-ready packages built not with the standard OpenSSL library (as found in most OS distributions), but with the new and lightning-fast AWS-LC.

Why does this matter? Because in the world of CPU-intensive work (like processing TLS connections), time is money, and efficiency is everything. We have done the heavy lifting to bundle HAProxy with the most performant library, ensuring you get maximum throughput right out of the box and linear scaling with additional CPU cores.

Our open-source commitment: performance is non-negotiable

At HAProxy, we have always been obsessed with efficiency. Our philosophy is simple: load balancers should not be a bottleneck. However, the SSL/TLS landscape has evolved significantly in recent years.

OpenSSL has long served as the industry standard, providing stability and security. With the transition to OpenSSL 3, the project focused on enhancing modularity and security architecture. While these are valuable goals for the broader ecosystem, the architectural changes introduced trade-offs in specific high-load environments.

Our internal research found that in multi-threaded configurations, the new architecture can face scalability challenges due to lock contention and atomic operations. In scenarios involving high-volume handshakes, performance can plateau rather than scaling linearly with CPU cores.

For a community that relies on HAProxy for speed, we needed a solution that could fully utilize modern hardware. We published a detailed research paper, "The State of SSL Stacks," which analyzes these behaviors and explores alternatives.

Enter AWS-LC: the speed you need

We evaluated several alternatives, including WolfSSL, LibreSSL, and BoringSSL. But the standout performer for general-purpose, high-scale deployments was AWS-LC.

AWS-LC is a general-purpose cryptographic library maintained by the AWS Cryptography team. It is open-source, based on code from the Google BoringSSL project and the OpenSSL project, and it aggressively targets both security and performance.

When we benchmarked HAProxy built with AWS-LC against other SSL stacks, the results were clear:

  • Massive Throughput: In our testing of end-to-end encryption with TLS resumption on a 64-core Graviton4 instance, we achieved over 180,000 end-to-end connections per second using AWS-LC.

  • Significant Gains: This represents a performance increase of approximately 50% over OpenSSL 1.1.1w and significantly outperforms OpenSSL 3.x versions.

  • Linear Scaling: This library scales linearly. When you add more CPU cores, you actually achieve greater performance rather than encountering diminishing returns due to software locks.

A collaboration of code and community

We didn't just pick a library off the shelf; we collaborated.

During our deep testing of AWS-LC, we identified a build configuration nuance where the build system wasn't defaulting to the C11 standard, which disabled certain atomic operations crucial for performance. We reported this to the AWS-LC team, and their response was exactly what you hope for in open source: fast, receptive, and effective.

They fixed the oversight quickly, allowing the library to utilize modern atomic operations instead of locks. We would like to extend a huge thank you to the AWS team for helping us push the boundaries of what is possible on modern hardware.
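The fallback described above, as an added illustration (not AWS-LC source; the `refcount_*` names and the reference-counter use case are assumptions): the same counter compiles to lock-free C11 atomics or to a global mutex depending only on the language standard the compiler reports. Both paths return identical results, so only a build-time check or a benchmark shows which one was built.

```c
/* Added illustration, not AWS-LC code; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#define REFCOUNT_MAX 0xffffffffu /* a saturated counter is never released */

#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && \
    !defined(__STDC_NO_ATOMICS__)
#include <stdatomic.h>
#define REFCOUNT_IMPL "c11-atomics"
typedef _Atomic uint32_t refcount_t;
/* Lock-free increment: retry the compare-exchange until it lands. */
static void refcount_inc(refcount_t *c) {
    uint32_t old = atomic_load(c);
    while (old != REFCOUNT_MAX &&
           !atomic_compare_exchange_weak(c, &old, old + 1)) {}
}
/* Returns 1 only when this call dropped the last reference. */
static int refcount_dec_and_test_zero(refcount_t *c) {
    uint32_t old = atomic_load(c);
    while (old != 0 && old != REFCOUNT_MAX) {
        if (atomic_compare_exchange_weak(c, &old, old - 1))
            return old == 1;
    }
    return 0;
}
#else
#include <pthread.h>
#define REFCOUNT_IMPL "global-lock"
typedef uint32_t refcount_t;
/* Pre-C11 fallback: every counter in the process shares this one mutex. */
static pthread_mutex_t refcount_lock = PTHREAD_MUTEX_INITIALIZER;
static void refcount_inc(refcount_t *c) {
    pthread_mutex_lock(&refcount_lock);
    if (*c != REFCOUNT_MAX) (*c)++;
    pthread_mutex_unlock(&refcount_lock);
}
static int refcount_dec_and_test_zero(refcount_t *c) {
    int zero = 0;
    pthread_mutex_lock(&refcount_lock);
    if (*c != 0 && *c != REFCOUNT_MAX) zero = (--(*c) == 0);
    pthread_mutex_unlock(&refcount_lock);
    return zero;
}
#endif
/* Build-time check: reports which path the compiler selected. */
static const char *refcount_impl(void) { return REFCOUNT_IMPL; }

int main(void) {
    refcount_t refs = 1;
    refcount_inc(&refs);
    refcount_dec_and_test_zero(&refs);
    printf("%s: last reference dropped = %d\n", refcount_impl(),
           refcount_dec_and_test_zero(&refs));
    return 0;
}
```

With GCC or Clang, compiling this file with `-std=c99` selects the lock path and `-std=c11` or later selects the atomic path.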

Why we built the performance packages

Here is the reality for most users: You know that switching SSL/TLS libraries could make your load balancer faster. But actually doing it? That’s hard. It usually requires:

  • Downloading source code.

  • Managing complex dependencies.

  • Compiling HAProxy manually.

  • Maintaining that custom build forever.

That is a high barrier to entry. We believe that every HAProxy user deserves access to the best possible performance. You shouldn't have to be a compilation expert to get it.

So, we did the work for you. We are now providing official HAProxy Community Performance Packages. These are pre-packaged for your distribution (currently available for Ubuntu 24.04, Debian 12, and Debian 13). You can install them via apt just like you would any standard package.

This also aligns with the latest release of HAProxy 3.3!

HAProxy 3.3: more than just speed

While the new SSL/TLS library is the fuel injector under the hood, the engine itself, HAProxy 3.3, has received significant upgrades. This release is packed with features designed for modern infrastructure:

  • Kernel TLS (KTLS): For those who are more performance-focused, we’ve added support for offloading symmetric encryption to the Linux kernel, saving memory copies and CPU cycles.

  • QUIC on the Backend (Experimental): You can now connect to backend servers using HTTP/3 over QUIC. This future-proofs your infrastructure as more internal services move toward QUIC for reduced latency.

  • ACME DNS-01 Support: We’ve expanded our Let’s Encrypt integration. HAProxy can now handle DNS-01 challenges, allowing you to validate domain ownership via DNS TXT records rather than just HTTP files.

  • Persistent Stats: Observability is critical. In HAProxy 3.3, you can store statistics in shared memory. This means that if you reload HAProxy to apply a configuration change, you won't lose your metrics history.

Get started today

This announcement represents a bridge between two worlds: the freedom of community open-source and the simplicity of commercially supported packages.

Whether we met you on the floor at AWS re:Invent or you are reading this from your office today, the performance upgrade is ready for you.

Give it a try, and let us know what you see in your own benchmarks.
