HAProxy Enterprise Documentation 2.0r1

Release Notes

New and/or improved features in HAProxy Enterprise 2.0r1 include:

Backports

  • Converters:

    • sha2: Converts a binary input sample to a digest in the SHA-2 family

    • srv_queue: Takes an input value of type string and returns the number of queued sessions on that server

  • Fetches:

    • uuid: Returns a UUID following the RFC4122 standard

    • http_auth_type: Returns the authentication method from the Authorization header

    • http_auth_user: Returns the authorized user from the Authorization header

    • http_auth_pass: Returns the authentication password from the Authorization header

  • Stats page export in JSON

  • Additional support for logging to a ring buffer

  • SSL memory enhancements

  • FastCGI support

Core

Cloud-native threading

HAProxy Enterprise sets the number of worker threads to match the machine's number of available CPU cores to scale and accommodate any environment with less manual configuration.

Cloud-native logging

Easier to adapt for containerized environments, allowing you to log directly to stdout and stderr or to a file descriptor.

HTTP representation (HTX)

Introduced with HAProxy Enterprise 1.9, HTX makes any future HTTP protocols easier to integrate. It is enabled by default.

End-to-End HTTP/2

Official support for end-to-end HTTP/2 through new parameters alpn h2 and proto h2.

gRPC: Full support for the open-source RPC framework

This allows for bidirectional streaming of data, detection of gRPC messages, and logging gRPC traffic. Activated using a standard end-to-end HTTP/2 configuration.

Layer 7 retries

Can retry a connection at Layer 7 for failed HTTP requests using the new configuration directive retry-on.

Data Plane API

Provides a modern REST API to configure HAProxy Enterprise on the fly by dynamically adding and removing frontends, backends, and servers. You can create ACL rules, insert HTTP routing directives, set IP and port bindings, etc.

Process Manager

Allows you to specify external binaries for HAProxy Enterprise to start and manage as child processes.

Traffic Shadowing (or mirroring)

Allows you to mirror requests from one environment to another. The new Traffic Shadowing daemon is developed as a Stream Processing Offload Agent (SPOA) and takes advantage of HAProxy's SPOE which allows you to extend HAProxy Enterprise using any programming language.

Kubernetes Ingress Controller

Provides a high-performance ingress for your Kubernetes-hosted applications. It supports TLS offloading, Layer 7 routing, rate limiting, IP allow lists,

Prometheus Exporter

HAProxy Enterprise can export metrics to Prometheus for monitoring and alerting purposes.

Peers & Stick Tables

HAProxy Enterprise 2.0 introduces several improvements to the Peers Protocol including:

  • Heartbeat

  • Stick tables in peers sections

  • SSL support

  • Runtime API command: show peers

  • New stick table counters

  • New stick table data type, server_name

  • Peers section expanded to allow using the bind, default-bind, server, and default-server configuration directives. It also now supports having stick tables directly within itself.

Power of Two Random Choices Algorithm

Added a new load-balancing algorithm called random that chooses a random number as the key for the consistent hashing function. This is useful with large farms or when servers are frequently added or removed.

Log Distribution and Sampling

It is now possible to do sampling directly within HAProxy Enterprise by using the log directive's sample parameter. You can specify multiple log and sample directives simultaneously.

Built-in Automatic Profiling

This version adds the profiling.tasks directive, which is set in the global section. Per-task CPU profiling shows where time is spent and which requests affect which other requests.

Enhanced TCP Fast Open (TFO)

Added TFO for connections to backend servers on systems that support it. This requires Linux kernel 4.11 or newer.

New request actions

Introduced several new http-request and tcp-request actions, listed below:

  • http-request do-resolve: Performs DNS resolution of the output and stores the result in the variable.

  • http-request disable-l7-retry: Disables any attempt to retry the request if it fails for any reason other than a connection failure. This ensures that POST requests aren't retried upon failure.

  • http-request replace-uri: Matches the regular expression in the URI part of the request and replaces it.

  • tcp-request content do-resolve: Performs DNS resolution of the output and stores the result in the variable.

  • tcp-request content set-dst: Sets the destination IP address.

  • tcp-request content set-dst-port: Sets the destination port.
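The following configuration is an added example, not taken from the HAProxy Enterprise documentation. It shows how the retry-on directive from the Layer 7 retries feature combines with http-request disable-l7-retry so that POST requests are never replayed. The proxy names, server names and addresses are hypothetical.

```haproxy
# Added example: be_app, app1/app2 and the 192.0.2.x addresses are hypothetical.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    default_backend be_app

backend be_app
    # Retry at Layer 7 when the connection fails, the server closes
    # without answering, or the server answers with a 503.
    retry-on conn-failure empty-response 503
    retries 3
    # Allow a retry to be sent to a different server than the first attempt.
    option redispatch

    # POST is not idempotent: replaying it could apply the same change twice.
    # After this rule only connection failures are retried for POST requests.
    http-request disable-l7-retry if METH_POST

    server app1 192.0.2.10:8080 check
    server app2 192.0.2.11:8080 check
```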

New converters

Converters allow you to transform data captured by fetch methods. Below are new converters in this version:

  • aes_gcm_dec: Decrypts the raw byte input using the AES128-GCM, AES192-GCM or AES256-GCM algorithm.

  • protobuf: Extracts the raw field of an input binary sample representation of a Protocol Buffers message.

  • ungrpc: Extracts the raw field of an input binary sample representation of a gRPC message.

New fetches

Fetches provide a source of information from either an internal state or from layers 4, 5, 6, and 7. This release's new fetches (below) return a random of the front or back connection when the incoming connection was made over an SSL/TLS transport layer:

  • ssl_fc_client_random: Returns the client random of the front connection

  • ssl_fc_server_random: Returns the server random of the front connection

  • ssl_bc_client_random: Returns the client random of the back connection

  • ssl_bc_server_random: Returns the server random of the back connection; this requires OpenSSL >= 1.1.0, or BoringSSL.

Miscellaneous improvements

SSL/TLS Ticket Keys

TLS session tickets help to speed up session resumption for clients that support them. HAProxy Enterprise 2.0 adds support for AES 256-bit ticket keys, specified either in a file or through the Runtime API.

Core Dump - ease of use

A new global directive set-dumpable makes it easier to retrieve a core file.

SOCKS4 support

Introduces 2 new server keywords, socks4 and check-via-socks4, used for communicating with servers within a backend over SOCKS4 and for health checking over SOCKS4.

LTS support for 1.9 features

  • Small Object Cache with an increased caching size up to 2GB

  • New fetches that report information from either an internal state or from layers 4, 5, 6, and 7.

  • New converters that allow you to transform data within HAProxy.

  • HTTP 103 (Early Hints), which asks the browser to preload resources.

  • Server Queue Priority Control to let you prioritize some queued connections over others.

  • Connection pooling to backend servers

  • The resolvers section supports using resolv.conf by specifying parse-resolv-conf.

  • The busy-polling directive to reduce request processing latency by 30-100 microseconds on machines using frequency scaling or supporting deep idle states.

  • Lua:

    • The Server class gained the ability to change a server's maxconn value.

    • The TXN class can now adjust a connection's priority within the server queue.

    • There is a new StickTable class that allows access to the content of a stick-table by key and allows dumping of content.

Native modules

  • JavaScript Challenge module now supports templates

  • DeviceAtlas module

  • ScientiaMobile WURFL module

  • Extensive ModSecurity hardening improvements

