New and/or improved features in HAProxy Enterprise 2.1r1 include:

Backports

  • Strict Rewriting Mode: By default, HAProxy triggers an internal error when a rule that performs a rewrite on an HTTP message fails.

  • New HTTP Errors section allows you to:

    • Create global groups of custom HTTP error files by using the new section http-errors.

    • Load http-errors groups using the expanded directives errorfiles, http-request deny, and http-response deny.

  • New HTTP Return Actions make it possible to:

    • Return a custom response from HAProxy with any status code based on an error file, a file, or a string using the new actions http-request return and http-response return.

    • Enable responses with dynamic content by using a log-format string or a log-format file.

    • Define extra headers by passing the hdr argument

  • HTTP "After Response" Rulesets make it possible to:

    • Evaluate a new ruleset http-after-response on all responses prior to forwarding

    • Let HAProxy evaluate these rules at the end of the response analysis on all HTTP responses, just before it forwards the data. This includes responses from the server as well as responses from HAProxy. This makes it possible to add headers to the responses that the stats applet generates.

  • Cookie Attributes allow you to:

    • Supply an attr option to insert any attribute when HAProxy inserts a cookie.

    • Use with the Chrome 80 update that requires the "SameSite" attribute. (Example: cookie SRV insert attr "SameSite=Strict")

    • Repeat the attr option to add several attributes.
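The backported directives above, combined in one configuration. This is an added example, not taken from the HAProxy Enterprise documentation; the section names, file paths, URL paths and addresses are placeholders.

```haproxy
# Constructed example; section names, paths and addresses are placeholders.
http-errors site-errors
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 503 /etc/haproxy/errors/503.http

frontend fe_main
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Use the http-errors group for errors raised in this frontend
    errorfiles site-errors

    # Stats applet: its responses are generated by HAProxy itself
    stats enable
    stats uri /haproxy-stats

    # Deny with the 403 file taken from the named group
    http-request deny deny_status 403 errorfiles site-errors if { path_beg /internal }

    # Answer from HAProxy with a log-format string and one extra header
    http-request return status 200 content-type "text/plain" lf-string "client=%[src]" hdr Cache-Control no-store if { path /whoami }

    # Evaluated last, on server responses and on HAProxy's own
    # (deny, return, stats), so these headers are on every reply
    http-after-response set-header Strict-Transport-Security "max-age=31536000"
    http-after-response set-header X-Content-Type-Options nosniff

    default_backend be_app

backend be_app
    mode http
    # Persistence cookie carrying the SameSite attribute; httponly and
    # secure are existing cookie options, attr adds arbitrary attributes
    cookie SRV insert indirect nocache httponly secure attr "SameSite=Strict"
    server app1 192.0.2.10:8080 check cookie app1
    server app2 192.0.2.11:8080 check cookie app2
```

Headers set with http-response rules would not appear on the deny, return and stats replies, which is why the security headers sit in http-after-response.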

Core

  • Dynamic SSL Certificate Updates

    • Centralized SSL certificate information that only loads once when multiple bind lines reference the same certificate.

    • Ability to update SSL certificates with the Runtime API using the set ssl cert and commit ssl cert commands.

  • FastCGI

    • Direct communication between HAProxy and FastCGI

    • New protocol fcgi

    • Definition of parameters for communicating with a FastCGI application in a new section called fcgi-app

    • Backends can relay requests to a defined application using the use-fcgi-app directive

  • Native Protocol Tracing

    • Integration of a new tracing infrastructure to allow systems engineers and developers to collect low-level trace messages

    • Tracing ability and access through the Runtime API using the trace and show trace commands

  • Removal of the File Descriptor Cache

    • Complete removal of the file descriptor (FD) cache

    • This change has shown an increase in performance of up to ~20% on some artificially tailored workloads. Realistically, production environments can expect to see a 5-10% improvement.

  • Scheduler Improvements

    • Improved internal scheduler supports waking up tasks that belong to another thread

    • The scheduler now uses a combination of a locked and a lock-free list to regain 5-10% performance on workloads involving high connection rates.

  • Defaulted HTTP Representation to HTX

    • Removal of support for legacy HTTP mode

    • Support only of the Native HTTP Representation (HTX)

    • No configuration change is necessary, unless you try to specify no option http-use-htx, in which case you get an error.

    • Assistance for a seamless transition from legacy applications with new global directives h1-case-adjust and h1-case-adjust-file.

    • The option h1-case-adjust-bogus-client and option h1-case-adjust-bogus-server directives explicitly enable the case adjustment within defined frontend, listen, and backend sections.

  • Fetches

    | Name | Description |
    |------|-------------|
    | srv_name | Returns a string containing the name of the server that processed the request. It can be useful to return this to the client for debugging purposes. |
    | srv_queue | Takes an input, either a server name or <backend>/<server> format, and returns the number of queued sessions on that server. |
    | fc_pp_authority | Returns the PP2_TYPE_AUTHORITY Type-Length-Value (TLV) from the client in the PROXY protocol header. |
    | uuid | Returns a universally unique identifier (UUID) following the RFC4122 standard. Currently, there is only support for version 4. |

  • Converters

    | Name | Description |
    |------|-------------|
    | sha2(number_of_bits) | Generates a checksum for a binary string using the SHA-2 cryptographic hash function. The result is a binary value with a byte length equal to number_of_bits / 8. You can set the number_of_bits parameter to 224, 256, 384, or 512. The default is 256. |

  • Deprecated Configuration Options

    | Deprecated directive | Replacement directive |
    |----------------------|-----------------------|
    | block | http-request deny |
    | reqrep | http-request <replace-uri\|replace-header> |
    | rsprep | http-response replace-header |
    | clitimeout | timeout client |
    | contimeout | timeout connect |
    | srvtimeout | timeout server |
    | redispatch | option redispatch |
    | resolution_pool_size | NONE |
    | option independant-streams | option independent-streams |

  • Strict Limits Setting

    • Allows HAProxy to abort at startup if it cannot get the required limits, such as in cases where HAProxy is unable to increase necessary limits upon startup.

    • A new global directive strict-limits will cause HAProxy to fail to start if it cannot increase the limits through setrlimit()

  • Version Info Show Links: Passing -v now displays End of Life (EOL) information for this release

  • Runtime API Field Descriptions: The show info and show stat Runtime API commands now accept a new parameter called desc that adds a short description to each field.

  • Prometheus Improvements: You can now pass a new scope query string parameter to filter exported metrics. The following values are supported: global, frontend, backend, server, * (all)

  • Miscellaneous Improvements

    • Moving the storage of the server-state global file to a tree, which provides much faster reloads

    • The http-request / http-response sc-set-gpt0 actions now accept an expression

    • The directive resolve-opts now accepts ignore-weight. Hence, when HAProxy generates servers with DNS SRV records, it can set server weights dynamically using agent health checks or the Runtime API, and not have DNS SRV reset the weights subsequently.

    • Ability to export the Stats page in JSON format by appending "/;json" to the URI

    • Ability to send the PP2_TYPE_AUTHORITY value to allow it to chain layers using SNI, using the new directive send-proxy-v2

    • Additional support for the user and group directives in the program's Process Manager section

    • Connections require significantly less memory because HAProxy dynamically allocates the source and destination addresses as needed. This translates to 128 to 256 bytes saved per connection and per side in the common case.
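Several of the Core items (strict-limits, the h1-case-adjust directives, the fcgi-app section with use-fcgi-app, and the uuid fetch with the sha2 converter) shown together in one configuration. This is an added example, not taken from the HAProxy Enterprise documentation; the application name, paths, addresses and the SESSIONID cookie name are placeholders.

```haproxy
# Constructed example; names, paths and addresses are placeholders.
global
    # Refuse to start if setrlimit() cannot raise the limits HAProxy needs
    strict-limits
    # HTX emits lower-case header names; map one back for a legacy HTTP/1 peer
    h1-case-adjust content-length Content-Length

fcgi-app php-fpm
    docroot /var/www/app
    index index.php
    # Split the URI into the script name and PATH_INFO
    path-info ^(/.+\.php)(/.*)?$

frontend fe_app
    mode http
    bind :8080
    # Apply the h1-case-adjust mapping to HTTP/1 responses sent to
    # clients of this frontend
    option h1-case-adjust-bogus-client
    # Tag each request with a version 4 UUID for log correlation
    http-request set-header X-Request-ID %[uuid]
    # Pass a SHA-256 digest of the session cookie (SESSIONID is a
    # placeholder name) so the raw value need not be logged downstream;
    # sha2 returns binary, hex makes it printable
    http-request set-header X-Session-Digest %[req.cook(SESSIONID),sha2(256),hex]
    default_backend be_php

backend be_php
    mode http
    # Relay requests to the FastCGI application defined above
    use-fcgi-app php-fpm
    server php1 192.0.2.20:9000 proto fcgi
```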