Release Notes

About this release

Key changes in the HAProxy Enterprise 2.5r1 release include:

• Improved performance from enhancements in memory utilization, HTTP chunking, multithreading, and DNS response processing

• More granular thread allocation and control to reduce scheduler contention to support high connection rates

• Access to more actionable information through logging, fetches and Runtime API commands

• Runtime adding, editing and removal of certificate authority (CA) entries and certificate revocation list (CRL) files

• Added functionality for Lua scripting

Getting this release

Installation and upgrade instructions.

If you're not an HAProxy Enterprise user yet, request a free 14 day trial: https://www.haproxy.com/downloads/hapee-trial/ .

If you'd like to speak to someone about becoming an HAProxy Enterprise user, contact us here https://www.haproxy.com/contact-us/ .

What's new, improved and removed

Multiple performance improvements are built-in to HAProxy Enterprise.

Improved Performance

• Memory optimizations on x86 platforms

• Lockless memory pool implementation for non-x86 architectures

• Faster connection dequeueing due to locking reduction

• Revamped and more efficient Domain Name Service (DNS) response processing

• Faster HTTP/1 small chunk parsing

Better thread allocation and control

Split the total number of configured threads (nbthread) into ranges and assign them to handle incoming connections for unique IP addresses by adding the thread argument to a bind. Reduce scheduler contention with the binds and shards options on systems that support multiple listeners per socket.

Observability and access to more information

• More robust reporting on startup

• Statistics for stopped proxies are viewable in the Stats Pane

• The HAProxy Enterprise version and executable path are displayed before the first warning or error to aid with troubleshooting

• Retrieve the original source address of an incoming proxy that connects using the PROXY protocol with fetch fc_src and tcp-request content ruleset: set-src, set-src-port

• Log connection information for handshake errors, using: ssl_bc_err, ssl_fc_err, ssl_bc_err_str, ssl_fc_err_str, fc_err, bc_err

• Retrieve backend connection errors with bc_err, bc_err_str

Configuration

• Store up to 100 indexes in a single Stick Table variable, using General Purpose Counter (GPC) and General Purpose Tag (GPT) arrays.

• Disable bootstrapping WebSockets with HTTP/2 (RFC8441) for newer browsers that don't support it by using h2-workaround-bogus-websocket-clients.

• Ignore connections without data transfer in the logs with the http-ignore-probes option.

• Gracefully stop proxies, allowing enough time for layer 4 devices to detect changes with the global grace option.

• Add tcp-request and http-request directives to named defaults sections.

• Add more logic to configuration file .if, .elif, and endif conditions with the addition of AND, OR, NOT, and parentheses expressions.

• improved reliability of host header field dependent ACLs by automatically stripping the port (80 or 443) from the URI and the host field.

• Peers ignore updates on the Stick Table conn_cur counter from other peers, ensuring local data is accurate and reflects actual traffic.

Runtime API commands

• Display free memory in thread-local caches with show pools

• Display file, line numbers, rules, and filters processed per session with show sess all

• Full support for creating, managing and removing servers on the fly. The add server command now supports all keywords including: check, track, slowstart, error-limit, ssl and observe.

• View the number of entries in summary output of the show map and show acl commands with the included entry_cnt variable.

Lua scripting

Initiate HTTP requests using the httpclient class. Inspect or modify TCP and HTTP content using an experimental feature set that should be used only in test environments.

Traffic routing

Redirect rules for empty target URLs are skipped by adding ignore-empty to the http-request redirect directive.

Security

• Check the integrity of claims contained within JSON Web Tokens (JWT) and extract data from JWTs to use in rules.

• Add, update, and delete Certificate Authorities (CA) and Certificate Revocation Lists (CRL) using Runtime API commands.

• Display Online Certificate Status Protocol (OCSP) to validate X.509 digital certificates from the command line (CLI) with show ssl cert and show ssl ocsp-response commands.

• OpenSSL 3.0 is fully supported

• Automatic sanitizing of Transfer Encoding (TE) headers to conform to HTTP/1 specs by making a request or response TE header or a request with Content-Length and TE header the last on a connection.

Removed directives

• grace (per proxy directive replaced by global grace directive)

• http-tunnel

• nbproc

• no option http-use-htx

• option forceclose

• option http_proxy

• set-cookie()

• tune.chksize

Getting Support

Current HAProxy Enterprise customers, log in to the customer portal, https://my.haproxy.com/portal/cust/login.