HAProxy Enterprise Documentation 2.7r1

Release Notes

About this release

Key changes in the HAProxy Enterprise 2.7r1 release include:

Support for HTTP/3 over QUIC
Debugging tools that let you more conveniently trace system events and create anonymized versions of configuration files and logs
Control over SSL errors and a new Runtime API command for managing CA files
The ability to pass optional arguments to your Lua scripts
Thread groups, which enable assigning sets of threads to listeners
New converters
Performance upgrades

If you're not an HAProxy Enterprise user yet, request a free 14 day trial: https://www.haproxy.com/downloads/hapee-trial/ .

If you'd like to speak to someone about becoming an HAProxy Enterprise user, contact us here https://www.haproxy.com/contact-us/.

HTTP/3 over QUIC

This version adds support for the HTTP/3 protocol over QUIC. Because it requires a specialized version of the OpenSSL library, a separate install package is provided.

Debugging

A new global directive named trace lets you configure the HAProxy events tracing subsystem from the configuration file, whereas previously it was accessible only through the Runtime API's trace command. This directive is experimental and requires you to set the global option expose-experimental-directives.
You can anonymize the output of some Runtime API commands to mask IP addresses, names of sections, and hostnames. Add set anon on, followed by a semicolon, before a command such as show sess.
```
$ echo "set anon on; show sess" |\
    sudo socat stdio /var/run/hapee-2.7/hapee-lb.sock
```
You can also display a version of your HAProxy Enterprise configuration with IP addresses, section names, and hostnames masked by using the hapee-lb command's -dC<key> flag, where key is an arbitrary number used when creating the masked values.

For example, to display an anonymized version of the HAProxy Enterprise configuration:
```
$ /opt/hapee-2.7/sbin/hapee-lb -dC123456 -f etc/hapee-2.7/hapee-lb.cfg
```

TLS

The bind directive's ca-ignore-err and crt-ignore-err arguments, which let you list TLS errors to ignore, now accept human-readable names in addition to numeric IDs. Refer to the OpenSSL list of error codes to see which values are available.
The new Runtime API command, add ssl ca-file, adds an SSL/TLS certificate to the in-memory CA file list.

Lua

You can now pass optional arguments to your custom Lua scripts from within your HAProxy Enterprise configuration file. The lua-load and lua-load-per-thread directives accept one or more arguments after the first argument, which is always the script's filepath. Then, in your script use the built-in table.pack(...) function with an ellipsis as its argument to collect arguments into a variable of type table.

Multithreading

A new global directive named thread-group lets you place a range of threads into a group. Once in a group, you can assign those threads to a listening address by adding the thread argument to a bind line in a frontend or listen section. On servers with many CPU cores and thus many threads, allocating a subset of threads to handle connections like this can improve performance by reducing the number of threads competing for work. You can define up to 64 thread groups, each including up to 64 threads.
A new global directive named thread-groups lets you set the number of thread groups to create and HAProxy Enterprise will divide the threads available on your server into that number of groups. The maximum number is 64.

Converters

This version adds the following converters:

Name	Description
`table_expire(<table>[,<default_value>])`	Returns the remaining time before a given key will expire in the stick table, as well as how long ago a given key was last seen.
`table_idle(<table>)`	Returns the time the given key has remained idle since the last time it was updated.
`host_only`	Converts a string that contains a Host header value and removes its port.
`port_only`	Converts a string that contains a Host header value and returns only its integer port.
`x509_v_err_str`	Converts a numerical value to its corresponding X509_V_ERR constant name, which is useful for setting ACL expressions based on different client certificate errors (expired certificate, revoked certificate, etc.) when working with multiple versions of OpenSSL.

Performance upgrades

Server health checks, which run at an interval, now fire on the same thread exclusively rather than allowing any available thread to perform the task. This has reduced latency by decreasing competition among threads.
Stick tables became more efficient by changing the type of lock used to restrict multiple threads from accessing a table simultaneously. By revising internal code to use a read-write lock, which allows multiple threads to read from the table simultaneously, but allows only one thread to write, performance improved.
HAProxy Enterprise 2.7 reduces latency by more aggressively using idle connections when sending HTTP requests to backend servers. If you leave the defaults, or if you manually set the http-reuse directive in a backend to safe, reusing idle connections is enabled and you are choosing the safest mode. That is, a client's first HTTP request will be dispatched to a backend server on a new thread guaranteed to not be closed, and only subsequent requests will use idle connections, which have the risk of closing unexpectedly. In this release, as long as you have also set the retry-on directive in that backend to retry the connection in case of failure, HAProxy Enterprise will use an idle connection for a client's first request too. Set retry-on to include conn-failure, empty-response, and response-timeout.

Deprecated keywords

Current HAProxy Enterprise customers, log in to the customer portal, https://my.haproxy.com/portal/cust/login.

Next up