HAProxy Enterprise Documentation 2.6r1

Release Notes

About this release

Key changes in the HAProxy Enterprise 2.6r1 release include:

Getting this release

Installation and upgrade instructions.

If you're not an HAProxy Enterprise user yet, request a free 14-day trial: https://www.haproxy.com/downloads/hapee-trial/.

If you'd like to speak to someone about becoming an HAProxy Enterprise user, contact us here https://www.haproxy.com/contact-us/.

What's new, improved and removed

Advanced WAF
  • New match zones, $COOKIES_VAR and $COOKIES_VAR_X allow rules to match violations found in specific HTTP cookies, complementing the less specific $HEADERS_VAR and $HEADERS_VAR_X match zones.

  • A new variable, txn.<filter>.wlcnt, returns the number of disabled rules that would have matched the current request.

  • The filter waf line now supports a parameter named log-wl that includes disabled WAF rule violations in extended logs.

  • The filter waf line now supports a parameter named log-ext-nonzero that enables extended logs only when the violated rule had a non-zero score or triggered an immediate action, cutting down on noise in the logs.

  • The filter waf line now supports a parameter named table-categorized that prefixes entries in the violated rules stick table with the category of the violated rule.

  • The filter waf line's body-limit parameter defaults to the global option waf-body-limit, which now defaults to tune.bufsize rather than the compile-time value of BUFSIZE.

ModSecurity WAF
  • To associate WAF logs with load balancer logs, you could already use the unique identifier that ModSecurity creates by referencing the txn.<filter>.unique_id variable, appending it to your load balancer logs. Now, you can define a different unique ID format by setting the use-unique-id-format parameter on the filter modsecurity line and then defining a new format with the unique-id-format directive.

  • A new parameter, use-vars, on the filter modsecurity line stops ModSecurity from denying suspicious requests itself and delegates that decision to the load balancer. A variable named txn.<filter>.block returns true when the WAF would have denied the request. You can read this variable and then decide which response policy to enforce. Other variables that support this include txn.<filter>.error, txn.<filter>.status, and txn.<filter>.url.
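As an added configuration example (not from the release notes or the HAProxy Enterprise documentation), the use-vars delegation described above with the enforcement policy moved to http-request rules. Only use-vars and the txn.<filter>.* variables come from the release notes; the filter name modsec, the name and rules-file parameters, the rules path and the log-format are assumed.

```haproxy
# Added example: "name", "rules-file", the path and the filter name "modsec" are assumed.
frontend fe_web
    mode http
    bind :80
    filter modsecurity name modsec rules-file /etc/hapee-2.6/modsec/modsecurity.conf use-vars

    # With use-vars the engine reports its verdict instead of enforcing it:
    # fail closed with a 503 if the engine itself errored, and return a 403
    # when it asked for a block. Both decisions are now load balancer policy.
    acl waf_error var(txn.modsec.error) -m bool
    acl waf_block var(txn.modsec.block) -m bool

    http-request deny deny_status 503 if waf_error
    http-request deny deny_status 403 if waf_block

    # Keep the WAF verdict and ModSecurity's own unique ID in the access log so
    # the load balancer log and the WAF log can be joined on that ID.
    log-format "%ci [%tr] %ft %ST blocked=%[var(txn.modsec.block)] waf_status=%[var(txn.modsec.status)] waf_url=%[var(txn.modsec.url)] uid=%[var(txn.modsec.unique_id)]"

    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```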

Traffic shaping
  • New directives, filter bwlim-in and filter bwlim-out, support limiting upload and download speeds for clients. Set bandwidth limits that apply per HTTP stream or to all streams associated with a stick table entry, such as to set a limit per client IP address or per backend application.
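As an added example (not from the release notes), a shared per-client-IP upload and download cap built from the bwlim filters and a stick table, next to a per-stream default limit. Backend names, addresses, sizes and periods are assumed values.

```haproxy
# Added example: the stick table holds the byte rates the bwlim filters update,
# and the table's rate period (1s here) is the period the limit is enforced over.
backend st_clients
    stick-table type ip size 100k expire 1h store bytes_in_rate(1s),bytes_out_rate(1s)

backend be_app
    # Upload (client -> server) capped at 1 MB/s per source IP,
    # download (server -> client) capped at 5 MB/s per source IP.
    # All streams from one IP share the same entry, so the cap is per client.
    filter bwlim-in  up-per-client   limit 1m key src table st_clients
    filter bwlim-out down-per-client limit 5m key src table st_clients

    # The filters are inert until a rule enables them on the stream.
    http-request  set-bandwidth-limit up-per-client
    http-response set-bandwidth-limit down-per-client

    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check

backend be_downloads
    # Per-stream limit (no shared table): 2 MB per 1s window, applied only
    # to large responses so small API replies are not throttled.
    filter bwlim-out per-stream default-limit 2m default-period 1s
    http-response set-bandwidth-limit per-stream if { res.hdr_val(content-length) gt 10000000 }

    server files1 10.0.0.21:8080 check
```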

Load balancing
  • A generic load balancing algorithm named hash was introduced and serves as a replacement for the more specific source, uri, url_param, and rdp-cookie algorithms. It accepts a fetch method as a parameter, which indicates the data used to calculate the hash.

TLS and mTLS
  • This version of HAProxy Enterprise supports OpenSSL 3.0.

  • When you enable client certificate authentication with the verify required parameter on a bind line, you must also specify the ca-file parameter, which indicates the CA certificate used to verify the client's certificate. Now, ca-file accepts a path to a directory of CA certificates.

  • Similarly, in a backend, you can set the ca-file parameter on a server line to verify the backend server's TLS certificate against a known CA. This ca-file parameter now accepts a path to a directory of certificates or you can set it to @system-ca to load your system's list of trusted CAs.

Runtime API and Master CLI
  • The Runtime API commands add server and del server, which let you add and remove servers dynamically, are no longer experimental.

  • The new Runtime API command show ssl providers lists providers loaded into OpenSSL.

  • The Master CLI added new commands: prompt, expert-mode [on|off], experimental-mode [on|off], mcli-debug-mode [on|off].

Lua
  • The Lua programming language integration gained the CertCache class, which lets you update an SSL certificate in the load balancer's runtime memory.

  • The Lua httpclient class, which lets you make non-blocking HTTP calls, now supports a dst parameter and a timeout parameter. The former sets the destination address and the latter sets a timeout server value. New global directives support this: httpclient.ssl.ca-file, httpclient.ssl.verify, httpclient.ssl.resolvers.id, and httpclient.resolvers.prefer <ipv4|ipv6>.

Fetches and converts
  • New fetches have been added: last_rule_file, which returns the name of the configuration file (e.g. hapee-lb.cfg) that contains the last line processed during stream analysis, and last_rule_line, which returns the line number. Use this to locate the http-request deny line that stopped a request, for example.

  • A new converter has been added: add_item, which concatenates strings with a delimiter between them, such as a semicolon.

Other keyword changes
  • A new global directive named h1-accept-payload-with-any-method lets HTTP/1.0 clients send a request body with GET, HEAD, and DELETE requests. Use with caution because it can make your application more susceptible to request smuggling attacks.

  • Adding the parameter expose-fd listeners on a stats socket line is no longer necessary to achieve hitless reloads.

  • The set-var directives, such as http-request set-var, now accept a second parameter to only set the variable if a condition is true. Conditions include: ifexists, ifnotexists, ifempty, ifnotempty, ifset, ifnotset, ifgt, iflt. For example, to set the variable only if it has not already been set: http-request set-var(txn.myvariable,ifnotset) req.hdr(X-MyValue).
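One configuration that exercises the TLS and mTLS, Load balancing, Fetches and converts, and set-var condition items above; it is an added example, not the release notes' or project's own configuration, and the certificate paths, CA directory, header names and addresses are assumed.

```haproxy
# Added example: paths, names and addresses are assumed values.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_api
    # ca-file now accepts a directory: every CA in it may sign client certs,
    # and "verify required" refuses connections without a valid certificate.
    bind :443 ssl crt /etc/hapee-2.6/certs/api.pem verify required ca-file /etc/hapee-2.6/client-cas/

    # Keep a client-supplied request ID only when nothing set it earlier,
    # then fall back to a generated UUID; ifnotset makes the order explicit.
    http-request set-var(txn.req_id,ifnotset) req.hdr(X-Request-ID)
    http-request set-var(txn.req_id,ifnotset) uuid()
    http-request set-header X-Request-ID %[var(txn.req_id)]

    # Deny requests without a tenant header; last_rule_file/last_rule_line in
    # the log record which configuration line stopped the request.
    http-request deny deny_status 400 unless { req.hdr(X-Tenant) -m found }
    log-format "%ci:%cp [%tr] %ft %b/%s %ST %B id=%[var(txn.req_id)] rule=%[last_rule_file]:%[last_rule_line]"

    default_backend be_api

backend be_api
    # Generic hash algorithm on an arbitrary fetch: requests for the same
    # tenant land on the same server (replaces source/uri/url_param variants).
    balance hash req.hdr(X-Tenant)
    hash-type consistent
    # Verify the upstream certificate against the system's trusted CA list.
    server api1 10.0.1.11:8443 ssl verify required ca-file @system-ca check
    server api2 10.0.1.12:8443 ssl verify required ca-file @system-ca check
```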

Performance upgrades
  • The new global directive fd-hard-limit enforces a cap on the number of file descriptors HAProxy Enterprise will use, protecting you from consuming too much memory.

  • The new global directive close-spread-time closes idle client connections gradually. For best results, set this lower than hard-stop-after.

  • If the load balancer server is a multi-socket machine, HAProxy Enterprise sets an affinity to run on the CPUs of a single node in order to avoid performance penalties caused by the inter-socket bus latency. You can disable this with the no numa-cpu-mapping directive.

  • Performance optimizations were made to the task scheduler, connection dequeueing, and connection stream code.

Getting Support

Current HAProxy Enterprise customers, log in to the customer portal, https://my.haproxy.com/portal/cust/login.
