Changelog

version 3.3r1



2026/03/10 : 3.3r1 (1.0.0-366.245)
- SCRIPTS: git-show-backports: add a restart-from-last option
- SCRIPTS: git-show-backports: hide the common ancestor warning in quiet mode
- BUG/MINOR: admin: haproxy-reload rename -vv long option
- BUG/MINOR: backend: Don't get proto to use for webscoket if there is no server
- BUG/MINOR: ssl-sample: Fix sample_conv_sha2() by checking EVP_Digest* failures
- BUG/MINOR: stconn: Increase SC bytes_out value in se_done_ff()
- BUG/MEDIUM: hlua: Fix end of request detection when retrieving payload
- BUG/MINOR: hlua: Properly enable/disable line receives from HTTP applet
- BUG/MEDIUM: mux-fcgi: Use a safe loop to resume each stream eligible for sending
- BUG/MAJOR: resolvers: Properly lowered the names found in DNS response
- BUG/MAJOR: fcgi: Fix param decoding by properly checking its size
- BUG/MINOR: http-ana: Increment scf bytes_out value if an haproxy error is sent
- BUG/MINOR: sample: Fix sample to retrieve the number of bytes received and sent
- BUG/MINOR: channel: Increase the stconn bytes_in value in channel_add_input()
- DOC: config: Use the right alias for %B
- MINOR: filters: Set last_entity when a filter fails on stream_start callback
- DEBUG: stream: Display the currently running rule in stream dump
- BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
- BUG/MEDIUM: qpack: correctly deal with too large decoded numbers
- BUG/MINOR: quic: fix OOB read in preferred_address transport parameter
- BUG/MINOR: qpack: fix 1-byte OOB read in qpack_decode_fs_pfx()
- BUG/MAJOR: qpack: unchecked length passed to huffman decoder
- BUG/MEDIUM: hpack: correctly deal with too large decoded numbers
- BUG/MEDIUM: stream: Handle TASK_WOKEN_RES as a stream event
- BUG/MINOR: promex: fix server iteration when last server is deleted
- BUG/MEDIUM: mux-h2: make sure to always report pending errors to the stream
- MINOR: mux-h2: add a new setting, "tune.h2.log-errors" to tweak error logging
- MINOR: mux-h2: also count glitches on invalid trailers
- MINOR: net_helper: extend the ip.fp output with an option presence mask

2026/02/18 : 3.3r1 (1.0.0-365.216)
- BUG/MINOR: deviceatlas: fix deinit to only finalize when initialized
- BUG/MINOR: deviceatlas: fix cookie vlen using wrong length after extraction
- BUG/MINOR: deviceatlas: fix off-by-one in da_haproxy_conv()
- BUG/MEDIUM: deviceatlas: fix resource leaks on init error paths
- BUG/MINOR: deviceatlas: add NULL checks on strdup() results in config parsers
- BUG/MINOR: deviceatlas: add missing return on error in config parsers
- MINOR: stconn: Add missing SC_FL_NO_FASTFWD flag in sc_show_flags
- BUG/MINOR: http-ana: Stop to wait for body on client error/abort
- CLEANUP: compression: Remove unused static buffers
- BUG/MINOR: flt-trace: Properly compute length of the first DATA block
- DEV: term-events: Fix hanshake events decoding
- BUG/MEDIUM: applet: Fix test on shut flags for legacy applets (v2)
- BUG/MEDIUM: mux-h1: Stop sending vi fast-forward for unexpected states
- BUG/MEDIUM: mux-h2/quic: Stop sending via fast-forward if stream is closed
- BUG/MEDIUM: h3: reject frontend CONNECT as currently not implemented
- BUG/MAJOR: Revert "MEDIUM: mux-quic: add BUG_ON if sending on locally closed QCS"
- BUG/MINOR: ssl: error with ssl-f-use when no "crt"
- BUG/MINOR: ssl: clarify ssl-f-use errors in post-section parsing
- BUG/MINOR: ssl: fix leak in ssl-f-use parser upon error
- BUG/MINOR: ssl: double-free on error path w/ ssl-f-use parser
- BUG/MINOR: ssl: lack crtlist_dup_ssl_conf() declaration
- DOC: proxy-proto: underline the packed attribute for struct pp2_tlv_ssl
- DOC: internals: addd mworker V3 internals
- MINOR: hapee: update to new URLs
- BUG/MINOR: backend: fix access on shared counters array
- BUG/MINOR: quic: ensure handshake speed up is only run once per conn
- BUG/MINOR: ssl: SSL_CERT_DIR environment variable doesn't affect haproxy
- MINOR: activity: allow to switch per-task lock/memory profiling at runtime
- MEDIUM: activity: apply and use new finegrained task profiling settings
- MINOR: activity: support setting/clearing lock/memory watching for task profiling
- BUG/MINOR: startup: handle a possible strdup() failure
- BUG/MINOR: startup: fix allocation error message of progname string
- BUG/MINOR: config: Fix setting of alt_proto
- MEDIUM: backend: make "balance random" consider req rate when loads are equal
- DOC: config: mention the limitation on server id range for consistent hash
- BUG/MEDIUM: lb-chash: always properly initialize lb_nodes with dynamic servers
- CLEANUP: lb-chash: free lb_nodes from chash's deinit(), not global
- BUG/MINOR: cpu-topo: count cores not cpus to distinguish core types
- CLEANUP: haproxy: fix bad line wrapping in run_poll_loop()
- BUG/MEDIUM: threads: Atomically set TH_FL_SLEEPING and clr FL_NOTIFIED
- BUG/MAJOR: quic: fix parsing frame type
- BUG/MAJOR: quic: reject invalid token

2026/02/04 : 3.3r1 (1.0.0-365.174)
- HAPEE: admin: use the right master CLI path for scripts
- BUG/MEDIUM: applet: Fix test on shut flags for legacy applets
- DOC: internals: cleanup few typos in master-worker documentation
- BUG/MEDIUM: hapee/51d: use a spin lock in _51d_init_internal()
- MINOR: hapee/WURFL: transfer error status from the _wurfl_reload() function
- MINOR: hapee/WURFL: added live update database function
- MINOR: hapee/WURFL: added custom API log function
- MINOR: hapee/WURFL: added function to check correct module initialization
- BUG/MINOR: hapee/WURFL: corrected version check of used wurfl library
- MINOR: hapee/da: remove STG_LOCK INITCALL
- MINOR: hapee/da: alert in case of incorrect data version
- BUG/MINOR: hapee/da: enabling use of precompiled json database in 'deviceatlas-json-file'
- BUG/MINOR: hapee/da: fixed bug when using binary version of database
- BUG/BUILD: hapee/da: added preprocessed source code generation for *.cpp files
- BUILD: hapee/da: repaired build in case of using old DeviceAtlas library
- MINOR: hapee/da: add function that allow data reload
- MINOR: hapee/da: add spin locking
- MINOR: hapee/da: add support for loading a precompiled json data
- MEDIUM: hapee/da: Revert "MEDIUM: da: update module to handle schedule mode."
- MINOR: hapee/51d: remove STG_LOCK INITCALL
- MEDIUM: hapee/51d: use '_' instead of '-' in 51d-set-property-vars() names
- MEDIUM: hapee/51d: set version and date metadata variables
- REORG: hapee/51d: Create a function for setting property variables
- MEDIUM: hapee/51d: add a new action "http-request 51d-set-property-vars"
- MEDIUM: hapee/51d: support data reload for 51Degrees V4 engine
- MINOR: hapee/51d: add function that returns path to 51Degrees data file
- MINOR: hapee/51d: add function that allow data reload
- BUG/MINOR: hapee/51d: add spin locking
- BUILD: hapee/51d: fix error when building with 51Degrees enabled
- BUG/MEDIUM: hapee/51d: fix a segfault on exit when 51d configuration is not loaded
- MEDIUM: hapee/51d: use fiftyoneDegreesProvider to access the pool and dataset
- MEDIUM: h1: strictly verify quoting in chunk extensions
- BUG/MEDIUM: debug: only dump Lua state when panicking
- BUG/MEDIUM: ssl: fix msg callbacks on QUIC connections
- BUG/MINOR: config/ssl: fix spelling of "expose-experimental-directives"
- BUG/MINOR: config: check capture pool creations for failures
- BUG/MINOR: stick-tables: abort startup on stk_ctr pool creation failure
- DOC: config: mention some possible TLS versions restrictions for kTLS
- BUG/MAJOR: applet: Don't call I/O handler if the applet was shut
- BUG/MINOR: ssl: Encrypted keys could not be loaded when given alongside certificate
- BUG/MINOR: ssl: Properly manage alloc failures in SSL passphrase callback
- DOC: reg-tests: update VTest upstream link in the starting guide
- MINOR: hlua: Add support for lua 5.5
- BUG/MINOR: ssl: fix error message of tune.ssl.certificate-compression
- MINOR: ssl: allow to disable certificate compression
- BUG/MINOR: proto_tcp: Properly report support for HAVE_TCP_MD5SIG feature
- BUG/MEDIUM: mux-h1: Skip UNUSED htx block when formating the start line
- BUG/MINOR: promex: Detach promex from the server on error dump its metrics dump
- BUG/MINOR: hlua: consume error object if ignored after a failing lua_pcall()
- BUG/MEDIUM: hlua: fix invalid lua_pcall() usage in hlua_traceback()
- BUG/MINOR: proxy: fix deinit crash on defaults with duplicate name
- REGTESTS: ssl: fix generate-certificates w/ LibreSSL
- BUG/MEDIUM: mux-quic: prevent BUG_ON() on aborted uni stream close
- BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
- BUG/MEDIUM: ssl: fix error path on generate-certificates
- BUG/MEDIUM: log: parsing log-forward options may result in segfault
- BUG/MEDIUM: promex: server iteration may rely on stale server
- BUG/MINOR: server: ensure server is detached from proxy list before being freed
- MINOR: cli: use srv_drop() when server was created using new_server()
- BUG/MINOR: cfgparse: fix "default" prefix parsing
- BUG/MINOR: proxy: free persist_rules
- BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in release_http_map()
- BUG/MEDIUM: quic: fix ACK ECN frame parsing
- BUG/MINOR: hlua_fcn: ensure Patref:add_bulk() is given a table object before using it
- BUG/MINOR: hlua_fcn: fix broken yield for Patref:add_bulk()
- MINOR: cfgparse: remove duplicate "force-persist" in common kw list
- MINOR: hapee: add a .hapee directory to list backporting notes
- BUG/MINOR: net_helper: fix IPv6 header length processing
- MINOR: net_helper: add an option to ip.fp() to append the source address
- MINOR: net_helper: add an option to ip.fp() to append the TTL to the fingerprint
- MINOR: net_helper: prepare the ip.fp() converter to support more options
- MINOR: net_helper: add ip.fp() to build a simplified fingerprint of a SYN
- MINOR: net_helper: add sample converters to decode TCP headers
- MINOR: net_helper: add sample converters to decode IP packet headers
- MINOR: net_helper: add sample converters to decode ethernet frames
- MINOR: tcp_sample: implement the fc_saved_syn sample fetch function
- MINOR: tcp: implement the get_opt() function
- MINOR: protocol: support a generic way to call getsockopt() on a connection
- MINOR: tcp: add new bind option "tcp-ss" to instruct the kernel to save the SYN
- MINOR: mux-h1: perform a graceful close at 75% glitches threshold
- MEDIUM: mux-h1: implement basic glitches support
- BUG/MINOR: ech/quic: enable ech configuration also for quic listeners
- REGTESTS: ssl: Fix reg-tests curve check
- BUG/MINOR: cli/stick-tables: argument to "show table" is optional
- BUILD: sockpair: fix build issue on macOS related to variable-length arrays
- BUG/MINOR: cfgparse: wrong section name upon error
- BUILD: tools: memchr definition changed in C23
- BUILD: ssl: strchr definition changed in C23
- BUG/MINOR: quic: fix deprecated warning for window size keyword
- BUG/MEDIUM: stconn: Move data from <kip> to <kop> during zero-copy forwarding
- BUG/MEDIUM: mworker: can't use signals after a failed reload
- BUG/MEDIUM: mux-h1: Take care to update <kop> value during zero-copy forwarding
- BUG/MEDIUM: peers: Properly handle shutdown when trying to get a line
- BUG/MINOR: mworker/cli: fix show proc pagination using reload counter
- DOC: config: fix the length attribute name for stick tables of type binary / string
- BUG/MINOR: backend: inspect request not response buffer to check for TFO
- BUG/MINOR: backend: fix the conn_retries check for TFO
- MINOR: mux-h2: perform a graceful close at 75% glitches threshold
- MINOR: mux-h2: add missing glitch count for non-decodable H2 headers
- BUG/MEDIUM: mux-h2: synchronize all conditions to create a new backend stream
- BUG/MEDIUM: backend: Do not remove CO_FL_SESS_IDLE in assign_server()
- BUG/MEDIUM: quic: Don't try to use hystart if not implemented
- BUG/MINOR: quic-be: Missing keywords array NULL termination
- MINOR: quic: implement cc-algo server keyword
- MINOR: quic: extract cc-algo parsing in a dedicated function
- MINOR: quic: define quic_cc_algo as const
- Revert "MINOR: quic: use dynamic cc_algo on bind_conf"
- BUG/MEDIUM: stconn: Don't report abort from SC if read0 was already received
- BUG/MEDIUM: http-ana: Properly detect client abort when forwarding response (v2)
- MINOR: h2/trace: emit a trace of the received RST_STREAM type
- BUG/MEDIUM: h3: fix access to QCS <sd> definitely
- BUG/MEDIUM: ssl: Don't resume session for check connections
- BUG/MEDIUM: ssl: Don't store the ALPN for check connections
- MINOR: connections: Add a new CO_FL_SSL_NO_CACHED_INFO flag
- BUG/MEDIUM: ssl: Always check the ALPN after handshake
- MEDIUM: ssl/server: No longer store the SNI of cached TLS sessions
- BUG/MEDIUM: ssl: Don't reuse TLS session if the connection's SNI differs
- MEDIUM: tcpcheck/backend: Get the connection SNI before initializing SSL ctx
- MINOR: connection/ssl: Store the SNI hash value in the connection itself
- MINOR: ssl: Compare hashes instead of SNIs when a session is cached
- MINOR: ssl: Store hash of the SNI for cached TLS sessions
- MINOR: ssl: Add a function to hash SNIs
- MEDIUM: quic: Add connection as argument when qc_new_conn() is called
- BUG/MINOR: mworker/cli: 'show proc' is limited by buffer size
- CLEANUP: mworker/cli: remove useless variable
- BUG/MEDIUM: h3: do not access QCS <sd> if not allocated
- DOC: config: Improve spop mode documentation
- DOC: config: Fix description of the spop mode
- BUG/MEDIUM: http-ana: Don't close server connection on read0 in TUNNEL mode
- BUG/MINOR: log: Dump good %B and %U values in logs
- BUG/MINOR: ssl: Don't allow to set NULL sni
- BUG/MINOR: quic: do not set first the default QUIC curves
- BUG/MINOR: quic-be: missing connection stream closure upon TLS alert to send
- MINOR: quic: avoid code duplication in TLS alert callback
- MINOR: quic: Add useful debugging traces in qc_idle_timer_do_rearm()
- BUG/MINOR: quic-be: handshake errors without connection stream closure
- BUG/MINOR: quic/ssl: crash in ClientHello callback ssl traces
- DOC: config: reorder the cache section's keywords
- DOC: config: mention clearer that the cache's total-max-size is mandatory
- BUG/MEDIUM: config: ignore empty args in skipped blocks
- BUG/MEDIUM: connection: fix "bc_settings_streams_limit" typo
- DOC: configuration: ECH support details
- BUG/MINOR: jwt: Missing "case" in switch statement
- BUG/MEDIUM: mworker/listener: ambiguous use of RX_F_INHERITED with shards
- MINOR: hapee/modules: report the per-stream allocated size for each module
- BUG/MEDIUM: hapee: prevent the module file name being overwritten
- MEDIUM: hapee: HAPEE_MODULE_DECLARE() allows to declare an HAPEE module
- BUG/MINOR: hapee: Makefile: bad substitution for MODVERSION variable
- BUG/MINOR: hapee: relax __vers symbol check
- BUG/MINOR: hapee/modules: can't load modules with USE_OBSOLETE_LINKER
- BUG/MINOR: hapee: remove leading \n on __vers error
- MEDIUM: hapee: warn on unsupported initcalls
- BUG/MINOR: hapee: forbid to load a module twice
- HAPEE: udp: update structs and functions required for the UDP module
- HAPEE: makefile: automatically build objects in addons/hapee_*
- HAPEE: makefile: update the cleanup rule to also remove *.i from addons
- HAPEE: addons: quic CID in -vv
- HAPEE: addons: adds quic CID generator to interop with packetshield
- MEDIUM: hapee: does not pass OPTION_LDFLAGS to modules
- MINOR: hapee/modules: check if we generate the API hash correctly
- BUG/MINOR: hapee/modules: adjust include match() in gen-modules-config-h.awk
- BUG/MINOR: hapee/modules: initialize the module head list
- BUILD: hapee/modules: select either md5 or md5sum
- MEDIUM: hapee/modules: load the STG_REGISTER initcalls
- BUG/MINOR: hapee/modules: display detailed error message on mod_init() failure
- MINOR: hapee/modules: add a new label MODULES_LOCK to the lock_label enum
- MINOR: hapee/modules: add the ability to register variable and functions.
- MEDIUM: hapee/modules: 'modules list' on the cli shows currently loaded modules
- MINOR: hapee/modules: terminate properly loaded modules if possible
- MEDIUM: hapee/modules: add memory reservation support for the modules
- BUILD: hapee/modules: update HAPEE version macro to 3.3r1
- BUILD: hapee/modules: add macros to compute numerical value of a HAPEE version
- BUILD: hapee/modules: add version of the module in the defines
- MEDIUM: hapee/modules: add modules support


HAPEE-LB 3.3r1 – Changelog