HAProxy Data Plane API 3.2 release notes

Key changes in the HAProxy Data Plane API 3.2 release include:

New features Jump to heading #

• ACME support

  • Added support for the acme section.
  • Added crt-store support for acme and domains attributes.
  • Added runtime APIs for acme renew and acme status.
  • Enterprise: Added support for the HTTP-01 challenge.

• Configuration enhancements

  • Added support for child resources in the defaults section.
  • Added parsing and serializing of in-line comments in configuration for all API resources. They’re parsed and serialized as plain JSON and in the metadata field for each API resource.
  • Introduced tune.quic.frontend.max-tx-mem to the global tune_quic_options.
  • Added minsize-req and minsize-res to the compression parameter.
  • Added the recv-only flag to the stick-table and table resources.
  • Added glitches_kill_cpu_usage and takeover_other_tg_connections to the global tune options.
  • Added strict-maxconn to the server parameters.
  • Added the check-pool-conn-name and check-reuse-pool health check parameters for servers.
  • Implemented the idle-ping parameter for server and bind.
  • Added support for the tune.notsent-lowat.server and tune.notsent-lowat.client parameters in the global section.
  • Added support for tune.lua.bool-sample-conversion.
  • Added support for the hash-preserve-affinity parameter in defaults, backends, and listen sections.
  • Added support for the cpu-set and cpu-policy parameters in the global section.
  • Added support for the HAProxy 3.2 global parameters: acme.scheduler, stress-level, tune.epoll.mask-events, and tune.max-rules-at-once.
  • Added support for the dont-parse-log and assume-rfc6587-ntf options in the log-forward section.
  • Added support for the option pause for http-request and http-response parameters.
  • Added support for http-drop-response-trailers in defaults and frontend sections.
  • Added support for http-drop-request-trailers in defaults and backend sections.
  • Added the dns-accept-family option in the global section.
  • Enterprise: Added support for debug.stress-level parameter in global section.
  • Enterprise: Added support for http-drop-request-trailers, ssl_front_use_list, andhash-preserve-affinity parameters in frontend section.

• SSL/TLS

  • Added support for the ssl-f-use parameter.
  • Added runtime APIs for certificates, CRLs, and OCSP.
  • Added support for crt-list files in storage.
  • Added support for the skip_reload parameter when creating SSL certificates.
  • Added the no-strict-sni and tls-tickets parameters to bind.
  • Enterprise: Added force-strict-sni parameter to bind.
  • Enterprise: Added status, chain_issuer, and chain_subject parameters for SSL certificates.

• API and validation

  • Added Subject and Serial to the certificate response model.
  • Now uses the same logic to check configuration when using the /raw API.
  • Now shows validation errors for /raw API uploads, not just the status.

• Enterprise: WAF module support

  • Added support for two sections: waf-global and waf-profile.

• Enterprise: Logging improvements

  • Improvements to the log_sink functionality including preventing panics on empty configurations, adjusting log levels for heavy loads, correcting parser error messages, better buffer management, reduced lock acquisitions, and enhanced HAProxy log origin support across multiple parsers.
  • Added WAF log classification support, network namespace binding for syslog inputs, and better UUID handling.
  • Parse logs with the cbor encoding flag to produce an access log as a CBOR map (major type 5), where the key is the HAProxy log item name and the value is the log item.

Bug fixes Jump to heading #

• Runtime and server management

  • Fixed an issue where all server options weren’t being added for runtime_server.
  • Fixed creating servers with HAProxy >= 3.0, where the enabled parameter is no longer accepted dynamically.

• Configuration and users

  • Fixed panic when insecure isn’t set for users.
  • Fixed setting of duration types in the configuration.
  • Fixed tune.bufsize parsing issue, reverting to the string type.
  • Fixed the reload service name for the s6 reload strategy.
  • Fixed the general storage error message when no FileUpload is specified.
  • Fixed option redispatch serialization.
  • Fixed bind updates without requiring a restart, addressing serialization type issues for bind parameters.
  • Added a nil check on global conversion to avoid panic if TuneOptions was nil.

• Authentication

  • Now ensures userlist settings are respected when configured.

• API and rules

  • The API now accepts set-var-fmt in http_request_rule.

• Panics

  • Avoids panic in runtime Reload if the output is empty.

Deprecated feature Jump to heading #

• The no_tls_tickets parameter in bind is deprecated in favor of tls_tickets.

Other Changes Jump to heading #

• Build and dependencies

  • Upgraded the API version to 3.2.
  • Upgraded Go to 1.24.
  • Upgraded the bats version for CI.
  • Fixed yaml-lint errors.

• Internal refinements and tests

  • Refactored to not use logrus directly in handlers.
  • Fixed cache tests in E2E tests.
  • Removed debug traces from E2E tests.
  • Fixed program tests for the deprecated section.
  • Fixed removing of added SSL certificates.
  • Added 3.2 for CI and removed 2.9 in E2E tests.
  • Added a proper HAProxy configuration for the x_issue_132 test in E2E tests.
  • Added a runtime server unit test.
  • Fixed random CI failures when removing a defaults section.
  • Attempted to fix bug_132 failures on CI.
  • Aligned the specification to the latest changes in the client-native library.
  • Made port optional via a nil value in the service.
  • Fixed the compare test generator.
  • Added metadata tests.
  • Fixed Go 1.24 lint errors.
  • Generated the spec with the latest changes.