HAProxy Data Plane API 3.3 release notes

This page includes key changes in the HAProxy Data Plane API 3.3 release.

New Features

Here’s what’s new in this release.

ACME DNS-01 Challenge Support

We’ve added comprehensive support for ACME DNS-01 challenges:

  • Enabled automated certificate management via DNS validation.
  • Added ACME DNS-01 challenge support using libdns to resolve challenges for HAProxy. To use it, configure HAProxy’s acme section to use the DNS-01 challenge with the appropriate acme-provider and acme-vars.
  • Implemented DNS propagation checks for ACME with configurable timeout via DPAPI_ACME_PROPAGTIMEOUT_SEC and DPAPI_ACME_PROPAGDELAY_SEC environment variables. Setting DPAPI_ACME_PROPAGTIMEOUT_SEC to -1 disables propagation checks.
  • Added support for listening to HAProxy events on the master socket and handling the newcert event to save newly generated certificates to disk.
  • Added runtime handlers for ACME status and renew operations.
  • Enabled a Route53 DNS provider for ACME challenges.
  • Enabled a deSEC DNS provider for ACME challenges.
  • Added support for the acme-provider and acme-vars directives for DNS-01 challenge configuration.
  • Added support for the reuse-key ACME directive.

Configuration Enhancements

This release adds support for new HAProxy configuration parameters and options.

  • Added the ssl-passphrase-cmd parameter to the global section.
  • Added the abortonclose parameter to the frontend section.
  • Added the cc (congestion control) parameter to the server and bind directives.
  • Added the experimental ktls parameter to server and bind for kernel TLS offloading.
  • Added the no-ktls option to the global section.
  • Added the experimental shm-stats-file and shm-stats-file-max-objects options to the global section.
  • Added the sni-auto / no-sni-auto parameters to the server directive.
  • Added the check-sni-auto / no-check-sni-auto parameters to the server directive.
  • Added the tcp-md5sig parameter to both server and bind directives.
  • Added the renegotiate option for servers.
  • Added the label parameter to the bind directive.
  • The specification now populates defaults from the OpenAPI spec.

SSL/TLS Improvements

Your ability to secure traffic with SSL/TLS has been improved through the following changes:

  • Added support for setting multiple certificate files on bind directives, now parsed and serialized as the SslCertificate field delimited by :.
  • Added runtime support for saving SSL certificates to the filesystem.
  • Fixed IP address certificate acceptance.
  • Enhanced leaf certificate selection to include DNS names, fixing cases where names are too long and have no CN but only SAN.
  • Fixed parsing of self-signed certificates in the storage API.

Parser and Serialization Improvements

We’ve updated the parser and optimized how data is serialized.

  • Added a parser option that allows excluding sections with given names during serialization.
  • Sections are now always sorted by name even if the dependency or circular checks fail.
  • Switched to go-method-gen for method generation, with automatic unit test generation.
  • ACL now uses the same type in config parser as in the rest of the module.
  • Config parser now allows using models for types.

Bug Fixes

This release contains fixes for a more stable experience.

Data Plane API

These bug fixes apply to the Data Plane API service:

  • Fixed GET default sections endpoint ignoring the full_section=true parameter.
  • Fixed service discovery so that it keeps running when errors occur instead of stopping.
  • Fixed AWS service discovery to enforce context timeout when interacting with AWS endpoints.

Configuration and Serialization (client-native)

These bug fixes apply to configuration parsing and serialization:

  • Fixed missing set-var-fmt in http_after_response_rule.
  • Fixed duplicate name entry of binds.
  • Fixed all names marked as required to fit in map structured data.
  • Fixed default time suffix for stats refresh delay (was milliseconds, should be seconds).
  • Fixed serialization of FCGI option mpxs-conns.
  • Fixed duplication of xxx / no-xxx options on serialization.
  • Fixed server templates ordering by name when serialized.
  • Fixed serialization of UseFCGIApp, which was failing with “invalid data”.
  • Fixed missing int and expression in http-after-response sc-add-gpc.
  • Fixed http-response sc-add-gpc and sc-inc-gpc serialization issues.
  • Fixed http-request sc-add-gpc and sc-inc-gpc serialization.
  • Fixed tcp-request content set-bandwidth-limit to avoid serializing limit and period if not set.
  • Fixed filter bwlim-in and bwlim-out min-serialize.
  • Fixed tls-tickets serialization in bind params.
  • Fixed server fall and rise options parsing (they are counters, not time values).
  • Fixed serialization of log-steps.
  • Fixed servers in backends to be ordered by name when serialized.
  • Fixed missing ID in frontend serialization.
  • Fixed default-bind to report errors when parsing fails.
  • Fixed ACME vars ordering when serializing.
  • Fixed metadata where it was missing.

Runtime

These bug fixes apply to runtime behavior:

  • Added missing fields to stick table output: http_fail_cnt, http_fail_rate, gpt, gpc, and gpc_rate.
  • Fixed missing reload socket command termination.
  • Fixed redispatch to allow interval of 0.

Other Changes

Other changes in this release are summarized here.

Build and Dependencies

The following build options and dependencies have changed:

  • Upgraded Go to 1.25.
  • Upgraded golangci-lint to 2.8.0.
  • Upgraded go-swagger to v0.32.3.
  • Upgraded client-native library to latest version.
  • Updated AWS SDK packages to latest versions.
  • Updated golang.org/x packages.
  • Fixed CVE-2025-47911.
  • Swagger now honors default values for fields set in the specification.

Testing

The test suite received these updates:

  • Updated E2E tests for HAProxy 3.3 and 3.4 compatibility.
  • Added ACME test infrastructure and HTTP-01 testing.
  • Fixed tests for HAProxy 3.3 (backends and frontends cannot share the same name; program section removed).
  • Allowed passing multiple test names in $TESTNAME for faster test validation.
  • Fixed the set_uid E2E test to work on both Alpine and Debian.
  • Added automatic unit test generation for client-native.
  • Fixed gentype issue that prevented running tests for sections with dashes.
  • Re-enabled the gocritic linter, which was mistakenly disabled.

CI/CD

The CI/CD pipeline has been updated.

  • Added CI question for backport need on merge requests.
  • Duplicate pipelines on forked projects are now canceled.
  • Updated GitHub Actions tooling and Go versions.

HAProxy Compatibility

This release supports HAProxy 3.3 and newer versions.

Contributors

We would like to thank all the contributors who made this release possible:

Contributor Area
Olivier Duclos FEATURE | BUG | TEST | REORG
Marko Juraga BUILD | BUG | CLEANUP | FEATURE | TEST
Vincent Gramer FEATURE | BUG | BUILD
Helene Durand BUG | FEATURE | TEST
Zlatko Bratkovic BUILD | BUG | CLEANUP
Dario Tranchitella BUG
Ivan Matmati FEATURE | CLEANUP
Pierre-Alain SIMON BUILD
Philipp Kolberg BUG
JM BUG
AdamJCrawford BUILD

Thank you to everyone who contributed code, reported issues, and provided feedback for this release!
