HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. Plugin Changelog ================ 5.1 Added: * more conditions have support for converters * add support for mapfile URLs (#4825) Fixed: * migration fails if a http-request/-response "lua" rule is configured Changed: * modernize UI templates 5.0 WARNING: This is a new major release, which may result in incompatible changes for some users. Added: * add support for HTTP/3 over QUIC to frontends (#4341) * add new rule: http-request silent-drop * add new rule: http-after-response * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules * add new backend option to control PROXY protocol for health checks (#2909) * add support for new map file types: beg,end,int,ip,reg,str,sub (#3641) * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702) * add support for HTTP compression (#4867) * add all action keywords for http-request/-response and tcp-request/-response rules * add "enabled" field to rules * add support for all stick-table data types * add support for GPC/GPT/SC to conditions and rules (#1123, #5109) * add support for SSL SNI expression to servers (#3756) * add column "mode" to servers overview (#4632) * add support for loading mapfiles in conditions and rules * add support for sample fetches in rules Fixed: * Maintenance tab "SSL Certificates" not working with only one cert Changed: * upgrade to HAProxy 3.2 release series (#5147) * refactor http/tcp rules to make extensions easier * rename some labels in rules * change LUA boolean conversion (see tune.lua.bool-sample-conversion) * stick-table "size" and "expiration time" are no longer advanced options (now always visible) * replace stick-table type "ip" with "ipv4" (#5147) * show the actual HAProxy option name in conditions for clarity * allow stick-table types "binary", "integer" and "string" in backends * make mapfiles more useful in rules 4.6 Changed: * improve help text for "http-request redirect" rules (#4650) * rename "http-request redirect" input field (#4650) 4.5 Changed: * upgrade to HAProxy 3.0 release series (#4411) * migrate cert export to Trust MVC 4.4 Fixed: * Cron job "Sync SSL certificate changes" not working (#4035) * Template error with empty user group (#3364) 4.3 Added: * Add new global parameter: DNS prefer IP family (#3779) Fixed: * SNI not working when automatic OCSP updates are enabled (#3779) * HAProxy error: has an OCSP URI but an error occurred (#3779) Changed: * prefer IPv4 results when resolving DNS names (#3779) * disable OCSP updates if cert contains no OCSP data (#3779) 4.2 Added: * add support for built-in OCSP update feature * add support for forwarded header (RFC7239) * add option "X-Forwarded-For Header" to backend settings * add options for HTTP/2 performance tuning Fixed: * fix SSL sync cron job (bulk sync was never working properly) Changed: * upgrade to HAProxy 2.8 release series (#3459) * change default for HTTP/2 to enabled (only new frontends/backends) * add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends) * move OCSP settings from "Service" to "Global" section * replace bundled haproxyctl library with haproxy-cli Deprecated: * frontend option "X-Forwarded-For Header" (the backend option should be used) Removed: * remove OSCP update cron job 4.1 Fixed: * fix SSL preferences in health checks (#3221) 4.0 Added: * add new service option "Gradual connection close time" (close-spread-time) (#3026) * add new frontend option "shards" (#3026) Changed: * upgrade to HAProxy 2.6 release series (#3026) * rename frontend option "Type" to "Connection Mode" (#3026) * migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026) * replace "process" with "threads" bind keyword for CPU Affinity (#3026) * no longer duplicate global defaults in backends/frontends (#2642) Removed: * remove Processes/nbproc option (use Threads/nbthread instead) (#3026) * remove "Process ID" from CPU Affinity settings (now always 1) (#3026) * remove "bind-process" option (replaced by the "threads" bind keyword) (#3026) * remove options "http-tunnel" and "forceclose" from "Connection Mode" (#3026) 3.12 Added: * add support for req.ssl_hello_type (#2311) * add support for Prometheus exporter (#2764) * add support for FastCGI applications (#2769) * add server option to override the multiplexer protocol Fixed: * fix unix sockets in chrooted environment (#3093) * fix peers by automatically configuring the local peer (#3114) Changed: * update HAProxy documentation URLs 3.11 Added: * add support for cache parameter (#2908) 3.10 WARNING: This release switches to the HAProxy 2.4 release series, which may result in incompatible changes for some users. Added: * add support for DNS resolution over TCP (#2644) Changed: * upgrade to HAProxy 2.4 release series (#2644) * disable strict-limits for safekeeping (#2644) Removed: * remove deprecated option tune.chksize (#2644) 3.9 Added: * add SSL SNI setting to servers and health checks (#2388) Fixed: * fix custom TCP health checks (#2653) Changed: * replace "force SSL" setting with "SSL preferences" in health checks (#2388) * health check port is no longer an advanced option 3.8 Added: * add support for unix sockets (#2040) * add "max connections" option to servers (#2641) Changed: * allow setting "max connections" to "0" (unlimited) * raise maximum value for "max connections" to 10000000 3.7 Added: * add options "preload" and "filename scheme" to Lua scripts (#2265) * add syslog-ng socket for logging (#2620) * show hint to apply changes after every config change (#2590) * show warning for pending configuration changes (#2590) Fixed: * unable to use the "require" function in Lua scripts (#2265) * request logging not working (#2587) * fix syntax error in template (#2619) Changed: * set "lua-prepend-path" so that Lua scripts can be found (#2265) * show "apply" and "test syntax" buttons on introduction pages 3.6 Added: * add support for advanced resolver properties (#2330) * add graceful stop timeout to service settings * support "monitor-uri" and "monitor fail" in rules (#2387) * add new option "case-sensitive" to conditions (#2576) Fixed: * no haproxy.conf after restoring a config backup (#2474) Changed: * deploy haproxy.conf if it does not exist (#2474) * add new timeout (60s) which will terminate open connections when using graceful stop * allow retries to be set to "0" (#2585) 3.5 Fixed: * fix maintenance page not loading (#2485) 3.4 Fixed: * fix empty resolve-prefer option (#2340) 3.3 Changed: * use HAProxy socket to apply updated OCSP stapling data (in cron job) (#2351) 3.2 Fixed: * fix config test when HAProxy service is not enabled Changed: * ignore incompatible ciphersuites options when LibreSSL is used (#2013) 3.1 Fixed: * fix items that cannot be deleted (#2266) Changed: * rules: only accept a single value for backend/server fields (#2266) 3.0 Added: * add new maintenance page to change server state and weight on-the-fly (#2213) * add new commands to update SSL certificates in runtime (#2244, #1882) * add new SSL bind option: prefer-client-ciphers * add global option to enable old buggy behaviour for PROXY v2 connections * add support for HTTP/2 in health checks * add config export (#2035) * add config diff * guard against broken config by using a staging config file * add basic OCSP stapling support (#1430) * add support for e-mail alerts and mailers (#1669) * add support for custom header checks (#1907) * add support for server templates (#1975) * add support for additional resolver options (#1975) * add support for resolve-prefer option (#1975) * add pre-defined cron jobs to maintenance page Fixed: * prevent service outage by aborting "Apply" when configtest fails * fix direct links to individual statistics tabs * prevent the deletion of items that are still referenced elsewhere (core/#1897) Changed: * upgrade to HAProxy 2.2 release series (#2092) * change default SSL version to TLSv1.2 (ssl-min-ver) * remove weak ciphers from (default) SSL settings * remove default SSL bind options that would conflict with ssl-min-ver * move SSL bind options below other SSL settings, they are rarely used nowadays * change default for tune.ssl.default-dh-param from 1024 to 2048 * use new "http-check send" command for HTTP health checks * change default for spreadChecks from 0 to 2 * no longer overwrite live config file when running a syntax check * make restart/reload commands usable in cron jobs * relax GUI input validation for servers, move validation to jinja template (#1975) Deprecated: * nbproc is deprecated and will be removed in os-haproxy 4.0 2.26 Fixed: * preserve sort order of default SSL bind options 2.25 Added: * add support for TLSv1.3 (#790) 2.24 Added: * add support for http-request set-var and http-response set-var (#1796) * add group as userlist to HAProxy config to make it usable in rules/conditions (#1796) * add support for resolvers to customize how HAProxy handles name resolution (#1787) * add support for init-addr to allow HAProxy to start when DNS does not resolve (#1787) Fixed: * honor sort order of all rules, remove special handling of "use_[backend|server]" options (#1925) Changed: * add "Save & Test syntax" button to all "Settings" pages * add "introduction" page for Settings tab * streamline "Settings" subtabs 2.23 Fixed: * add missing acl SNI regex text field (#1883) 2.22 Added: * enable SSL verification for a server when "Force SSL" is enabled in the associated health check (#1761) * use the systems local Root CA Certificates for SSL verification when no CA was selected (#1761) Fixed: * fix label of src_sess_cnt (#1780) * fix invalid use of option httplog (resolves a warning in config test) * fix invalid use of option forwardfor (resolves a warning in config test) 2.21 Fixed: * override "graceful" restart if required (#1745) 2.20 Changed: * update stats socket permission for easier (non-root) monitoring (#1232) 2.19 Added: * switch to HAProxy 2.0 release series (#1089) * add support for the "max-object-size" cache configuration option (#1458) * add end-to-end HTTP/2 support (details) * add support for the random balancing algorithm (details) Fixed: * fix IPv6 validation in frontends (#540) Changed: * add IPv6 example to listen address help text * update URLs to HAProxy 2.0 documentation * frontends: move HTTP/2 option to HTTP settings * change order of frontend options 2.18 Added: * add support for HAProxy cache (#1442) Changed: * change http-reuse default (align with HAProxy's default value, #1439) 2.17 Added: * allow backends without servers (#1304) * add support for deciphered SNI check in ACLs (#1365) * allow to force SSL for health checks (#1282) Changed: * improve wording for SNI conditions to differentiate between deciphered vs. not deciphered 2.16 Fixed: * allow hyphens in server, frontend and backend names (#1346) 2.15 Added: * rules can finally be sorted by using drag'n'drop (#582) * added "enabled" field to servers (#1208) * TCP inspection delays are supported in rules (#1188) Changed: * server option "mode" is always visible, no longer requires "advanced mode" (#1208) * most dropdown fields finally have alphanumeric sorting (#687, opnsense/core#3251) * rules: align indentation of comments in haproxy.conf 2.14 Fixed: * bulk deleting does not work (#1164) Changed: * migrate to mutable controller (required to fix #1164) 2.13 Added: * support multiple CAs for SSL verification for servers Fixed: * fix export of CAs (#1074) Changed: * export a frontend's default SSL certificate (#1088) * it is no longer required to add a default SSL certificate to a frontend's "certificates" list (#1088) * avoid duplicate entry in certlist file if a default SSL certificate is specified * always show "Default certificate" option in frontends, it's no longer an "advanced" option 2.12 Added: * add support for HTTP/2 (#1047) 2.11 Fixed: * fix warning: a 'http-request' rule placed after a 'use_backend' rule will still be processed before (#999) * fix wrong parameter name when using tcp-request content lua (#999) Changed: * internal: trim whitespace, remove empty lines in haproxy.conf (#999) 2.10 Added: * add support for multithreading (available as new option in Settings -> Global Parameters) (#1003) * add support for client certificate authentication (#426) * add support for HTTP Basic Auth to frontends/backends/ACLs (#300) * add basic user/group management functionality (supports Basic Auth as well as stats users) * add new CPU Affinity Rules feature (which is a combination of HAProxy's cpu-map, bind-process and process options) (see #1003 for a short explanation) Fixed: * function "http-request header-delete" generated a corrupted haproxy.conf (#882) Changed: * migrate all stats users from old (and cumbersome) username:password format to new user management feature * internal: use /tmp for autogenerated files (now they are automatically cleaned up on boot) * internal: change filename of cert lists from id.crtlist to id.certlist 2.9 Added: * add "http-reuse" option (#836) 2.8 Added: * support truly seamless reloads (#224) * add support for the "map" feature (#180) Fixed: * fix reload of service template in "reconfigure" action (#690; introduced in 7381101) * enabling "hard stop" mode resulted in an invalid "hardrestart" RC command Changed: * use "reload" instead of "restart" RC action * if "reload" fails, also issue a "restart" command (required when enabling seamless reloads) * start progress animation (spinner) earlier when applying settings 2.7 Added: * support rise/fall parameters in backends and health checks * support set-path in ACLs * support for cookie-based persistence (#680) Fixed: * fix X-Forwarded-For option disappeared (#647) * fix validation for source address fields (#695) 2.6 Added: * add support for http-response set-status in ACLs to manipulate HTTP status codes Fixed: * fix invalid backend name when using nbsrv in ACLs 2.5 Added: * add support for the PROXY protocol (i.e. in combination with postfix or dovecot) * switch to HAProxy 1.8.4 2.4 Added: * add support for "preload" and "includeSubDomains" HSTS options (#447) * support session sync / HAProxy peers (#165) * add new HTTP timeout options (to mitigate slowloris attacks) (#202) * allow tracking additional values in stick-tables (#202) * add stick-table config for frontends (optional, disabled by default) (#202) * add support for many new conditions (#202) * enable sticky counters for frontend stick-tables (required for new conditions) (#202) Changed: * relax validation masks for several "name" fields (to allow more "special" characters) * switch to new mutable service controller 2.3 Added: * new option to hide introduction pages (#340) Fixed: * fix wrong introduction for "Advanced" tab (regression introduced in 8cdcbda) 2.2 Fixed: * fix for rules parameters (values could not be saved, leading to invalid rules) 2.1 Fixed: * do not enable HSTS unconditionally (now works as described in #380) * enable HSTS only for HTTP frontends 2.0 Added: * new GUI to guide new users and improve general usability (#208) * make server port optional (#341) * new SSL settings for frontends (#380) * new global SSL default values (#380) * new option for HTTP Strict Transport Security (#380) Fixed: * rephrase text to make it clear that aliases cannot be used (#360) * rephrase text to make it clear that "use_server" will only work for backends (#361)