opnsense-plugins/net/haproxy/pkg-descr
2026-02-09 17:04:33 +01:00

534 lines
15 KiB
Text

HAProxy is a free, very fast and reliable solution offering high
availability, load balancing, and proxying for TCP and HTTP-based
applications. It is particularly suited for web sites crawling under
very high loads while needing persistence or Layer7 processing.
Plugin Changelog
================
5.0
WARNING: This is a new major release, which may result in
incompatible changes for some users.
Added:
* add support for HTTP/3 over QUIC to frontends (#4341)
* add new rule: http-request silent-drop
* add new rule: http-after-response
* add new condition: HTTP method
* support custom HTTP status code in "http-request deny" rules
* add new backend option to control PROXY protocol for health checks (#2909)
* add support for new map file types: beg,end,int,ip,reg,str,sub (#3641)
* add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
* add support for HTTP compression (#4867)
* add all action keywords for http-request/-response and tcp-request/-response rules
* add "enabled" field to rules
* add support for all stick-table data types
* add support for GPC/GPT/SC to conditions and rules (#1123, #5109)
* add support for SSL SNI expression to servers (#3756)
* add column "mode" to servers overview (#4632)
* add support for loading mapfiles in conditions and rules
* add support for sample fetches in rules
Fixed:
* Maintenance tab "SSL Certificates" not working with only one cert
Changed:
* upgrade to HAProxy 3.2 release series (#5147)
* refactor http/tcp rules to make extensions easier
* rename some labels in rules
* change LUA boolean conversion (see tune.lua.bool-sample-conversion)
* stick-table "size" and "expiration time" are no longer advanced options (now always visible)
* replace stick-table type "ip" with "ipv4" (#5147)
* show the actual HAProxy option name in conditions for clarity
* allow stick-table types "binary", "integer" and "string" in backends
* make mapfiles more useful in rules
4.6
Changed:
* improve help text for "http-request redirect" rules (#4650)
* rename "http-request redirect" input field (#4650)
4.5
Changed:
* upgrade to HAProxy 3.0 release series (#4411)
* migrate cert export to Trust MVC
4.4
Fixed:
* Cron job "Sync SSL certificate changes" not working (#4035)
* Template error with empty user group (#3364)
4.3
Added:
* Add new global parameter: DNS prefer IP family (#3779)
Fixed:
* SNI not working when automatic OCSP updates are enabled (#3779)
* HAProxy error: has an OCSP URI but an error occurred (#3779)
Changed:
* prefer IPv4 results when resolving DNS names (#3779)
* disable OCSP updates if cert contains no OCSP data (#3779)
4.2
Added:
* add support for built-in OCSP update feature
* add support for forwarded header (RFC7239)
* add option "X-Forwarded-For Header" to backend settings
* add options for HTTP/2 performance tuning
Fixed:
* fix SSL sync cron job (bulk sync was never working properly)
Changed:
* upgrade to HAProxy 2.8 release series (#3459)
* change default for HTTP/2 to enabled (only new frontends/backends)
* add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends)
* move OCSP settings from "Service" to "Global" section
* replace bundled haproxyctl library with haproxy-cli
Deprecated:
* frontend option "X-Forwarded-For Header" (the backend option should be used)
Removed:
* remove OSCP update cron job
4.1
Fixed:
* fix SSL preferences in health checks (#3221)
4.0
Added:
* add new service option "Gradual connection close time" (close-spread-time) (#3026)
* add new frontend option "shards" (#3026)
Changed:
* upgrade to HAProxy 2.6 release series (#3026)
* rename frontend option "Type" to "Connection Mode" (#3026)
* migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
* replace "process" with "threads" bind keyword for CPU Affinity (#3026)
* no longer duplicate global defaults in backends/frontends (#2642)
Removed:
* remove Processes/nbproc option (use Threads/nbthread instead) (#3026)
* remove "Process ID" from CPU Affinity settings (now always 1) (#3026)
* remove "bind-process" option (replaced by the "threads" bind keyword) (#3026)
* remove options "http-tunnel" and "forceclose" from "Connection Mode" (#3026)
3.12
Added:
* add support for req.ssl_hello_type (#2311)
* add support for Prometheus exporter (#2764)
* add support for FastCGI applications (#2769)
* add server option to override the multiplexer protocol
Fixed:
* fix unix sockets in chrooted environment (#3093)
* fix peers by automatically configuring the local peer (#3114)
Changed:
* update HAProxy documentation URLs
3.11
Added:
* add support for cache parameter (#2908)
3.10
WARNING: This release switches to the HAProxy 2.4 release series,
which may result in incompatible changes for some users.
Added:
* add support for DNS resolution over TCP (#2644)
Changed:
* upgrade to HAProxy 2.4 release series (#2644)
* disable strict-limits for safekeeping (#2644)
Removed:
* remove deprecated option tune.chksize (#2644)
3.9
Added:
* add SSL SNI setting to servers and health checks (#2388)
Fixed:
* fix custom TCP health checks (#2653)
Changed:
* replace "force SSL" setting with "SSL preferences" in health checks (#2388)
* health check port is no longer an advanced option
3.8
Added:
* add support for unix sockets (#2040)
* add "max connections" option to servers (#2641)
Changed:
* allow setting "max connections" to "0" (unlimited)
* raise maximum value for "max connections" to 10000000
3.7
Added:
* add options "preload" and "filename scheme" to Lua scripts (#2265)
* add syslog-ng socket for logging (#2620)
* show hint to apply changes after every config change (#2590)
* show warning for pending configuration changes (#2590)
Fixed:
* unable to use the "require" function in Lua scripts (#2265)
* request logging not working (#2587)
* fix syntax error in template (#2619)
Changed:
* set "lua-prepend-path" so that Lua scripts can be found (#2265)
* show "apply" and "test syntax" buttons on introduction pages
3.6
Added:
* add support for advanced resolver properties (#2330)
* add graceful stop timeout to service settings
* support "monitor-uri" and "monitor fail" in rules (#2387)
* add new option "case-sensitive" to conditions (#2576)
Fixed:
* no haproxy.conf after restoring a config backup (#2474)
Changed:
* deploy haproxy.conf if it does not exist (#2474)
* add new timeout (60s) which will terminate open connections when using graceful stop
* allow retries to be set to "0" (#2585)
3.5
Fixed:
* fix maintenance page not loading (#2485)
3.4
Fixed:
* fix empty resolve-prefer option (#2340)
3.3
Changed:
* use HAProxy socket to apply updated OCSP stapling data (in cron job) (#2351)
3.2
Fixed:
* fix config test when HAProxy service is not enabled
Changed:
* ignore incompatible ciphersuites options when LibreSSL is used (#2013)
3.1
Fixed:
* fix items that cannot be deleted (#2266)
Changed:
* rules: only accept a single value for backend/server fields (#2266)
3.0
Added:
* add new maintenance page to change server state and weight on-the-fly (#2213)
* add new commands to update SSL certificates in runtime (#2244, #1882)
* add new SSL bind option: prefer-client-ciphers
* add global option to enable old buggy behaviour for PROXY v2 connections
* add support for HTTP/2 in health checks
* add config export (#2035)
* add config diff
* guard against broken config by using a staging config file
* add basic OCSP stapling support (#1430)
* add support for e-mail alerts and mailers (#1669)
* add support for custom header checks (#1907)
* add support for server templates (#1975)
* add support for additional resolver options (#1975)
* add support for resolve-prefer option (#1975)
* add pre-defined cron jobs to maintenance page
Fixed:
* prevent service outage by aborting "Apply" when configtest fails
* fix direct links to individual statistics tabs
* prevent the deletion of items that are still referenced elsewhere (core/#1897)
Changed:
* upgrade to HAProxy 2.2 release series (#2092)
* change default SSL version to TLSv1.2 (ssl-min-ver)
* remove weak ciphers from (default) SSL settings
* remove default SSL bind options that would conflict with ssl-min-ver
* move SSL bind options below other SSL settings, they are rarely used nowadays
* change default for tune.ssl.default-dh-param from 1024 to 2048
* use new "http-check send" command for HTTP health checks
* change default for spreadChecks from 0 to 2
* no longer overwrite live config file when running a syntax check
* make restart/reload commands usable in cron jobs
* relax GUI input validation for servers, move validation to jinja template (#1975)
Deprecated:
* nbproc is deprecated and will be removed in os-haproxy 4.0
2.26
Fixed:
* preserve sort order of default SSL bind options
2.25
Added:
* add support for TLSv1.3 (#790)
2.24
Added:
* add support for http-request set-var and http-response set-var (#1796)
* add group as userlist to HAProxy config to make it usable in rules/conditions (#1796)
* add support for resolvers to customize how HAProxy handles name resolution (#1787)
* add support for init-addr to allow HAProxy to start when DNS does not resolve (#1787)
Fixed:
* honor sort order of all rules, remove special handling of "use_[backend|server]" options (#1925)
Changed:
* add "Save & Test syntax" button to all "Settings" pages
* add "introduction" page for Settings tab
* streamline "Settings" subtabs
2.23
Fixed:
* add missing acl SNI regex text field (#1883)
2.22
Added:
* enable SSL verification for a server when "Force SSL" is enabled in the associated health check (#1761)
* use the systems local Root CA Certificates for SSL verification when no CA was selected (#1761)
Fixed:
* fix label of src_sess_cnt (#1780)
* fix invalid use of option httplog (resolves a warning in config test)
* fix invalid use of option forwardfor (resolves a warning in config test)
2.21
Fixed:
* override "graceful" restart if required (#1745)
2.20
Changed:
* update stats socket permission for easier (non-root) monitoring (#1232)
2.19
Added:
* switch to HAProxy 2.0 release series (#1089)
* add support for the "max-object-size" cache configuration option (#1458)
* add end-to-end HTTP/2 support (details)
* add support for the random balancing algorithm (details)
Fixed:
* fix IPv6 validation in frontends (#540)
Changed:
* add IPv6 example to listen address help text
* update URLs to HAProxy 2.0 documentation
* frontends: move HTTP/2 option to HTTP settings
* change order of frontend options
2.18
Added:
* add support for HAProxy cache (#1442)
Changed:
* change http-reuse default (align with HAProxy's default value, #1439)
2.17
Added:
* allow backends without servers (#1304)
* add support for deciphered SNI check in ACLs (#1365)
* allow to force SSL for health checks (#1282)
Changed:
* improve wording for SNI conditions to differentiate between deciphered vs. not deciphered
2.16
Fixed:
* allow hyphens in server, frontend and backend names (#1346)
2.15
Added:
* rules can finally be sorted by using drag'n'drop (#582)
* added "enabled" field to servers (#1208)
* TCP inspection delays are supported in rules (#1188)
Changed:
* server option "mode" is always visible, no longer requires "advanced mode" (#1208)
* most dropdown fields finally have alphanumeric sorting (#687, opnsense/core#3251)
* rules: align indentation of comments in haproxy.conf
2.14
Fixed:
* bulk deleting does not work (#1164)
Changed:
* migrate to mutable controller (required to fix #1164)
2.13
Added:
* support multiple CAs for SSL verification for servers
Fixed:
* fix export of CAs (#1074)
Changed:
* export a frontend's default SSL certificate (#1088)
* it is no longer required to add a default SSL certificate to a frontend's "certificates" list (#1088)
* avoid duplicate entry in certlist file if a default SSL certificate is specified
* always show "Default certificate" option in frontends, it's no longer an "advanced" option
2.12
Added:
* add support for HTTP/2 (#1047)
2.11
Fixed:
* fix warning: a 'http-request' rule placed after a 'use_backend' rule will still be processed before (#999)
* fix wrong parameter name when using tcp-request content lua (#999)
Changed:
* internal: trim whitespace, remove empty lines in haproxy.conf (#999)
2.10
Added:
* add support for multithreading (available as new option in Settings -> Global Parameters) (#1003)
* add support for client certificate authentication (#426)
* add support for HTTP Basic Auth to frontends/backends/ACLs (#300)
* add basic user/group management functionality (supports Basic Auth as well as stats users)
* add new CPU Affinity Rules feature (which is a combination of HAProxy's cpu-map, bind-process and process options) (see #1003 for a short explanation)
Fixed:
* function "http-request header-delete" generated a corrupted haproxy.conf (#882)
Changed:
* migrate all stats users from old (and cumbersome) username:password format to new user management feature
* internal: use /tmp for autogenerated files (now they are automatically cleaned up on boot)
* internal: change filename of cert lists from id.crtlist to id.certlist
2.9
Added:
* add "http-reuse" option (#836)
2.8
Added:
* support truly seamless reloads (#224)
* add support for the "map" feature (#180)
Fixed:
* fix reload of service template in "reconfigure" action (#690; introduced in 7381101)
* enabling "hard stop" mode resulted in an invalid "hardrestart" RC command
Changed:
* use "reload" instead of "restart" RC action
* if "reload" fails, also issue a "restart" command (required when enabling seamless reloads)
* start progress animation (spinner) earlier when applying settings
2.7
Added:
* support rise/fall parameters in backends and health checks
* support set-path in ACLs
* support for cookie-based persistence (#680)
Fixed:
* fix X-Forwarded-For option disappeared (#647)
* fix validation for source address fields (#695)
2.6
Added:
* add support for http-response set-status in ACLs to manipulate HTTP status codes
Fixed:
* fix invalid backend name when using nbsrv in ACLs
2.5
Added:
* add support for the PROXY protocol (i.e. in combination with postfix or dovecot)
* switch to HAProxy 1.8.4
2.4
Added:
* add support for "preload" and "includeSubDomains" HSTS options (#447)
* support session sync / HAProxy peers (#165)
* add new HTTP timeout options (to mitigate slowloris attacks) (#202)
* allow tracking additional values in stick-tables (#202)
* add stick-table config for frontends (optional, disabled by default) (#202)
* add support for many new conditions (#202)
* enable sticky counters for frontend stick-tables (required for new conditions) (#202)
Changed:
* relax validation masks for several "name" fields (to allow more "special" characters)
* switch to new mutable service controller
2.3
Added:
* new option to hide introduction pages (#340)
Fixed:
* fix wrong introduction for "Advanced" tab (regression introduced in 8cdcbda)
2.2
Fixed:
* fix for rules parameters (values could not be saved, leading to invalid rules)
2.1
Fixed:
* do not enable HSTS unconditionally (now works as described in #380)
* enable HSTS only for HTTP frontends
2.0
Added:
* new GUI to guide new users and improve general usability (#208)
* make server port optional (#341)
* new SSL settings for frontends (#380)
* new global SSL default values (#380)
* new option for HTTP Strict Transport Security (#380)
Fixed:
* rephrase text to make it clear that aliases cannot be used (#360)
* rephrase text to make it clear that "use_server" will only work for backends (#361)