mirror of
https://github.com/opnsense/plugins.git
synced 2026-02-19 02:29:23 -05:00
534 lines
15 KiB
Text
HAProxy is a free, very fast and reliable solution offering high
availability, load balancing, and proxying for TCP and HTTP-based
applications. It is particularly suited for web sites crawling under
very high loads while needing persistence or Layer7 processing.

Plugin Changelog
================

5.0

WARNING: This is a new major release, which may result in
incompatible changes for some users.

Added:
* add support for HTTP/3 over QUIC to frontends (#4341)
* add new rule: http-request silent-drop
* add new rule: http-after-response
* add new condition: HTTP method
* support custom HTTP status code in "http-request deny" rules
* add new backend option to control PROXY protocol for health checks (#2909)
* add support for new map file types: beg,end,int,ip,reg,str,sub (#3641)
* add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
* add support for HTTP compression (#4867)
* add all action keywords for http-request/-response and tcp-request/-response rules
* add "enabled" field to rules
* add support for all stick-table data types
* add support for GPC/GPT/SC to conditions and rules (#1123, #5109)
* add support for SSL SNI expression to servers (#3756)
* add column "mode" to servers overview (#4632)
* add support for loading mapfiles in conditions and rules
* add support for sample fetches in rules

Fixed:
* Maintenance tab "SSL Certificates" not working with only one cert

Changed:
* upgrade to HAProxy 3.2 release series (#5147)
* refactor http/tcp rules to make extensions easier
* rename some labels in rules
* change LUA boolean conversion (see tune.lua.bool-sample-conversion)
* stick-table "size" and "expiration time" are no longer advanced options (now always visible)
* replace stick-table type "ip" with "ipv4" (#5147)
* show the actual HAProxy option name in conditions for clarity
* allow stick-table types "binary", "integer" and "string" in backends
* make mapfiles more useful in rules

4.6

Changed:
* improve help text for "http-request redirect" rules (#4650)
* rename "http-request redirect" input field (#4650)

4.5

Changed:
* upgrade to HAProxy 3.0 release series (#4411)
* migrate cert export to Trust MVC

4.4

Fixed:
* Cron job "Sync SSL certificate changes" not working (#4035)
* Template error with empty user group (#3364)

4.3

Added:
* Add new global parameter: DNS prefer IP family (#3779)

Fixed:
* SNI not working when automatic OCSP updates are enabled (#3779)
* HAProxy error: has an OCSP URI but an error occurred (#3779)

Changed:
* prefer IPv4 results when resolving DNS names (#3779)
* disable OCSP updates if cert contains no OCSP data (#3779)

4.2

Added:
* add support for built-in OCSP update feature
* add support for forwarded header (RFC7239)
* add option "X-Forwarded-For Header" to backend settings
* add options for HTTP/2 performance tuning

Fixed:
* fix SSL sync cron job (bulk sync was never working properly)

Changed:
* upgrade to HAProxy 2.8 release series (#3459)
* change default for HTTP/2 to enabled (only new frontends/backends)
* add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends)
* move OCSP settings from "Service" to "Global" section
* replace bundled haproxyctl library with haproxy-cli

Deprecated:
* frontend option "X-Forwarded-For Header" (the backend option should be used)

Removed:
* remove OCSP update cron job

4.1

Fixed:
* fix SSL preferences in health checks (#3221)

4.0

Added:
* add new service option "Gradual connection close time" (close-spread-time) (#3026)
* add new frontend option "shards" (#3026)

Changed:
* upgrade to HAProxy 2.6 release series (#3026)
* rename frontend option "Type" to "Connection Mode" (#3026)
* migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
* replace "process" with "threads" bind keyword for CPU Affinity (#3026)
* no longer duplicate global defaults in backends/frontends (#2642)

Removed:
* remove Processes/nbproc option (use Threads/nbthread instead) (#3026)
* remove "Process ID" from CPU Affinity settings (now always 1) (#3026)
* remove "bind-process" option (replaced by the "threads" bind keyword) (#3026)
* remove options "http-tunnel" and "forceclose" from "Connection Mode" (#3026)

3.12

Added:
* add support for req.ssl_hello_type (#2311)
* add support for Prometheus exporter (#2764)
* add support for FastCGI applications (#2769)
* add server option to override the multiplexer protocol

Fixed:
* fix unix sockets in chrooted environment (#3093)
* fix peers by automatically configuring the local peer (#3114)

Changed:
* update HAProxy documentation URLs

3.11

Added:
* add support for cache parameter (#2908)

3.10

WARNING: This release switches to the HAProxy 2.4 release series,
which may result in incompatible changes for some users.

Added:
* add support for DNS resolution over TCP (#2644)

Changed:
* upgrade to HAProxy 2.4 release series (#2644)
* disable strict-limits for safekeeping (#2644)

Removed:
* remove deprecated option tune.chksize (#2644)

3.9

Added:
* add SSL SNI setting to servers and health checks (#2388)

Fixed:
* fix custom TCP health checks (#2653)

Changed:
* replace "force SSL" setting with "SSL preferences" in health checks (#2388)
* health check port is no longer an advanced option

3.8

Added:
* add support for unix sockets (#2040)
* add "max connections" option to servers (#2641)

Changed:
* allow setting "max connections" to "0" (unlimited)
* raise maximum value for "max connections" to 10000000

3.7

Added:
* add options "preload" and "filename scheme" to Lua scripts (#2265)
* add syslog-ng socket for logging (#2620)
* show hint to apply changes after every config change (#2590)
* show warning for pending configuration changes (#2590)

Fixed:
* unable to use the "require" function in Lua scripts (#2265)
* request logging not working (#2587)
* fix syntax error in template (#2619)

Changed:
* set "lua-prepend-path" so that Lua scripts can be found (#2265)
* show "apply" and "test syntax" buttons on introduction pages

3.6

Added:
* add support for advanced resolver properties (#2330)
* add graceful stop timeout to service settings
* support "monitor-uri" and "monitor fail" in rules (#2387)
* add new option "case-sensitive" to conditions (#2576)

Fixed:
* no haproxy.conf after restoring a config backup (#2474)

Changed:
* deploy haproxy.conf if it does not exist (#2474)
* add new timeout (60s) which will terminate open connections when using graceful stop
* allow retries to be set to "0" (#2585)

3.5

Fixed:
* fix maintenance page not loading (#2485)

3.4

Fixed:
* fix empty resolve-prefer option (#2340)

3.3

Changed:
* use HAProxy socket to apply updated OCSP stapling data (in cron job) (#2351)

3.2

Fixed:
* fix config test when HAProxy service is not enabled

Changed:
* ignore incompatible ciphersuites options when LibreSSL is used (#2013)

3.1

Fixed:
* fix items that cannot be deleted (#2266)

Changed:
* rules: only accept a single value for backend/server fields (#2266)

3.0

Added:
* add new maintenance page to change server state and weight on-the-fly (#2213)
* add new commands to update SSL certificates in runtime (#2244, #1882)
* add new SSL bind option: prefer-client-ciphers
* add global option to enable old buggy behaviour for PROXY v2 connections
* add support for HTTP/2 in health checks
* add config export (#2035)
* add config diff
* guard against broken config by using a staging config file
* add basic OCSP stapling support (#1430)
* add support for e-mail alerts and mailers (#1669)
* add support for custom header checks (#1907)
* add support for server templates (#1975)
* add support for additional resolver options (#1975)
* add support for resolve-prefer option (#1975)
* add pre-defined cron jobs to maintenance page

Fixed:
* prevent service outage by aborting "Apply" when configtest fails
* fix direct links to individual statistics tabs
* prevent the deletion of items that are still referenced elsewhere (core/#1897)

Changed:
* upgrade to HAProxy 2.2 release series (#2092)
* change default SSL version to TLSv1.2 (ssl-min-ver)
* remove weak ciphers from (default) SSL settings
* remove default SSL bind options that would conflict with ssl-min-ver
* move SSL bind options below other SSL settings, they are rarely used nowadays
* change default for tune.ssl.default-dh-param from 1024 to 2048
* use new "http-check send" command for HTTP health checks
* change default for spreadChecks from 0 to 2
* no longer overwrite live config file when running a syntax check
* make restart/reload commands usable in cron jobs
* relax GUI input validation for servers, move validation to jinja template (#1975)

Deprecated:
* nbproc is deprecated and will be removed in os-haproxy 4.0

2.26

Fixed:
* preserve sort order of default SSL bind options

2.25

Added:
* add support for TLSv1.3 (#790)

2.24

Added:
* add support for http-request set-var and http-response set-var (#1796)
* add group as userlist to HAProxy config to make it usable in rules/conditions (#1796)
* add support for resolvers to customize how HAProxy handles name resolution (#1787)
* add support for init-addr to allow HAProxy to start when DNS does not resolve (#1787)

Fixed:
* honor sort order of all rules, remove special handling of "use_[backend|server]" options (#1925)

Changed:
* add "Save & Test syntax" button to all "Settings" pages
* add "introduction" page for Settings tab
* streamline "Settings" subtabs

2.23

Fixed:
* add missing acl SNI regex text field (#1883)

2.22

Added:
* enable SSL verification for a server when "Force SSL" is enabled in the associated health check (#1761)
* use the system's local Root CA Certificates for SSL verification when no CA was selected (#1761)

Fixed:
* fix label of src_sess_cnt (#1780)
* fix invalid use of option httplog (resolves a warning in config test)
* fix invalid use of option forwardfor (resolves a warning in config test)

2.21

Fixed:
* override "graceful" restart if required (#1745)

2.20

Changed:
* update stats socket permission for easier (non-root) monitoring (#1232)

2.19

Added:
* switch to HAProxy 2.0 release series (#1089)
* add support for the "max-object-size" cache configuration option (#1458)
* add end-to-end HTTP/2 support (details)
* add support for the random balancing algorithm (details)

Fixed:
* fix IPv6 validation in frontends (#540)

Changed:
* add IPv6 example to listen address help text
* update URLs to HAProxy 2.0 documentation
* frontends: move HTTP/2 option to HTTP settings
* change order of frontend options

2.18

Added:
* add support for HAProxy cache (#1442)

Changed:
* change http-reuse default (align with HAProxy's default value, #1439)

2.17

Added:
* allow backends without servers (#1304)
* add support for deciphered SNI check in ACLs (#1365)
* allow to force SSL for health checks (#1282)

Changed:
* improve wording for SNI conditions to differentiate between deciphered vs. not deciphered

2.16

Fixed:
* allow hyphens in server, frontend and backend names (#1346)

2.15

Added:
* rules can finally be sorted by using drag'n'drop (#582)
* added "enabled" field to servers (#1208)
* TCP inspection delays are supported in rules (#1188)

Changed:
* server option "mode" is always visible, no longer requires "advanced mode" (#1208)
* most dropdown fields finally have alphanumeric sorting (#687, opnsense/core#3251)
* rules: align indentation of comments in haproxy.conf

2.14

Fixed:
* bulk deleting does not work (#1164)

Changed:
* migrate to mutable controller (required to fix #1164)

2.13

Added:
* support multiple CAs for SSL verification for servers

Fixed:
* fix export of CAs (#1074)

Changed:
* export a frontend's default SSL certificate (#1088)
* it is no longer required to add a default SSL certificate to a frontend's "certificates" list (#1088)
* avoid duplicate entry in certlist file if a default SSL certificate is specified
* always show "Default certificate" option in frontends, it's no longer an "advanced" option

2.12

Added:
* add support for HTTP/2 (#1047)

2.11

Fixed:
* fix warning: a 'http-request' rule placed after a 'use_backend' rule will still be processed before (#999)
* fix wrong parameter name when using tcp-request content lua (#999)

Changed:
* internal: trim whitespace, remove empty lines in haproxy.conf (#999)

2.10

Added:
* add support for multithreading (available as new option in Settings -> Global Parameters) (#1003)
* add support for client certificate authentication (#426)
* add support for HTTP Basic Auth to frontends/backends/ACLs (#300)
* add basic user/group management functionality (supports Basic Auth as well as stats users)
* add new CPU Affinity Rules feature (which is a combination of HAProxy's cpu-map, bind-process and process options) (see #1003 for a short explanation)

Fixed:
* function "http-request header-delete" generated a corrupted haproxy.conf (#882)

Changed:
* migrate all stats users from old (and cumbersome) username:password format to new user management feature
* internal: use /tmp for autogenerated files (now they are automatically cleaned up on boot)
* internal: change filename of cert lists from id.crtlist to id.certlist

2.9

Added:
* add "http-reuse" option (#836)

2.8

Added:
* support truly seamless reloads (#224)
* add support for the "map" feature (#180)

Fixed:
* fix reload of service template in "reconfigure" action (#690; introduced in 7381101)
* enabling "hard stop" mode resulted in an invalid "hardrestart" RC command

Changed:
* use "reload" instead of "restart" RC action
* if "reload" fails, also issue a "restart" command (required when enabling seamless reloads)
* start progress animation (spinner) earlier when applying settings

2.7

Added:
* support rise/fall parameters in backends and health checks
* support set-path in ACLs
* support for cookie-based persistence (#680)

Fixed:
* fix X-Forwarded-For option disappeared (#647)
* fix validation for source address fields (#695)

2.6

Added:
* add support for http-response set-status in ACLs to manipulate HTTP status codes

Fixed:
* fix invalid backend name when using nbsrv in ACLs

2.5

Added:
* add support for the PROXY protocol (i.e. in combination with postfix or dovecot)
* switch to HAProxy 1.8.4

2.4

Added:
* add support for "preload" and "includeSubDomains" HSTS options (#447)
* support session sync / HAProxy peers (#165)
* add new HTTP timeout options (to mitigate slowloris attacks) (#202)
* allow tracking additional values in stick-tables (#202)
* add stick-table config for frontends (optional, disabled by default) (#202)
* add support for many new conditions (#202)
* enable sticky counters for frontend stick-tables (required for new conditions) (#202)

Changed:
* relax validation masks for several "name" fields (to allow more "special" characters)
* switch to new mutable service controller

2.3

Added:
* new option to hide introduction pages (#340)

Fixed:
* fix wrong introduction for "Advanced" tab (regression introduced in 8cdcbda)

2.2

Fixed:
* fix for rules parameters (values could not be saved, leading to invalid rules)

2.1

Fixed:
* do not enable HSTS unconditionally (now works as described in #380)
* enable HSTS only for HTTP frontends

2.0

Added:
* new GUI to guide new users and improve general usability (#208)
* make server port optional (#341)
* new SSL settings for frontends (#380)
* new global SSL default values (#380)
* new option for HTTP Strict Transport Security (#380)

Fixed:
* rephrase text to make it clear that aliases cannot be used (#360)
* rephrase text to make it clear that "use_server" will only work for backends (#361)