What Is New in HAProxy 2.1
HAProxy 2.1 introduces significant enhancements in observability, security, and dynamic configuration. This release focuses on making the load balancer more transparent and easier to manage at scale.
| Category | Key Changes |
|---|---|
| New Features | HTTPS Logging, Dynamic SSL Certificates, Log Forwarding, Prometheus Exporter |
| Improvements | Cache Performance, Stick Table Data Retention, ACL and Sample Fetch Updates |
| Bug Fixes | HTTP/2, SSL/TLS, Connection Management, and Memory Handling |
| Deprecated | None specifically mentioned for this release. |
How does HTTPS logging improve troubleshooting?
You can now log directly over HTTPS, which secures your log data in transit. This is a big deal for compliance and prevents sensitive data from being exposed on the wire. It integrates with services like Splunk and Elasticsearch without needing a separate log shipper.
In practice, you configure it with a log line that specifies an HTTPS endpoint. The load balancer handles the TLS connection, making your logging pipeline both simpler and more secure from end to end.
What's the deal with dynamic SSL certificates?
This feature lets you load new SSL certificates on the fly without a reload. You use the Runtime API to add or update certificates, which is perfect for large-scale environments with thousands of domains.
This matters because it eliminates service interruption during certificate rotations. You can automate cert updates from an ACME client like Certbot, making your infrastructure more resilient and easier to maintain.
Can HAProxy forward logs to a remote server?
Yes, the new Log Forwarding feature acts as a built-in syslog client. It can send logs to multiple destinations simultaneously, which is great for redundancy or sending data to different analysis tools.
You define a log forward section in your configuration and then reference it from your frontends and backends. This separates the logging logic from the proxy logic, giving you more flexibility in how you handle observability data.
How is the built-in Prometheus exporter used?
A new stats frontend exposes metrics in the Prometheus format natively. You just point Prometheus to the HAProxy stats URI, and it scrapes the data without needing any exporters or converters.
This simplifies your monitoring stack significantly. You get immediate insight into key metrics like request rates, error codes, and backend health, all formatted correctly for Prometheus.
What performance gains were made with caching?
The HTTP cache now supports conditional requests (If-Modified-Since). This means HAProxy can serve a 304 Not Modified response without hitting the origin server, reducing backend load and improving response times for clients.
It also handles the Vary header more intelligently, creating separate cache entries for different content types. This prevents clients from getting the wrong version of a resource, which is a common headache with caching.
FAQ
Do I need to change my configuration to use HTTPS logging?
Yes, you must update your log directives to point to an https:// URL instead of a traditional syslog address. The configuration syntax changes to support the new protocol.
Can I use the dynamic certificate API with Let's Encrypt?
Absolutely. This is a primary use case. You can hook an ACME client into the Runtime API to automatically deploy new certificates as they are issued, achieving zero-downtime renewals.
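The rotation described in the dynamic SSL certificates section and in this answer can be scripted as a Certbot deploy hook. The script below is an added example, not code from the original page or from the HAProxy project; it uses the Runtime API commands `set ssl cert`, `commit ssl cert` and `abort ssl cert`. The socket path, the bundle path and the use of `socat` are assumptions, and the certificate is assumed to be already loaded by HAProxy from that bundle path.

```bash
#!/usr/bin/env bash
# Added example: Certbot deploy hook that updates a certificate HAProxy already serves.
# Assumed (not from the page): socket path, bundle path, socat installed.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
HAPROXY_PEM="${HAPROXY_PEM:-/etc/haproxy/certs/site.pem}"

# The bundle must carry both the certificate chain and its private key.
pem_has_cert_and_key() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Emit the "set ssl cert" command. A Runtime API payload ends at the first
# empty line, so blank lines (and CRs) in the bundle are stripped to keep
# the upload from being cut short before the private key.
build_set_cert_cmd() {
  printf 'set ssl cert %s <<\n' "$1"
  tr -d '\r' < "$2" | grep -v '^[[:space:]]*$'
  printf '\n'
}

runtime_api() { socat - "UNIX-CONNECT:${HAPROXY_SOCK}"; }

deploy() {
  local lineage="$1" bundle reply rc=1
  bundle="$(mktemp)" || return 1          # mktemp creates the file with mode 0600
  cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$bundle"
  if ! pem_has_cert_and_key "$bundle"; then rm -f "$bundle"; return 1; fi
  reply="$(build_set_cert_cmd "$HAPROXY_PEM" "$bundle" | runtime_api)"
  case "$reply" in
    *"Transaction created"*)
      reply="$(echo "commit ssl cert $HAPROXY_PEM" | runtime_api)"
      case "$reply" in *"Success!"*) rc=0 ;; esac ;;
  esac
  if [ "$rc" -eq 0 ]; then
    # Runtime API changes live in memory only: write the bundle to disk
    # too, or the next reload or restart brings the old certificate back.
    install -m 600 "$bundle" "$HAPROXY_PEM"
  else
    echo "abort ssl cert $HAPROXY_PEM" | runtime_api >/dev/null
    echo "HAProxy did not accept the update: $reply" >&2
  fi
  rm -f "$bundle"
  return "$rc"
}

# Certbot exports RENEWED_LINEAGE to deploy hooks; nothing runs without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy "$RENEWED_LINEAGE"; fi
```

Register it with Certbot's `--deploy-hook` option, and keep the stats socket restricted to an admin-level user, since anything that can write to it can replace the served certificate.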
What happens if my log forwarding destination is down?
HAProxy can buffer log messages in memory if the remote server becomes unavailable. This prevents log loss during network partitions, but you need to size your buffers appropriately for your expected log volume.
Is the Prometheus exporter enabled by default?
No, you must explicitly configure a frontend with the mode prometheus-exporter option to expose the metrics. It doesn't run automatically without setup.
Were there any breaking changes in the ACL or sample fetch system?
Mostly additive. New sample fetches were added, like ssl_bc_alg_keysize, but existing ones remain unchanged. Always test your configs, but upgrades from 2.0 should be smooth.