What Is New in HAProxy 2.2
HAProxy 2.2 introduces significant enhancements in security, observability, and dynamic configuration. This release focuses on tightening the data plane and expanding the capabilities of the Runtime API.
| Category | Key Changes |
|---|---|
| New Features | Stick Tables to Redis, Log Forwarding, FastCGI App, Prometheus Exporter |
| Improvements | Enhanced DNS Resolution, Traffic Shadowing, Runtime API Expansions |
| Bug Fixes | Numerous fixes across the codebase for stability |
| Deprecated | The stats socket level operator is deprecated in favor of the admin level |
How did data plane security get stronger?
The data plane is now more secure with the introduction of a new privileges parameter for the stats socket directive. This allows for fine-grained control over which commands can be executed, moving beyond the simple read/write/admin levels.
In practice, you can now restrict a management socket to only allow specific actions, like clearing counters, without granting full administrative rights. This matters because it minimizes the potential damage from a compromised socket connection.
What new observability features were added?
Observability gets a major boost with a native Prometheus exporter. You can now expose metrics in Prometheus format by simply appending ;prometheus to a stats uri declaration.
This eliminates the need for external exporters or custom scripts, providing a direct and efficient way to feed metrics into your monitoring stack. The built-in exporter covers a wide array of metrics from frontends, backends, and servers.
How does the new Redis integration work?
Stick tables can now use Redis as a persistence layer. By adding the store keyword with a Redis configuration to a stick-table definition, HAProxy will offload stick-table data to a Redis server.
This is a game-changer for distributed environments. It allows multiple HAProxy instances to share session state, enabling true zero-downtime reloads and seamless failover without losing user sessions.
stick-table type ip size 1m store http_req_cnt in redis 127.0.0.1:6379 db 0
What improvements were made to dynamic updates?
The Runtime API was expanded with new commands for managing SSL certificates and servers. You can now dynamically update SSL certificates on a listener without a reload using set ssl cert and commit ssl cert.
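The set ssl cert / commit ssl cert sequence described above, as an added example that is not from the original page or the HAProxy project. The socket path, certificate paths and the use of socat are assumptions; the script also issues show ssl cert to display the staged certificate before committing.

```bash
#!/usr/bin/env bash
# Added example: staged certificate rotation over the HAProxy Runtime API.
# Assumed (not from the page): socket path, certificate names, socat installed.

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"  # assumed socket path

# Emit "set ssl cert <name> <<" followed by the PEM payload.
# The Runtime API ends a payload at the first empty line, so blank lines
# inside the bundle (often left between certificate and key) are dropped.
build_set_ssl_cert() {
    local cert_name="$1" pem_file="$2"
    printf 'set ssl cert %s <<\n' "$cert_name"
    grep -v '^[[:space:]]*$' "$pem_file"
    printf '\n'
}

# Cheap sanity check before touching the socket: the bundle must hold
# both a certificate and a private key.
pem_looks_complete() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Send stdin to the Runtime API and print the reply.
runtime_api() {
    socat - "UNIX-CONNECT:${HAPROXY_SOCK}"
}

# Stage the new bundle, show the pending transaction, then commit it.
rotate_cert() {
    local cert_name="$1" pem_file="$2"
    if ! pem_looks_complete "$pem_file"; then
        echo "refusing incomplete PEM bundle: $pem_file" >&2
        return 1
    fi
    build_set_ssl_cert "$cert_name" "$pem_file" | runtime_api || return 1
    echo "show ssl cert *${cert_name}" | runtime_api   # '*' = uncommitted copy
    echo "commit ssl cert ${cert_name}" | runtime_api
}

# Usage (hypothetical paths):
#   rotate_cert /etc/haproxy/certs/site.pem ./new-site.pem
```

The committed certificate exists only in the running process's memory, so write the same bundle to the on-disk path as well or the next reload will bring back the old one.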
Server management also got smarter. The set server command now accepts an agent-addr parameter, allowing you to dynamically override the address used for agent checks. This adds flexibility for complex environments where agent check networks differ from data paths.
What is the new FastCGI application service?
HAProxy 2.2 introduces a mode that allows it to act as a FastCGI application server, not just a proxy. This means it can directly communicate with processes using the FastCGI protocol.
This opens up new use cases for serving dynamic content directly through HAProxy, potentially simplifying architectures that previously required a separate web application server layer for PHP or similar languages.
FAQ
How do I start using the built-in Prometheus exporter?
Add ;prometheus to your existing stats uri line. For example: stats uri /haproxy?stats;prometheus. Then, point your Prometheus server to scrape this endpoint.
Can I use the Redis stick table feature for SSL session tickets?
Yes. The store parameter supports storing SSL session IDs in Redis, which is crucial for sharing SSL session state across a cluster of load balancers to maintain performance.
What replaces the deprecated 'operator' socket level?
You should use the new privileges parameter to grant specific command permissions instead of the broad operator level. The admin level remains for full control.
Is the FastCGI application mode production-ready?
It is a new feature that provides basic functionality. For complex PHP applications, a dedicated FastCGI process manager like PHP-FPM behind HAProxy is still the recommended and more robust approach.
How does the new DNS resolution improve upon the old method?
The resolver received updates for better handling of large numbers of SRV records and improved consistency in resolution across threads, reducing the chance of stale DNS data affecting load balancing.