What Is New in HAProxy 2.4
HAProxy 2.4, released in May 2021 as a long-term supported branch, brings changes to security hardening, performance, and cloud-native integration. This page summarizes the items most relevant to operators; several features it covers (FastCGI proxying, logging to stderr) predate 2.4 but are still commonly deployed for the first time when upgrading to it.
| Category | Key Changes |
|---|---|
| New Features | DNS over TCP in the resolvers section; Prometheus exporter promoted from contrib to a built-in addon. FastCGI proxying (2.1) and logging to stdout/stderr (1.9) are older features also covered below |
| Improvements | HTTP connection management, HPACK encoder, server queue handling, SSL/TLS offloading |
| Bug Fixes | Memory management, connection handling, ACL and map file reloads |
| Deprecated | nbproc and the multi-process model (removed in 2.5). SSLv3, TLSv1.0 and TLSv1.1 are not removed; they must be disabled explicitly with ssl-min-ver |
How does HAProxy 2.4 improve DNS resolution?
HAProxy 2.4 adds DNS over TCP to the resolvers section: a nameserver whose address is prefixed with tcp@ is queried over a TCP connection instead of UDP. This is not DNS over HTTPS or DNS over QUIC, neither of which HAProxy's resolvers support, and it does not encrypt queries. What it does give you is answers that are no longer limited to one UDP datagram (large responses for server-template with many records are not truncated) and queries that an off-path attacker cannot spoof as easily as UDP. For service discovery that means more reliable resolution; confidentiality of DNS traffic still has to come from the network path or a local forwarder.
What new application protocols are supported?
FastCGI support, introduced in HAProxy 2.1 and therefore not new in 2.4, lets HAProxy speak FastCGI directly to application managers such as PHP-FPM, so a web server no longer needs to sit between the load balancer and PHP. There is no mode fastcgi keyword: you declare an fcgi-app section that sets the document root, index file and the PATH_INFO regex, reference it from a backend with use-fcgi-app, and mark the server line with proto fcgi. This removes one hop and one process from architectures that rely on FastCGI.
How is observability enhanced in this release?
The Prometheus exporter, shipped as a contrib in earlier versions, moves into addons/ in 2.4 and is compiled in with USE_PROMEX=1 (the official container images include it; haproxy -vv lists it when present). There is no expose-prometheus directive: metrics are served from a frontend or listen section with http-request use-service prometheus-exporter, normally guarded by a path ACL. Logging to stdout or stderr (log stderr format raw ...) has existed since 1.9 and fits container runtimes that collect the standard streams instead of syslog.
What performance optimizations were made?
The HPACK encoder used for HTTP/2 header compression was rewritten to reduce the CPU spent per header block. For queueing, balance random with two or more draws (balance random(2), available since 1.9, a power-of-two-choices scheme) picks the least loaded of the sampled servers instead of a purely random one, which keeps per-server queues short on heavily loaded pools. Both changes translate directly into lower latency and higher throughput for HTTP/2 traffic and busy backends.
Are there any important security deprecations?
The hard deprecation is the multi-process model: nbproc has been deprecated since 2.3 and is removed in 2.5, so configurations must move to nbthread (threads have been available since 1.8). HAProxy 2.4 does not remove SSLv3, TLSv1.0 or TLSv1.1, and allow-0rtt remains a supported bind option. The protocol floor is whatever ssl-min-ver sets, so the hardening step is yours: add ssl-default-bind-options ssl-min-ver TLSv1.2 (and the ssl-default-server-options equivalent for outbound TLS), and leave allow-0rtt off unless the application behind it is safe against replayed early data.
FAQ
How do I enable the new Prometheus metrics?
Use a build with USE_PROMEX=1, then in a frontend or listen section add http-request use-service prometheus-exporter if { path /metrics }. Prometheus scrapes that path in its text exposition format. Bind the section to an internal address or restrict the source with an ACL: the endpoint reveals backend and server names, versions and traffic counters.
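As an added example (not configuration from the HAProxy project or the original page) covering both the observability section above and this answer: a metrics listener that serves the built-in exporter only to a scraper subnet, with logs sent to stderr for a container runtime. The addresses 10.0.0.10 and 10.0.1.0/24 and the backend app1 are assumptions for the example.

```haproxy
global
    # Logs go to stderr in raw format (available since HAProxy 1.9), which a
    # container runtime such as Docker or Kubernetes collects directly.
    log stderr format raw local0 info
    # The exporter below needs a build with USE_PROMEX=1 (official images have it).

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend metrics
    # Internal address only (assumed); never expose this on a public interface.
    bind 10.0.0.10:8405
    # Only the Prometheus scrapers (assumed subnet) may reach the exporter.
    acl from_prometheus src 10.0.1.0/24
    http-request deny if !from_prometheus
    # Serve metrics on /metrics; use-service stops rule evaluation on match.
    http-request use-service prometheus-exporter if { path /metrics }
    # Any other path on this listener is refused with a 404.
    http-request deny deny_status 404

frontend web
    bind :80
    default_backend app

backend app
    # Application server (assumed address); it shows up in the exporter
    # output as haproxy_server_* series labelled proxy="app",server="app1".
    server app1 10.0.2.10:8080 check
```

Validate with haproxy -c -f before reloading, then curl http://10.0.0.10:8405/metrics from a host in the allowed subnet and from one outside it; the second request must be denied. The exporter is read-only, but the names and counters it publishes map your infrastructure, which is why the source restriction is part of the example rather than an afterthought.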
Can I use DoH with any DNS provider?
No. HAProxy's resolvers speak plain DNS over UDP or, since 2.4, over TCP by prefixing the nameserver address with tcp@. DNS over HTTPS is not supported and there is no proto https option on a nameserver line. To use a DoH provider you need a local forwarder that terminates DoH and answers plain DNS to HAProxy.
What replaces the deprecated nbproc?
Use nbthread in the global section, optionally with cpu-map to pin threads to cores. Threads have been available since 1.8 and became the recommended model because all threads share one process state: there are no per-process stick tables, statistics or health checks to reconcile, and a single Runtime API socket controls everything.
Is the FastCGI support a replacement for a web server?
No, it is a proxy feature. HAProxy forwards the request to the FastCGI process and fills in the FastCGI parameters (SCRIPT_FILENAME, PATH_INFO and so on) from the fcgi-app settings, but it never reads files from disk, so static content still needs a web server such as nginx or Apache behind a separate backend.
Why was the HPACK encoder rewritten?
The old implementation was inefficient and could become a CPU bottleneck for HTTP/2 traffic. The new encoder is much more performant, reducing CPU load and improving overall throughput.