What Is New in HAProxy 2.7
| Category | Key Changes |
|---|---|
| New Features | DNS over TCP, HTTP/3 Support (Tech Preview), Dynamic TLS Certificate Storage, Prometheus Exporter Improvements |
| Improvements | Cache Performance, HTTP FastCGI App Support, Lua API, SSL/TLS, Logging, I/O & Buffer Handling |
| Bug Fixes | Numerous fixes across core components, HTTP processing, and the SPOE framework |
| Deprecated | The hash-type directive's consistent keyword |
How is DNS resolution more robust now?
HAProxy 2.7 finally adds native support for DNS over TCP. This is a big deal because it prevents resolution failures for large DNS responses that exceed the traditional 512-byte UDP limit.
In practice, this makes service discovery much more reliable in modern environments like Kubernetes where DNS records can be large. You no longer have to worry about silent failures when a server list doesn't fit in a UDP packet.
What's the deal with HTTP/3 support?
This release introduces a technology preview of HTTP/3. You can enable it using the new h3 option in a bind line, allowing clients to connect over QUIC.
Since it's a preview, it's not recommended for production yet. However, it lets you start testing the next generation of HTTP, which reduces latency and improves performance on lossy networks compared to TCP.
How did TLS certificate management get easier?
A new dynamic certificate storage API allows TLS certificates to be managed in memory without being tied to a file on disk. This enables tighter integration with external systems like service meshes or custom secret management tools.
You can now load certificates directly from memory, which is faster and more flexible for automated, dynamic environments where certificates change frequently.
What performance improvements were made?
The cache feature received significant optimizations. It's now smarter about serving stale data while revalidating in the background, leading to faster response times for users during cache updates.
Under the hood, general I/O and buffer handling improvements reduce CPU usage, making the entire proxy more efficient even under heavy load.
What about monitoring and observability?
The built-in Prometheus exporter was enhanced to support more metrics and provide a more structured data format. This gives you deeper insight into HAProxy's internal state and performance.
You get better visibility without needing extra tools, which is crucial for debugging complex routing issues or understanding traffic patterns.
FAQ
Is HTTP/3 production-ready in HAProxy 2.7?
No, it is explicitly marked as a technology preview. It's intended for testing and development purposes only. Avoid using it for critical production traffic until it's declared stable in a future release.
Do I need to change my configuration to use DNS over TCP?
No, it's handled automatically. HAProxy will seamlessly fall back to TCP when it receives a truncated UDP response, making the transition completely transparent.
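The truncation fallback described above, sketched as an added example (this is not HAProxy's code; `resolve`, the helper names and the fake transports are hypothetical and constructed for illustration). It checks the TC bit in a UDP reply and retries over TCP, where each DNS message carries a 2-byte length prefix:

```python
import struct

UDP_LIMIT = 512    # classic DNS-over-UDP payload limit named in the text
TC_FLAG = 0x0200   # TC (truncated) bit in the DNS header flags word

def build_query(qname, txid, qtype=1):
    """Encode a minimal one-question DNS query (RD set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (txid, truncated) from the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & TC_FLAG)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    """Extract one length-prefixed message; reject incomplete frames."""
    (length,) = struct.unpack("!H", stream[:2])  # struct.error if prefix missing
    if len(stream) - 2 < length:
        raise ValueError("incomplete TCP frame")
    return stream[2:2 + length]

def resolve(query, udp_exchange, tcp_exchange):
    """Try UDP first; retry over TCP only when a matching reply has TC set."""
    txid = parse_header(query)[0]
    transport, reply = "udp", udp_exchange(query)
    reply_id, truncated = parse_header(reply)
    if reply_id == txid and truncated:
        transport = "tcp"
        reply = tcp_unframe(tcp_exchange(tcp_frame(query)))
        reply_id, _ = parse_header(reply)
    if reply_id != txid:  # never accept an answer for a different transaction
        raise ValueError("transaction ID mismatch")
    return transport, reply

# Constructed transports standing in for a name server (no network I/O).
def fake_udp(query):   # reply with QR, TC and RD set: the answer did not fit
    return query[:2] + struct.pack("!H", 0x8300) + query[4:]

def fake_tcp(framed):  # oversized reply, padded with zero bytes as filler
    q = tcp_unframe(framed)
    return tcp_frame(q[:2] + struct.pack("!H", 0x8100) + q[4:] + bytes(UDP_LIMIT))
```

Calling `resolve(build_query("backend.example", 0x1A2B), fake_udp, fake_tcp)` returns the `"tcp"` transport and a reply larger than 512 bytes.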
What should I use instead of the deprecated `consistent` keyword for `hash-type`?
You should migrate to the `consistent` keyword of the new `hash-balance-factor` directive. This new method provides better performance and more consistent hashing.
Can I use the new dynamic TLS certificates with my existing PKI system?
Yes, that's the primary use case. The new API is designed for integration with external certificate authorities and secret management systems that programmatically provide certificates.
How significant are the cache performance improvements?
They are substantial for cache-heavy deployments. The ability to serve stale content while revalidating asynchronously can drastically reduce latency spikes during cache expiration events.