What Is New in HAProxy 2.8
HAProxy 2.8 delivers significant enhancements in observability, security, and performance tuning. This release focuses on giving operators deeper insights and more granular control over their load balancers.
| Category | Key Changes |
|---|---|
| New Features | OpenTelemetry integration (via the built-in Prometheus exporter and an OTel Collector), Runtime API SSL certificate management, stick table inspection over the Runtime API |
| Improvements | DNS resolution (DNS over TCP, startup address resolution), logging, Prometheus exporter, server queue priority |
| Bug Fixes | Numerous fixes across HTTP, SPOE, SSL, and the runtime API |
| Deprecated | None specified in this release |
How does OpenTelemetry integration improve monitoring?
HAProxy 2.8 does not ship a native OpenTelemetry exporter, and there is no opentelemetry section in haproxy.cfg: a block of the form opentelemetry my-otel-exporter with endpoint, timeout, batch-size and batch-wait keywords will not parse. What HAProxy does provide is the built-in Prometheus exporter (http-request use-service prometheus-exporter), and an OpenTelemetry Collector reads that endpoint with its Prometheus receiver, so no separate stats intermediary is needed. For traces, the OpenTracing filter addon (filter opentracing, available since 2.4 in builds compiled with it) can hand spans to a Collector through an OpenTracing-compatible tracer.
In practice this still simplifies the observability stack: once the Collector scrapes HAProxy, you can correlate its metrics with traces and logs from other services in the same backend and get a unified view of system performance.
Configuration is small: expose the exporter on a dedicated frontend, restrict who may scrape it, and point the Collector at it.
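The metrics frontend described above, as an added example rather than configuration from the page or from the HAProxy project; the bind address, the scraper subnet and the backend name are assumptions:

```haproxy
# Added example: expose HAProxy's built-in Prometheus exporter so an
# OpenTelemetry Collector can scrape it. Addresses and the ACL are assumptions.
frontend metrics
    bind 127.0.0.1:8404
    mode http
    no log

    # Metric names, backend names and server addresses are internal topology;
    # only the Collector host(s) may read them (assumed subnet).
    acl from_collector src 10.0.0.0/24
    http-request deny unless from_collector

    # Serve /metrics from the built-in exporter; anything else is 403.
    http-request use-service prometheus-exporter if { path /metrics }
    http-request deny
```

On the Collector side, add a prometheus receiver whose scrape_configs target 127.0.0.1:8404 with metrics_path /metrics, then wire that receiver into the metrics pipeline that feeds your OTel backend. Reload HAProxy and confirm with curl -s http://127.0.0.1:8404/metrics | head from the Collector host that the endpoint answers and that a host outside the ACL gets 403.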
What's new for managing SSL certificates?
SSL certificate management through the Runtime API lets you add, update and remove certificates in a running process without a reload. It is not new to 2.8: set ssl cert, commit ssl cert, abort ssl cert, new ssl cert, del ssl cert and show ssl cert have been in the Runtime API since the 2.1/2.2 releases, and 2.8 carries them unchanged.
This matters because it removes an operational headache. Certificate rotations no longer need a reload, so long-lived streams such as WebSockets stay on the same process. Two caveats apply: the new certificate is used only for TLS handshakes performed after the commit, so sessions already established keep the certificate they negotiated until they reconnect; and the update lives only in memory, so you must also write the new PEM to the path HAProxy loads from, or the next reload silently reverts to the old certificate.
You manage certificates over the stats socket (which must be configured with level admin) as a transaction: set ssl cert <filename> <<, the PEM payload and a blank line create the transaction, commit ssl cert <filename> applies it, and abort ssl cert <filename> discards it. The filename is the one HAProxy already knows, as listed by show ssl cert.
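The set/commit transaction described above, written out as a small rotation script. This is an added example, not HAProxy's own code: the socket path, the certificate name and the reply strings it checks for are assumptions, and it uses only the standard library.

```python
"""Added example (not HAProxy's code): push a renewed PEM bundle to a running
HAProxy through the Runtime API as a set/commit transaction, then persist it.

Assumptions: the stats socket is at SOCKET_PATH with `level admin`; the
certificate is already loaded under CERT_NAME (the path `show ssl cert`
lists); the reply strings tested in succeeded() are the ones current HAProxy
releases print and are an assumption for other versions.
"""
import os
import re
import socket
import tempfile

SOCKET_PATH = "/var/run/haproxy.sock"          # assumed stats socket
CERT_NAME = "/etc/haproxy/certs/site.pem"      # assumed name known to HAProxy

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def check_pem_bundle(pem: str) -> list[str]:
    """Return the problems found; an empty list means the bundle looks sane.
    HAProxy expects key and certificate chain in one PEM file, so refuse a
    bundle missing either before touching the running process."""
    kinds = [m.group(1) for m in _PEM_BLOCK.finditer(pem)]
    problems = []
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append("no PRIVATE KEY block")
    if "ENCRYPTED PRIVATE KEY" in kinds:
        problems.append("encrypted key: HAProxy cannot prompt for a passphrase")
    return problems


def build_set_cert(name: str, pem: str) -> str:
    """`set ssl cert <name> <<`, the payload, then the blank line that ends it."""
    return f"set ssl cert {name} <<\n{pem.strip()}\n\n"


def runtime_cmd(sock_path: str, command: str) -> str:
    """Send one Runtime API command and return the whole reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode())
        chunks = []
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def succeeded(reply: str) -> bool:
    """Assumed replies: set ssl cert answers 'Transaction created for
    certificate <name>!', commit ssl cert answers 'Success!'; anything else
    is an error message."""
    return "Success!" in reply or "Transaction created" in reply


def persist(name: str, pem: str) -> None:
    """Runtime updates are not persisted: write the file HAProxy loads on its
    next reload, atomically and with key-appropriate permissions."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(name), prefix=".cert-")
    with os.fdopen(fd, "w") as f:
        f.write(pem.strip() + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, name)


def rotate(sock_path: str, name: str, pem: str) -> None:
    problems = check_pem_bundle(pem)
    if problems:
        raise ValueError("refusing to push bundle: " + "; ".join(problems))
    reply = runtime_cmd(sock_path, build_set_cert(name, pem))
    if not succeeded(reply):
        raise RuntimeError(f"set ssl cert failed: {reply.strip()}")
    reply = runtime_cmd(sock_path, f"commit ssl cert {name}\n")
    if not succeeded(reply):
        runtime_cmd(sock_path, f"abort ssl cert {name}\n")
        raise RuntimeError(f"commit ssl cert failed: {reply.strip()}")
    persist(name, pem)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:   # usage: rotate.py /path/to/new-bundle.pem
        rotate(SOCKET_PATH, CERT_NAME, f.read())
```

The order matters: the bundle is validated before any socket traffic, the file on disk is only rewritten after HAProxy has accepted the commit, and a failed commit is aborted so it does not leave a dangling transaction that blocks the next rotation. Run show ssl cert <name> afterwards to confirm the serial and validity dates you expect.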
How can I debug stick table data more effectively?
Stick table inspection over the Runtime API lets you look at live entries: which keys are tracked, how long until they expire, and the counters stored for each. That is what you need when debugging session affinity, rate limits or tracking down an abusive client.
The command is show table <name>. Filter it with data.<type> <operator> <value> (operators eq, ne, le, lt, ge, gt) or with key <key> to look at a single entry; there is no data.sample operator and no random sampling. Always filter on a large table: dumping every entry is expensive on a busy proxy.
Each output line carries the entry's key, its use count, exp (milliseconds until expiry) and every data type the table stores, so you can verify that your http-request track-sc rules update the counters you expect. clear table <name> key <key> evicts a single entry, and set table <name> key <key> data.<type> <value> adjusts a counter by hand.
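A parser for that listing, as an added example that is not HAProxy's code: it composes the show table command, parses the reply and applies the same data.<type> <op> <value> filter locally. The socket path is an assumption and the sample listing is constructed in the shape show table prints.

```python
"""Added example, not HAProxy's own code: read a stick table through the
Runtime API, parse the `show table` listing and apply the same
`data.<type> <op> <value>` filter HAProxy accepts, locally.

Assumptions: the stats socket lives at SOCKET_PATH; SAMPLE_OUTPUT is a
constructed listing in the shape `show table` prints, not captured data.
"""
import re
import socket

SOCKET_PATH = "/var/run/haproxy.sock"  # assumed stats socket (level admin)

# Constructed sample of `show table st_src_global` output (not real data).
SAMPLE_OUTPUT = """# table: st_src_global, type: ip, size:1048576, used:3
0x55e3f1c6a1b0: key=192.0.2.10 use=0 exp=3599842 gpc0=0 http_req_rate(10000)=42
0x55e3f1c6a240: key=198.51.100.7 use=1 exp=59980 gpc0=3 http_req_rate(10000)=1207
0x55e3f1c6a2d0: key=203.0.113.9 use=0 exp=12 gpc0=0 http_req_rate(10000)=0
"""

OPS = {
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "lt": lambda a, b: a < b,  "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,  "ge": lambda a, b: a >= b,
}

_ENTRY = re.compile(r"^0x[0-9a-fA-F]+: (.*)$")
_FIELD = re.compile(r"(\w+)(?:\((\d+)\))?=(\S+)")


def build_show_table(table, data_type=None, op=None, value=None, key=None):
    """Compose `show table <name> [data.<type> <op> <value>] [key <key>]`."""
    parts = ["show table", table]
    if data_type is not None:
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}; use one of {sorted(OPS)}")
        parts += [f"data.{data_type}", op, str(value)]
    if key is not None:
        parts += ["key", key]
    return " ".join(parts) + "\n"


def _num(raw):
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_show_table(text):
    """One dict per entry: key, use, exp (ms left) and each stored data type.
    A rate counter's period (ms) lands under '<type>_period'."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:  # the "# table:" header and blank lines carry no entry
            continue
        entry = {}
        for name, period, raw in _FIELD.findall(m.group(1)):
            entry[name] = raw if name == "key" else _num(raw)
            if period:
                entry[f"{name}_period"] = int(period)
        entries.append(entry)
    return entries


def filter_entries(entries, data_type, op, value):
    """Local equivalent of HAProxy's data.<type> <op> <value> filter."""
    return [e for e in entries if data_type in e and OPS[op](e[data_type], value)]


def query(sock_path, command):
    """Send one Runtime API command and return the full reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode())
        chunks = []
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def abusers(listing, threshold):
    """Keys whose http_req_rate exceeds threshold in a show table listing."""
    hits = filter_entries(parse_show_table(listing), "http_req_rate", "gt", threshold)
    return [e["key"] for e in hits]


if __name__ == "__main__":
    # Let HAProxy filter server-side: a full dump of a large table is costly,
    # so always pass a data.<type> filter or a key.
    cmd = build_show_table("st_src_global", "http_req_rate", "gt", 100)
    print(abusers(query(SOCKET_PATH, cmd), 100))
```

Against the constructed sample, abusers(SAMPLE_OUTPUT, 100) returns only 198.51.100.7; a client with a high rate but a tiny exp is about to be forgotten, so an exp value near zero next to a large counter usually means your table expire is shorter than the rate period you are measuring.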
What improvements were made to DNS resolution?
Servers whose addresses come from a resolvers section can be resolved at startup, and the server option init-addr decides what happens before the resolver's first successful answer: with init-addr libc,last,none HAProxy first tries the libc resolver, then the last address saved in the server-state file, and otherwise starts the server without an address so the proxy comes up and the server is brought in once a resolution succeeds. That avoids a startup failure for services that are discovered asynchronously.
There is no usevc keyword in HAProxy (that name belongs to glibc's resolv.conf). DNS over TCP is configured per nameserver by prefixing its address with tcp@ (supported since 2.4), which matters for large answers such as SRV records with many targets that would otherwise be truncated over UDP. If you stay on UDP, raise accepted_payload_size in the resolvers section (up to 8192) so HAProxy advertises a larger EDNS buffer.
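A resolvers section that puts the options above together, added here as an example and not taken from the page or from HAProxy's documentation; the nameserver addresses, the SRV name, the backend and the timeouts are assumptions:

```haproxy
# Added example: DNS over TCP for large SRV answers, an EDNS-sized UDP
# fallback, and startup behaviour for not-yet-resolved servers.
# Nameserver addresses, the SRV record and the backend are assumptions.
resolvers internal
    nameserver ns1 tcp@10.0.0.53:53   # tcp@ forces TCP: no UDP truncation
    nameserver ns2 10.0.0.54:53       # plain UDP, so advertise a larger EDNS buffer
    accepted_payload_size 8192
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s
    hold obsolete   30s

backend app
    # Up to 10 servers filled from the SRV answer. init-addr: try libc at
    # startup, then the address saved in the state file, else start empty
    # and wait for the resolver rather than failing the whole config load.
    server-template app 1-10 _app._tcp.service.example resolvers internal \
        resolve-prefer ipv4 init-addr libc,last,none check
```

Check the result with the Runtime API: show resolvers reports per-nameserver counters, including truncated answers, and show servers state app shows which template slots received an address. A climbing truncated count on a UDP nameserver is the signal to move it to tcp@.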
Are there any logging enhancements?
The HTTP and TCP log formats can carry the TLS version and cipher of the client connection through the %sslv and %sslc log-format variables, and the same values are available to ACLs and custom log-format lines through the ssl_fc_protocol and ssl_fc_cipher sample fetches. None of these are new in 2.8; they have existed since 1.5.
The quic_conn_id fetch this page mentions does not match any sample fetch documented in the 2.8 configuration manual. Before using a QUIC-specific fetch in a log-format or ACL, confirm it exists in the manual for your exact build (haproxy -vv shows the version and whether QUIC is compiled in), because an unknown fetch makes the configuration fail to load.
FAQ
Is the OpenTelemetry support a replacement for the built-in Prometheus exporter?
No. There is no native OpenTelemetry exporter to replace it; the built-in Prometheus exporter remains the supported metrics interface, and an OpenTelemetry Collector consumes it with its Prometheus receiver. Teams that have standardized on an OTel stack still run the exporter, but the Collector replaces any separate conversion sidecar.
Does dynamic SSL certificate management work with all certificate types?
It works with PEM bundles: the private key, the leaf certificate and any intermediate chain in one file, with RSA or ECDSA keys. Deployments that keep extra files beside the certificate update them with the same command and the file's suffix, for example set ssl cert site.pem.key, .issuer, .ocsp or .sctl. The change is committed live to the running process and applies to handshakes after the commit; it is not written to disk, so update the file HAProxy loads from as well, or the next reload reverts to the old certificate.
What is the main use case for stick table data sampling?
The primary use is debugging. If you use stick tables for session persistence, rate limiting or abuse tracking, show table <name> with a data.<type> filter or a key argument shows which keys are present, how many milliseconds remain before each expires (exp), and every counter stored for the entry, in real time.
How does DNS over TCP help with SRV records?
SRV records often list many targets and can exceed what fits in a UDP DNS response, and a truncated answer leaves HAProxy with an incomplete server list or a failed resolution. Prefixing the nameserver address with tcp@ in the resolvers section makes HAProxy query it over TCP, so the entire response is received; raising accepted_payload_size helps on UDP only as far as the resolver honours the larger EDNS buffer.
Were there any changes to the Data Plane API in this release?
The changelog does not highlight Data Plane API changes for 2.8; the Data Plane API is a separate project with its own release cycle. The runtime capabilities discussed above, certificate transactions and stick table inspection, are features of the HAProxy process itself, which the Data Plane API exposes through its own endpoints.