# What Is New in HAProxy 2.9
| Category | Key Changes |
|---|---|
| New Features | Dynamic TLS Certificate Update, Event-Driven MQTT Support, DNS over TCP, Log Distribution Forwarding |
| Improvements | HTTP/3 Experimental Support, Enhanced Prometheus Exporter, Stick Table Data Type Additions |
| Bug Fixes | Numerous fixes across HTTP, SPOE, SSL, and connection management |
| Deprecated | The `hash-balance-factor` algorithm |
## How does HAProxy 2.9 handle TLS certificates dynamically?

HAProxy 2.9 introduces a new command to dynamically update TLS certificates without a reload. You can now push a new certificate and key to a running process using the `set ssl cert` command via the runtime API. This eliminates the operational overhead and latency of a full reload for certificate rotations.

In practice, this means zero downtime when updating certificates from an ACME client like certbot. The feature supports both the `crt` and `crt-list` directives, making it a seamless upgrade for existing configurations.
## What MQTT enhancements were added?

Version 2.9 brings event-driven MQTT support, moving beyond the previous simple packet filtering. This allows HAProxy to make more intelligent routing decisions based on MQTT message content, such as the topic or client ID.

You can now use ACLs to inspect MQTT CONNECT messages and route traffic accordingly. This matters because it transforms HAProxy into a full-fledged, high-performance MQTT broker layer, which is crucial for IoT and real-time messaging infrastructures.
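As an added example (not taken from the page, and not HAProxy's own documentation), the configuration below applies the CONNECT inspection just described: it waits for the first packet, accepts the connection only once a well-formed MQTT packet is present, and routes by the client identifier. The `mqtt_is_valid` and `mqtt_field_value` converters and `req.payload` fetch are HAProxy's own; the addresses, ports, backend names and the `sensor-` naming convention are assumptions.

```haproxy
# Added example, not from the page. Route MQTT sessions by the client
# identifier carried in the CONNECT packet; addresses and names are assumptions.
frontend mqtt_in
    mode tcp
    bind :1883
    # CONNECT is always the first packet on an MQTT connection; wait up to
    # 5s for it to arrive before deciding.
    tcp-request inspect-delay 5s
    # Parse the whole request buffer as MQTT.
    acl mqtt_ok   req.payload(0,0),mqtt_is_valid
    acl is_sensor req.payload(0,0),mqtt_field_value(connect,client_identifier) -m beg sensor-
    # Accept only once a valid MQTT packet is buffered. Anything else (wrong
    # protocol, scanner noise, an idle client) is rejected when the delay expires.
    tcp-request content accept if mqtt_ok
    tcp-request content reject
    # Backend selection runs after content inspection, so the ACL is
    # evaluated against the buffered CONNECT packet.
    use_backend mqtt_telemetry if is_sensor
    default_backend mqtt_brokers

backend mqtt_telemetry
    mode tcp
    balance leastconn
    server telem1 10.0.1.10:1883 check
    server telem2 10.0.1.11:1883 check

backend mqtt_brokers
    mode tcp
    balance leastconn
    server broker1 10.0.2.10:1883 check
    server broker2 10.0.2.11:1883 check
```

If clients use MQTT over TLS (port 8883), the payload is opaque unless the `bind` line terminates TLS (`bind :8883 ssl crt ...`), so the inspection has to sit behind TLS termination to work.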
## Is DNS over TCP supported now?

Yes, HAProxy 2.9 finally adds native support for DNS over TCP. Before this, DNS resolution was limited to UDP, which could cause issues with large responses that get truncated.

This is a foundational improvement. It ensures reliable DNS resolution for all record sizes, making HAProxy more robust in environments with complex service discovery that relies on large DNS payloads.
## How was the Prometheus exporter improved?

The Prometheus exporter got a significant upgrade, now automatically exposing all metrics from the built-in stats page. You no longer need to manually declare which metrics to export, which simplifies configuration dramatically.

This auto-exposure feature means you get immediate visibility into every metric without extra work. It also includes new metrics for the internal task scheduler, giving deeper insight into HAProxy's performance.
## What new data types are available for stick tables?

Stick tables now support two new data types: `str` and `bin`. The `str` type stores a string value, while `bin` stores a binary payload.

This opens up new possibilities for state tracking. For example, you can now store a JWT or a serialized user session object directly in a stick table for shared state across a cluster of HAProxy nodes.
## FAQ

### Can I use HTTP/3 in production with HAProxy 2.9?

No, the HTTP/3 implementation is still marked as experimental. It's included for early testing and development, but it's not recommended for production workloads due to its preliminary status.
### What command do I use to update a TLS certificate at runtime?

Use the runtime API command `set ssl cert <filename> <payload>` followed by `commit ssl cert <filename>` to apply the new certificate without a reload.
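As an added example (not from the page, and not a tool shipped with HAProxy), the POSIX shell script below assembles the two runtime API requests named above and sends them to the stats socket with `socat`. The socket path, the certificate name and the PEM file path are assumptions; the name passed to `set ssl cert` must be the one HAProxy already loaded from its `crt` directive or crt-list, and the socket must be configured with `level admin`.

```shell
#!/bin/sh
# Added example, not part of the page or of HAProxy itself.
# Stages a new certificate+key PEM into a running HAProxy through the runtime
# API ("set ssl cert" transaction) and then commits it, without a reload.
set -e

# Emit the "set ssl cert" request. The runtime API reads a multi-line payload
# after a "<<" marker and treats an empty line as the end of the payload.
#   $1 = certificate name as loaded by HAProxy (the path used in the crt directive)
#   $2 = local PEM file holding the new certificate and its private key
build_set_cmd() {
    printf 'set ssl cert %s <<\n' "$1"
    cat "$2"
    printf '\n'
}

# Emit the "commit ssl cert" request that applies the staged certificate.
build_commit_cmd() {
    printf 'commit ssl cert %s\n' "$1"
}

# Deliver one request (read from stdin) to the stats socket and print the
# response. Assumes socat is installed; $1 = socket path.
send_cmd() {
    socat stdio "UNIX-CONNECT:$1"
}

# A payload without both a certificate and a private key cannot be a complete
# bundle, so refuse it before touching the running process.
pem_is_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# $1 = stats socket path, $2 = certificate name in HAProxy, $3 = new PEM file
update_cert() {
    if ! pem_is_complete "$3"; then
        echo "refusing: $3 does not contain both a certificate and a private key" >&2
        return 1
    fi
    build_set_cmd "$2" "$3" | send_cmd "$1"
    build_commit_cmd "$2" | send_cmd "$1"
}

# Invoked directly: update-cert.sh <socket> <cert-name> <pem-file>
if [ "$#" -eq 3 ]; then
    update_cert "$1" "$2" "$3"
fi
```

Run it as `./update-cert.sh /var/run/haproxy.sock /etc/haproxy/certs/site.pem /tmp/new-site.pem`. After the commit, `echo "show ssl cert /etc/haproxy/certs/site.pem" | socat stdio UNIX-CONNECT:/var/run/haproxy.sock` reports the certificate HAProxy is now serving, which is the check to run before trusting the rotation.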
### Why was the hash-balance-factor algorithm deprecated?

It was deprecated because it was rarely used and added unnecessary complexity to the codebase. The consistent hashing algorithm is the preferred and more efficient method for load balancing.
### Does the new DNS over TCP support work for both resolution and service discovery?

Yes, the support applies to both cases: when HAProxy acts as a DNS client for `resolvers` configurations, and when it uses DNS for service discovery via SRV records.
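As an added example covering this answer, the DNS over TCP section above and the Prometheus section (it is not from the page and not HAProxy's own documentation), the configuration below declares a `resolvers` section whose nameservers are queried over TCP, a backend filled from SRV records through it, and a stats listener that also serves the Prometheus exporter. The `tcp@` address prefix, `server-template`, `resolvers` keywords and `prometheus-exporter` service are HAProxy's own; all addresses, names and the SRV record are assumptions.

```haproxy
# Added example, not from the page. Addresses, names and the SRV record are
# assumptions.
resolvers internal
    # tcp@ selects DNS over TCP for this nameserver, so large answers are not
    # truncated the way UDP responses can be.
    nameserver ns1 tcp@10.0.0.53:53
    nameserver ns2 tcp@10.0.0.54:53
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s
    hold nx         5s

backend api
    mode http
    balance roundrobin
    # Up to 10 server slots are filled from the SRV answer (service discovery);
    # the port comes from the record, so none is given here. Slots start
    # without an address until the first successful resolution.
    server-template api 10 _api._tcp.service.internal resolvers internal init-addr none check

frontend stats
    mode http
    # Keep the metrics endpoint off public interfaces; a scrape-only network
    # address would replace the loopback bind in practice.
    bind 127.0.0.1:8404
    # The exporter serves every stats-page metric without a per-metric list.
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 10s
```

`show resolvers` on the runtime API prints per-nameserver counters, including the number of truncated answers; a nameserver using `tcp@` should keep that counter at zero while the same server on `udp@` would not for answers larger than the UDP payload limit.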
### What is the new log forwarding feature?

It's a feature that allows you to forward logs to a server that understands the HAProxy log format. This is useful for building custom log aggregation pipelines without relying on standard syslog protocols.