What Is New in HAProxy 3.1
HAProxy 3.1 delivers a significant update focused on enhanced security, improved performance, and expanded protocol support. This release introduces new features like native OpenTracing, SOCKS4 support, and important SSL/TLS improvements.
| Category | Key Changes |
|---|---|
| New Features | Native OpenTracing, SOCKS4 support, New converters, DNS resolution over TCP |
| Improvements | SSL/TLS enhancements, Prometheus exporter, Lua scripting, HTTP/2 |
| Bug Fixes | Numerous fixes across the core, HTTP, and SSL components |
| Deprecated | None specified in this release |
How does HAProxy 3.1 improve security and SSL/TLS?
The release strengthens security with several SSL/TLS enhancements. It now supports the `allow-0rtt` TLSv1.3 option for faster connections and includes a new `ssl_c_chain` keyword to send the intermediate CA chain in the correct order.
This matters because proper chain ordering prevents certificate validation issues with certain clients. The update also fixes a bug where the wrong certificate might be sent for wildcard SNI, which directly improves reliability for multi-domain setups.
What new observability features were added?
Native OpenTracing support is the headline observability feature. You can now use the opentracing keyword in the global section to enable distributed tracing, providing deeper insights into request flows.
The Prometheus exporter also received updates, including a new gauge for the number of active peers and a fix for the server_id label. These changes make it easier to monitor complex, distributed HAProxy deployments effectively.
What new protocol and connectivity options are available?
HAProxy 3.1 adds SOCKS4 support for outbound connections, giving you more flexibility for routing traffic. It also introduces DNS resolution over TCP, which is crucial for handling large DNS responses that exceed the typical UDP packet size.
For HTTP/2, the release fixes several bugs, including one related to handling large DATA frames. This improves stability and performance for modern HTTP/2 traffic, which is now the standard for many web applications.
What enhancements were made for configuration and data manipulation?
New converters like utf8s2u, u8, and hex were added, expanding the ways you can manipulate data within the HAProxy configuration. The lua-prepend-path global directive was also introduced for better managing Lua module paths.
In practice, these new tools give you more power to write complex routing and content transformation rules directly in your config, reducing the need for external processing scripts.
FAQ
Does HAProxy 3.1 support TLS 1.3 0-RTT (Zero Round Trip Time Resumption)?
Yes, it does. You can now enable it using the `allow-0rtt` option on a bind line configured for TLSv1.3, which can reduce latency for returning clients.
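The bind-line option described above (and in the SSL/TLS section earlier on this page) is easiest to reason about in a full frontend. The configuration below is an added example, not from the release notes or the HAProxy project. It assumes a certificate at `/etc/haproxy/certs/site.pem`, a backend `be_app` on `10.0.0.10:8080`, and the standard `ssl_fc_has_early` fetch and `http-request wait-for-handshake` action. The point a defender cares about: 0-RTT early data can be replayed by anyone who captured the client's first flight, so only safe (idempotent) methods are answered from early data; everything else is held until the handshake completes.

```haproxy
# Added example (not from the release notes): TLS 1.3 0-RTT with early-data gating.
# Certificate path, addresses and backend name are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # allow-0rtt lets TLS 1.3 clients send application data in their first flight
    bind :443 ssl crt /etc/haproxy/certs/site.pem allow-0rtt alpn h2,http/1.1

    # Record whether each request arrived as early data so replays are visible in the logs
    log-format "%ci:%cp [%tr] %ft %b/%s %ST %B early=%[ssl_fc_has_early] %HM %HU"

    # Early data can be replayed by an on-path observer. Requests carried in
    # 0-RTT data are accepted only for safe methods; any other method waits
    # until the full handshake proves the client holds the session keys.
    http-request wait-for-handshake if { ssl_fc_has_early } !{ method GET HEAD OPTIONS }

    # Stricter alternative: refuse the early-data request with 425 Too Early,
    # which instructs the client to retry once the handshake has completed.
    # http-request return status 425 content-type text/plain string "Too Early" if { ssl_fc_has_early } !{ method GET HEAD OPTIONS }

    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check
```

`wait-for-handshake` costs the latency that 0-RTT was meant to save, but only for the non-idempotent minority of requests; reads keep the fast path. Checking `haproxy -c -f haproxy.cfg` validates the syntax before reload.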
I use wildcard certificates. Was there a fix for SNI matching?
Absolutely. A bug was fixed where the wrong certificate could be selected for a wildcard SNI if a previous exact match existed. This ensures the correct certificate is always served.
Can HAProxy now resolve DNS over TCP?
Yes, this release adds support for DNS resolution over TCP. This is essential for handling large DNS responses that wouldn't fit in a single UDP packet, preventing resolution failures.
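A resolvers section using the TCP transport, as an added example for this answer and for the protocol section above; it is not from the release notes or the HAProxy project. The nameserver addresses, the `app.internal.example` hostname and the backend name are placeholders, and the `tcp@` address prefix, `accepted_payload_size` and `server-template` directives are assumed to be available as in recent HAProxy versions.

```haproxy
# Added example (not from the release notes): DNS resolution over TCP.
# Resolver addresses and hostnames are placeholders.
resolvers internal_dns
    # The tcp@ prefix makes HAProxy query this server over TCP, so a response
    # larger than one UDP datagram is delivered whole instead of truncated.
    nameserver ns1 tcp@10.0.0.53:53
    # UDP fallback; a larger accepted payload size reduces truncation there too.
    nameserver ns2 10.0.0.54:53
    accepted_payload_size 8192
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    # How long a last-known answer is kept when the resolver is unreachable
    # or returns an error, so a DNS hiccup does not empty the backend.
    hold valid  10s
    hold nx     30s
    hold other  30s

backend be_app
    mode http
    # One slot per address returned for the name; init-addr none lets HAProxy
    # start even when the name cannot be resolved at boot.
    server-template app 1-10 app.internal.example:8080 check resolvers internal_dns resolve-prefer ipv4 init-addr none
```

With a large service set, the A/AAAA answer for a single name easily exceeds 512 bytes; querying over TCP avoids the truncated-response case in which only part of the pool is ever populated.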
What is the new `ssl_c_chain` keyword used for?
The `ssl_c_chain` keyword is used to send the intermediate Certificate Authority chain in the correct order. This helps avoid client-side certificate validation errors that can occur with misordered chains.
Is OpenTracing built into HAProxy now?
Yes, native OpenTracing support was added. You can enable it with the opentracing global directive to integrate with distributed tracing systems for better observability.