What Is New in HAProxy 3.3
HAProxy 3.3 brings changes in three areas: observability (metrics export and consistent stick-table counters), safer operational changes such as certificate rotation without a reload, and core load balancing performance. This release focuses on deeper insight into traffic patterns and on stability fixes in the HTTP, TLS and DNS paths.
| Category | Key Changes |
|---|---|
| New Features | Traffic Shadowing, Dynamic SSL Certificates, Prometheus Exporter, Stick Table Aggregation |
| Improvements | HTTP Connection Management, HPACK Encoding, Server Queue Priority, Lua Integration |
| Bug Fixes | Numerous fixes across HTTP, SSL/TLS, DNS, and the SPOE framework |
How does traffic shadowing improve testing?
The new Traffic Shadowing feature lets you mirror live production traffic to a test environment: a copy of each request is sent to a separate set of servers, whose responses are discarded, so the client's response still comes only from the real backend.
In practice this is valuable for validating a new application version or a new piece of infrastructure with real user traffic before a full cut-over, catching issues that synthetic tests miss. Two caveats apply. Mirrored requests carry real user data, cookies and credentials, so the shadow environment must be protected, logged and audited like production. And a request with side effects (a POST that charges a card or sends mail) is executed twice unless the shadow stack is isolated from shared state.
What's new for SSL and TLS management?
HAProxy lets you replace a loaded TLS certificate at runtime without reloading the process. The mechanism is the runtime API (the stats socket at level admin): set ssl cert stages the new PEM for a certificate path HAProxy already knows, and commit ssl cert makes it live for every listener that references it; abort ssl cert discards a staged transaction. This runtime path predates 3.3 (it has been available since 2.1); what is new is its use as the default rotation path rather than a reload.
The swap happens inside the running worker, so no new process is started and listeners are untouched, which removes the window in which a reload could drop or reset connections. Note that HAProxy has never reloaded on SIGHUP (that signal only dumps server state to the logs); a reload means starting a new worker, triggered with SIGUSR2 on the master or the master CLI's reload command, and re-parses the whole configuration. Because the socket now accepts a private key over the wire, restrict it to a dedicated user with a tight file mode and keep it off any network-reachable address.
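The rotation procedure above, written out as an added example for this page (not HAProxy's own tooling): it stages the new PEM with set ssl cert, commits it, and aborts the transaction if the commit is refused. It assumes socat is installed, an admin-level runtime socket at /var/run/haproxy.sock (overridable through the HAPROXY_SOCK variable, an assumption of this script), and that the certificate path is one HAProxy already loaded from a crt or crt-list directive.

```shell
#!/bin/sh
# Added example, not from the HAProxy project or this page: rotate a TLS
# certificate through the runtime API with "set ssl cert" + "commit ssl cert".
# Assumptions: socat is available, $HAPROXY_SOCK is an admin-level stats socket,
# and the certificate path was already loaded when HAProxy started.
set -eu

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Build the multi-line "set ssl cert" command. The runtime API reads a payload
# introduced by "<<" and terminated by an empty line; the PEM must contain the
# private key, the certificate and its chain, exactly as the file on disk would.
build_set_cert_payload() {
    cert_path=$1   # path HAProxy knows the certificate by (crt / crt-list)
    pem_file=$2    # new PEM (key + cert + chain) to load
    printf 'set ssl cert %s <<\n' "$cert_path"
    awk '1' "$pem_file"   # awk guarantees a trailing newline on the last line
    printf '\n'           # empty line ends the payload
}

# Send one (possibly multi-line) command to the runtime API and print the reply.
haproxy_cli() {
    socat -t 5 stdio "UNIX-CONNECT:$HAPROXY_SOCK"
}

rotate_cert() {
    cert_path=$1
    pem_file=$2
    # Refuse to ship a payload that is not a full key + certificate pair.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem_file" \
        || { echo "no certificate in $pem_file" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$pem_file" \
        || { echo "no private key in $pem_file" >&2; return 1; }

    # Stage the new certificate in a transaction; nothing is served yet.
    build_set_cert_payload "$cert_path" "$pem_file" | haproxy_cli
    # Make it live atomically. HAProxy answers "Success!" on a good commit;
    # anything else means the transaction must be discarded.
    if ! printf 'commit ssl cert %s\n' "$cert_path" | haproxy_cli | grep -q 'Success'; then
        printf 'abort ssl cert %s\n' "$cert_path" | haproxy_cli
        echo "commit refused for $cert_path, transaction aborted" >&2
        return 1
    fi
    # Verify what HAProxy now serves (fingerprint, validity dates, SANs).
    printf 'show ssl cert %s\n' "$cert_path" | haproxy_cli
}

# Usage: rotate_cert /etc/haproxy/certs/example.com.pem /tmp/new-example.com.pem
```

Run rotate_cert as a user allowed to open the socket. For a path HAProxy has never seen, create it first with new ssl cert and attach it with add ssl crt-list after the commit; set ssl cert alone only replaces existing entries. The socket receives the private key in cleartext, so treat it like a key store.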
How is observability enhanced?
A native Prometheus exporter ships with HAProxy. It is compiled in when HAProxy is built with USE_PROMEX=1 (haproxy -vv shows whether it is present) and is exposed as a service: a frontend rule of the form http-request use-service prometheus-exporter, normally conditioned on a path such as /metrics, answers scrapes with the global, frontend, backend and server metrics in Prometheus text format. It is a service selected by a rule, not a query-string option of the stats page, so it belongs on its own internal listener rather than on the public frontend.
Stick-table data is consistent across the whole deployment as well. Within one process a stick table is a single shared structure visible to every thread, so a tracked counter is the same whichever thread handles the request. To extend that unified view across several HAProxy instances, the table is declared with a peers reference and its entries are replicated over the peers protocol, which is what keeps rate limiting and abuse tracking accurate when a client's requests are spread across a cluster.
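The two mechanisms above, as one added example configuration written for this page (not from the original page or the HAProxy project): a dedicated, source-restricted frontend serving the Prometheus exporter, and a public frontend whose per-client request-rate counter lives in a stick table replicated between two instances through a peers section. The addresses, the mypeers and scrapers names, the thresholds and the socket mode are placeholders chosen for the example.

```haproxy
# Added example configuration, not from the original page or the HAProxy project.
# Addresses, names and thresholds are placeholders.

global
    # Admin runtime API: it can swap certificates and change server state,
    # so keep it on a local socket with a restrictive mode (assumption: 600).
    stats socket /var/run/haproxy.sock mode 600 level admin
    nbthread 8

peers mypeers
    # Stick-table entries are replicated between these instances; the local
    # peer name must match the host name or the -L option at startup.
    peer lb1 10.0.0.11:10000
    peer lb2 10.0.0.12:10000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Metrics endpoint on an internal address. The exporter is a service selected
# with use-service; there is no query-string switch on the stats URI.
frontend metrics
    bind 10.0.0.11:8405
    acl scrapers src 10.0.1.0/24
    http-request deny deny_status 403 if !scrapers
    http-request use-service prometheus-exporter if { path /metrics }
    # Anything else on this listener is refused.
    http-request deny deny_status 404

frontend www
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem
    # One table shared by all threads of this process and replicated to the
    # peers above, so a client's rate is counted across both load balancers.
    stick-table type ip size 100k expire 60s store http_req_rate(10s) peers mypeers
    http-request track-sc0 src
    # Reject clients above 100 requests per 10 s window before routing them.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    default_backend app

backend app
    server app1 10.0.2.11:8080 check
    server app2 10.0.2.12:8080 check
```

Check the file with haproxy -c -f before deploying. If the scrape target sits behind a proxy, track the real client address (for example from a trusted X-Forwarded-For header) instead of src, or every client will share one counter.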
What core performance optimizations were made?
Significant work was done on HTTP connection reuse. The introduction of a per-server idle connection list drastically reduces the time spent managing connections between threads, which lowers latency.
HPACK encoding for HTTP/2 was optimized to reduce CPU usage, and server queue priorities were improved to better handle traffic surges. Lua integration also saw performance gains, making embedded scripts run faster.
FAQ
How do I enable the new Prometheus metrics?
Enable the built-in exporter with http-request use-service prometheus-exporter in a frontend, usually a dedicated one bound to an internal address and guarded by a path condition such as { path /metrics }, then point the scraper at that address and path. The exporter must be compiled in (USE_PROMEX=1; haproxy -vv lists it). There is no ?prometheus suffix on the stats URI; the stats page only offers its own output variants such as ;csv.
Does dynamic certificate loading work with all certificate types?
Yes, for any certificate HAProxy already has loaded under the given path, whether from a crt directive or a crt-list. The payload is the same PEM content you would put on disk: private key, certificate and chain. Nothing is served until commit ssl cert runs, so a bad payload can be discarded with abort ssl cert without interruption. A certificate under a path HAProxy has never seen must first be created with new ssl cert and, after the commit, attached to a crt-list with add ssl crt-list.
Can I mirror traffic to multiple shadow backends?
No, the traffic shadowing feature currently allows you to define only one shadow backend per use_backend rule for mirroring traffic.
What is the benefit of stick table aggregation?
A stick table is shared by all threads of a process, so counters such as request rates are consistent within one instance, and the peers protocol replicates entries between instances. A client balanced across several HAProxy nodes is therefore rate limited on its aggregate behaviour rather than on a per-node count that it could bypass by spreading requests.
Were there any important security fixes?
Yes. The release notes call out a fix in the HPACK decoder for a condition that could crash the process, and corrections to SSL termination under specific traffic patterns. No identifiers are given here, so check the 3.3 changelog and any advisory against the exact version you run (haproxy -v). Since the HPACK decoder handles headers from every HTTP/2 peer, a crash there is a remote denial-of-service candidate; prioritize upgrading instances that terminate HTTP/2 from untrusted clients.