Announcing HAProxy Enterprise 2.9

HAProxy Enterprise 2.9 is now available and we’re quite excited about this one. This release includes next-generation web application firewall (WAF) and bot management capabilities, and extends HAProxy Enterprise’s legendary performance and flexibility to support applications using the UDP transport protocol. Supported by industry-leading benchmark results, these landmark features offer customers a powerful solution to the challenges of security, latency, and scale.

New to HAProxy Enterprise?

HAProxy is the world’s fastest and most widely used software load balancer and the G2 category leader in API management, container networking, DDoS protection, web application firewall (WAF), and load balancing. HAProxy Enterprise elevates the experience with premium support, robust multi-layered security, and centralized management, monitoring, and automation with HAProxy Fusion. HAProxy Enterprise and HAProxy Fusion provide a secure application delivery platform for modern enterprises and applications.

To learn more, contact our sales team for a demonstration or request a free trial.

What’s new?

HAProxy Enterprise 2.9 includes exclusive new enterprise features plus all the features from the community version of HAProxy 2.9. For the full list of features, read the release notes for HAProxy Enterprise 2.9.

New and exclusive in HAProxy Enterprise 2.9 are the following important features:

  • The next-generation HAProxy Enterprise WAF powered by our unique Intelligent WAF Engine provides exceptional accuracy, zero-day threat detection, ultra-low latency, and simple management with optional OWASP Core Rule Set compatibility. Our industry-leading WAF performance virtually eliminates the security impact of false negatives and the noise of false positives, with a balanced accuracy of 98.53% measured in testing based on open source WAF benchmark data.

  • The new HAProxy Enterprise Bot Management Module provides fast, reliable, and flexible identification and categorization of bots attempting to access websites or applications, with 100% local processing for low latency and no external dependencies. Our proven real-world performance shows the ability to catch previously unidentified bots while supporting 2X more requests per second on one instance than the nearest competitor.

  • The new HAProxy Enterprise UDP Module provides fast and reliable UDP proxying and load balancing alongside HAProxy’s existing broad protocol support. Our best-in-class UDP performance is capable of reliably handling 3.8 million Syslog messages per second (46Gb/s) – 4.6X faster than the nearest enterprise competitor. 

We announced the release of HAProxy 2.9 in December 2023, which included faster performance, more flexibility, and better observability. The features from HAProxy 2.9 are now available in HAProxy Enterprise 2.9.

For an introduction to the features listed above, watch our HAProxy Enterprise 2.9: Next-Generation WAF, New Bot Management, and UDP Load Balancing webinar.

Ready to upgrade?

When you are ready to start the upgrade procedure, go to the upgrade instructions for HAProxy Enterprise.

Next-generation WAF brings secure application delivery without compromise

One reason why HAProxy Enterprise is so popular is the bundled web application firewall (WAF). In HAProxy Enterprise 2.9, security is better than ever. The next-generation HAProxy Enterprise WAF brings industry-leading accuracy, performance, and simplicity.

Why a next-generation WAF?

Previously, HAProxy Enterprise included multiple WAF options including an Advanced WAF and a ModSecurity WAF based on the OWASP Core Rule Set (CRS). 

  • Customers using the Advanced WAF found it to be extremely fast and powerful, but the skill requirements were relatively high. 

  • Meanwhile, customers using the ModSecurity WAF appreciated the simplicity and industry-standard CRS compatibility, but the open source ModSecurity WAF introduced more latency and higher false positives than many customers were comfortable with. 

As we looked at the other WAF options on the market we also realized that low accuracy was a common problem, leaving users struggling to manage many false positives and to mitigate the damage caused by application attacks that slip through a WAF undetected. 

We wanted to give customers a WAF experience that combined the speed of the Advanced WAF, the simplicity of the ModSecurity WAF, and unprecedented accuracy to strengthen security and eliminate the noise. This goal led us to create the next-generation HAProxy Enterprise WAF, which delivers secure application delivery without compromise.

What can you do with HAProxy Enterprise WAF?

Out-of-the-box, the HAProxy Enterprise WAF provides ultra-low latency protection against application attacks. This includes common attacks such as SQL Injection, Cross Site Scripting (XSS), Remote Code Execution (RCE), and Local File Inclusion (LFI), as well as emerging and zero-day threats. You can optionally use the industry-standard OWASP Core Rule Set (CRS) compatibility mode to maximize compatibility and transparency where needed.

HAProxy Enterprise WAF is part of HAProxy Enterprise’s multi-layered security, which also includes the new Bot Management Module and Global Rate Limiting (powered by the Global Profiling Engine). You can combine accurate WAF detection and blocking with the other powerful layers in the security suite to create highly customizable threat management strategies – from simple to advanced.

Why should you use HAProxy Enterprise WAF?

Three reasons:

  1. Stronger security with exceptional balanced accuracy measured using open source WAF benchmark data, virtually eliminating the security impact of false negatives and the noise of false positives.

  2. Higher performance ensures ultra-low latency threat detection and traffic filtering while keeping resource use and operational costs low. 

  3. Simple to set up and manage with out-of-the-box behavior suitable for most deployments.

The next-generation HAProxy Enterprise WAF powered by the unique Intelligent WAF Engine brings industry-leading efficacy and performance. The Intelligent WAF Engine is a single low-latency process based on the company’s unique data science, security analytics, and real-world datasets. It identifies security threats using a non-signature-based detection system capable of blocking emerging and zero-day threats without requiring users to create and manage long or complex lists of rules.

Let’s talk accuracy. WAF accuracy can be calculated by measuring the true positive rate and the true negative rate:

  • True positive rate refers to the proportion of dangerous traffic correctly identified by the WAF. Dangerous traffic incorrectly identified as safe is a “false negative”.

  • True negative rate refers to the proportion of safe traffic correctly identified by the WAF. Safe traffic incorrectly identified as dangerous is a “false positive”.

The average of these two values is called “balanced accuracy”. The vast majority of WAFs on the market do well at one metric but not the other, resulting in poor scores for balanced accuracy (generally below 90%). Naturally, we wanted to have a go ourselves, so we followed the same methodology with the new HAProxy Enterprise WAF.

HAProxy Enterprise WAF powered by the Intelligent WAF Engine achieved: 

  • a true-positive rate of 99.61%

  • a true-negative rate of 97.45%

  • a resulting balanced accuracy rate of 98.53%

This result comfortably beats the category average. It means that false positives are a thing of the past, reducing the impact on legitimate users and the operational burden of monitoring security alerts. It also means that false negatives are virtually eliminated, reducing the risk that malicious traffic will cause downtime, data loss, fraud, and more.
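The calculation described above, as an added example (not HAProxy's code or benchmark tooling). It projects the quoted true-positive and true-negative rates onto a traffic mix and contrasts balanced accuracy with plain accuracy; the 1,000,000-request volume and 5% attack share are assumptions chosen for illustration, and `tally` is a hypothetical helper for scoring your own labelled test run.

```python
from dataclasses import dataclass


def _ratio(num: int, den: int) -> float:
    # An empty class (e.g. a test run with no attack samples) scores 0.0.
    return num / den if den else 0.0


@dataclass(frozen=True)
class Confusion:
    tp: int  # attacks blocked
    fn: int  # attacks allowed through (false negatives)
    tn: int  # safe requests allowed
    fp: int  # safe requests blocked (false positives)

    @property
    def tpr(self) -> float:
        return _ratio(self.tp, self.tp + self.fn)

    @property
    def tnr(self) -> float:
        return _ratio(self.tn, self.tn + self.fp)

    @property
    def balanced_accuracy(self) -> float:
        return (self.tpr + self.tnr) / 2

    @property
    def accuracy(self) -> float:
        return _ratio(self.tp + self.tn, self.tp + self.fn + self.tn + self.fp)

    @property
    def block_precision(self) -> float:
        # Share of blocked requests that really were attacks.
        return _ratio(self.tp, self.tp + self.fp)


def project(tpr: float, tnr: float, total: int, attack_share: float) -> Confusion:
    """Turn published rates into request counts for an assumed traffic mix."""
    attacks = round(total * attack_share)
    safe = total - attacks
    tp = round(attacks * tpr)
    tn = round(safe * tnr)
    return Confusion(tp=tp, fn=attacks - tp, tn=tn, fp=safe - tn)


def tally(verdicts) -> Confusion:
    """Count outcomes from (is_attack, was_blocked) pairs of a labelled run."""
    counts = {"tp": 0, "fn": 0, "tn": 0, "fp": 0}
    for is_attack, was_blocked in verdicts:
        key = ("tp" if was_blocked else "fn") if is_attack else ("fp" if was_blocked else "tn")
        counts[key] += 1
    return Confusion(**counts)


if __name__ == "__main__":
    # Rates quoted in the article; volume and mix are assumptions.
    quoted = project(0.9961, 0.9745, total=1_000_000, attack_share=0.05)
    # A WAF that blocks nothing: high plain accuracy, 50% balanced accuracy.
    allow_all = project(0.0, 1.0, total=1_000_000, attack_share=0.05)
    for name, c in (("quoted rates", quoted), ("allow-all", allow_all)):
        print(f"{name}: accuracy={c.accuracy:.4f} balanced={c.balanced_accuracy:.4f} "
              f"fp={c.fp} fn={c.fn} block_precision={c.block_precision:.3f}")
```

Because safe traffic usually dominates, plain accuracy rewards a WAF that allows everything, which is why the benchmark averages the two per-class rates instead.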

When using the optional OWASP CRS compatibility mode, we measured an impressively low false-positive rate of 1.78% at paranoia level 2 (compared with 28.36% for the ModSecurity WAF at the same paranoia level) resulting in reduced noise and a better user experience.

How about performance? WAF performance can be evaluated by the latency (the time taken to process each request) incurred with a variety of attack payloads and traffic volumes. The HAProxy Enterprise WAF provides high-performance threat detection and filtering with latency below measurable thresholds for the majority of attack payloads, meaning no performance penalty for security and virtually zero impact on legitimate traffic.

Performance is also improved significantly when using the optional OWASP CRS compatibility mode. With a realistic mix of safe and suspicious traffic (approximately 5% suspicious), the HAProxy Enterprise WAF achieves on average 15X lower latency than the ModSecurity WAF using the OWASP CRS.

This incredible accuracy and performance is available out-of-the-box to users of HAProxy Enterprise 2.9. You won’t need to write and maintain your own custom WAF rules. With the power of the Intelligent WAF Engine, it just works. This industry-leading performance in a simple package helps customers protect their business and reputation, simplify security, and reduce the impact on application performance and user experience.

New bot management makes identifying bots and categorizing your traffic a breeze

Our customers have implemented some impressive bot management strategies using HAProxy’s tools for traffic profiling, tracking, and filtering. Now, it’s even easier to use HAProxy Enterprise as a powerful alternative to a separate bot management solution. The new Bot Management Module provides fast, reliable, and flexible bot identification and categorization with low latency and deep integration with HAProxy Enterprise’s multi-layered security controls. 

Why bot management?

HAProxy Enterprise has long enabled users to identify bot traffic using a combination of tools, such as:

  • the Verify Crawler module, which verifies the identity of bots claiming to be valid crawlers, such as the Googlebot web crawler,

  • the Fingerprint modules, which use multiple data points to accurately identify clients and requests,

  • the Global Profiling Engine, which provides a comprehensive and up-to-date view of client behavior across a cluster and enables Global Rate Limiting.

From DoS attacks to content scraping, the risks from bot traffic are growing yearly. Failure to identify and block malicious bots could result in downtime, data theft, fraud, and more, affecting an organization’s reputation and revenue. Additionally, bot traffic can significantly increase resource use, which increases operational costs and could affect application performance for legitimate human users. 

To combat the rising risks, we wanted to make effective bot management more accessible and more powerful. In HAProxy Enterprise 2.9, customers have a new weapon in their arsenal against bots. The new HAProxy Enterprise Bot Management Module is simple to set up and uses HAProxy Enterprise’s unique advantages to make it faster, more reliable, and more flexible than the market-leading alternatives.

What can you do with the HAProxy Enterprise Bot Management Module?

HAProxy Enterprise’s Bot Management Module works out-of-the-box to identify traffic accurately, categorizing it as human, suspicious, bot, verified crawler (search engines), or verified bot/tool/app (non-browser). 

You can combine accurate bot identification with the other powerful layers in the security suite (including the next-generation HAProxy Enterprise WAF and Global Rate Limiting) to create customizable, high-performance, and low latency bot management and rate limiting strategies – from simple to advanced.

Why should you use the HAProxy Enterprise Bot Management Module?

Three reasons:

  • Fast performance eliminates latency and ensures rapid bot identification and enforcement of bot management policies even under heavy load (e.g., a DoS attack).

  • Reliable bot management with a simple architecture reduces complexity and keeps your data local and secure.

  • Flexible and customizable bot management shares intelligence with other powerful security layers for smarter, more holistic decision-making and enforcement. 

For most users, we expect the simple answer to be: why wouldn’t you use it? 🙂 You can enable it in moments, and since it’s built into HAProxy Enterprise – the world’s fastest software load balancer – it works quickly and efficiently even under heavy load. 

But the real question for many customers is: why use this instead of one of the market-leading bot management solutions? 

Unfortunately, bot management solutions often come with significant compromises (not even counting the extra cost).

  • Latency: solutions that pass requests through an additional layer, sometimes in a different network location, add latency (in addition to the often-quoted processing time) that affects the user experience.

  • Complexity: solutions that require a constant or frequent connection to the vendor’s cloud (for example, for automatic updates to the detection algorithm) introduce complexity and an additional point of failure, putting reliability and data privacy at risk. 

  • Lack of integration: solutions without deep integration with other security layers, such as with the WAF and anomaly detection layers, make decisions with incomplete information and do not give users the flexibility to enhance and customize their bot management strategy.

HAProxy Enterprise’s Bot Management Module uses reputational signals and scoring based on HAProxy Technologies’ security expertise, data science, and large real-world datasets to identify traffic accurately. Importantly, all the detection, processing, and enforcement is local to the HAProxy Enterprise instance. It does not add additional layers to the request path and does not require an external connection. This minimizes latency, maximizes reliability, and gives you the flexibility to deploy anywhere you like – such as in air-gapped environments.

With deep integration with HAProxy Enterprise’s multi-layered security, you can customize your organization’s bot management to meet your unique needs and traffic profile. You can customize your enforcement policies with options including blocking, tarpitting, challenging, and rate limiting.

But how good is it at identifying bots? While this is hard to test in a benchmark scenario, in real-world deployments with early adopters the HAProxy Enterprise Bot Management Module helped a top eCommerce website handling 300,000 requests per second identify heavy amounts of suspicious traffic and avoid crippling outages. As much as 20% of traffic was identified as anomalous, which their previous system had accepted without raising any security concerns. HAProxy Enterprise’s efficiency also resulted in cost savings, supporting 2X more requests per second on one instance than the nearest competitor.

This fast, reliable, and flexible bot management solution helps customers protect their business and reputation and reduce the resource cost of serving requests from unwanted bots.

UDP load balancing is here – and it was worth the wait

We heard from a few of you that you wanted UDP in HAProxy Enterprise, to supplement the existing support for TCP, QUIC, HTTP, and everything else. And by “a few”, I mean this was our most requested feature. Well, the wait is over and we promise it was worth it. HAProxy Enterprise’s UDP Module delivers best-in-class performance for software load balancers, capable of reliably handling 3.8 million Syslog messages per second.

Why UDP?

Adding UDP proxying and load balancing to HAProxy Enterprise is a critical move to simplify application delivery infrastructure. Previously, those with UDP applications might have used another load balancing solution alongside HAProxy Enterprise, introducing inconsistent performance, management, and deployment form factors. No one wants to deal with that extra complexity. By including UDP support in HAProxy Enterprise, alongside support for TCP, QUIC, SSL, HTTP and everything else HAProxy is known for, we provide customers with a simple, unified solution with the flexibility to proxy and load balance many more applications.

What can you do with the HAProxy Enterprise UDP Module?

HAProxy Enterprise’s UDP Module supports proxying and load balancing for time-sensitive UDP applications including – but not limited to – DNS, NTP, RADIUS, and Syslog traffic. 

You can now combine UDP proxying and load balancing with HAProxy Enterprise’s powerful features such as health checks and monitoring, extending HAProxy Enterprise’s reliability to more applications – while avoiding the complexity and overhead of managing multiple products.

Why should you use the HAProxy Enterprise UDP Module?

It’s fast. It wouldn’t be HAProxy if it wasn’t.

HAProxy Enterprise customers have long benefited from HAProxy’s legendary performance in load balancing TCP/HTTP traffic. When we decided to add UDP support, we resolved that UDP would not be treated as a second-class citizen in HAProxy Enterprise. It had to meet our high standards for performance and reliability.

Customers using HAProxy Enterprise’s UDP Module benefit from faster and more reliable UDP load balancing compared with other software load balancers. We measured excellent throughput and reliability when testing HAProxy Enterprise’s UDP Module with Syslog traffic.

Test parameters:

  • A single instance of HAProxy Enterprise 2.9.

  • A network with 100Gb/s bandwidth.

  • Log servers with a bandwidth of 40Gb/s capable of receiving 3.3M messages per second.

  • A log line message size of 1,472 Bytes. 

  • A payload of 2 million log messages sent via the load balancer to the log servers.

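|                    | Syslog UDP bandwidth | Syslog UDP messages per second | Message delivery rate |
|--------------------|----------------------|--------------------------------|-----------------------|
| HAProxy Enterprise | 46Gb/s               | 3.8M/s                         | 99.2%                 |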

In our tests, we saw that HAProxy Enterprise’s UDP Module is capable of processing 3.8 million messages per second – up to 4.6X faster than the nearest enterprise competitor. 

Reliability was also excellent. UDP is a connectionless transport protocol where some packet loss is expected due to a variety of network conditions and, when it happens, is uncorrected because (unlike TCP) there is no client-server connection to identify and correct packet loss. Despite this, we saw that HAProxy Enterprise’s UDP Module achieved a very high delivery rate of 99.2% when saturating the log server’s 40Gb/s bandwidth – 4X more reliable message delivery than the nearest enterprise competitor.

This best-in-class UDP performance compared with other software load balancers helps customers scale higher, eliminate performance bottlenecks, reduce resource utilization on servers and cloud compute, and decrease overall costs.

Try HAProxy Enterprise 2.9

The world’s leading companies and cloud providers trust HAProxy Technologies to protect their applications and APIs. High-performing teams delivering mission-critical applications and APIs need the most secure, reliable, and efficient application delivery engine available. HAProxy Enterprise’s no-compromise approach to secure application delivery empowers organizations to deliver next-level enterprise scale and innovation.

There has never been a better time to start using HAProxy Enterprise. Request a free trial of HAProxy Enterprise and see for yourself.
