Release Notes
To facilitate the maintenance of this LTS release, this version upgrades many of its open-source components. It also includes the latest HAProxy updates.
What's new, improved and removed
- Advanced WAF
  - New match zones, `$COOKIES_VAR` and `$COOKIES_VAR_X`, allow rules to match violations found in specific HTTP cookies, complementing the less specific `$HEADERS_VAR` and `$HEADERS_VAR_X` match zones.
  - A new variable, `txn.<filter>.wlcnt`, returns the number of disabled rules that would have matched the current request.
  - The `filter waf` line now supports a parameter named `log-wl` that includes disabled WAF rule violations in extended logs.
  - The `filter waf` line now supports a parameter named `log-ext-nonzero` that enables extended logs only when the violated rule had a non-zero score or triggered an immediate action, cutting down on noise in the logs.
  - The `filter waf` line now supports a parameter named `table-categorized` that prefixes entries in the violated-rules stick table with the category of the violated rule.
  - The `filter waf` line's `body-limit` parameter defaults to the global option `waf-body-limit`, which now defaults to `tune.bufsize` rather than the compile-time value of `BUFSIZE`.
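The following configuration is an added example, not taken from these release notes or from the product documentation. It assumes the Advanced WAF module is loaded and that the filter instance is named `waf`, so the counter described above is reachable as `txn.waf.wlcnt`; the placement of the `log-wl`, `log-ext-nonzero` and `table-categorized` parameters on the `filter waf` line is an assumption based on the notes.

```haproxy
# Added example (not from the release notes). Assumes the Advanced WAF module is
# loaded and that the filter instance is named "waf", so the counter from the
# notes is reachable as txn.waf.wlcnt. Parameter placement is an assumption.
global
    # waf-body-limit is left unset, so it inherits tune.bufsize (32 KB here),
    # and the filter's body-limit inherits waf-body-limit in turn.
    tune.bufsize 32768

frontend www
    bind :443 ssl crt /etc/hapee-lb/certs/site.pem
    # log-wl            : also log violations of disabled (whitelisted) rules
    # log-ext-nonzero   : extended log lines only when a rule scored or acted
    # table-categorized : prefix violated-rules table entries with the rule category
    filter waf log-wl log-ext-nonzero table-categorized
    # Record how many disabled rules would have matched. Reviewing this count
    # during a tuning period shows which whitelists are actually doing work.
    log-format "%ci:%cp [%tr] %ft %b/%s %ST %B waf_wlcnt=%[var(txn.waf.wlcnt)] %{+Q}r"
    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

Keeping `waf_wlcnt` in the access log (rather than only in the extended WAF log) makes it easy to spot requests that were let through solely because a rule was disabled, which is the first thing to check when deciding whether a whitelist can be removed.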
- ModSecurity WAF
  - To associate WAF logs with load balancer logs, you could already use the unique identifier that ModSecurity creates by referencing the `txn.<filter>.unique_id` variable and appending it to your load balancer logs. Now, you can define a different unique ID format by setting the `use-unique-id-format` parameter on the `filter modsecurity` line and then defining a new format with the `unique-id-format` directive.
  - A new parameter, `use-vars`, on the `filter modsecurity` line stops ModSecurity from denying suspicious requests itself and delegates that decision to the load balancer. A variable named `txn.<filter>.block` returns true when the WAF would have denied the request. You can read this variable and then decide on a response policy to enforce. Other variables that support this include `txn.<filter>.error`, `txn.<filter>.status`, and `txn.<filter>.url`.
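The configuration below is an added example, not part of the release notes. It assumes a ModSecurity filter instance named `modsec` (so the variables above appear as `txn.modsec.*`) and a ruleset at a hypothetical path; the `id` and `config` parameters on the `filter modsecurity` line are assumptions, only `use-vars` and `use-unique-id-format` are named in the notes.

```haproxy
# Added example (not from the release notes). Assumes a filter instance named
# "modsec" and a hypothetical ruleset path; the id/config parameters are assumptions.
frontend www
    bind :80
    # One request ID shared by the load balancer log and ModSecurity's audit log,
    # so a blocked request can be traced across both.
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    unique-id-header X-Request-ID
    # use-vars: ModSecurity evaluates the request but does not deny it; the
    # decision is made by the rules below, using txn.modsec.block.
    filter modsecurity id modsec config /etc/hapee-lb/modsec/modsecurity.conf use-vars use-unique-id-format
    # Enforce with a 403 when the WAF would have blocked the request.
    http-request deny deny_status 403 if { var(txn.modsec.block) -m bool }
    # Log the WAF verdict and status alongside the shared request ID.
    log-format "%ci [%tr] %ft %ST id=%ID modsec_block=%[var(txn.modsec.block)] modsec_status=%[var(txn.modsec.status)] %{+Q}r"
    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

Because the verdict is just a variable, the same setup can run in log-only mode during a ruleset rollout by removing the `http-request deny` line while keeping the `log-format`, then re-enabling enforcement once the false-positive rate in the logs is acceptable.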
- Traffic shaping
  - New directives, `filter bwlim-in` and `filter bwlim-out`, support limiting upload and download speeds for clients. Set bandwidth limits that apply per HTTP stream or to all streams associated with a stick table entry, such as a limit per client IP address or per backend application.
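An added example of both limit styles, per stream and per stick table entry (this is not configuration from the release notes; the filter names, the limit values and the backend are constructed for illustration):

```haproxy
# Added example (not from the release notes). Limit values are constructed.
backend app
    # Shared table keyed by client IP. bytes_out_rate(1s) is what the shared
    # bwlim-out filter measures against, so its period is the limit period.
    stick-table type ip size 100k expire 1h store bytes_out_rate(1s)

    # Per-stream download cap: each response is limited to 500 KB/s on its own.
    filter bwlim-out per-stream default-limit 500k default-period 1s
    # Shared download cap: all streams from one client IP share 2 MB/s.
    # No "table" argument, so the backend's own stick table above is used.
    filter bwlim-out per-client limit 2m key src
    # Per-stream upload cap for request bodies.
    filter bwlim-in upload default-limit 200k default-period 1s

    # Limits only take effect on a stream once they are enabled by a rule.
    http-request set-bandwidth-limit upload
    http-response set-bandwidth-limit per-client
    # Apply the per-stream cap to bulk downloads only.
    http-response set-bandwidth-limit per-stream if { res.hdr(Content-Type) -m beg application/octet-stream }

    server app1 10.0.0.10:8080 check
```

The two download filters stack: a single client gets at most 500 KB/s per file and, whatever it does with parallel connections, at most 2 MB/s in total, which is the shape of limit that keeps one abusive or misconfigured client from starving the rest.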
- Load balancing
  - A generic load balancing algorithm named `hash` was introduced and serves as a replacement for the more specific `source`, `uri`, `url_param`, and `rdp-cookie` algorithms. It accepts a fetch method as a parameter, which indicates the data used to calculate the hash.
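The following is an added example of the `hash` algorithm, not configuration from the release notes; the `X-Tenant-Id` header and the server addresses are constructed:

```haproxy
# Added example (not from the release notes). Header name and servers are constructed.
backend app
    # Hash on the tenant header (case-folded) so a tenant's requests keep landing
    # on the same server and its cache stays warm. Requests without the header
    # produce no sample, and HAProxy then falls back to round robin.
    balance hash req.hdr(X-Tenant-Id),lower
    # Consistent hashing moves only the affected tenants when a server is
    # added or removed, instead of reshuffling every key.
    hash-type consistent
    server app1 10.0.0.10:8080 check
    server app2 10.0.0.11:8080 check
    server app3 10.0.0.12:8080 check
```

The same `balance hash` line with `src` as the expression reproduces the old `source` algorithm, and with `path` it reproduces `uri`; the benefit of the generic form is that any sample fetch and converter chain can be used, including ones that normalise the key first, as `lower` does here.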
- TLS and mTLS
  - When you enable client certificate authentication with the `verify required` parameter on a `bind` line, you must also specify the `ca-file` parameter, which indicates the CA certificate used to verify the client's certificate. Now, `ca-file` accepts a path to a directory of CA certificates.
  - Similarly, in a `backend`, you can set the `ca-file` parameter on a `server` line to verify the backend server's TLS certificate against a known CA. This `ca-file` parameter now accepts a path to a directory of certificates, or you can set it to `@system-ca` to load your system's list of trusted CAs.
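An added example showing both uses of `ca-file`, a directory of client CAs on the `bind` line and `@system-ca` on the `server` line (not configuration from the release notes; the paths and host names are constructed):

```haproxy
# Added example (not from the release notes). Paths and host names are constructed.
frontend www
    # Clients must present a certificate chaining to one of the CAs in the
    # directory; a directory lets CAs be rotated without rewriting one bundle.
    bind :443 ssl crt /etc/hapee-lb/certs/site.pem verify required ca-file /etc/hapee-lb/certs/client-cas/
    # Forward the verified subject DN only when a client certificate was used,
    # so the backend never trusts a header the client could have set itself.
    http-request del-header X-Client-DN
    http-request set-header X-Client-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }
    default_backend app

backend app
    # Re-encrypt to the backend and verify its certificate against the OS
    # trust store; "sni" makes the name check match the server's certificate.
    server app1 app1.internal:8443 ssl verify required ca-file @system-ca sni str(app1.internal) check
```

Deleting `X-Client-DN` before conditionally setting it is the part that matters for security: without it, an unauthenticated request carrying a forged header would reach the backend looking like an authenticated one.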
- Lua
  - The Lua programming language integration gained the `CertCache` class, which lets you update an SSL certificate in the load balancer's runtime memory.
  - The Lua `httpclient` class, which lets you make non-blocking HTTP calls, now supports a `dst` parameter and a `timeout` parameter. The former sets the destination address and the latter sets a `timeout server` value. New global directives support this: `httpclient.ssl.ca-file`, `httpclient.ssl.verify`, `httpclient.resolvers.id`, and `httpclient.resolvers.prefer <ipv4|ipv6>`.
- Fetches and converters
  - New fetches have been added: `last_rule_file`, which returns the name of the configuration file (e.g. `hapee-lb.cfg`) that contains the last line processed during stream analysis, and `last_rule_line`, which returns the line number. Use this to locate the `http-request deny` line that stopped a request, for example.
  - A new converter has been added: `add_item`, which concatenates strings with a delimiter between them, such as a semicolon.
- Other keyword changes
  - The `set-var` directives, such as `http-request set-var`, now accept a second parameter to only set the variable if a condition is true. Conditions include: `ifexists`, `ifnotexists`, `ifempty`, `ifnotempty`, `ifset`, `ifnotset`, `ifgt`, `iflt`. For example, to set the variable only if it has not already been set: `http-request set-var(txn.myvariable,ifnotset) req.hdr(X-MyValue)`.
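The following added example ties together the `set-var` conditions from this section with the `last_rule_file`, `last_rule_line` and `add_item` additions from the fetches and converters section above. It is not configuration from the release notes; the variable names, header name, paths and the deny rule are constructed for illustration.

```haproxy
# Added example (not from the release notes). Variable names, header, paths and
# the deny rule are constructed for illustration.
frontend www
    bind :80

    # Take the tenant from a header when present, otherwise fall back to a
    # default. ifnotset makes the second line a no-op when the first one ran.
    http-request set-var(txn.tenant) req.hdr(X-Tenant-Id) if { req.hdr(X-Tenant-Id) -m found }
    http-request set-var(txn.tenant,ifnotset) str(public)

    # Risk score: start from a baseline so ifgt always has a value to compare
    # against, then let later rules only ever raise it, never lower it.
    http-request set-var(txn.risk) int(10)
    http-request set-var(txn.risk,ifgt) int(40) if { path_beg /admin }
    http-request set-var(txn.risk,ifgt) int(80) if { src -f /etc/hapee-lb/risky-networks.lst }

    # add_item joins the two values with a semicolon: e.g. "public;80".
    http-request set-var(txn.trace) var(txn.tenant),add_item(";",txn.risk)

    # A final rule. last_rule_file:last_rule_line in the log points back at it.
    http-request deny deny_status 403 if { var(txn.risk) -m int ge 80 }

    log-format "%ci [%tr] %ST trace=%[var(txn.trace)] rule=%[last_rule_file]:%[last_rule_line] %{+Q}r"
    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

With several `http-request deny` lines spread across included files, the `rule=` field is what lets an operator go from a 403 in the log straight to the line that produced it, without reproducing the request.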
- Performance upgrades
  - Performance optimizations were made to the task scheduler, connection dequeuing, and connection stream code.