HAProxy 2.0 has been released. The load balancer distributes HTTP traffic and arbitrary TCP requests among a group of servers, taking many factors into account (for example, it checks server availability, estimates load and includes DDoS countermeasures), and performs initial data filtering (for example, it can parse HTTP headers, reject requests with malformed parameters, block SQL injection and XSS, and hand content off to processing agents). HAProxy can also coordinate the interaction of components in systems built on a microservice architecture. The project is written in C and distributed under the GPLv2 license. It is used on many large sites, including Airbnb, Alibaba, GitHub, Imgur, Instagram, Reddit, StackOverflow, Tumblr, Twitter and Vimeo.

Key features of the release:

  • Introduced the new Data Plane API, which allows HAProxy settings to be managed on the fly through a REST web API: backends and servers can be added and removed dynamically, ACLs created, request routing changed, and listeners rebound to other IP addresses;
  • Added the nbthread directive, which configures the number of threads HAProxy uses to make the most of multi-core CPUs. By default the number of worker threads is chosen according to the CPU cores available in the current environment; in cloud environments a single thread is used by default. To set hard limits, the build options MAX_THREADS and MAX_PROCS were added, capping the number of threads and processes;
  • Simplified use of the bind directive for binding listeners to network addresses. It is no longer necessary to specify process parameters in the configuration: by default, connections are distributed according to the number of active connections;
  • Simplified log configuration at startup in isolated containers: the log can now be sent to stdout and stderr, as well as to any existing file descriptor (for example, “log fd@1 local0”);
  • Enabled by default support for HTX (Native HTTP Representation), which allows balancing while using advanced features such as end-to-end HTTP/2, Layer 7 Retries and gRPC. HTX does not rewrite headers in place; instead, a change is reduced to deleting the header and appending a new one at the end of the list, which lets it handle any newer version of the HTTP protocol while preserving the original header semantics, and improves performance when translating HTTP/2 to HTTP/1.1;
  • Added official support for end-to-end HTTP/2 mode (all stages are handled in HTTP/2, including calls to the backend, not just the proxy's interaction with the client);
  • Implemented full support for bidirectional gRPC proxying, with the ability to parse gRPC streams, pick out individual messages, record gRPC traffic in the log and filter messages using ACLs. gRPC lets microservices written in different programming languages interact through a universal API; its networking runs over HTTP/2 and uses Protocol Buffers for data serialization;
  • Added support for the “Layer 7 Retries” mode, which resends HTTP requests after application-level failures that are not related to network connection problems (for example, when no response or an empty response is received for a POST request). To disable the mode, the “disable-l7-retry” action has been added to the “http-request” option, and the “retry-on” option is available in the defaults, listen and backend sections for fine tuning. The following retry conditions are available: all-retryable-errors, none, conn-failure, empty-response, junk-response, response-timeout, 0rtt-rejected, as well as specific response status codes (404, etc.);
  • Implemented a new Process Manager, which allows external executables with HAProxy handlers to be launched from the configuration. For example, the Data Plane API (/usr/sbin/dataplaneapi) is implemented as such an external handler, as are various Stream Processing Offload engines;
  • Added bindings for .NET Core, Go, Lua and Python for developing SPOE (Stream Processing Offload Engine) and SPOP (Stream Processing Offload Protocol) extensions. Previously, extensions could only be written in C;
  • Added an external spoa-mirror handler (/usr/sbin/spoa-mirror) that mirrors requests to a separate server (for example, to copy part of the production traffic to a test environment in order to exercise it under real load);
  • Introduced the HAProxy Kubernetes Ingress Controller for integration with the Kubernetes platform;
  • Added built-in support for exporting statistics to the Prometheus monitoring system;
  • Extended the Peers Protocol, which is used to exchange information with other HAProxy nodes, including support for heartbeats and encrypted data transfer;
  • Added the “sample” parameter to the “log” directive, which writes only a fraction of the requests to the log (for example, 1 out of 10) to form an analytical sample;
  • Added an automatic profiling mode (the profiling.tasks directive, which accepts the values auto, on and off). Automatic profiling is enabled when the average latency exceeds 1000 ms. The “show profiling” command has been added to the Runtime API to view the profiling data, and the statistics can also be dumped to the log;
  • Added support for reaching backend servers through the SOCKS4 protocol;
  • Added end-to-end support for TCP Fast Open (TFO, RFC 7413), which reduces the number of steps needed to establish a connection by merging the first two steps of the classic three-way handshake into one and allows data to be sent during the initial stage of connection setup;
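The following configuration fragment ties together several of the directives listed above (nbthread, log fd@1, log sampling, profiling.tasks, retry-on and disable-l7-retry, the tfo bind option, proto h2 for end-to-end HTTP/2 and the Prometheus exporter service). It is an added example, not part of the release announcement; all addresses, backend names and the socket path are constructed.

```haproxy
global
    # One thread per core (2.0 picks this automatically; set it explicitly when
    # the process is pinned to a subset of the cores).
    nbthread 4
    # Container-friendly logging: file descriptor 1 is stdout, no syslog daemon needed.
    log fd@1 local0
    # Also send a 1-in-10 sample of the log lines to a collector (constructed address).
    log 192.0.2.10:514 sample 1:10 local0
    # Start task profiling automatically once average latency exceeds 1000 ms;
    # inspect it with "show profiling" on the runtime API socket below.
    profiling.tasks auto
    stats socket /run/haproxy/admin.sock mode 660 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Layer 7 retries: up to 3 attempts on connection failures, empty or garbage
    # responses, server timeouts and rejected 0-RTT data.
    retries 3
    retry-on conn-failure empty-response junk-response response-timeout 0rtt-rejected

frontend public
    # tfo enables TCP Fast Open on the listener (requires kernel support).
    bind :80 tfo
    # Built-in Prometheus exporter (HAProxy must be built with the exporter object).
    http-request use-service prometheus-exporter if { path /metrics }
    # Never replay non-idempotent POSTs, even when the request was fully sent.
    http-request disable-l7-retry if METH_POST
    use_backend grpc if { path_beg /helloworld. }
    default_backend web

backend web
    server web1 192.0.2.21:8080 check

backend grpc
    # End-to-end HTTP/2: talk cleartext h2 to the gRPC server instead of
    # downgrading to HTTP/1.1.
    server grpc1 192.0.2.22:50051 proto h2 check
```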

New actions:

  • “http-request replace-uri” to rewrite the URL using a regular expression;
  • “tcp-request content do-resolve” and “http-request do-resolve” to resolve a host name;
  • “tcp-request content set-dst” and “tcp-request content set-dst-port” to substitute the destination IP address and port.
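An added example (not from the announcement) showing the new actions working together: replace-uri rewrites legacy paths, do-resolve looks up the Host header through a resolvers section at request time, and set-dst routes the request to the resolved address. The resolvers name mydns, the variable txn.dstip, the example.com suffix and all addresses are assumptions; the Host allowlist is there so the proxy cannot be pointed at arbitrary hosts.

```haproxy
resolvers mydns
    # Constructed resolver address; use the environment's real DNS server.
    nameserver dns1 192.0.2.53:53
    timeout retry 1s
    hold valid 10s
    hold nx 3s
    hold other 3s
    hold obsolete 0s
    accepted_payload_size 8192

frontend fe
    mode http
    bind :80
    # Rewrite legacy paths in place: /old/foo becomes /new/foo.
    http-request replace-uri ^/old/(.*) /new/\1
    # Only resolve hosts we own; without this, clients could steer the proxy
    # at any name the resolver can answer.
    http-request deny unless { hdr(host),lower -m end .example.com }
    # Resolve the Host header to an IPv4 address and store it in txn.dstip.
    http-request do-resolve(txn.dstip,mydns,ipv4) hdr(host),lower
    # Fail closed if the lookup produced no address.
    http-request deny deny_status 503 if !{ var(txn.dstip) -m found }
    default_backend dynamic

backend dynamic
    mode http
    # Send the request to whatever Host resolved to, on port 8080.
    http-request set-dst var(txn.dstip)
    http-request set-dst-port int(8080)
    # 0.0.0.0:0 means "use the destination address and port set above".
    server clear 0.0.0.0:0
```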

New converters:

  • aes_gcm_dec to decrypt streams using the AES128-GCM, AES192-GCM and AES256-GCM algorithms;
  • protobuf to extract fields from Protocol Buffers messages;
  • ungrpc to extract fields from gRPC messages.