Releases: cloudfoundry/haproxy-boshrelease
v9.3.0
New Features
- Added support for HAProxy's experimental multi-threading logic.
  Previously, this boshrelease used ha_proxy.threads to set the nbproc
  value of HAProxy, causing a multi-threaded behavior by spawning multiple
  HAProxy processes. In v1.8.x, built-in multi-threading was enabled in an
  experimental mode. This can be enabled via ha_proxy.nbthread. Adding
  multi-threading works in conjunction with multi-process HAProxy, or on its own.

  To reduce confusion, the ha_proxy.threads property has been deprecated,
  but still affects the number of processes run. In the future, ha_proxy.nbproc
  should be used. To enable the experimental multi-threading, use ha_proxy.nbthread.

  Note: One of the upsides to multi-thread vs multi-process is that the threads
  are able to share memory, resulting in the need for only one stats socket/listener.
  One of the downsides is that LUA scripts are globally single-threaded, so only one
  script will run at a time, ever. HAProxy can still service requests that don't involve
  calling LUA code, but multiple calls requiring LUA will be serialized.
Updates
- HAProxy was updated to v1.8.13
Deprecation Warning!
ha_proxy.threads is hereby deprecated, and will be removed in the next major
version of the boshrelease. It previously referred to the number of HAProxy
processes running, and was going to be confusing with the added thread support.
Please use ha_proxy.nbproc instead.
Acknowledgments
Thanks @teancom for all the amazing work once again!
Deployment
releases:
- name: haproxy
  version: 9.3.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.3.0/haproxy-9.3.0.tgz
  sha1: 384de4ad378b940641a34cda1c63fdc02c901b8f
v9.2.1
Typo fix to allow the TCP Router backend to work.
Thanks to eagle-eyed @ljfranklin for catching this!
Deployment
releases:
- name: haproxy
  version: 9.2.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.2.1/haproxy-9.2.1.tgz
  sha1: b37404f8029517a704364a67637265f1109b08fc
v9.2.0
KNOWN ISSUES
There is a bug in this release which results in it being incompatible with the CF TCP Router (or anything providing the tcp_router link).
New Features
- The haproxy job can now be easily configured to use the CF Routing tier's HTTP-based
  health checks. Specify ha_proxy.backend_use_http_health = true to enable it. If custom
  ports or URIs are necessary for HTTP backend health checks, they can be specified via
  ha_proxy.backend_http_health_port and ha_proxy.backend_http_health_uri. There are similar
  properties available for the ha_proxy.routed_backends data structures via the
  backend_use_http_health, backend_http_health_port, and backend_http_health_uri
  properties on each routed backend definition.

  Generic TCP routing was not updated with support for custom HTTP backends. However, when the
  tcp_router link is consumed from Cloud Foundry, it now enforces the use of HTTP health checks
  to the TCP router. Previously, only a TCP port check on port 80 was done.
- Added a property to allow lua scripts to be easily loaded into the HAProxy config
  via ha_proxy.lua_scripts. This is a list of full paths to the lua script on disk.
  You'll want to provide those with some other boshrelease.
- Added a property for providing arbitrary frontend config to haproxy via
  ha_proxy.frontend_config. This applies to all of the haproxy frontends.
- Added properties for providing arbitrary backend config to haproxy backends via
  ha_proxy.backend_config and ha_proxy.tcp_backend_config
  (the former will be used on default + routed HTTP backends, the latter on
  all tcp-mode backends).
- Added a property for providing arbitrary global config to haproxy via
  ha_proxy.global_config.
- Improved logging to include info related to health check/backend status, and elevate log levels for error messages.
Fixes
- The default logging endpoint has changed from 127.0.0.1 to /dev/log, which resolves
  issues where haproxy was deployed on a VM that did not have TCP/UDP listeners enabled
  in rsyslog.
Acknowledgements
Thanks @teancom for helping out with the features for this release! Many thanks to @macox for the backend_config support!
Deployment
releases:
- name: haproxy
  version: 9.2.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.2.0/haproxy-9.2.0.tgz
  sha1: 1f9fca2c0143e6f385c13567b405e7b5087b4157
v9.1.0
New Features
- Added a new ha_proxy.raw_config attribute, to allow users to specify an
  entire haproxy config to be used. This replaces all other haproxy config logic
  in the boshrelease, and should be used with care.
- HAProxy is now compiled with LUA support, which may be useful when providing
  a custom config.
Acknowledgements
Thanks @teancom for the help!
Deployment
releases:
- name: haproxy
  version: 9.1.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.1.0/haproxy-9.1.0.tgz
  sha1: 2cbcec6e3a32a27c333ef451474a3f4d0e840f87
v9.0.0
New Features
haproxy_boshrelease now supports the same X-Forwarded-Client-Cert behaviors as the
gorouter. You can set ha_proxy.forwarded_client_cert to always_forward_only, forward_only,
or sanitize_set. However, the default for haproxy_boshrelease is sanitize_set. This differs
from previous behaviors.
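The three modes named above, modelled as an added example (not code from this release or from the gorouter). The release note only names the modes; their semantics here are assumed from the gorouter's documented behaviour for the equivalent setting, and the function names and sample values are hypothetical.

```python
# Added illustration: which forwarded_client_cert modes let a client-chosen
# X-Forwarded-Client-Cert value reach the backend.
# Assumption: mode semantics follow the gorouter's documented behaviour.
XFCC = "X-Forwarded-Client-Cert"
MODES = ("always_forward_only", "forward_only", "sanitize_set")


def apply_xfcc_mode(mode, headers, client_cert=None):
    """Return the request headers the backend would see.

    headers     -- dict of headers as sent by the client
    client_cert -- encoded certificate verified in the TLS handshake,
                   or None when the connection is not mutual TLS
    """
    if mode not in MODES:
        raise ValueError(f"unknown forwarded_client_cert mode: {mode}")
    # Header names are case-insensitive, so match on the lowercased name.
    out = {k: v for k, v in headers.items() if k.lower() != XFCC.lower()}
    inbound = next((v for k, v in headers.items() if k.lower() == XFCC.lower()), None)

    if mode == "always_forward_only":
        # Inbound header passes through untouched, mTLS or not.
        if inbound is not None:
            out[XFCC] = inbound
    elif mode == "forward_only":
        # Inbound header passes through only on mTLS connections.
        if inbound is not None and client_cert is not None:
            out[XFCC] = inbound
    else:  # sanitize_set
        # Inbound value is always dropped; the proxy writes its own on mTLS.
        if client_cert is not None:
            out[XFCC] = client_cert
    return out


def client_controls_xfcc(mode, mtls):
    """True if a header value chosen by the client reaches the backend."""
    spoofed = "constructed-spoofed-value"                  # constructed sample
    verified = "constructed-verified-cert" if mtls else None
    seen = apply_xfcc_mode(mode, {"Host": "app.example.test", XFCC: spoofed}, verified)
    return seen.get(XFCC) == spoofed


def exposure_matrix():
    """Map (mode, mtls) to whether the backend sees client-supplied XFCC."""
    return {(m, mtls): client_controls_xfcc(m, mtls)
            for m in MODES for mtls in (False, True)}
```

Under these assumptions only sanitize_set gives the backend a header that always originates from the proxy, so a backend that authorizes on this header under either of the other modes is trusting whatever sits in front of HAProxy.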
Acknowledgements
Thanks to @jgf for supplying this feature!
Deployment
releases:
- name: haproxy
  version: 9.0.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.0.0/haproxy-9.0.0.tgz
  sha1: 88e72b43d225f8818aef6466ed5775f93edcee95
v8.9.0
Improvements + Bug Fixes
- X-Forwarded-Client-Cert header is now added if client certificate is present during mutual TLS.
  Thanks @jgf for the addition!
- Fixed a path typo for the ttar package. Thanks @ntdt for the fix!
- HTTP health check ports are now configurable, thanks to @LowLatency!
Deployment
releases:
- name: haproxy
  version: 8.9.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.9.0/haproxy-8.9.0.tgz
  sha1: 0a135d9f5ce4e32dc9f1afd9a0e93baeff71c62d
v8.8.0
Improvements
There is now a more flexible option for using ACLs to restrict access to
requests, using the ha_proxy.http_request_deny_conditions property:

example:

http_request_deny_conditions:
- condition:
  - acl_name: block_host
    acl_rule: "hdr_beg(host) -i login"
  - acl_name: block_reset_password_url
    acl_rule: "path_beg,url_dec -m beg -i /reset_password"
Acknowledgements
Thanks @stefanlay for providing this feature!
Deployment
releases:
- name: haproxy
  version: 8.8.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.8.0/haproxy-8.8.0.tgz
  sha1: 7b262d39568d891ce89f1e48f58ccde5de5e5b58
v8.7.0
New Features
- haproxy has been upgraded to v1.8.4 from v1.6.12
- haproxy is now built with pcre2 10.32, and pcre2 JIT enabled
- With the introduction of haproxy v1.8.4, there is now support for
  per-certificate TLS binding options. To make use of this, use
  ha_proxy.crt_list instead of ha_proxy.ssl_pem. It allows
  custom client_ca_file, verify, ssl_ciphers, and client_revocation_list
  settings for each provided certificate, as well as an snifilter to
  restrict use of each cert to specific domains.

  For more information:
- There is now an ha_proxy.disable_tcp_accept_proxy parameter to disable the PROXY protocol
  for tcp-based backends while still leaving it enabled for http/https based backends
Fixes
- haproxy.config.erb has been cleaned up considerably, and
  should be a lot more readable pre and post template rendering.
- The HTTP frontend now supports accept-proxy.
- Bugs where accept-proxy was not honored during mutual TLS have been
  resolved
- ha_proxy.client_cert is no longer required to enable TLS. It is
  still honored to enable mutual tls, but the boshrelease will also
  use the presence of the following parameters to enable mutual TLS:
  - ha_proxy.client_ca_file
  - ha_proxy.client_revocation_list
  - ha_proxy.crt_list.<i>.client_ca_file
  - ha_proxy.crt_list.<i>.client_revocation_list
  - ha_proxy.crt_list.<i>.verify - only when value is not "none"
- The following options are now honored in the :4443 backend:
  - ha_proxy.cidr_whitelist
  - ha_proxy.cidr_blacklist
  - ha_proxy.block_all
  - ha_proxy.hsts_*
  - ha_proxy.rsp_headers
- The X-Forwarded-Client-Cert header is now set for requests in the :4443 backend.
- The X-Forwarded-Proto header behavior in the :4443 backend now
  matches the behavior in the :443 backend
- Spec descriptions + examples were updated for resolvers
Acknowledgements
Many thanks to @jgf and @dueckminor for their work on crt-list and assistance testing
everything else out!
Deployment
releases:
- name: haproxy
  version: 8.7.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.7.0/haproxy-8.7.0.tgz
  sha1: 7898c1894c4b3254aa4a0ade0a02d33cf6c5c59a
v8.6.1
Bug Fixes
- keepalived now waits on all its children to exit, and tracks the PID of the checker
  process.
- Fixed a bug that prevented keepalived configs from being properly generated when specifying
  interfaces explicitly using the keepalived.interface property.
Acknowledgements
Thanks @poblin-orange and @aveyrenc for finding and squashing these bugs!
Deployment
releases:
- name: haproxy
  version: 8.6.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.6.1/haproxy-8.6.1.tgz
  sha1: 47f5a23d54998ad00e001ba9cd00879f8fb6f159
v8.6.0
New Features
- tcp-routing support. HAProxy can now consume the tcp-routing link
  from the routing-release.
  Ports used by HAProxy for this can be controlled via the ha_proxy.tcp_routing.port_range
  property.
Acknowledgements
Thanks @ishustava for adding this feature!
Deployment
releases:
- name: haproxy
  version: 8.6.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.6.0/haproxy-8.6.0.tgz
  sha1: 673cd82ce0a42576faae163fbecb7f47c6122a52