HAProxy

The Reliable, High Performance TCP/HTTP Load Balancer

Quick links

HAProxyTech's blog, and the mailing-list announcement.

Feb, 12th, 2026 : CVE-2026-26080 and CVE-2026-26081

Two vulnerabilities affecting some deep parts of the QUIC parsing were reported against versions 3.0 and above (CVE-2026-26081) and 3.2 and above (CVE-2026-26080). These were fixed and new versions were emitted (3.0.12, 3.1.14, 3.2.12, 3.3.3). The risk is that specially crafted packets could crash the process. More details on HAProxy Tech's blog. We'd like to particularly thank the reporter, Asim Viladi Oglu Manizada, for his responsible disclosure coming with a detailed analysis and a working reproducer.

Dec, 3rd, 2025 : HAProxy Technologies' Performance Packages

It's no news that many users have been hit by the massive performance cost caused by the switch to OpenSSL 3.x a few years ago. Even if things are less dramatic with 3.1-3.6 than they were with 3.0 -- and we're actively working with the OpenSSL team to help improve the situation --, the cost of leaving OpenSSL 1.1.1 is still important for large-scale users. We've also been working with alternatives such as WolfSSL and AWS-LC that provide excellent performance (even beyond OpenSSL 1.1.1), but neither is packaged in mainstream distros. For this reason, HAProxy Technologies decided to provide a set of Performance Packages for latest Debian, Ubuntu, and soon RHEL, containing the latest HAProxy stable version built against the latest AWS-LC stable version, which currently happens to be the most feature-complete and versatile alternative to OpenSSL. We hope this will save power users from having to decide between maintaining their own packages and dependencies or doubling the number of servers.

Older news...

high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers a significant portion of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it's used when the admins report it :-)

The HAProxy core team maintains multiple versions in parallel. Since version 1.8, two major version are emitted every year. The first digit usually indicates a breaking change (config format etc) but in practice rarely changes. The second digit indicates new features. Both constitute a branch. One extra number appears after these digits to indicate the bug fix release.

The core team deploys a lot of efforts backporting fixes to older releases while being extremely careful not to break anything. For this reason, it is really important to stay up to date within one branch, i.e. having the highest possible number on the last digits.

Branches with an even number are called "LTS" (for "long term support") and area maintained for 5 years after their release. During this time they will receive fixes for bugs that are discovered after the release. These branches are aimed at general users who seek extreme stability and do not want to qualify a new version too often but still want to receive fixes.

Branches with an odd number are only called "stable", they're aimed at highly skilled users who prefer to upgrade often to benefit from modern features, and who are also able to roll back in case of problem. These versions are maintained between 12 and 18 months. The duration is short and purposely not strict so that the maintenance cycle is decided with users based on feedback, and so that these versions do not end up in embedded products. It may happen that a few features are backported to these version if there is some reasonable demand and the operation is considered riskless enough.

Everyone used to dealing with production knows that it's difficult to upgrade components in field when one has to plan and advertise upwards of any operation. For this reason, the HAProxy core team doesn't insist on users to upgrade, will not ask someone to switch to a new branch (unless they ask for a feature that is part of that other branch), but will often ask the user to re-check with the latest version of their branch before reporting a problem, because nobody likes to troubleshoot a problem a second time. It's often suggested to use the versions that come with the operating system when it follows the official maintenance cycle, and depending on the expected level of stability or exposure, some users may want to update as soon as an update is available while others may prefer to wait a few weeks to a month to be sure the update is reliable enough for them.

Here's a very rough history of changes in each major version:

• version 3.4 : dynamic backends, QMux, ACME with dns-persist-01, OpenTelemetry
• version 3.3 : QUIC on the backend, persistent stats, more seamless ACME, Kernel TLS+splicing, TLS ECH, improved performance and observability
• version 3.2 : ACME & SSL management, improved CPU scalability, QUIC performance, improved troubleshooting
• version 3.1 : troubleshooting, improved config reliability, improved QUIC and H2 performance, new SPOE engine, finer error reporting
• version 3.0 : crt-stores, persistent stats, syslog load balancing, JSON&CBOR log encoding, virtual maps &acls, zero-copy from the cache, H2/H3 protocol-level protections
• version 2.9 : reverse-http, log backends, zero-copy forwarding, memory usage reduction, increased bandwidth, better general scalability, AWS-LC support, QUIC openssl compat layer, PROXY protocol manipulation
• version 2.8 : QUIC now prod ready, Lua-based mailers, OCSP auto updates, LetsEncrypt, wolfSSL support, RFC7239 "forwarded", listeners on more than 64 threads, perf/usability/reliability/observability improvements
• version 2.7 : Traffic shaping, QUIC improvements, thread groups, easier switch to alternate SSL libraries, improved debugging
• version 2.6 : QUIC/HTTP3, OpenSSL 3.0, better usability, improved code accessibility and maintenance
• version 2.5 : runtime server addition/removal, runtime CA/CRL updates, native HTTP client, simplified HTTPS logging, default TCP/HTTP rulesets, JWT validation, and more
• version 2.4 : syslog and DNS over TCP, multi-threaded Lua, full sharing of idle conns, lower latency, server-side dynamic SSL update, Opentracing, WebSocket over H2, atomic maps, Vary support, new debugging tools, even more user-friendly CLI and configuration, lots of cleanups
• version 2.3 : syslog forwarding, better idle conn management, improved balancing with large queues, simplified SSL managment, more stats metrics, stricter config checking by default, general performance improvements
• version 2.2 : runtime certificate additions, improved idle connection management, logging over TCP, HTTP "return" directive, errorfile templates, TLSv1.2 by default, extensible health-checks
• version 2.1 : improved I/Os and multi-threading, FastCGI, runtime certificate updates, HTX-only, improved debugging, removal of obsolete keywords
• version 2.0 : gRPC, layer 7 retries, process manager, SSL peers, log load balancing/sampling, end-to-end TCP fast-open, automatic settings (maxconn, threads, HTTP reuse, pools), ...
• version 1.9 : improved multi-threading, end-to-end HTTP/2, connection pools, queue priority control, stdout logging, ...
• version 1.8 : multi-threading, HTTP/2, cache, on-the fly server addition/removal, seamless reloads, DNS SRV, hardware SSL engines, ...
• version 1.7 : added server hot reconfiguration, content processing agents, multi-type certs, ...
• version 1.6 : added DNS resolution support, HTTP connection multiplexing, full stick-table replication, stateless compression, ...
• version 1.5 : added SSL, IPv6, server-side keep-alive, DDoS protection, ...
• version 1.4 : client-side keep-alive, stick to any expression, more complete CLI
• version 1.3 : ACL & content switching (frontend/backend split), CLI, TCP splicing, dynamic LB algos
• version 1.2 : epoll, queuing, more LB algorithms
• version 1.1 : health checks, cookie insertion
• version 1.0 : high availability, cookie-based stickiness

Hide/Show older ones ...

this test run on AWS ARM-based Graviton2, HAProxy scales very well with threads and was shown to be able to reach 2 million requests/s over SSL and 100 Gbps for forwarded traffic.

This is made possible thanks to its event-driven architecture that allows to react extremely quickly to I/O events, its parallelism on SMP machines provided by light multi-threading, a task scheduler that permanently composes between low-latency and high throughput, and generally speaking a permanent quest of resource savings at every single architecture layer. These efforts tend to cost a bit in development time but are immediately valued by users who are able to reduce their number of machines upgrade after upgrade. For the vast majority of common loads, the HAProxy process is simply not noticed, which tends to make its users forget it, sometimes resulting in questions regarding extremely old versions.

Please consult this section for more information on the architecture details and some performance test results.

coding style aims at avoiding common traps when writing or reviewing code. Some high standards are sought when it comes to dealing with unvalidated data. Non-portable functions and those having unreliable behaviors are avoided or replaced. Input data gets sanitized very early in the lower layers. Resource usage is carefully controlled. Dangling pointers are forbidden in the code via careful release functions. These standards already help eliminate a great deal of uncertainty in the code itself.

Since zero-bug is not reasonable, the product embarks a number of defensive measures, such as chroot, privilege drops, fork prevention, strict protocol validation, checks for impossible states and detailed traces in case of violation detection, etc. All these usually result in an attempt to exploit a real bug in a failure or possibly a crash. These measures have to be purposely disabled by the user using sufficiently evocative commands so that the reason for doing so has to be regularly questioned.

HTML versions are direct translations from the text version automatically performed by Cyril Bont�'s excellent documentation converter, dconv. A TeX-oriented variant able to produce PDFs was also created by Pavel Lang for versions 1.4 and 1.5 but it is not maintained anymore.

1. HAProxy Technologies to hire some professional services or subscribe a support contract ;
2. install HAProxy Enterprise load balancer, which is a long-term maintained HAProxy package accompanied by a well-polished collection of software, scripts, configuration files and documentation which significantly simplifies the setup and maintenance of a completely operational solution ; it is particularly suited to Cloud environments where deployments must be fast.
3. try an ALOHA appliance (hardware or virtual), which will even save you from having to worry about the system, hardware and from managing a Unix-like system.

• 
  Read the list archives on mail-archive
  Read the list pre-2009 archives on Marc.info
  
  Subscribe to the list :
  Unsubscribe from the list :
• HAProxy site in HTTPS (needed for HTTP/3 and HTTP/2) : https://www.haproxy.org/
• Willy' main site : http://1wt.eu/
• e-mail :

Some people regularly ask if it is possible to send donations, so I have set up a Paypal account for this. Click here if you want to donate.

An IRC channel for HAProxy has been opened on Libera.Chat:

irc://irc.libera.chat/%23haproxy

https://slack.haproxy.org/