HAProxy 2.0 HTTP/TCP balancer release

HAProxy 2.0, a load balancer that distributes HTTP traffic and arbitrary TCP connections across a group of servers, has been released. It takes many factors into account (for example, it checks server availability, evaluates load levels and provides DDoS countermeasures) and performs first-line data filtering (for example, it can parse HTTP headers, filter out malformed request parameters, block SQL injection and XSS, and hand content off to external processing agents). HAProxy can also be used to coordinate the interaction of components in systems built on a microservice architecture. The project is written in C and licensed under GPLv2. It is used by many major sites, including Airbnb, Alibaba, GitHub, Imgur, Instagram, Reddit, StackOverflow, Tumblr, Twitter and Vimeo.

Key features of the release:

  • A new Data Plane API has been introduced, which allows HAProxy settings to be managed on the fly via a REST web API. Among other things, backends and servers can be added and removed dynamically, ACLs created, request routing changed, and handler bindings to IP addresses changed;
  • Added the nbthread directive to adjust the number of threads HAProxy uses, in order to optimize performance on multi-core CPUs. By default the number of worker threads is chosen according to the CPU cores available in the current environment; in cloud environments a single thread is set by default. For hard limits, the build options MAX_THREADS and MAX_PROCS have been added, which cap the number of threads and processes;
  • Simplified use of the bind directive for binding handlers to network addresses. It is no longer necessary to specify process parameters in the configuration: by default, connections are distributed among threads according to the number of active connections;
  • Simplified log setup when running in isolated containers: the log can now be directed to stdout and stderr, as well as to any existing file descriptor (for example, "log fd@1 local0");
  • HTX (native HTTP representation) support is enabled by default, providing balancing when advanced features such as end-to-end HTTP/2, Layer 7 Retries and gRPC are used. HTX does not replace headers in place; instead, a modification is reduced to removing the header and appending a new one to the end of the list. This allows any extended versions of the HTTP protocol to be manipulated while preserving the original semantics of the headers, and gives higher performance when translating HTTP/2 to HTTP/1.1 and vice versa;
  • Added official support for end-to-end HTTP/2 mode (handling all stages in HTTP/2, including calls to the backend, not just the proxy's interaction with the client);
  • Full support for bidirectional gRPC proxying has been implemented, with the ability to parse gRPC streams, extract individual messages, reflect gRPC traffic in the log, and filter messages using ACLs. gRPC lets microservices written in different programming languages interact with each other through a universal API. gRPC network communication runs on top of the HTTP/2 protocol and uses Protocol Buffers for data serialization;
  • Added support for the "Layer 7 Retries" mode, which allows HTTP requests to be resent after software failures that are not related to problems establishing the network connection (for example, no response or an empty response to a POST request). To disable the mode, the "disable-l7-retry" flag has been added to the "http-request" option, and a "retry-on" option has appeared in the defaults, listen and backend sections for fine-tuning. The following retry flags are available: all-retryable-errors, none, conn-failure, empty-response, junk-response, response-timeout, 0rtt-rejected, and binding to returned status codes (404, etc.);
  • A new Process Manager has been implemented that allows external executables with HAProxy handlers to be launched. For example, the Data Plane API (/usr/sbin/dataplaneapi) is implemented as such an external handler, as are various stream-processing offload engines;
  • Bindings for .NET Core, Go, Lua and Python have been added for developing SPOE (Stream Processing Offload Engine) and SPOP (Stream Processing Offload Protocol) extensions. Previously only C extension development was supported;
  • Added an external spoa-mirror handler (/usr/sbin/spoa-mirror) for mirroring requests to a separate server (for example, to copy part of the production traffic in order to test an experimental environment under real load);
  • The HAProxy Kubernetes Ingress Controller has been published to provide integration with the Kubernetes platform;
  • Added built-in support for exporting statistics to the Prometheus monitoring system;
  • The Peers Protocol, used to exchange information with other HAProxy nodes, has been extended, including support for heartbeat and encrypted data transfer;
  • The "sample" parameter has been added to the "log" directive, allowing only a portion of requests to be written to the log, for example 1 out of 10, to form an analytical sample;
  • Added an automatic profiling mode (the profiling.tasks directive, which takes the values auto, on and off). Automatic profiling is enabled when the average latency exceeds 1000 ms. The "show profiling" command has been added to the Runtime API for viewing profiling data, or the statistics can be dumped to the log;
  • Added support for reaching backend servers via the SOCKS4 protocol;
  • Added end-to-end support (covering the whole request processing path, including the backend) for TCP Fast Open (TFO, RFC 7413), which reduces the number of connection setup steps by combining the first and second steps of the classic three-way handshake into one request and allows data to be sent during the initial stage of connection setup;
  • Added new actions:
    • "http-request replace-uri" to rewrite the URI using a regular expression;
    • "tcp-request content do-resolve" and "http-request do-resolve" for hostname resolution;
    • "tcp-request content set-dst" and "tcp-request content set-dst-port" to substitute the destination IP address and port.
  • Added new converters:
    • aes_gcm_dec for decrypting streams using the AES128-GCM, AES192-GCM and AES256-GCM algorithms;
    • protobuf to extract fields from Protocol Buffers messages;
    • ungrpc to extract fields from gRPC messages.
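The directives announced above (nbthread, logging to a file descriptor, the log "sample" parameter, profiling.tasks, retry-on and disable-l7-retry, the Prometheus exporter, replace-uri, do-resolve, set-dst and TFO), assembled into one configuration as an added example. It is not taken from the article or from the HAProxy project; the addresses, subnets, backend names, the ".dyn.example" host suffix and the nameserver are constructed for illustration.

```haproxy
global
    # Fix the worker thread count instead of relying on CPU auto-detection,
    # so a change in the container's CPU quota does not silently change behaviour.
    nbthread 4
    # Container-friendly logging: write the log to stdout (file descriptor 1).
    log fd@1 local0
    # Second log target that receives only 1 request in 10 (analytic sample).
    # 127.0.0.1:514 is a constructed address for a local syslog collector.
    log 127.0.0.1:514 sample 1:10 local0 info
    # Task profiling switches itself on when average latency exceeds 1000 ms;
    # inspect it with "show profiling" on the Runtime API socket below.
    profiling.tasks auto
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Layer 7 retries: resend on connection failure, empty or junk responses,
    # server-side timeouts and 503/504, up to 3 attempts. conn-failure,
    # empty-response and response-timeout are the flags the HAProxy
    # documentation recommends when TCP Fast Open is used towards servers.
    retries 3
    retry-on conn-failure empty-response junk-response response-timeout 503 504

# Resolvers section used by the do-resolve action below (constructed nameserver).
resolvers mydns
    nameserver local 127.0.0.53:53
    hold valid 1s

frontend fe_http
    bind :80
    # Built-in Prometheus exporter, reachable only from the monitoring subnet
    # (constructed); every other client asking for /metrics is denied.
    # The exporter must be compiled into the HAProxy binary.
    acl from_monitoring src 10.0.0.0/24
    http-request use-service prometheus-exporter if { path /metrics } from_monitoring
    http-request deny if { path /metrics }
    # Rewrite legacy URIs with a regular expression before routing.
    http-request replace-uri ^/old/(.*) /new/\1
    # Hosts under the constructed suffix .dyn.example are resolved per request
    # into the variable txn.dst; everything else goes to the static backend.
    acl dyn_host req.hdr(host),lower -m end .dyn.example
    http-request do-resolve(txn.dst,mydns,ipv4) hdr(Host),lower if dyn_host
    # A failed resolution leaves txn.dst unset: fail closed with a 503.
    use_backend be_unresolved if dyn_host !{ var(txn.dst) -m found }
    use_backend be_dynamic if dyn_host
    default_backend be_app

backend be_app
    # A POST that reached the server may already have been processed even if
    # its response was lost, so never replay non-idempotent requests.
    http-request disable-l7-retry if METH_POST
    # tfo enables TCP Fast Open on the connection to each server.
    server app1 10.0.1.10:8080 check tfo
    server app2 10.0.1.11:8080 check tfo

backend be_unresolved
    # Deliberately empty backend: with no servers HAProxy answers 503.

backend be_dynamic
    # Refuse names that resolve to loopback or private ranges, so a forged
    # Host header cannot turn the proxy into a path to internal services.
    http-request deny if { var(txn.dst) -m ip 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
    http-request disable-l7-retry if METH_POST
    # The destination is taken from the resolved variable; the 0.0.0.0:0
    # server address is a placeholder that set-dst overrides per request.
    http-request set-dst var(txn.dst)
    server dynamic 0.0.0.0:0
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the check fails on a binary built without the Prometheus exporter, in which case the two /metrics lines have to be dropped.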

    Source: opennet.ru