v11.9.1

New Features

• forwarded_client_cert property now additionally controls a X-Forwarded-Client-Chain header. This contains the CA certificate chain sent by the client in binary DER format (Base64 encoded). Note that multiple DER-encoded certificates are concatenated before being base64-encoded.

Acknowledgements

Thanks @peterellisjones

Deployment

releases:
- name: haproxy
  version: 11.9.1
  url: https://github.com/cloudfoundry/haproxy-boshrelease/releases/download/v11.9.1/haproxy-11.9.1.tgz
  sha1: ab7f3b1e2a4779f1ab71f4ddbf747ea2b11d4bd5

v11.8.1

New Features

• #271 : routed backends can now be routed based on user-provided ACLs as well as URL path prefix

Acknowledgements

Thanks @andy-paine for the PR

Deployment

releases:
- name: haproxy
  version: 11.8.1
  url: https://github.com/cloudfoundry/haproxy-boshrelease/releases/download/v11.8.1/haproxy-11.8.1.tgz
  sha1: 191500d1e79e2e054f49e8d0a62194b103c56af8

v11.8.0

New Features

• Adds new properties backend_health_fall and backend_health_rise for backend health checks. These are enabled if backend_use_http_health is set to true and correspond to the the fall and rise parameters in HAProxy

Deployment

releases:
- name: haproxy
  version: 11.8.0
  url: https://github.com/cloudfoundry/haproxy-boshrelease/releases/download/v11.8.0/haproxy-11.8.0.tgz
  sha1: 9987279a94619b40abdf8293c4739083c6fe2ee6

v11.7.1

New Features

• We have changed the Github Organization for HAProxy from cloudfoundry-incubator to cloudfoundry. This release has no functional changes but is intended to verify that our release automation is still working correctly.

Deployment

releases:
- name: haproxy
  version: 11.7.1
  url: https://github.com/cloudfoundry/haproxy-boshrelease/releases/download/v11.7.1/haproxy-11.7.1.tgz
  sha1: 8baef53d89139513562d614ce1f303f44405266e

v11.7.0

New Features

• ha_proxy.backend_match_http_protocol This causes HAProxy to use the same HTTP protocol for backend connections that was used for frontend connections. Note that this property ignores the value of ha_proxy.enable_http2, and requires that ha_proxy.backend_ssl is not off for HTTP2 support

Acknowledgements

Thanks @peterellisjones, @Rob-rls, @Mrizwanshaik for the PR

Deployment

releases:
- name: haproxy
  version: 11.7.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v11.7.0/haproxy-11.7.0.tgz
  sha1: 5bca8da20bd04ad463f65403cf5c78a71dcc070c

v11.6.0

New Features

• New property disable_backend_http2_websockets to force backend websocket connections to use HTTP/1.1 (default false) #263 / #261
• Support for alpn property in crt-list was added #262

Acknowledgements

Thanks @46bit and @b1tamara!

Deployment

releases:
- name: haproxy
  version: 11.6.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v11.6.0/haproxy-11.6.0.tgz
  sha1: 0fe345b021790430defeb6a49f67322dea59f632

v11.5.0

Fixes

• X-SSL-* headers that could previously contain non-standard ASCII characters are now base64 encoded. These include X-SSL-Client-Subject-CN, X-SSL-Client-Subject-DN, X-SSL-Client-Issuer-DN. Client certificates may contain non ASCII characters and when these were added to the X-SSL-* headers it was breaking some backend server implementation that have strict checks for HTTP header RFC compliance. Note this is a breaking change.

Deployment

releases:
- name: haproxy
  version: 11.5.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v11.5.0/haproxy-11.5.0.tgz
  sha1: ef212c666d281a2b7297d3cfad23eed00d3e7b1a

v11.4.4

Fixes

• ssl_ciphersuites no longer has a default value. This fixes support for Xenial stemcells which are not compatible with the HAProxy ssl-default-server-ciphersuites and ssl-default-bind-ciphersuites config properties as they do not have OpenSSL >= 1.1.1. We also added an acceptance test to catch future changes which break Xenial support.

New Features

• When using backend healthchecks via enable_health_check_http: true, the new flag disable_monit_health_check_http can be used to prevent BOSH considering the VMs unhealthy if the HAProxy backends are unhealthy. This can be useful wh
  n you deploy HAProxy before deploying your backend servers and therefore have a period of time when the backend server
  are not yet deployed.

Acknowledgements

Thanks @maxmoehl, @crhntr, @jaristiz for the PR / fixes!

v11.4.3

Upgrades

• haproxy has been upgraded to v2.4.4 from v2.4.2 to mitigate CVE-2021-40346

Acknowledgements

Thanks @peterellisjones and @plowin for the PR / fixes!

Deployment

releases:
- name: haproxy
  version: 11.4.3
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v11.4.3/haproxy-11.4.3.tgz
  sha1: d3071cdba96bdcd1112cb56f59b0c2e36f76f8a6

v11.4.2

Fixes

• fix a typo in the ha_proxy.ssl_ciphersuites property
  • ha_proxy.ssl_chiphersuites -> ha_proxy.ssl_ciphersuites

Deployment

releases:
- name: haproxy
  version: 11.4.2
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v11.4.2/haproxy-11.4.2.tgz
  sha1: 755ce24c55ff2af74b5a82eaa93e6662455ca966