v10.1.1

New Features

• Bumps LUA to 5.4.1 and HAProxy to 2.2.5, to address many CVEs

Acknowledgements

Thanks @domdom82 for the upgrade PR!

Deployment

releases:
- name: haproxy
  version: 10.1.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v10.1.1/haproxy-10.1.1.tgz
  sha1: b79bae46449de09cd30ecdbaec322c50121049e9

v10.1.0

New Features

• Support has been added for pulling in certificates to be managed
  out of band to haproxy-boshrelease. This is useful for cases where
  many certs need to be provided to HAProxy in an on demand basis without
  doing a full bosh deploy + restarting HAProxy every time a client's
  certificate changes. See the docs for more details!

Acknowledgments

Thanks @domdom82 for the feature!

Deployment

releases:
- name: haproxy
  version: 10.1.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v10.1.0/haproxy-10.1.0.tgz
  sha1: c892c02b90913a669d06b03ce27964dd403139f4

v10.0.0

Breaking Changes

• HAProxy now logs to stdout by default! They will now show up in /var/vcap/sys/log/haproxy
  and can be forwarded using the syslog-boshrelease like any other log. If you wish to use
  syslog to forward logs directly, this can still be accomplished, however you will likely want
  to also set ha_proxy.log_format back to rfc3164 as its default changed to raw in support of
  stdout logging.

  If you make use of ha_proxy.nbproc at a value larger than one, stdout logging is not supported,
  and a syslog server must be specified. This is NOT required when using ha_proxy.nbthread > 1.

• The deprecated ha_proxy.threads property has been removed in favor of ha_proxy.nbproc
  and ha_proxy.nbthread

New Features

• Support for live config reloading was added via a reload script. This can be used in use cases
  where config updates need to happen out of band to BOSH, where stopping and restarting processes
  is too disruptive. No changes were made to traditional BOSH process management for HAProxy as a result
  of this change, but the capability is now there for operators or other processes running on HAProxy
  VMs to trigger these reloads.
• ha_proxy.maxrewrite is now tunable for supporting large headers from things like X-Forwarded-Client-Cert.

Upgrades

• haproxy has been upgraded to v1.9.15 from v1.8.20.
• pcre2 has been upgraded to v10.34 from v10.31.
• socat has been upgraded to v1.7.3.4 from v1.7.3.2.

Acknowledgements

Thanks @domdom82 for the live reloading support and @stefanlay for the header length fix!

Deployment

releases:
- name: haproxy
  version: 10.0.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v10.0.0/haproxy-10.0.0.tgz
  sha1: 8c485beb92dceb4e2a78c4b540b2d0506684b9a8

v9.8.0

New Features

• The hatop utility has been added to haproxy-boshrelease to assist in haproxy troubleshooting
  http://feurix.org/projects/hatop/ Kudos to @jhunt and the Genesis Community for making this possible!
• @Scoobed added support for specifying additional filesystem paths to make available to the HAProxy
  process via BPM's unrestricted volumes list.
  This is particularly helpful when integrating LUA scripts from other BOSH releases. The
  ha_proxy.additional_unrestricted_volumes will allow this, and uses the same syntax as BPM.

Acknowledgements

Thanks @jhunt and @Scoobed!

Deployment

releases:
- name: haproxy
  version: 9.8.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.8.0/haproxy-9.8.0.tgz
  sha1: 8b9bf30e11e19f40e88cafa1a3cca1037f350516

v9.7.1

Fixes

• BPM now whitelists the filepath used for HAProxy's logging device, rather
  than hardcoding /dev/log. If you use a custom logging socket, this tells BPM
  to allow HAProxy to access the root filesystem for it.

Acknowledgments

Thanks go to @h0nlg for the PR!

Deployment

releases:
- name: haproxy
  version: 9.7.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.7.1/haproxy-9.7.1.tgz
  sha1: a26aff30b406849160854b9ee95eaad133a7338b

v9.7.0

New Features

• Syslog length and format can now be configured via ha_proxy.log_max_length and ha_proxy.log_format.
  Defaults remain unchanged at 1024 bytes, and rfc3164.

• HAProxy can now bind to the default interface on both IPv4 and IPv6 simultaneously, via the ha_proxy.v4v6
  property. When this is set, you must also set the ha_proxy.binding_ip to :: for it to take effect. This
  feature is off by default.

Acknowledgements

Thanks go to @cunnie for the IPv6 binding, and @msahihi for the log customization PRs!

Deployment

releases:
- name: haproxy
  version: 9.7.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.7.0/haproxy-9.7.0.tgz
  sha1: 8afcfb2d22b244477de5dcba40e9c11d58b376ad

v9.6.2

New Features

• Via backend_prefer_local_az, haproxy can now be configured to prefer sending traffic
  to backend servers in the same BOSH AZ as the haproxy server, to save cross-az traffic.
  This option is currently off by default, but will likely become on by default in a future
  release.

Acknowledgments

Thanks @h0nIg for the new feature!

Deployment

releases:
- name: haproxy
  version: 9.6.2
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.6.2/haproxy-9.6.2.tgz
  sha1: f4c80edae5e8655f21501c34f7fe9482b581be64

v9.6.1

Fixes

• Bump haproxy to 1.8.20 to resolve CVEs:
  https://security-tracker.debian.org/tracker/CVE-2018-20615
  https://security-tracker.debian.org/tracker/CVE-2019-11323

Deployment

releases:
- name: haproxy
  version: 9.6.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.6.1/haproxy-9.6.1.tgz
  sha1: b7e9d428adf2fd13a20b66a55cf1bcc28f2052c5

v9.6.0

Improvements

• ha_proxy.http_request_deny_conditions now supports negations of ACLs thanks to @gdenn
  Simply add the negate: true field to your ACL to negate it.
• ha_proxy.cidrs_in_file has been added to allow users to specify a wide array of ACLs
  that apply to an ACL in the ha_proxy.http_request_deny_conditions ACL list, which
  would otherwise be too long for haproxy to start up properly. Take a look at [the example]
  for more details(https://github.com/cloudfoundry-incubator/haproxy-boshrelease/blob/master/jobs/haproxy/spec#L396-L406).
  Thanks @gdenn for this feature as well!

Bug Fixes

• Resolved an issue where the haproxy stop script would fail if haproxy was already stopped.
  Thanks for the fix @domdom82!

Deployment

releases:
- name: haproxy
  version: 9.6.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.6.0/haproxy-9.6.0.tgz
  sha1: 2e4715251b9446d4e45818f315ef021c35a7564f

v9.5.2

New Features

• Custom HTTP responses can be configured using ha_proxy.custom_http_error_files. It takes
  a map of status codes to raw http responses to send. This allows operators to customize things
  like the 502/503 errors returned by HA Proxy.

Acknowledgements

Many thanks to @rodolf2488 and @barakyo for implementing this!

Deployment

releases:
- name: haproxy
  version: 9.5.2
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.5.2/haproxy-9.5.2.tgz
  sha1: 34e1120cd321dcdb0a359b3c8873b75a7b60575b