Releases: cloudfoundry/haproxy-boshrelease

v9.0.0

10 Aug 11:11

New Features

  • haproxy_boshrelease now supports the same X-Forwarded-Client-Cert behaviors as the
    gorouter. You can set ha_proxy.forwarded_client_cert to always_forward_only, forward_only,
    or sanitize_set. The default for haproxy_boshrelease is sanitize_set, which differs
    from the previous behavior.
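
Added example (not part of the release notes or the project's code): a Ruby model of the three modes, using the semantics gorouter documents for its equivalent settings, showing which X-Forwarded-Client-Cert value a backend receives in each case. The method names, the sample requests and the placeholder strings CLIENT-SUPPLIED and VERIFIED are constructed for illustration.

```ruby
# Added illustration, not haproxy-boshrelease code. Models the three modes
# with the semantics gorouter documents for its equivalent settings.
MODES = %w[always_forward_only forward_only sanitize_set].freeze

# incoming_xfcc: header value sent by the client, nil if absent.
# client_cert:   header-encoded certificate verified in the TLS handshake,
#                nil when the connection is not mutual TLS.
# Returns the X-Forwarded-Client-Cert value the backend sees (nil = no header).
def xfcc_for_backend(mode, incoming_xfcc, client_cert)
  case mode
  when 'always_forward_only'
    incoming_xfcc                      # passed through, mutual TLS or not
  when 'forward_only'
    client_cert ? incoming_xfcc : nil  # kept only on mutual TLS connections
  when 'sanitize_set'
    client_cert                        # client value dropped, set from handshake
  else
    raise ArgumentError, "unknown mode: #{mode}"
  end
end

# Constructed sample requests: [client-supplied header, verified certificate].
REQUESTS = {
  'no client cert, header supplied' => ['CLIENT-SUPPLIED', nil],
  'mutual TLS, no header'           => [nil, 'VERIFIED'],
  'mutual TLS, header supplied'     => ['CLIENT-SUPPLIED', 'VERIFIED']
}.freeze

# Mode => { request description => header value reaching the backend }.
def backend_view
  MODES.to_h do |mode|
    [mode, REQUESTS.transform_values { |(hdr, cert)| xfcc_for_backend(mode, hdr, cert) }]
  end
end

backend_view.each do |mode, rows|
  rows.each { |req, value| puts format('%-20s %-32s -> %s', mode, req, value.inspect) }
end
```

Only sanitize_set guarantees that a value reaching the backend came from a certificate HAProxy itself verified; the other two modes rely on a trusted proxy in front of HAProxy to populate the header.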

Acknowledgements

Thanks to @jgf for supplying this feature!

Deployment

releases:
- name: haproxy
  version: 9.0.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v9.0.0/haproxy-9.0.0.tgz
  sha1: 88e72b43d225f8818aef6466ed5775f93edcee95

v8.9.0

30 Jul 18:20

Improvements + Bug Fixes

  • The X-Forwarded-Client-Cert header is now added if a client certificate is present during mutual TLS.
    Thanks @jgf for the addition!
  • Fixed a path typo for the ttar package. Thanks @ntdt for the fix!
  • HTTP health check ports are now configurable, thanks to @LowLatency!

Deployment

releases:
- name: haproxy
  version: 8.9.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.9.0/haproxy-8.9.0.tgz
  sha1: 0a135d9f5ce4e32dc9f1afd9a0e93baeff71c62d

v8.8.0

29 Jun 17:26

Improvements

There is now a more flexible option for using ACLs to restrict access to
requests, using the ha_proxy.http_request_deny_conditions property:

 example:
   http_request_deny_conditions:
   - condition:
     - acl_name: block_host
       acl_rule: "hdr_beg(host) -i login"
     - acl_name: block_reset_password_url
       acl_rule: "path_beg,url_dec -m beg -i /reset_password"

Acknowledgements

Thanks @stefanlay for providing this feature!

Deployment

releases:
- name: haproxy
  version: 8.8.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.8.0/haproxy-8.8.0.tgz
  sha1: 7b262d39568d891ce89f1e48f58ccde5de5e5b58

v8.7.0

18 Mar 14:37

New Features

Fixes

  • haproxy.config.erb has been cleaned up considerably, and
    should be a lot more readable pre and post template rendering.
  • The HTTP frontend now supports accept-proxy.
  • Bugs where accept-proxy was not honored during mutual TLS have been
    resolved.
  • ha_proxy.client_cert is no longer required to enable TLS. It is
    still honored to enable mutual TLS, but the boshrelease will also
    use the presence of the following parameters to enable mutual TLS:
    • ha_proxy.client_ca_file
    • ha_proxy.client_revocation_list
    • ha_proxy.crt_list.<i>.client_ca_file
    • ha_proxy.crt_list.<i>.client_revocation_list
    • ha_proxy.crt_list.<i>.verify - only when value is not "none"
  • The following options are now honored in the :4443 backend:
    • ha_proxy.cidr_whitelist
    • ha_proxy.cidr_blacklist
    • ha_proxy.block_all
    • ha_proxy.hsts_*
    • ha_proxy.rsp_headers
  • The X-Forwarded-Client-Cert header is now set for requests in the :4443
    backend.
  • The X-Forwarded-Proto header behavior in the :4443 backend now
    matches the behavior in the :443 backend
  • Spec descriptions + examples were updated for resolvers

Acknowledgements

Many thanks to @jgf and @dueckminor for their work on crt-list and assistance testing
everything else out!

Deployment

releases:
- name: haproxy
  version: 8.7.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.7.0/haproxy-8.7.0.tgz
  sha1: 7898c1894c4b3254aa4a0ade0a02d33cf6c5c59a

v8.6.1

09 Feb 19:29

Bug Fixes

  • keepalived now waits on all its children to exit, and tracks the PID of the checker
    process.
  • Fixed a bug that prevented keepalived configs from being properly generated when specifying
    interfaces explicitly using the keepalived.interface property.

Acknowledgements

Thanks @poblin-orange and @aveyrenc for finding and squashing these bugs!

Deployment

releases:
- name: haproxy
  version: 8.6.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.6.1/haproxy-8.6.1.tgz
  sha1: 47f5a23d54998ad00e001ba9cd00879f8fb6f159

v8.6.0

13 Jan 00:06

New Features

  • tcp-routing support. HAProxy can now consume the tcp-routing link
    from the routing-release.
    Ports used by HAProxy for this can be controlled via the ha_proxy.tcp_routing.port_range
    property.

Acknowledgements

Thanks @ishustava for adding this feature!

Deployment

releases:
- name: haproxy
  version: 8.6.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.6.0/haproxy-8.6.0.tgz
  sha1: 673cd82ce0a42576faae163fbecb7f47c6122a52

v8.5.0

08 Dec 14:09

New Features

  • It is now possible to force HAProxy to require SNI from a client
    to match one of HAProxy's defined certificates. If enabled, and the
    client does not request a corresponding host via SNI, the request will
    be rejected, rather than being served HAProxy's default certificate.
    To enable, set the ha_proxy.strict_sni property to true.

Acknowledgements

Thanks @b1tamara for the new feature!

Deployment

releases:
- name: haproxy
  version: 8.5.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.5.0/haproxy-8.5.0.tgz
  sha1: 002957451c1328bb6e199fef10be379ed3a5f65e

v8.4.2

29 Oct 21:23

New Features

  • Added the ability for HAProxy to do mutual TLS authentication with its HTTP backend servers.
    Thanks @datianshi!

Other

  • Improved documentation regarding the many timeouts HAProxy supports
  • Migrated the ttar utility to a submodule in src, from a blob, for greater
    transparency

Deployment

releases:
- name: haproxy
  version: 8.4.2
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.2/haproxy-8.4.2.tgz
  sha1: dc543f84d361eeb41a8ecbd56f481bcbcd4eacc7

v8.4.1

06 Sep 21:54
Compare
Choose a tag to compare

Bug Fixes

  • Resolved an issue where certs specified using the new cert_chain
    and private_key would result in an invalid cert file, if a newline
    wasn't provided in the cert_chain value. Leading + trailing whitespace
    are now removed, and the newline is added for you.
  • When using links for the TCP backend, the health_check_http property is now consumed, to
    set up an HTTP health check for the backend. If it is not there, it will fall back
    to the default ha_proxy.tcp_link_health_check_http value (or if that
    isn't present, no health check is enabled).
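
Added example (not the release's template code) for the cert_chain fix in the first item above: it joins a chain and key as supplied and with the whitespace handling the note describes, then checks that every PEM boundary sits alone on its line. The method names and sample values are constructed, and the chain-then-key order of the combined file is an assumption.

```ruby
# Added illustration, not the release's template code. Assumes the combined
# PEM file is the certificate chain followed by the private key.

# Constructed samples; CHAIN has no trailing newline, as the bug report describes.
CHAIN = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----".freeze
KEY   = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n".freeze

# Behaviour before the fix as the note describes it: values joined as supplied.
def join_as_supplied(cert_chain, private_key)
  cert_chain + private_key
end

# Behaviour after the fix: strip surrounding whitespace, then add the newline.
def join_normalized(cert_chain, private_key)
  [cert_chain, private_key].map { |part| part.strip + "\n" }.join
end

# A PEM boundary line must contain exactly one BEGIN or END marker.
BOUNDARY = /\A-----(BEGIN|END) [A-Z0-9 ]+-----\z/

# Returns every line that contains a marker but is not a clean boundary,
# for example two markers fused together by a missing newline.
def malformed_boundaries(pem)
  pem.each_line.map(&:chomp).select { |line| line.include?('-----') && line !~ BOUNDARY }
end

puts 'as supplied: ' + malformed_boundaries(join_as_supplied(CHAIN, KEY)).inspect
puts 'normalized:  ' + malformed_boundaries(join_normalized(CHAIN, KEY)).inspect
```

The same boundary check can be run against a rendered certificate file before a deploy to catch a fused END/BEGIN line early.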

Acknowledgements

Thanks @ryanmoran and @philippthun for the fixes!

Deployment

releases:
- name: haproxy
  version: 8.4.1
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.1/haproxy-8.4.1.tgz
  sha1: 3b860b9a12ac94ea9e9f9f6ad7ec7b58becd0e7a

v8.4.0

21 Aug 14:32

New Features

  • ssl_pem now has additional support for supplying custom cert chains associated with each certificate.
    It can still be specified as a single block of text, and as an array of private keys. The newly supported format
    looks something like this:

    ssl_pem:
    - private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        key here
        -----END RSA PRIVATE KEY-----
      cert_chain: |
        -----BEGIN CERTIFICATE-----
        cert here
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        cert here
        -----END CERTIFICATE-----
    

Acknowledgements

Thanks @Nino-K and @flawedmatrix for the new feature!

Deployment

releases:
- name: haproxy
  version: 8.4.0
  url: https://github.com/cloudfoundry-incubator/haproxy-boshrelease/releases/download/v8.4.0/haproxy-8.4.0.tgz
  sha1: a3a911f0cf8e672b27c6cb16318fd8c7c77f5bde