HAProxy release notes – 2.8/stable
These release notes cover new features and changes in HAProxy for revisions 217-283 between the dates of 2025-08-21 and 2025-12-08.
Main features:
- Added support for TCP with the new haproxy-route-tcp relation.
- Added support for downstream HTTPS together with the certificate_transfer relation.
- The product's Terraform module now supports keepalived as an alternative option to hacluster for high availability.
- Removed the restriction on header rewrite expressions in the haproxy-route relation (previously HAProxy's reserved characters were forbidden).
- Added HTTP/2 support over HTTPS for backend communication. Note that this requires the backend to set protocol=HTTPS, and the use of the certificate_transfer relation is also required.
- Requirers can now request that backends be made available through HTTP using the new allow_http attribute of the haproxy-route relation.
Main bug fixes:
- Fixed handling of haproxy-route-tcp requirer data.
See our Release policy and schedule.
Requirements and compatibility
The charm operates HAProxy 2.8.
The table below shows the required or supported versions of the software necessary to operate the charm.
| Software | Required version |
|---|---|
| Juju | 3.x |
| Terraform | 1.6 |
| Terraform Juju provider | 1.1 |
| Ubuntu | 24.04 |
Updates
The following major and minor features were added in this release.
Added get-proxied-endpoints action
Now the charm has a new action, get-proxied-endpoints, that
gets the endpoints proxied by HAProxy.
Updates to the HAProxy apt package
Get network information from relation endpoint binding
The charm now gets its network information from the relation endpoint binding so that it works with Juju spaces.
Added haproxy-spoe-auth snap
Now the repository contains a snap package running a Stream Processing Offload Engine (SPOE) agent for the charm. The SPOE agent works with HAProxy to act as an authentication proxy for both LDAP and OIDC.
Added http-server-close support
Added the http-server-close argument to the HAProxy configuration.
When this argument is set, it closes the connection after the request.
Removed haproxy_route restriction for expressions
Previously, some valid characters were not allowed for expressions in the
haproxy_route relation. Now only the newline character is restricted.
Updated Terraform module to support keepalived
The Terraform module was updated to support keepalived, and validation rules were added to ensure that keepalived and hacluster are mutually exclusive.
Added rsyslog configuration when HAProxy is installed
Now the rsyslog configuration is added when the HAProxy package
is installed, setting the logging destination to the Unix socket.
Documented release policy and schedule for the haproxy-operator monorepo
Add documentation for the release policy and schedule covering
both the haproxy and haproxy-spoe-auth charms in the monorepo.
Added HTTPS backend support for HAProxy routing
Enable HAProxy to route traffic to HTTPS backends with certificate handling and validation.
Allow enabling HTTP for haproxy route backend
Add a new allow_http attribute to allow disabling mandatory HTTPS redirection for backends.
Add logic to build the required ACL and rendering logic in the Jinja2 template.
Run renovate only twice a month
Run renovate only twice a month except for vulnerability alerts. Also use allNonMajor.
Added SPOE Auth interface library
Add the charms.haproxy.v0.spoe_auth library to enable SPOE authentication integration.
Added HTTP/2 support to HAProxy
Added HTTP/2 support in the HAProxy charm for both frontend and backend connections.
Updated TCP ports behavior after updating HAProxy configuration
After the HAProxy configuration is updated, the requested TCP ports are opened.
Added HAProxy SPOE Auth charm
Added a new charm for HAProxy SPOE authentication.
Migrated the Python project to use uv and ruff
Now the repository uses uv, tox-uv, and ruff for building,
testing and linting.
Bug fixes
Known issues
Thanks to our contributors
f-atwi, yhaliaw, Thanhphan1147, gregory-schiano, javierdelapuente, swetha1654, alithethird, dimaqq, weiiwang01, erinecon