<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/load-balancing/haproxy.cfg.j2, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-19T08:08:06+00:00</updated>
<entry>
<title>haproxy: T8931: Add option http-server-close in backend sections</title>
<updated>2026-06-19T08:08:06+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-27T00:50:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ed8f6f0b3527dfb68713fd88cf660e323868d8a0'/>
<id>urn:sha1:ed8f6f0b3527dfb68713fd88cf660e323868d8a0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T8931: Add timeout.tunnel in default and backend sections</title>
<updated>2026-06-19T08:08:06+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-27T00:18:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8a334590daa3104be0519bab8d73557304d8572c'/>
<id>urn:sha1:8a334590daa3104be0519bab8d73557304d8572c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T7906: Probing of a port other than the one to which normal traffic is sent</title>
<updated>2025-10-24T13:54:28+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-10-21T12:51:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bba498d2cf6d897789641ca093c2d3b9daff8472'/>
<id>urn:sha1:bba498d2cf6d897789641ca093c2d3b9daff8472</id>
<content type='text'>
Add support for specifying a custom health check port for HAProxy backend servers.
This allows health probes to target a dedicated endpoint - such as port 8080 - separate
from normal traffic ports (e.g., 80 or 443).
</content>
</entry>
<entry>
<title>haproxy: T7715: Add rule matching on subdomains</title>
<updated>2025-08-13T20:35:59+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-08-13T20:35:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=87285fb3d69cb601beb9ab84fb693f7384f97f54'/>
<id>urn:sha1:87285fb3d69cb601beb9ab84fb693f7384f97f54</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T7595: Support PROXY protocol for haproxy</title>
<updated>2025-07-12T18:17:17+00:00</updated>
<author>
<name>Nobi</name>
<email>nobi@nobidev.com</email>
</author>
<published>2025-06-27T19:20:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=dfaf242147cecc8a8737cd0ff67aa66f63cf8d02'/>
<id>urn:sha1:dfaf242147cecc8a8737cd0ff67aa66f63cf8d02</id>
<content type='text'>
</content>
</entry>
<entry>
<title>pki: T7122: when ACME listen-address is used - check if port is available</title>
<updated>2025-05-05T17:50:20+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-05T15:20:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f40cf6064a02fbb6baae924e94b9183d6bd87474'/>
<id>urn:sha1:f40cf6064a02fbb6baae924e94b9183d6bd87474</id>
<content type='text'>
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
</content>
</entry>
<entry>
<title>haproxy: T7122: always reverse-proxy ACL for certbot</title>
<updated>2025-05-04T21:38:29+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-04T09:35:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=59957ad694043f41a7b1e9ee740b19c87f297867'/>
<id>urn:sha1:59957ad694043f41a7b1e9ee740b19c87f297867</id>
<content type='text'>
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.

This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.

This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.

By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
</content>
</entry>
<entry>
<title>haproxy: T7122: automatically reverse-proxy to certbot</title>
<updated>2025-04-28T20:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-04-28T20:08:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3'/>
<id>urn:sha1:f8b0d74eecabdd16cb0cd6239c8095ed6d2321e3</id>
<content type='text'>
Automatically render HaProxy rules to reverse-proxy ACME challanges when the
requested certificate was issued using ACME.
</content>
</entry>
<entry>
<title>haproxy: T7122: render explicit http configuration to properly bind port 80</title>
<updated>2025-04-28T20:10:08+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-04-22T14:37:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d4206a0885c080ef2e4b19ff33a30abc8b479dad'/>
<id>urn:sha1:d4206a0885c080ef2e4b19ff33a30abc8b479dad</id>
<content type='text'>
If redirect-http-to-https is set we will render a discrete onfiguration in
HAproxy to properly claim port 80 in the system to detect if a service is
alreadey using the port or not.
</content>
</entry>
<entry>
<title>T7190: Add haproxy default timeout options configurable</title>
<updated>2025-02-24T10:28:33+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-02-22T15:44:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=fe20eae99ebdb7781f74ada3a7c13a848ea75bcc'/>
<id>urn:sha1:fe20eae99ebdb7781f74ada3a7c13a848ea75bcc</id>
<content type='text'>
Add the ability to configurate default timeout and frontend
client timeout

```
set load-balancing haproxy service web timeout client '600'
set load-balancing haproxy timeout check '4'
set load-balancing haproxy timeout client '600'
set load-balancing haproxy timeout connect '12'
set load-balancing haproxy timeout server '120'
```
</content>
</entry>
</feed>
