<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/load-balancing, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-19T08:08:06+00:00</updated>
<entry>
<title>haproxy: T8931: Add option http-server-close in backend sections</title>
<updated>2026-06-19T08:08:06+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-27T00:50:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ed8f6f0b3527dfb68713fd88cf660e323868d8a0'/>
<id>urn:sha1:ed8f6f0b3527dfb68713fd88cf660e323868d8a0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T8931: Add timeout.tunnel in default and backend sections</title>
<updated>2026-06-19T08:08:06+00:00</updated>
<author>
<name>Indrajit Raychaudhuri</name>
<email>irc@indrajit.com</email>
</author>
<published>2026-05-27T00:18:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8a334590daa3104be0519bab8d73557304d8572c'/>
<id>urn:sha1:8a334590daa3104be0519bab8d73557304d8572c</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T7906: Probing of a port other than the one to which normal traffic is sent</title>
<updated>2025-10-24T13:54:28+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-10-21T12:51:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bba498d2cf6d897789641ca093c2d3b9daff8472'/>
<id>urn:sha1:bba498d2cf6d897789641ca093c2d3b9daff8472</id>
<content type='text'>
Add support for specifying a custom health check port for HAProxy backend servers.
This allows health probes to target a dedicated endpoint - such as port 8080 - separate
from normal traffic ports (e.g., 80 or 443).
</content>
</entry>
<entry>
<title>wlb: T114: Add firewall group support for WAN load balancer</title>
<updated>2025-09-10T10:09:09+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-09-10T08:44:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=ae732fb0eb1dd352ba0b97b07aaf3db9c514ea19'/>
<id>urn:sha1:ae732fb0eb1dd352ba0b97b07aaf3db9c514ea19</id>
<content type='text'>
</content>
</entry>
<entry>
<title>haproxy: T7715: Add rule matching on subdomains</title>
<updated>2025-08-13T20:35:59+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2025-08-13T20:35:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=87285fb3d69cb601beb9ab84fb693f7384f97f54'/>
<id>urn:sha1:87285fb3d69cb601beb9ab84fb693f7384f97f54</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Merge pull request #4586 from nobidev/features/add-support-proxy-for-haproxy</title>
<updated>2025-07-13T02:22:52+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-07-13T02:22:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7fee1e1d7f6fc40b5444d3e23c26a3aa7fe541d5'/>
<id>urn:sha1:7fee1e1d7f6fc40b5444d3e23c26a3aa7fe541d5</id>
<content type='text'>
T7595: Support PROXY protocol for haproxy</content>
</entry>
<entry>
<title>T7595: Support PROXY protocol for haproxy</title>
<updated>2025-07-12T18:17:17+00:00</updated>
<author>
<name>Nobi</name>
<email>nobi@nobidev.com</email>
</author>
<published>2025-06-27T19:20:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=dfaf242147cecc8a8737cd0ff67aa66f63cf8d02'/>
<id>urn:sha1:dfaf242147cecc8a8737cd0ff67aa66f63cf8d02</id>
<content type='text'>
</content>
</entry>
<entry>
<title>wan-load-balancing: T7584: Default SNAT behaviour fixed to effect load balanced packets only</title>
<updated>2025-07-02T17:48:17+00:00</updated>
<author>
<name>Abhishek Safui</name>
<email>abhishek.safui@cdot.in</email>
</author>
<published>2025-07-02T17:48:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4374a27342e58fea1ac5928805e688d6d127fd04'/>
<id>urn:sha1:4374a27342e58fea1ac5928805e688d6d127fd04</id>
<content type='text'>
Matched the out iface name in wan load balancer default SNAT rule
so that SNAT is performed to load balanced packets only
</content>
</entry>
<entry>
<title>pki: T7122: when ACME listen-address is used - check if port is available</title>
<updated>2025-05-05T17:50:20+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-05T15:20:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f40cf6064a02fbb6baae924e94b9183d6bd87474'/>
<id>urn:sha1:f40cf6064a02fbb6baae924e94b9183d6bd87474</id>
<content type='text'>
When instructing certbot to listen on a given address, check if the address is
free to use. Also take this into account when spawning certbot behind HAProxy.
If the address is not (yet) bound - the request must be done in standalone mode
and not via the reverse-proxy.
</content>
</entry>
<entry>
<title>haproxy: T7122: always reverse-proxy ACL for certbot</title>
<updated>2025-05-04T21:38:29+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-05-04T09:35:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=59957ad694043f41a7b1e9ee740b19c87f297867'/>
<id>urn:sha1:59957ad694043f41a7b1e9ee740b19c87f297867</id>
<content type='text'>
Always enable the ACL entry to reverse-proxy requests to the path
"/.well-known/acme-challenge/" when "redirect-http-to-https" is configured for
a given HAProxy frontend service.

This is an intentional design decision to simplify the implementation and reduce
overall code complexity. It poses no risk: a missing path returns a 404, and an
unavailable backend yields an error 503.

This approach avoids a chicken-and-egg problem where certbot might try to
request a certificate via reverse-proxy before the proxy config is actually
generated and active.

By always routing through HAProxy, we also eliminate downtime as port 80 does
not need to be freed for certbot's standalone mode.
</content>
</entry>
</feed>
