Loadbalancer.org product roadmap – new features, release notes and more (as always, a work in progress) updated 11th October 2021

Understandably, we get quite a few requests for a product roadmap containing release notes and feature updates. We've had a chat about this internally and thought that it would be nice to have a permanent post on the blog that we change on the fly as and when customer requirements change. Putting this on the blog enables our customers to express their arguments for and against new features etc. This entry should also give you a better idea of our priorities and how we develop the product.

You can jump straight to our latest update (v8.5.8) here ->

We've changed our focus from v9 later to v8 now...
And we've doubled the size of our development team, which means that we can bring new features to you quickly. We are also changing the way that we release product updates. We have moved to a regular quarterly release cycle, to enable a more rigorous approach to quality.

Releases will be made available at the end of January, April, July and October on a rolling basis. In the event that we need to provide a release to mitigate against a serious security vulnerability, you will be informed and the release will be made off-cycle.

So what can you expect in the next quarterly release v8.6? (Coming soon)

We’ve already added 3 powerful new features:

  • ACL Traffic Rules
    • Easy to use multi-conditional content rules
    • Easy re-ordering and validation in TCP or HTTP mode
    • Modify headers, redirect, block or specify backend servers
    • Support for complex configuration with Free Type rules
  • External Health Checks
    • New interface making it simple to upload, edit and manage
    • Compatible with Layer 4, Layer 7 and GSLB
  • Web Application Firewall
    • Fully integrated CRS3 rule set reducing false positives by 98%
    • New tools for simplifying deployment and maintenance

And we’ve got time to add more..
So shout now if you want something changed — you can contact our CTO directly by emailing miles@loadbalancer.org

How do we decide what to do next on our priority list?

Our principles always guide us. This is an overview of the things we feel are most important in a load balancer appliance, in order of priority:

  1. Security
  2. High-availability
    • Constant improvements to underlying systems
    • Future enhancements to intelligence, logging and alerting.
  3. Maintenance
    • Constant focus on close to zero downtime for maintenance and security updates
    • Helping the customer carry out software updates on servers in the cluster.
  4. Performance
  5. Support
  6. Usability
    • Improvements to look and feel + intelligence and ease of use
  7. New platforms
    • Integrate new platforms as and when they become customer priorities i.e. Azure
  8. New features
    • Assess against our priorities and implement if, and only if, they match our stated priorities.
  9. New products
    • Constantly looking for new applications to help customers with their infrastructure requirements.

Hang on, what happened to v9?
The fabled v9 has evolved into our Partner Product, a customizable, and modular solution that simplifies large scale deployment. It’s already seamlessly embedded into hundreds of critical systems across the globe.

In fact it's grown into a bit of a monster. So while we prepare version 9 for general availability, we have decided to accelerate development of v8 to bring you new and exciting features.

So, what exactly is our partner product?

Put simply, our partner product is a platform for application delivery.
But more importantly it's something we create together — with amazing results. After all not every partner needs all of our services:

  • API driven, vendor agnostic, data plane agnostic centralized application delivery
  • Fully automated deployment, maintenance & monitoring of your applications
  • Tight integration with your development team and your roadmap
  • Our support integrated with your customer service team
  • OEM Hardware development, deployment, certification and logistics
  • Centralized management of security and version control
  • Flexible contracts with long term commitments to your roadmap

Why do you need our partner product?
You are a respected technology vendor in your sector. And you have a large number of customers depending on your systems. And it's getting increasingly complex to support them on a global scale — while keeping the pace of innovation going with your own product roadmap.

I'm sure your system has unique requirements:

But wouldn't it be great to work with someone who wants to help you increase your revenue & customer satisfaction, while reducing complexity & costs?

Don't worry: We'll still be updating & supporting v8 for a very long time!

Last updated 16th September 2021:
Latest version v8.5.8
Minimum recommended version is v8.5.2
Minimum secure version v8.3.8

[v8.5.8]

16th September 2021
Bug Fixes

  • Fix 8.5.7 regression in the WAF behaviour previously resolved in 8.5.5
  • Minor fix for invalid or corrupted XML files when importing backup from historical versions.
  • Resolve critical issue in Azure clustering causing invalid Secondary IP address in the configuration file.

[v8.5.7]

27th August 2021
Bug Fixes

  • Fixed issue with HTTPS redirect loop when adding force to https to a WAF protected layer 7 service.

[v8.5.6]

4th August 2021
Bug Fixes

  • Resolved issue where SNI certificates could not be selected through the web interface for a small number of customers.
  • The SSL termination padlock associated with a WAF now shows on the frontend rather than the backend.
  • Resolved an issue where LBCLI would return a malformed JSON response for a small number of customers.

[v8.5.5]

27th July 2021
New Features

  • Now supports PEM formatted SSH keys allowing better compatibility and usability.
  • A new padlock icon showing if a virtual service has an 'SSL Termination' attached is now shown for quick access to linked services.

Improvements

  • The HAProxy statistics page is now integrated within the Web UI for easier accessibility. It no longer consumes an additional port (TCP/7777) or requires separate authentication details to access.
  • Better handling of recent recommendations regarding cookies, HAProxy now adds 'samesite=none' by default to persistence cookies for better cross-site handling.

Bug Fixes

  • Updated defaults for LDirectord allowing XML files with a blank config section to still allow the service to start successfully.
  • Fixed an issue when adding a WAF between SNI SSL Terminations and HAProxy, it no longer fails and shows 'HTTP 400 bad request' in a web browser.
  • Management gateway PBR rules now start correctly after reboot even when other PBR rules are not in use.
  • Changing port on HAProxy service now updates linked Stunnel service.
  • Slave appliances in Azure no longer incorrectly write the Master's IP in some SNI configurations.
  • New upstart script for Stunnel service, improving reliability
  • Restoring an XML file now picks up the configured WebUI port from the configuration file.

[v8.5.3]

16th April 2021

NB. The online update following this patch will jump straight to version 8.5.8

Security

  • Update OpenSSL to version 1.1.1k
    NB. The Loadbalancer.org product is not vulnerable to the 3 issues fixed in this patch.

[v8.5.2]

31st March 2021
Improvements

  • Added the JQ library package
  • Large support downloads now 'stream' using less local disk space
  • Fallback server support with SNI now available for VIPs using SSL Pass-through or Re-Encrypt to Backend

Bug Fixes

  • Fixed rare issue with feedback agent when updating HAProxy
  • Fixed reload process for Stunnel
  • Updated SNMPD to resolve rare memory leak

Security

  • Various improvements including Stunnel and OpenSSH

[v8.5.1]

26th November 2020
New Features

  • WAF now has enhanced support for IPV6

Improvements

  • Add new fogroup persistence method in GSLB
  • Warn user if a network card is not in a fast enough PCI slot.
  • Update HAProxy to 1.8.27

Bug Fixes

  • Network bonding default mode in GUI corrected to be HA mode 1
  • GSLB restart no longer fails without defining config first
  • Fix issue when installing an invalid licence key.
  • Fix lbcli function negotiate_http_head
  • Fix potential issue detecting serial port configuration
  • Stop GSLB wizard modifying user defined SSL options
  • Fix for rare but confirmed WAF memory consumption issue

[v8.5]

9th October 2020
New Features

  • New SNMP agent and MIBs for Layer 7 services.
  • New GSLB graphical interface (automatic upgrade of existing manual configs)
  • New GSLB distribution state table
  • New and more Flexible bonding of interfaces

Improvements

  • Bond mode now selectable from setup wizard.

Bug Fixes

  • Disabled access to HAProxy statistics page port 7777 for TLS1.1
  • Fixed issue where specific ACL rule broke lb_config
  • Fix for samesite cookie issue
  • Revert self signed certificate back to localhost.localdomain
  • Fix read-only lock when using manual L7 configuration

Security

  • Force UI/Console password change from the setup wizard.
  • PDNS Updated to 4.3.0

[v8.4.3]

27th April 2020
Security

  • OpenSSL updated to mitigate potential but 'unproven in the wild' DOS vulnerability CVE-2020-1967

[v8.4.2]

20th April 2020
New Features

  • Rsyslog updated to version 7
  • Alternate default gateway available for L7 VIPS
  • TProxy can now be enabled per VIP

Improvements

  • Syslog default communication method now UDP.
  • SDK updated for GCP appliances
  • Enabled SNI support for re-encrypt to backend.

Bug Fixes

  • Editing values on the physical advanced page was disabling PBR
  • Erroneous Bond interface showing after running console setup wizard
  • Azure appliances ACLs fixed in HA deployment
  • Fixed intermittent 502 errors coming from WAF gateways.
  • Fixed STunnel slow start on boot
  • Source address lost when Stunnel bound L7 VIP had its SSL mode changed
  • HAProxy configuration locking fixed
  • Manual HAProxy configuration input was incorrectly converting single quotes

Security

[v8.4.1]

14th January 2020
Performance & Security enhancements

  • Updated STunnel to version 5.56
  • Updated HAProxy to version 1.8.23
  • Updated OpenSSL to version 1.1.1d
  • Fixed XSS vulnerabilities in web interface

New Features

  • New graphical menu for console based setup
  • Easier bond and vlan configuration at setup
  • TLS v1.3 available

Bug Fixes

  • Changed placement of SNI Rules page for ease of use.
  • Fixed potential error when updating WAF advanced settings.
  • Updating L7 child VIP when bound with SNI no longer overwrites parent.
  • Fixed potential segfault in STunnel

Improvements

  • Changed console default keyboard layout to US.
  • Optionally exclude .gz files in support download.
  • Improvements to SSL advanced page.
  • Improvements to WAF diagnosis functionality.
  • Improvements to LBCLI for automated deployments.
  • SSL performance improvements

[v8.4]

13th September 2019
Deprecated - Do not use

  • Potential segfault in SSL handling - version pulled.
  • Changes below rolled into v8.4.1

Improvements

  • Improved NIC ordering script for physical appliances.
  • Improved setup script to clear out user added VLANS.
  • Stunnel performance improvements updated to 5.55

Bug Fixes

  • Improved SNI domain name validation to now allow '-' in the URL.
  • Improved form formatting for L4 negotiate checks.
  • Azure WAF - Fix routing traffic when master is unavailable.
  • WAF frontends no longer count towards VIP licenced total.

Security

  • OpenSSL updated to 1.1.0k
  • HAProxy updated to 1.8.20

[v8.3.8]

5th July 2019
Important security update

[v8.3.7]

5th July 2019
New features

  • Duplication of services now available from the edit service page.
  • Add HTTP 'Options' method health check at L7.
  • Security Lock down by default + option to make it irrevocable.

Improvements

  • Modify Virtual Server is now context sensitive with multiple advanced menu options.
  • L7 Persistence methods are selectable based on L7 protocol.
  • Improved PBR ReadMe Document.
  • NIC offloading help corrected.
  • SSL Certificate verification of pem files on import.
  • Increased default PCRE Limit for the WAF.
  • ModSecurity databases removed from support download to reduce size.
  • L7 Stats page has deprecated TLS versions disabled.
  • Update quick start guide URLs.

Bug Fixes

  • SSL certificate elements were not copied to the slave correctly.
  • Disaster recovery script now copies WAF configuration correctly from recovery node.
  • Edge/IE11 are now able to access HAProxy stats/Layer 7 Status page.
  • Stop TPROXY from enabling occasionally when generating a support download.
  • Node recovery was not notifying on completion.
  • Adding SNI rules incorrectly reverts 'manual' state.
  • Improved validation checks for L7 Headers.
  • Cannot create a wild card SNI rule.

[v8.3.6]

1st March 2019

HAProxy

  • Correctly escaping quotes in header values.
  • Replace header is now available from the headers section.
  • Inactive HTTP stream reuse is now available.
  • We have made the path_beg and path_end ACLs case insensitive.
  • When using HEAD checks the response expected box is no longer displayed.
  • HAProxy has been updated to 1.8.17 to mitigate against h2 bug.

SSL

  • Proxy protocol was getting incorrectly disabled - now fixed.

Other

  • Stopped users executing lbcli from the web interface.
  • 40Gbit/s mellanox card drivers have been added.
  • Fixed incorrect ciphers when enabling HTTPS and the WUI.
  • Hardware network interface TCP Offloading is now available

[v8.3.5]

21st November 2018

  • AWS: Reload dialogue displayed unnecessarily when using AWS autoscaling.

  • HAProxy: Restoring XML will no longer remove existing manual configuration files. Added new ACL functionality for query strings.

  • SSL PROXY BIND: Fix read-only issues from 8.3.4 online update - and allow easy removal of existing bindings.

  • Other: Removed disturbing message from CLI when generating support download.

[v8.3.4]

20th September 2018

  • HAProxy: Updated to v1.8.14 for critical fix to HPACK decoder used for HTTP/2 (vulnerable to buffer overflow)

  • Let's Encrypt: Critical fix to the automated certificate renewal script

  • SSL PROXY BIND: Fix broken proxy bind if you modify the layer 7 VIP or delete the termination SSL VIP.

[v8.3.3]

10th September 2018

  • HyperV: We have improved the HyperV live migration and as a result this no longer causes potential heartbeat latency issues.

  • WAF: The WAF interface has now been simplified, and we've added easy log diagnosis & automated whitelist suggestions. We've also added a new fast page cache, for accelerating Wordpress.

  • SSL: The interface has been simplified and OpenSSL has been updated to 1.1.0h.
    -- STunnel has been updated to 5.46 to resolve a slow memory leak when reloading 1000's of SNI rules.
    -- Automated certificate generation is now available, using Let's Encrypt.
    -- We have increased the number of SNI rules you can add via the web interface to 8000!

  • HAProxy: Has now been updated to 1.8.11. The core change being the ability to configure multi-threading for greater than 10G performance.

  • Other: Bonded interface limit has increased - you can now create up to 4 bonded pairs with full 802.3ad support.

[v8.3.2]

  • Azure: AZ HA service can now run scripts on failure.
    -- SNAT Mode with HA now displays the correct VIP in the system overview on the slave appliance.
    -- SNAT Mode with HA wrong slave appliance IP selected on 'modify VIP page'.
    -- WALinuxAgent updated to 2.2.21.
    -- Kernel updated to 4.9.107 for network performance improvement (reboot required).

  • WAF: SecPcreLimit is now configurable from the interface.

  • PBR: You can now set a separate gateway for the management IP.

  • EC2: Enhanced networking (ENA) module available.

  • SSL: Disabling of TLS 1.0, 1.1, 1.2 is now possible from the interface.

  • HAProxy: Has been updated to version 1.7.11. Raw table no track rules are now being written correctly.
    -- HTTP HEAD health check is now available.
    -- To improve compatibility with websocket tunnel timeout has been added.

  • Other: RADIUS and Basic AD authentication is now available for the web interface.
    -- lbinsecure now defaults setup user and user interface password correctly.

[v8.3.1]

  • Azure: Added multiple interfaces to Azure.

  • WAF: The system can now direct WAF logs to syslog and therefore a remote syslog server.

  • PBR: You can now start/stop a single set of rules without having to re-write/affect all PBR services.

  • GSLB: GSLB is now available and configurable from the interface. Yup! I didn't believe it either. We have finally caved to your constant demands for GSLB! Actually Aaron finally found some really powerful uses for it on customer sites as explained in his blog about full GSLB support in v8.3.1.

  • Kernel: Kernel is updated to 4.4.110 to mitigate the Meltdown attack. (Warning: requires reboot)

  • HAProxy: HAProxy updated to 1.7.10 and re-encrypt to backend is now available in TCP mode.

  • Layer 4: LVS SNAT mode has been added giving you the performance of layer 4 load balancing for TCP and UDP without the requirement of making server or infrastructure changes. Why we didn't do this earlier - I don't know, because it's great!

[v8.3]

  • The only change between v8.2.5 and v8.3 was a BIG update of the Linux Kernel from our existing 2.6.35 all the way to 4.4.49.
  • We have done a lot of testing with the new Kernel and we are very happy with the performance improvements.

[v8.2.5]

  • Enhanced performance and new double login feature for our WAF
  • Improved SSL hot reload to guarantee zero downtime
  • PROXY protocol no longer requires a separate VIP on port 81
  • API fully updated with 98% of functions available
  • Big performance updates for the WAF went into v8.2.5, we also added the new double login and Google Authentication features.

[v8]

In the process of designing our WAF implementation we've been having a lot of conversations with Sucuri, these guys are awesome and know everything about web application firewalls and denial of service protection. Sucuri are also way more friendly than Incapsula (who were impossible to get any straight answers from).

[v7.6.6]

  • More wizards for setting up specific applications
  • Dynamic graphing and dynamic numerical stats
  • Re-write and enhancement of the initial configuration wizard(s)
  • Layer 7 email alerts - as usual we've released it open source before actually putting it in our product (how do we make any money anyway?)

[v7.6.5]

  • Re-write of the security model for pairing master and slave units - for full security compatibility with cloud platforms AWS and Azure.

[v7.6.4]

  • Overhaul of system overview
  • Loads of improvements to the web interface in general, making it easy to use as well as nice to look at

[v7.6.3]

  • Layer 7 external health checks i.e. NTLM proxy health checks
  • Enhancements to layer 4 maintainability and matching behaviour to be similar to layer 7 (especially the fallback server)
  • Hardware compatibility/performance updates for new hardware models i.e. Dell R220
  • Moving the full v7.x application to the Amazon EC2 cloud platform.
  • Kernel improvements for multiple hyper-visor platforms VMWare, XEN, Hyper-V, KVM & EC2
  • Improvements to the layer 7 HAproxy stateful restart and replication model
  • Automated conntrack tuning and irq balance performance updates
  • Re-write of the user security model in the web interface
  • Performance and functionality improvements to the windows feedback agent
  • Port of the full product to Microsoft Azure cloud platform - in progress but trying to make the Kernel secure without access to the Microsoft source code is fun!

Other previous updates....

  • SNI support in the web interface
  • WAF / Mod_Security: We've ensured that our Layer 7 rate limiting enables seamless protection for each WAF instance by default, because the last thing we want is the WAF itself being an easy way to DOS our load balancer!
  • Simple ACL redirects and rules with support for manual backend configurations
  • API & LBCLI improvements
  • AWS - automatic one click integration with auto scaling groups
  • Complete re-write of the disaster recovery functionality - NO DOWNTIME!
  • Several performance enhancements for specific types of traffic.

And then we have some features on the soon to be scheduled / wish list:

  • Full re-write of the high-availability subsystem (heartbeat) focusing on stability and scalability and intelligence for multiple nodes.
  • Plug-in architecture and wizard for controlling the auto-scaling of backend servers in clusters - that would be fun/interesting.
  • Enhancements and intelligence into real server health monitoring
  • Easy to use Denial of Service rules - manual config.
  • Simple rules to direct users to different clusters when the primary one is busy i.e. busy e-commerce site flood control - manual config.
  • Easy and secure remote access to customer load balancers from Loadbalancer.org support staff
  • Easier integration of existing authentication methods i.e. RADIUS/LDAP/Active Directory

Things we are not doing:

  • SNORT - Why? But we might make DDOS protection more automated..
  • iPhone/iPad/Android apps
  • Graphical firewall
  • Firewall load balancing - we could ask Horms very nicely to modify the Linux Kernel for this...maybe...
  • Bridge based load balancing - yuck...But a LOT of people use web filters and WAFs in bridge mode so something like the Net Optics xbalancer solution makes sense.
  • Link balancing - really? I don't think so. And here's why...
  • TMG SSO replacements - Yuk. Although, Andrew might look into doing this during his downtime (our developers get 14 hours a week free/fun/downtime).
  • Making anything more complicated, or harder to use....

Obviously this blog post needs a lot of work...and will change rapidly...please comment below, thanks.