Understandably, we get quite a few requests for a product roadmap containing release notes and feature updates. We've had a chat about this internally and thought that it would be nice to have a permanent post on the blog that we change on the fly as and when customer requirements change. Putting this on the blog enables our customers to express their arguments for and against new features etc. This entry should also give you a better idea of our priorities and how we develop the product.
Let's start with our priority list, this is an overview of the things we feel are most important in a load balancer appliance in order of priority:
- Constant improvements to underlying systems
- Future enhancements to intelligence, logging and alerting.
- Constant focus on close to zero downtime for maintenance and security updates
- Helping the customer carry out software updates on servers in the cluster.
- Constant re-assessment of the best default configurations for performance
- Renewed focus on special application performance requirements (i.e. lots of small packets or lots of large ones).
- How can we make the product easier to support and how can we improve our support service?
- Improvements to look and feel + intelligence and ease of use
- New platforms
- Integrate new platforms as and when they become customer priorities, i.e. Azure.
- New features
- Assess against our priorities and implement if, and only if they match our stated priorities.
- New products
- Constantly looking for new applications to help customers with their infrastructure requirements.
So what features are we currently working on? (i.e. next couple of weeks)
We've recently been working on v8.3.8 which has now been released (see below). But as you may know our main focus is still v9 and we're getting closer to finishing it - so watch this space!
Alongside v8.3.8, we've also been working on our biggest development yet: v9.
Actually we're already 12 months late but we are a very patient bunch of people...
So, what are we doing for v9?
- Completely re-writing the backend so that everything is processed from a single API.
- We are building on our previous work in v7.6.3 for complex Layer 7 manual configuration support in the system overview.
- We will enhance the web interface with full support for front end / backend configurations to work seamlessly with the entire web interface.
- This will allow the vast majority of F5 migrations to be completed without the requirement of manual configurations.
- It will also make it easier for different backend groups to have different health checks.
- All functions will have automatic testing and documentation.
- Performance of everything will be much faster.
- Web user interface support for multiple backend clusters attached to front ends with rules i.e. server pools
- Multiple pools for health checks as above
What features were recently completed?
NB. As of 17th June 2019, the current recommended version is v8.3.8.
Important security update
- This release moves the Loadbalancer.org kernel to v4.9.182.
- This fixes the remote denial of service vulnerabilities in the Linux TCP SACK implementation, specifically CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
- Duplication of services now available from the edit service page.
- Added an HTTP OPTIONS method health check at Layer 7.
- Security lockdown is now enabled by default, with an option to make it irrevocable.
- Modify Virtual Server is now context sensitive with multiple advanced menu options.
- L7 Persistence methods are selectable based on L7 protocol.
- Improved PBR ReadMe Document.
- NIC offloading help corrected.
- SSL Certificate verification of pem files on import.
- Increased default PCRE Limit for the WAF.
- ModSecurity databases removed from support download to reduce size.
- L7 Stats page has deprecated TLS versions disabled.
- Updated quick start guide URLs.
- SSL certificate elements were not copied to the slave correctly (fixed).
- Disaster recovery script now copies WAF configuration correctly from recovery node.
- Edge/IE11 are now able to access HAProxy stats/Layer 7 Status page.
- Stop TPROXY from enabling occasionally when generating a support download.
- Node recovery was not notifying on completion (fixed).
- Adding SNI rules incorrectly reverted the 'manual' state (fixed).
- Improved validation checks for L7 Headers.
- Could not create a wildcard SNI rule (fixed).
- Correctly escaping quotes in header values.
- Replace header is now available from the headers section.
- Inactive HTTP stream reuse is now available.
- We have made the path_beg and path_end ACLs case insensitive.
- When using HEAD checks the response expected box is no longer displayed.
- HAProxy has been updated to 1.8.17 to mitigate an HTTP/2 (h2) bug.
- Proxy protocol was getting incorrectly disabled - now fixed.
- Stopped users executing lbcli from the web interface.
- 40Gbit/s Mellanox card drivers have been added.
- Fixed incorrect ciphers when enabling HTTPS and the WUI.
- Hardware network interface TCP offloading is now available.
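The v8.3.8 notes above move the kernel to 4.9.182 to close the TCP SACK denial of service CVEs. As an added example (this is not code from the original post or from Loadbalancer.org), here is a small POSIX shell check a defender could run on a Linux host to classify it from two locally readable facts: the running kernel version and the net.ipv4.tcp_sack sysctl. It assumes, as the notes state, that 4.9.182 or later carries the fix and that no vendor backport ships the fix under a lower version number; it also treats the widely published interim workaround for unpatched kernels, disabling SACK (tcp_sack=0), as "mitigated". The function names, the MIN_SACK_FIX constant and the --live switch are my own.

```shell
#!/bin/sh
# Added example, not Loadbalancer.org code: classify exposure to the TCP SACK
# DoS issues (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479).

# Kernel version from the v8.3.8 release notes; assumption: no lower-numbered
# vendor backport carries the fix.
MIN_SACK_FIX=4.9.182

# field VERSION N: print the Nth dot-separated field of VERSION as a number.
# awk's string-to-number conversion keeps the leading digits, so a suffix
# such as "182-lb" or "15-generic" is dropped and a missing field becomes 0.
field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n + 0 }'
}

# version_ge A B: exit 0 (true) when dotted version A >= B, comparing the
# first three numeric fields (major.minor.patch).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$1" "$i")
        y=$(field "$2" "$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0   # all three fields equal
}

# sack_status KERNEL TCP_SACK: prints "patched" when the kernel carries the
# fix, "mitigated" when an older kernel has SACK disabled (tcp_sack=0, the
# published interim workaround), and "exposed" otherwise.
sack_status() {
    if version_ge "$1" "$MIN_SACK_FIX"; then
        echo patched
    elif [ "$2" = "0" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Run with --live on the host itself to check the running system.
if [ "${1:-}" = "--live" ]; then
    kv=$(uname -r)
    ts=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo unknown)
    echo "kernel $kv, tcp_sack=$ts: $(sack_status "$kv" "$ts")"
fi
```

A host that reports "mitigated" is still running a kernel without the fix; disabling SACK costs throughput on lossy links, so the patched kernel remains the target state and the workaround is only a stop-gap until the update has been applied.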
AWS: Reload dialogue was displayed unnecessarily when using AWS autoscaling (fixed).
HAProxy: Restoring XML will no longer remove existing manual configuration files. Added new ACL functionality for query strings.
SSL PROXY BIND: Fix read-only issues from 8.3.4 online update - and allow easy removal of existing bindings.
Other: Removed disturbing message from CLI when generating support download.
HAProxy: Updated to v1.8.14 for a critical fix to the HPACK decoder used for HTTP/2 (which was vulnerable to a buffer overflow).
Let's Encrypt: Critical fix to the automated certificate renewal script.
SSL PROXY BIND: Fix broken proxy bind if you modify the layer 7 VIP or delete the termination SSL VIP.
Hyper-V: We have improved Hyper-V live migration, and as a result it no longer causes potential heartbeat latency issues.
WAF: The WAF interface has now been simplified, and we've added easy log diagnosis & automated whitelist suggestions. We've also added a new fast page cache for accelerating WordPress.
SSL: The interface has been simplified and OpenSSL has been updated to 1.1.0h.
-- stunnel has been updated to 5.46 to resolve a slow memory leak when reloading thousands of SNI rules.
-- Automated certificate generation is now available, using Let's Encrypt.
-- We have increased the number of SNI rules you can add via the web interface to 8000!
HAProxy: Has now been updated to 1.8.11. The core change being the ability to configure multi-threading for greater than 10G performance.
Other: Bonded interface limit has increased - you can now create up to 4 bonded pairs with full 802.3ad support.
Azure: AZ HA service can now run scripts on failure.
-- SNAT Mode with HA now displays the correct VIP in the system overview on the slave appliance.
-- SNAT Mode with HA: the wrong slave appliance IP was selected on the 'Modify VIP' page (fixed).
-- WALinuxAgent updated to 2.2.21.
-- Kernel updated to 4.9.107 for network performance improvement (reboot required).
WAF: SecPcreLimit is now configurable from the interface.
PBR: You can now set a separate gateway for the management IP.
EC2: Enhanced networking (ENA) module available.
SSL: Disabling of TLS 1.0, 1.1, 1.2 is now possible from the interface.
HAProxy: Has been updated to version 1.7.11. Raw table NOTRACK rules are now being written correctly.
-- HTTP HEAD health check is now available.
-- A tunnel timeout has been added to improve WebSocket compatibility.
Other: RADIUS and Basic AD authentication is now available for the web interface.
-- lbinsecure now defaults setup user and user interface password correctly.
Azure: Added multiple interfaces to Azure.
WAF: The system can now direct WAF logs to syslog and therefore a remote syslog server.
PBR: You can now start/stop a single set of rules without having to re-write/affect all PBR services.
GSLB: GSLB is now available and configurable from the interface. Yup! I didn't believe it either. We have finally caved to your constant demands for GSLB! Actually Aaron finally found some really powerful uses for it on customer sites as explained in his blog about full GSLB support in v8.3.1.
Kernel: Kernel is updated to 4.4.110 to mitigate the Meltdown attack. (Warning: requires reboot)
HAProxy: HAProxy updated to 1.7.10, and re-encrypt to backend is now available in TCP mode.
Layer 4: LVS SNAT mode has been added giving you the performance of layer 4 load balancing for TCP and UDP without the requirement of making server or infrastructure changes. Why we didn't do this earlier - I don't know, because it's great!
- The only change between v8.2.5 and v8.3 was a BIG update of the Linux Kernel from our existing 2.6.35 all the way to 4.4.49.
- We have done a lot of testing with the new Kernel and we are very happy with the performance improvements.
- Enhanced performance and new double login feature for our WAF
- Improved SSL hot reload to guarantee zero downtime
- PROXY protocol no longer requires a separate VIP on port 81
- API fully updated with 98% of functions available
- Big performance updates for the WAF went into v8.2.5, we also added the new double login and Google Authentication features.
In the process of designing our WAF implementation we've been having a lot of conversations with Sucuri, these guys are awesome and know everything about web application firewalls and denial of service protection. Sucuri are also way more friendly than Incapsula (who were impossible to get any straight answers from).
- More wizards for setting up specific applications
- Dynamic graphing and dynamic numerical stats
- Re-write and enhancement of the initial configuration wizard(s)
- Layer 7 email alerts - as usual we've released it open source before actually putting it in our product (how do we make any money anyway?)
- Re-write of the security model for pairing master and slave units - for full security compatibility with cloud platforms AWS and Azure.
- Overhaul of system overview
- Loads of improvements to the web interface in general, making it easy to use as well as nice to look at
- Layer 7 external health checks i.e. NTLM proxy health checks
- Enhancements to layer 4 maintainability and matching behaviour to be similar to layer 7 (especially the fallback server)
- Hardware compatibility/performance updates for new hardware models i.e. Dell R220
- Moving the full v7.x application to the Amazon EC2 cloud platform.
- Kernel improvements for multiple hypervisor platforms: VMware, Xen, Hyper-V, KVM & EC2
- Improvements to the layer 7 HAProxy stateful restart and replication model
- Automated conntrack tuning and IRQ balance performance updates
- Re-write of the user security model in the web interface
- Performance and functionality improvements to the windows feedback agent
- Port of the full product to Microsoft Azure cloud platform - in progress but trying to make the Kernel secure without access to the Microsoft source code is fun!
Other previous updates:
- SNI support in the web interface
- WAF / Mod_Security: We've ensured that our Layer 7 rate limiting enables seamless protection for each WAF instance by default, because the last thing we want is the WAF itself being an easy way to DOS our load balancer!
- Simple ACL redirects and rules with support for manual backend configurations
- API & LBCLI improvements
- AWS - automatic one click integration with auto scaling groups
- Complete re-write of the disaster recovery functionality - NO DOWNTIME!
- Several performance enhancements for specific types of traffic.
And then we have some features on the soon to be scheduled / wish list:
- Full re-write of the high-availability subsystem (heartbeat) focusing on stability and scalability and intelligence for multiple nodes.
- Plug-in architecture and wizard for controlling the auto-scaling of backend servers in clusters - that would be fun/interesting.
- Enhancements and intelligence into real server health monitoring
- Easy to use Denial of Service rules- manual config.
- Simple rules to direct users to different clusters when the primary one is busy i.e. busy e-commerce site flood control - manual config.
- Easy and secure remote access to customer load balancers from Loadbalancer.org support staff
- Easier integration of existing authentication methods i.e. RADIUS/LDAP/Active Directory
Things we are not doing:
- SNORT - Why? But we might make DDoS protection more automated...
- iPhone/iPad/Android apps
- Graphical firewall
- Firewall load balancing - we could ask Horms very nicely to modify the Linux Kernel for this...maybe...
- Bridge based load balancing - yuck...But a LOT of people use web filters and WAFs in bridge mode so something like the Net Optics xbalancer solution makes sense.
- Link balancing - really? I don't think so. And here's why...
- TMG SSO replacements - Yuk. Although, Andrew might look into doing this during his downtime (our developers get 14 hours a week free/fun/downtime).
- Making anything more complicated, or harder to use....
Obviously this blog post needs a lot of work...and will change rapidly...please comment below, thanks.