Loadbalancer.org product roadmap – new features, release notes and more (as always, a work in progress) updated 3rd February 2023Updated on •17 mins
Understandably, we get quite a few requests for a product roadmap containing release notes and feature updates. We've had a chat about this internally and thought that it would be nice to have a permanent post on the blog that we change on the fly as and when customer requirements change. Putting this on the blog enables our customers to express their arguments for and against new features etc. This entry should also give you a better idea of our priorities and how we develop the product.
You can jump straight to our latest update (v8.8.1) here ->
We've changed our focus from v9 later to v8 now...
And we've doubled the size of our development team, which means that we can bring new features to you quickly. We are also changing the way that we release product updates. We have moved to a regular quarterly release cycle, to enable a more rigorous approach to quality.
In the event that we need to provide a release to mitigate against a serious security vulnerability, you will be informed and the release will be made off-cycle.
So what can you expect in the next few months?
We've recently added a some realy useful template deployment functionality. We aim to gradually improve this to support our partners with large and rapid deployments.
We've just completed a huge overhaul of the backup & recovery functionality. The focus being to make it as simple and flexible as possible. Making it far easier to automate and test deployments, and be ready for centralized management. And we finally added Prometheus support, for external graphing and analytics.
After making sure that Software Updates can Rollforward, we are now working on the Rollback. And most importantly we're tidying up centralized management before general release of our cloud portal.
And we’ve got time to add more..
So shout now if you want something changed — you can contact me directly by emailing firstname.lastname@example.org
How do we decide what to do next on our priority list?
Our principles always guide us, this is an overview of the things we feel are most important in a load balancer appliance in order of priority:
- Fast, rapid and proactive improvements i.e. Heartbleed/Shell Shock and others
- Focus on WAF/DOS/DDOS as well as just simply a secure appliance.
- Compliance with government standards HIPAA, FIPS, FISMA, NIST etc.
- Integration with your current security framework AD, RADIUS etc.
- Constant improvements to underlying systems
- Future enhancements to intelligence, logging and alerting.
- Constant focus on close to zero downtime for maintenance and security updates
- Helping the customer carry out software updates on servers in the cluster.
- Constant re-assessment of the best default configurations for performance
- Renewed focus on special application performance requirements (i.e. lots of small packets or lots of large ones).
- How can we make the product easier to support and how can we improve our support service?
- Improvements to look and feel + intelligence and ease of use
- New platforms
- Integrate new platforms as and when they become customer priorities i.e. azure
- New features
- Assess against our priorities and implement if, and only if they match our stated priorities.
- New products
- Constantly looking for new applications to help customers with their infrastructure requirements.
Hang on, what happened to v9?
The fabled v9 has evolved into our Partner Product, a customizable, and modular solution that simplifies large scale deployment. It’s already seamlessly embedded into hundreds of critical systems across the globe.
In fact it's grown into a bit of a monster. So while we prepare version 9 for general availability, we have decided to accelerate development of v8 to bring you new and exciting features.
So, what exactly is our partner product?
Put simply, our partner product is a platform for application delivery.
But more importantly it's something we create together — with amazing results. After all not every partner needs all of our services:
- API driven, vendor agnostic, data plane agnostic centralized application delivery
- Fully automated deployment, maintenance & monitoring of your applications
- Tight integration with your development team and your roadmap
- Our support integrated with your customer service team
- OEM Hardware development, deployment, certification and logistics
- Centralized management of security and version control
- Flexible contracts with long term commitments to your roadmap
Why do you need our partner product?
You are a respected technology vendor in your sector. And you have a large number of customers depending on your systems. And it's getting increasingly complex to support them on a global scale — while keeping the pace of innovation going with your own product roadmap.
I'm sure your system has unique requirements:
But wouldn't it be great to work with someone who wants to help you increase your revenue & customer satisfaction, while reducing complexity & costs?
Don't worry: We'll still be updating & supporting v8 for a very long time!
Last updated 3rd February 2023:
Latest version v8.8.1
Minimum recommended version is v8.5.2
Minimum secure version v8.3.8
3rd February 2023
- As we move into 2023, Loadbalancer.org will be rolling out a new look & feel for our brand
We believe the new logo and color scheme is more reflective of our true company personality
The new branding will be introduced in this update of the appliance's webUI
The complete transition to the new brand-look will happen gradually over the next few months
- Rolling online updates: Starting with this release you will now be able to update to the latest version without having to perform incremental updates.
- Added the facility to manage Loadbalancer Portal configuration via the WebUI.
- Added "First" Scheduler and “Last Successful” persistence method.
- Added new ACL type "Reported SNI" to act on the value of the SNI field of an unterminated TLS connection.
- Added Template Importer/Exporter to help with deployment automation.
- Virtual servers can now be bound to traffic on ANY interface by using 0.0.0.0.
- Improved gateway address validation to prevent entering an invalid ip.
- Open-vm tools for VMware based deployments on new installations.
- Free-type ACLs may now be multiline.
- Improved HAProxy config error reporting to add more detail.
- Improvements to LBCLI including input and output validation.
- The Stunnel service is now supervised to improve high availability.
- Updated OpenSSH to 9.0p1.
- HAProxy Stats page will now auto-refresh by default.
- Fixed having to specify a Floating IP and/or a Gateway when creating a new PBR rule.
- Fixed issue where L4 services would restart when autoscaling in AWS.
- Fixed setup wizard to validate passwords correctly.
- Backend-only virtual services no longer cause a conflict with layer 7 logging.
19th August 2022
- New and improved revamped backup & restore process.
- New and improved support download page.
- Added the ability online/offline floating IP addresses through the floating IP address page.
- Added the ability to restore a backup without having the floating IP addresses come immediately online.
- Added Intercom as our new live chat solution.
- Added the facility to enable the HAProxy Prometheus exporter via the web user interface.
- Added the facility to update your license via the lbapi.
- Added OPTIONs check to lbapi.
- Improved Linux RNG configuration to mitigate TPM errors relating to KVM.
- Updated HAProxy to version 2.0.28
- Resolved VIP and Management PBR conflicting.
- WAF - Resolved issue relating to inbound anomaly scores not calculating correctly and hence not logging as expected if they were less than the defined inbound anomaly score threshold.
- Windows Feedback Agent - Resolved an issue relating to the feedback agent incorrectly reporting RIP load.
12th May 2022
- Updated the copyright year found as part of our product footer.
- Updated the version of OpenSSL to address a vulnerability (CVE-2022-0778). Loadbalancer.org products are unaffected.
12th April 2022
- Create and manage multiple HAProxy backends with the web interface, removing the need for manual configurations.
- Added the ability to configure an individual real server to redirect traffic to another site.
- Added the ability to easily create self-signed certificates.
- Added basic HAProxy LUA support.
- Fixed the configuration for layer 4 email alerts.
- Fixed the labeling of interface names relating to virtio drivers with KVM.
- Fixed incorrect tooltips showing when configuring network interfaces.
- Fixed potential issue using the WAF with IPv6.
- Language improvements relating to cluster member names.
- Updated the PCRE version as part of ModSecurity for performance.
18th January 2022
- Prevent Apache update breaking custom SSL certificate for web interface
- Fix 8.6 regression in vlan configuration with bonding
10th January 2022
- Configure powerful and extensive ACL Traffic Rules, simply, using our new interface which removes the need for manual configurations.
- External Health Check scripts are now easy to edit and manage across L4/L7 and GSLB.
- ModSecurity CRS3 rules fully integrated into the WAF which will give less false positives.
- Online chat integrated into the product for quick access to support.
- 100G mellanox network card drivers updated.
- DHCP configuration now available from the console setup wizard.
- SNMP v3 is now configurable from the web interface.
- Changed Master/Slave Terminology to Primary/Secondary
- Re-generating a self signed certificate for the web interface is now possible.
- A notification is now displayed when an online product update is available.
- A unique host header for each backend server can now be configured using the server label.
- Service reload errors are now visible directly from the blue restart prompt.
- If host header is provided, then Layer 7 health checks default to HTTP 1.1
- The Online update server location is now editable.
- Number of threads in use at boot time now correctly displays in the user interface.
- Selecting a non-existent interface with autonat no longer results in an exception.
- Removing a static route now brings back the auto route for the NIC.
- Licence key expiration date now shows immediately after installation, without page refresh.
- Complex PFX certificate passwords are now fully supported.
- Using LBCLI on the passive node no longer triggers potential failover.
- Firewall lockdown wizard now allows layer 7 statistics access by default.
16th September 2021
- Fix 8.5.7 regression in the WAF behaviour previously resolved in 8.5.5
- Minor fix for invalid or corrupted XML files when importing backup from historical versions.
- Resolve critical issue in Azure clustering causing invalid Secondary IP address in the configuration file.
27th August 2021
- Fixed issue with HTTPS redirect loop when adding force to https to a WAF protected layer 7 service.
4th August 2021
- Resolved issue where SNI certificates could not be selected through the web interface for a small number of customers.
- The SSL termination padlock associated with a WAF now shows on the frontend rather than the backend.
- Resolved an issue where LBCLI would return a malformed JSON response for a small number of customers.
27th July 2021
- Now supports PEM formatted SSH keys allowing better compatibility and useability.
- A new padlock icon showing if a virtual service has an 'SSL Termination' attached is now shown for quick access to linked services.
- The HAProxy statistics page is now integrated within the Web UI for easier accessibility. It no longer consumes an additional port (TCP/7777) or requires separate authentication details to access.
- Better handling of recent recommendations regarding cookies, HAProxy now adds 'samesite=none' by default to persistence cookies for better cross-site handling.
- Updated defaults for LDirectord allowing XML files with a blank config section to still allow the service to start successfully.
- Fixed an issue when adding a WAF between SNI SSL Terminations and HAProxy, it no longer fails and shows 'HTTP 400 bad request' in a web browser.
- Management gateway PBR rules now start correctly after reboot even when other PBR rules are not in use.
- Changing port on HAProxy service now updates linked Stunnel service.
- Slave appliances in Azure no longer incorrectly write the Masters IP in some SNI configurations
- Restoring an XML file now picks up the configured WebUI port from the configuration file.
16th April 2021
NB. The online update following this patch will jump straight to version 8.5.8
- Update OpenSSL to version 1.1.1k
NB. The Loadbalancer.org product is not vulnerable to the 3 issues fixed in this patch.
31st March 2021
- Added the JQ library package
- Large support downloads now ‘stream' using less local disk space
- Fallback server support with SNI now available for VIPs using SSL Pass-through or Re-Encrypt to Backend
- Fixed rare issue with feedback agent when updating HAProxy
- Fixed reload process for Stunnel
- Updated SNMPD to resolve rare memory leak
- Various improvements including Stunnel and OpenSSH
26th November 2020
- WAF now has enhanced support for IPV6
- Add new fogroup persistence method in gslb
- Warn user if a network card is not in a fast enough PCI slot.
- Update Haproxy to 1.8.27
- Network bonding default mode in GUI corrected to be HA mode 1
- GSLB restart no longer fails without defining config first
- Fix issue when installing an invalid licence key.
- Fix lbcli function negotiate_http_head
- Fix potential issue detecting serial port configuration
- Stop GSLB wizard modifiying user defined SSL options
- Fix for rare but confirmed WAF memory consumption issue
9th October 2020
- New SNMP agent and MIBs for Layer 7 services.
- New GSLB graphical interface (automatic upgrade of existing manual configs)
- New GSLB distribution state table
- New and more Flexible bonding of interfaces
- Bond mode now selectable from setup wizard.
- Disabled access to HAProxy statistics page port 7777 for TLS1.1
- Fixed issue where specific ACL rule broke lb_config
- Fix for samesite cookie issue
- Revert self signed certificate back to localhost.localdomain
- Fix read-only lock when using manual L7 configuration
- Force UI/Console password change from the setup wizard.
- PDNS Updated to 4.3.0
27th April 2020
- OpenSSL updated to mitigate potential but 'unproven in the wild' DOS vulverability CVE-2020-1967
20th April 2020
- Rsyslog updated to version 7
- Alternate default gateway available for L7 VIPS
- TProxy can now be enabled per VIP
- Syslog default communication method now UDP.
- SDK updated for GCP appliances
- Enabled SNI support for re-encrypt to backend.
- Editing values on the physical advanced page was disabling PBR
- Erroneous Bond interface showing after running console setup wizard
- Azure appliances ACLs fixed in HA deployment
- Fixed intermittent 502 errors coming from WAF gateways.
- Fixed STunnel slow start on boot
- Source address lost when Stunnel bound L7 VIP had its SSL mode changed
- HAProxy configuration locking fixed
- Manual HAProxy configuration input was incorrectly converting single quotes
- HAProxy Updated to mitigate H2 bug CVE-2020-11100
14th January 2020
Performance & Security enhancements
- Updated STunnel to version 5.56
- Updated HAProxy to version 1.8.23
- Updated OpenSSL to version 1.1.1d
- Fixed XSS vulnerabilities in web interface
- New graphical menu for console based setup
- Easier bond and vlan configuration at setup
- TLS v1.3 available
- Changed placement of SNI Rules page for ease of use.
- Fixed potential error when updating WAF advanced settings.
- Updating L7 child VIP when bound with SNI no longer overwrites parent.
- Fixed potential segfault in STunnel
- Changed console default keyboard layout to US.
- Optionally exclude .gz files in support download.
- Improvements to SSL advanced page.
- Improvements to WAF diagnosis functionality.
- Improvements to LBCLI for automated deployments.
- SSL performance improvements
13th September 2019
Deprecated - Do not use
- Potential segfault in SSL handling - version pulled.
- Changes bellow rolled into v8.4.1
- Improved NIC ordering script for physical appliances.
- Improved setup script to clear out user added VLANS.
- Stunnel performance improvements updated to 5.55
- Improved SNI domain name validation to now allow '-' in the URL.
- Improved form formatting for L4 negotiate checks.
- Azure WAF - Fix routing traffic when master is unavailable.
- WAF frontends no longer count towards VIP licenced total.
- OpenSSL updated to 1.1.0k
- Haproxy Updated to 1.8.20
5th July 2019
Important security update
- This release moves the Loadbalancer.org kernel to v4.9.182.
- This fixes a remote denial of service vulnerability in the SACK implementation.
- Specifically CVEs: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
5th July 2019
- Duplication of services now available from the edit service page.
- Add HTTP 'Options' method health check at L7.
- Security Lock down by default + option to make it irrevocable.
- Modify Virtual Server is now context sensitive with multiple advanced menu options.
- L7 Persistence methods are selectable based on L7 protocol.
- Improved PBR ReadMe Document.
- NIC offloading help corrected.
- SSL Certificate verification of pem files on import.
- Increased default PCRE Limit for the WAF.
- ModSecurity databases removed from support download to reduce size.
- L7 Stats page has deprecated TLS versions disabled.
- Update quick start guide URLS.
- SSL certificate elements were not copied to the slave correctly.
- Disaster recovery script now copies WAF configuration correctly from recovery node.
- Edge/IE11 are now able to access HAProxy stats/Layer 7 Status page.
- Stop TPROXY from enabling occasionally when generating a support download.
- Node recovery was not notifying on completion.
- Adding SNI rules incorrectly reverts 'manual' state.
- Improved validation checks for L7 Headers.
- Cannot create a wild card SNI rule.
1st March 2019
- Correctly escaping quotes in header values.
- Replace header is now available from the headers section.
- Inactive HTTP stream reuse is now available.
- We have made the path_beg and path_end ACLS case insensitive.
- When using HEAD checks the response expected box is no longer displayed.
- HAProxy has been updated to 1.8.17 to mitigate against h2 bug.
- Proxy protocol was getting incorrectly disabled - now fixed.
- Stopped users executing lbcli from the web interface.
- 40Gbit/s mellanox card drivers have been added.
- Fixed incorrect ciphers when enabling HTTPS and the WUI.
- Hardware network interface TCP Offloading is now available
21st November 2018
AWS: Reload dialogue displayed un-necessarily when using AWS autoscaling.
HAProxy: Restoring XML will no longer remove existing manual configuration files. Added new ACL functionality for query strings.
SSL PROXY BIND: Fix read-only issues from 8.3.4 online update - and allow easy removal of existing bindings.
Other: Removed disturbing message from CLI when generating support download.
20th September 2018
HAProxy: Updated to v1.8.14 for critical fix to HPACK decoder used for HTTP/2 (vulnerable to buffer overflow)
Let's Encrypt: Critical fix to the automated certficate renewal script
SSL PROXY BIND: Fix broken proxy bind if you modify the layer 7 VIP or delete the termination SSL VIP.
10th September 2018
HyperV: We have improved the HyperV live migration and as a result this no longer causes potential heartbeat latency issues.
WAF: The WAF interface has now been simplified, and we've added easy log diagnosis & automated whitelist suggestions. We've also added a new fast page cache, for accelerating Wordpress.
SSL: The interface has been simplified and OpenSSL has been updated to 1.1.0h.
-- STunnel has been updated to 5.46 to resolve a slow memory leak when reloading 1000's of SNI rules.
-- Automated certificate generation is now available, using Let's Encrypt.
-- We have increased the number of SNI rules you can add via the web interface to 8000!
HAProxy: Has now been updated to 1.8.11. The core change being the ability to configure multi-threading for greater than 10G performance.
Other: Bonded interface limit has increased - you can now create up to 4 bonded pairs with full 802.3ad support.
Azure: AZ HA service can now run scripts on failure.
-- SNAT Mode with HA now displays the correct VIP in the system overview on the slave appliance.
-- SNAT Mode with HA wrong slave appliance IP selected on 'modify VIP page'.
-- WALinuxAgent updated to 2.2.21.
-- Kernel updated to 4.9.107 for network performance improvement (reboot required).
WAF: SecPcreLimit is now configurable from the interface.
PBR: You can now set a separate gateway for the management IP.
EC2: Enhanced networking (ENA) module available.
SSL: Disabling of TLS 1.0, 1.1, 1.2 is now possible from the interface.
HAProxy: Has been updated to version 1.7.11. Raw table no track rules are now being written correctly.
-- HTTP HEAD health check is now available.
-- To improve compatibility with websocket tunnel timeout has been added.
Other: RADIUS and Basic AD authentication is now available for the web interface.
-- lbinsecure now defaults setup user and user interface password correctly.
Azure: Added multiple interfaces to Azure.
WAF: The system can now direct WAF logs to syslog and therefore a remote syslog server.
PBR: You can now start/stop a single set of rules without having to re-write/affect all PBR services.
GSLB: GSLB is now available and configurable from the interface. Yup! I didn't believe it either. We have finally caved to your constant demands for GSLB! Actually Aaron finally found some really powerful uses for it on customer sites as explained in his blog about full GSLB support in v8.3.1.
Kernel: Kernel is updated to 4.4.110 to mitigate the meltdown attack. (Warning: requires reboot)
HAProxy: Haproxy updated to 1.7.10 and re-encrypt to backend is now available in TCP mode.
Layer 4: LVS SNAT mode has been added giving you the performance of layer 4 load balancing for TCP and UDP without the requirement of making server or infrastructure changes. Why we didn't do this earlier - I don't know, because it's great!
- The only change between v8.2.5 and v8.3 was a BIG update of the Linux Kernel from our existing 2.6.35 all the way to 4.4.49.
- We have done a lot of testing with the new Kernel and we are very happy with the performance improvements.
- Enhanced performance and new double login feature for our WAF
- Improved SSL hot reload to guarantee zero downtime
- PROXY protocol no longer requires a separate VIP on port 81
- API fully updated with 98% of functions available
- Big performance updates for the WAF went into v8.2.5, we also added the new double login and Google Authentication features.
In the process of designing our WAF implementation we've been having a lot of conversations with Sucuri, these guys are awesome and know everything about web application firewalls and denial of service protection. Sucuri are also way more friendly than Incapsula (who were impossible to get any straight answers from).
- More wizards for setting up specific applications
- Dynamic graphing and dynamic numerical stats
- Re-write and enhancement of the initial configuration wizard(s)
- Layer 7 email alerts - as usual we've released it open source before actually putting it in our product (how do we make any money anyway?)
- Re-write of the security model for pairing master and slave units - for full security compatibility with cloud platforms AWS and Azure.
- Overhaul of system overview
- Loads of improvements to the web interface in general, making it easy to use as well as nice to look at
- Layer 7 external health checks i.e. NTLM proxy health checks
- Enhancements to layer 4 maintainability and matching behaviour to be similar to layer 7 (especially the fallback server)
- Hardware compatibility/performance updates for new hardware models i.e. Dell R220
- Moving the full v7.x application to the Amazon EC2 cloud platform.
- Kernel improvements for multiple hyper-visor platforms VMWare, XEN, Hyper-V, KVM & EC2
- Improvements to the layer 7 HAproxy stateful restart and replication model
- Automated contrack tuning and irq balance performance updates
- Re-write of the user security model in the web interface
- Performance and functionality improvements to the windows feedback agent
- Port of the full product to Microsoft Azure cloud platform - in progress but trying to make the Kernel secure without access to the Microsoft source code is fun!
Other previous updates....
- SNI support in the web interface
- WAF / Mod_Security: We've ensured that our Layer 7 rate limiting enables seamless protection for each WAF instance by default, because the last thing we want is the WAF itself being an easy way to DOS our load balancer!
- Simple ACL redirects and rules with support for manual backend configurations
API & LBCLI improvements
- AWS - automatic one click integration with auto scaling groups
- Complete re-write of the disaster recovery functionality - NO DOWNTIME!
- Several performance enhancements for specific types of traffic.
And then we have some features on the soon to be scheduled / wish list:
- Full re-write of the high-availability subsystem (heartbeat) focusing on stability and scalability and intelligence for multiple nodes.
- Plug-in architecture and wizard for controlling the auto-scaling of backend servers in clusters - that would be fun/interesting.
- Enhancements and intelligence into real server health monitoring
- Easy to use Denial of Service rules- manual config.
- Simple rules to direct users to different clusters when the primary one is busy i.e. busy e-commerce site flood control - manual config.
- Easy and secure remote access to customer load balancers from Loadbalancer.org support staff
- Easier integration of existing authentication methods i.e. RADIUS/LDAP/Active Directory
Things we are not doing:
- SNORT - Why? But we might make DDOS protection more automated..
- iPhone/iPad/Android apps
- Graphical firewall
- Firewall load balancing - we could ask Horms very nicely to modify the Linux Kernel for this...maybe...
- Bridge based load balancing - yuck...But a LOT of people use web filters and WAFs in bridge mode so something like the Net Optics xbalancer solution makes sense.
- Link balancing - really? I don't think so. And here's why...
- TMG SSO replacements - Yuk. Although, Andrew might look into doing this during his downtime (our developers get 14 hours a week free/fun/downtime).
- Making anything more complicated, or harder to use....
Obviously, this blog post needs a lot of work...and will change rapidly...please comment below, thanks.