⚠️ SECURITY NOTICE (February 2026)
CVE-2026-26080 & CVE-2026-26081: QUIC parsing vulnerabilities (DoS). Fixed in versions 3.0.12, 3.1.14, 3.2.12, 3.3.3+. Update immediately if using QUIC.
| Aspect | Status | Notes |
|---|---|---|
| Project Maintenance | ✅ Active | Regular releases |
| Security Response | ✅ Responsive | Security patches issued promptly |
| Recent Releases | ✅ 3.3.4 (Feb 2026) | Security fixes included |
| Known CVEs | ⚠️ 2 recent | QUIC DoS vulnerabilities (patched) |
| Package Availability | ✅ Available | Official repositories |
| CVE | Year | Description | Fixed |
|---|---|---|---|
| CVE-2025-XXXXX | 2025 | Various fixes | Current versions |
| CVE-2024-XXXXX | 2024 | Various fixes | Current versions |
# Upgrade the haproxy package from the distribution repositories. Distribution
# packages can lag upstream, so compare the printed version with the fixed
# versions given in the security notice for the branch you run.
# Debian/Ubuntu
sudo apt update && sudo apt upgrade haproxy
# RHEL/CentOS
sudo dnf update haproxy
# Verify version
# `haproxy -v` reports the installed binary, not the running process: the fix
# is only effective once the service has been restarted or reloaded.
# NOTE(review): the package post-install step usually does this - confirm with
# `systemctl status haproxy` that the start time is after the upgrade.
haproxy -v
# Should be 3.3.4+ or LTS 3.2.13+
If you don’t need HTTP/3, disable QUIC to reduce attack surface:
global
# Do not enable QUIC if not needed
# NOTE(review): `tune.quic.disable` is not a keyword I can confirm exists for
# the versions named on this page - check the configuration manual for your
# release before relying on it. QUIC listeners only exist where a `bind` line
# uses the quic4@/quic6@ address prefix, so removing those bind lines is the
# dependable way to turn QUIC off.
# tune.quic.disable = 1
# Stats page: TLS-only listener, reachable from a single trusted network.
frontend stats
# Placeholder path - point at the real combined certificate+key bundle.
bind *:8404 ssl crt /path/to/cert.pem
mode http
stats enable
stats uri /stats
stats refresh 30s
# Restrict to trusted networks
# Example range - replace with your management network(s). `src` is the TCP
# peer address, so behind another proxy it is that proxy's address, not the user's.
acl allowed_network src 192.168.1.0/24
# `allow` stops http-request rule evaluation for matching clients; the
# unconditional `deny` below therefore only reaches everyone else (403 by default).
http-request allow if allowed_network
http-request deny
# NOTE(review): consider adding `stats auth <user>:<password>` and
# `stats hide-version` as a second layer - the network ACL alone is the only
# control here and is lost if the range is widened later.
global
# TLS 1.2 cipher list for frontend `bind` lines: ECDHE key exchange with AEAD
# (GCM) suites only - no CBC modes, no static RSA key transport.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
# TLS 1.3 suites are configured separately; the list above does not apply to 1.3.
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Floor the protocol at TLS 1.2 and disable session-ticket resumption.
# These `ssl-default-bind-*` keywords cover listeners only; backend-side TLS to
# servers is governed by the corresponding `ssl-default-server-*` keywords.
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
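frontend http_front
bind *:80
mode http
# Define stick table
# A stick-table is a proxy-section keyword and must be declared inside a
# frontend/backend/listen (or peers) section; the original snippet placed it
# before the `frontend` header, where it does not load. Keyed by client IP,
# it keeps a 10s request-rate counter; `expire` must cover the longest period.
stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s)
# Track requests
# NOTE(review): `src` is the TCP peer address; behind a CDN or another proxy all
# clients share one address and a single busy upstream would trip the limit.
http-request track-sc0 src
# Deny if rate exceeded
# 10 requests per 10s is an illustrative threshold - tune to real traffic.
http-request deny if { sc0_http_req_rate gt 10 }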
# Ownership and permissions for the HAProxy installation.
# Configuration files
# Readable by the haproxy group, writable only by root; the config may carry
# stats credentials and internal backend addresses.
sudo chown root:haproxy /etc/haproxy/haproxy.cfg
sudo chmod 640 /etc/haproxy/haproxy.cfg
# SSL certificates
# Root-only. This assumes HAProxy starts as root and loads certificates before
# dropping privileges via `user`/`group`; a unit that runs as an unprivileged
# User= from the start cannot read these. NOTE(review): confirm the start mode.
sudo chown root:root /etc/ssl/private/*.pem
sudo chmod 600 /etc/ssl/private/*.pem
# Stats socket
# The socket is recreated on every start and reload, so ownership and mode set
# here are lost. Make them persistent with the `stats socket` directive's
# `user`, `group` and `mode` parameters, and keep `level` as low as needed.
sudo chown root:haproxy /var/run/haproxy/admin.sock
sudo chmod 660 /var/run/haproxy/admin.sock
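# /etc/systemd/system/haproxy.service.d/hardening.conf
# Drop-in merged with the packaged haproxy.service unit.
[Service]
# Filesystem protection
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
# Only these paths stay writable: the socket/pid directory and the log directory.
# NOTE(review): if the vendor unit's ExecStart writes its pidfile elsewhere
# (e.g. a -p /run/... path), that path must be added here or start-up fails.
ReadWritePaths=/var/run/haproxy /var/log/haproxy
# Network restrictions
# AF_UNIX is required: the stats/admin socket (/var/run/haproxy/admin.sock used
# elsewhere on this page), master-worker IPC and syslog via /dev/log are all
# unix-domain sockets; with only AF_INET/AF_INET6 those socket() calls fail.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Capability restrictions
# NOTE(review): this set assumes the process is not expected to drop privileges
# itself. If haproxy.cfg uses `user`/`group` (setuid/setgid at start-up) the
# bounding set also needs CAP_SETUID CAP_SETGID, plus CAP_SYS_CHROOT when
# `chroot` is set. If instead the unit sets User=, binding ports below 1024
# requires AmbientCapabilities=CAP_NET_BIND_SERVICE rather than the empty value.
# Confirm against the vendor unit's ExecStart and the global section.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Memory protection
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# Resource limits
# Must be at least as large as the `maxconn`-derived descriptor need, or
# HAProxy lowers its connection limit at start-up.
LimitNOFILE=65535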
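frontend http_front
bind *:80
mode http
# Define stick table for rate limiting
# Declared inside the frontend: a stick-table is a proxy-section keyword and
# the original snippet placed it before the section header. Keyed by client IP,
# it keeps 10s request and error rates; `expire` must cover the longest period.
stick-table type ip size 1m expire 5m store gpc0,http_req_rate(10s),http_err_rate(10s)
# Track source IP
# NOTE(review): `src` is the TCP peer; behind a CDN or another proxy every client
# shares its address and one busy upstream would trip the limits.
http-request track-sc0 src
# Block excessive request rates
# The rate period (10s) is fixed by the table definition. The optional argument
# to sc0_http_req_rate/sc0_http_err_rate is a *table name*, so the original
# `sc0_http_req_rate(10s)` referenced a non-existent table called "10s".
http-request deny deny_status 429 if { sc0_http_req_rate gt 100 }
# Block high error rates (potential attackers)
# http_err_rate counts 4xx responses - a scanning/brute-force indicator, but
# legitimate clients hitting a broken link storm can cross it too. Thresholds
# are illustrative; tune them to observed traffic before enforcing.
http-request deny deny_status 429 if { sc0_http_err_rate gt 50 }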
# Request filtering: coarse pattern blocks. These are a hygiene layer, not a
# WAF - they match literal substrings and do not see encoded variants.
frontend http_front
bind *:80
mode http
# Block malicious user agents
# `-f` loads one substring per line from the file; the file must exist at start
# and at every reload or the configuration fails to load. `-i` = case-insensitive.
acl bad_agent hdr_sub(User-Agent) -i -f /etc/haproxy/bad_agents.txt
http-request deny if bad_agent
# Block suspicious URLs
# `url` is the full request URI including the query string, so the `$`-anchored
# pattern also fires on a query such as `?file=x.exe`; `path_end -i .exe .bat ...`
# is the usual form when only the path component is meant.
acl invalid_url url_reg -i ^.*\.(exe|bat|cmd|scr|pif)$
http-request deny if invalid_url
# Block SQL injection attempts
# `-m sub select` is a plain substring match and will also deny legitimate
# values such as "selection" or "selected" - expect false positives and log
# denials before enforcing. NOTE(review): with no parameter name, check the
# fetch documentation for whether `url_param` considers every parameter or
# only the first.
acl sql_injection url_param -m sub select
http-request deny if sql_injection
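defaults
# Prevent Slowloris attacks
# `timeout http-request` bounds how long a client may take to send the complete
# request headers - this is the timer that defeats slow-header attacks;
# `timeout client` alone only fires on total inactivity.
timeout http-request 10s
timeout client 30s
timeout server 30s
# Bound the TCP handshake to backend servers (HAProxy warns when this is unset).
timeout connect 5s
timeout http-keep-alive 10s
# WebSocket support (if needed)
timeout tunnel 3600s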
| Risk | Mitigation |
|---|---|
| Malformed packets | Update to patched version (3.3.4+) |
| Resource exhaustion | Implement connection limits |
| Amplification attacks | Configure rate limits |
| 0-RTT replay | Disable 0-RTT for sensitive apps |
global
# QUIC settings (if enabled)
# NOTE(review): HAProxy `tune.*` keywords use hyphens and the QUIC ones carry a
# `frontend.` segment (e.g. tune.quic.frontend.max-idle-timeout); the two names
# below do not match that form and must be verified against the configuration
# manual for the deployed release before use.
tune.quic.max_idle_timeout 30s
tune.quic.initial_rx_win 1048576
# Consider disabling if not needed
# QUIC is only active on `bind` lines using the quic4@/quic6@ prefixes; removing
# those is the dependable way to disable it. NOTE(review): verify this keyword
# exists too before relying on it.
# tune.quic.disable 1
defaults
# Structured (JSON-shaped) access log. Values are inserted raw - HAProxy does not
# JSON-escape them here. %T is the GMT timestamp; %ft is the frontend name with a
# trailing "~" when the connection was TLS; %ST is -1 when no response status
# exists; %ts is the two-letter termination state; %b/%s can hold placeholder
# values such as "<NOSRV>". Treat the lines as untrusted text when ingesting.
log-format '{"timestamp":"%T", "client_ip":"%ci", "frontend_name":"%ft", "backend_name":"%b", "server_name":"%s", "status_code":%ST, "bytes_read":%B, "term_state":"%ts"}'
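# Check for unusual error rates
# Anchor on the status_code field of the JSON log-format used on this page; a
# bare "50[0-9]|429" also matches timestamps and byte counts and gives false hits.
tail -f /var/log/haproxy.log | grep -E '"status_code":(50[0-9]|429)[,}]'
# Monitor connection counts
# `show stat` CSV, 1-based cut fields: 1=pxname 2=svname 5=scur 6=smax. The
# original's 17,18 are wredis/status, not connection counts. Reading `show stat`
# needs at least `level operator` on the stats socket.
watch 'echo "show stat" | socat /var/run/haproxy/admin.sock stdio | cut -d, -f1,2,5,6'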
Monitor these metrics:
See HAProxy Hardening for server-specific hardening details.