Update docs for 3.1

Author: HAProxy Community

docs/3.1/configuration.html

@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.1.8-17 - Configuration Manual</title>
+		<title>HAProxy version 3.1.8-85 - Configuration Manual</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -4430,7 +4430,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/06/17</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/08/26</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -4441,7 +4441,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Configuration Manual</h2>
-							<p><strong>version 3.1.8-17</strong></p>
+							<p><strong>version 3.1.8-85</strong></p>
 							<p>
 								2025/06/02<br>
 
@@ -7073,6 +7073,7 @@ <h2 id="chapter-2.9" data-target="2.9"><small><a class="small" href="#2.9">2.9.<
    - <a href="#insecure-setuid-wanted">insecure-setuid-wanted</a>
    - <a href="#issuers-chain-path">issuers-chain-path</a>
    - <a href="#key-base">key-base</a>
+   - <a href="#limited-quic">limited-quic</a>
    - <a href="#localpeer">localpeer</a>
    - <a href="#log">log</a>
    - <a href="#log-send-hostname">log-send-hostname</a>
@@ -7082,6 +7083,7 @@ <h2 id="chapter-2.9" data-target="2.9"><small><a class="small" href="#2.9">2.9.<
    - <a href="#lua-prepend-path">lua-prepend-path</a>
    - <a href="#mworker-max-reloads">mworker-max-reloads</a>
    - <a href="#nbthread">nbthread</a>
+   - <a href="#no-quic">no-quic</a>
    - <a href="#node">node</a>
    - <a href="#numa-cpu-mapping">numa-cpu-mapping</a>
    - <a href="#ocsp-update.disable">ocsp-update.disable</a>
@@ -7210,6 +7212,7 @@ <h2 id="chapter-2.9" data-target="2.9"><small><a class="small" href="#2.9">2.9.<
    - <a href="#tune.pool-low-fd-ratio">tune.pool-low-fd-ratio</a>
    - <a href="#tune.pt.zero-copy-forwarding">tune.pt.zero-copy-forwarding</a>
    - <a href="#tune.quic.cc-hystart">tune.quic.cc-hystart</a>
+   - <a href="#tune.quic.cc.cubic.min-losses">tune.quic.cc.cubic.min-losses</a>
    - <a href="#tune.quic.disable-udp-gso">tune.quic.disable-udp-gso</a>
    - <a href="#tune.quic.frontend.glitches-threshold">tune.quic.frontend.glitches-threshold</a>
    - <a href="#tune.quic.frontend.max-idle-timeout">tune.quic.frontend.max-idle-timeout</a>
@@ -9781,6 +9784,10 @@ <h2 id="chapter-3.4" data-target="3.4"><small><a class="small" href="#3.4">3.4.<
 As a side note, musl (e.g. Alpine Linux) implementations are known to be
 slower than their glibc counterparts when calculating hashes, so you might
 want to consider this aspect too.
+
+All passwords are considered normal arguments and are therefor subject to
+regular <a href="#2.2">section 2.2</a> Quoting and escaping. Single quoting passwords is
+therefor recommended.
 </pre><div class="separator">
 <span class="label label-success">Example:</span>
 <pre class="prettyprint">
@@ -9789,16 +9796,16 @@ <h2 id="chapter-3.4" data-target="3.4"><small><a class="small" href="#3.4">3.4.<
   group G2 users xdb,scott
 
   user tiger password $6$k6y3o.eP$JlKBx9za9667qe4(...)xHSwRv6J.C0/D7cV91
-  user scott insecure-password elgato
-  user xdb insecure-password hello
+  user scott insecure-password 'elgato'
+  user xdb insecure-password 'hello'
 
 userlist L2
   group G1
   group G2
 
   user tiger password $6$k6y3o.eP$JlKBx(...)xHSwRv6J.C0/D7cV91 groups G1
-  user scott insecure-password elgato groups G1,G2
-  user xdb insecure-password hello groups G2
+  user scott insecure-password 'elgato' groups G1,G2
+  user xdb insecure-password 'hello' groups G2
 </code></pre>
 </div><pre class="text">Please note that both lists are functionally identical.
 </pre></div>
@@ -15357,8 +15364,23 @@ <h2 id="chapter-4.2" data-target="4.2"><small><a class="small" href="#4.2">4.2.<
 desirable in these environments as well, to avoid redistributing the traffic
 after every other response.
 
-If this option has been enabled in a &quot;defaults&quot; section, it can be disabled
-in a specific instance by prepending the &quot;no&quot; keyword before it.
+It may be useful to precise here, which load balancing algorithms are
+considered deterministic. Deterministic algorithms will always select the same
+server for a given client data, assuming the set of available servers has not
+changed. In general, deterministic algorithms involve hasing or lookups on the
+incoming requests to choose the target server. However, this is not always the
+case; &quot;static-rr&quot;, for example, can be also considered as deterministic because
+the server choice is based on the server's static weight, making the selection
+predictable. &quot;sticky&quot; algorithm provides deterministic routing for the
+returning clients.
+
+As for non-deterministic algorithms, these algorithms select a server based on
+dynamic server state or simple rotation, so two consecutive requests are not
+guaranteed to land on the same server. option prefer-last-server is designed
+specifically for these. roundrobin, leastconn are examples of such algorithms.
+
+If this option has been enabled in a &quot;defaults&quot; section, it can be
+disabled in a specific instance by prepending the &quot;no&quot; keyword before it.
 </pre><div class="page-header"><b>See also:</b> &quot;<a href="#option%20http-keep-alive">option http-keep-alive</a>&quot;</div>
 <a class="anchor" name="option"></a><a class="anchor" name="4-option"></a><a class="anchor" name="4.2-option"></a><a class="anchor" name="option (Proxies)"></a><a class="anchor" name="option (Alphabetically sorted keywords reference)"></a><a class="anchor" name="option redispatch"></a><a class="anchor" name="4-option redispatch"></a><a class="anchor" name="4.2-option redispatch"></a><a class="anchor" name="option redispatch (Proxies)"></a><a class="anchor" name="option redispatch (Alphabetically sorted keywords reference)"></a><div class="keyword"><b><a class="anchor" name="option redispatch"></a><a href="#4.2-option%20redispatch">option redispatch</a></b></div><a class="anchor" name="option"></a><a class="anchor" name="4-option"></a><a class="anchor" name="4.2-option"></a><a class="anchor" name="option (Proxies)"></a><a class="anchor" name="option (Alphabetically sorted keywords reference)"></a><a class="anchor" name="option redispatch"></a><a class="anchor" name="4-option redispatch"></a><a class="anchor" name="4.2-option redispatch"></a><a class="anchor" name="option redispatch (Proxies)"></a><a class="anchor" name="option redispatch (Alphabetically sorted keywords reference)"></a><div class="keyword"><b><a class="anchor" name="option redispatch"></a><a href="#4.2-option%20redispatch">option redispatch</a></b> <span style="color: #080">&lt;interval&gt;</span></div><a class="anchor" name="no"></a><a class="anchor" name="4-no"></a><a class="anchor" name="4.2-no"></a><a class="anchor" name="no (Proxies)"></a><a class="anchor" name="no (Alphabetically sorted keywords reference)"></a><a class="anchor" name="no option"></a><a class="anchor" name="4-no option"></a><a class="anchor" name="4.2-no option"></a><a class="anchor" name="no option (Proxies)"></a><a class="anchor" name="no option (Alphabetically sorted keywords reference)"></a><a class="anchor" name="no option redispatch"></a><a class="anchor" name="4-no option redispatch"></a><a class="anchor" name="4.2-no option redispatch"></a><a class="anchor" name="no option redispatch (Proxies)"></a><a class="anchor" name="no option redispatch (Alphabetically sorted keywords reference)"></a><div class="keyword"><b><a class="anchor" name="no option redispatch"></a><a href="#4.2-no%20option%20redispatch">no option redispatch</a></b></div><pre class="text">Enable or disable session redistribution in case of connection failure
 
@@ -16715,9 +16737,9 @@ <h2 id="chapter-4.2" data-target="4.2"><small><a class="small" href="#4.2">4.2.<
 <code><span class="comment"># statistics admin level depends on the authenticated user</span>
 userlist stats-auth
     group admin    users admin
-    user  admin    insecure-password AdMiN123
+    user  admin    insecure-password 'AdMiN123'
     group readonly users haproxy
-    user  haproxy  insecure-password haproxy
+    user  haproxy  insecure-password 'haproxy'
 
 backend stats_auth
     stats enable
@@ -21344,9 +21366,16 @@ <h2 id="chapter-5.1" data-target="5.1"><small><a class="small" href="#5.1">5.1.<
 </pre><a class="anchor" name="prefer-client-ciphers"></a><a class="anchor" name="5-prefer-client-ciphers"></a><a class="anchor" name="5.1-prefer-client-ciphers"></a><a class="anchor" name="prefer-client-ciphers (Bind and server options)"></a><a class="anchor" name="prefer-client-ciphers (Bind options)"></a><div class="keyword"><b><a class="anchor" name="prefer-client-ciphers"></a><a href="#5.1-prefer-client-ciphers">prefer-client-ciphers</a></b></div><pre class="text">Use the client's preference when selecting the cipher suite, by default
 the server's preference is enforced. This option is also available on
 global statement &quot;<a href="#ssl-default-bind-options">ssl-default-bind-options</a>&quot;.
+
 Note that with OpenSSL &gt;= 1.1.1 ChaCha20-Poly1305 is reprioritized anyway
 (without setting this option), if a ChaCha20-Poly1305 cipher is at the top of
 the client cipher list.
+
+When using a dual algorithms setup (RSA + ECDSA), the selection algorithm
+will chose between RSA and ECDSA and will always prioritize ECDSA. Once the
+right certificate is chosen, it will let the SSL library prioritize ciphers,
+curves etc. Meaning this option can't be used to prioritize an RSA
+certificate over an ECDSA one.
 </pre><a class="anchor" name="proto"></a><a class="anchor" name="5-proto"></a><a class="anchor" name="5.1-proto"></a><a class="anchor" name="proto (Bind and server options)"></a><a class="anchor" name="proto (Bind options)"></a><div class="keyword"><b><a class="anchor" name="proto"></a><a href="#5.1-proto">proto</a></b> <span style="color: #080">&lt;name&gt;</span></div><pre class="text">Forces the multiplexer's protocol to use for the incoming connections. It
 must be compatible with the mode of the frontend (TCP or HTTP). It must also
 be usable on the frontend side. The list of available protocols is reported
@@ -24450,11 +24479,14 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
 compiled with USE_OPENSSL.
 </pre><a class="anchor" name="jwt_verify"></a><a class="anchor" name="7-jwt_verify"></a><a class="anchor" name="7.3.1-jwt_verify"></a><a class="anchor" name="jwt_verify (Using ACLs and fetching samples)"></a><a class="anchor" name="jwt_verify (Converters)"></a><div class="keyword"><b><a class="anchor" name="jwt_verify"></a><a href="#7.3.1-jwt_verify">jwt_verify</a></b>(<span style="color: #080">&lt;alg&gt;</span>,<span style="color: #080">&lt;key&gt;</span>)</div><pre class="text">Performs a signature verification for the JSON Web Token (JWT) given in input
 by using the &lt;alg&gt; algorithm and the &lt;key&gt; parameter, which should either
-hold a secret or a path to a public certificate. Returns 1 in case of
-verification success, 0 in case of verification error and a strictly negative
-value for any other error. Because of all those non-null error return values,
-the result of this converter should never be converted to a boolean. See
-below for a full list of the possible return values.
+hold a secret or a path to a public key. The public key should either be in
+the PKCS#1 format (for RSA keys, starting with BEGIN RSA PUBLIC KEY) or SPKI
+format (Subject Public Key Info, starting with BEGIN PUBLIC KEY).
+Returns 1 in case of verification success, 0 in case of verification failure
+and a strictly negative value for any other error. Because of all those
+non-null error return values, the result of this converter should never be
+converted to a boolean. See below for a full list of the possible return
+values.
 
 For now, only JWS tokens using the Compact Serialization format can be
 processed (three dot-separated base64-url encoded strings). All the
@@ -24463,16 +24495,16 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
 
 If the used algorithm is of the HMAC family, &lt;key&gt; should be the secret used
 in the HMAC signature calculation. Otherwise, &lt;key&gt; should be the path to the
-public certificate that can be used to validate the token's signature. All
-the certificates that might be used to verify JWTs must be known during init
-in order to be added into a dedicated certificate cache so that no disk
-access is required during runtime. For this reason, any used certificate must
-be mentioned explicitly at least once in a jwt_verify call. Passing an
-intermediate variable as second parameter is then not advised.
+public key that can be used to validate the token's signature. All the public
+keys that might be used to verify JWTs must be known during init in order to
+be added into a dedicated cache so that no disk access is required during
+runtime. For this reason, any used public key must be mentioned explicitly at
+least once in a jwt_verify call. Passing an intermediate variable as second
+parameter is then not advised.
 
 This converter only verifies the signature of the token and does not perform
 a full JWT validation as specified in <a href="#7.2">section 7.2</a> of RFC7519. We do not
-ensure that the header and payload contents are fully valid JSON's once
+ensure that the header and payload contents are fully valid JSONs once
 decoded for instance, and no checks are performed regarding their respective
 contents.
 
@@ -24500,7 +24532,7 @@ <h3 id="chapter-7.3.1" data-target="7.3.1"><small><a class="small" href="#7.3.1"
 http-request set-var(txn.bearer) http_auth_bearer
 http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')
 http-request deny unless { var(txn.jwt_alg) -m str &quot;RS256&quot; }
-http-request deny unless { var(txn.bearer),jwt_verify(txn.jwt_alg,&quot;/path/to/crt.pem&quot;) 1 }
+http-request deny unless { var(txn.bearer),jwt_verify(txn.jwt_alg,&quot;/path/to/pubkey.pem&quot;) 1 }
 </code></pre>
 </div><a class="anchor" name="language"></a><a class="anchor" name="7-language"></a><a class="anchor" name="7.3.1-language"></a><a class="anchor" name="language (Using ACLs and fetching samples)"></a><a class="anchor" name="language (Converters)"></a><div class="keyword"><b><a class="anchor" name="language"></a><a href="#7.3.1-language">language</a></b>(<span style="color: #080">&lt;value&gt;</span><span style="color: #008">[,<span style="color: #080">&lt;default&gt;</span>]</span>)</div><pre class="text">Returns the value with the highest q-factor from a list as extracted from the
 &quot;accept-language&quot; header using &quot;<a href="#req.fhdr">req.fhdr</a>&quot;. Values with no q-factor have a
@@ -31786,7 +31818,7 @@ <h2 id="chapter-11.3" data-target="11.3"><small><a class="small" href="#11.3">11
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.1.8-17 &ndash; Configuration Manual<br>
+							HAProxy 3.1.8-85 &ndash; Configuration Manual<br>
 							<small>, 2025/06/02</small>
 						</div>
 					</div>

docs/3.1/intro.html

@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.1.8-17 - Starter Guide</title>
+		<title>HAProxy version 3.1.8-85 - Starter Guide</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -484,7 +484,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/06/17</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/08/26</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -495,7 +495,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Starter Guide</h2>
-							<p><strong>version 3.1.8-17</strong></p>
+							<p><strong>version 3.1.8-85</strong></p>
 							<p>
 								<br>
 
@@ -2515,7 +2515,7 @@ <h2 id="chapter-4.4" data-target="4.4"><small><a class="small" href="#4.4">4.4.<
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.1.8-17 &ndash; Starter Guide<br>
+							HAProxy 3.1.8-85 &ndash; Starter Guide<br>
 							<small>, </small>
 						</div>
 					</div>

docs/3.1/management.html

@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.1.8-17 - Management Guide</title>
+		<title>HAProxy version 3.1.8-85 - Management Guide</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -652,7 +652,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/06/17</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/08/26</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -663,7 +663,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Management Guide</h2>
-							<p><strong>version 3.1.8-17</strong></p>
+							<p><strong>version 3.1.8-85</strong></p>
 							<p>
 								<br>
 
@@ -1031,6 +1031,12 @@ <h1 id="chapter-summary" data-target="summary">Summary</h1>
   -c : only performs a check of the configuration files and exits before trying
     to bind. The exit status is zero if everything is OK, or non-zero if an
     error is encountered. Presence of warnings will be reported if any.
+    By default this option does not report a success message. Combined with
+    &quot;-V&quot; this will print the message &quot;Configuration file is valid&quot; upon
+    success.
+
+    Scripts must use the exit status to determine the success of the
+    command.
 
   -cc : evaluates a condition as used within a conditional block of the
     configuration. The exit status is zero if the condition is true, 1 if the
@@ -5405,7 +5411,7 @@ <h2 id="chapter-13.1" data-target="13.1"><small><a class="small" href="#13.1">13
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.1.8-17 &ndash; Management Guide<br>
+							HAProxy 3.1.8-85 &ndash; Management Guide<br>
 							<small>, </small>
 						</div>
 					</div>