Update docs for dev

HAProxy Community · HAProxy Community · commit a6af50942d27 · 2025-10-30T00:59:37.000Z
diff --git a/docs/dev/configuration.html b/docs/dev/configuration.html
@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.3-dev10-56 - Configuration Manual</title>
+		<title>HAProxy version 3.3-dev10-69 - Configuration Manual</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -3745,6 +3745,8 @@
 							
 							<a class="list-group-item" href="#ssl-mode-async">ssl-mode-async</a>
 							
+							<a class="list-group-item" href="#ssl-passphrase-cmd">ssl-passphrase-cmd</a>
+							
 							<a class="list-group-item" href="#ssl-propquery">ssl-propquery</a>
 							
 							<a class="list-group-item" href="#ssl-provider">ssl-provider</a>
@@ -3891,6 +3893,8 @@
 							
 							<a class="list-group-item" href="#ssl_fc_early_exporter_secret">ssl_fc_early_exporter_secret</a>
 							
+							<a class="list-group-item" href="#ssl_fc_early_rcvd">ssl_fc_early_rcvd</a>
+							
 							<a class="list-group-item" href="#ssl_fc_ecformats_bin">ssl_fc_ecformats_bin</a>
 							
 							<a class="list-group-item" href="#ssl_fc_eclist_bin">ssl_fc_eclist_bin</a>
@@ -4683,7 +4687,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/23</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/29</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -4694,7 +4698,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Configuration Manual</h2>
-							<p><strong>version 3.3-dev10-56</strong></p>
+							<p><strong>version 3.3-dev10-69</strong></p>
 							<p>
 								2025/10/18<br>
 								
@@ -8962,6 +8966,16 @@ <h2 id="chapter-3.1" data-target="3.1"><small><a class="small" href="#3.1">3.1.<
 Custom DH parameters may be generated by using the OpenSSL command
 &quot;openssl dhparam &lt;size&gt;&quot;, where size should be at least 2048, as 1024-bit DH
 parameters should not be considered secure anymore.
+</pre><a class="anchor" name="ssl-passphrase-cmd"></a><a class="anchor" name="3-ssl-passphrase-cmd"></a><a class="anchor" name="3.1-ssl-passphrase-cmd"></a><a class="anchor" name="ssl-passphrase-cmd (Global section)"></a><a class="anchor" name="ssl-passphrase-cmd (Process management and security)"></a><div class="keyword"><b><a class="anchor" name="ssl-passphrase-cmd"></a><a href="#3.1-ssl-passphrase-cmd">ssl-passphrase-cmd</a></b> <span style="color: #080">&lt;cmd&gt;</span> <span style="color: #080">&lt;args&gt;</span> ...</div><pre class="text">This settings is only available when support for OpenSSL was built in. It
+allows to define a full command line that will be called when an encrypted
+certificate is loaded during init. The command could be a script or any other
+program. It will be provided with the encrypted private key path as first
+parameter and the user-defined &quot;args&quot; parameters then and should dump the
+passphrase that allows to decode the encrypted private key on the standard
+output.
+For every new encrypted private key loaded during init, HAProxy will first
+try every other already known passphrase to decode the private key and will
+ultimately call the passphrase command again if none works.
 </pre><a class="anchor" name="ssl-propquery"></a><a class="anchor" name="3-ssl-propquery"></a><a class="anchor" name="3.1-ssl-propquery"></a><a class="anchor" name="ssl-propquery (Global section)"></a><a class="anchor" name="ssl-propquery (Process management and security)"></a><div class="keyword"><b><a class="anchor" name="ssl-propquery"></a><a href="#3.1-ssl-propquery">ssl-propquery</a></b> <span style="color: #080">&lt;query&gt;</span></div><pre class="text">This setting is only available when support for OpenSSL was built in and when
 OpenSSL's version is at least 3.0. It allows to define a default property
 string used when fetching algorithms in providers. It behave the same way as
@@ -23801,7 +23815,7 @@ <h2 id="chapter-7.1" data-target="7.1"><small><a class="small" href="#7.1">7.1.<
 that were not initially planned, or with sample fetch methods which return a
 string. The matching method also affects the way the patterns are parsed. So,
 it must not be used with sample fetches with a matching suffix (_beg, _end,
-_sub...). In addition, specifying several &quot;-m&quot; pattern matching methods is now
+_sub...). In addition, specifying several &quot;-m&quot; pattern matching methods is not
 allowed.
 
 The &quot;-n&quot; flag forbids the dns resolutions. It is used with the load of ip files.
@@ -28233,6 +28247,13 @@ <h3 id="chapter-7.3.4" data-target="7.3.4"><small><a class="small" href="#7.3.4"
 </pre><a class="anchor" name="ssl_fc_curve"></a><a class="anchor" name="7-ssl_fc_curve"></a><a class="anchor" name="7.3.4-ssl_fc_curve"></a><a class="anchor" name="ssl_fc_curve (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_curve (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_curve"></a><a href="#7.3.4-ssl_fc_curve">ssl_fc_curve</a></b> : string</div><pre class="text">Returns the name of the curve used in the key agreement when the incoming
 connection was made over an SSL/TLS transport layer. This requires
 OpenSSL &gt;= 3.0.0.
+</pre><a class="anchor" name="ssl_fc_early_rcvd"></a><a class="anchor" name="7-ssl_fc_early_rcvd"></a><a class="anchor" name="7.3.4-ssl_fc_early_rcvd"></a><a class="anchor" name="ssl_fc_early_rcvd (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_early_rcvd (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_early_rcvd"></a><a href="#7.3.4-ssl_fc_early_rcvd">ssl_fc_early_rcvd</a></b> : boolean</div><pre class="text">Returns true if early data were seen over that connection, regardless of the
+fact that the handshake has since completed. It has no practical use case for
+traffic processing, however it's about the only way to &quot;see&quot; that a client
+used 0-RTT to send early data, and is sometimes useful when debugging, since
+the only other alternatives are network traffic captures or logging the front
+connection's flags and matching them in the code. It may also be useful to
+get statistics on clients' capabilities. See also &quot;<a href="#ssl_fc_has_early">ssl_fc_has_early</a>&quot;.
 </pre><a class="anchor" name="ssl_fc_early_exporter_secret"></a><a class="anchor" name="7-ssl_fc_early_exporter_secret"></a><a class="anchor" name="7.3.4-ssl_fc_early_exporter_secret"></a><a class="anchor" name="ssl_fc_early_exporter_secret (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_early_exporter_secret (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_early_exporter_secret"></a><a href="#7.3.4-ssl_fc_early_exporter_secret">ssl_fc_early_exporter_secret</a></b> : string</div><pre class="text">Return the EARLY_EXPORTER_SECRET as an hexadecimal string for the
 front connection when the incoming connection was made over an TLS 1.3
 transport layer.
@@ -28325,9 +28346,10 @@ <h3 id="chapter-7.3.4" data-target="7.3.4"><small><a class="small" href="#7.3.4"
 certificate is not present in the current connection but may be retrieved
 from the cache or the ticket. So prefer &quot;<a href="#ssl_c_used">ssl_c_used</a>&quot; if you want to check if
 current SSL session uses a client certificate.
-</pre><a class="anchor" name="ssl_fc_has_early"></a><a class="anchor" name="7-ssl_fc_has_early"></a><a class="anchor" name="7.3.4-ssl_fc_has_early"></a><a class="anchor" name="ssl_fc_has_early (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_has_early (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_has_early"></a><a href="#7.3.4-ssl_fc_has_early">ssl_fc_has_early</a></b> : boolean</div><pre class="text">Returns true if early data were sent, and the handshake didn't happen yet. As
-it has security implications, it is useful to be able to refuse those, or
-wait until the handshake happened.
+</pre><a class="anchor" name="ssl_fc_has_early"></a><a class="anchor" name="7-ssl_fc_has_early"></a><a class="anchor" name="7.3.4-ssl_fc_has_early"></a><a class="anchor" name="ssl_fc_has_early (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_has_early (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_has_early"></a><a href="#7.3.4-ssl_fc_has_early">ssl_fc_has_early</a></b> : boolean</div><pre class="text">Returns true if early data were sent, and the handshake didn't complete yet.
+As it has security implications, it is useful to be able to refuse those, or
+wait until the handshake completes (via the &quot;<a href="#wait-for-handshake">wait-for-handshake</a>&quot; action). See
+also &quot;<a href="#ssl_fc_early_rcvd">ssl_fc_early_rcvd</a>&quot;.
 </pre><a class="anchor" name="ssl_fc_has_sni"></a><a class="anchor" name="7-ssl_fc_has_sni"></a><a class="anchor" name="7.3.4-ssl_fc_has_sni"></a><a class="anchor" name="ssl_fc_has_sni (Using ACLs and fetching samples)"></a><a class="anchor" name="ssl_fc_has_sni (Fetching samples at Layer 5)"></a><div class="keyword"><b><a class="anchor" name="ssl_fc_has_sni"></a><a href="#7.3.4-ssl_fc_has_sni">ssl_fc_has_sni</a></b> : boolean</div><pre class="text">This checks for the presence of a Server Name Indication TLS extension (SNI)
 in an incoming connection was made over an SSL/TLS transport layer. Returns
 true when the incoming connection presents a TLS SNI field. This requires
@@ -33641,7 +33663,7 @@ <h2 id="chapter-12.8" data-target="12.8"><small><a class="small" href="#12.8">12
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.3-dev10-56 &ndash; Configuration Manual<br>
+							HAProxy 3.3-dev10-69 &ndash; Configuration Manual<br>
 							<small>, 2025/10/18</small>
 						</div>
 					</div>
diff --git a/docs/dev/intro.html b/docs/dev/intro.html
@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.3-dev10-56 - Starter Guide</title>
+		<title>HAProxy version 3.3-dev10-69 - Starter Guide</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -484,7 +484,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/23</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/29</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -495,7 +495,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Starter Guide</h2>
-							<p><strong>version 3.3-dev10-56</strong></p>
+							<p><strong>version 3.3-dev10-69</strong></p>
 							<p>
 								<br>
 								
@@ -2515,7 +2515,7 @@ <h2 id="chapter-4.4" data-target="4.4"><small><a class="small" href="#4.4">4.4.<
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.3-dev10-56 &ndash; Starter Guide<br>
+							HAProxy 3.3-dev10-69 &ndash; Starter Guide<br>
 							<small>, </small>
 						</div>
 					</div>
diff --git a/docs/dev/management.html b/docs/dev/management.html
@@ -2,7 +2,7 @@
 <html lang="en">
 	<head>
 		<meta charset="utf-8" />
-		<title>HAProxy version 3.3-dev10-56 - Management Guide</title>
+		<title>HAProxy version 3.3-dev10-69 - Management Guide</title>
 		<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" />
 		<link href="https://raw.githubusercontent.com/thomaspark/bootswatch/v3.3.7/cerulean/bootstrap.min.css" rel="stylesheet" />
 		<link href="../css/page.css?0.4.2-15" rel="stylesheet" />
@@ -668,7 +668,7 @@
 					You can use <strong>left</strong> and <strong>right</strong> arrow keys to navigate between chapters.<br>
 				</p>
 				<p class="text-right">
-					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/23</b></small>
+					<small>Converted with <a href="https://github.com/cbonte/haproxy-dconv">haproxy-dconv</a> v<b>0.4.2-15</b> on <b>2025/10/29</b></small>
 				</p>
 			</div>
 			<!-- /.sidebar -->
@@ -679,7 +679,7 @@
 						<div class="text-center">
                             <h1><a href="http://www.haproxy.org/" title="HAProxy"><img src="../img/HAProxyCommunityEdition_60px.png?0.4.2-15" /></a></h1>
 							<h2>Management Guide</h2>
-							<p><strong>version 3.3-dev10-56</strong></p>
+							<p><strong>version 3.3-dev10-69</strong></p>
 							<p>
 								<br>
 								
@@ -5649,7 +5649,7 @@ <h2 id="chapter-13.1" data-target="13.1"><small><a class="small" href="#13.1">13
 						<br>
 						<hr>
 						<div class="text-right">
-							HAProxy 3.3-dev10-56 &ndash; Management Guide<br>
+							HAProxy 3.3-dev10-69 &ndash; Management Guide<br>
 							<small>, </small>
 						</div>
 					</div>
