haproxytech · oktalz · Feb 19, 2026 · Feb 10, 2026
diff --git a/.aspell.yml b/.aspell.yml
@@ -59,16 +59,19 @@ allowed:
   - reconciler
   - releaser
   - repo
+  - req
   - resync
   - runtime
   - slogger
   - ssl
+  - sslv
   - sudo
   - symlink
   - taskfile
   - testenv
   - tcp
   - tls
+  - tlsv
   - ubuntu
   - unix
   - usr

diff --git a/fs/usr/local/hug/haproxy.cfg b/fs/usr/local/hug/haproxy.cfg
@@ -25,7 +25,7 @@ global
   pidfile /var/run/haproxy.pid
   stats socket /var/run/haproxy-runtime-api.sock level admin expose-fd listeners
   stats timeout 36000
-  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
+  ssl-default-bind-options ssl-min-ver TLSv1.1 no-tls-tickets
   ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES
   hard-stop-after 1800000
   log stdout format raw daemon

diff --git a/k8s/gate/haproxy/frontends.go b/k8s/gate/haproxy/frontends.go
@@ -250,40 +250,40 @@ func (b *HaproxyConfMgrImpl) newFrontend(params newFrontendParams) (*models.Fron
 	switch {
 	case listener.TLS != nil && utils.PointerDefaultValueIfNil(listener.TLS.Mode) == gatewayv1.TLSModePassthrough:
 		tcpRules = []*models.TCPRequestRule{
-			{ // tcp-request content reject if !{ req_ssl_hello_type 1 }
+			{ // tcp-request content reject if !{ req.ssl_hello_type 1 }
 				Type:     "content",
 				Action:   "reject",
 				Cond:     "if",
-				CondTest: "!{ req_ssl_hello_type 1 }",
+				CondTest: "!{ req.ssl_hello_type 1 }",
 			},
 			{
 				// tcp-request inspect-delay 50000
 				Type:    "inspect-delay",
 				Timeout: utils.PtrInt64(50000),
 			},
 			{
-				// tcp-request content set-var(sess.sni) req_ssl_sni
+				// tcp-request content set-var(sess.sni) req.ssl_sni
 				Type:     "content",
 				Action:   "set-var",
 				VarName:  "sni",
 				VarScope: "sess",
-				Expr:     "req_ssl_sni",
+				Expr:     "req.ssl_sni",
 			},
 			{
-				// tcp-request content set-var(txn.sni_match) req_ssl_sni,map(sni.map)
+				// tcp-request content set-var(txn.sni_match) req.ssl_sni,map(sni.map)
 				Type:     "content",
 				Action:   "set-var",
 				VarName:  "sni_match",
 				VarScope: "txn",
-				Expr:     "req_ssl_sni,map(" + sniMap.FullPath() + ")",
+				Expr:     "req.ssl_sni,map(" + sniMap.FullPath() + ")",
 			},
 			{
-				// tcp-request content set-var(txn.sni_match,ifnotexists) req_ssl_sni,map_end(sniDomainWildcardMap.map)
+				// tcp-request content set-var(txn.sni_match,ifnotexists) req.ssl_sni,map_end(sniDomainWildcardMap.map)
 				Type:     "content",
 				Action:   "set-var",
 				VarName:  "sni_match,ifnotexists",
 				VarScope: "txn",
-				Expr:     "req_ssl_sni,map_end(" + sniDomainWildcardMap.FullPath() + ")",
+				Expr:     "req.ssl_sni,map_end(" + sniDomainWildcardMap.FullPath() + ")",
 			},
 		}
 		backendSwitchingRules = []*models.BackendSwitchingRule{
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,16 +59,19 @@ allowed: @@
       - reconciler
       - releaser
       - repo
+      - req
       - resync
       - runtime
       - slogger
       - ssl
+      - sslv
       - sudo
       - symlink
       - taskfile
       - testenv
       - tcp
       - tls
+      - tlsv
       - ubuntu
       - unix
       - usr
@@ Expand Down @@