Ferron 3.0.0-beta.2 released

Today, we’re releasing Ferron 3.0.0-beta.2, the second beta release of Ferron 3.

This release focuses on four major areas:

  • Better production troubleshooting and observability
  • More resilient reverse proxying and load balancing
  • Stronger security defaults
  • Numerous reliability fixes discovered through real-world testing

While beta.1 established the foundations of Ferron 3, beta.2 significantly expands its operational capabilities and moves the project closer to a production-ready stable release.

Breaking changes first

Before diving into what’s new, a quick heads-up: beta.2 includes several breaking configuration changes. If you’re upgrading from beta.1, review these before updating your configuration:

  • Incoming trace context discarded by default - Ferron no longer trusts incoming traceparent, tracestate, or baggage headers unless trust_request true is explicitly set in the trace block. Previously, incoming trace context was always parsed and used as the parent span. To restore the old behavior, add trust_request true to your http { trace { ... } } block.
  • Rate limit windows - syntax updated to enforce standard duration strings (e.g., 10s, 5m, 1h). Bare numeric values are no longer accepted.
  • OTLP verification - no_verify has been renamed to no_verification and now operates strictly as a configuration flag.
  • OTLP defaults - the OTLP sink now defaults to log_style modern, which may break existing configurations with custom OTLP log formats.
  • Proxy configuration - syntax for passive/active health checks, load balancing algorithms, and connection retries has been unified into a cleaner, more consistent format.

Debug production without guessing

One of the primary goals of Ferron 3 is to make production troubleshooting easier.

During development and observability testing, we repeatedly found that the hardest production problems are rarely caused by a lack of logs or metrics. They are caused by the inability to connect the dots between them.

Beta.2 introduces major improvements to observability and signal correlation:

  • Request and access logs now automatically include request span context when exported through OTLP.
  • HTTP tracing has been unified into a single ferron.request root span with nested child spans.
  • Trace IDs can now be injected into HTTP responses using the new http-traceid module.
  • Trace IDs are also included in console and file logs, making it possible to filter logs using simple tools such as grep.
  • Structured OpenTelemetry-friendly log events are now available through the new log_style modern mode.
  • Baggage promotion allows selected W3C Baggage values to become telemetry attributes across logs, traces, and metrics.
  • OTLP exporters now emit their own diagnostic logs when export failures occur.

The result is a significantly easier troubleshooting workflow: find a trace ID, jump to the corresponding trace, inspect related logs, and correlate behavior with metrics without manually stitching together unrelated systems.

A stronger reverse proxy

Ferron’s reverse proxy gained some of its biggest upgrades so far.

Circuit breakers

Beta.2 introduces native circuit breakers with rolling failure windows, temporary backend ejection, and half-open recovery states.

Instead of continuously sending traffic to unhealthy backends, Ferron can now automatically isolate failing instances and gradually reintroduce them once they recover.
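The state machine described above (rolling failure window, temporary ejection, half-open recovery) can be sketched as follows. This is an added example, not Ferron's own code; the class name and the threshold, window and eject_for parameters are hypothetical and do not correspond to Ferron directives.

```python
from collections import deque


class CircuitBreaker:
    """Per-backend breaker: closed -> open (ejected) -> half_open -> closed."""

    def __init__(self, threshold=3, window=10.0, eject_for=30.0):
        # Hypothetical parameters, not Ferron directive names.
        self.threshold = threshold    # failures within `window` that trip it
        self.window = window          # rolling window length, seconds
        self.eject_for = eject_for    # how long the backend stays ejected
        self.state = "closed"
        self.failures = deque()       # timestamps of recent failures
        self.opened_at = None
        self.probing = False          # a half-open trial request is in flight

    def allow(self, now):
        """May a request be sent to this backend at time `now`?"""
        if self.state == "open":
            if now - self.opened_at < self.eject_for:
                return False
            self.state, self.probing = "half_open", False
        if self.state == "half_open":
            if self.probing:
                return False          # only one trial request at a time
            self.probing = True
        return True

    def record(self, ok, now):
        """Report the outcome of a request that allow() admitted."""
        if self.state == "open":
            return                    # late result from before the ejection
        if self.state == "half_open":
            self.probing = False
            if ok:
                self.state = "closed"
                self.failures.clear()
            else:
                self.state, self.opened_at = "open", now
            return
        if ok:
            return
        self.failures.append(now)
        while now - self.failures[0] > self.window:
            self.failures.popleft()   # drop failures older than the window
        if len(self.failures) >= self.threshold:
            self.state, self.opened_at = "open", now
```

Timestamps are passed in explicitly so the breaker can be driven by a constructed timeline; a failed trial request in the half-open state restarts the ejection period rather than closing the breaker.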

Adaptive load balancing

A new p2c_ewma load balancing algorithm combines Power-of-Two-Choices routing with latency-aware EWMA scoring.

Rather than distributing requests blindly, Ferron can favor faster and healthier backends while still maintaining balanced traffic distribution.
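A small simulation of the idea behind p2c_ewma, as an added example rather than Ferron's own code: two backends are sampled at random and the one with the lower latency score receives the request. The Backend class, the smoothing factor, the in-flight weighting and the backend latencies are all assumptions of this sketch.

```python
import random


class Backend:
    def __init__(self, name):
        self.name = name
        self.ewma_ms = None   # no latency sample yet
        self.inflight = 0

    def observe(self, latency_ms, alpha=0.3):
        """Fold one response latency into the moving average."""
        if self.ewma_ms is None:
            self.ewma_ms = latency_ms
        else:
            self.ewma_ms = alpha * latency_ms + (1 - alpha) * self.ewma_ms

    def score(self):
        # Lower is better. Weighting by in-flight requests is an assumption
        # of this sketch; unsampled backends score 0 so they get tried.
        return (self.ewma_ms or 0.0) * (self.inflight + 1)


def pick(backends, rng):
    """Power of Two Choices: sample two distinct backends, keep the better."""
    if len(backends) == 1:
        return backends[0]
    a, b = rng.sample(backends, 2)
    return a if a.score() <= b.score() else b


def simulate(latencies_ms, requests=300, seed=1):
    """Replay `requests` sequential requests against constructed latencies."""
    rng = random.Random(seed)
    backends = [Backend(name) for name in latencies_ms]
    counts = dict.fromkeys(latencies_ms, 0)
    for _ in range(requests):
        chosen = pick(backends, rng)
        chosen.inflight += 1
        chosen.observe(latencies_ms[chosen.name])
        chosen.inflight -= 1
        counts[chosen.name] += 1
    return counts
```

With constructed latencies such as {"a": 10, "b": 10, "slow": 200}, the slow backend is tried once to obtain a sample and then loses every comparison, while the two fast backends split the remaining traffic.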

Sticky sessions

Session affinity is now available using:

  • Cookies
  • Headers
  • Client IPs
  • Consistent hashing

Ferron uses a Ketama-style hash ring for deterministic backend selection, helping applications that require stable routing behavior.

Outbound mTLS

Reverse proxy upstreams can now present client certificates when connecting to HTTPS backends.

This enables secure service-to-service communication in environments where mutual TLS is required.

Security-first defaults

Several changes in beta.2 tighten Ferron’s security posture.

The most notable change is the new default behavior for distributed tracing (see the breaking changes section above).
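The trust decision behind that default can be modelled as below. This is an added example, not Ferron's implementation: parse_traceparent and start_root_span are hypothetical helpers, the header values are constructed, and only the trust_request flag name comes from the release notes.

```python
import re
import secrets

# W3C Trace Context version 00: version-traceid-parentid-flags, lowercase hex.
TRACEPARENT_RE = re.compile(r"00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})")


def parse_traceparent(value):
    """Return (trace_id, parent_span_id, sampled), or None if malformed."""
    match = TRACEPARENT_RE.fullmatch(value.strip())
    if match is None:
        return None
    trace_id, parent_id, flags = match.groups()
    # The specification treats all-zero IDs as invalid.
    if trace_id == "0" * 32 or parent_id == "0" * 16:
        return None
    return trace_id, parent_id, bool(int(flags, 16) & 0x01)


def start_root_span(headers, trust_request=False):
    """Model the parent-context decision for one request (hypothetical helper).

    `headers` maps lowercase header names to values. With trust_request False,
    traceparent, tracestate and baggage are ignored, so the client cannot
    choose the trace ID, set the sampled flag, or inject baggage values.
    """
    parent = None
    tracestate = baggage = ""
    if trust_request:
        parent = parse_traceparent(headers.get("traceparent", ""))
        if parent is not None:
            # tracestate is only meaningful alongside a valid traceparent.
            tracestate = headers.get("tracestate", "")
        baggage = headers.get("baggage", "")
    if parent is None:
        # New trace: locally generated ID, no remote parent.
        return {"trace_id": secrets.token_hex(16), "parent_span_id": None,
                "remote_sampled": None, "tracestate": "", "baggage": baggage}
    trace_id, parent_id, sampled = parent
    return {"trace_id": trace_id, "parent_span_id": parent_id,
            "remote_sampled": sampled, "tracestate": tracestate,
            "baggage": baggage}


# Constructed request headers, as an untrusted client might send them.
SAMPLE = {
    "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
    "baggage": "tenant=acme",
}
```

Enabling trust_request is appropriate only where the immediate peer is a component you operate, since every value in these headers is otherwise chosen by the client.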

Additional security improvements include:

  • DNS rebinding protections for forward proxy mode
  • Log injection protections for text logs
  • Automatic removal of sensitive headers from access logs
  • Stricter URL canonicalization that rejects null-byte paths
  • Fixes for authentication bypass scenarios
  • Improved handling of proxy access controls

Native abuse protection

Beta.2 introduces a new module:

http-abuseban

This provides lightweight, native Fail2ban-style protection directly inside Ferron.

The module can temporarily ban clients based on repeated rate-limit violations or authentication failures, helping mitigate brute-force attacks without relying on external tooling.

Observability expands beyond traces

Observability coverage has expanded substantially throughout the platform.

Ferron now exposes:

  • Circuit breaker state metrics
  • Retry metrics
  • Connection pool metrics
  • Backend exclusion metrics
  • Health check metrics
  • Connect latency metrics
  • Time-to-first-byte metrics
  • Certificate expiration metrics
  • CGI, FastCGI, and SCGI metrics
  • Additional edge-case request outcome metrics

A significant amount of work also went into reducing cardinality risks and improving telemetry quality.

New baggage promotion controls include cardinality limits, and Prometheus label sanitization has been strengthened to prevent accidental metric explosion.

Better operational tooling

Configuration management received several improvements.

A new command:

ferron doctor

checks configurations for best-practice violations and operational risks.

Validation has also become more comprehensive:

  • Unused directives are detected
  • Unused subdirectives are detected
  • Cleaner diagnostics are produced
  • Successful validation now explicitly reports when no issues are found

For containerized deployments, Ferron’s Docker images now provide a cleaner split configuration layout and improved defaults for logging and observability.

Performance and reliability fixes

Some of the most valuable work in beta.2 happened behind the scenes.

During heavy testing, benchmarking, and chaos engineering exercises, numerous issues were identified and fixed, including:

  • Cache thundering herd scenarios
  • Connection pool limit enforcement issues
  • HTTP timeout handling bugs
  • TLS certificate resolution edge cases
  • OCSP stapling edge cases
  • Rate-limiting race conditions
  • Configuration reload loops
  • Various HTTP protocol handling issues
  • Windows networking bugs
  • Stale cache edge cases

Ferron also benefits from fixes delivered through its underlying networking and HTTP libraries, including corrections for protocol-level issues and denial-of-service vulnerabilities.

More TLS and DNS automation

Automatic TLS capabilities continue to expand.

Highlights include:

  • Support for 58 additional DNS providers for ACME DNS-01 challenges
  • New tls-http provider for obtaining certificates from remote HTTP endpoints
  • Improved OCSP validation and caching
  • Better certificate-related diagnostics
  • Improved Docker defaults for ACME storage

Looking toward stable

Ferron 3 remains in beta, but beta.2 represents a substantial step forward.

The release improves the areas that matter most in production:

  • Reliability
  • Troubleshooting
  • Security
  • Observability
  • Reverse proxy functionality

Many of these improvements were driven by extensive testing, real-world deployment experiments, observability validation, and performance investigations conducted throughout the beta cycle.

As always, feedback, bug reports, and testing results are welcome.

Thank you to everyone following the project and helping shape Ferron 3.

Full changelog

The complete changelog for Ferron 3.0.0-beta.2 is available in the release notes.

Try it

Install Ferron 3 using the installer:

sudo bash -c "$(curl -fsSL https://get.ferron.sh/v3)"