Chainguard Image now available for HAProxy

Today, we’re excited to announce a Chainguard Image for HAProxy. If you’ve ever used the internet, you’ve almost definitely used HAProxy. In fact, you’re probably using HAProxy right now without even knowing it. HAProxy is almost ubiquitous at the edge of cloud, internet, and public facing web services. It’s commonly used for load balancing and SSL termination, making it one of the most security critical deployments on the internet today.

‍

In fact, HAProxy works so well and is so easy to use that it’s easy to forget about. While this is great from an infrastructure and cost perspective, it can be problematic for security, since HAProxy still needs to be regularly patched and updated. Thankfully, the Chainguard Image for HAProxy is built on Wolfi, our secure-by-default Linux (un)distristribution. This means it’s lighter-weight (up to 90% smaller than some of the alternatives), has fewer CVEs (aiming for zero-known CVEs), and is built with our hardened toolchain, making it as memory-safe as possible.

‍

By the numbers:

% docker images --format "{{.Repository}}:{{.Tag}} {{.Size}}"
cgr.dev/chainguard/haproxy:latest 16.2MB
bitnami/haproxy:latest 117MB
haproxy:latest 96.6MB
haproxy:alpine 23.6MB

You can see that the Chainguard Image is only 16.2MB, 25% smaller than the closest alternative and 90% smaller than some of the others!

‍

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/haproxy
% cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/haproxy | head -n 50
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation ' or verify its signature.
Found SBOM of media type: spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:2c99ad16b2cc74fd01940070fa41a8a13123ae30f86500785eebbd8c9813baf3",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-01-21T00:10:13Z",
    "creators": [
      "Tool: apko (canary)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-9dc541bb8ec6736cb312efcdbb2a2a9a5b2837ed90dad1446ac98b7f33f8dd7e"
  ],
  "files": [
    {
      "SPDXID": "SPDXRef-File-/usr/lib/locale/C.utf8/LC_ADDRESS",
      "fileName": "/usr/lib/locale/C.utf8/LC_ADDRESS",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "12d0e0600557e0dcb3c64e56894b81230e2eaa72"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "26e2800affab801cb36d4ff9625a95c3abceeda2b6553a7aecd0cfcf34c98099"
        },
        {
          "algorithm": "SHA512",
          "checksumValue": "d38b225e8204e1e85e6c631481f46d0b8fca8cf8d8dfc290f00adb15b605959f91f0d55dc830fdd82c22f916140090928e44f1b5123facac135705cc81df00b0"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-File-/usr/lib/locale/C.utf8/LC_COLLATE",
      "fileName": "/usr/lib/locale/C.utf8/LC_COLLATE",
      "licenseConcluded": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "f245e3207984879d0b736c9aa42f4268e27221b9"
        },
        {
          "algorithm": "SHA256",
          "checksumValue": "47a5f5359a8f324abc39d69a7f6241a2ac0e2fbbeae5b9c3a756e682b75d087b"
        },

If you want to see upwards of an 90% reduction in your HAProxy Image sizes with more security built in by default start using Chainguard’s HAProxy Image today at github.com/chainguard-images, or get started with our HAProxy Image using documentation in Chainguard Academy. Chainguard Images are now available for kubectl, Python, Redis, Bazel, curl, Git, Go, Jenkins, Postgres, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

‍

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

‍

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.