Hi,

HAProxy 2.5-dev4 was released on 2021/08/17. It added 82 new commits
after version 2.5-dev3.

This version was expected to be emitted last week but was slightly
delayed so that it contains the final fixes for the H2 vulnerabilities
reported by Tim that were described in the previous message. They
affect Host name consistency with H2 backend servers when Host and
:authority differ or when garbage is placed in the ":scheme" or ":path"
headers, and one of them allows the H2 ":method" pseudo-header to be
abused to forge malformed HTTP/1 messages that some vulnerable servers
might possibly accept to parse (though we're not aware of any among the
usual mainstream ones).
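The syntax checks those fixes describe, written out as an added example in C (not HAProxy's own code): each function validates one pseudo-header against the RFC grammar before an HTTP/1 request line would be rebuilt from it, and h2_pick_host gives :authority precedence over Host. Accepting "*" as a path for any method, rather than only for OPTIONS, is a simplification of this example.

```c
/* Added example, not HAProxy code: the pseudo-header syntax checks the
 * 2.5-dev4 H2 fixes describe, applied before an HTTP/1 request line is
 * rebuilt from a decoded HEADERS frame (RFC 3986 scheme, RFC 7230 token). */
#include <ctype.h>
#include <string.h>

/* :scheme must match ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). */
int h2_valid_scheme(const char *s)
{
    if (!s || !isalpha((unsigned char)*s))
        return 0;
    for (s++; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("+-.", *s))
            return 0;
    return 1;
}

/* :path must be origin-form (leading '/') or the asterisk-form "*", with no
 * whitespace or control bytes that could end or split the request line. */
int h2_valid_path(const char *p)
{
    if (!p || !*p || (*p != '/' && strcmp(p, "*") != 0))
        return 0;
    for (; *p; p++)
        if ((unsigned char)*p <= 0x20 || (unsigned char)*p == 0x7f)
            return 0;
    return 1;
}

/* :method must be a non-empty RFC 7230 token: no SP, CR, LF or separators. */
int h2_valid_method(const char *m)
{
    if (!m || !*m)
        return 0;
    for (; *m; m++)
        if (!isalnum((unsigned char)*m) && !strchr("!#$%&'*+-.^_`|~", *m))
            return 0;
    return 1;
}

/* Host for the backend request: :authority wins, Host is only a fallback. */
const char *h2_pick_host(const char *authority, const char *host)
{
    if (authority && *authority)
        return authority;
    return (host && *host) ? host : NULL;
}
```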

In addition, this version contains a number of improvements:

  - Filter support was added to Lua. It is now possible to write Lua
    scripts to filter HTTP or TCP sessions. For now, this feature is
    highly experimental and must not be used in production, as the API
    might still change a little (see lua-api/index.rst for the
    details). The API of the Channel class was revisited and an
    HTTPMessage class was added to help write filters. It comes with
    some limitations. First, it is not possible to yield inside a
    filter callback, and it is not clear yet whether this limitation
    will ever be lifted. Second, most functions exposed by the Channel
    class are forbidden when an HTTP message is filtered. Finally, only
    a few filter callbacks are supported for now: start_analyze,
    end_analyze, http_headers, http_payload, http_end and tcp_payload.
    This feature was not heavily tested, so if you try it, you will most
    probably encounter several bugs. Be gentle, but don't hesitate to
    report them, and feel free to criticize the API. This is the first
    stage of this feature, and input and feedback will help us improve
    it.

  - health checks and agent checks can now be enabled on dynamically
    added servers. Out of my head, I think it was the last missing
    feature to get fully functional hot addition/removal of servers,
    so testers are really welcome!

  - the enable/disable health/agent CLI commands that were mistakenly
    marked as deprecated while cleaning up the CLI help have been fixed,
    as they are not deprecated.

  - the stats page now always continues to list stopped proxies during
    reloads, and only skips the internal ones (there was no such notion
    of internal proxies in the past, forcing us to resort to some tricks
    to avoid listing, for example, the ones used by the master CLI).
    This means that it is finally possible to collect the last stats of
    a stopping process.

And 25 bugs were fixed, mostly on dynamic servers, Lua, and of course, H2.

Given that 2.5 is focused on technical improvements, I'm fine with merging
patches reasonably late in the release cycle, so let's fix a freeze of
important code submissions on September 15th, which should allow one or two
round trips before the 30th, after which anything too sensitive should be
postponed to -next, and the focus will move towards fixing (or reverting)
what was already merged, and cleaning it up. This should leave us with
about one month for this and will allow us to release between late October
and early November just like we did for 2.3.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (24):
      BUG/MINOR: server: fix race on error path of 'add server' CLI if track
      BUG/MINOR: server: remove srv from px list on CLI 'add server' error
      MINOR: server: unmark deprecated on enable health/agent cli
      MEDIUM: task: implement tasklet kill
      MINOR: server: initialize fields for dynamic server check
      MINOR: check: allocate default check ruleset for every backends
      MINOR: check: export check init functions
      MINOR: check: do not increment global maxsock at runtime
      MINOR: server: implement a refcount for dynamic servers
      MEDIUM: check: implement check deletion for dynamic servers
      MINOR: check: enable safe keywords for dynamic servers
      MEDIUM: server: implement check for dynamic servers
      MEDIUM: server: implement agent check for dynamic servers
      REGTESTS: server: add dynamic check server test
      MINOR: doc: specify ulimit-n usage for dynamic servers
      REGTESTS: server: fix dynamic server with checks test
      BUG/MINOR: check: test if server is not null in purge
      MINOR: global: define MODE_STOPPING
      BUG/MINOR: server: do not use refcount in free_server in stopping mode
      BUG/MINOR: check: do not reset check flags on purge
      BUG/MINOR: check: fix leak on add dynamic server with agent-check error
      BUG/MEDIUM: check: fix leak on agent-check purge
      BUG/MEDIUM: server: support both check/agent-check on a dynamic instance
      REGTESTS: add a test to prevent h2 desync attacks

Christopher Faulet (27):
      MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
      BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
      BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
      BUG/MINOR: tcpcheck: Properly detect pending HTTP data in output buffer
      BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
      MINOR: lua: Add a flag on lua context to know the yield capability at run time
      BUG/MINOR: lua: Yield in channel functions only if lua context can yield
      BUG/MINOR: lua: Don't yield in channel.append() and channel.set()
      MINOR: filters/lua: Release filters before the lua context
      MINOR: lua: Add a function to get a reference on a table in the stack
      MEDIUM: lua: Process buffer data using an offset and a length
      MEDIUM: lua: Improve/revisit the lua api to manipulate channels
      DOC: Improve the lua documentation
      MEDIUM: filters/lua: Add support for dummy filters written in lua
      MINOR: lua: Add a function to get a filter attached to a channel class
      MINOR: lua: Add flags on the lua TXN to know the execution context
      MEDIUM: filters/lua: Be prepared to filter TCP payloads
      MEDIUM: filters/lua: Support declaration of some filter callback functions in lua
      MEDIUM: filters/lua: Add HTTPMessage class to help HTTP filtering
      MINOR: filters/lua: Add request and response HTTP messages in the lua TXN
      MINOR: filters/lua: Support the HTTP filtering from filters written in lua
      DOC: config: Fix 'http-response send-spoe-group' documentation
      BUG/MINOR: lua: Properly check negative offset in Channel/HttpMessage functions
      BUG/MINOR: lua: Properly catch alloc errors when parsing lua filter directives
      BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
      BUG/MINOR: lua/filters: Return right code when txn:done() is called
      DOC: lua-api: Add documentation about lua filters

David Carlier (1):
      BUILD: tools: get the absolute path of the current binary on NetBSD.

Emeric Brun (1):
      BUG/MEDIUM: cfgcheck: verify existing log-forward listeners during config check

Ilya Shipitsin (3):
      CI: travis-ci: temporarily disable arm64 builds
      CLEANUP: assorted typo fixes in the code and comments
      CI: github actions: relax OpenSSL-3.0.0 version comparision

Jonathon Lacher (1):
      DOC/MINOR: fix typo in management document

Kunal Gangakhedkar (1):
      DOC: Minor typo fix - 'question mark' -> 'exclamation mark'

Tim Duesterhus (1):
      CI: Remove obsolete USE_SLZ=1 CI job

William Lallemand (8):
      MINOR: log: rename 'dontloglegacyconnerr' to 'log-error-via-logformat'
      MINOR: doc: rename conn_status in `option httsplog`
      MINOR: proxy: disabled takes a stopping and a disabled state
      MINOR: stats: shows proxy in a stopped state
      BUG/MINOR: buffer: fix buffer_dump() formatting
      MINOR: channel: remove an htx block from a channel
      MINOR: cli: delare the CLI frontend as an internal proxy
      MINOR: proxy: disable warnings for internal proxies

Willy Tarreau (15):
      CLEANUP: thread: fix fantaisist indentation of thread_harmless_till_end()
      MINOR: threads: make thread_release() not wait for other ones to complete
      MEDIUM: threads: add a stronger thread_isolate_full() call
      MEDIUM: servers: make the server deletion code run under full thread isolation
      MINOR: activity/fd: remove the dead_fd counter
      MAJOR: fd: get rid of the DWCAS when setting the running_mask
      CLEANUP: fd: remove the now unused fd_set_running()
      CLEANUP: fd: remove the now unneeded fd_mig_lock
      BUG/MINOR: server: update last_change on maint->ready transitions too
      ADMIN: dyncookie: implement a simple dynamic cookie calculator
      MINOR: http: add a new function http_validate_scheme() to validate a scheme
      BUG/MAJOR: h2: verify early that non-http/https schemes match the valid syntax
      BUG/MAJOR: h2: verify that :path starts with a '/' before concatenating it
      BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
      BUG/MEDIUM: h2: give :authority precedence over Host
