Hi, HAProxy 2.6-dev5 was released on 2022/04/09. It added 120 new commits after version 2.6-dev4.
It's visible that we're progressively getting closer to the end of a development cycle: updates are arriving faster, and cleanups and small improvements are becoming more numerous. Aside from the usual bug fixes, this version brings:

  - a new converter, add_item(), developed by Nikola Sale, which eases the concatenation of values in headers by automatically prepending delimiters only when the previous value and the added value are not empty. It can typically cut in half the number of "set-var" rules in complex configs.

  - httpclient improvements and fixes: now the HTTP client can correctly buffer a request body and enable L7 retries to transparently deal with connection errors and torn down keep-alive connections. A final touch on automatic name resolution is currently being worked on to complete the whole thing.

  - QUIC updates: QUIC was deployed a week ago on https://haproxy.org/ and even if there's little HTTPS traffic there, it already helped identify minor issues, most of which were addressed. One of them limits the performance due to the way buffers are handled down the transmission chain, but this is currently being addressed. I was very pleased to see that it worked without trouble for 6.5 days, after which it was restarted for an update. Those interested in duplicating the experiment can read the latest news on haproxy.org where the main steps are explained. If there's some demand, maybe we could write a more detailed howto, but for now I'd rather see the experts spending their time on polishing the code ;-)

  - Opentracing updates: in 2.5 we had to disable the use of variables between the plugin and the haproxy core because the code was relying on an original misfeature of the variables, which was that they would never disappear after being created, and this misfeature was fixed in 2.5, breaking that part of Opentracing. Miroslav finally found the time to address this and rework it in an elegant way so that the module is fully functional again. It is technically possible to backport his work to 2.5 if there is some demand, but at this stage I prefer not to, until there's demand (i.e. some 2.4 users who are blocked on 2.4 only because of this). If you're using opentracing and are missing this in 2.5, please voice in. And similarly, if you're using it in 2.5 and would prefer this not to change, feel free to voice in as well.

  - the automatic frontend connection closing mechanism on reload that was brought into 2.5 caused some concern for some users, leading to an option to disable it. Now there's a new global setting, "close-spread-time", which can be used to indicate that the closure of idle connections should be randomly spread over that interval, so that reconnecting clients don't all rush at the same time on the new process. This applies both to passive close ("connection: close" on responses) and to active close of idle connections. For best efficiency, the interval should obviously be shorter than the one used in "hard-stop-after", if any. We'll also see how to extend the mechanism to allow never closing at all, as there's also some demand for this.

  - the "ca-file" SSL directive now supports a special "@system-ca" name that requests that the CAs provided by default by the operating system be used. This is convenient for outgoing connections to servers that use standard certificates issued by standard CAs. This way you know that you don't have to maintain your own copy of these CAs and that your system updates will bring you fresh new ones from time to time.

  - for those who have to produce or parse configs (typically ingress controllers, and the dataplane API), a new set of debug options on the boot command line was added, "-dK", to dump registered keywords per category (config, actions, CLI, samples, etc). This applies after the config loads, so that it's also possible to enumerate keywords brought by a Lua module. If there's no config, it will work by just running a config check on an empty file or /dev/null. The goal essentially is to compare outputs between versions to detect syntax changes. Note that many old keywords (those parsed by strcmp) are not listed.

Regarding what's left to be done before the release, as I mentioned above, host name resolution for the httpclient will be nice and seems within reach. There's still quite some QUIC work to be done (improved buffer management, improved traces, some reliability fixes, cleanups). There are some pending reworks of the relations between streams, connections and applets, to make them more straightforward and help avoid a number of bugs in the future, as well as to help fix issues. I'll recheck with Björn if we can finish the MPTCP patchset (it was almost finished for 2.5, but none of us had time to polish it), and we need to see with Christopher if we can unblock the stream creation on a different thread so that Maciej can optimize the thread usage on peers. There were a few tunables I wanted to add for H2, maybe they'll be added late in the cycle.

Aside from this, with Cyril and Tim we've been working on integrating the doc generation in the CI so that it's automated. That's why there's a new "docs" repository on the github account. No need to go there for now, that's not finished but we're working on it, and will announce the updated URLs once it looks complete.
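To see how the new directives fit together, here is a constructed configuration excerpt (added here, not from the announcement or the HAProxy project) using close-spread-time, ca-file @system-ca and the add_item() converter. The add_item() rules follow the form documented in the 2.6 configuration manual, add_item(<delim>[,<var>][,<suff>]); the variable, frontend, backend and host names are made up.

```haproxy
global
    # 2.6: on reload/soft-stop, spread the closing of idle connections over
    # 10s instead of closing them all at once, so reconnecting clients do not
    # stampede the new process. Keep it shorter than hard-stop-after, which
    # remains the absolute deadline for the old process.
    close-spread-time 10s
    hard-stop-after 30s

frontend fe_api
    bind :8080
    # Constructed tagging rules: each condition sets its own variable...
    http-request set-var(req.tag_geo) str(eu) if { src 10.0.0.0/8 }
    http-request set-var(req.tag_bot) str(bot) if { req.hdr(user-agent) -m sub -i bot }
    # ...and add_item() appends it to req.tags. The "," delimiter is only
    # emitted when req.tags is already non-empty and the variable exists, so
    # no rule needs to know whether it is the first to match and there is
    # never a stray leading or trailing delimiter to clean up afterwards.
    http-request set-var(req.tags) 'var(req.tags),add_item(",",req.tag_geo)'
    http-request set-var(req.tags) 'var(req.tags),add_item(",",req.tag_bot,"(ua)")'
    # e.g. a bot request from 10.0.0.0/8 yields "eu,bot(ua)"; a non-bot
    # request from elsewhere yields an empty header.
    http-request set-header X-Tags %[var(req.tags)]
    default_backend be_upstream

backend be_upstream
    # @system-ca: verify the upstream certificate against the operating
    # system's trust store instead of a CA bundle that has to be copied into
    # the HAProxy tree and refreshed by hand. "sni" supplies the hostname
    # that the certificate must match under "verify required".
    server up1 upstream.example.com:443 ssl verify required ca-file @system-ca sni str(upstream.example.com)
```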
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Aleksandar Lazic (1):
      DOC: remove double blanks in configuration.txt

Amaury Denoyelle (23):
      BUG/MEDIUM: quic: do not use qcs from quic_stream on ACK parsing
      MINOR: mux-quic: return qcs instance from qcc_get_qcs
      MINOR: mux-quic: reorganize qcs free
      MINOR: mux-quic: define release app-ops
      BUG/MINOR: h3: release resources on close
      BUG/MINOR: mux-quic: ensure to free all qcs on MUX release
      CLEANUP: quic: complete comment on qcs_try_to_consume
      MINOR: quic: implement stream descriptor for transport layer
      MEDIUM: quic: move transport fields from qcs to qc_conn_stream
      MEDIUM: mux-quic: remove qcs tree node
      BUG/MEDIUM: quic: ensure quic-conn survives to the MUX
      CLEANUP: quic: use static qualifer on quic_close
      CLEANUP: mux-quic: remove unused QC_CF_CC_RECV
      BUG/MINOR: fix memleak on quic-conn streams cleaning
      MINOR: mux-quic: factorize conn-stream attach
      MINOR: mux-quic: adjust timeout to accelerate closing
      MINOR: mux-quic: define is_active app-ops
      MINOR: mux-quic: centralize send operations in qc_send
      MEDIUM: mux-quic: report CO_FL_ERROR on send
      MEDIUM: mux-quic: report errors on conn-streams
      MEDIUM: quic: report closing state for the MUX
      CLEANUP: mux-quic: remove uneeded TODO in qc_detach
      BUG/MEDIUM: mux-quic: properly release conn-stream on detach

Christopher Faulet (11):
      BUG/MEDIUM: mux-fcgi: Properly handle return value of headers/trailers parsing
      BUG/MEDIUM: mux-h1: Properly detect full buffer cases during message parsing
      BUG/MINOR: log: Initialize the list element when allocating a new log server
      BUG/MINOR: fcgi-app: Don't add C-L header on response to HEAD requests
      BUG/MEDIUM: stats: Be sure to never set EOM flag on an empty HTX message
      BUG/MEDIUM: hlua: Don't set EOM flag on an empty HTX message in HTTP applet
      BUG/MEDIUM: promex: Be sure to never set EOM flag on an empty HTX message
      BUG/MEDIUM: mux-h1: Set outgoing message to DONE when payload length is reached
      BUG/MINOR: http_client: Don't add input data on an empty request buffer
      BUG/MEDIUM: http-conv: Fix url_enc() to not crush const samples
      BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid

Frédéric Lécaille (24):
      BUG/MEDIUM: quic: Possible crash in ha_quic_set_encryption_secrets()
      CLEANUP: quic: Remove all atomic operations on quic_conn struct
      CLEANUP: quic: Remove all atomic operations on packet number spaces
      MEDIUM: quic: Send ACK frames asap
      BUG/MINOR: quic: Missing probing packets when coalescing
      BUG/MINOR: quic: Discard Initial packet number space only one time
      MINOR: quic: Do not display any timer value from process_timer()
      BUG/MINOR: quic: Do not probe from an already probing packet number space
      BUG/MINOR: quic: Non duplicated frames upon fast retransmission
      BUG/MINOR: quic: Too much prepared retransmissions due to anti-amplification
      MINOR: quic: Useless call to SSL_CTX_set_default_verify_paths()
      MINOR: quic: Add traces about list of frames
      BUG/MINOR: h3: Missing wait event struct field initialization
      BUG/MINOR: quic: QUIC TLS secrets memory leak
      BUG/MINOR: quic: Missing ACK range deallocations
      BUG/MINOR: quic: Missing TX packet deallocations
      MINOR: quic: Add draining connection state.
      MINOR: quic: Add closing connection state
      BUG/MEDIUM: quic: Possible crash from quic_free_arngs()
      MINOR: quic_tls: Add reusable cipher contexts to QUIC TLS contexts
      MINOR: quic_tls: Stop hardcoding cipher IV lengths
      CLEANUP: quic: Do not set any cipher/group from ssl_quic_initial_ctx()
      MINOR: quic: Add short packet key phase bit values to traces
      MINOR: quic_tls: Make key update use of reusable cipher contexts

Ilya Shipitsin (1):
      CI: github actions: update OpenSSL to 3.0.2

Lukas Tribus (1):
      DOC: reflect H2 timeout changes

Miroslav Zagorac (16):
      BUG/MINOR: opentracing: setting the return value in function flt_ot_var_set()
      BUG/BUILD: opentracing: fixed OT_DEFINE variable setting
      EXAMPLES: opentracing: refined shell scripts for testing filter performance
      DOC: opentracing: corrected comments in function descriptions
      CLEANUP: opentracing: removed unused function flt_ot_var_unset()
      CLEANUP: opentracing: removed unused function flt_ot_var_get()
      Revert "MINOR: opentracing: change the scope of the variable 'ot.uuid' from 'sess' to 'txn'"
      MINOR: opentracing: only takes the variables lock on shared entries
      CLEANUP: opentracing: added flt_ot_smp_init() function
      CLEANUP: opentracing: added variable to store variable length
      MINOR: opentracing: improved normalization of context variable names
      DEBUG: opentracing: show return values of all functions in the debug output
      CLEANUP: opentracing: added FLT_OT_PARSE_INVALID_enum enum
      DEBUG: opentracing: display the contents of the err variable after setting
      MAJOR: opentracing: reenable usage of vars to transmit opentracing context
      Revert "BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time"

Nikola Sale (1):
      MINOR: sample: converter: Add add_item convertor

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl/cli: Remove empty lines from CLI output
      MEDIUM: global: Add a "close-spread-time" option to spread soft-stop on time window

William Lallemand (18):
      MEDIUM: httpclient/lua: be stricter with httpclient parameters
      MINOR: ssl: split the cert commit io handler
      MINOR: ssl: move the cert_exts and the CERT_TYPE enum
      MINOR: ssl: simplify the certificate extensions array
      MINOR: ssl: export ckch_inst_rebuild()
      MINOR: ssl: add "crt" in the cert_exts array
      MINOR: ssl/lua: CertCache.set() allows to update an SSL certificate file
      BUILD: ssl/lua: CacheCert needs OpenSSL
      DOC: lua: CertCache class documentation
      DOC: management: add missing dot in 9.4.1
      MEDIUM: ssl: allow loading of a directory with the ca-file directive
      BUG/MINOR: ssl: continue upon error when opening a directory w/ ca-file
      MINOR: ssl: ca-file @system-ca loads the system trusted CA
      DOC: configuration: add the ca-file changes
      BUG/MINOR: ssl: handle X509_get_default_cert_dir() returning NULL
      MINOR: httpclient: enable request buffering
      MEDIUM: httpclient: enable l7-retry
      BUG/MINOR: httpclient: end callback in applet release

Willy Tarreau (22):
      BUG/MINOR: samples: add missing context names for sample fetch functions
      MINOR: management: add some basic keyword dump infrastructure
      MINOR: config: add a function to dump all known config keywords
      MINOR: filters: extend flt_dump_kws() to dump to stdout
      MINOR: services: extend list_services() to dump to stdout
      MINOR: cli: add a new keyword dump function
      MINOR: acl: add a function to dump the list of known ACL keywords
      MINOR: samples: add a function to list register sample fetch keywords
      MINOR: sample: list registered sample converter functions
      MINOR: tools: add strordered() to check whether strings are ordered
      MINOR: action: add a function to dump the list of actions for a ruleset
      MINOR: config: alphanumerically sort config keywords output
      MINOR: sample: alphanumerically sort sample & conv keyword dumps
      MINOR: acl: alphanumerically sort the ACL dump
      MINOR: cli: alphanumerically sort the dump of supported commands
      MINOR: filters: alphabetically sort the list of filter names
      MINOR: services: alphabetically sort service names
      BUG/MINOR: cli/stream: fix "shutdown session" to iterate over all threads
      BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
      CLEANUP: hpack: be careful about integer promotion from uint8_t
      OPTIM: hpack: read 32 bits at once when possible.
      BUG/MINOR: quic: set the source not the destination address on accept()
---