Hi, HAProxy 3.2-dev12 was released on 2025/04/25. It added 44 new commits after version 3.2-dev11.

Lots of small things this time. A few bugs were fixed but a few were also discovered (less fun but that's the purpose of the feature freeze period).

For the noticeable changes:

  - the CLI's buffering rework could be done. It doesn't really offer new features at the moment (well, you can play tetris directly from the CLI but that's not the point), but it makes sure the infrastructure will be more flexible for advanced scripting. I've long been dreaming of interactive tools a-la "top" on the CLI, and it seems that this possibility is getting closer now. At least some stuff is now possible using Lua so that's great.

  - on the ACME front, the few previously envisioned syntax changes were merged ("account" -> "account-key", "uri" -> "directory"). The automated renewal scheduler now considers the advertised "Retry-After" in responses to avoid needlessly flooding the servers with requests.

  - a new global directive "dns-accept-family" takes a combination of 3 possible values, "ipv4", "ipv6" and "auto". It allows to forcefully disable IPv4 DNS resolutions or IPv6 DNS resolutions process-wide. This affects both servers and the do-resolve() action. The default is still "ipv4","ipv6" to match what has been done till now, but a few of us now think we should change it to "auto" which checks for IPv6 connectivity at boot time and uses that to decide whether or not to enable IPv6. There's obviously a caveat with that: systems where the network is not ready at boot could see their IPv6 resolution disabled. The way the code is done will permit adaptations consisting in periodically re-checking, which might be a nice solution as well. I'm interested in opinions on this. I tend to suspect that even in the current situation with a boot-time check, the solution can be much better than what has been the default over the years, creating trouble to users when IPv6-only addresses appear in the DNS. This would be a behavior change compared to 3.1 but I think it could be an acceptable one if we mention it in the release notes. Ah, I almost forgot, there's also a "-4" option on the command line to force v4-only resolutions. It can be useful for debugging, or even for reg-tests.

  - custom "content-length: 0" headers added by the config can now be passed to the recipient. Some non-compliant applications need this with 101 or 204 status responses for example. Previously they were trimmed on output as unnecessary. Now they're trimmed on input and permitted on output so that an add-header rule works.

  - a new "pause" action allows to delay processing of a request or response based on any criterion. It takes either a value or an expression. This could be used to enforce the respect of a Retry-After response for example, or just slow down some requests on a fragile or abused service. Previously it could only be hacked using tcp-request inspect-delay and tcp-request content rules, that was definitely no longer flexible enough.

  - the HTTP client now has an HTTPS log format for HTTPS requests, which will help detect certificate or SSL cipher issues.

  - a new directive "http-drop-request-trailers" allows to just drop trailers from requests or responses. This can be useful when it's known that a server might leak info there that's not necessary for example, or when a server known for being sensitive to contents there should not be exposed to a client sending them.

  - as usual, a few cleanups.

I was particularly enthusiastic until Christian reported a nasty bug proving that we're doing something wrong in thread groups (GitHub issue #2951). I suspect that we're sometimes incorrectly appropriating a file descriptor when a certain sequence happens. I just can't reproduce the syndrome (and believe me, I've been using thread groups a lot during all the development of the cpu-policy stuff).
If others think they've observed something similar (typically CPUs getting to 100%, CLI failing to respond at some point), and *ONLY* with thread-groups while it never happens without, then please share some context there. Please do not hijack that issue for problems that are different (e.g. problems that also happen without thread groups). This bug was present since at least 3.2-dev8, but I suspect it could even pre-date it and was just made easier to trigger by the addition of the cpu-policy keyword.

For me this bug is on the critical path to the release, as we can't afford to have broken thread groups at this point in time! Thus any extra help is welcome!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy

---
Complete changelog :

Amaury Denoyelle (4):
      BUG/MINOR: quic: do not crash on CRYPTO ncbuf alloc failure
      MINOR: h3: simplify h3_rcv_buf return path
      BUG/MINOR: mux-quic: fix possible infinite loop during decoding
      BUG/MINOR: mux-quic: do not decode if conn in error

Christopher Faulet (21):
      CLEANUP: Slightly reorder some proxy option flags to free slots
      MINOR: proxy: Add options to drop HTTP trailers during message forwarding
      MINOR: h1-htx: Skip C-L and T-E headers for 1xx and 204 messages during parsing
      MINOR: mux-h1: Keep custom "Content-Length: 0" header in 1xx and 204 messages
      MINOR: hlua/h1: Use http_parse_cont_len_header() to parse content-length value
      CLEANUP: h1: Remove now useless h1_parse_cont_len_header() function
      BUG/MEDIUM: mux-spop: Respect the negociated max-frame-size value to send frames
      MINOR: http-act: Add 'pause' action to temporarily suspend the message analysis
      BUG/MINOR: cli: Issue an error when too many args are passed for a command
      MINOR: cli: Use a full prompt command for bidir connections with workers
      MAJOR: cli: Refacor parsing and execution of pipelined commands
      MINOR: cli: Rename some CLI applet states to reflect recent refactoring
      CLEANUP: applet: Update st0/st1 comment in appctx structure
      BUG/MINOR: hlua: Fix I/O handler of lua CLI commands to not rely on the SC
      BUG/MINOR: ring: Fix I/O handler of "show event" command to not rely on the SC
      MINOR: cli/applet: Move appctx fields only used by the CLI in a private context
      MINOR: cache: Add a pointer on the cache in the cache applet context
      MINOR: hlua: Use the applet name in error messages for lua services
      MINOR: applet: Save the "use-service" rule in the stream to init a service applet
      CLEANUP: applet: Remove unsued rule pointer in appctx structure
      BUG/MEDIUM: cli: Handle applet shutdown when waiting for a command line

William Lallemand (8):
      MINOR: acme/cli: add the 'acme renew' command to the help message
      MINOR: httpclient: add an "https" log-format
      MEDIUM: acme: use a customized proxy
      MEDIUM: acme: rename "uri" into "directory"
      MEDIUM: acme: rename "account" into "account-key"
      MEDIUM: acme: use Retry-After value for retries
      MEDIUM: acme: reset the remaining retries
      MEDIUM: acme: better error/retry management of the challenge checks

Willy Tarreau (11):
      BUG/MINOR: proxy: always detach a proxy from the names tree on free()
      CLEANUP: proxy: detach the name node in proxy_free_common() instead
      MINOR: stick-table: use a separate lock label for updates
      BUG/MINOR: master/cli: properly trim the '@@' process name in error messages
      MEDIUM: resolvers: add global "dns-accept-family" directive
      MINOR: resolvers: add command-line argument -4 to force IPv4-only DNS
      MINOR: sock-inet: detect apparent IPv6 connectivity
      MINOR: resolvers: add "dns-accept-family auto" to rely on detected IPv6
      Revert "BUG/MINOR: master/cli: properly trim the '@@' process name in error messages"
      BUG/MINOR: master/cli: only parse the '@@' prefix on complete lines
      MINOR: resolvers: use the runtime IPv6 status instead of boot time one

---
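
The following configuration sketch is an added example, not part of the announcement and not taken from the HAProxy project; it shows where "dns-accept-family", the "pause" action and "http-drop-request-trailers" described above would sit in a 3.2 configuration. Section names, addresses, the resolver and the rate threshold are constructed for illustration, and the "option" keyword and the comma-separated family list are the forms assumed from the 3.2 configuration manual.

```haproxy
global
    # Process-wide DNS family filter for servers and do-resolve().
    # Announced default is both families ("ipv4,ipv6"); "auto" relies on
    # detected IPv6 connectivity, with the not-ready-network caveat above.
    dns-accept-family ipv4

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

resolvers dns_local                      # constructed resolver section
    nameserver ns1 192.0.2.53:53         # documentation address, placeholder

frontend fe_web
    bind :8080
    # Track the per-source HTTP request rate over a 10s window.
    stick-table type ipv6 size 100k expire 1m store http_req_rate(10s)
    http-request track-sc0 src
    # Delay, rather than reject, sources above an assumed threshold of
    # 50 requests per 10s. "pause" accepts a value (used here) or an expression.
    http-request pause 500ms if { sc_http_req_rate(0) gt 50 }
    default_backend be_app

backend be_app
    # Do not forward client-supplied trailers to a server that is
    # sensitive to their contents.
    option http-drop-request-trailers
    # The name is resolved at runtime, so only A records are accepted
    # because of the global dns-accept-family setting.
    server app1 app.example.internal:8080 resolvers dns_local init-addr none
```

Running `haproxy -c -f <file>` against a 3.2 build checks that the keywords are accepted before the configuration is deployed.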