Hi,

finally we managed to merge all the stuff! Haproxy 1.5-dev3 was released
with everything that went into 1.4.9, plus some added bonuses that were
mainly developed at Exceliance:

  - support for binding to UNIX socket on the accept side. Haproxy can
    now receive connections over a UNIX socket. This is particularly
    useful when combined with stunnel (we also have a patch for that
    in the 'patches' directory).

  - support for a new "PROXY" protocol that was designed to forward
    transport-level information between proxies. The idea is to permit a
    component like stunnel to inform haproxy about the protocol, source
    and destinations of an incoming connection, so that haproxy can make
    use of that everywhere internally (acls, logs, transparent, ...)
    instead of stunnel's address. The main advantage over the x-forwarded-for
    patch is that it now supports keep-alive and is not limited to HTTP
    anymore. When combined with the UNIX socket, it can make haproxy and
    stunnel integrate seamlessly and reliably. Obviously, we have a patch
    for stunnel ready too ;-)

  - tcp-response filtering : it's possible to wait for some ACLs to match in
    the response before forwarding (or blocking).

  - stick-table learning from responses. It's now possible to learn some
    patterns from responses and match them again in requests. Doing so
    allows haproxy to learn SSL IDs in order to offer SSL-based stickiness
    to SSL reverse-proxy farms.

  - stick-table synchronization : the stickiness information in stick-tables
    can now be synchronized over the network between as many other haproxies
    as you like in a multi-master fashion. Also, during soft-restarts, the
    new process learns the table from the old one so that restarts do not
    lose that precious information anymore. Designing this was quite tough
    work (Aleks might recall we started talking about such a protocol about
    6 years ago now), and is the second half of the large work co-sponsored
    by Exceliance[1] and LoadBalancer.org[2]. Now it's completely advisable
    to simply rely on source IP for some protocols such as RDP in certain
    environments, since restarts will not kill user connections.

For those interested in the last point, the protocol is very cheap over the
wire and is designed with a large window and ACKs, so that it can sync over
high latency networks and even recover from network outages. The sync is fast
enough so that even people using a round-robin L4 LB in front of two haproxies
should not experience any issues under moderate loads (thousands of new entries
per second).

A few typos, minor bugs and error reporting issues were fixed (including the
ones contributed by Cyril a few days ago).

Minor optimizations were performed in order to avoid a few useless operations
in process_session(). The acute observers may notice a tiny drop of CPU usage
(around 5% of user time) from previous versions.

Now you know where to get it :
   site index      : http://haproxy.1wt.eu/
   sources         : http://haproxy.1wt.eu/download/1.5/src/devel/
   changelog       : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
   stunnel patches : http://haproxy.1wt.eu/download/patches/

For the next versions, I'd really like to be able to concentrate on the core
to try to finish the end-to-end keep-alive support. After that there are
less intrusive changes to work on. I'm still hoping for a 1.5 release by
the beginning of next year.

Stay tuned,
Willy
--
[1] http://www.exceliance.fr/
[2] http://www.loadbalancer.org/
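
Added example, not part of the original announcement and not HAProxy or stunnel code: a strict receiver-side parser for the PROXY header described above, which also refuses the header from any peer that is not a known proxy, since the addresses it carries end up in ACLs and logs. The one-line text format ("PROXY TCP4|TCP6 src dst sport dport" ending in CRLF, at most 107 bytes) is taken from the published PROXY protocol specification rather than from this mail; the function names, the trusted-peer set and the sample bytes are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # longest v1 header line, CRLF included

class ProxyHeaderError(ValueError):
    pass

def parse_proxy_v1(buf):
    """Return (info, payload); info is None for 'PROXY UNKNOWN'."""
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the maximum header length")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    payload = buf[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, payload  # sender could not describe the connection
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad protocol or field count")
    want = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match protocol")
    ports = []
    for p in fields[4:6]:
        # Decimal only, no leading zeros, within the 16-bit port range
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ProxyHeaderError("bad port")
        ports.append(int(p))
    return {"src": (str(src), ports[0]), "dst": (str(dst), ports[1])}, payload

def client_address(peer_ip, buf, trusted_proxies):
    """Address to use for ACLs and logs on a listener that expects PROXY."""
    if peer_ip not in trusted_proxies:
        raise ProxyHeaderError("PROXY header from untrusted peer " + peer_ip)
    info, payload = parse_proxy_v1(buf)
    # UNKNOWN: fall back to the proxy's own address rather than guessing
    return (info["src"][0] if info else peer_ip), payload

# Constructed sample: a TLS terminator on 127.0.0.1 relaying a client connection
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 56324 443\r\nGET / HTTP/1.1\r\n\r\n"
```

A listener that expects the header should be reachable only by the proxies that send it; the UNIX socket mentioned above is one way to get that.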