Hi, here's an update for 1.5. It contains a security fix, please read, as you'll want either to update or to apply the fix on top of your version if you are running it.
Configurations at risk are those which combine use of HTTP keywords in TCP content inspection rules, client-side keep-alive, header rewriting rules and which receive pipelined requests. These configurations may be remotely crashed when run with haproxy 1.4 up to and including 1.4.22 or development versions up to and including 1.5-dev17. Versions 1.4.23 and 1.5-dev18 are safe.

This issue was reported and troubleshot by Yves Lafon from the W3C. Thanks Yves for the time you spent on this and all the efforts you made to get this core!

For those who want to quickly deploy a fix, please use this patch for 1.5:
http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=aae75e3279

Many things have changed since 1.5-dev17. Many bugs were fixed, and a bunch of regressions were introduced during the changes, as was seen today. But we're improving the code modularity and maintainability, this is important. The most important changes (not counting the bugs) are listed below:

- systemd support was brought by Marc-Antoine Perennou

- agent-based health check was implemented by Simon Horman based on specs provided by Loadbalancer.org. This is a first step towards a more complete health check system. In this version, health checks can be switched to use a special agent running on the system, which can tell haproxy what weight it wants, if it is up/down/ill/in maintenance, etc...

- all address parsers were merged into a single one. This means that "bind", "log", "source", "server", ... now all use the same address parser. It has been improved to support forcing the address family by the use of the "@" prefix, and environment variables. It is now possible to build configurations which use the local address without using sed. It is also possible to listen to a pre-bound file descriptor passed by the parent.

- ability to limit the maximum SSL/TLS record size (suggested by Ilya Grigorik, and earlier by Mike Belshe). In short, when you send a 16kB ciphered block to a browser, it has to receive it completely before deciphering it and starting to render the contents. By reducing the size, we slightly reduce the performance but we allow the browser to start rendering the page and fetch new objects much earlier.

- HTTP redirect can now emit statuses 307 and 308 (Yves Lafon).

- PCRE JIT support was contributed by Hiroaki Nakamura, it should provide much faster regex processing.

- poll() is now enabled by default in the makefile even for unknown targets.

- ACL and sample fetch converged to something much better: everything that could be extracted from a request or response is now accessible via a sample fetch (so no more lamenting about whether it's available as one or the other), and ACLs do not have a fetch function anymore, they use the sample's fetch methods. There are several benefits of doing this. The first one is that we don't duplicate code anymore and we'll avoid many bugs (many were found during this work). The second benefit is that ACLs can now select the matching method to be used with the new -m parameter, so many more combinations are possible and won't require duplicating code anymore. The third benefit is that error reporting was greatly improved, as each fetch argument knows its exact position in the expression, and each fetch method knows its compatibility matrix. Thus, no more silent uses of an L6 fetch with an L4 or things like this. Some further changes are expected on this point (maps, variables, concatenation, conversions).

- TLS ALPN was implemented similarly as NPN was made. It is supposed to replace NPN.

All the rest are bugs. I counted 43...

Usual links below:
Site index : http://haproxy.1wt.eu/
Sources : http://haproxy.1wt.eu/download/1.5/src/devel/
Changelog : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html

I'm not appending the changelog, it's too large.

And remember, if you use "tcp-request content" with any HTTP keyword, you need either a config change or an update.

Willy
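The following configuration fragment is an added illustration, not part of Willy's announcement or the haproxy repository, tying together several of the 1.5-dev18 features described above: the unified address parser ("@" family prefix, environment variable expansion, pre-bound file descriptor), the SSL/TLS record size cap, the 307 redirect status and the ACL "-m" match selector. The hostnames, paths, socket paths, the descriptor number 3 and the LOCAL_IP variable are constructed placeholders.

```haproxy
# Added example (not from the announcement): a small 1.5-dev18 style
# configuration. Addresses, paths and the LOCAL_IP variable are
# constructed placeholders.
global
    # Cap the cleartext carried per TLS record so the browser can start
    # deciphering and rendering before a full 16kB record has arrived.
    tune.ssl.maxrecord 1400

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    # Address family forced with the "@" prefix; the address itself is
    # taken from an environment variable instead of a sed-edited template.
    bind ipv4@${LOCAL_IP}:80
    # Listen on a pre-bound file descriptor inherited from the parent.
    bind fd@3

    # "-m str" and "-m beg" select the matching method explicitly, so a
    # single "path" fetch serves both exact and prefix matches.
    acl is_login  path -m str /login
    acl is_static path -m beg /static/

    # Redirect with the new 307 status, which preserves the request method.
    redirect location https://www.example.com/login code 307 if is_login

    use_backend static if is_static
    default_backend app

backend static
    # The same parser accepts a unix socket on a server line.
    server s1 unix@/var/run/static.sock

backend app
    server a1 127.0.0.1:8080 check
```

With this layout the frontend can be started from a parent process that has already bound descriptor 3, and moving the listener to another host only requires exporting a different LOCAL_IP before launch.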

