HAProxy 1.8-dev2 was released on 2017/06/02. It added 101 new commits
after version 1.8-dev1. Given that a lot of new stuff got merged, I
prefer to issue a new release to make it easier for testers to give it
a try.

Some of the expected breakage in -dev1 was addressed (-fwrapv, dns+kqueue,
server args after "source", OCSP not working with BoringSSL). But that's
not what is the most interesting for this release.

What's interesting is that two months after -dev1 was issued, a part of
the pending stuff was already completed and merged, and we managed to
mostly focus on this stuff, resulting in more progress than when we all
walk on each other's feet, so that looks like a better long term
organisation :
  - ability to pass the listening FDs from the old to the new process
    during a reload to workaround the painful (rare but existing) RST
    issue under Linux when closing the listener (Olivier). Please note
    for those who might have deployed the initial patch that some minor
    changes were applied a few days ago, you need an option on the stats
    socket to indicate that you want it to be usable to pass fds
    ("expose-fd listeners").

  - openssl async API (Grant Zhang, reviewed by Emeric). Interestingly
    this has unveiled a limitation in the openssl async API when used
    with symmetric algorithms that Emeric tried to work around with no
    luck for now, but we may get more info on this later. Anyway that's
    mostly interesting for asymmetric crypto so it's not really an issue.

  - master/worker model to get rid of systemd-wrapper (William)

  - server-template (Fred) : pre-provisionning of disabled servers that
    can easily be enabled over CLI/DNS/whatever.

  - dns updates (Baptiste) : now the DNS resolution doesn't depend anymore
    on health checks, it's totally autonomous and can even be smarter at
    distributing addresses to servers using the same FQDN.

  - dealing with the openssl version configuration mess revealed by
    the new APIs (Manu and Emeric) -- this will impact some server
    keywords, these are now ssl-min-ver and ssl-max-ver.

  - the maximum length of the log URI can now be configured (Stéphane Cottin)

  - modsecurity SPOA module (Thierry Fournier)

  - mod_defender SPOA module (Dragan Dosen)

Already Queued :
  - ssl-min-ver/ssl-max-ver with crt-list (Emeric just gave me his ACK)

Still in progress with active work :
  - initial multi-threading support (Emeric and Christopher)

  - HTTP/2 frontend (me)

  - RAM-based "favicon" cache (William)

For later as time permits :
  - make userlists updatable from the CLI (William) -- turning them to
    maps was done already but never merged, it didn't appear sustainable
    so a new approach will be followed

  - a few connection management fixes/improvements that are pending
    in a few of my branches (improved close handling & polling
    accuracy), possibly a hack to use eBPF to destroy empty ACKs during
    reload to prevent empty connections from getting killed by close().

  - improve handling of error-file by splitting headers and body -- I
    don't know if someone is still working on this, but it's still
    welcome and should not interfer with the other devs

I hope I didn't forget anything, the commit log is long enough, otherwise
feel free to blame me.

All in all, I'm pretty satisfied with the progress made. And even on the
work in progress I've seen some encouraging stuff.

There were reports of slow downloads which I'm going to work on next week.
In short, when we migrated to the new frontend server, we also replaced the
cache and I thought it would be as efficient but apparently I was optimistic,
so some objects get downloaded from the (slow) master and once it happens I
think some errors invalidate the objects resulting in everyone getting them
at the same time from the slow server, making the situation even worse. I'm
not worried though as there are more solutions than problems, they will just
require some changes in my publication process, which is what I tried hard
to avoid.

Please test, play and report, as usual. This is still development code,
so no prod! BTW, some scary bugs were reported on 1.7.5 and are being
worked on, they almost certainly affect 1.8-dev2 as well. So don't be
surprized if you manage to crash it (and then report it)! That's also
why there is no 1.7.6 yet.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Adam Spiers (1):
      DOC: stick-table is available in frontend sections

Andrew Rodland (1):
      BUG/MINOR: hash-balance-factor isn't effective in certain circumstances

Baptiste Assmann (11):
      CLEANUP: server.c: missing prototype of srv_free_dns_resolution
      MINOR: dns: smallest DNS fqdn size
      MINOR: dns: functions to manage memory for a DNS resolution structure
      MINOR: dns: parse_server() now uses srv_alloc_dns_resolution()
      REORG: dns: dns_option structure, storage of hostname_dn
      MINOR: dns: new snr_check_ip_callback function
      MAJOR: dns: save a copy of the DNS response in struct resolution
      MINOR: dns: implement a LRU cache for DNS resolutions
      MINOR: dns: make 'ancount' field to match the number of saved records
      MINOR: dns: introduce roundrobin into the internal cache (WIP)
      MAJOR/REORG: dns: DNS resolution task and requester queues

Christopher Faulet (1):
      BUG/MEDIUM: http: Drop the connection establishment when a redirect is 

David CARLIER (1):
      BUG/MINOR: contrib/mod_security: fix build on FreeBSD

David Carlier (2):
      CLEANUP: server: moving netinet/tcp.h inclusion
      BUG/MINOR: server : no transparent proxy for DragonflyBSD

Dmitry Sivachenko (1):
      CLEANUP: retire obsoleted USE_GETSOCKNAME build option

Dragan Dosen (1):
      MINOR: Add Mod Defender integration as contrib

Emeric Brun (2):
      BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.
      MEDIUM: ssl: handle multiple async engines

Emmanuel Hocdet (9):
      MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
      MEDIUM: ssl: ssl_methods implementation is reworked and factored for 
min/max tlsxx
      MEDIUM: ssl: calculate the real min/max TLS version and find holes
      MINOR: ssl: support TLSv1.3 for bind and server
      MINOR: ssl: show methods supported by openssl
      MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and 
      MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
      MINOR: boringssl: basic support for OCSP Stapling
      BUILD: ssl: fix build with OPENSSL_NO_ENGINE

Frédéric Lécaille (11):
      BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
      BUG/MINOR: server: Fix a wrong error message during 'usesrc' keyword 
      BUG/MAJOR: Broken parsing for valid keywords provided after 'source' 
      BUG/MINOR: server: missing default server 'resolvers' setting duplication.
      MINOR: server: Extract the code responsible of copying default-server 
      MINOR: server: Extract the code which finalizes server initializations 
after 'server' lines parsing.
      MINOR: server: Add 'server-template' new keyword supported in backend 
      MINOR: server: Add server_template_init() function to initialize servers 
from a templates.
      DOC: Add documentation for new "server-template" keyword.
      MINOR: server: cli: Add server FQDNs to server-state file and stats 
      BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).

Glenn Strauss (2):
      DOC: update sample code for PROXY protocol
      DOC: mention lighttpd 1.4.46 implements PROXY

Grant Zhang (2):
      MEDIUM: ssl: add basic support for OpenSSL crypto engine
      MAJOR: ssl: add openssl async mode support

Holger Just (1):
      MINOR: sample: Add b64dec sample converter

Jarno Huuskonen (5):
      DOC: changed "block"(deprecated) examples to http-request deny
      DOC: add few comments to examples.
      DOC: add layer 4 links/cross reference to "block" keyword.
      DOC: errloc/errorloc302/errorloc303 missing status codes.
      CLEANUP: str2mask return code comment: non-zero -> zero.

Jim Freeman (1):
      CLEANUP: logs: typo: simgle => single

Lukas Tribus (2):
      DOC: update RFC references
      MINOR: ssl: add prefer-client-ciphers

Michal Idzikowski (1):
      MEDIUM: server: Inherit CLI weight changes and agent-check weight 

Olivier Houchard (10):
      MINOR server: Restrict dynamic cookie check to the same proxy.
      MINOR: cli: Add a command to send listening sockets.
      MINOR: global: Add an option to get the old listening sockets.
      MINOR: tcp: When binding socket, attempt to reuse one from the old proc.
      MINOR: doc: document the -x flag
      MINOR: proxy: Don't close FDs if not our proxy.
      MINOR: socket transfer: Set a timeout on the socket.
      MINOR: systemd wrapper: add support for passing the -x option.
      BUG/MAJOR: Use -fwrapv.
      BUG/MINOR: server: don't use "proxy" when px is really meant.

Stéphane Cottin (1):
      MINOR: log: Add logurilen tunable.

Thierry FOURNIER (8):
      BUG/MEDIUM: lua: memory leak
      CLEANUP: lua: remove test
      BUG/MINOR: change header-declared function to static inline
      REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to 
      MINOR: Add binary encoding request header sample fetch
      MINOR: proto-http: Add sample fetch wich returns all HTTP headers
      MINOR: Add ModSecurity wrapper as contrib
      BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return 

William Lallemand (12):
      MINOR: cli: add ACCESS_LVL_MASK to store the access level
      MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
      MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
      MEDIUM: mworker: replace systemd mode by master worker mode
      MEDIUM: mworker: handle reload and signals
      MEDIUM: mworker: wait mode on reload failure
      MEDIUM: mworker: try to guess the next stats socket to use with -x
      MEDIUM: mworker: exit-on-failure option
      MEDIUM: mworker: workers exit when the master leaves
      DOC: add documentation for the master-worker mode
      MEDIUM: systemd: Type=forking in unit file
      MAJOR: systemd-wrapper: get rid of the wrapper

Willy Tarreau (15):
      BUILD/MINOR: stats: remove unexpected argument to stats_dump_json_header()
      BUILD/MINOR: tools: fix build warning in debug_hexdump()
      BUG/MINOR: config: missing goto out after parsing an incorrect ACL 
      BUG/MINOR: arg: don't try to add an argument on failed memory allocation
      BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on 
      BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
      BUG/MEDIUM: servers: unbreak server weight propagation
      MINOR: lua: ensure the memory allocator is used all the time
      BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
      MEDIUM: config: don't check config validity when there are fatal errors
      CONTRIB: tcploop: add action "X" to execute a command
      BUG/MINOR: checks: don't send proxy protocol with agent checks
      MINOR: tools: make debug_hexdump() use a const char for the string
      MINOR: tools: make debug_hexdump() take a string prefix
      CLEANUP: connection: remove unused CO_FL_WAIT_DATA


Reply via email to