Hi, HAProxy 1.9.3 was released on 2019/01/29. It added 35 new commits after version 1.9.2.
It mainly addresses a few stability issues affecting versions up to 1.9.2. Several of these issues are only reproducible when using H2 to connect to the servers, and are caused by various incorrect or insufficient error handling when facing failures during connection reuse. Another issue was a side effect of the fixes on mailers (which still use the checks infrastructure) that resulted in a crash when using agent-check. A last minor fix for the checks was made to address a timeout issue, and checks are expected to be in better shape now.

Another issue was reported on the way our SSL stack deals with KeyUpdate messages that are part of TLS 1.3. These were identified as renegotiation attempts and were dropped, causing some communication issues with Chrome when it attempted to make use of them. Apparently we were not the only ones, so it's a side effect of reusing a feature which has long had to be disabled everywhere. Now that the issue is addressed, it's important that distros update their packages to get this part fixed when they use OpenSSL 1.1.1, so that we don't leave early bugs on the net which prevent security features from reliably being used. This patch was also backported into the 1.8 branch and will be present in the next 1.8 release.

On the less important issues, better control of stream limits is now enforced on outgoing H2 connections. We used to observe batches of errors when the server was refusing too high stream IDs after it sent a GOAWAY; now we can react faster. In addition, in order to avoid this situation altogether (as Nginx wants to close by default after 1000 streams over the same connection), we've added a "max-reuse" server parameter indicating how many times a connection may be reused. For example, setting this to 990 is enough to always stop reusing a connection before nginx sends its GOAWAY.

The H2 mux was not respecting the reserve in HTX mode, making it impossible to manipulate headers and leading to some request or response errors.
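The max-reuse parameter described above, as an added configuration example that is not part of the announcement: a backend speaking H2 to nginx servers, with max-reuse set below nginx's default limit of 1000 streams per connection so that HAProxy retires the connection before the server's GOAWAY arrives. Server addresses, certificate paths and the pool size are constructed values.

```haproxy
# Added example (not from the release announcement): HAProxy 1.9.3
# backend talking H2 to nginx. Addresses, certificate paths and pool
# sizes below are constructed, not taken from any real deployment.
defaults
    mode http
    # H2 towards servers requires the HTX representation in 1.9
    option http-use-htx
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1
    default_backend app_h2

backend app_h2
    # reuse idle server connections for other requests when safe
    http-reuse safe
    # nginx's http2_max_requests defaults to 1000 streams per connection,
    # after which it sends GOAWAY; max-reuse 990 stops reusing the
    # connection before that point, so no request is refused with a
    # too-high stream ID. pool-max-conn bounds the idle pool per server.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca.pem alpn h2 max-reuse 990 pool-max-conn 20
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/ssl/certs/ca.pem alpn h2 max-reuse 990 pool-max-conn 20
```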
Some other small issues affecting the reserve size in HTX were addressed, though some of them are now a bit foggy to me. That's about all for this release.

I still have some pending fixes that I preferred to delay a bit and that I'll backport for the next 1.9:

- make outgoing connection reuse failures fail more gracefully and support a retry; we have everything for this, it just required a few changes in the connection setup code that I didn't feel bold enough to integrate into this one.
- H2 will check that the content-length header matches the amount of DATA (standards compliance).
- H2 currently doesn't use the server's advertised MAX_CONCURRENT_STREAMS setting and only uses its global one, but it's not very complicated to address. I expect that we may face some of these sooner or later.
- there's this ":authority" header field missing from H2 requests that we should apparently add when upgrading H1 to H2.
- regarding the reported issue of some large object transfers over H2 from some specific clients being truncated during reloads, I brought the issue to the IETF HTTP working group. Some gave me examples showing that my initial idea of watching WINDOW_UPDATE messages will not work. However, I managed to design another solution that I will experiment with soon in 2.0-dev. If it ends up working well enough, we'll backport it to 1.9.

Last, if you feel like you'd like to contribute but don't know where to start, please have a look at the issue tracker (see the URL below), have a look at the bugs, and if you feel like you can work on one of them, just mention it in the issue and propose a patch.
Please find the usual URLs below:

Site index       : http://www.haproxy.org/
Discourse        : http://discourse.haproxy.org/
Slack channel    : https://slack.haproxy.org/
Issue tracker    : https://github.com/haproxy/haproxy/issues
Sources          : http://www.haproxy.org/download/1.9/src/
Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy

---

Complete changelog :

Christopher Faulet (4):
      BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
      BUG/MINOR: proto-htx: Return an error if all headers cannot be received at once
      BUG/MEDIUM: mux-h2/htx: Respect the channel's reserve
      BUG/MINOR: mux-h1: Apply the reserve on the channel's buffer only

Dirkjan Bussink (1):
      BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages

Jérôme Magnin (1):
      BUG/MINOR: server: don't always trust srv_check_health when loading a server state

Miroslav Zagorac (1):
      BUG/MINOR: spoe: corrected fragmentation string size

Olivier Houchard (3):
      BUG/MEDIUM: servers: Make assign_tproxy_address work when ALPN is set.
      BUG/MEDIUM: connections: Add the CO_FL_CONNECTED flag if a send succeeded.
      BUG/MEDIUM: servers: Attempt to reuse an unfinished connection on retry.

PiBa-NL (1):
      REGTEST: checks basic stats webpage functionality

Uman Shahzad (1):
      BUG/MINOR: startup: certain goto paths in init_pollers fail to free

Willy Tarreau (23):
      BUG/MEDIUM: checks: fix recent regression on agent-check making it crash
      DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
      BUG/MINOR: mux-h1: avoid copying output over itself in zero-copy
      BUG/MAJOR: mux-h2: don't destroy the stream on failed allocation in h2_snd_buf()
      BUG/MEDIUM: backend: also remove from idle list muxes that have no more room
      BUG/MEDIUM: mux-h2: properly abort on trailers decoding errors
      MINOR: h2: declare new sets of frame types
      BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
      BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection error
      BUG/MINOR: mux-h2: make it possible to set the error code on an already closed stream
      BUG/MINOR: hpack: return a compression error on invalid table size updates
      MINOR: server: make sure pool-max-conn is >= -1
      BUG/MINOR: stream: take care of synchronous errors when trying to send
      BUG/MINOR: mux-h2: always check the stream ID limit in h2_avail_streams()
      BUG/MINOR: mux-h2: refuse to allocate a stream with too high an ID
      BUG/MEDIUM: backend: never try to attach to a mux having no more stream available
      MINOR: server: add a max-reuse parameter
      MINOR: mux-h2: always consider a server's max-reuse parameter
      DOC: nbthread is no longer experimental.
      BUG/MINOR: listener: always fill the source address for accepted socketpairs
      BUG/MINOR: mux-h2: do not report available outgoing streams after GOAWAY
      BUG/MINOR: task: fix possibly missed event in inter-thread wakeups
      BUG/MEDIUM: backend: always call si_detach_endpoint() on async connection failure

---