Am 29.01.2019 um 06:52 schrieb Willy Tarreau:
> Hi,
> HAProxy 1.9.3 was released on 2019/01/29. It added 35 new commits after
> version 1.9.2.
> It mainly addresses a few stability issues affecting versions up to 1.9.2.
> Several of these issues are only reproducible when using H2 to connect to
> the servers and are caused by various incorrect or insufficient error
> handling when facing failures during connection reuse. Another issue was
> a side effect of the fixes on mailers (which still use the checks
> infrastructure) that resulted in a crash when using agent-check. A last
> minor fix for the checks was made to address a timeout issue, and checks
> are expected to be in a better shape now.
> Another issue was reported on the way our SSL stack deals with KeyUpdate
> messages that are part of TLS 1.3. These were identified as renegotiation
> attempts and were dropped, causing some communication issues with Chrome
> when they attempted to make use of them. Apparently we were not the only
> ones so it's a side effect of reusing a feature which has long had to be
> disabled everywhere. Now the issue was addressed, and it's important that
> distros update their packages to get this part fixed when they use OpenSSL
> 1.1.1 so that we don't leave early bugs on the net which prevent security
> features from reliably being used. This patch was also backported into the
> 1.8 branch and will be present in the next 1.8 release.
> On the less important issues, some better control for stream limits were
> enforced on outgoing H2 connections. We used to observe batches of errors
> when the server was refusing too high stream IDs after it sent a GOAWAY,
> now we can react faster. In addition, in order to avoid this situation at
> all (as Nginx wants to close by default after 1000 streams over the same
> connection), we've added a "max-reuse" server parameter indicating how
> many times a connection may be reused. For example setting this to 990
> is enough to always stop reusing a connection before nginx sends its
> The H2 mux was not respecting the reserve in HTX mode, leading to the
> impossibility to manipulate headers and to some request or response
> errors. Some other small issues affecting the reserve size in HTX were
> addressed, though some of them are now a bit foggy to me.
> That's about all for this release. I still have some pending fixes that
> I preferred to delay a bit and that I'll backport for the next 1.9 :
>   - make outgoing connection reuse failure fail more gracefully and
>     support a retry ; we have everything for this, it just required a
>     few changes in the connection setup code that I didn't feel bold
>     enough to integrate into this one.
>   - H2 will check that the content-length header matches the amount of
>     DATA (standards compliance)
>   - H2 currently don't use the server's advertised MAX_CONCURRENT_STREAMS
>     setting and only uses its global one, but it's not much complicated
>     to address. I expect that we may face some of these sooner or later.
>   - there's this ":authority" header field missing from H2 requests that
>     we should apparently add when upgrading H1 to H2.
>   - regarding the reported issue of some large objects transfers over H2
>     from some specific clients being truncated during reloads, I brought
>     the issue to the IETF HTTP working group. Some gave me examples showing
>     my initial idea of watching WINDOW_UPDATE messages will not work. However
>     I managed to design another solution that I will experiment with soon
>     in 2.0-dev. If it ends up working fine enough, we'll backport it to 1.9.
> Last, if you feel like you'd like to contribute but don't know where to
> start, please have a look at the issue tracker (see the URL below), have
> a look at the bugs and if you feel like you can work on one of them, just
> mention it in the issue and propose a patch.
> Please find the usual URLs below :
>    Site index       :
>    Discourse        :
>    Slack channel    :
>    Issue tracker    :
>    Sources          :
>    Git repository   :
>    Git Web browsing :
>    Changelog        :
>    Cyril's HTML doc :

Docker Images are also updated:

Both have some errors at `make reg-tests`, I think that this could be a problem 
with containerized testing.
Does anyone run haproxy in container with h2?


Testing with haproxy version: 1.9.3
#    top  TEST ./reg-tests/connection/b00000.vtc FAILED (8.793) exit=2
#    top  TEST ./reg-tests/http-messaging/h00002.vtc FAILED (0.749) exit=2
2 tests failed, 0 tests skipped, 32 tests passed

Testing with haproxy version: 1.9.3
#    top  TEST ./reg-tests/http-messaging/h00002.vtc FAILED (0.737) exit=2
1 tests failed, 0 tests skipped, 33 tests passed

> Willy


> ---
> Complete changelog :
> Christopher Faulet (4):
>       BUG/MINOR: check: Wake the check task if the check is finished in 
> wake_srv_chk()
>       BUG/MINOR: proto-htx: Return an error if all headers cannot be received 
> at once
>       BUG/MEDIUM: mux-h2/htx: Respect the channel's reserve
>       BUG/MINOR: mux-h1: Apply the reserve on the channel's buffer only
> Dirkjan Bussink (1):
>       BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
> Jérôme Magnin (1):
>       BUG/MINOR: server: don't always trust srv_check_health when loading a 
> server state
> Miroslav Zagorac (1):
>       BUG/MINOR: spoe: corrected fragmentation string size
> Olivier Houchard (3):
>       BUG/MEDIUM: servers: Make assign_tproxy_address work when ALPN is set.
>       BUG/MEDIUM: connections: Add the CO_FL_CONNECTED flag if a send 
> succeeded.
>       BUG/MEDIUM: servers: Attempt to reuse an unfinished connection on retry.
> PiBa-NL (1):
>       REGTEST: checks basic stats webpage functionality
> Uman Shahzad (1):
>       BUG/MINOR: startup: certain goto paths in init_pollers fail to free
> Willy Tarreau (23):
>       BUG/MEDIUM: checks: fix recent regression on agent-check making it crash
>       DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
>       BUG/MINOR: mux-h1: avoid copying output over itself in zero-copy
>       BUG/MAJOR: mux-h2: don't destroy the stream on failed allocation in 
> h2_snd_buf()
>       BUG/MEDIUM: backend: also remove from idle list muxes that have no more 
> room
>       BUG/MEDIUM: mux-h2: properly abort on trailers decoding errors
>       MINOR: h2: declare new sets of frame types
>       BUG/MINOR: mux-h2: CONTINUATION in closed state must always return 
>       BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection 
> error
>       BUG/MINOR: mux-h2: make it possible to set the error code on an already 
> closed stream
>       BUG/MINOR: hpack: return a compression error on invalid table size 
> updates
>       MINOR: server: make sure pool-max-conn is >= -1
>       BUG/MINOR: stream: take care of synchronous errors when trying to send
>       BUG/MINOR: mux-h2: always check the stream ID limit in 
> h2_avail_streams()
>       BUG/MINOR: mux-h2: refuse to allocate a stream with too high an ID
>       BUG/MEDIUM: backend: never try to attach to a mux having no more stream 
> available
>       MINOR: server: add a max-reuse parameter
>       MINOR: mux-h2: always consider a server's max-reuse parameter
>       DOC: nbthread is no longer experimental.
>       BUG/MINOR: listener: always fill the source address for accepted 
> socketpairs
>       BUG/MINOR: mux-h2: do not report available outgoing streams after GOAWAY
>       BUG/MINOR: task: fix possibly missed event in inter-thread wakeups
>       BUG/MEDIUM: backend: always call si_detach_endpoint() on async 
> connection failure
> ---

Reply via email to