On 26.06.2019 at 19:28, Christopher Faulet wrote:
> Hi,
>
> HAProxy 2.0.1 was released on 2019/06/26. It added 27 new commits
> after version 2.0.0.
>
> This new version fixes several annoying bugs with various visible effects.
> Among others, two major bugs have been fixed. The first one is a regression on
> stick-tables. HAProxy was unable to start when a stick-table was used in
> "if/unless" ACL condition. An error claimed the stick-table name was
> missing. The second major bug is in the H1 multiplexer. The area of a trash
> chunk was easily able to be released by error when an outgoing HTTP message
> was formatted. So it is a pretty old bug and it is strange we never spotted it
> before. But it led to a memory corruption and thus to a wide variety of bugs.
>
> Several bugs in the HTX were fixed. One of them concerned the H2. When cookie
> headers were grouped during the conversion of an H2 request into an HTX
> message, the HTX message was not fully updated. When it happened, most of the
> time the connection hung. Another bug concerned the way 1xx informational
> messages were emitted by HAProxy. An EOM was mistakenly added in these HTX
> messages. It was totally valid on HAProxy-1.9. But in 2.0, these messages are
> part of the response and must never have EOM block. This unexpected error was
> not correctly caught, blocking the connection. Now, when HAProxy generates such
> transitional responses, it does not emit EOM block. And if an unexpected error
> happens during H1 output formatting, a fatal error is triggered and the
> connection is closed.
>
> On the H1 multiplexer, parsing errors when a too big message was received were
> not correctly caught, blocking connections. It was due to an optimization to
> allow zero copy transfers. In the H2 multiplexer, the frame padding was not
> correctly handled in two ways, leading in both cases to protocol errors.
>
> Olivier fixed a bug on the connection's layer when the PROXY protocol was
> used. The xprt handshake was not always present to send the PROXY protocol
> header, leading to an infinite loop. He also fixed a bug in the SSL that was
> able to crash HAProxy. In the function ssl_subscribe(), before doing anything,
> we must be sure to have an xprt context. Finally he fixed a bug on
> stream-interfaces. The flag SI_FL_ERR was unconditionally set when an error
> was detected on the connection or on the conn-stream. But it must only be set
> when the stream-interface is connected or is attempting a connection.
>
> A segfault was fixed in the leastconn LB algorithm because of an unsafe test
> outside the LB lock. Thanks to Tim Duesterhus, HAProxy now sets the header
> "Vary" in compressed responses. William fixed two bugs in the master-worker.
> The first was a segfault when the master switched to wait mode because the
> thread and the fdtab deinit functions were called. The second was about the
> master cli that was unable to send commands to several workers.
>
> Finally, as always, some small other bugs were fixed here and there. Thanks to
> everyone for reporting and/or fixing bugs, or just for testing this new major
> release. Of course, we encourage everyone to upgrade. Several bugs considered
> as fixed are a bit hard or a bit long to reproduce. So we hope this release is
> better than the last one. But please continue to report any issue you'll meet!
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/2.0/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-2.0.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
>    Changelog        : http://www.haproxy.org/download/2.0/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

TLS 1.3 Image ready: https://hub.docker.com/r/me2digital/haproxy20-centos

```
HA-Proxy version 2.0.1 2019/06/26 - https://haproxy.org/
Build options :
  TARGET = linux-glibc
  CPU = generic
  CC = gcc
  CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_PTHREAD_PSHARED=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD +PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
  h2 : mode=HTX side=FE|BE mux=H2
  h2 : mode=HTTP side=FE mux=H2
  <default> : mode=HTX side=FE|BE mux=H1
  <default> : mode=TCP|HTTP side=FE|BE mux=PASS

Available services :
  prometheus-exporter

Available filters :
  [SPOE] spoe
  [COMP] compression
  [CACHE] cache
  [TRACE] trace
```

Regards
Aleks
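
An added example, not part of the original thread and not HAProxy project code: a small checker that reads `haproxy -vv` output like the one posted above and flags a host that is older than the 2.0.1 release announced here, that runs on a different library version than it was built with, or whose OpenSSL lacks TLSv1.3. The function names and the embedded sample are constructed for illustration, and the version comparison assumes the host tracks the 2.0 branch.

```python
import re
import sys

# Constructed sample: a trimmed excerpt shaped like the `haproxy -vv` output above.
SAMPLE = """\
HA-Proxy version 2.0.1 2019/06/26 - https://haproxy.org/
Built with OpenSSL version : OpenSSL 1.1.1c 28 May 2019
Running on OpenSSL version : OpenSSL 1.1.1c 28 May 2019
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
"""

def parse_vv(text):
    """Extract version, built/running library versions and TLS versions."""
    info = {"version": None, "built": {}, "running": {}, "tls": []}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"HA-?Proxy version (\d+(?:\.\d+)*)", line):
            info["version"] = tuple(int(p) for p in m.group(1).split("."))
        elif m := re.match(r"(Built with|Running on) (\S+) version\s*:\s*(.+)", line):
            side = "built" if m.group(1) == "Built with" else "running"
            info[side][m.group(2)] = " ".join(m.group(3).split())
        elif m := re.match(r"OpenSSL library supports\s*:\s*(.+)", line):
            info["tls"] = m.group(1).split()
    return info

def audit(text, minimum=(2, 0, 1)):
    """Return findings for one host; an empty list means nothing to flag."""
    info = parse_vv(text)
    if info["version"] is None:
        return ["no version banner found"]
    findings = []
    if info["version"] < minimum:  # assumption: host tracks the 2.0 branch
        have = ".".join(map(str, info["version"]))
        want = ".".join(map(str, minimum))
        findings.append(f"version {have} is older than {want}")
    for lib, built in info["built"].items():
        running = info["running"].get(lib)  # Lua etc. report no runtime line
        if running is not None and running != built:
            findings.append(f"{lib}: built with {built!r}, running on {running!r}")
    if "TLSv1.3" not in info["tls"]:
        findings.append("TLSv1.3 not offered by the linked OpenSSL")
    return findings

if __name__ == "__main__":
    # Usage: haproxy -vv | python3 this_script.py
    for finding in audit(sys.stdin.read()) or ["ok"]:
        print(finding)
```
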