On 13.09.2019 at 14:09, Christopher Faulet wrote:
> Hi,
>
> HAProxy 2.0.6 was released on 2019/09/13. It added 36 new commits
> after version 2.0.5.
>
> A major issue was fixed in the SSL part. When an SSL socket was created, its
> context was not fully initialized. Because this context is allocated from a
> memory pool, it was possible to inherit some information from a previous
> session. Thus, some fetches, related to the client's certificate presence or its
> verify status and errors, were returning erroneous values. So SSL connections
> without a client certificate were able to be accepted by HAProxy from the time a
> previous one was already accepted with a valid client certificate. This issue
> was reported on GitHub (#248).
>
> An AB/BA locking issue was fixed about the listeners. The functions
> protocol_enable_all() and delete_listener() were using the same locks in
> reverse order. The former being used during startup and the latter during stop,
> it was possible to have a deadlock during reload floods. Note though, it is
> pretty hard to hit this issue in 2.0 and above.
>
> Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
> reject messages featuring a transfer-encoding header missing the "chunked"
> value. The impact was limited, but if combined with "http-reuse always", it
> could be used as a help to construct a content smuggling attack against a
> vulnerable component employing a lenient parser which would ignore the
> content-length header as soon as it sees a transfer-encoding one, without even
> parsing it.
>
> An improvement was made on the idle connections management. Now, we don't keep
> more idle connections than we've ever had outstanding requests on a server. This
> way the total number of idle connections will never exceed the sum of maximum
> connections. Thus highly loaded servers will be able to get many connections and
> slightly loaded servers will keep fewer. This addresses performance issues with the
> option "http-reuse safe" (the default) because of too many idle connections kept
> open and never reused.
>
> An old bug on legacy HTTP analyzers was fixed. When HAProxy was waiting for a
> request or a response, the parsing was delayed if the buffer appeared as not
> rewritable (reserve not fully free), without any other criteria. It might block
> the message analysis for a while, sometimes infinitely depending on
> circumstances. For instance, it was happening when the cache applet used the
> reserve to add the header "Age" on cached responses. This test was based on an old
> implicit assumption that stated if a buffer was not rewritable, it meant some
> outgoing data were pending to be sent. On recent versions, this is not true
> anymore because all outgoing data are sent before starting the analysis of the
> next transaction.
>
> Several bugs were fixed in the H1 multiplexer. The trailers of chunked messages
> were sometimes truncated on buffer boundary because the parser systematically
> reported an error when the buffer was full during trailers parsing. Now, an
> error is only reported if the buffer is full because trailers are too huge. In
> the same spirit, errors might be reported on transfers ending if the buffer was
> full because no more space was left to add the EOM block. SD termination state was
> erroneously reported in HAProxy logs for successful transfers.
>
> Two bugs were fixed on the cache. Both concerned the way messages with a huge
> header part were handled by the cache. First, messages with a header part
> impinging upon the buffer's reserve were stored in the cache. Now these
> messages are not cached anymore. The reserve must remain available to handle
> the response processing when a cached object is served, just like any other
> response. Then, in the cache, messages with a header part stored on several
> shctx blocks (> 1024 bytes) were not correctly served.
>
> Finally, the usual bunch of bug fixes here and there. Some improvements were
> made on checks to adapt them to recent changes on the connections layer. The
> sample fetch url32 was fixed to really take the path part into account. A memory
> leak during configuration parsing was fixed, when an ACL expression was
> parsed. Response flags are now correctly reset when 1xx messages are handled so
> it is possible to compress HTTP responses preceded by a 100-Continue. The server
> weights are now ignored for empty servers to not always pick the same server on
> low load (thanks to @malsumis and @jaroslawr for this fix). And so on.
>
> It is also noticeable that Luca Schimweg added the sample fetch uuid() to get a
> UUID following the format of version 4 in the RFC4122 standard. The
> DRAIN/MAINT/NOLB statuses are now reported for servers by the Prometheus
> exporter. And the number of idle connections for each server is now reported on the stats page,
> as is the configuration limit.
>
> All users of 2.0 are encouraged to upgrade, especially those using
> authentication with SSL client certificates.
>
>
> Please find the usual URLs below :
> Site index : http://www.haproxy.org/
> Discourse : http://discourse.haproxy.org/
> Slack channel : https://slack.haproxy.org/
> Issue tracker : https://github.com/haproxy/haproxy/issues
> Sources : http://www.haproxy.org/download/2.0/src/
> Git repository : http://git.haproxy.org/git/haproxy-2.0.git/
> Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
> Changelog : http://www.haproxy.org/download/2.0/src/CHANGELOG
> Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> ---
> Complete changelog : [snipp]

Image is updated to 2.0.6.
https://hub.docker.com/r/me2digital/haproxy20-centos

Regards
Aleks
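The Transfer-Encoding item in the quoted announcement is the one with a security angle: a message whose transfer-encoding header does not end in "chunked" has no determinable body length, and a downstream parser that blindly prefers transfer-encoding over content-length can then disagree with the proxy about where the body ends. The following is an added, stand-alone illustration of the strict framing check a defender wants at the edge; it is not HAProxy code, and the header blocks in SAMPLES, the helper names, and the MessageRejected exception are all constructed for this example. It decides the body framing per RFC 7230 section 3.3.3 and refuses every ambiguous case instead of guessing.

```python
from typing import List, Tuple

# Constructed sample header sections (not captured traffic): the lines that
# follow a request line, up to the blank line. Each key names the case.
SAMPLES = {
    "chunked":      b"Host: example.test\r\nTransfer-Encoding: chunked\r\n",
    "gzip_only":    b"Host: example.test\r\nTransfer-Encoding: gzip\r\n",
    "gzip_chunked": b"Host: example.test\r\nTransfer-Encoding: gzip, chunked\r\n",
    "te_and_cl":    b"Host: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n",
    "cl_only":      b"Host: example.test\r\nContent-Length: 5\r\n",
    "no_body":      b"Host: example.test\r\n",
    "dup_cl":       b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n",
}


class MessageRejected(ValueError):
    """Framing is ambiguous or malformed: the message must be answered with
    400 at the edge rather than forwarded with a guessed body length."""


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a header section into (lowercased-name, value) pairs.
    Obsolete line folding and whitespace before the colon are refused
    outright, since both are classic sources of parser disagreement."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise MessageRejected("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise MessageRejected(f"malformed header line {line!r}")
        try:
            headers.append((name.decode("ascii").lower(),
                            value.decode("ascii").strip()))
        except UnicodeDecodeError:
            raise MessageRejected("non-ASCII bytes in header") from None
    return headers


def transfer_codings(headers: List[Tuple[str, str]]) -> List[str]:
    """All transfer codings in order, across repeated headers and
    comma-separated lists, lowercased."""
    codings = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return codings


def body_framing(raw: bytes) -> Tuple[str, int]:
    """Return ("chunked", -1), ("content-length", n) or ("none", 0).
    Raises MessageRejected for every case where two parsers could
    legitimately read a different body boundary."""
    headers = parse_headers(raw)
    codings = transfer_codings(headers)
    lengths = [v for n, v in headers if n == "content-length"]

    if codings:
        if lengths:
            # RFC 7230 3.3.3 says this "might indicate an attempt to perform
            # request smuggling" and ought to be handled as an error.
            raise MessageRejected("Transfer-Encoding and Content-Length both present")
        if codings[-1] != "chunked":
            # The gap the announcement describes for legacy mode: a TE header
            # whose final coding is not chunked leaves the length undeterminable.
            raise MessageRejected("Transfer-Encoding without final chunked coding")
        if codings.count("chunked") > 1:
            raise MessageRejected("chunked applied more than once")
        return ("chunked", -1)

    if lengths:
        # Repeated Content-Length is tolerated only when every copy is the
        # same plain decimal value (ASCII only, since we decoded as ASCII).
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise MessageRejected("conflicting or malformed Content-Length")
        return ("content-length", int(lengths[0]))

    return ("none", 0)


def verdict(raw: bytes) -> str:
    """One-line outcome for a header section: the framing mode, or the
    reason the message was refused."""
    try:
        mode, length = body_framing(raw)
    except MessageRejected as exc:
        return f"rejected: {exc}"
    return f"content-length {length}" if mode == "content-length" else mode


if __name__ == "__main__":
    for case, block in SAMPLES.items():
        print(f"{case:13s} -> {verdict(block)}")
```

The point of refusing rather than repairing (for instance, stripping Content-Length when Transfer-Encoding is present) is that a proxy which forwards a "fixed" message is still relying on every hop behind it agreeing with its fix; a 400 at the edge removes the disagreement altogether. Combined with connection reuse on the server side, which the announcement notes as the amplifying factor, that strictness is what keeps one client's malformed request from leaking into another client's response stream.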