Hi,
HAProxy 2.2-dev1 was released on 2020/01/22. It added 241 new commits
after version 2.2-dev0.
While many of us were apparently serving as a feedback loop between a
screen and a keyboard, time was still flying and 2 months have elapsed since
2.1 was released. So I thought it was about time to issue a new
development preview to ease testing.
Let's keep the door open for discussions about upcoming changes for the
next 2 months (till end of March) and reserve the last two months to
finish and fix, aiming at a 2.2 release around end of May.
Now, regarding the changes that came in between 2.1 and 2.2-dev1, these
are roughly the ones I noticed (for those not listed, sorry if I forgot
your work, feel free to chime in):
- a significant number of code cleanups and harmless refactoring
(connection, dns, HTTP/TCP actions)
- rework of errorfiles: new "http-errors" sections to ease sharing them
between proxies, and the ability to specify the one to use on "deny"
rules.
- DNS traffic reduction for SRV records by reusing information already
available in extension parts of the response packet
- better reporting of internal processing errors. In the past, adding a
header that did not fit in the buffer was silently ignored. Now we can
finally fail and report an error, choosing between strict or relaxed
mode with the "strict-mode" action (strict is the default).
- some security hardening, such as preventing the creation of processes
at runtime by default (and setting NO_NEW_PRIVS where the OS supports it),
and preventing the process from switching UIDs again, in order to limit
the damage from exploited bugs or from uncontrolled inherited Lua
libraries. This is now enabled by default, and it will break external
checks, which will require adding the new global option
"insecure-fork-wanted", and even "insecure-setuid-wanted" if calling a
setuid binary (both option names should ring a bell for the users who
really want to depend on them).
- Lua's GC is not systematically called anymore when dealing with outgoing
connections. This almost doubles Lua performance in such use cases.
- some performance improvements at the connection layer resulting in
fewer syscalls on average, especially for epoll.
- the "debug" converter is now always available and it logs to internal
event sinks (ring buffer, stdout, stderr).
- a number of new sample fetch functions expose HTX internals to help
live debugging.
- addition of status codes "404" and "410" for http-request deny
- new "replace-path" HTTP action to help replace old "reqrep" rules. It
works like replace-uri but only acts on the path. This makes a
difference in H2 or with absolute requests in HTTP/1.
- new "attr" field added to the "cookie" directive, in order to set cookie
attributes when adding persistence cookies.
- new CLI command "show ssl cert" to report detailed information on loaded
certificates, such as validity dates, issuer, alt names etc.
- LDAPv3 alternate output format for ssl_{c,f}_{i,s}_dn sample fetches.
- de-duplication of ca-file and crl-file, which should also improve startup
time and save memory when there are many of them.
- 10 new regtests (thanks!)
- 84 bugs fixed
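To see how the hardening, error-page and rewrite items above fit together, here is an added configuration example. It is not part of this announcement nor of the HAProxy tree: the file names, proxy names, ports and the check script are hypothetical, and the keyword syntax follows the 2.2-dev1 documentation as I read it, so validate it against your own snapshot with `haproxy -c -f <file>` before relying on it.

```haproxy
# Added example (not from the announcement). Names and paths are hypothetical.

global
    log stdout format raw local0
    # 2.2-dev1 refuses fork()/exec() and further setuid() at runtime by default
    # (and sets NO_NEW_PRIVS where supported). The external check in be_app
    # would fail to start without this explicit opt-in, so the scary name is
    # deliberate: only enable it if you really need to spawn processes.
    insecure-fork-wanted
    # Only needed if the check command is itself a setuid binary; leave it out
    # otherwise so an exploited process cannot regain privileges.
    # insecure-setuid-wanted

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Shared group of custom error pages, referenced from proxies instead of
# repeating "errorfile" lines in each of them.
http-errors myerrors
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 404 /etc/haproxy/errors/404.http
    errorfile 410 /etc/haproxy/errors/410.http

frontend fe_web
    bind :8080
    errorfiles myerrors

    # Rewrites that cannot be applied (for instance a header that does not
    # fit in the buffer) now abort the request with an internal error instead
    # of being silently dropped. "on" is the 2.2 default, shown explicitly;
    # "off" restores the old relaxed behaviour for the rules that follow it.
    http-request strict-mode on

    # Deny with the newly accepted 404/410 statuses. "errorfiles" takes the
    # page from a shared http-errors section, "errorfile" a specific file.
    http-request deny deny_status 410 errorfiles myerrors if { path_beg /v1/ }
    http-request deny deny_status 404 errorfile /etc/haproxy/errors/404.http if { path_beg /.git }

    # Only the path is rewritten, so the scheme and authority of an absolute
    # URI (HTTP/1) or of an H2 request stay untouched; replace-uri would
    # match against the full URI instead.
    http-request replace-path ^/old/(.*) /new/\1

    default_backend be_app

backend be_app
    # Persistence cookie with explicit attributes via the new "attr" field
    # ("attr" may be repeated).
    cookie SRV insert indirect nocache attr "SameSite=Strict" attr "Secure"

    # External check: this is what requires insecure-fork-wanted above.
    external-check
    external-check command /usr/local/bin/check_app.sh
    server app1 127.0.0.1:9001 check cookie a1
    server app2 127.0.0.1:9002 check cookie a2
```

If the check script is not needed, drop both the `external-check` lines and `insecure-fork-wanted` together: the whole point of the new default is that a process which never needs to fork should not be allowed to. The certificates loaded by such a configuration can then be inspected from the stats socket with the new `show ssl cert` CLI command mentioned above.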
That is already quite a nice number of improvements. I suspect that the next
versions might degrade a little bit as usual, depending on how things go, which
is another reason to keep a reference version that is expected to be clean to
work on. If possible I'd like to release more often for the next ones to keep
changes visible and easy to test.
Ah, last thing, I messed up the release, there are two RELEASE commits,
don't worry you're not drunk. But I noticed it far too late to fix it with
a forced push, so my punishment will be to look stupid now (I sensed it was
already the case anyway so that's OK).
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Baptiste Assmann (2):
MEDIUM: dns: use Additional records from SRV responses
BUG/MINOR: http_act: don't check capture id in backend
Ben51Degrees (1):
BUG/MINOR: 51d: Fix bug when HTX is enabled
Christopher Faulet (84):
BUG/MINOR: h1: Don't test the host header during response parsing
BUG/MINOR: http-htx: Don't make http_find_header() fail if the value is
empty
BUG/MINOR: fcgi-app: Make the directive pass-header case insensitive
BUG/MINOR: stats: Fix HTML output for the frontends heading
BUG/MEDIUM: mux-h1: Never reuse H1 connection if a shutw is pending
BUG/MINOR: mux-h1: Don't rely on CO_FL_SOCK_RD_SH to set H1C_F_CS_SHUTDOWN
BUG/MINOR: mux-h1: Fix conditions to know whether or not we may receive
data
BUG/MINOR: mux-h1: Be sure to set CS_FL_WANT_ROOM when EOM can't be added
BUG/MEDIUM: mux-fcgi: Handle cases where the HTX EOM block cannot be
inserted
MEDIUM: h1-htx: Add HTX EOM block when the message is in H1_MSG_DONE state
MINOR: http-htx: Add some htx sample fetches for debugging purpose
REGTEST: Add an HTX reg-test to check an edge case
BUG/MAJOR: mux-h1: Don't pretend the input channel's buffer is full if
empty
BUG/MEDIUM: stream: Be sure to never assign a TCP backend to an HTX stream
BUG/MINOR: h1: Report the right error position when a header value is
invalid
BUG/MINOR: proxy: Fix input data copy when an error is captured
BUG/MINOR: channel: inject output data at the end of output
BUG/MINOR: stream-int: Don't trigger L7 retry if max retries is already
reached
MINOR: http-htx: Move htx sample fetches in the scope "internal"
MINOR: http-htx: Rename 'internal.htx_blk.val' to 'internal.htx_blk.data'
MINOR: http-htx: Make 'internal.htx_blk_data' return a binary string
DOC: Add a section to document the internal sample fetches
MINOR: mux-h1: Inherit send flags from the upper layer
MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server
metrics
BUG/MINOR: http-ana/filters: Wait end of the http_end callback for all
filters
BUG/MINOR: http-rules: Remove buggy deinit functions for HTTP rules
BUG/MINOR: stick-table: Use MAX_SESS_STKCTR as the max track ID during
parsing
MEDIUM: http-rules: Register an action keyword for all http rules
MINOR: tcp-rules: Always set from which ruleset a rule comes from
MINOR: actions: Use ACT_RET_CONT code to ignore an error from a custom
action
MINOR: tcp-rules: Kill connections when custom actions return ACT_RET_ERR
MINOR: http-rules: Return an error when custom actions return ACT_RET_ERR
MINOR: counters: Add a counter to report internal processing errors
MEDIUM: http-ana: Properly handle internal processing errors
MINOR: http-rules: Add a rule result to report internal error
MINOR: http-rules: Handle internal errors during HTTP rules evaluation
MINOR: http-rules: Add more return codes to let custom actions act as
normal ones
MINOR: tcp-rules: Handle denied/aborted/invalid connections from TCP rules
MINOR: http-rules: Handle denied/aborted/invalid connections from HTTP
rules
MINOR: stats: Report internal errors in the proxies/listeners/servers
stats
MINOR: contrib/prometheus-exporter: Export internal errors per
proxy/server
MINOR: counters: Remove failed_secu counter and use denied_resp instead
MINOR: counters: Review conditions to increment counters from analysers
MINOR: http-ana: Add a txn flag to support soft/strict message rewrites
MINOR: http-rules: Handle all message rewrites the same way
MINOR: http-rules: Add a rule to enable or disable the strict rewriting
mode
MEDIUM: http-rules: Enable the strict rewriting mode by default
REGTEST: Fix format of set-uri HTTP request rule in h1or2_to_h1c.vtc
MINOR: actions: Add a function pointer to release args used by actions
MINOR: actions: Regroup some info about HTTP rules in the same struct
MINOR: http-rules/tcp-rules: Call the defined action function first if
defined
MINOR: actions: Rename the act_flag enum into act_opt
MINOR: actions: Add flags to configure the action behaviour
MINOR: actions: Use an integer to set the action type
MINOR: http-rules: Use a specific action type for some custom HTTP actions
MINOR: http-rules: Make replace-header and replace-value custom actions
MINOR: http-rules: Make set-header and add-header custom actions
MINOR: http-rules: Make set/del-map and add/del-acl custom actions
MINOR: http-rules: Group all processing of early-hint rule in its case
clause
MEDIUM: http-rules: Make early-hint custom actions
MINOR: http-rule/tcp-rules: Make track-sc* custom actions
MINOR: tcp-rules: Make tcp-request capture a custom action
MINOR: http-rules: Add release functions for existing HTTP actions
BUG/MINOR: http-rules: Fix memory releases on error path during action
parsing
MINOR: tcp-rules: Add release functions for existing TCP actions
BUG/MINOR: tcp-rules: Fix memory releases on error path during action
parsing
MINOR: http-htx: Add functions to read a raw error file and convert it in
HTX
MINOR: http-htx: Add functions to create HTX redirect message
MINOR: config: Use dedicated function to parse proxy's errorfiles
MINOR: config: Use dedicated function to parse proxy's errorloc
MEDIUM: http-htx/proxy: Use a global and centralized storage for HTTP
error messages
MINOR: proxy: Register keywords to parse errorfile and errorloc directives
MINOR: http-htx: Add a new section to create groups of custom HTTP errors
MEDIUM: proxy: Add a directive to reference an http-errors section in a
proxy
MINOR: http-rules: Update txn flags and status when a deny rule is
executed
MINOR: http-rules: Support an optional status on deny rules for http
reponses
MINOR: http-rules: Use same function to parse request and response deny
actions
MINOR: http-ana: Add an error message in the txn and send it when defined
MEDIUM: http-rules: Support an optional error message in http deny rules
REGTEST: Add a strict rewriting mode reg test
REGEST: Add reg tests about error files
BUG/MINOR: http_htx: Fix some leaks on error path when error files are
loaded
CLEANUP: http-ana: Remove useless test on txn when the error message is
retrieved
MINOR: proxy/http-ana: Add support of extra attributes for the cookie
directive
Elliot Otchet (1):
MINOR: ssl: Add support for returning the dn samples from
ssl_(c|f)_(i|s)_dn in LDAP v3 (RFC2253) format.
Emmanuel Hocdet (10):
MINOR: ssl: deduplicate ca-file
MINOR: ssl: compute ca-list from deduplicate ca-file
MINOR: ssl: deduplicate crl-file
BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2
BUG/MINOR: ssl: fix X509 compatibility for openssl < 1.1.0
BUG/MINOR: ssl: certificate choice can be unexpected with openssl >= 1.1.1
MINOR: ssl: accept 'verify' bind option with 'set ssl cert'
BUG/MINOR: ssl: ssl_sock_load_ocsp_response_from_file memory leak
BUG/MINOR: ssl: ssl_sock_load_issuer_file_into_ckch memory leak
BUG/MINOR: ssl: ssl_sock_load_sctl_from_file memory leak
Florian Tham (2):
MINOR: http: Add 410 to http-request deny
MINOR: http: Add 404 to http-request deny
Ilya Shipitsin (8):
BUILD: travis-ci: link with ssl libraries using rpath instead of
LD_LIBRARY_PATH/DYLD_LIBRARY_PATH
BUILD: travis-ci: reenable address sanitizer for clang builds
BUILD: CI: modernize cirrus-ci
BUILD: cirrus-ci: choose proper openssl package name
REGTEST: set_ssl_cert.vtc: replace "echo" with "printf"
BUILD: CI: introduce ARM64 builds
BUILD: ssl: more elegant anti-replay feature presence check
BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
Jerome Magnin (3):
BUG/MINOR: stream: don't mistake match rules for store-request rules
BUG/MINOR: pattern: handle errors from fgets when trying to load patterns
BUILD: pattern: include errno.h
Julien Pivotto (2):
DOC: Fix ordered list in summary
DOC: proxies: HAProxy only supports 3 connection modes
Kevin Zhu (1):
BUG/MEDIUM: http-ana: Truncate the response when a redirect rule is
applied
Lukas Tribus (1):
BUILD: ssl: improve SSL_CTX_set_ecdh_auto compatibility
Mathias Weiersmueller (1):
DOC: clarify matching strings on binary fetches
Olivier Houchard (12):
BUG/MEDIUM: tasks: Make sure we switch wait queues in task_set_affinity().
BUG/MEDIUM: checks: Make sure we set the task affinity just before
connecting.
BUG/MEDIUM: kqueue: Make sure we report read events even when no data.
BUG/MEDIUM: ssl: Don't set the max early data we can receive too early.
BUG/MEDIUM: ssl: Revamp the way early data are handled.
BUG/MEDIUM: fd/threads: fix a concurrency issue between add and rm on the
same fd
BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is
ready.
BUG/MEDIUM: connections: Hold the lock when wanting to kill a connection.
MINOR: ssl: Remove unused variable "need_out".
BUG/MEDIUM: tasks: Use the MT macros in tasklet_free().
BUG/MEDIUM: mux_h1: Don't call h1_send if we subscribed().
BUG/MEDIUM: raw_sock: Make sur the fd and conn are sync.
Rosen Penev (1):
BUG/MINOR: ssl: openssl-compat: Fix getm_ defines
Tim Duesterhus (7):
CLEANUP: ssl: Clean up error handling
DOC: Clarify behavior of server maxconn in HTTP mode
MINOR: sample: Validate the number of bits for the sha2 converter
DOC: Fix copy and paste mistake in http-response replace-value doc
BUG/MINOR: cache: Fix leak of cache name in error path
BUG/MINOR: dns: Make dns_query_id_seed unsigned
CLEANUP: Consistently `unsigned int` for bitfields
William Dauchy (9):
BUG/MINOR: contrib/prometheus-exporter: decode parameter and value only
CLEANUP: dns: resolution can never be null
MINOR: config: disable busy polling on old processes
CLEANUP: mux-h2: remove unused goto "out_free_h2s"
CLEANUP: server: remove unused err section in server_finalize_init
CLEANUP: ssl: remove opendir call in ssl_sock_load_cert
DOC: clarify crt-base usage
CLEANUP: compression: remove unused deinit_comp_ctx section
CLEANUP: proxy: simplify proxy_parse_rate_limit proxy checks
William Lallemand (12):
DOC: ssl/cli: set/commit/abort ssl cert
BUG/MINOR: ssl/cli: 'ssl cert' cmd only usable w/ admin rights
BUG/MINOR: ssl/cli: don't overwrite the filters variable
MINOR: ssl/cli: 'show ssl cert' give information on the certificates
BUG/MINOR: ssl/cli: fix build for openssl < 1.0.2
REGTEST: ssl: test the "set ssl cert" CLI command
REGTEST: run-regtests: implement #REQUIRE_BINARIES
BUG/MINOR: cli/mworker: can't start haproxy with 2 programs
REGTEST: mcli/mcli_start_progs: start 2 programs
BUG/MEDIUM: mworker: remain in mworker mode during reload
BUG/MEDIUM: cli: _getsocks must send the peers sockets
CLEANUP: cli: deduplicate the code in _getsocks
Willy Tarreau (84):
DOC: this is development again
MINOR: version: this is development again, update the status
SCRIPTS: update create-release to fix the changelog on new branches
BUILD/MINOR: trace: fix use of long type in a few printf format strings
DOC: move the "group" keyword at the right place
MEDIUM: init: prevent process and thread creation at runtime
BUG/MEDIUM: stream-int: don't subscribed for recv when we're trying to
flush data
BUG/MINOR: stream-int: avoid calling rcv_buf() when splicing is still
possible
BUG/MEDIUM: listener/thread: fix a race when pausing a listener
MINOR: debug: replace popen() with pipe+fork() in "debug dev exec"
MEDIUM: init: set NO_NEW_PRIVS by default when supported
BUG/MINOR: proxy: make soft_stop() also close FDs in LI_PAUSED state
BUG/MINOR: listener/threads: always use atomic ops to clear the FD events
BUG/MINOR: listener: also clear the error flag on a paused listener
BUG/MEDIUM: listener/threads: fix a remaining race in the listener's
accept()
MINOR: listener: make the wait paths cleaner and more reliable
MINOR: listener: split dequeue_all_listener() in two
REORG: listener: move the global listener queue code to listener.c
DOC: document the listener state transitions
BUG/MAJOR: dns: add minimalist error processing on the Rx path
BUG/MEDIUM: proto_udp/threads: recv() and send() must not be exclusive.
DOC: listeners: add a few missing transitions
BUG/MINOR: tasks: only requeue a task if it was already in the queue
MINOR: tasks: split wake_expired_tasks() in two parts to avoid useless
wakeups
DOC: remove references to the outdated architecture.txt
BUG/MINOR: log: fix minor resource leaks on logformat error path
BUG/MINOR: mworker: properly pass SIGTTOU/SIGTTIN to workers
BUG/MINOR: listener: do not immediately resume on transient error
BUG/MINOR: server: make "agent-addr" work on default-server line
BUG/MINOR: listener: fix off-by-one in state name check
BUILD/MINOR: unix sockets: silence an absurd gcc warning about strncpy()
DOC: clarify the fact that replace-uri works on a full URI
BUG/MINOR: sample: fix the closing bracket and LF in the debug converter
BUG/MINOR: sample: always check converters' arguments
MINOR: debug: support logging to various sinks
MINOR: http: add a new "replace-path" action
MINOR: task: only check TASK_WOKEN_ANY to decide to requeue a task
BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreing requeuing
MINOR: fd/threads: make _GET_NEXT()/_GET_PREV() use the volatile attribute
REGTEST: make the "set ssl cert" require version 2.1
BUG/MEDIUM: state-file: do not allocate a full buffer for each server
entry
BUG/MINOR: state-file: do not store duplicates in the global tree
BUG/MINOR: state-file: do not leak memory on parse errors
BUG/MINOR: checks: refine which errno values are really errors.
BUG/MINOR: connection: only wake send/recv callbacks if the FD is active
CLEANUP: connection: conn->xprt is never NULL
MINOR: pollers: add a new flag to indicate pollers reporting ERR & HUP
MEDIUM: tcp: make tcp_connect_probe() consider ERR/HUP
REORG: connection: move tcp_connect_probe() to conn_fd_check()
MINOR: connection: check for connection validation earlier
MINOR: connection: remove the double test on xprt_done_cb()
CLEANUP: connection: merge CO_FL_NOTIFY_DATA and CO_FL_NOTIFY_DONE
MINOR: poller: do not call the IO handler if the FD is not active
OPTIM: epoll: always poll for recv if neither active nor ready
OPTIM: polling: do not create update entries for FD removal
BUG/MEDIUM: session: do not report a failure when rejecting a session
MEDIUM: dns: implement synchronous send
MINOR: raw_sock: make sure to disable polling once everything is sent
BUG/MAJOR: listener: do not schedule a task-less proxy
BUG/MINOR: mux-h2: use a safe list_for_each_entry in h2_send()
BUG/MEDIUM: mux-h2: fix missing test on sending_list in previous patch
MEDIUM: lua: don't call the GC as often when dealing with outgoing
connections
BUG/MEDIUM: mux-h2: don't stop sending when crossing a buffer boundary
BUG/MAJOR: hashes: fix the signedness of the hash inputs
REGTEST: add sample_fetches/hashes.vtc to validate hashes
BUG/MEDIUM: connection: add a mux flag to indicate splice usability
MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
MINOR: stream-int: remove dependency on CO_FL_WAIT_ROOM for rcv_buf()
MEDIUM: connection: get rid of CO_FL_CURR_* flags
MEDIUM: mux-h2: do not try to stop sending streams on blocked mux
MEDIUM: mux-fcgi: do not try to stop sending streams on blocked mux
MEDIUM: mux-h2: do not make an h2s subscribe to itself on deferred shut
MEDIUM: mux-fcgi: do not make an fstrm subscribe to itself on deferred
shut
REORG: stream/backend: move backend-specific stuff to backend.c
MEDIUM: backend: move the connection finalization step to
back_handle_st_con()
MEDIUM: connection: merge the send_wait and recv_wait entries
MEDIUM: xprt: merge recv_wait and send_wait in xprt_handshake
MEDIUM: ssl: merge recv_wait and send_wait in ssl_sock
MEDIUM: mux-h1: merge recv_wait and send_wait
MEDIUM: mux-h2: merge recv_wait and send_wait event notifications
MEDIUM: mux-fcgi: merge recv_wait and send_wait event notifications
MINOR: connection: make the last arg of subscribe() a struct wait_event*
CLEANUP: pattern: remove the pat_time definition
[RELEASE] Released version 2.2-dev1
---