Hi,
HAProxy 2.2-dev6 was released on 2020/04/17. It added 88 new commits
after version 2.2-dev5.
It's a bit late as I would have preferred to emit that one earlier, but
anyway now it's available.
The changes are mostly split into 4 categories:
- bug fixes: 22 bugs were fixed since 2.2-dev5. It's worth noting that
this version is the first tagged 2.2-dev which includes the fix for
CVE-2020-11100 that's going to be published next week
- SSL runtime cert updates: William has completed his rework of the
certificate management so apparently (if my understanding is right)
any certificate can now be updated on the fly from the CLI, added
to or deleted from crt-list, etc. This was a long awaited feature but
now it's a reality. See William's e-mail below for all the details:
https://www.mail-archive.com/[email protected]/msg36927.html
- idle connections improvements: it was reported that under sustained
load, some connections were still occasionally dropped and recreated.
This was caused by the fact that we periodically kill half of the idle
ones. Now instead haproxy constantly monitors how many are needed on a
server, and it kills half of those which are not expected to be used
based on the previous period measurements. This way fluctuating loads
will keep even more connections reusable.
- troubleshooting: given that some users get trapped into running the
wrong haproxy executable when they install several of them on their
system, when haproxy emits an alert during the startup, it will now
also report its exact version and the path the executable was loaded
from (this last one is only on recent linux systems). This can help
detect a wrong path in an init script for example. In addition, there
is a new "zero-warning" mode which can be enabled using -dW or using
"zero-warning" in the global section, which turns any warning into a
fatal error to prevent it from starting. This can help for those who
are careful about keeping clean configs, or who want to enforce clean
configs on shared systems. Last, "haproxy -c" will now indicate at the
end if some warnings were found. This may be useful in check scripts.
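As an added example (not part of this mail or of the HAProxy project), a pre-reload check script built on the behaviour described above: "haproxy -c -dW" rejects a config that merely warns, and the same result can be obtained from inside the config with "zero-warning" in the global section. The binary location, file paths and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the HAProxy project: a pre-reload check script
# built on the new "-dW" / "zero-warning" behaviour (warnings become fatal).
# HAPROXY_BIN (default: haproxy on PATH) and all paths are assumptions.
HAPROXY_BIN="${HAPROXY_BIN:-haproxy}"

# write_cfg FILE [EXTRA_GLOBAL_LINE]: writes a constructed config that is
# valid but emits one warning: 'option httplog' in a tcp-mode frontend makes
# haproxy warn and fall back to tcplog. The optional second argument is
# appended to the global section (e.g. "zero-warning").
write_cfg() {
    {
        printf 'global\n'
        if [ -n "${2:-}" ]; then printf '    %s\n' "$2"; fi
        printf 'defaults\n    timeout connect 5s\n'
        printf '    timeout client 30s\n    timeout server 30s\n'
        printf 'frontend fe_tcp\n    mode tcp\n    option httplog\n'
        printf '    bind 127.0.0.1:18080\n    default_backend be_tcp\n'
        printf 'backend be_tcp\n    mode tcp\n    server s1 127.0.0.1:18081\n'
    } > "$1"
}

# check_cfg FILE [HAPROXY_FLAGS...]: runs "haproxy -c" and returns its exit
# status. Without -dW a warning still yields status 0; with -dW (or with
# "zero-warning" in the file's global section) the same warning fails the
# check, which is what a deploy hook wants before reloading.
check_cfg() {
    cfg="$1"; shift
    "$HAPROXY_BIN" -c -f "$cfg" "$@" >/dev/null 2>&1
}

# Usage from a deploy hook: ./check.sh /etc/haproxy/haproxy.cfg
if [ $# -gt 0 ]; then
    if check_cfg "$1" -dW; then
        echo "OK: $1 is valid and warning-free"
    else
        echo "REJECTED: $1 has errors or warnings (run: $HAPROXY_BIN -c -f $1)" >&2
        exit 1
    fi
fi
```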
The rest is very minor, usual code/doc/CI cleanups mostly. A new sample-
fetch function "so_name" reports the "name" field of the bind line that
accepted the incoming connection. A new "linux-musl" target was added to
the makefile because I believed I was the only one using it but I'm not,
so this can slightly help Docker users.
And I think that's about all for this one.
Regarding the pending stuff I'm aware of, Christopher told me he'll soon
have a first batch of health-check changes, Emeric will have some updates
to support syslog over TCP, there are a few patches still being discussed
on the list and bugs worth having a look at in the github tracker. But
overall I think we'll be good for end of May or early June.
If you're using a lot of SSL certificates or using them in a non-trivial
way, please give this one a try and report anything strange you might
notice, or anything you would find confusing in the way to manage your
certs. William did a lot of tests but we also know it's a very tricky
area where users are sometimes creative :-)
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Adam Mills (1):
DOC: hashing: update link to hashing functions
Baptiste Assmann (2):
CLEANUP: remove obsolete comments
BUG/MEDIUM: dns: improper parsing of aditional records
Daniel Corbett (1):
BUG/MINOR: stats: Fix color of draining servers on stats page
Dominik Froehlich (1):
CLEANUP: http: Fixed small typo in parse_http_return
Emmanuel Hocdet (4):
BUG/MINOR: ssl: memory leak when find_chain is NULL
CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain
MINOR: ssl: rework add cert chain to CTX to be libssl independent
MINOR: ssl: skip self issued CA in cert chain for ssl_ctx
Frédéric Lécaille (3):
BUG/MINOR: peers: Use after free of "peers" section.
BUG/MINOR: protocol_buffer: Wrong maximum shifting.
BUG/MINOR: peers: Incomplete peers sections should be validated.
Ilya Shipitsin (11):
CI: github actions: add weekly h2spec test
CLEANUP: assorted typo fixes in the code and comments
CLEANUP: src/fd.c: mask setsockopt with DISGUISE
CLEANUP: assorted typo fixes in the code and comments
CI: use better SSL library definition
CI: travis-ci: enable DEBUG_STRICT=1 for CI builds
CI: travis-ci: upgrade openssl to 1.1.1f
CI: cirrus-ci: rename openssl package after it is renamed in FreeBSD
CI: adopt openssl download script to download all versions
CLEANUP: assorted typo fixes in the code and comments
CLEANUP: assorted typo fixes in the code and comments
Jerome Magnin (2):
MINOR: listener: add so_name sample fetch
MEDIUM: stream: support use-server rules with dynamic names
Miroslav Zagorac (1):
DOC: internals: Fix spelling errors in filters.txt
Olivier Carrère (1):
DOC: Make how "option redispatch" works more explicit
Olivier Houchard (6):
BUG/MEDIUM: mux_h1: Process a new request if we already received it.
MINOR: build: Fix build in mux_h1
MINOR: servers: Add a counter for the number of currently used connections.
MEDIUM: connections: Revamp the way idle connections are killed
MINOR: connections: Don't mark conn flags 0x00000001 and 0x00000002 as unused.
BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
William Lallemand (46):
BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
MINOR: cli: add a general purpose pointer in the CLI struct
MINOR: ssl: add a list of bind_conf in struct crtlist
REORG: ssl: move SETCERT enum to ssl_sock.h
BUG/MINOR: ssl: ckch_inst wrongly inserted in crtlist_entry
REORG: ssl: move some functions above crtlist_load_cert_dir()
MINOR: ssl: use crtlist_free() upon error in directory loading
MINOR: ssl: add a list of crtlist_entry in ckch_store
MINOR: ssl: store a ptr to crtlist in crtlist_entry
MINOR: ssl/cli: update pointer to store in 'commit ssl cert'
MEDIUM: ssl/cli: 'add ssl crt-list' command
REGTEST: ssl/cli: test the 'add ssl crt-list' command
BUG/MINOR: ssl: entry->ckch_inst not initialized
REGTEST: ssl/cli: change test type to devel
MINOR: ssl: split the line parsing of the crt-list
MINOR: ssl/cli: support filters and options in add ssl crt-list
MINOR: ssl: add a comment above the ssl_bind_conf keywords
REGTEST: ssl/cli: tests options and filters w/ add ssl crt-list
REGTEST: ssl: pollute the crt-list file
BUG/MINOR: ssl/cli: initialize fcount int crtlist_entry
REGTEST: ssl/cli: add other cases of 'add ssl crt-list'
DOC: management: add the new crt-list CLI commands
BUG/MINOR: ssl/cli: fix spaces in 'show ssl crt-list'
MINOR: ssl/cli: 'del ssl crt-list' delete an entry
MINOR: ssl/cli: replace dump/show ssl crt-list by '-n' option
MINOR: ssl: improve the errors when a crt can't be open
BUG/MINOR: ssl/cli: lock the ckch structures during crt-list delete
MINOR: ssl/cli: improve error for bundle in add/del ssl crt-list
MINOR: ssl/cli: 'del ssl cert' deletes a certificate
BUG/MINOR: ssl: trailing slashes in directory names wrongly cached
BUG/MINOR: ssl/cli: memory leak in 'set ssl cert'
CLEANUP: ssl: use the refcount for the SSL_CTX'
CLEANUP: ssl/cli: use the list of filters in the crtlist_entry
BUG/MINOR: ssl: memleak of the struct cert_key_and_chain
CLEANUP: ssl: remove a commentary in struct ckch_inst
MINOR: ssl: initialize all list in ckch_inst_new()
MINOR: ssl: free instances and SNIs with ckch_inst_free()
MINOR: ssl: replace ckchs_free() by ckch_store_free()
BUG/MEDIUM: ssl/cli: trying to access to free'd memory
MINOR: ssl: ckch_store_new() alloc and init a ckch_store
MINOR: ssl: crtlist_new() alloc and initialize a struct crtlist
REORG: ssl: move some free/new functions
MINOR: ssl: crtlist_entry_{new, free}
BUG/MINOR: ssl: ssl_conf always set to NULL on crt-list parsing
MINOR: ssl: don't alloc ssl_conf if no option found
Willy Tarreau (9):
REGTEST: make the PROXY TLV validation depend on version 2.2
REGTEST: make the unique-id test depend on version 2.0
BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
BUG/MINOR: connection: always send address-less LOCAL PROXY connections
MINOR: init: report in "haproxy -c" whether there were warnings or not
MINOR: init: add -dW and "zero-warning" to reject configs with warnings
MINOR: init: report the compiler version in haproxy -vv
MINOR: init: report the haproxy version and executable path once on errors
BUILD: Makefile: add linux-musl to TARGET
---