Hi,
HAProxy 2.0.16 was released on 2020/07/17. It added 45 new commits after version
2.0.15.
A major issue was fixed when a connection retry is performed after a failure. In
this case, a new connection was created but the destination address was not set
again. So, if the connection was recycled from the memory pool, the previous
address was used, leading to a connection established to a random destination
(to any server in any backend). If a freshly allocated connection was used, no
destination address was set, leading to an internal error. The bug comes from a
recent fix to avoid some crashes when using L7 retries. Only 2.0.15 is
affected by this bug. Many thanks to Michael Wimmesberger for his detailed bug
report and his reproducer.
This bug reveals another one about connection retries when the plain HTTP proxy
mode is used (http_proxy option). On 2.0.15, it does not work anymore
because, on failure, the connection is released and, with it, all information
about the destination address it carried. Because there was no simple solution
to fix this bug and because it is not a very commonly used option, we decided to
simply disable connection retries in this case. This limitation is specific
to the 2.0 branch.
Some splicing issues for HTTP/1 sessions were fixed. A freeze of the
connection may be experienced if a shutdown for reads is received while
splicing is in use. Another freeze may also be experienced if more than
tune.recv_enough bytes are moved to a pipe and immediately sent. It happens
because the FD's ability to read is not re-enabled after a successful send on
the opposite side. To fix the bug, the FD's ability to read is no longer checked
when we try to move data to a pipe. At worst, we have an extra syscall from time
to time. Next, a wakeup loop on an HTTP/1 connection was fixed. It may happen
if splicing is in use with no data in the pipe. Finally, splicing now
works again for connections in tunnel mode.
A bug leading to a wakeup loop of the Lua cosocket's applet was fixed. It is
due to an old bug in the way data are read on a Lua cosocket, especially if the
read per line is used. An unfinished line is never consumed, even if a shutdown
for writes is pending. The applet is woken up in a loop to flush the data to ack
the shutdown for writes but data are never consumed.
And, as usual, a bunch of fixes or minor changes here and there. Among others :
- An old issue about the watchdog triggering when reloading huge maps was
  fixed.
- The hdr_ip sample fetch function was fixed. It could parse more characters
  than really present in the sample, occasionally causing some trailing
  digits present in a previous sample to be read.
- Pattern matching against strings was fixed to be sure to always add a
  trailing null character to the tested string. If the buffer is not large
  enough, it is now duplicated. This fixes a possible buffer overflow.
- The command line finally supports escaping spaces using a backslash, thanks
  to Yves Lafon, and to William who could adjust the master CLI code to match
  it.
- "show sess" would endlessly dump new streams when they arrive too fast. It
  was a real pain so now it will only dump past the last stream known at the
  moment the command is typed. This means that it may show fewer streams than
  the total, but will not result in multi-gigabyte dumps anymore.
- New set of ssl_s_* sample fetch functions to retrieve information about a
  server's SSL certificate.
- For systemd users, the network dependency to start haproxy in the unit file
  was fixed, thanks to a patch from Ryan O'Hara. It will now wait for an
  online network. This is so that those who use DNS names where addresses are
  expected don't have startup failures at boot.
- 404, 410 and 413 status codes are now supported in errorfiles.
Don't forget to update to this version if you are using the 2.0 branch,
especially if you are running 2.0.15.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.0/src/
Git repository : http://git.haproxy.org/git/haproxy-2.0.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.0.git
Changelog : http://www.haproxy.org/download/2.0/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Anthonin Bonnefoy (1):
      MINOR: http: Add support for http 413 status
Christopher Faulet (14):
      REGTEST: Add a simple script to tests errorfile directives in proxy sections
      MINOR: spoe: Don't systematically create new applets if processing rate is low
      BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
      BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
      BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
      BUG/MINOR: mux-h1: Disable splicing only if input data was processed
      BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
      BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
      BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
      BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
      BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
      BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
      BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
      BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
Emeric Brun (1):
      BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
Florian Tham (2):
      MINOR: http: Add 410 to http-request deny
      MINOR: http: Add 404 to http-request deny
Miroslav Zagorac (1):
      BUG/MINOR: spoe: correction of setting bits for analyzer
Ryan O'Hara (1):
      BUG/MINOR: systemd: Wait for network to be online
Tim Duesterhus (4):
      BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
      BUG/MINOR: http_act: don't check capture id in backend (2)
      BUG/MINOR: sample: Free str.area in smp_check_const_bool
      BUG/MINOR: sample: Free str.area in smp_check_const_meth
William Lallemand (7):
      BUG/MINOR: mworker/cli: fix the escaping in the master CLI
      BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
      REGTEST: http-rules: test spaces in ACLs
      REGTEST: http-rules: test spaces in ACLs with master CLI
      REGTEST: ssl: tests the ssl_f_* sample fetches
      REGTEST: ssl: add some ssl_c_* sample fetches test
      DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list
Willy Tarreau (13):
      BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
      BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
      BUG/MINOR: spoe: add missing key length check before checking key names
      MEDIUM: map: make the "clear map" operation yield
      BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
      MINOR: cli: make "show sess" stop at the last known session
      BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
      BUG/MINOR: proxy: always initialize the trash in show servers state
      DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
      DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
      MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
      DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
      CONTRIB: da: fix memory leak in dummy function da_atlas_open()
Yves Lafon (1):
      BUG/MINOR: cli: allow space escaping on the CLI
---
--
Christopher Faulet
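
The hdr_ip and pattern-matching items in the announcement above both concern a length-delimited sample handed to code that expects a NUL terminator. The C example below is added here to illustrate that bug class and is not HAProxy code: the function names, the parser and the constructed buffer are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Strict dotted-quad parser for a NUL-terminated string: 1 = ok, 0 = error. */
static int parse_ipv4_cstr(const char *s, uint32_t *out) {
    uint32_t addr = 0;
    for (int i = 0; i < 4; i++) {
        unsigned val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (unsigned)(*s++ - '0');
            if (++digits > 3 || val > 255)
                return 0;
        }
        if (!digits || (i < 3 && *s++ != '.'))
            return 0;
        addr = (addr << 8) | val;
    }
    if (*s != '\0')
        return 0;
    *out = addr;                      /* host byte order */
    return 1;
}

/* Before: the sample length is ignored, so parsing runs to the next NUL. */
static int sample_to_ipv4_unsafe(const char *area, size_t len, uint32_t *out) {
    (void)len;
    return parse_ipv4_cstr(area, out);
}

/* After: copy exactly len bytes to a private buffer and terminate it. */
static int sample_to_ipv4_safe(const char *area, size_t len, uint32_t *out) {
    char tmp[16];                     /* "255.255.255.255" plus NUL */
    if (len >= sizeof(tmp))
        return 0;
    memcpy(tmp, area, len);
    tmp[len] = '\0';
    return parse_ipv4_cstr(tmp, out);
}

/* Constructed buffer: current value "10.0.0.1" (8 bytes), then stale "23". */
static const char reused_buf[] = "10.0.0.123";
int main(void) {
    uint32_t a = 0, b = 0;
    sample_to_ipv4_unsafe(reused_buf, 8, &a);
    sample_to_ipv4_safe(reused_buf, 8, &b);
    printf("unsafe last octet: %u, safe last octet: %u\n",
           (unsigned)(a & 0xff), (unsigned)(b & 0xff));
    return 0;
}
```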