HAProxy 2.3.0 was released on 2020/11/05. It added 33 new commits after
version 2.3-dev9. I was right to wait a few more days before releasing,
we could spot two late regressions and fix them in time!

This time we're on schedule and that's great. It's also one of the benefits
of working more on features than for a target version. We could start with
some accumulated stuff pending in -next (which we'll do again by the way)
and focus more on features at the beginning of the cycle and more on fixes
and cleanups at the end.

Most of the changes in this version are not user-visible, as frustrating
as this can be, as they're more low-level stuff to prepare the ground to
accept new features for 2.4. With this said, I can still cite a few nice
new features which were already mentioned as they were merged but I know
not everyone reads development announces:

  - syslog forwarding / load balancing: we can now receive UDP/TCP syslog
    and forward the messages to any set of servers over UDP/TCP/unix etc,
    and even transcode the RFC3164/5424 formats as needed. A typical use
    case is to receive log from your infrastructure and load-balance them
    to a two-servers farm while keeping a local copy to a 3rd server. It
    makes use of the existing logging infrastructure and as such, benefits
    from its facilities. Check "log-forward" in the doc for more info.

  - the stats engine was improved to allow "modules" to register and provide
    their own counters. Actually these modules are all of the non-core stuff
    that was hard to integrate with the stats. Muxes are such an example,
    SSL is another one, more will come soon (actually I'm seeing that the
    SSL part was not merged in time for 2.3 but we may backport it later
    if needed). The problem was to add optional counters without breaking
    existing tools, and for this the stats output is cut in two parts, the
    fixed metrics first, a column named "-" and dynamic metrics which may
    change with your version, build options, etc. On the HTML stats page,
    these are optionally reported when "stats show-modules" is specified,
    in which case a new column is added with links to the relevant modules
    and their respective stats. The output isn't as pretty there since
    these stats by definition are of any type. But they're properly typed
    and available to all outputs, including Prometheus.

  - the second improvement in the stats is that they now support "domains",
    which allow modules to register stats for everything not a proxy or a
    server. The DNS stats that were available in "show resolvers" are now
    available in a generic way under "show stat domain dns". We can expect
    that peers, SPOE etc which do not directly interact with proxies will
    appear there in the near future.

  - another improvement to the stats is that it's now possible not to list
    servers that are in maintenance, typically because they were reserved
    using a server-template. Users with huge configs had to consume gigabytes
    of data because of this. This change was really trivial, and if this is
    something you're suffering from in an LTS version, let me know, maybe
    I'll accept to backport it to 2.2. Maybe.

  - the cache is now able to respond "304 not modified" to conditional
    requests instead of returning the full object. This will not change the
    cache hit ratio but could slightly lower the amount of data sent over
    the wire when the client already has an up-to-date content.

  - in "http-reuse safe" mode (the default one), we don't merge multiple
    clients' requests anymore. The reason behind this is to avoid the
    head-of-line blocking that results from merging multiple client
    connections into a same server connection when one of these clients
    is slow. This may result in slightly higher H2 connection counts on
    your servers if using H2 on the backend at high request rates, but
    in lower and stable response times for your users.

  - backend connections using a constant "sni()" expression will now
    support being reused. In the past they were closed, but some users
    have fixed strings there and there was no reason for not supporting
    them in an optimal way.

  - an option was added to decide how to match SSL file name extensions
    (either appending ".key" or replacing ".crt" with ".key"), because it
    used to be unconventional for some users to have "foo.crt.key" next
    to "foo.crt".

  - some minor adjustments were made to the non-deterministic LB algos to
    improve the resistance and ability to gracefully recover from bad
    situations (e.g. huge queues after a temporary network outage). They
    will avoid searching for a server if it's known that all are full. In
    addition, leastconn will now consider the server's queue length in
    addition to the connection count and will accept to append directly
    into the server's queue if that's considered better than any other
    server. This helps flush spikes better.

  - speaking of LB algorithms, "balance URI" got a new "path-only" option
    to only use the path and not the full URI so that origin/absolute URIs
    as found in HTTP/1 and HTTP/2 requests respectively hash similarly.
    This will improve the cache hit ratio for those using it to load balance
    cache farms.

  - there is a new "iif" converter that I think will help us simplify our
    configurations. It's a ternary operator, it returns arg1 or arg2
    depending on the input. This is convenient when deciding to report
    a protocol name versus another one, or "miss" versus "hit", or be
    combined after an strcmp() converter, etc.

  - we're progressively becoming less sensitive to version abuses by
    OpenSSL derivatives that claim to be similar to OpenSSL version X but
    do not fully implement its API. The work has begun to rely on more
    reliable patterns whenever possible to detect support of various

  - some long-announced option removals were finally done, particularly
    "option http-tunnel", "monitor-net" and "mode health", which were only
    working in some rare (and irrelevant) situations nowadays and forcing
    some architectural issues that prevented the code from evoling.

  - the "nbproc" directive was marked as deprecated and will be killed
    in 2.5. We've long past the point of its unsuitability to plenty of
    use cases, and now we're at a point where just keeping its support is
    regularly source of vicious bugs (like listeners not always being in
    the expected state), and will not be usable at all with any UDP-based
    protocol such QUIC. It will emit a warning inviting you to try without
    it or to use "nbthread 1" to shut the warning. If you're having trouble
    getting rid of it, I'm interested in knowing why.

  - the strict-limits are now on by default, so that if you start with a
    bogus configuration that it known to break under load (due to missing
    FDs to satisfy your maxconn for example), haproxy will now refuse to
    start so that you don't discover the hard way after the incident that
    it already warned you. Of course this can be disabled and developers
    or support teams will certainly continue to do so :-)

  - those running with large numbers of threads should observe a slightly
    lower CPU usage, as we managed to further reduce contention and locking
    cost in several hot code paths.

Some important changes were brought to the listeners code in preparation
of the extension to modern protocols such as QUIC, and resulted in a few
inevitable user-visible changes. One of them (which could be considered as
an improvement) is that you won't see "proxy blah started" anymore in your
boot logs, because it's not the proxies that are started but the listeners.
Another one, less visible, is that if you completely mess up with a failed
reload while having a conflicting port still listening in another daemon,
sometimes you could end up with a listener that would stay in pause, with
the proxy in error state and the impossibility to try to rebind that
listener without restarting the process. Now since the listeners are
totally autonomous, a reload cycle again (or just a SIGTTIN) are enough
to retry the binding and recover the listening port. I don't know why I'm
explaining this, I'm pretty sure nobody does that. Or at least I hope... :-)

Now for the next version, there's already quite a bunch of stuff queued up
into -next, and other stuff that I refused a few days ago that is going to
arrive soon. By the way on this last point, when I announce end of merging
of features, it's not to annoy people but because we need to stabilize
everything to test and fix issues, and we owe the testers some guarantees
that what they're testing doesn't change each time they update. Plus when
developers are busy fixing bugs they're not available for reviewing. I've
seen that a few trees continue to fill up with patches so I can expect some
features to land into 2.4 early in the cycle.

For this version I'd like to further shorten the merge window. I won't
anticipate a strict end date too early, but I would like that we don't
perform any sensitive change past February, and that we don't merge any
feature at all past end of March. That will leave us roughly two months
to debug and document before a release end of May, which is not too much
considering that it will be an LTS one. Depending how things go, we may
even advance these dates and close the doors earlier if we consider there
is enough stuff to keep everyone busy. So if you expect to get your
changes in, don't wait to raise your hand and show them!

I've been notified that Daniel has just published a detailed changelog
of 2.3 with config examples below, it contains more info and details
than what I wrote above so it's worth having a look at:


As a reminder, please be kind with your favorite OS package maintainers,
it always takes time to prepare a new release, so there's no need to
repeatedly ask them when their packages will be available, they will be
available when they're ready, as usual. Let's just give them a few days
to catch up.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.3/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.3.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
   Changelog        : http://www.haproxy.org/download/2.3/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

This time I think I got all the upload right, otherwise you know whom to
blame :-)

Have fun,
Complete changelog since 2.3-dev9:
Amaury Denoyelle (3):
      MINOR: mux_h2: capitalize frame type in stats
      MINOR: mux_h2: add stat for total count of connections/streams
      MINOR: stats: do not display empty stat module title on html

Christopher Faulet (8):
      BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
      BUG/MINOR: proxy/server: Skip per-proxy/server post-check for disabled 
      BUG/MINOR: checks: Report a socket error before any connection attempt
      BUG/MINOR: server: Set server without addr but with dns in RMAINT on 
      MINOR: server: Copy configuration file and line for server templates
      BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
      BUG/MINOR: filters: Skip disabled proxies during startup only
      CLEANUP: mux-h2: Remove the h1 parser state from the h2 stream

Daniel Corbett (1):
      DOC: Add dns as an available domain to show stat

Ilya Shipitsin (4):
      BUILD: ssl: use SSL_CTRL_GET_RAW_CIPHERLIST instead of OpenSSL versions
      BUILD: ssl: use HAVE_OPENSSL_KEYLOG instead of OpenSSL versions
      CI: github actions: limit OpenSSL no-deprecated builds to 
"default,bug,devel" reg-tests
      BUILD: ssl: use feature macros for detecting ec curves manipulation 

William Lallemand (1):
      MINOR: mworker/cli: the master CLI use its own applet

Willy Tarreau (16):
      CLEANUP: pattern: remove unused entry "tree" in pattern.val
      MINOR: debug: don't count free(NULL) in memstats
      BUG/MEDIUM: stick-table: limit the time spent purging old entries
      BUG/MEDIUM: listener: only enable a listening listener if needed
      BUG/MEDIUM: listener: never suspend inherited sockets
      BUG/MEDIUM: listener: make the master also keep workers' inherited FDs
      MINOR: fd: add fd_want_recv_safe()
      MEDIUM: listeners: make use of fd_want_recv_safe() to enable early 
      REGTESTS: mark abns_socket as working now
      MINOR: sock: add a check against cross worker<->master socket activities
      BUG/MEDIUM: server: make it possible to kill last idle connections
      MINOR: ssl: define SSL_CTX_set1_curves_list to itself on BoringSSL
      BUILD: makefile: usual reorder of objects for faster builds
      DOC: update INSTALL to mention that TCC is supported
      DOC: mention in INSTALL that haproxy 2.3 is a stable version
      MINOR: version: mention that it's stable now


Reply via email to