Hi,
HAProxy 2.3.6 was released on 2021/03/03. It added 55 new commits after
version 2.3.5.
Several fixes for this release, most of them are minor, but some ones may
have visible effects :
- An issue leading to possible infinite loops because of a double locking
effect in the mt lists was fixed by Olivier. If MT_LIST_TRY_ADDQ()
macro, it was possible to try to lock twice the same element, making the
second lock attempt to fail in loop.
- Dragan addressed a long-standing issue in the way variables are used as
arguments to converters. First they were never locked, resulting in bad
things when accessing shared variables in the "proc" scope. And the
argument was improperly checked: if it didn't parse it was implicitly a
variable, but that could die in some circumstances (such as truncated
base64 values to "base64"). Dragan had no other option but to add
boot-time config checks that may trigger errors on currently invalid
configs that silently validate. If it proves to be problematic, we could
try to replace the error with a warning and use whatever we find
reliable enough.
- Willy fixed a thread-safety issue when a stream was killed on a
hard-stop or when using "shutdown sessions" over the CLI. The streams
list was not locked. This issue might lead to a crash if an already dead
stream was shut down. Now, these operations are using thread_isolate()
to guarantee no other threads are running in same time.
- Willy also optimized the health_adjust() function by reducing the server
lock scope, grabbing it only when required. This function is used to
adjust the server status depending on the communication with the server,
via the "observe" parameter. He also fixed a time wrapping issue in this
function, a bug introduced with the feature, more than 10 years ago,
preventing some health-checks to be immediately triggered half of the
time.
- Two bugs were fixed on the H1 multiplexer. The first one is a
regression. The client side might be blocked at the end of a transaction
if a "Connection: upgrade" was found in a response other than
101-Switching-Protocol, preventing the following request to be
parsed. This happened because of a missing flag on the H1 connection on
the server side, keeping it attached to the stream. The second one was
an issue with the responses to CONNECT requests other than 200-Ok. If
the requested tunnel establishment was not performed by a server, the
end of the transaction was not properly detected, closing the connection
on the client side.
- Willy fixed another very old bug (13 years !) about queue and tarpit
timeouts picked from the last defaults section during the configuration
check validity. Looking at the wrong defaults section. It should be the
one before the evaluated proxy. The worst part of it is that it might
have randomly worked by accident for some configurations when there was
a single defaults section, but has certainly caused too short queue
expirations once another defaults section was added later in the file
with these explicitly defined.
- A segmentation fault in the SPOE filter was fixed when a logger to a
ring buffer was used. The corresponding sink was not resolved during the
post parsing staged. In addition, in multi-threaded mode, the SPOE
applets are now killed if there are pending connections. This is
important to not let queued sessions waiting forever. SPOE connections
are persistent and sticky to a thread. Thus with a low maxconn value,
for instance 1, some threads might hold all available slots, leaving
other threads with no free slots.
- Two issues were fixed on the DNS resolvers. The first one was about the
loading of obsoletes server ip/port when a server-state file was
used. These information were not reset when an server resolution failed
or when obsoletes SRV records were removed. Another issue was about the
unconditional TTL renew of SRV records when found in a DNS response.
SRV records with no additional record were never expired.
- The server-state-file-name directive was fixed. Since the beginning, in
contrary to what the documentation said, this directive was not able to
be used with no parameter. To use the backend name as file name, the
undocumented parameter "use-backend-name" had to be used instead. Now,
both modes are supported. Another issue about the server-state file was
fixed. If the name of local server-state file was too long, the fopen()
function was called with a NULL file name. Finally, the RMAINT admin
mode is now ignored when a server state is loaded. Before, when this
admin mode was set, an error was reported, preventing the server state
to be loaded.
- The tracked sessions counter was not atomically incremented, resulting
in occasional slightly off values.
- The smp_is_safe() function was fixed. Zero size string samples were not
systematically considered as unsafe. In some circumstances, it was
possible to consider such samples as safe by reading one byte after the
buffer.
- The HTTP return action was fixed when configured on the response
side. The server response status code, if any, was used instead of the
one of the HTTP return action.
- The matching on the "no-maint" option in the stats page was buggy,
hiding maintenance servers when "norefresh" option was used.
- Address assignment for address-less servers was fixed to be able to
handle IPv4 and IPv6 by setting the right address family.
- The set-dst action was buggy. The original port was not set for IPv4
address. It was a problem for UNIX sockets, the port was not set to 0
and had an undefined value.
- The processing of the HTTP originalto action was fixed to only consider
the destination address. The address family of the source address was
tested and not the destination one.
- Not a fix but an improvement. Thanks to Amaury, a connection header may
now be specified on "http-check send" lines. This way, it is possible to
implement a websocket upgrade check.
Thanks to everyone for this release !
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.3/src/
Git repository : http://git.haproxy.org/git/haproxy-2.3.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.3.git
Changelog : http://www.haproxy.org/download/2.3/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Amaury Denoyelle (3):
MINOR: check: do not ignore a connection header for http-check send
BUG/MINOR: backend: hold correctly lock when killing idle conn
BUG/MINOR: stats: fix compare of no-maint url suffix
Baptiste Assmann (1):
BUG/MINOR: resolvers: new callback to properly handle SRV record errors
Christopher Faulet (25):
BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors
BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
BUG/MINOR: server: Fix server-state-file-name directive
CLEANUP: deinit: release global and per-proxy server-state variables on
deinit
BUG/MINOR: server: Don't call fopen() with server-state filepath set to
NULL
BUG/MINOR: server: Remove RMAINT from admin state when loading server
state
BUG/MINOR: sample: Always consider zero size string samples as unsafe
BUG/MEDIUM: spoe: Resolve the sink if a SPOE logs in a ring buffer
BUG/MINOR: http-rules: Always replace the response status on a return
action
BUG/MINOR: server: Init params before parsing a new server-state line
BUG/MINOR: server: Be sure to cut the last parsed field of a server-state
line
BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
BUG/MINOR: resolvers: Fix condition to release received ARs if not
assigned
BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional
record
BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV
records
BUG/MEDIUM: resolvers: Reset address for unresolved servers
CLEANUP: muxes: Remove useless if condition in show_fd function
BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
BUG/MINOR: http-ana: Only consider dst address to process originalto
option
BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4
set-dst rule
BUG/MINOR: connection: Use the client's dst family for adressless servers
BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread
> 1
DOC: spoe: Add a note about fragmentation support in HAProxy
BUG/MINOR: http-ana: Don't increment HTTP error counter on read
error/timeout
Dragan Dosen (2):
BUG/MINOR: sample: secure convs that accept base64 string and var name as
args
BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
Emeric Brun (1):
CLEANUP: channel: fix comment in ci_putblk.
Eric Salama (1):
BUG/MINOR: ssl: potential null pointer dereference in ckchs_dup()
Ilya Shipitsin (4):
BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro
BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro
BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK
macro
BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions
Olivier Houchard (1):
BUG/MEDIUM: lists: Avoid an infinite loop in MT_LIST_TRY_ADDQ().
Tim Duesterhus (2):
MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes
BUG/MINOR: mux-h2: Fix typo in scheme adjustment
William Dauchy (2):
BUG/MINOR: server: re-align state file fields number
DOC: tune: explain the origin of block size for ssl.cachesize
William Lallemand (1):
BUG/MINOR: ssl/cli: potential null pointer dereference in "set ssl cert"
Willy Tarreau (12):
BUG/MINOR: intops: fix mul32hi()'s off-by-one
BUG/MEDIUM: config: don't pick unset values from last defaults section
BUG/MINOR: stats: revert the change on ST_CONVDONE
BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy
lines
BUG/MINOR: session: atomically increment the tracked sessions counter
BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
BUG/MEDIUM: checks: don't needlessly take the server lock in
health_adjust()
DOC: explain the relation between pool-low-conn and tune.idle-pool.shared
BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
BUG/MINOR: fd: properly wait for !running_mask in fd_set_running_excl()
--
Christopher Faulet