Hi, HAProxy 2.2.10 was released on 2021/03/03. It added 53 new commits after version 2.2.9.
This release contains more or less the same fixes as the freshly announced 2.3.6:

  - Dragan addressed a long-standing issue in the way variables are used as arguments to converters. First, they were never locked, resulting in bad things when accessing shared variables in the "proc" scope. Second, the argument was improperly checked: if it didn't parse, it was implicitly treated as a variable, but that could die in some circumstances (such as truncated base64 values passed to "base64"). Dragan had no other option but to add boot-time config checks that may trigger errors on currently invalid configs that silently validate. If it proves to be problematic, we could try to replace the error with a warning and use whatever we find reliable enough.

  - Willy fixed a thread-safety issue when a stream was killed on a hard-stop or when using "shutdown sessions" over the CLI. The streams list was not locked, which might lead to a crash if an already dead stream was shut down. Now these operations use thread_isolate() to guarantee that no other threads are running at the same time.

  - Willy also optimized the health_adjust() function by reducing the server lock scope, grabbing it only when required. This function is used to adjust the server status depending on the communication with the server, via the "observe" parameter. He also fixed a time wrapping issue in this function, a bug introduced with the feature more than 10 years ago, preventing some health checks from being immediately triggered half of the time.

  - Two bugs were fixed in the H1 multiplexer. The first one is a regression: the client side might be blocked at the end of a transaction if a "Connection: upgrade" header was found in a response other than 101-Switching-Protocol, preventing the following request from being parsed. This happened because of a missing flag on the server-side H1 connection, keeping it attached to the stream. The second one was an issue with responses to CONNECT requests other than 200-OK: if the requested tunnel establishment was not performed by the server, the end of the transaction was not properly detected, closing the connection on the client side.

  - Willy fixed another very old bug (13 years!) about queue and tarpit timeouts being picked from the last defaults section during the configuration validity check. The wrong defaults section was consulted: it should be the one preceding the evaluated proxy. The worst part is that it might have randomly worked by accident for some configurations when there was a single defaults section, but it has certainly caused too short queue expirations once another defaults section with these timeouts explicitly defined was added later in the file.

  - A segmentation fault in the SPOE filter was fixed when a logger to a ring buffer was used: the corresponding sink was not resolved during the post-parsing stage. In addition, in multi-threaded mode, SPOE applets are now killed if there are pending connections. This is important so that queued sessions do not wait forever. SPOE connections are persistent and sticky to a thread, so with a low maxconn value (for instance 1), some threads might hold all available slots, leaving other threads with no free slots.

  - Two issues were fixed in the DNS resolvers. The first one concerned the loading of obsolete server IP/port values when a server-state file was used: this information was not reset when a server resolution failed or when obsolete SRV records were removed. The other issue was the unconditional TTL renewal of SRV records found in a DNS response: SRV records with no additional record were never expired.

  - The server-state-file-name directive was fixed. Since the beginning, contrary to what the documentation said, this directive could not be used without a parameter; to use the backend name as the file name, the undocumented parameter "use-backend-name" had to be used instead. Now both modes are supported. Another issue with the server-state file was fixed: if the name of the local server-state file was too long, fopen() was called with a NULL file name. Finally, the RMAINT admin mode is now ignored when a server state is loaded. Before, when this admin mode was set, an error was reported, preventing the server state from being loaded.

  - The tracked sessions counter was not atomically incremented, resulting in occasional slightly off values.

  - The smp_is_safe() function was fixed. Zero-size string samples were not systematically considered unsafe; in some circumstances such a sample could be considered safe by reading one byte past the end of the buffer.

  - The HTTP return action was fixed when configured on the response side. The server response status code, if any, was used instead of the one configured on the HTTP return action.

  - Address assignment for address-less servers was fixed to handle both IPv4 and IPv6 by setting the right address family.

  - The set-dst action was buggy: the original port was not set for IPv4 addresses. It was also a problem for UNIX sockets, where the port was not set to 0 and had an undefined value.

  - The processing of the HTTP originalto option was fixed to only consider the destination address: the address family of the source address was tested instead of the destination one.

  - Not a fix but an improvement: thanks to Amaury, a connection header may now be specified on "http-check send" lines. This way, it is possible to implement a websocket upgrade check.

Thanks to everyone for this release!
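To see which defaults section a proxy inherits its unset timeouts from, here is a constructed configuration (not from the announcement); before 2.2.10 the "app" backend wrongly inherited the 2s queue timeout from the later defaults section, while now it correctly gets 60s from the one preceding it:

```haproxy
# First defaults section: applies to every proxy declared after it,
# up to the next "defaults" keyword.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout queue   60s     # inherited by "app" since it does not set its own

backend app
    # "timeout queue" is left unset here on purpose so it comes from defaults.
    server s1 192.0.2.10:8080 check

# Second defaults section, declared later in the file. It only governs proxies
# that follow it; the fixed validity check no longer lets these values leak
# into "app" above.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout queue   2s
    timeout tarpit  1s

backend api
    # This backend really does get queue=2s and tarpit=1s.
    server s2 192.0.2.11:8080 check
```

A quick way to check whether a running configuration was affected is to compare the queue timeout each backend actually uses ("show backend" followed by the relevant stats fields on the CLI) against the defaults section that precedes it in the file.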
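The websocket upgrade check mentioned in the last item, as a constructed example (not taken from the announcement) that relies on the 2.2.10 change letting "http-check send" carry an explicit Connection header instead of the default "Connection: close"; the host name, path and server address are placeholders, and the Sec-WebSocket-Key is the sample nonce from RFC 6455:

```haproxy
backend ws_pool
    mode http
    option httpchk
    # Send a genuine websocket handshake. Before 2.2.10 the "Connection"
    # header given here was ignored and replaced by "Connection: close",
    # so the server would never answer 101.
    http-check send meth GET uri /ws ver HTTP/1.1 \
        hdr Host ws.example.test \
        hdr Connection Upgrade \
        hdr Upgrade websocket \
        hdr Sec-WebSocket-Version 13 \
        hdr Sec-WebSocket-Key dGhlIHNhbXBsZSBub25jZQ==
    # Only a completed upgrade counts as healthy: a 200 from a fallback
    # HTTP handler, or a 426/400 from a websocket-only endpoint, marks
    # the server DOWN.
    http-check expect status 101
    server ws1 192.0.2.20:8080 check inter 5s fall 3 rise 2
```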
Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
   Changelog        : http://www.haproxy.org/download/2.2/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :
Amaury Denoyelle (2):
      MINOR: check: do not ignore a connection header for http-check send
      BUG/MINOR: backend: hold correctly lock when killing idle conn

Baptiste Assmann (1):
      BUG/MINOR: resolvers: new callback to properly handle SRV record errors

Christopher Faulet (25):
      BUG/MINOR: http-ana: Don't increment HTTP error counter on internal errors
      BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
      BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
      BUG/MINOR: server: Fix server-state-file-name directive
      CLEANUP: deinit: release global and per-proxy server-state variables on deinit
      BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
      BUG/MINOR: server: Remove RMAINT from admin state when loading server state
      BUG/MINOR: sample: Always consider zero size string samples as unsafe
      BUG/MEDIUM: spoe: Resolve the sink if a SPOE logs in a ring buffer
      BUG/MINOR: http-rules: Always replace the response status on a return action
      BUG/MINOR: server: Init params before parsing a new server-state line
      BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
      BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
      BUG/MINOR: resolvers: Fix condition to release received ARs if not assigned
      BUG/MINOR: resolvers: Only renew TTL for SRV records with an additional record
      BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
      BUG/MEDIUM: resolvers: Reset address for unresolved servers
      CLEANUP: muxes: Remove useless if condition in show_fd function
      BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
      BUG/MINOR: http-ana: Only consider dst address to process originalto option
      BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
      BUG/MINOR: connection: Use the client's dst family for adressless servers
      BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
      DOC: spoe: Add a note about fragmentation support in HAProxy
      BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout

Dragan Dosen (2):
      BUG/MINOR: sample: secure convs that accept base64 string and var name as args
      BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe

Emeric Brun (1):
      CLEANUP: channel: fix comment in ci_putblk.

Eric Salama (1):
      BUG/MINOR: ssl: potential null pointer dereference in ckchs_dup()

Ilya Shipitsin (4):
      BUILD: ssl: fix typo in HAVE_SSL_CTX_ADD_SERVER_CUSTOM_EXT macro
      BUILD: ssl: guard SSL_CTX_add_server_custom_ext with special macro
      BUILD: ssl: guard SSL_CTX_set_msg_callback with SSL_CTRL_SET_MSG_CALLBACK macro
      BUILD: ssl: introduce fine guard for OpenSSL specific SCTL functions

Tim Duesterhus (2):
      MINOR: Configure the `cpp` userdiff driver for *.[ch] in .gitattributes
      BUG/MINOR: mux-h2: Fix typo in scheme adjustment

William Dauchy (2):
      BUG/MINOR: server: re-align state file fields number
      DOC: tune: explain the origin of block size for ssl.cachesize

William Lallemand (1):
      BUG/MINOR: ssl/cli: potential null pointer dereference in "set ssl cert"

Willy Tarreau (12):
      BUG/MINOR: intops: fix mul32hi()'s off-by-one
      BUG/MEDIUM: config: don't pick unset values from last defaults section
      BUG/MINOR: stats: revert the change on ST_CONVDONE
      BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines
      BUG/MINOR: session: atomically increment the tracked sessions counter
      BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
      DOC: explain the relation between pool-low-conn and tune.idle-pool.shared
      BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
      BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
      BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
      BUG/MINOR: fd: properly wait for !running_mask in fd_set_running_excl()
      BUG/MEDIUM: checks: don't needlessly take the server lock in health_adjust()

--
Christopher Faulet