Hi,

HAProxy 2.4.5 was released on 2021/10/01. It added 69 new commits
after version 2.4.4.

Several annoying bugs were fixed in this release. One of the most noticeable
was a session leakage because of a deadlock between the stream layer and the
H1 multiplexer, when HTTP analyzers were waiting for the message payload.
When the H1 multiplexer received an incomplete message, it was erroneously
asking the stream layer for more space to proceed while it had to wait for
more incoming data. Because the stream layer was also waiting for the
message payload, both were blocked infinitely.

Still about the H1 multiplexer, a possible infinite loop was fixed when a
parsing error was reported on a request. If HAProxy, for any reason, was not
able to send the error immediately, it was possible to loop infinitely on
the request processing, generating tons of internal error log messages. Now,
the message parsing is skipped if an error was already detected, preventing
any loop at this stage.

A very old bug was fixed in the Lua part. The wrong function was used to
start Lua tasks, leading to a process freeze if the call was performed when
the time was wrapping, one millisecond every 49.7 days. On this exact
millisecond, a Lua task was able to be queued with no expiration date,
preventing all subsequent timers from being seen as expired. A time
comparison was also fixed in the C function processing core.sleep() or
core.msleep() calls. Because of this bug, these functions were useless for
periods of 24 days every 49 days. Here again, it was an API bug. Finally,
channel.append() and channel.set() functions are no longer allowed to yield
to avoid any undefined behavior.
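
The class of wrapping-timer bug described above, as an added illustration that is not HAProxy's code: with a 32-bit millisecond counter that wraps about every 49.7 days, deadlines have to be compared by distance, and a value reserved for "no expiration" must never come out of ordinary arithmetic. All names here (NO_EXPIRY, deadline_after, expired_naive, expired_wrapsafe) are hypothetical, and reserving 0 as the "no expiration" value is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption of this sketch: time is a 32-bit millisecond counter that wraps
 * every 2^32 ms (about 49.7 days), and 0 is reserved for "no expiration". */
#define NO_EXPIRY 0u

/* Deadline delay_ms after now; never yields the reserved value by accident. */
uint32_t deadline_after(uint32_t now, uint32_t delay_ms)
{
    uint32_t t = now + delay_ms;        /* unsigned overflow wraps by definition */
    return t == NO_EXPIRY ? 1u : t;     /* 1 ms late rather than never */
}

/* Naive: orders absolute values, so it is wrong whenever the wrap lies
 * between now and the deadline. */
int expired_naive(uint32_t deadline, uint32_t now)
{
    return deadline != NO_EXPIRY && now >= deadline;
}

/* Wrap-safe: tests the distance modulo 2^32. Valid while deadline and now
 * are less than 2^31 ms (about 24.8 days) apart. */
int expired_wrapsafe(uint32_t deadline, uint32_t now)
{
    return deadline != NO_EXPIRY && (uint32_t)(now - deadline) < 0x80000000u;
}

int main(void)
{
    uint32_t now = 0xFFFFFFF0u;                 /* 16 ms before the wrap */
    uint32_t d = deadline_after(now, 100);      /* lands after the wrap */
    printf("deadline=%u naive=%d wrapsafe=%d\n", (unsigned)d,
           expired_naive(d, now), expired_wrapsafe(d, now));
    printf("at deadline: wrapsafe=%d\n", expired_wrapsafe(d, d));
    return 0;
}
```

The naive comparison fires the timer 100 ms early in the first case and would never fire for a deadline set just before the wrap and checked just after it.
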

A rare possibility to divide by zero in the leastconn balance algorithm
because of a thread-unsafe use of a shared variable was fixed.

The remaining fixes are less important:

  - It was announced that the "abortonclose" option fix was reverted in
    2.4.4 because it introduced a more annoying bug. This option is now
    fixed again, with hopefully no side effect this time.

  - The processing of upgrade requests in the H1 multiplexer was changed.
    Instead of returning a 501-Not-Implemented error if such requests
    contain a payload, the "Upgrade" header is now removed. This way, the
    upgrade is disabled but the request is still sent to the server. This
    change was required because some frameworks systematically try to
    perform an H2 upgrade on every request, including POST ones.

  - Some bugs were fixed on the filters management to properly handle client
    aborts and to be sure to always release allocated filters when a stream
    is released.

  - Amaury fixed a possible race condition if a dynamic server was deleted
    when the stats applet was using it. To do so, he added a reference
    counting mechanism on dynamic servers.

  - The LDAP health-check was fixed to make it compatible with Active
    Directory servers. The response parsing was improved to also support
    servers using multi-byte length-encoding. Active Directory servers
    seem to systematically encode messages or elements length on 4 bytes
    while others are using 1-byte length-encoding if possible. Now, 1, 2 and
    4 bytes length-encoding are supported. It should be good enough to
    enable LDAP health-check on Active Directory servers.

  - The build system was improved in many ways. Several -Wundef warnings
    were fixed. Occasional crashes in malloc_trim() on recent glibc when
    running with jemalloc were fixed. BSDs support was improved...

  - The HTTP "TE" header is now sanitized when a request is sent to a
    server. Only the "trailers" token is sent. It is mandatory because
    HAProxy only understands chunked encoding. Other transfer encodings are
    not supported.

  - A bug on health-check was fixed when a sample fetch depending on the
    execution context was used in a tcpcheck ruleset defined in a defaults
    section. It is now forbidden. This limitation will probably partially be
    relaxed in 2.5.

  - tcp-request and tcp-response content rules evaluation is now interrupted
    if a read error or the end of input is detected on the corresponding
    channel. This change fixes a known bug in HAProxy 2.3 and prior. However,
    it does not seem to affect 2.4.

  - Finally, Willy improved error reporting about the variables parsing.
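
The length-encoding difference from the LDAP health-check item above, as an added example that is not HAProxy's parser: a BER definite length is either one byte below 0x80 or 0x80|n followed by n big-endian bytes, and a check that only accepts the first form rejects servers that always use the second. The function names and both sample messages are constructed for illustration; the decoder accepts any n up to 4, which covers the encodings the item mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: one successful BindResponse, two length encodings. */
static const uint8_t bind_short[] = { 0x30,0x0c, 0x02,0x01,0x01, 0x61,0x07,
                                      0x0a,0x01,0x00, 0x04,0x00, 0x04,0x00 };
static const uint8_t bind_long4[] = { 0x30,0x84,0,0,0,0x10, 0x02,0x01,0x01,
        0x61,0x84,0,0,0,0x07, 0x0a,0x01,0x00, 0x04,0x00, 0x04,0x00 };

/* BER definite length: one byte below 0x80, or 0x80|n followed by n
 * big-endian bytes (n capped at 4 here). Returns 0 on success, -1 otherwise. */
static int ber_len(const uint8_t *buf, size_t size, size_t *pos, uint32_t *len)
{
    if (*pos >= size) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 4 || size - *pos < n) return -1; /* indefinite, too wide, truncated */
    for (*len = 0; n > 0; n--) *len = (*len << 8) | buf[(*pos)++];
    return 0;
}

/* Consume the expected tag and a length that fits in what is left. */
static int ber_hdr(const uint8_t *buf, size_t size, size_t *pos, uint8_t tag, uint32_t *len)
{
    if (*pos >= size || buf[(*pos)++] != tag) return -1;
    if (ber_len(buf, size, pos, len) < 0 || *len > size - *pos) return -1;
    return 0;
}

/* Returns the BindResponse resultCode (0 = success) or -1 if malformed. */
int ldap_bind_result(const uint8_t *buf, size_t size)
{
    size_t pos = 0;
    uint32_t len;
    if (ber_hdr(buf, size, &pos, 0x30, &len) < 0) return -1; /* LDAPMessage */
    if (ber_hdr(buf, size, &pos, 0x02, &len) < 0) return -1; /* messageID */
    pos += len;
    if (ber_hdr(buf, size, &pos, 0x61, &len) < 0) return -1; /* BindResponse */
    if (ber_hdr(buf, size, &pos, 0x0a, &len) < 0 || len != 1) return -1;
    return buf[pos];                                          /* resultCode */
}

int main(void)
{
    printf("short form : %d\n", ldap_bind_result(bind_short, sizeof(bind_short)));
    printf("4-byte form: %d\n", ldap_bind_result(bind_long4, sizeof(bind_long4)));
    return 0;
}
```
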

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.4/src/
Git repository : http://git.haproxy.org/git/haproxy-2.4.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
Changelog : http://www.haproxy.org/download/2.4/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Amaury Denoyelle (8):
BUG/MINOR: connection: prevent null deref on mux cleanup task allocation
BUILD: ist: prevent gcc11 maybe-uninitialized warning on istalloc
BUG/MINOR: server: allow 'enable health' only if check configured
MINOR: server: implement a refcount for dynamic servers
MINOR: global: define MODE_STOPPING
BUG/MINOR: server: do not use refcount in free_server in stopping mode
MINOR: server: return the next srv instance on free_server
BUG/MINOR: stats: use refcount to protect dynamic server on dump
Christopher Faulet (26):
MINOR: lua: Add a flag on lua context to know the yield capability at run time
BUG/MINOR: lua: Yield in channel functions only if lua context can yield
BUG/MINOR: lua: Don't yield in channel.append() and channel.set()
BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
BUG/MINOR: filters: Set right FLT_END analyser depending on channel
BUG/MEDIUM: mux-h1: Remove "Upgrade:" header for requests with payload
MINOR: htx: Skip headers with no value when adding a header list to a message
CLEANUP: mux-h1: Remove condition rejecting upgrade requests with payload
BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
BUG/MAJOR: mux-h1: Don't eval input data if an error was reported
BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
BUG/MINOR: h1-htx: Fix a typo when request parser is reset
BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
MINOR: stream-int: Set CO_RFL transient/persistent flags apart in si_cs_rcv()
MINOR: htx: Add an HTX flag to know when a message is fragmented
MINOR: htx: Add a function to know if the free space wraps
BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
MINOR: stream-int: Notify mux when the buffer is not stuck when calling rcv_buf
BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"
MINOR: arg: Be able to forbid unresolved args when building an argument list
BUG/MINOR: tcpcheck: Don't use arg list for default proxies during parsing
BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
David Carlier (1):
BUILD: tools: get the absolute path of the current binary on NetBSD.
Dragan Dosen (2):
BUG/MINOR: flt-trace: fix an infinite loop when random-parsing is set
BUG/MINOR: http-ana: increment internal_errors counter on response error
Emeric Brun (1):
DOC: peers: fix doc "enable" statement on "peers" sections
William Lallemand (3):
BUG/MINOR: systemd: ExecStartPre must use -Ws
DOC: management: certificate files must be sanitized before injection
MINOR: Makefile: add MEMORY_POOLS to the list of DEBUG_xxx options
Willy Tarreau (25):
BUG/MINOR: compat: make sure __WORDSIZE is always defined
CLEANUP: pools: factor all malloc_trim() calls into trim_all_pools()
MINOR: pools: automatically disable malloc_trim() with external allocators
MINOR: pools: use mallinfo2() when available instead of mallinfo()
BUG/MINOR: cli/payload: do not search for args inside payload
BUILD: activity: use #ifdef not #if on USE_MEMORY_PROFILING
BUILD/MINOR: defaults: eliminate warning on MAXHOSTNAMELEN with -Wundef
BUILD/MINOR: ssl: avoid a build warning on LIBRESSL_VERSION with -Wundef
IMPORT: slz: silence a build warning with -Wundef
BUILD/MINOR: regex: avoid a build warning on USE_PCRE2 with -Wundef
BUILD: ssl: next round of build warnings on LIBRESSL_VERSION_NUMBER
BUILD: ssl: fix two remaining occurrences of #if USE_OPENSSL
BUILD: tools: properly guard __GLIBC__ with defined()
BUG/MINOR: vars: improve accuracy of the rules used to check expression validity
MINOR: sample: add missing ARGC_ entries
BUG/MINOR: vars: properly set the argument parsing context in the expression
BUG/MINOR: vars: truncate the variable name in error reports about scope.
BUG/MINOR: vars: do not talk about global section in CLI errors for set-var
BUILD: compiler: fixed a missing test on defined(__GNUC__)
BUILD: halog: fix a -Wundef warning on non-glibc systems
BUILD: threads: fix -Wundef for _POSIX_PRIORITY_SCHEDULING on libmusl
BUG/MEDIUM: leastconn: fix rare possibility of divide by zero
BUG/MEDIUM: lua: fix wakeup condition from sleep()
BUG/MAJOR: lua: use task_wakeup() to properly run a task once
MINOR: tasks: catch TICK_ETERNITY with BUG_ON() in __task_queue()
[email protected] (3):
MINOR: tools: add FreeBSD support to get_exec_path()
MINOR: proc: setting the process to produce a core dump on FreeBSD.
BUILD: fix dragonfly build again on __read_mostly
--
Christopher Faulet