Hi,

HAProxy 2.5-dev10 was released on 2021/10/16. It added 75 new commits
after version 2.5-dev9.

The smoke is progressively being blown away and we're starting to see
more clearly what the final 2.5 will look like.

In completely random order, here are the main changes I noticed in this
release:

  - some fixes for OpenSSL 3.0.0 support from Rémi and William; regression
    tests were fixed as well and the version in the CI was upgraded from
    alpha17 to 3.0.0

  - Rémi's JWT patches were merged. Now it becomes possible to decode
    JWT tokens and check their integrity. There are still a few pending
    patches for it but they're essentially cosmetic, so the code is
    expected to be already operational. Those who've been waiting for
    this are strongly invited to give it a try so that any required
    change has a chance to be merged before 2.5. Alex?
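As an added illustration (not part of this announcement, and not taken from the project's own documentation) of what the merged JWT converters allow, here is a frontend that extracts a bearer token, pins the expected algorithm before verifying, checks the signature against a public certificate and only then looks at the payload. The frontend name, certificate paths and claim names are placeholders:

```haproxy
frontend api
    mode http
    bind :443 ssl crt /etc/haproxy/site.pem       # placeholder path

    # 1. Pull the token out of "Authorization: Bearer <token>".
    http-request set-var(txn.bearer) http_auth_bearer

    # 2. Read "alg" from the JOSE header and pin it. jwt_verify verifies with
    #    the algorithm it is given, so refusing anything but the expected one
    #    first prevents algorithm-confusion tricks (e.g. "none" or HS-for-RS).
    http-request set-var(txn.jwt_alg) var(txn.bearer),jwt_header_query('$.alg')
    http-request deny deny_status 401 unless { var(txn.jwt_alg) -m str "RS256" }

    # 3. Verify the signature. The certificate path must be a literal so it can
    #    be loaded into the JWT certificate tree at startup. Only a return of
    #    exactly 1 means "verified"; other values are failures or errors, so the
    #    result must never be tested as a boolean.
    http-request deny deny_status 401 unless { var(txn.bearer),jwt_verify(txn.jwt_alg,"/etc/haproxy/jwt-issuer.pem") 1 }   # placeholder path

    # 4. jwt_verify checks the signature only, not the claims. Reject expired
    #    tokens explicitly: "exp" (seconds since epoch) must still be in the
    #    future. A token without "exp" leaves the variable unset and is denied.
    http-request set-var(txn.now) date
    http-request set-var(txn.jwt_exp) var(txn.bearer),jwt_payload_query('$.exp','int')
    http-request deny deny_status 401 unless { var(txn.jwt_exp),sub(txn.now) gt 0 }

    # 5. Only now trust a payload claim enough to forward it to the backend.
    http-request set-header X-Subject %[var(txn.bearer),jwt_payload_query('$.sub')]
    default_backend app

backend app
    mode http
    server s1 127.0.0.1:8080                       # placeholder address
```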

  - Christopher merged his series that allows placing tcp-request and
    http-request rules in named "defaults" sections and have them
    processed first by frontends and backends that explicitly depend on
    them. This finally allows merging infrastructure rules in defaults
    sections while keeping section-specific rules in frontend/backend
    sections. The long-term goal is to ease the creation of fully
    functional backends on the fly in the future. It was much trickier than
    initially imagined due to arguments of sample fetches and converters
    that are context-dependent (e.g. current proxy name). All envisioned
    corner cases were addressed but that doesn't mean that it's 100%
    problem-free yet. However I asked Christopher to merge it now to help
    collect more feedback on configs that are not trivial to think about.
    So if your config repeats many identical tcp/http rules in their
    frontends or backends, you may be interested in giving this a try,
    and we're interested in knowing if you faced any error that makes it
    impossible for you to express a config that you'd consider simple.
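An added example (not from the announcement or the project's own docs) of the layout this enables: the shared rules live once in a named defaults section, and each proxy that wants them references it explicitly with "from", so they run before the proxy's own rules. Section, backend and server names are placeholders:

```haproxy
# Named defaults section holding the "infrastructure" rules shared by every
# HTTP proxy that opts in with "from http-common". These rules are evaluated
# before the referencing proxy's own rules.
defaults http-common
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Reject requests to paths that should never reach an application
    http-request deny deny_status 403 if { path_beg /.git /.env }
    # Harden responses uniformly
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options DENY

frontend www from http-common
    bind :80
    # Inherited http-request rules above run first, then this frontend's own
    http-request set-header X-Forwarded-Proto http
    default_backend app

backend app from http-common
    # Backend-specific rule; the defaults rules run first here as well
    http-request set-header X-Backend app
    server s1 127.0.0.1:8080    # placeholder address
```

A proxy that does not name the section with "from" does not get these rules, which is what makes "infrastructure in defaults, specifics in the proxy" workable without surprises.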

  - the first part of Björn's MPTCP patches was merged. This part deals
    with the formatting of socket errors and warnings so that the whole
    list of warnings can be reported instead of only the last one.

  - I merged the patches adding the "shards" option to the "bind" lines. It
    replicates the listeners the specified number of times and distributes
    them among the number of threads. This can be useful on workloads
    involving a high connection rate on large thread numbers, when the
    kernel-side CPU load becomes high due to the close() syscall locking
    the pollers. By spreading the activity over multiple sockets, this
    contention reduces a lot. This will later be reused with the thread
    groups when trying to bind some listeners on more than 64 threads.

  - improved error reporting (e.g. bind errors about MSS/interfaces), and
    troubleshooting (file, line number and names for active filters and
    rules in "show sess all").

  - William added a new config predicate "ssllib_name_startswith" to
    detect the type of SSL library in "-cc" rules.

  - some doc rearrangement for long lists of rules

  - another batch of H3/QUIC cleanups and fixes

  - new regression tests were written (I'm seeing 162 being executed right now).

  - usual small batch of bug fixes


There are still a number of things I've collected during this week:

  - some config predicates are not documented (openssl_version_atleast,
    openssl_version_before, ssllib_name_startswith)

  - a number of cleanup patches were posted on the list but not reviewed
    yet (at first glance they all look right)

  - there are at least two issues left on the resolvers code that affect
    2.4 as well. One of them is a random crash that I could only verify
    depends on a use-after-free that I couldn't spot yet. I'm
    getting closer but not there yet :-(  The other one is a remaining
    code path with extreme complexity that runs under a global lock and
    manages to trigger the watchdog when used with many threads and many
    servers. Some improvements were made, and we have some ideas about
    how to go much farther (replacing the last-level list with a tree,
    and splitting the single lock in two to still allow some parallelism).

  - some TLS issues were reported at least since 2.4, causing more
    renegotiations than needed because the session cache is not always
    updated. Emeric and William started to find some problems when trying
    to reproduce but further investigation is still ongoing.

  - there are still many issues on github and I'd like us to prioritize
    them over code. Most of them affect versions before 2.4 so they are
    not last-minute regressions, but until we have an idea how they'll
    have to be fixed, it's still not too late to make significant changes
    if that helps release 2.5 in a cleaner state.

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Amaury Denoyelle (9):
      MEDIUM: mux-quic: rationalize tx buffers between qcc/qcs
      MEDIUM: h3: properly manage tx buffers for large data
      MINOR: mux-quic: standardize h3 settings sending
      CLEANUP: h3: remove dead code
      MINOR: mux-quic: implement standard method to detect if qcc is dead
      MEDIUM: mux-quic: defer stream shut if remaining tx data
      MINOR: mux: remove last occurences of qcc ring buffer
      MINOR: quic: handle CONNECTION_CLOSE frame
      BUG/MEDIUM: cpuset: fix cpuset size for FreeBSD

Bjoern Jacke (1):
      MINOR: proto_tcp: use chunk_appendf() to ouput socket setup errors

Christopher Faulet (22):
      MINOR: stream: report the current filter in "show sess all" when known
      CLEANUP: stream: Properly indent current_rule line in "show sess all"
      BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back
      BUG/MINOR: sample: Fix 'fix_tag_value' sample when waiting for more data
      DOC: config: Move 'tcp-response content' at the right place
      BUG/MINOR: proxy: Use .disabled field as a bitfield as documented
      MINOR: proxy: Introduce proxy flags to replace disabled bitfield
      MINOR: sample/arg: Be able to resolve args found in defaults sections
      MEDIUM: proxy: Warn about ambiguous use of named defaults sections
      MINOR: proxy: Be able to reference the defaults section used by a proxy
      MINOR: proxy: Add PR_FL_READY flag on fully configured and usable proxies
      MINOR: config: Finish configuration for referenced default proxies
      MINOR: config: No longer remove previous anonymous defaults section
      MINOR: tcpcheck: Support 2-steps args resolution in defaults sections
      MEDIUM: rules/acl: Parse TCP/HTTP rules and acls defined in defaults sections
      MEDIUM: tcp-rules: Eval TCP rules defined in defaults sections
      MEDIUM: http-ana: Eval HTTP rules defined in defaults sections
      BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags
      REGTESTS: Add scripts to test support of TCP/HTTP rules in defaults sections
      DOC: config: Add documentation about TCP/HTTP rules in defaults section
      DOC: config: Rework and uniformize how TCP/HTTP rules are documented
      BUG/MINOR: proxy: Release ACLs and TCP/HTTP rules of default proxies

Olivier Houchard (1):
      MINOR: initcall: Rename __GLOBL and __GLOBL1.

Remi Tricot-Le Breton (12):
      REGTESTS: ssl: Fix references to removed option in test description
      MINOR: ssl: Add ssllib_name_startswith precondition
      REGTESTS: ssl: Fix ssl_errors test for OpenSSL v3
      REGTESTS: ssl: Reenable ssl_errors test for OpenSSL only
      REGTESTS: ssl: Use mostly TLSv1.2 in ssl_errors test
      MINOR: http: Add http_auth_bearer sample fetch
      MINOR: jwt: Parse JWT alg field
      MINOR: jwt: JWT tokenizing helper function
      MINOR: jwt: Insert public certificates into dedicated JWT tree
      MINOR: jwt: jwt_header_query and jwt_payload_query converters
      MEDIUM: jwt: Add jwt_verify converter to verify JWT integrity
      REGTESTS: jwt: Add tests for the jwt_verify converter

Tim Duesterhus (1):
      BUG/MINOR: lua: Fix lua error handling in `hlua_config_prepend_path()`

William Lallemand (4):
      CI: github: switch to OpenSSL 3.0.0
      REGTESTS: ssl: re-enable set_ssl_cert_bundle.vtc
      MINOR: ssl: add ssl_fc_is_resumed to "option httpslog"
      BUILD: jwt: fix declaration of EVP_KEY in jwt-h.h

Willy Tarreau (25):
      MINOR: rules: add a new function new_act_rule() to allocate act_rules
      MINOR: rules: add a file name and line number to act_rules
      MINOR: stream: report the current rule in "show sess all" when known
      MINOR: proto_tcp: also report the attempted MSS values in error message
      MINOR: inet: report the faulty interface name in "bind" errors
      MINOR: protocol: report the file and line number for binding/listening errors
      MINOR: protocol: uniformize protocol errors
      MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
      BUG/MEDIUM: resolver: make sure to always use the correct hostname length
      BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
      MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
      MEDIUM: listeners: split the thread mask between receiver and bind_conf
      MINOR: listeners: add clone_listener() to duplicate listeners at boot time
      MEDIUM: listener: add the "shards" bind keyword
      BUG/MEDIUM: resolvers: use correct storage for the target address
      MINOR: resolvers: merge address and target into a union "data"
      BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
      BUG/MEDIUM: jwt: fix base64 decoding error detection
      BUG/MINOR: jwt: use CRYPTO_memcmp() to compare HMACs
      DOC: jwt: fix a typo in the jwt_verify() keyword description
      BUG/MEDIUM: sample/jwt: fix another instance of base64 error detection
      BUG/MINOR: sample: fix backend direction flags consecutive to last fix
      BUG/MINOR: listener: fix incorrect return on out-of-memory
      BUG/MINOR: listener: add an error check for unallocatable trash
      CLEANUP: listeners: remove unreachable code in clone_listener()
