Hi,
HAProxy 2.5-dev13 was released on 2021/11/06. It added 35 new commits
after version 2.5-dev12.
These are the last-mile fixes and cleanups for this release.
- the backend support for WebSocket over HTTP/2 was adjusted to allow
WebSocket to use HTTP/1 even if HTTP traffic uses HTTP/2. There were
indeed some users complaining about broken WebSocket when H2 is
enabled on the backend side because their servers did not yet support
WebSocket over HTTP/2. With this, haproxy will offer WS over HTTP/2
even if the server runs HTTP/2 without it, and haproxy will use HTTP/1
connections to the server for WS. The new server keyword to tune this
is "ws". This part will be backported to 2.4 to fix the issues that
these users are facing. More improvements are planned (autodetection)
but they do present certain shortcomings in case servers would restart
and change their status, so they were kept on hold for now.
- the fc_conn_err and bc_conn_err sample fetch functions which return the
frontend connection and backend connection error codes were renamed to
"fc_err" and "bc_err" to be consistent with the other ones, as "fc" and
"bc" already stand for "frontend connection" and "backend connection".
No need for the confusing redundancy. This may possibly break some
configs if you were using them on a development version, but better fix
that before they're part of a final release.
- as discussed a few days ago, the frontend connection's SNI was added to
the HTTPS log format. It was placed just before the SSL version and
ciphers, delimited with a '/' so that even if an empty one is sent,
there is no ambiguity on the field parsing.
- some of the DNS stats counters were split into their own resolvers
stats, because they were really resolver events rather than DNS
protocol level events. This could make a difference when we later
implement support for DNS load balancing.
- a warning is now sent when "compression offload" is used in a defaults
section, because that does nothing. While the doc was already clear
about it, it used to be accepted by the config parser, so we cannot
really error on it now at the risk of breaking some harmless configs.
However a warning does seem appropriate at least.
- small fixes and updates on JWT, resolvers, and QUIC
- build instructions for QUIC and quictls were added to the INSTALL file
- an example error-log-format was added to the doc, as it wasn't exactly
trivial. We think it covers most use cases, so with a bit of luck it
will often be copy-pasted and generalized.
- more code cleanups, doc updates, and regtest cleanups
Yesterday while reviewing optimal logging options for HTTPS with William,
we noticed that some sample-fetch functions are missing to retrieve the
certificate check status on the backend, or extract the backend's TLS
version or SNI. The code already exists (we even did most of it on the
fly just to test) but I didn't want to rush a last-minute set of new
sample-fetch functions, whose tests and documentation would needlessly
delay this release. I will probably add them later next week or after the
release, and they're low-importance details that can trivially be
backported if we want.
I've told Björn not to rush his patches on Multi-path TCP. While they're
trivial and certainly harmless, there's no reason to hurry on this at the
last minute and risk to make mistakes, we'll have plenty of time to complete
this work later. MPTCP is still young, and if there's some demand, once
merged the backport should even be trivial to perform.
I expect a few more doc updates, makefile reorderings/cleanups, regtests,
bug fixes, maybe a few more sample-fetch functions and converters, some
more tests on various machine sizes, and if everything's good we could
release by the end of next week.
So, please test it. If you can't take any risk on your production, at the
very least please check that it properly loads your configuration and/or
that any warning or error is expected, that could save you some precious
time later ;-)
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.5/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.5/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Amaury Denoyelle (8):
MINOR: mux-h2: add trace on extended connect usage
BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support
MINOR: stream/mux: implement websocket stream flag
MINOR: connection: implement function to update ALPN
MINOR: connection: add alternative mux_ops param for conn_install_mux_be
MEDIUM: server/backend: implement websocket protocol selection
MINOR: server: add ws keyword
DOC: add QUIC instruction in INSTALL
Christopher Faulet (2):
MINOR: backend: Get client dst address to set the server's one only if
needful
MINOR: compression: Warn for 'compression offload' in defaults sections
Emeric Brun (4):
BUG/MINOR: resolvers: fix sent messages were counted twice
BUG/MINOR: resolvers: throw log message if trash not large enough for
query
MINOR: resolvers/dns: split dns and resolver counters in dns_counter
struct
MEDIUM: resolvers: rename dns extra counters to resolvers extra counters
Frédéric Lécaille (5):
MINOR: quic: Allocate listener RX buffers
CLEANUP: quic: Remove useless code
MINOR: quic: Enhance the listener RX buffering part
MINOR: quic: Remove a useless lock for CRYPTO frames
MINOR: quic: Use QUIC_LOCK QUIC specific lock label.
Remi Tricot-Le Breton (1):
BUG/MINOR: jwt: Fix jwt_parse_alg incorrectly returning JWS_ALG_NONE
Tim Duesterhus (7):
MINOR: jwt: Make invalid static JWT algorithms an error in `jwt_verify`
converter
CLEANUP: halog: Remove dead stores
DEV: coccinelle: Add ha_free.cocci
CLEANUP: Apply ha_free.cocci
DEV: coccinelle: Add rule to use `istnext()` where possible
CLEANUP: Apply ist.cocci
REGTESTS: Use `feature cmd` for 2.5+ tests (2)
Willy Tarreau (8):
SCRIPTS: git-show-backports: re-enable file-based filtering
DOC: internals: move some API definitions to an "api" subdirectory
MEDIUM: connection: rename fc_conn_err and bc_conn_err to fc_err and
bc_err
DOC: configuration: move the default log formats to their own section
MINOR: ssl: make the ssl_fc_sni() sample-fetch function always available
MEDIUM: log: add the client's SNI to the default HTTPS log format
DOC: config: add an example of reasonably complete error-log-format
DOC: config: move error-log-format before custom log format
---
