Hi,

HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after
version 2.5-dev15, fixing minor last-minute details (bind warnings
that turned to errors, and an incorrect free in the backend SSL cache).

We were slightly delayed compared to my initial expectations (~1-2 weeks),
but nothing to be ashamed of at all, as it allowed to nail down several
issues that were affecting older releases, and to improve the doc, so
that's not wasted time.

I must confess that I've had a hard time enumerating just a few changes
in this version, as the spectrum is quite broad and the amount of changes
varies a lot between areas. Thus I'll focus on those that seem relevant,
keeping the deeply technical stuff synthetic, and sorry for those who do
not see their work cited here, it doesn't mean it's not interesting, just
that it doesn't come to my mind before the other ones:

  - more dynamic servers. Now virtually any setting can be changed at
    run time, and servers may even be deleted.

  - The native HTTP client got merged. It currently offers an ease of
    use from Lua, but will also open the way to native interaction with
    external services.

  - speaking of Lua, it's now possible to implement content filters in
    Lua to inspect or modify contents passing through haproxy. This is
    currently experimental.

  - Stick-tables now allow to store and replicate arrays of general
    purpose tags and counters

  - SSL saw a lot of improvements, with CA/CRL now updatable at runtime,
    much better error reporting and logging, OCSP status now readable
    from the CLI, a new httpslog option, and OpenSSL 3.0.0 being
    supported. SSL client fingerprinting using the JA3 de-facto
    standard is also supported.

  - JWT token validation helps integrate with environments requiring
    authentication.

  - QUIC is born. Like a baby, it doesn't walk yet but it's possible to
    interact with it and it will respond. There's still quite some work
    to do before it can be deployed but I have good hopes that for 2.6
    it will be mature enough and the SSL library issues will be resolved
    either by the OpenSSL team listening to their users or by distros
    finally adopting a fork.

  - the master process now always switches to wait mode to release its
    memory. That counts quite a lot for those dealing with extremely
    large configs, maps or ACLs.

  - huge performance improvements in some areas (HTTP/1 chunking *8,
    queues *2, DNS N->log(N), threads:2-5%)

  - the frontend mode (TCP/HTTP) can now be switched on the fly per
    session, so that HTTP rules are applied to TCP connections once
    validated as HTTP.

  - defaults sections now support TCP and HTTP rulesets, that
    frontends and backends will use prior to theirs. This allows one
    to standardize some configuration for similar applications and place
    common rules there.

  - stats of stopping proxies are now available in a stopping process
    for as long as the process is reachable (e.g. master->worker).

  - generally speaking, a number of usability improvements (error
    reporting, new converters and sample fetch functions, improved
    details in CLI's output etc).

I hope you'll enjoy it and will provide useful feedback. I know that some
of my haproxytech coworkers have been working on an in-depth article to
provide more details on each change. This will likely appear soon on the
blog on https://haproxy.com/blog/ but no rush, I know how hard it is to
emit release notes, it's even harder to write working examples!

As a reminder, this is a stable version which will receive fixes for
around 12 months. Its initially scheduled EOL is 2023-Q1 but it can be
slightly extended depending on adoption and feedback.

2.6-dev0 was also created as a copy of 2.5.0 to mark the beginning of 2.6
which is expected to be released between May and June of 2022, and will
be an LTS release. Haproxy.org was already upgraded to run on it :-)

As an announce message cannot be one without the usual thanks, let me
first turn the projector on our new code contributors in this release,
who I hope will continue to contribute good code and ideas:

  Anubhav, Daniel Black, Jaroslaw Rzeszótko, Jonathon Lacher,
  Kunal Gangakhedkar, Mark Mullan, Marno Krahmer, jenny-cheung,
  vishnu

In addition to them I'm also counting 22 returning contributors, among
which:

  Aleksandar Lazic, Amaury Denoyelle, Björn Jacke, Christopher Faulet,
  David Carlier, Dirkjan Bussink, Dragan Dosen, Emeric Brun,
  Frédéric Lécaille, Ilya Shipitsin, John Roesler, Marcin Deranek,
  Maximilian Mader, Miroslav Zagorac, Olivier Houchard,
  Remi Tricot-Le Breton, Thayne McCombs, Thierry Fournier,
  Tim Düsterhus, William Dauchy, William Lallemand, Willy Tarreau

And that's without mentioning the usual team who devotes a lot of their
time helping users and operating the infrastructure tools behind the
curtains, particularly Lukas Tribus, Tim Düsterhus, Ilya Shipitsin, as
well as all those who provide helpful comments on the list and report
bugs.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog since 2.5-dev15:
Ilya Shipitsin (3):
      BUILD: SSL: add quictls build to scripts/build-ssl.sh
      BUILD: SSL: add QUICTLS to build matrix
      CLEANUP: assorted typo fixes in the code and comments

Tim Duesterhus (1):
      CLEANUP: sock: Wrap `accept4_broken = 1` into additional parenthesis

William Lallemand (1):
      BUG/MINOR: ssl: free correctly the sni in the backend SSL cache

Willy Tarreau (4):
      BUILD: cli: clear a maybe-unused  warning on some older compilers
      BUG/MEDIUM: cli: make sure we can report a warning from a bind keyword
      BUG/MINOR: ssl: make SSL counters atomic
      MINOR: version: mention that it's stable now
