HAProxy 2.4.9 was released on 2021/11/23. It added 36 new commits
after version 2.4.8.

In the previous release, fixes about shutdowns management in the muxes have
exposed some hidden bugs. Since the muxes were introduced, in the 1.8,
shutdowns at the conn-stream level were not fully idempotent. Until
recently, it was not an issue. But in the 2.4.8, some users observed delays
to close client connections on the HAProxy side corresponding to the client
timeout because the silent mode was used instead of the clean one to
shutdown the connection. In addition, true silent shutdowns were not
properly handled in the H1 multiplexer when outgoing data were blocked,
leading too to delay to close connections.

A H2 multiplexer fix to drain data and be sure to send GOAWAY frame was
announced in the 2.4.8. However a patch was missing. Another side effect of
this missing patch was the TLS sessions were not cached as expected. It is
now fixed. Still on the H2 multiplexer, an old fix for H2 partial frames was
incomplete and caused some high CPU usages in h2_io_cb() on some rare

Some users reported occasional crashes in the cache (#1284 and #1451). We
finally had an explanation (a missing break). This was fixed. "show cache"
cli command was also fixed to be thread-safe. Under high load, it was
possible to dereference a node already reassigned, leading to
crash. Finally, parsing of "max-age" or "s-maxage" was improved to properly
ignore unparsable value in quotes.

A bug with the "program" post-parser was fixed. It could be called with an
empty programs list in case of a config parsing error on reload after
another error, and could crash.

Recent adjustments about the backend support for WebSocket over HTTP/2 were
backported. They allow to fallback on a HTTP/1 connection if the WebSockets
are not support in HTTP/2. In addition the server keyword "ws" can be used
to tune this.

http-response rulesets evaluation was not aligned with what is said in the
documentation. It was possible to inhibit the frontend rules evaluation with
an "allow" rule in the backend section while it should instead only stop
backend rules evaluation. This bug exists since the beginning and only
concerns the "allow" rule. It was fixed and http-after-response rulesets
evaluation was also fixed in the same way.

The support for backend aggregated server check status in the Prometheus
exporter was backported. Thanks to this feature, the number of server per
health-check status are now reported at the backend level.

William fixed some bugs in the SSL part. First, outgoing TLS connections
involving SNI couldn't be resumed in TLS 1.3 because the call to
SSL_get_servername() on a resumed connection doesn't return the previous SNI
with TLS 1.3. Then, the wrong error was reported during SSL handshake when a
non-matching SNI was found with the strict-sni option enabled because the
clientHello callback was returning with a success code. An "handshake
failure" was reported instead of "unrecognized name". As a side effect of
this bug, the connections was accepted in case of TLS resume. Finally,
thanks to Willy, the SSL counter are now atomically updated.

The detection of the need for libatomic in the makefile was modified so that
it's not hard-coded on the architecture but instead detects what the
compiler says it needs. This allowed to remove the arm/aarch64 hacks on
linux and also allows MIPS and RISCV to work as expected. In addition it's
now trivial to force it if desired.

In addition, the usual bunch of some of small fixes and cleanups.

The 2.3.16 will be emitted quite soon. The next 2.2 and 2.0 releases are
planned for the next week.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.4/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.4.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
   Changelog        : http://www.haproxy.org/download/2.4/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Complete changelog :
Amaury Denoyelle (7):
      MINOR: mux-h2: add trace on extended connect usage
      BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support
      MINOR: stream/mux: implement websocket stream flag
      MINOR: connection: implement function to update ALPN
      MINOR: connection: add alternative mux_ops param for conn_install_mux_be
      MEDIUM: server/backend: implement websocket protocol selection
      MINOR: server: add ws keyword

Christopher Faulet (10):
      DOC: config: Fix typo in ssl_fc_unique_id description
      BUG/MINOR: http-ana: Apply stop to the current section for http-response 
      Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped 
on back"
      DOC: lua: Be explicit with the Reply object limits
      MINOR: mux-h1: Slightly Improve H1 traces
      BUG/MEDIUM: conn-stream: Don't reset CS flags on close
      BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
      BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
      BUG/MEDIUM: mux-h1: Handle delayed silent shut in h1_process() to release 
      BUG/MINOR: cache: Fix loop on cache entries in "show cache"

Emeric Brun (2):
      BUG/MINOR: resolvers: fix sent messages were counted twice
      BUG/MINOR: resolvers: throw log message if trash not large enough for 

William Dauchy (1):
      MINOR: promex: backend aggregated server check status

William Lallemand (5):
      BUG/MINOR: mworker: doesn't launch the program postparser
      BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
      BUG/MINOR: ssl: free correctly the sni in the backend SSL cache
      CLEANUP: ssl: fix wrong #else commentary
      BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found

Willy Tarreau (11):
      MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
      MINOR: mux-h2: perform a full cycle shutdown+drain on close
      BUG/MINOR: cache: properly ignore unparsable max-age in quotes
      BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
      BUILD: makefile: simplify detection of libatomic
      BUG/MEDIUM: mux-h2: always process a pending shut read
      BUG/MEDIUM: cache/cli: make "show cache" thread-safe
      BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
      BUG/MINOR: shctx: do not look for available blocks when the first one is 
      MINOR: shctx: add a few BUG_ON() for consistency checks
      BUG/MINOR: ssl: make SSL counters atomic

Christopher Faulet

Reply via email to