Hi,

HAProxy 2.5.1 was released on 2022/01/11. It added 58 new commits after version 2.5.0.
As usual, this release fixes several issues and brings some improvements:

- there was a possible slow memory leak of struct sockaddr during layer-7 retries that would end up with a redispatch. We're speaking about ~200 bytes per retried request, which normally doesn't harm, but can at least fool some monitoring and cause some concerns.
- there was another memory leak in the jwt_header_query and jwt_payload_query converters. A full buffer was leaking at each invocation (~16k by default).
- there was a risk of a frozen stream or a spinning loop when combining layer-7 retries with some filters, because an analyzer responsible for releasing the filter was dropped. This was fixed.
- there was an allocation problem when SSL was configured using a "default-server" directive. Some SSL settings like "crt" or possibly "ca" as well were causing an SSL_CTX to be allocated too early (at the moment the directive was parsed) and replicated for each server inheriting it. But that led to problems when these fields were updated at runtime for a given server, as that could affect other servers as well. And during soft-stop it would cause double-free issues, as reported in github issue 1488.
- William found that a number of free() calls were missing for server SSL settings when deleting a server. That's not dramatic, but it could definitely be noticeable by those adding/removing servers often.
- splicing of HTTP/1.1 responses would always incorrectly end up closing the client connection at the end of the transfer, and was simply disabled for messages of unknown length (neither content-length nor transfer-encoding). While fixing these issues, an inter-release regression was introduced. This was fixed, and in the end no 2.5 release is impacted. Only 2.4.11 is concerned by this regression.
- there was an issue with HTTP/1.1 chunk-encoded message parsing when the message headers were not received all at once. In this case, a parsing error could be erroneously reported. This was fixed.
- using multiple log-forward sections would crash after parsing the config; that's now fixed.
- a possible crash on the master CLI when trying to enter an old pid while in prompt mode.
- there was an FD leak on the eventpoll in the master-worker in wait mode. This was fixed. In addition, in this mode, on reload, the master was trying to get the listeners' FDs from the previous process using _getsocks on the stats socket. It was not necessary. And if the reload failed, it led the master to exit with EXIT_FAILURE status, killing the workers. This was fixed by restricting the use of _getsocks to some modes.
- yet another risk of crash in the resolvers was fixed, this time when getting a response error, because some invalid elements could be left in the list.
- a possible crash when adding a server on the CLI with a custom ID, because the key was not properly initialized.
- there was an issue with the "show cache" command. Each entry was reported several times because of a bug in the loop walking through the cache.
- the http-client was systematically adding a Host header using the provided URL, while it is possible to pass it in the header list. Now if it is found in the header list, no other Host header is added.
- the client SNI was not saved in case of a ClientHello error, making strict-sni related errors hard to debug. This was fixed.
- conn_cur was not properly ignored in incoming peer messages, especially when frequency counters or arrays are exchanged after conn_cur. The stream was desynchronized and incorrect values were read.
- some server-side SSL settings could be lost when using more than one default-server directive.
- since 2.4, during a soft-stop we're closing all idle frontend connections so that we don't have to wait for clients to time out nor for them to send a new request. But it turns out that doing it as any server would do it disturbs AWS' ALB, which immediately emits a 502 to its clients after failing to upload a new request on such a closed connection. It's well known (and documented) that reused connections have a window of uncertainty and that an agent must retry on them (which is why haproxy usually silently closes with the client when it experiences this, so that the client can decide to retry). Thus ALB's behavior is incorrect and prevents using keep-alive normally with the next hop. What was done here was to add an option "idle-close-on-response" to reintroduce the old behavior and wait for clients to speak first before closing. Credits go to William Dauchy for the report and the workaround.
- Daniel Jakots fixed the build with LibreSSL 3.5 and newer (some macros didn't work anymore).
- David Carlier fixed the build with FreeBSD 14, which changes the cpuset API to better match Linux's.
- a small improvement: in order to help users provide exploitable cores, there's now a new command-line option "-dL" which dumps the dynamic libraries that were detected at run time just before forking. This possibly includes dependencies from Lua or various other libs that do not always appear in "ldd". Typically libgcc_s is listed. The output format allows piping that to tar to produce an archive of all executable code, which apparently tends to open well with a core regardless of the distro in use. Since it eases bug reports, we've decided to backport it.
- another build issue, this time with clang on i386. It tries to make use of the CMPXCHG8B instruction to perform 64-bit atomics but incorrectly expects the operands to be 64-bit aligned, while neither the ABI nor the instruction has this requirement. So basically it complains about the code it produces itself. The analysis showed that working around this would require tens to hundreds of isolated hacks and that the least dirty solution is to disable the warning. Firefox faced the same issue 3 years ago and adopted the same workaround. I guess nobody's interested anymore in i386 for anyone to expect a fix there anyway.
- a workaround for a possibly slow malloc_trim() in modern libcs upon reload when using many threads, which could be slow enough to panic the old process.
- a few other build fixes and doc fixes.
- the "show version" command was added to display the current process version.
- the "capture" action is now supported in http-after-response rulesets.
- empty lines were removed from the "show ssl ocsp-response" command output.

Thanks everyone for your help and your contributions!

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Wiki             : https://github.com/haproxy/wiki/wiki
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

---
Complete changelog :
Bertrand Jacquin (1):
      BUG/MINOR: lua: remove loop initial declarations

Christopher Faulet (15):
      BUG/MINOR: cache: Fix loop on cache entries in "show cache"
      BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
      BUG/MINOR: server: Don't rely on last default-server to init server SSL context
      BUG/MEDIUM: resolvers: Detach query item on response error
      BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted
      MINOR: mux-h1: Improve H1 traces by adding info about http parsers
      BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
      MINOR: http-rules: Add capture action to http-after-response ruleset
      BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
      DOC: spoe: Clarify use of the event directive in spoe-message section
      DOC: config: Specify %Ta is only available in HTTP mode
      BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
      BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
      BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
      BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data

Daniel Jakots (1):
      BUILD: ssl: unbreak the build with newer libressl

David CARLIER (3):
      MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above.
      BUILD/MINOR: cpuset FreeBSD 14 build fix.
      BUILD: cpuset: fix build issue on macos introduced by previous change

David Carlier (1):
      BUILD/MINOR: tools: solaris build fix on dladdr.

Emeric Brun (1):
      BUG/MAJOR: segfault using multiple log forward sections.

Ilya Shipitsin (3):
      CI: Github Actions: do not show VTest failures if build failed
      CI: github actions: update OpenSSL to 3.0.1
      CI: github actions: clean default step conditions

Lukas Tribus (2):
      DOC: config: retry-on list is space-delimited
      DOC: config: fix error-log-format example

Miroslav Zagorac (1):
      BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time

Remi Tricot-Le Breton (3):
      BUG/MINOR: vars: Fix the set-var and unset-var converters
      MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output
      BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error

Thierry Fournier (1):
      DOC: fix misspelled keyword "resolve_retries" in resolvers

Tim Duesterhus (1):
      BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query

William Dauchy (1):
      MINOR: proxy: add option idle-close-on-response

William Lallemand (13):
      BUG/MINOR: httpclient: allow to replace the host header
      BUG/MINOR: lua: don't expose internal proxies
      BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode
      BUG/MINOR: mworker: deinit of thread poller was called when not initialized
      MINOR: cli: "show version" displays the current process version
      BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
      BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
      REGTESTS: ssl: fix ssl_default_server.vtc
      BUG/MINOR: ssl: free the fields in srv->ssl_ctx
      BUG/MEDIUM: ssl: free the ckch instance linked to a server
      REGTESTS: ssl: update of a crt with server deletion
      BUG/MINOR: cli: fix _getsocks with musl libc
      BUG/MEDIUM: mworker: don't use _getsocks in wait mode

Willy Tarreau (11):
      BUILD: evports: remove a leftover from the dead_fd cleanup
      BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
      IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
      MINOR: pools: work around possibly slow malloc_trim() during gc
      BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
      BUG/MEDIUM: peers: properly skip conn_cur from incoming messages
      DEBUG: ssl: make sure we never change a servername on established connections
      MINOR: compat: detect support for dl_iterate_phdr()
      MINOR: debug: add ability to dump loaded shared libraries
      MINOR: debug: add support for -dL to dump library names at boot
      BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning

--
Christopher Faulet
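As an added configuration example (not part of the announcement or of the HAProxy project's own files), the following fragment shows where the two new 2.5.1 knobs described above go: "option idle-close-on-response" in a frontend, for clients such as the ALB that do not retry on a closed idle connection, and a "capture" action in an http-after-response ruleset, which needs a matching "declare capture response" slot. The section names, the socket path, the addresses and the X-Backend-Id header are constructed for the example.

```haproxy
global
    # stats socket: the new "show version" command is issued here
    stats socket /run/haproxy.sock mode 600 level admin
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog          # %hr/%hs in the log line carry the captured slots
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :8080
    # During a soft-stop, do not close idle connections right away: wait for
    # the client to send its next request (the pre-2.5 behaviour).
    option idle-close-on-response
    # Response capture slot 0, up to 64 bytes, filled by the rule below.
    declare capture response len 64
    # New in 2.5.1: capture from http-after-response, i.e. after all other
    # response rules (including those that added or rewrote headers) ran.
    http-after-response capture res.hdr(X-Backend-Id) id 0
    default_backend be_app

backend be_app
    http-response set-header X-Backend-Id %[srv_id]
    server app1 127.0.0.1:8081 check
```

To check the running version over that socket: `echo "show version" | socat stdio /run/haproxy.sock`. Keep "idle-close-on-response" scoped to the frontends that actually face an intermediary known not to retry; on other frontends the 2.4+ default of closing idle connections on soft-stop is what makes reloads finish quickly.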
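The "-dL" option exists to make core dumps usable away from the machine that produced them. The small shell helper below, added here and not part of HAProxy, is one way to turn that dump into the archive the announcement describes. It assumes, as stated above, that "-dL" prints the detected libraries one path per line, which is exactly the list format tar reads with "-T -". Symlinks are followed so the real shared objects, not the link names, end up in the archive.

```shell
#!/bin/sh
# archive_libs OUTFILE
#   Read one path per line on stdin (the "haproxy -dL" output) and pack the
#   files into a gzip-compressed tar. -h dereferences symlinks such as
#   libfoo.so -> libfoo.so.1 so that the real object is stored.
archive_libs() {
    out="$1"
    tar -T - -hzcf "$out"
}

# list_archive OUTFILE
#   Print the member names, to double-check what was collected before
#   attaching the archive to a bug report.
list_archive() {
    tar -tzf "$1"
}
```

Usage on a real system: `haproxy -f /etc/haproxy/haproxy.cfg -dL | archive_libs haproxy-libs.tgz`, then `list_archive haproxy-libs.tgz` to confirm that libgcc_s, the Lua runtime and the haproxy binary itself are present. tar strips the leading "/" from member names when writing the archive, which is what makes it easy to unpack next to the core on another host.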