Hi,
HAProxy 2.5.1 was released on 2022/01/11. It added 58 new commits
after version 2.5.0.
As usual, this release fixes several issues and brings some improvements:
- there was a possible slow memory leak of struct sockaddr during layer-7
retries that ended up with a redispatch. That amounts to ~200 bytes per
retried request, which normally does no harm, but can at least fool some
monitoring and raise concerns.
- there was another memory leak in jwt_header_query and jwt_payload_query
converters. A full buffer was leaking at each invocation (~16k by
default).
- there was a risk of a frozen stream or a spinning loop when combining
layer-7 retries with some filters, because the analyzer responsible for
releasing the filter was dropped. This was fixed.
- there was an allocation problem when SSL was configured using a
"default-server" directive. Some SSL settings like "crt" (and possibly
"ca" as well) were causing an SSL_CTX to be allocated too early (at the
moment the directive was parsed) and replicated for each server
inheriting it. But that led to problems when these fields were updated
at runtime for a given server, as that could affect other servers as
well. And during soft-stop it would cause double-free issues, as reported
in github issue 1488.
- William found that a number of free() calls were missing for server SSL
settings when deleting a server. That's not dramatic, but it could
definitely be noticeable for those adding/removing servers often.
- splicing of HTTP/1.1 responses would always incorrectly end up closing
the client connection at the end of the transfer, and was simply disabled
for messages of unknown length (neither content-length nor
transfer-encoding). While fixing these issues, an inter-release regression
was introduced. This was fixed too, and in the end no 2.5 release is
impacted. Only 2.4.11 is concerned by this regression.
- there was an issue with HTTP/1.1 chunk-encoded message parsing when the
message headers were not received all at once. In this case, a parsing
error could be erroneously reported. This was fixed.
- using multiple log-forward sections would crash after parsing the
config; that's now fixed.
- a possible crash on the master CLI when trying to enter an old PID in
prompt mode was fixed.
- there was an FD leak on the eventpoll in the master-worker in wait
mode. This was fixed. In addition, in this mode, on reload, the master
was trying to get the listeners' FDs from the previous process using
_getsocks on the stats socket. It was not necessary, and if the reload
failed, it led the master to exit with EXIT_FAILURE status, killing the
workers. This was fixed by restricting the use of _getsocks to some
modes.
- yet another risk of crash on resolvers was fixed, this time when
getting a response error, because some invalid elements could be
left in the list.
- a possible crash when adding a server on the CLI with a custom ID,
because the key was not properly initialized, was fixed.
- there was an issue with the "show cache" command. Each entry was reported
several times because of a bug in the loop walking through the cache.
- the http-client was systematically adding a Host header built from the
provided URL, even though it is possible to pass one in the header list.
Now, if a Host header is found in the header list, no other one is added.
- Client SNI was not saved in case of ClientHello error, making strict-sni
related errors hard to debug. This was fixed.
- conn_cur was not properly ignored from incoming peer messages,
especially when frequency counters or arrays are exchanged after
conn_cur. The stream was desynchronized and incorrect values were read.
- Some server-side SSL settings could be lost when using more than one
default-server directive.
- since 2.4, during a soft-stop we're closing all idle frontend connections
so that we don't have to wait for clients to time out nor for them to
send a new request. But it turns out that doing it as any server would
do it disturbs AWS' ALB, which immediately emits a 502 to its clients
after failing to upload a new request on such a closed connection. It's
well known (and documented) that reused connections have a window of
uncertainty and that an agent must retry on them (which is why haproxy
usually silently closes with the client when it experiences this, so that
the client can decide to retry). Thus ALB's behavior is incorrect and
prevents using keep-alive normally with the next hop. What was done
here was to add an option "idle-close-on-response" to reintroduce the
old behavior and wait for clients to speak first before closing.
Credits go to William Dauchy for the report and the workaround.
- Daniel Jakots fixed the build with LibreSSL 3.5 and newer (some macros
didn't work anymore).
- David Carlier fixed the build with FreeBSD 14, which changes the cpuset
API to better match Linux's.
- a small improvement: in order to help users provide usable core dumps,
there's now a new command-line option "-dL" which dumps the dynamic
libraries that were detected at run time just before forking. This
possibly includes dependencies from Lua or various other libs that do
not always appear in "ldd". Typically libgcc_s is listed. The output
format allows piping it to tar to produce an archive of all executable
code, which apparently tends to open well together with a core regardless
of the distro in use. Since it eases bug reports, we've decided to
backport it.
- another build issue, this time with clang on i386. It tries to make use
of the CMPXCHG8B instruction to perform 64-bit atomics but incorrectly
expects the operands to be 64-bit aligned, while neither the ABI nor the
instruction has this requirement. So basically it complains about the
code it produces itself. The analysis showed that working around this
would require tens to hundreds of isolated hacks and that the least
dirty solution is to disable the warning. Firefox faced the same issue 3
years ago and adopted the same workaround. I guess nobody's interested
anymore in i386 for anyone to expect a fix there anyway.
- a workaround for a possibly slow malloc_trim() in modern libcs upon
reload when using many threads, which could be slow enough to make the
old process panic.
- a few other build fixes and doc fixes.
- a "show version" command was added to display the current process version.
- the "capture" action is now supported in http-after-response rulesets.
- empty lines were removed from the "show ssl ocsp-response" command output.
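As an added illustration (not part of the announcement), here is how the "idle-close-on-response" option described above can be enabled only on the frontend that sits behind an ALB, keeping the default soft-stop behaviour for clients that do retry on a stale idle connection. Section names, ports and addresses are made up.

```haproxy
# Added example, not from the announcement. Names and addresses are made up.
defaults
    mode http
    option http-keep-alive
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s

# Internet-facing frontend: clients are expected to retry on a stale idle
# connection, so haproxy keeps closing idle connections during a soft-stop.
frontend fe_public
    bind :80
    default_backend be_app

# Frontend reached only through the ALB: wait for the ALB to send a request
# before closing an idle connection, so the ALB never sees a closed
# connection and never turns it into a 502 for its own clients.
frontend fe_behind_alb
    bind :8080
    option idle-close-on-response
    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```

The option is a frontend/defaults setting, so it can be scoped to the one listener that needs the old behaviour rather than set globally.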
Thanks everyone for your help and your contributions!
Please find the usual URLs below:
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.5/src/
Git repository : http://git.haproxy.org/git/haproxy-2.5.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
Changelog : http://www.haproxy.org/download/2.5/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Bertrand Jacquin (1):
BUG/MINOR: lua: remove loop initial declarations
Christopher Faulet (15):
BUG/MINOR: cache: Fix loop on cache entries in "show cache"
BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
BUG/MINOR: server: Don't rely on last default-server to init server SSL context
BUG/MEDIUM: resolvers: Detach query item on response error
BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted
MINOR: mux-h1: Improve H1 traces by adding info about http parsers
BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
MINOR: http-rules: Add capture action to http-after-response ruleset
BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
DOC: spoe: Clarify use of the event directive in spoe-message section
DOC: config: Specify %Ta is only available in HTTP mode
BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data
Daniel Jakots (1):
BUILD: ssl: unbreak the build with newer libressl
David CARLIER (3):
MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above.
BUILD/MINOR: cpuset FreeBSD 14 build fix.
BUILD: cpuset: fix build issue on macos introduced by previous change
David Carlier (1):
BUILD/MINOR: tools: solaris build fix on dladdr.
Emeric Brun (1):
BUG/MAJOR: segfault using multiple log forward sections.
Ilya Shipitsin (3):
CI: Github Actions: do not show VTest failures if build failed
CI: github actions: update OpenSSL to 3.0.1
CI: github actions: clean default step conditions
Lukas Tribus (2):
DOC: config: retry-on list is space-delimited
DOC: config: fix error-log-format example
Miroslav Zagorac (1):
BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time
Remi Tricot-Le Breton (3):
BUG/MINOR: vars: Fix the set-var and unset-var converters
MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output
BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error
Thierry Fournier (1):
DOC: fix misspelled keyword "resolve_retries" in resolvers
Tim Duesterhus (1):
BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query
William Dauchy (1):
MINOR: proxy: add option idle-close-on-response
William Lallemand (13):
BUG/MINOR: httpclient: allow to replace the host header
BUG/MINOR: lua: don't expose internal proxies
BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode
BUG/MINOR: mworker: deinit of thread poller was called when not initialized
MINOR: cli: "show version" displays the current process version
BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
REGTESTS: ssl: fix ssl_default_server.vtc
BUG/MINOR: ssl: free the fields in srv->ssl_ctx
BUG/MEDIUM: ssl: free the ckch instance linked to a server
REGTESTS: ssl: update of a crt with server deletion
BUG/MINOR: cli: fix _getsocks with musl libc
BUG/MEDIUM: mworker: don't use _getsocks in wait mode
Willy Tarreau (11):
BUILD: evports: remove a leftover from the dead_fd cleanup
BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
MINOR: pools: work around possibly slow malloc_trim() during gc
BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
BUG/MEDIUM: peers: properly skip conn_cur from incoming messages
DEBUG: ssl: make sure we never change a servername on established connections
MINOR: compat: detect support for dl_iterate_phdr()
MINOR: debug: add ability to dump loaded shared libraries
MINOR: debug: add support for -dL to dump library names at boot
BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
--
Christopher Faulet