HAProxy 2.6-dev10 was released on 2022/05/14. It added 74 new commits
after version 2.6-dev9.

A few bugs were fixed and the fixes were already backported to previous
branches (such as DNS locking issues, or state-file line increase).

There was another bunch of interesting updates on QUIC. We now support
sending a stateless reset, which is important as it's the only way to
reset an unknown connection (e.g. after the process has restarted or has
been switched to a backup server) and avoid the clients staying hung.
This requires setting a per-cluster secret key. The performance of POST
over lossy networks should have improved a little bit thanks to the
implementation of non-contiguous buffers that allow to more easily store
and process out-of-order frames. A number of other small improvements and
fixes were brought there, as usual.

A global option was added to explicitly permit payload on GET/HEAD/DELETE
requests in HTTP/1.0. These are disabled by default since 2.5 according to
the latest HTTP spec (RFC9110 to be), but some users need them to support
old clients on specific applications.

A change of behavior was applied to certificates and CA-files: when a
directory is configured, previously we would load all files from that
directory. Now only the files not beginning with "." are considered. It
seems that most other tools loading from directories already proceed
like this and this difference in haproxy was causing trouble to some

The code now builds without warnings on GCC-12.

A minor cosmetic change was done in the internal chaining of layers to
have more symmetrical relations between entities. This should make the
internal architecture a bit less difficult to grasp. However, there
remains some naming confusion that I really want to address before the
release because, for example, the link between a "stream" and a
"connection" used to be called a "conn_stream" but nowadays there may
be something different than a stream on top (e.g. a check) and something
different than a connection at the bottom (e.g. an applet). This is
really troubling at certain places and I'm a bit worried it could induce
bugs in the long term due to misunderstandings. I want this to be done
before the release so that we don't have a specific version to deal with
during backports (with the risk of getting something wrong). We'll still
work on this next week. It might produce numerous patches (or touch many
files) but this will be mechanical and will not change the produced code.

Among the remaining things that I have in mind for the release:
  - there's still something incomplete regarding QUIC flow control,
    so POSTs are limited to small objects and there can't be more than
    roughly 50000 requests over a single connection. My understanding
    is that it's not that difficult, there were just more important
    things to finish before, so this will normally be OK for the release.

  - William wanted to add some OCSP path settings in crt-lists, apparently
    this is easy so I'm fine with this being done late.

  - Christopher is finishing the patch set that allows to delay applet
    initialization and which should permit outgoing peers connection to
    start on multiple threads instead of all using the first one like

  - Fred and Amaury would like the QUIC retry mechanism to be operational
    for the release (that's the equivalent of SYN cookies, and will be
    useful in case of spoofing attacks).

  - I'd like to finish to address the processing of the "proto" keyword
    on the "bind" lines so that it cannot specify a protocol that is
    incompatible with the listening socket, and that it's not needed
    anymore with QUIC.

  - We'll still have some doc updates to add, and write a few words
    about QUIC and the changes it brings.

Depending on how things go and the level of extra testing required for
the final changes, there may or may not be one extra dev release next
week. If we see by the end of the week that almost nothing changed, we
could decide to directly release. If there are some sensitive enough
changes, we'll emit a dev11.

As such, please do test this one as if you were going to deploy it next week.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (13):
      MINOR: ncbuf: define non-contiguous buffer
      MINOR: ncbuf: complete API and define block interal abstraction
      MINOR: ncbuf: optimize storage for the last gap
      MINOR: ncbuf: implement insertion
      MINOR: ncbuf: define various insertion modes
      MINOR: ncbuf: implement advance
      MINOR: ncbuf: write unit tests
      BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
      MINOR: xprt_quic: adjust flow-control according to bufsize
      MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
      MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
      CLEANUP: mux-quic: remove unused fields for Rx
      CLEANUP: quic: remove unused quic_rx_strm_frm

Boyang Li (2):
      BUG/MEDIUM: lua: fix argument handling in data removal functions
      DOC/MINOR: fix typos in the lua-api document

Christopher Faulet (2):
      MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
      CLEANUP: mux-h1: Fix comments and error messages for global options

Emeric Brun (1):
      BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket

Frédéric Lécaille (16):
      MINOR: quic: Add a debug counter for sendto() errors
      BUG/MINOR: quic: Dropped peer transport parameters
      BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
      MINOR: quic: Congestion controller event trace fix (loss)
      MINOR: quic: Add correct ack delay values to ACK frames
      MINOR: config: Add "cluster-secret" new global keyword
      MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
      MINOR: quic: new_quic_cid() code moving
      MINOR: quic: Initialize stateless reset tokens with HKDF secrets
      MINOR: qc_new_conn() rework for stateless reset
      MINOR: quic: Stateless reset token copy to transport parameters
      MINOR: quic: Send stateless reset tokens
      MINOR: quic: Short packets always embed a trailing AEAD TAG
      CLEANUP: quic: wrong use of eb*entry() macro
      CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
      CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: Fix typos in crl-file related CLI commands

William Lallemand (4):
      MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
      MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
      DOC: configuration: add the httpclient keywords to the global keywords 
      BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized

Willy Tarreau (34):
      MINOR: compiler: add a new macro to set an attribute on an enum when 
      BUILD: stats: conditionally mark obsolete stats states as deprecated
      BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
      BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
      BUILD: listener: shut report of possible null-deref in listener_accept()
      BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
      DOC: install: update gcc version requirements
      BUILD: makefile: add -Wfatal-errors to the default flags
      BUG/MINOR: mux-h2: mark the stream as open before processing it not after
      MINOR: mux-h2: report a trace event when failing to create a new stream
      MINOR: conn_stream: make cs_set_error() work on the endpoint instead
      CLEANUP: mux-h1: always take the endp from the h1s not the cs
      CLEANUP: mux-h2: always take the endp from the h2s not the cs
      CLEANUP: mux-pt: always take the endp from the context not the cs
      CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
      CLEANUP: mux-quic: always take the endp from the qcs not the cs
      CLEANUP: applet: use the appctx's endp instead of cs->endp
      MINOR: conn_stream: add a pointer back to the cs from the endpoint
      MINOR: mux-h1: remove the now unneeded h1s->cs
      MINOR: mux-h2: make sure any h2s always has an endpoint
      MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
      MINOR: mux-fcgi: make sure any stream always has an endpoint
      MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
      MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
      MINOR: mux-pt: remove the now unneeded conn_stream from the context
      CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
      MINOR: applet: replace cs_applet_shut() with appctx_shut()
      MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
      CLEANUP: applet: remove the unneeded appctx->owner
      CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into 
      MINOR: ext-check: indicate the transport and protocol of a server
      BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
      MINOR: tools: improve error message accuracy in str2sa_range
      MINOR: config: make sure never to mix dgram and stream protocols on a 
bind line

vigneshsp (1):
      BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 


Reply via email to