Hi,
HAProxy 2.6-dev10 was released on 2022/05/14. It added 74 new commits
after version 2.6-dev9.
A few bugs were fixed and the fixes were already backported to previous
branches (such as DNS locking issues, or state-file line increase).
There was another bunch of interesting updates on QUIC. We now support
sending a stateless reset, which is important as it's the only way to
reset an unknown connection (e.g. after the process has restarted or has
been switched to a backup server) and avoid the clients staying hung.
This requires setting a per-cluster secret key. The performance of POST
over lossy networks should have improved a little bit thanks to the
implementation of non-contiguous buffers, which make it easier to store
and process out-of-order frames. A number of other small improvements and
fixes were brought there, as usual.
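As an added illustration, not part of Willy's mail or of haproxy's own code, of why the stateless reset needs a shared per-cluster secret: the 16-byte token is derived with HKDF from that secret and the connection ID, so a freshly restarted process, or another node holding the same secret, can reset a connection it has no state for. The salt and info labels, the constructed secret and the connection ID are assumptions; haproxy's actual derivation lives in the quic-tls commits listed in the changelog.

```python
import hashlib
import hmac
import os

TOKEN_LEN = 16  # RFC 9000: a stateless reset token is 128 bits


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def reset_token(cluster_secret: bytes, cid: bytes) -> bytes:
    # Assumed derivation (labels are hypothetical): the token depends only on
    # the shared cluster secret and the connection ID, so no per-connection
    # state is needed to recompute it after a restart or a failover.
    prk = hkdf_extract(b"stateless-reset-salt", cluster_secret)
    return hkdf_expand(prk, b"stateless reset token" + cid, TOKEN_LEN)


def build_stateless_reset(cluster_secret: bytes, cid: bytes) -> bytes:
    # Minimal 21-byte stateless reset (RFC 9000 section 10.3): a first byte
    # with fixed bits 01, unpredictable bytes, then the token at the very end.
    first = bytes([0x40 | (os.urandom(1)[0] & 0x3F)])
    return first + os.urandom(4) + reset_token(cluster_secret, cid)


def client_detects_reset(datagram: bytes, advertised_token: bytes) -> bool:
    # The client compares the trailing 16 bytes of a datagram it cannot
    # otherwise process with the token the server advertised at handshake.
    if len(datagram) < 21:
        return False
    return hmac.compare_digest(datagram[-TOKEN_LEN:], advertised_token)


def demo() -> tuple:
    secret = b"constructed-cluster-secret"          # constructed sample, not a real key
    cid = bytes.fromhex("a1b2c3d4e5f60718")         # constructed connection ID
    advertised = reset_token(secret, cid)           # sent in transport parameters
    after_restart = build_stateless_reset(secret, cid)   # same secret, no state
    wrong_node = build_stateless_reset(b"other-secret", cid)
    return (client_detects_reset(after_restart, advertised),
            client_detects_reset(wrong_node, advertised))
```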
A global option was added to explicitly permit payload on GET/HEAD/DELETE
requests in HTTP/1.0. These are disabled by default since 2.5 according to
the latest HTTP spec (RFC9110 to be), but some users need them to support
old clients on specific applications.
A change of behavior was applied to certificates and CA-files: when a
directory is configured, previously we would load all files from that
directory. Now only the files not beginning with "." are considered. It
seems that most other tools loading from directories already proceed
like this and this difference in haproxy was causing trouble to some
users.
The code now builds without warnings on GCC-12.
A minor cosmetic change was done in the internal chaining of layers to
have more symmetrical relations between entities. This should make the
internal architecture a bit less difficult to grasp. However, there
remains some naming confusion that I really want to address before the
release because, for example, the link between a "stream" and a
"connection" used to be called a "conn_stream" but nowadays there may
be something different than a stream on top (e.g. a check) and something
different than a connection at the bottom (e.g. an applet). This is
really troubling at certain places and I'm a bit worried it could induce
bugs in the long term due to misunderstandings. I want this to be done
before the release so that we don't have a specific version to deal with
during backports (with the risk of getting something wrong). We'll still
work on this next week. It might produce numerous patches (or touch many
files) but this will be mechanical and will not change the produced code.
Among the remaining things that I have in mind for the release:
- there's still something incomplete regarding QUIC flow control,
so POSTs are limited to small objects and there can't be more than
roughly 50000 requests over a single connection. My understanding
is that it's not that difficult, there were just more important
things to finish before, so this will normally be OK for the release.
- William wanted to add some OCSP path settings in crt-lists, apparently
this is easy so I'm fine with this being done late.
- Christopher is finishing the patch set that allows delaying applet
initialization and which should permit outgoing peer connections to
start on multiple threads instead of all using the first one like
today.
- Fred and Amaury would like the QUIC retry mechanism to be operational
for the release (that's the equivalent of SYN cookies, and will be
useful in case of spoofing attacks).
- I'd like to finish addressing the processing of the "proto" keyword
on the "bind" lines so that it cannot specify a protocol that is
incompatible with the listening socket, and so that it's not needed
anymore with QUIC.
- We'll still have some doc updates to add, and write a few words
about QUIC and the changes it brings.
Depending on how things go and the level of extra testing required for
the final changes, there may or may not be one extra dev release next
week. If we see by the end of the week that almost nothing changed, we
could decide to directly release. If there are some sensitive enough
changes, we'll emit a dev11.
As such, please do test this one as if you were going to deploy it next week.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Documentation : http://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.6/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.6/src/CHANGELOG
Pending bugs : http://www.haproxy.org/l/pending-bugs
Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs
Code reports : http://www.haproxy.org/l/code-reports
Latest builds : http://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (13):
MINOR: ncbuf: define non-contiguous buffer
MINOR: ncbuf: complete API and define block interal abstraction
MINOR: ncbuf: optimize storage for the last gap
MINOR: ncbuf: implement insertion
MINOR: ncbuf: define various insertion modes
MINOR: ncbuf: implement advance
MINOR: ncbuf: write unit tests
BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
MINOR: xprt_quic: adjust flow-control according to bufsize
MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
CLEANUP: mux-quic: remove unused fields for Rx
CLEANUP: quic: remove unused quic_rx_strm_frm
Boyang Li (2):
BUG/MEDIUM: lua: fix argument handling in data removal functions
DOC/MINOR: fix typos in the lua-api document
Christopher Faulet (2):
MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
CLEANUP: mux-h1: Fix comments and error messages for global options
Emeric Brun (1):
BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
Frédéric Lécaille (16):
MINOR: quic: Add a debug counter for sendto() errors
BUG/MINOR: quic: Dropped peer transport parameters
BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
MINOR: quic: Congestion controller event trace fix (loss)
MINOR: quic: Add correct ack delay values to ACK frames
MINOR: config: Add "cluster-secret" new global keyword
MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
MINOR: quic: new_quic_cid() code moving
MINOR: quic: Initialize stateless reset tokens with HKDF secrets
MINOR: qc_new_conn() rework for stateless reset
MINOR: quic: Stateless reset token copy to transport parameters
MINOR: quic: Send stateless reset tokens
MINOR: quic: Short packets always embed a trailing AEAD TAG
CLEANUP: quic: wrong use of eb*entry() macro
CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
Remi Tricot-Le Breton (1):
BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
William Lallemand (4):
MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
DOC: configuration: add the httpclient keywords to the global keywords index
BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
Willy Tarreau (34):
MINOR: compiler: add a new macro to set an attribute on an enum when possible
BUILD: stats: conditionally mark obsolete stats states as deprecated
BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
BUILD: listener: shut report of possible null-deref in listener_accept()
BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
DOC: install: update gcc version requirements
BUILD: makefile: add -Wfatal-errors to the default flags
BUG/MINOR: mux-h2: mark the stream as open before processing it not after
MINOR: mux-h2: report a trace event when failing to create a new stream
MINOR: conn_stream: make cs_set_error() work on the endpoint instead
CLEANUP: mux-h1: always take the endp from the h1s not the cs
CLEANUP: mux-h2: always take the endp from the h2s not the cs
CLEANUP: mux-pt: always take the endp from the context not the cs
CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
CLEANUP: mux-quic: always take the endp from the qcs not the cs
CLEANUP: applet: use the appctx's endp instead of cs->endp
MINOR: conn_stream: add a pointer back to the cs from the endpoint
MINOR: mux-h1: remove the now unneeded h1s->cs
MINOR: mux-h2: make sure any h2s always has an endpoint
MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
MINOR: mux-fcgi: make sure any stream always has an endpoint
MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
MINOR: mux-pt: remove the now unneeded conn_stream from the context
CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
MINOR: applet: replace cs_applet_shut() with appctx_shut()
MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
CLEANUP: applet: remove the unneeded appctx->owner
CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
MINOR: ext-check: indicate the transport and protocol of a server
BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
MINOR: tools: improve error message accuracy in str2sa_range
MINOR: config: make sure never to mix dgram and stream protocols on a bind line
vigneshsp (1):
BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
---