HAProxy 2.6-dev11 was released on 2022/05/20. It added 106 new commits
after version 2.6-dev10.

Yes, there were still too many changes for a final version, that's often
like this when getting close to a release. And I couldn't finish the
renaming of the confusing stuff in the conn_stream layer, for which I'll
rely on Christopher's help next week. I now understand the trouble some
developers face when creating an applet and why the only practical
solution is to copy-paste existing stuff, because even some of the
existing functions' comments are ambiguous if you stumble on them with
the wrong idea of what they do, and I absolutely want to address this
for the release, or it will further complicate development in new
versions, or maintenance of 2.6 if we rename later.

Most of the changes are of minor importance, or bug fixes though, but
some are particularly interesting:

 - on the SSL front, a few global settings were added to configure the
   ssl-providers that come with OpenSSL 3 to replace the engines. At this
   point it's not totally clear to me how this will evolve, but since
   these are just global settings that are very likely to become necessary
   mid-term, it's better if they're readily available.

 - QUIC now provides a number of counters of retries, errors etc, and
   finally supports the Retry mechanism, which is the QUIC equivalent of
   the TCP SYN cookies. These are used to validate a client's connection
   request and make sure it's not a spoofed packet. They can be forced, or
   will be automatically enabled when a configurable number of incoming
   connections are not yet confirmed. This is done via the global
   "tune.quic.retry-threshold" parameter. BTW I'm just seeing that it's
   not documented yet; Fred, please do not forget to update it!

 - outgoing applets now support delayed initialization. I know it's a bit
   late for merging this but it addresses a long-existing problem with the
   peers and that could possibly be further emphasized with the http client.
   The problem was that outgoing applets were only created on the thread
   that required them, and for peers it was created during config parsing,
   thus all outgoing applets were on thread 1, possibly eating a lot of
   CPU on this thread. That's the issue that Maciej Zdeb reported a month
   ago. Maciej tried to address this but there was a chicken-and-egg issue
   that made it impossible to create the applets on another thread. Now
   that they can be initialized later, it's possible to schedule them on
   any thread, and Maciej's patches could be integrated as well, so the
   peers will no longer aggregate mostly on one thread.

 - a QUIC flow-control limitation that was preventing large POST requests
   from working was addressed, so with this last limitation removed, the
   stack is expected to be fully operational. In addition, the HTTP/3
   decoder now has better latency as it doesn't need to wait for a full
   data frame anymore before starting to decode and forward it.

 - a new global setting "cluster-secret" was added. For now it's only used
   by QUIC for cluster-wide crypto such as retries so that a connection
   retry can be validated by any node. It will likely be used for more QUIC
   stuff, and it makes sense to use it for anything else that is cluster-wide
   in the future so the option was named without "quic" in its name.

 - New option "http-restrict-req-hdr-names" was added at the proxy level.
   It can be used to inspect HTTP header names and decide what to do with
   those having any character other than alphanumerical or dash ("-"),
   either delete the header or reject the request. The purpose is to help
   protect application servers that map dash to underscore due to CGI
   inheritance, or worse, which crash when passed such characters. The
   option is automatically set to the delete mode in backends having
   FastCGI configured. This will eventually be backported, because we got
   reports of such broken application servers deployed in field where site
   owners count on haproxy to work around this problem.

 - some configuration issues related to QUIC remained, by which it was
   possible to combine incompatible values of "proto" and sockets, such
   as a QUIC bind with a "proto h2" or no "proto", or "proto quic" on a
   TCP line, or a QUIC address used in peers, or "quic" without "ssl" etc.
   And such combinations were problematic at runtime because the QUIC mux
   and transport cannot be split apart, so each being used with the wrong
   other part caused immediate crashes. This is what made "proto quic"
   mandatory for QUIC bind lines. This was finally sorted out so that
   incompatible combinations are now rejected at parsing time, "ssl" is
   implied but warns that it's missing, and that "proto quic" is no more
   necessary, as implied by the presence of "quic" in the address which
   implies the use of QUIC connections.

 - some build fixes on FreeBSD 13.1 and Solaris

 - the rest is essentially code cleanups

I essentially expect cleanups and fixes next week. If we face trouble,
there will be a dev12 by the end of the week. Otherwise we could imagine
releasing on Monday or Tuesday. So please test it, beat it, and report
problems. If you're curious about a feature that you expect to use soon,
please have a look at the related doc and report any confusing part you
would notice (or better, please propose fixes).

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (25):
      BUG/MEDIUM: ncbuf: fix null buffer usage
      MINOR: ncbuf: fix warnings for testing build
      BUG/MEDIUM: quic: fix Rx buffering
      OPTIM: quic: realign empty Rx buffer
      BUG/MINOR: ncbuf: fix ncb_is_empty()
      MINOR: ncbuf: refactor ncb_advance()
      BUG/MINOR: mux-quic: update session's idle delay before stream creation
      MINOR: h3: do not wait a complete frame for demuxing
      MINOR: h3: flag demux as full on HTX full
      MEDIUM: mux-quic: implement recv on io-cb
      MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
      MINOR: mux-quic: reorganize flow-control frames emission
      MINOR: mux-quic: implement MAX_STREAM_DATA emission
      MINOR: mux-quic: implement MAX_DATA emission
      BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
      MINOR: mux-quic: free RX buf if empty
      BUG/MINOR: quic: break for error on sendto
      MINOR: quic: abort on unlisted errno on sendto()
      MINOR: quic: detect EBADF on sendto()
      BUG/MEDIUM: quic: fix initialization for local/remote TPs
      CLEANUP: quic: adjust comment/coding style for TPs init
      MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
      MINOR: mux-quic: emit FLOW_CONTROL_ERROR
      MINOR: mux-quic: emit STREAM_LIMIT_ERROR
      MINOR: mux-quic: close connection on error if different data at offset

Christopher Faulet (30):
      MEDIUM: http-ana: Add a proxy option to restrict chars in request header 
      CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
      MINOR: applet: Prepare appctx to own the session on frontend side
      MINOR: applet: Let the frontend appctx release the session
      MINOR: applet: Change return value for .init callback function
      MINOR: stream: Export stream_free()
      MINOR: applet: Add appctx_init() helper fnuction
      MINOR: applet: Add a function to finalize frontend appctx startup
      MINOR: applet: Add function to release appctx on error during init stage
      MEDIUM: dns: Refactor dns appctx creation
      MEDIUM: spoe: Refactor SPOE appctx creation
      MEDIUM: lua: Refactor cosocket appctx creation
      MEDIUM: httpclient: Refactor http-client appctx creation
      MINOR: sink: Add a ref to sink in the sink_forward_target structure
      MEDIUM: sink: Refactor sink forwarder appctx creation
      MINOR: peers: Add a ref to peers section in the peer structure
      MEDIUM: peers: Refactor peer appctx creation
      MINOR: applet: Add API to start applet on a thread subset
      MEDIUM: applet: Add support for async appctx startup on a thread subset
      MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
      CLEANUP: proxy: Remove dead code when parsing 
"http-restrict-req-hdr-names" option
      REGTESTS: abortonclose: Fix some race conditions
      BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
      CLEANUP: peers: Remove unreachable code in peer_session_create()
      CLEANUP: httpclient: Remove useless test on ss_dst in 
      BUG/MEDIUM: config: Reset outline buffer size on realloc error in 
      BUG/MINOR: check: Reinit the buffer wait list at the end of a check
      MEDIUM: check: No longer shutdown the connection in .wake callback 
      REORG: check: Rename and export I/O callback function
      MEDIUM: check: Use the CS to handle subscriptions for read/write events

David CARLIER (1):
      BUILD/MINOR: cpuset fix build for FreeBSD 13.1

David Carlier (2):
      BUILD: fix build warning on solaris based systems with __maybe_unused.
      MINOR: tools: add get_exec_path implementation for solaris based systems.

Frédéric Lécaille (15):
      MINOR: quic: Dump initial derived secrets
      MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
      MINOR: quic_tls: Add quic_tls_decrypt2() implementation
      MINOR: quic: Retry implementation
      MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
      MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
      BUILD: stats: Missing headers inclusions from stats.h
      MINOR: quic_stats: Add a new stats module for QUIC
      MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
      BUG/MINOR: quic: Fix potential memory leak during QUIC connection 
      MINOR: quic: QUIC stats counters handling
      MINOR: quic: Add tune.quic.retry-threshold keyword
      MINOR: quic: Dynamic Retry implementation
      BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
      BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation

Ilya Shipitsin (2):
      CI: determine actual LibreSSL version dynamically
      CI: determine actual OpenSSL version dynamically

Maciej Zdeb (2):
      MINOR: peers: Track number of applets run by thread
      MEDIUM: peers: Balance applets across threads

Remi Tricot-Le Breton (5):
      MEDIUM: ssl: Delay random generator initialization after config parsing
      MINOR: ssl: Add 'ssl-propquery' global option
      MINOR: ssl: Add 'ssl-provider' global option
      BUG/MINOR: ssl: Fix crash when no private key is found in pem
      MINOR: ssl: Add 'ssl-provider-path' global option

Tim Duesterhus (4):
      CLEANUP: Add missing header to ssl_utils.c
      CLEANUP: Add missing header to hlua_fcn.c
      CLEANUP: Remove unused function hlua_get_top_error_string
      CLEANUP: http_ana: Make use of the return value of 

Willy Tarreau (20):
      BUG/MINOR: cfgparse: abort earlier in case of allocation error
      BUG/MINOR: peers: fix error reporting of "bind" lines
      CLEANUP: config: improve address parser error report for unmatched 
      CLEANUP: config: provide cleare hints about unsupported QUIC addresses
      MINOR: protocol: replace ctrl_type with xprt_type and clarify it
      MINOR: listener: provide a function to process all of a bind_conf's 
      MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
      CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
      MINOR: listener: add a new "options" entry in bind_conf
      CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
      CLEANUP: listener: replace bind_conf->generate_cers with 
      CLEANUP: listener: replace bind_conf->quic_force_retry with 
      CLEANUP: listener: store stream vs dgram at the bind_conf level
      MINOR: listener: detect stream vs dgram conflict during parsing
      MINOR: listener: set the QUIC xprt layer immediately after parsing the 
      MINOR: listener/ssl: set the SSL xprt layer only once the whole config is 
      MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed 
      MINOR: config: detect and report mux and transport incompatibilities
      MINOR: listener: automatically select a QUIC mux with a QUIC transport
      MINOR: listener: automatically enable SSL if a QUIC transport is found


Reply via email to