Can we please address https://github.com/haproxy/haproxy/issues/1585 before
final 2.6?


Sat, 21 May 2022 at 13:11, Willy Tarreau <w...@1wt.eu>:

> Hi,
>
> HAProxy 2.6-dev11 was released on 2022/05/20. It added 106 new commits
> after version 2.6-dev10.
>
> Yes, there were still too many changes for a final version, that's often
> like this when getting close to a release. And I couldn't finish the
> renaming of the confusing stuff in the conn_stream layer, for which I'll
> rely on Christopher's help next week. I now understand the trouble some
> developers face when creating an applet and why the only practical
> solution is to copy-paste existing stuff, because even some of the
> existing functions' comments are ambiguous if you stumble on them with
> the wrong idea of what they do, and I absolutely want to address this
> for the release, or it will further complicate development in new
> versions, or maintenance of 2.6 if we rename later.
>
> Most of the changes are of minor importance, or bug fixes though, but
> some are particularly interesting:
>  - on the SSL front, a few global settings were added to configure the
>    ssl-providers that come with OpenSSL 3 to replace the engines. At this
>    point it's not totally clear to me how this will evolve, but since
>    these are just global settings that are very likely to become necessary
>    mid-term, it's better if they're readily available.
>  - QUIC now provides a number of counters of retries, errors etc, and
>    finally supports the Retry mechanism, which is the QUIC equivalent of
>    the TCP SYN cookies. These are used to validate a client's connection
>    request and make sure it's not a spoofed packet. They can be forced, or
>    will be automatically enabled when a configurable number of incoming
>    connections are not yet confirmed. This is done via the global
>    "tune.quic.retry-threshold" parameter. BTW I'm just seeing that it's
>    not documented yet; Fred, please do not forget to update it!
>  - outgoing applets now support delayed initialization. I know it's a bit
>    late for merging this but it addresses a long-existing problem with the
>    peers and that could possibly be further emphasized with the http
>    client.
>    The problem was that outgoing applets were only created on the thread
>    that required them, and for peers it was created during config parsing,
>    thus all outgoing applets were on thread 1, possibly eating a lot of
>    CPU on this thread. That's the issue that Maciej Zdeb reported a month
>    ago. Maciej tried to address this but there was a chicken-and-egg issue
>    that made it impossible to create the applets on another thread. Now
>    that they can be initialized later, it's possible to schedule them on
>    any thread, and Maciej's patches could be integrated as well, so the
>    peers will no longer aggregate mostly on one thread.
>  - a QUIC flow-control limitation that was preventing large POST requests
>    from working was addressed, so with this last limitation removed, the
>    stack is expected to be fully operational. In addition, the HTTP/3
>    decoder now has better latency as it doesn't need to wait for a full
>    data frame anymore before starting to decode and forward it.
>  - a new global setting "cluster-secret" was added. For now it's only used
>    by QUIC for cluster-wide crypto such as retries so that a connection
>    retry can be validated by any node. It will likely be used for more QUIC
>    stuff, and it makes sense to use it for anything else that is
>    cluster-wide in the future so the option was named without "quic" in
>    its name.
>  - New option "http-restrict-req-hdr-names" was added at the proxy level.
>    It can be used to inspect HTTP header names and decide what to do with
>    those having any character other than alphanumerical or dash ("-"),
>    either delete the header or reject the request. The purpose is to help
>    protect application servers that map dash to underscore due to CGI
>    inheritance, or worse, which crash when passed such characters. The
>    option is automatically set to the delete mode in backends having
>    FastCGI configured. This will eventually be backported, because we got
>    reports of such broken application servers deployed in field where site
>    owners count on haproxy to work around this problem.
>  - some configuration issues related to QUIC remained, by which it was
>    possible to combine incompatible values of "proto" and sockets, such
>    as a QUIC bind with a "proto h2" or no "proto", or "proto quic" on a
>    TCP line, or a QUIC address used in peers, or "quic" without "ssl" etc.
>    And such combinations were problematic at runtime because the QUIC mux
>    and transport cannot be split apart, so each being used with the wrong
>    other part caused immediate crashes. This is what made "proto quic"
>    mandatory for QUIC bind lines. This was finally sorted out so that
>    incompatible combinations are now rejected at parsing time, "ssl" is
>    implied but warns that it's missing, and that "proto quic" is no more
>    necessary, as implied by the presence of "quic" in the address which
>    implies the use of QUIC connections.
>  - some build fixes on FreeBSD 13.1 and Solaris
>  - the rest is essentially code cleanups
>
> I essentially expect cleanups and fixes next week. If we face trouble,
> there will be a dev12 by the end of the week. Otherwise we could imagine
> releasing on Monday or Tuesday. So please test it, beat it, and report
> problems. If you're curious about a feature that you expect to use soon,
> please have a look at the related doc and report any confusing part you
> would notice (or better, please propose fixes).
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Documentation    : http://docs.haproxy.org/
>    Wiki             : https://github.com/haproxy/wiki/wiki
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/2.6/src/
>    Git repository   : http://git.haproxy.org/git/haproxy.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy.git
>    Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
>    Pending bugs     : http://www.haproxy.org/l/pending-bugs
>    Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
>    Code reports     : http://www.haproxy.org/l/code-reports
>    Latest builds    : http://www.haproxy.org/l/dev-packages
>
> Willy
> ---
> Complete changelog :
> Amaury Denoyelle (25):
>       BUG/MEDIUM: ncbuf: fix null buffer usage
>       MINOR: ncbuf: fix warnings for testing build
>       BUG/MEDIUM: quic: fix Rx buffering
>       OPTIM: quic: realign empty Rx buffer
>       BUG/MINOR: ncbuf: fix ncb_is_empty()
>       MINOR: ncbuf: refactor ncb_advance()
>       BUG/MINOR: mux-quic: update session's idle delay before stream creation
>       MINOR: h3: do not wait a complete frame for demuxing
>       MINOR: h3: flag demux as full on HTX full
>       MEDIUM: mux-quic: implement recv on io-cb
>       MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
>       MINOR: mux-quic: reorganize flow-control frames emission
>       MINOR: mux-quic: implement MAX_STREAM_DATA emission
>       MINOR: mux-quic: implement MAX_DATA emission
>       BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
>       MINOR: mux-quic: free RX buf if empty
>       BUG/MINOR: quic: break for error on sendto
>       MINOR: quic: abort on unlisted errno on sendto()
>       MINOR: quic: detect EBADF on sendto()
>       BUG/MEDIUM: quic: fix initialization for local/remote TPs
>       CLEANUP: quic: adjust comment/coding style for TPs init
>       MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
>       MINOR: mux-quic: emit FLOW_CONTROL_ERROR
>       MINOR: mux-quic: emit STREAM_LIMIT_ERROR
>       MINOR: mux-quic: close connection on error if different data at offset
> Christopher Faulet (30):
>       MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
>       CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
>       MINOR: applet: Prepare appctx to own the session on frontend side
>       MINOR: applet: Let the frontend appctx release the session
>       MINOR: applet: Change return value for .init callback function
>       MINOR: stream: Export stream_free()
>       MINOR: applet: Add appctx_init() helper fnuction
>       MINOR: applet: Add a function to finalize frontend appctx startup
>       MINOR: applet: Add function to release appctx on error during init stage
>       MEDIUM: dns: Refactor dns appctx creation
>       MEDIUM: spoe: Refactor SPOE appctx creation
>       MEDIUM: lua: Refactor cosocket appctx creation
>       MEDIUM: httpclient: Refactor http-client appctx creation
>       MINOR: sink: Add a ref to sink in the sink_forward_target structure
>       MEDIUM: sink: Refactor sink forwarder appctx creation
>       MINOR: peers: Add a ref to peers section in the peer structure
>       MEDIUM: peers: Refactor peer appctx creation
>       MINOR: applet: Add API to start applet on a thread subset
>       MEDIUM: applet: Add support for async appctx startup on a thread subset
>       MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
>       CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
>       REGTESTS: abortonclose: Fix some race conditions
>       BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
>       CLEANUP: peers: Remove unreachable code in peer_session_create()
>       CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
>       BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
>       BUG/MINOR: check: Reinit the buffer wait list at the end of a check
>       MEDIUM: check: No longer shutdown the connection in .wake callback function
>       REORG: check: Rename and export I/O callback function
>       MEDIUM: check: Use the CS to handle subscriptions for read/write events
> David CARLIER (1):
>       BUILD/MINOR: cpuset fix build for FreeBSD 13.1
> David Carlier (2):
>       BUILD: fix build warning on solaris based systems with __maybe_unused.
>       MINOR: tools: add get_exec_path implementation for solaris based systems.
> Frédéric Lécaille (15):
>       MINOR: quic: Dump initial derived secrets
>       MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
>       MINOR: quic_tls: Add quic_tls_decrypt2() implementation
>       MINOR: quic: Retry implementation
>       MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
>       MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
>       BUILD: stats: Missing headers inclusions from stats.h
>       MINOR: quic_stats: Add a new stats module for QUIC
>       MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
>       BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
>       MINOR: quic: QUIC stats counters handling
>       MINOR: quic: Add tune.quic.retry-threshold keyword
>       MINOR: quic: Dynamic Retry implementation
>       BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
>       BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation
> Ilya Shipitsin (2):
>       CI: determine actual LibreSSL version dynamically
>       CI: determine actual OpenSSL version dynamically
> Maciej Zdeb (2):
>       MINOR: peers: Track number of applets run by thread
>       MEDIUM: peers: Balance applets across threads
> Remi Tricot-Le Breton (5):
>       MEDIUM: ssl: Delay random generator initialization after config parsing
>       MINOR: ssl: Add 'ssl-propquery' global option
>       MINOR: ssl: Add 'ssl-provider' global option
>       BUG/MINOR: ssl: Fix crash when no private key is found in pem
>       MINOR: ssl: Add 'ssl-provider-path' global option
> Tim Duesterhus (4):
>       CLEANUP: Add missing header to ssl_utils.c
>       CLEANUP: Add missing header to hlua_fcn.c
>       CLEANUP: Remove unused function hlua_get_top_error_string
>       CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()
> Willy Tarreau (20):
>       BUG/MINOR: cfgparse: abort earlier in case of allocation error
>       BUG/MINOR: peers: fix error reporting of "bind" lines
>       CLEANUP: config: improve address parser error report for unmatched protocols
>       CLEANUP: config: provide cleare hints about unsupported QUIC addresses
>       MINOR: protocol: replace ctrl_type with xprt_type and clarify it
>       MINOR: listener: provide a function to process all of a bind_conf's arguments
>       MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
>       CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
>       MINOR: listener: add a new "options" entry in bind_conf
>       CLEANUP: listener: replace all uses of bind_conf->is_ssl with
>       CLEANUP: listener: replace bind_conf->generate_cers with
>       CLEANUP: listener: replace bind_conf->quic_force_retry with
>       CLEANUP: listener: store stream vs dgram at the bind_conf level
>       MINOR: listener: detect stream vs dgram conflict during parsing
>       MINOR: listener: set the QUIC xprt layer immediately after parsing the args
>       MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
>       MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
>       MINOR: config: detect and report mux and transport incompatibilities
>       MINOR: listener: automatically select a QUIC mux with a QUIC transport
>       MINOR: listener: automatically enable SSL if a QUIC transport is found
> ---
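
An added example (not code from HAProxy or from this message) of the header-name check the announcement describes for "http-restrict-req-hdr-names": a Python model of the delete and reject behaviours, next to the CGI-style dash-to-underscore mapping they protect against. The function names, the sample headers and the last-value-wins environment builder are assumptions made for illustration.

```python
import re

# Names made only of alphanumerical characters or dash pass the check.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9-]+")

def cgi_name(header_name):
    """CGI-style variable name: upper-case, dash mapped to underscore."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def cgi_environ(headers):
    """Model of an application server building its environment from headers.
    Assumption: a later header silently overwrites an earlier one."""
    env = {}
    for name, value in headers:
        env[cgi_name(name)] = value
    return env

def restrict_req_hdr_names(headers, mode):
    """Apply the check to a list of (name, value) pairs.
    mode 'delete' drops offending headers, mode 'reject' refuses the request.
    Returns (accepted, headers_to_forward)."""
    if mode not in ("delete", "reject"):
        raise ValueError("mode must be 'delete' or 'reject'")
    kept = []
    for name, value in headers:
        if _ALLOWED_NAME.fullmatch(name):
            kept.append((name, value))
        elif mode == "reject":
            return False, []
        # delete mode: the offending header is simply not forwarded
    return True, kept

# Constructed sample request: the second and third names differ only by
# dash versus underscore, so they collide after the CGI mapping.
SAMPLE = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "198.51.100.7"),   # value set by the proxy
    ("X_Forwarded_For", "203.0.113.9"),    # client-supplied look-alike
]

if __name__ == "__main__":
    print("unfiltered :", cgi_environ(SAMPLE)["HTTP_X_FORWARDED_FOR"])
    ok, fwd = restrict_req_hdr_names(SAMPLE, "delete")
    print("delete mode:", cgi_environ(fwd)["HTTP_X_FORWARDED_FOR"])
    print("reject mode:", restrict_req_hdr_names(SAMPLE, "reject"))
```
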
