Hi, HAProxy 2.6.1 was released on 2022/06/21. It added 59 new commits after version 2.6.0.
This version was primarily prepared to distribute a set of fixes related to the QUIC stack. It nonetheless also ships with improvements in other areas. Here is a brief summary.

QUIC is in experimental phase on 2.6 and, as expected, we received user reports early on. The most important was a defect in our QPACK implementation which filtered some HTTP headers to the backend. This caused most advanced web applications to malfunction, with browsers automatically switching back to legacy HTTP. Now that it has been resolved, the situation has improved significantly and it is now possible to navigate complex webapps powered by QUIC/HTTP-3.

Other bugs with less impact were fixed, such as the PTO timer which was not properly initialized on connection initialization. This could cause some connections to be instantly closed when dealing with ClientHello messages split over several QUIC packets. Also, the process-wide half-open connection counter was wrongly calculated and frequently wrapped. This counter is most notably used to detect suspect client behavior, which automatically activates address validation with Retry packets, provided that a cluster-secret is specified in the haproxy configuration. Aside from these bugs, we also resolved some crashes and memory leaks.

Overall, the QUIC stability so far seems pretty good, even if we still suspect memory leaks. We frequently deploy the development version on haproxy.org, which gives us good confidence in it, complemented by a daily interop test suite. QUIC enthusiasts are welcome to give it a try and test it despite its experimental status. User feedback is always welcome to determine our next steps. In particular, I would like to thank here Tristan of mangadex and Shawn Heisey for their reports and help on the subject.

Outside of QUIC, a bug report was issued on the memory consumption of the docker image, which has risen significantly since 2.4. Actually, it is linked to the master/worker mode and can be observed in environments with a high file descriptor limit. The culprit was the master process, which is now re-executed to release the memory allocated after configuration loading. However, its allocated fdtab was no longer limited by the configured maxconn parameter. To resolve this, a sane fixed internal maxconn limit has been applied to the master process.

Mailers health checks were causing a crash since the refactoring of the internal haproxy connection stack introduced in 2.6. This is now fixed. Speaking of the massive refactoring in 2.6, the first weeks of this new version seem to indicate that it is fairly stable; this should facilitate code maintenance, in particular when dealing with applets. One of the only regressions caused by it was identified when performing a TCP to HTTP upgrade. This could have caused a crash, but it is now solved.

The HTTP client also received some fixes. First, the CLI applet is no longer closed at the end of a response; closing it prevented the use of the CLI interactive mode. A regression which removed the first header of a response is solved. Finally, the response may also have been truncated in the rare case where the haproxy internal output buffer was full.

The set of CLI commands to manage SSL certificates has been improved. Similarly to the HTTP client, message/error reporting for "commit ssl" commands may have been lost if the haproxy internal output buffer was full. Also, "show ssl" commands might have looped when issued in parallel with a running certificate transaction. Finally, a crash was reproduced on "add ssl crt-list", but this was encountered only in the dubious case where it referenced a certificate used both by a bind and a server instance.

The option "dontlog-normal" was broken since 2.6.0. This was caused by a previous fix on the server connection retries counter. It was reported on our github issue tracker and is now functional again.
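The following configuration is an added example written for this page; it is not part of the 2.6.1 announcement nor taken from the haproxy.org repository. It ties together the settings the fixes above touch: the global maxconn that sizes the worker fdtab in master/worker mode, the cluster-secret without which Retry address validation stays silently disabled, an HTTP/3 listener, and "option forwardfor" / "option dontlog-normal" in a frontend. It assumes a 2.6 build with USE_QUIC=1 against a QUIC-capable TLS library, that the quic4@ bind prefix still requires "expose-experimental-directives" on 2.6, that "tune.quic.retry-threshold" is available to trigger Retry on half-open connection pressure, and that the certificate path and secret value are placeholders to replace.

```haproxy
# Added example configuration, not taken from the announcement or from the
# haproxy project. Assumes a 2.6 build with USE_QUIC=1 and a QUIC-capable
# TLS library; /etc/haproxy/certs/site.pem and the secret are placeholders.
global
    log stdout format raw local0
    master-worker
    # Global maxconn sizes the workers' fdtab. Since 2.6.1 the re-executed
    # master process caps its own fdtab independently, so a large value
    # here no longer inflates the master in high-FD-limit environments.
    maxconn 50000
    # Assumed requirement on 2.6: QUIC bind prefixes are experimental and
    # must be explicitly unlocked.
    expose-experimental-directives
    # Shared secret used to derive Retry tokens (and stateless reset
    # tokens). Without it, Retry address validation is silently disabled.
    cluster-secret "replace-with-a-random-secret"
    # Assumed tuning knob: once this many half-open (not yet validated)
    # connections exist, new Initial packets are answered with Retry
    # instead of allocating state, limiting amplification from spoofed
    # source addresses. This is the counter fixed in 2.6.1.
    tune.quic.retry-threshold 100

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    # Advertise HTTP/3 so browsers can switch to QUIC after the first TCP hit.
    http-response set-header alt-svc 'h3=":443"; ma=3600'
    # Rewrite performed outside http-rules: adds X-Forwarded-For. When it
    # fails, 2.6.1 logs it the same way as a failed http-rules rewrite
    # rather than as an internal error.
    option forwardfor
    # Log only sessions with errors or abnormal terminations; this option
    # is functional again in 2.6.1.
    option dontlog-normal
    default_backend be_app

backend be_app
    # Assumed alternative: make rewrite failures non-fatal for this backend
    # (the header is left out instead of the stream being aborted).
    # http-request strict-mode off
    server app1 127.0.0.1:8080 check
```

Validate the file with "haproxy -c -f <file>" before reloading; with "option dontlog-normal" in place, a rewrite failure is one of the few events from an otherwise healthy listener that will still reach the log, so it is worth watching for after an upgrade.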
Haproxy might rewrite some parts of an HTTP request outside of http-rules, for example to add an X-Forwarded-For header when "option forwardfor" is set. Previously, failures on these rewrite operations were reported as internal errors in logs. Now, they appear as rewrite failures, which is consistent with http-rules error reporting.

Thanks to everyone for this release. Enjoy !

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (10):
      BUG/MINOR: h3: fix frame type definition
      BUG/MEDIUM: mux-quic: fix flow control connection Tx level
      BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
      BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
      BUG/MINOR: qpack: support header litteral name decoding
      MINOR: qpack: add comments and remove a useless trace
      BUG/MINOR: h3/qpack: deal with too many headers
      BUG/BUILD: h3: fix wrong label name
      BUG/MINOR: quic: purge conn Rx packet list on release
      BUG/MINOR: quic: free rejected Rx packets

Christopher Faulet (36):
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
      BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
      BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
      BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
      BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
      BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
      MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
      MEDIUM: httpclient: Don't close CLI applet at the end of a response
      REGTESTS: abortonclose: Add a barrier to not mix up log messages
      REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
      BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
      BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
      REGTESTS: http_abortonclose: Extend supported versions
      REGTESTS: restrict_req_hdr_names: Extend supported versions
      BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
      BUG/MINOR: trace: Test server existence for health-checks to get proxy
      BUG/MINOR: checks: Properly handle email alerts in trace messages
      REGTESTS: healthcheckmail: Update the test to be functionnal again
      REGTESTS: healthcheckmail: Relax health-check failure condition
      BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
      BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
      BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
      BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
      MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
      BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option

Frédéric Lécaille (5):
      BUG/MINOR: quic: Stop hardcoding Retry packet Version field
      BUG/MINOR: quic: Wrong PTO calculation
      BUG/MINOR: quic: Unexpected half open connection counter wrapping
      BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
      BUG/MINOR: quic: Acknowledgement must be forced during handshake

William Lallemand (3):
      BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
      BUG/MEDIUM: mworker: use default maxconn in wait mode
      REGTESTS: ssl: add the same cert for client/server

Willy Tarreau (5):
      BUILD: compiler: implement unreachable for older compilers too
      BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
      BUG/MINOR: server: do not enable DNS resolution on disabled proxies
      BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
      BUG/MINOR: task: fix thread assignment in tasklet_kill()

---
-- 
Amaury Denoyelle