HAProxy 2.6.1 was released on 2022/06/21. It added 59 new commits
after version 2.6.0.

This version was primarily prepared to distribute a set of fixes related
to the QUIC stack. It is nonetheless also shipped with improvements on
other areas as well. Here is a brief summary.

QUIC is in experimental phase on 2.6 and as expected we received users
reports early on. The most important was a defect in our QPACK
implementation which filtered some HTTP headers to the backend. This
caused most advanced web applications to malfunction, with browsers
automatically switching back to legacy HTTP. Now that is has been
resolved, the situation has been fairly improved and it is now possible
to navigate on complex webapps powered by QUIC/HTTP-3. Other bugs with
less impact were fixed such as the PTO timer which was not properly
initialized on connection initialization. This could cause some
connections to be instantly closed when dealing with ClientHello
messages splitted over several QUIC packets. Also, the process half open
connection counter was wrongly calculated and frequently wrapped. This
information is most notably used to detect suspect client behavior which
will automatically activate address validation with Retry packets,
provided that a cluster-secret is specified in haproxy configuration.

Asides of this bugs, we also resolved some crashes and memleaks.
Overall, the QUIC stability so far seems pretty good, even if we still
suspect memory leaks. We frequently deploy the development version on
haproxy.org which give us a good confidence on it, completed with a
daily interop test suite. For QUIC enthusiats, you are welcome to give
it a try and test it despite its experimental status. Users feedback is
always welcome to determine our next steps. In particular, I would like
to thank here Tristan of mangadex and Shawn Heisey for their reports and
help on the subject.

Outside of QUIC, a bug report was issued on the memory consumption of
the docker image which has significantly risen since 2.4. Actually, it
is linked to the master/worker mode, and can be observed in environments
with a high file descriptors limit. The culprit was the master process
which now is re-exec to release memory allocated after configuration
loading. However, its allocated fdtab was not limited anymore by the
configured maxconn parameter. To resolve this situation, a sane fixed
internal maxconn limit has been applied on the master process.

Mailers healthchecks were causing a crash since the refactoring of the
internal haproxy connection stack introduced in 2.6. This is now fixed.

Speaking of the massive refactoring of the 2.6, the first weeks of this
new version seems to indicate that it is fairly stable; this should
facilitate code maintenance, in particular when dealing with applets.
One of the only regression caused by it was identified when performing
TCP to HTTP upgrade. This could have caused a crash but it is now

The HTTP client also received some fixes. First, CLI output is not
closed at the end of the response, which prevented to use the CLI
interactive mode. A regression which removed the first header of a
response is solved. Finally, the reponse may also have been truncated in
the rare case where haproxy internal output buffer was full.

The CLI commands set to manage SSL certificates has been improved.
Similarly to the HTTP client, message/error reporting for "commit ssl"
commands may have been lost if haproxy internal output buffer is full.
Also, "show ssl" commands might have produced a loop when issued in
parallel with a running certificate transaction. Finally, a crash was
reproduced on "add ssl crt-list" but this was encountered only in the
dubious case where it referenced a certificate used both by a bind and a
server instance.

The option "dontlog" was broken since 2.6.0. This was caused by a
previous fix on the server connection retries counter. This has been
reported on our github issue tracker and it's now functional again.

Haproxy might rewrite some parts of an HTTP request outside of
http-rules, for an example to add an X-Forwarded-For header when "option
forwardfor" is set. Previously, failures on these rewrites operations
were reported as internal errors in logs. Now, this appears as rewrite
failure, which is consistent with http-rules error reporting.

Thanks to everyone for this release. Enjoy !

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (10):
      BUG/MINOR: h3: fix frame type definition
      BUG/MEDIUM: mux-quic: fix flow control connection Tx level
      BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
      BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
      BUG/MINOR: qpack: support header litteral name decoding
      MINOR: qpack: add comments and remove a useless trace
      BUG/MINOR: h3/qpack: deal with too many headers
      BUG/BUILD: h3: fix wrong label name
      BUG/MINOR: quic: purge conn Rx packet list on release
      BUG/MINOR: quic: free rejected Rx packets

Christopher Faulet (36):
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry 
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry 
      BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
      BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer 
      BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer 
      BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating 
      BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
      MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
      MEDIUM: httpclient: Don't close CLI applet at the end of a response
      REGTESTS: abortonclose: Add a barrier to not mix up log messages
      REGTESTS: http_request_buffer: Increase client timeout to wait "slow" 
      BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
      BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" 
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O 
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O 
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O 
      REGTESTS: http_abortonclose: Extend supported versions
      REGTESTS: restrict_req_hdr_names: Extend supported versions
      BUG/MEDIUM: mailers: Set the object type for check attached to an email 
      BUG/MINOR: trace: Test server existence for health-checks to get proxy
      BUG/MINOR: checks: Properly handle email alerts in trace messages
      REGTESTS: healthcheckmail: Update the test to be functionnal again
      REGTESTS: healthcheckmail: Relax health-check failure condition
      BUG/MINOR: tcp-rules: Make action call final on read error and delay 
      BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
      BUG/MEDIUM: cli: Notify cli applet won't consume data during request 
      BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
      MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
      BUG/MINOR: log: Properly test connection retries to fix dontlog-normal 

Frédéric Lécaille (5):
      BUG/MINOR: quic: Stop hardcoding Retry packet Version field
      BUG/MINOR: quic: Wrong PTO calculation
      BUG/MINOR: quic: Unexpected half open connection counter wrapping
      BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field 
      BUG/MINOR: quic: Acknowledgement must be forced during handshake

William Lallemand (3):
      BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
      BUG/MEDIUM: mworker: use default maxconn in wait mode
      REGTESTS: ssl: add the same cert for client/server

Willy Tarreau (5):
      BUILD: compiler: implement unreachable for older compilers too
      BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
      BUG/MINOR: server: do not enable DNS resolution on disabled proxies
      BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
      BUG/MINOR: task: fix thread assignment in tasklet_kill()


Amaury Denoyelle

Reply via email to