Hi,

HAProxy 2.6.2 was released on 2022/07/22. It added 58 new commits
after version 2.6.1.

Several issues about QUIC were fixed in this release. A memory leak was
fixed on datagrams receipt. It was possible to erroneously report a
protocol violation when stream data were received with a partially new
offset with some data already consumed out of the RX buffer. It was fixed
by properly updating the buffer state. To respect RFC9000, a
CONNECTION_CLOSE frame with APPLICATION_ERROR code is now sent instead of
CONNECTION_CLOSE_APP code in an Initial or Handshake packet. The QUIC
multiplexer is now properly dealing with chunk-encoded server responses.
The FIN bit was missing on the last frame and the client was waiting
indefinitely for it. We now ensure that all data were received to signal
the end of data. Indeed, it is possible to receive the STREAM FIN while
some data are missing.

QUIC support was also improved. New counters were added to diagnose RX
buffer overrun. The datagrams receipt was improved, reducing the latency:
the RX buffer size was increased to 64kB and we try to fulfill it as much
as possible at each I/O handler call.

In addition, here are the other main issues fixed in this release:

  * Some peer sessions could be blocked during a reload because the
    connect expiration date was reset by the frontend side while it must
    only be reset by the backend side. This prevented old workers from
    dying. This issue was introduced in 2.6, during the conn-stream
    refactoring.

  * Crashes could be experienced during hot-upgrade from 2.4 to 2.6
    because the old worker was still identified as a running worker.

  * HAProxy could crash on old Glibc on dlsym() function call if it is
    statically built.

  * Several "show thread" commands running in a loop could provoke
    segfaults because of a null pointer dereference.

  * Some sessions could leak because connection errors were ignored by
    the H1 multiplexer during a synchronous send.

  * Tunneled H1 sessions could be blocked when raw data were received
    before the end of the request analysis because of a wrong assumption
    on the request buffer emptiness.

  * A bug in the "method" sample fetch could lead to a crash if it was
    used in logs for errors triggered at the mux level.

  * In HTTP/1.1, the matching between the authority and the Host header
    value for CONNECT requests was buggy. An exact match was performed
    ignoring any normalization on the port. For a CONNECT request, the
    authority must contain the port but it may be omitted from the Host
    header value for default ports (80 or 443). The matching was fixed to
    properly handle this case.

  * Unexpected FD close using SSL async engine could be experienced
    because the engine and HAProxy both closed it. To fix the issue, a
    flag is now used to instruct HAProxy to not close the FD when it is
    removed from the fdtab array.

  * Invalid 103-early-hints messages could be generated when some
    "early-hint" rules were conditioned by ACLs.

  * Depending on the declaration order of "http-check send" and "option
    httpchk" directives, the configured headers could be ignored.

  * Duplicate certificates in ca-file directories were not properly
    handled because of an OpenSSL error. The error is now ignored.

  * Lookup for a private key in extra files was not ignored when it was
    already found in the pem file, while it should have been.

  * The HTTP scheme based normalization did not properly handle the URIs
    with userinfo. They were not preserved after the normalization
    process.

  * An internal error was reported when load balancing on source IP
    address was impossible. It could happen with SPOE applets or with
    clients connected to HAProxy via a unix socket. Now, when this
    happens, a fallback to round-robin is performed.

Thanks to everyone for this release. Enjoy !

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (8):
      MINOR: ncbuf: implement ncb_is_fragmented()
      BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
      MINOR: h3: add h3c pointer into h3s instance
      MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
      MINOR: qpack: properly handle invalid dynamic table references
      BUG/MEDIUM: mux-quic: fix server chunked encoding response
      BUG/MINOR: quic: fix closing state on NO_ERROR code sent
      BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake

Benoit DOLEZ (1):
      BUILD: quic: fix anonymous union for gcc-4.4

Brad Smith (1):
      BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX

Christian Ruppert (1):
      BUILD: Makefile: Add Lua 5.4 autodetect

Christopher Faulet (16):
      BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
      BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
      BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
      BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
      BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
      MINOR: http: Add function to get port part of a host
      MINOR: http: Add function to detect default port
      BUG/MEDIUM: h1: Improve authority validation for CONNCET request
      MINOR: http-htx: Use new HTTP functions for the scheme based normalization
      BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
      REGTEESTS: filters: Fix CONNECT request in random-forwarding script
      BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
      BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
      BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
      BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side
      BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible

Emeric Brun (3):
      MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
      BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
      MINOR: fd: Add BUG_ON checks on fd_insert()

Frédéric Lécaille (13):
      BUG/MINOR: quic: Missing acknowledgments for trailing packets
      BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
      BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
      BUG/MAJOR: quic: Big RX dgrams leak with POST requests
      BUILD: quic+h3: 32-bit compilation errors fixes
      BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
      MINOR: quic: Add new stats counter to diagnose RX buffer overrun
      MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
      MINOR: task: Add tasklet_wakeup_after()
      MINOR: quic: Improvements for the datagrams receipt
      MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
      CLEANUP: h2: Typo fix in h2_unsubcribe() traces
      BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap

Ilya Shipitsin (1):
      CI: re-enable gcc asan builds

Remi Tricot-Le Breton (1):
      BUG/MINOR: ssl: Do not look for key in extra files if already in pem

William Lallemand (7):
      BUG/MINOR: peers: fix possible NULL dereferences at config parsing
      MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
      MINOR: resolvers: resolvers_destroy() deinit and free a resolver
      BUG/MINOR: resolvers: shut off the warning for the default resolvers
      BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
      BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
      BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload

Willy Tarreau (8):
      MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
      BUG/MINOR: peers/config: always fill the bind_conf's argument
      BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
      BUG/MINOR: debug: enter ha_panic() only once
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
      BUG/MINOR: tools: fix statistical_prng_range()'s output range
      BUILD: add detection for unsupported compiler models

--
Christopher Faulet
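
The CONNECT authority / Host header rule described in the announcement above, as an added example that is not part of the original message and is not HAProxy's code. The function names and sample values are assumptions made for illustration; the check requires a port in the authority and accepts a Host value without one only for ports 80 and 443.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Offset of the ":port" suffix in a host string, or len when no port is present.
 * Scanning digits from the end keeps the colons of "[::1]" from being read as a port. */
static size_t port_offset(const char *host, size_t len)
{
    size_t i = len;
    while (i > 0 && host[i - 1] >= '0' && host[i - 1] <= '9')
        i--;
    return (i > 0 && i < len && host[i - 1] == ':') ? i - 1 : len;
}

/* Default ports named in the release note: 80 and 443. */
static int is_default_port(const char *port)
{
    return strcmp(port, "80") == 0 || strcmp(port, "443") == 0;
}

/* Returns 1 when a CONNECT authority and a Host header value designate the same
 * target, 0 otherwise. The authority must carry a port; the Host value may omit
 * it only when the authority's port is a default one. */
int connect_authority_matches_host(const char *authority, const char *host)
{
    size_t alen = strlen(authority), hlen = strlen(host);
    size_t aoff = port_offset(authority, alen), hoff = port_offset(host, hlen);
    if (aoff == alen)                       /* no port in the authority */
        return 0;
    if (aoff != hoff || strncasecmp(authority, host, aoff) != 0)
        return 0;                           /* host names differ */
    if (hoff == hlen)                       /* Host header has no port */
        return is_default_port(authority + aoff + 1);
    return strcmp(authority + aoff + 1, host + hoff + 1) == 0;
}

int main(void)
{
    /* Constructed sample pairs, not taken from HAProxy's test suite. */
    const char *pairs[][2] = {
        { "example.com:443", "example.com" },      /* default port omitted: match */
        { "example.com:8443", "example.com" },     /* non-default omitted: mismatch */
        { "example.com:443", "example.com:80" },   /* different ports: mismatch */
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("%-18s %-16s -> %d\n", pairs[i][0], pairs[i][1],
               connect_authority_matches_host(pairs[i][0], pairs[i][1]));
    return 0;
}
```

A plain string comparison of the two values, the behaviour the announcement describes as buggy, would reject the first pair even though both designate the same target.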