Hi,
HAProxy 2.6.6 was released on 2022/09/21. It added 68 new commits
after version 2.6.5.
As usual, this release fixed several bugs:
* Several bugs on the QUIC and h3 parts were fixed. Mainly:
- It was possible to experience crashes when an HTTP/3 connection was
released before having sent any data. The API was updated to properly
handle this case.
- The QUIC connection's nb_hreq counter, used to track the number of
active HTTP requests, could be decremented too often. This led to
crashes when HAProxy was built with DEBUG_STRICT=2. Otherwise, it was
breaking the timeout logic for QUIC connections.
- Data forwarded from the application layer to a reset QUIC stream
instance were fully accounted but not consumed, leaving the
corresponding channel in an inconsistent state. Because of this bug,
some sessions were blocked indefinitely with no activity and no way to
recover.
- QUIC streams could be remotely closed too early if the FIN bit was
received before having received all the data. It was only an issue
when HAProxy was built with DEBUG_STRICT=2.
- It was possible to crash HAProxy when verifying certificates because,
most of the time, the connection object was not yet initialized at this
stage. A special case was added for QUIC to retrieve the quic_conn.
- Crashes for the same reason could be experienced when "tls-ticket-keys"
was used on QUIC bind lines.
* It was possible to trigger the watchdog because of extreme contention
on the proxy's lock while the libc was in malloc()/free(). It was mainly
due to the error capture: a call to free() was made under the lock for no
particular reason. The object is now released outside of the proxy's lock.
* Pausing or resuming a proxy from Lua code could lead to races because
these operations were performed outside the proxy's lock. To fix the
issue and prevent any trouble, the proxy's API was slightly refactored
to make sure the proxy's lock is always acquired by the low-level functions.
* It was possible to crash HAProxy when adding a server with a hostname from
the CLI. In itself, this is not an issue, but the server is created with no
address and one operation was not guarded against NULL addresses.
* TCP sinks initialization was performed too early, leading to crashes when
SSL is configured.
* The character escaping process in log messages was not correctly handling
strings coming from sample fetches, truncating the output string.
In addition, some improvements were brought:
* Headers case adjustment in H1 is now available for TCP proxies. It was
an issue for HTTP health-checks on the backend side or for TCP connections
upgraded to HTTP on the frontend side.
* The task profiling was fixed to be more accurate.
* The stats applet reported paused frontends as OPEN. Now, these
frontends are reported as PAUSED.
* The number of updates sent at once during peers synchronization can now
be limited. By default the maximum number of updates is limited to 200 and this
can be tuned via the "tune.peers.max-updates-at-once" global parameter.
The idea is to avoid some latency issues with large buffers which may
trigger the watchdog in the worst cases.
* Encrypted passwords in userlists are now supported on NetBSD.
Thanks everyone for your help. A special thanks to Tristan for his help to
debug QUIC issues and make it more reliable. A 2.5 and a 2.4 will be emitted
soon to bring some fixes shipped in 2.6.5 and 2.6.6.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.6/src/
Git repository : https://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
Changelog : https://www.haproxy.org/download/2.6/src/CHANGELOG
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (9):
BUG/MEDIUM: mux-quic: fix crash on early app-ops release
CLEANUP: mux-quic: remove stconn usage in h3/hq
BUG/MINOR: mux-quic: do not remotely close stream too early
BUG/MEDIUM: mux-quic: fix nb_hreq decrement
BUG/MINOR: mux-quic: do not keep detached qcs with empty Tx buffers
REORG: mux-quic: extract traces in a dedicated source file
REORG: mux-quic: export HTTP related function in a dedicated file
MINOR: mux-quic: refactor snd_buf
BUG/MEDIUM: mux-quic: properly trim HTX buffer on snd_buf reset
Aurelien DARRAGON (8):
BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
MINOR: listener: small API change
MINOR: proxy/listener: support for additional PAUSED state
BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN'
CLEANUP: listener: function comment typo in stop_listener()
BUG/MINOR: listener: null pointer dereference suspected by coverity
BUG/MEDIUM: server: segv when adding server with hostname from CLI
BUG/MINOR: log: improper behavior when escaping log data
Brad Smith (2):
MINOR: Revert part of clarifying samples support per os commit
BUILD: makefile: enable crypt(3) for NetBSD
Christopher Faulet (4):
BUG/MINOR: h1: Support headers case adjustment for TCP proxies
BUG/MINOR: task: Fix detection of tasks profiling in tasklet_wakeup_after()
BUG/MINOR: mux-h1: Increment open_streams counter when H1 stream is created
REGTESTS: healthcheckmail: Relax matching on the healthcheck log message
Emeric Brun (1):
BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.
Frédéric Lécaille (12):
BUG/MINOR: quic: Retransmitted frames marked as acknowledged
BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines
BUG/MINOR: quic: Possible crash when verifying certificates
MINOR: quic: Add traces about sent or resent TX frames
MINOR: quic: No TRACE_LEAVE() in retrieve_qc_conn_from_cid()
BUG/MINOR: quic: Wrong connection ID to thread ID association
BUG/MINOR: quic: Speed up the handshake completion only one time
BUG/MINOR: quic: Trace fix about packet number space information.
BUG/MINOR: h3: Crash when h3 trace verbosity is "minimal"
MINOR: h3: Add the quic_conn object to h3 traces
MINOR: h3: Missing connection argument for a TRACE_LEAVE() argument
MINOR: h3: Send the h3 settings with others streams (requests)
Ilya Shipitsin (4):
CI: cirrus-ci: bump FreeBSD image to 13-1
REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
REGTESTS: ssl: fix grep invocation to use extended regex in ssl_generate_certificate.vtc
Mathias Weiersmueller (1):
DOC: fix TOC in starter guide for subsection 3.3.8. Statistics
Matthias Wirth (1):
BUG/MINOR: signals/poller: ensure wakeup from signals
William Lallemand (11):
BUILD: quic: add some ifdef around the SSL_ERROR_* for libressl
BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb
BUILD: quic: temporarly ignore chacha20_poly1305 for libressl
BUILD: quic: enable early data only with >= openssl 1.1.1
BUILD: ssl: fix the ifdef mess in ssl_sock_initial_ctx
BUILD: quic: fix the #ifdef in ssl_quic_initial_ctx()
MINOR: quic: add QUIC support when no client_hello_cb
BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
REGTESTS: log: test the log-forward feature
REGTESTS: ssl/log: test the log-forward with SSL
MEDIUM: quic: separate path for rx and tx with set_encryption_secrets
Willy Tarreau (14):
MEDIUM: peers: limit the number of updates sent at once
BUG/MINOR: task: always reset a new tasklet's call date
BUG/MINOR: task: make task_instant_wakeup() work on a task not a tasklet
MINOR: task: permanently enable latency measurement on tasklets
CLEANUP: task: rename ->call_date to ->wake_date
BUG/MINOR: sched: properly account for the CPU time of dying tasks
MINOR: sched: store the current profile entry in the thread context
BUG/MINOR: stream/sched: take into account CPU profiling for the last call
DEV: flags: fix usage message to reflect available options
DEV: flags: add missing CO_FL_FDLESS connection flag
CLEANUP: pollers: remove dead code in the polling loop
BUG/MEDIUM: captures: free() an error capture out of the proxy lock
BUILD: fd: fix a build warning on the DWCAS
SCRIPTS: announce-release: update some URLs to https
cui fliter (1):
CLEANUP: quic,ssl: fix tiny typos in C comments
--
Christopher Faulet