Hi,

HAProxy 2.9.2 was released on 2024/01/11. It added 37 new commits after version 2.9.1.
A major issue about the zero-copy forwarding in TCP mode was fixed in this release. A regression was introduced in 2.9.1, blocking connection closure on the producer side and leading to a loop consuming all the CPU. It is pretty easy to be impacted by this bug. However, there is a workaround which consists of disabling the zero-copy forwarding in TCP mode by setting the 'tune.pt.zero-copy-forwarding' global option to 'off'.

The H3 encoding of DATA frames was fixed to properly handle room issues when several frames are encoded. The handling of buffer allocation failures was also fixed in several places: zero-copy forwarding is now disabled when this happens, and the connection is closed on failures on the sending path. When an H3 HEADERS frame is encoded, an error is now triggered and the connection is closed if there are too many headers in the response. The maximum number of headers can be configured by setting the 'tune.http.maxhdr' global parameter. Finally, when an H3 RESET_STREAM is emitted, the error is now properly reported to the upper layer. It is important to do so, to interrupt future send operations. However, this issue should have no visible impact.

The QUIC OpenSSL compatibility module was fixed to be able to handle TLS capture of client hello information and to properly log TLS keys when enabled.

An issue with the SPOE was fixed to avoid an applet creation loop when all servers of the SPOE backend were detected as down.

The stats applet was fixed to retrieve the stats URI from the right proxy entity. It is especially important if the applet is configured in a frontend proxy. This fix prevents a crash when the frontend is in TCP mode.

List-based matching for maps was fixed to prevent a potential ordering regression.

Write timeouts are now properly handled when sends are blocked during zero-copy forwarding. In addition, we now take care not to truncate responses, especially internal responses, when write timeouts are triggered.
A regression about the initial resolution of server addresses was fixed: "ipv4@" and "ipv6@" prefixes were ignored at this stage. The regression was introduced at the end of the 2.9 development cycle.

During startup, errors are no longer reported when network failures are encountered for the default resolver.

A new global setting was added to the H2 multiplexer to limit the total number of H2 streams per client connection: 'tune.h2.fe.max-total-streams'. It sets the maximum number of HTTP/2 streams processed in total per incoming connection. Once this limit is reached, HAProxy sends a graceful GOAWAY frame informing the client that it will close the connection after all pending streams have been closed. In practice, clients tend to close as fast as possible when receiving this, and to establish a new connection for the next requests. Doing this is sometimes useful and desired in situations where clients stay connected for a very long time and cause some imbalance inside a farm. For example, in some highly dynamic environments, it is possible that new load balancers are instantiated on the fly to adapt to a load increase, and that once the load goes down they should be stopped without breaking established connections. By setting a limit here, connections have a limited lifetime and are frequently renewed, with some possibly being established to other nodes, so that existing resources are quickly released.

And to finish, the "show dev" CLI command was improved to dump the build options and the build features.

If you are running 2.9.0 or 2.9.1, you must upgrade.

Thanks everyone for your help and your contributions !
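As an added illustration (not part of this announcement or of the HAProxy documentation), the fragment below shows how the three global tunables mentioned above fit together in an haproxy.cfg: the 2.9.1 workaround for the TCP-mode zero-copy regression, the header count limit that now closes an H3 connection when exceeded, and the new per-connection H2 stream budget. The frontend/backend names, addresses, certificate path and the numeric values are illustrative assumptions, not recommended settings.

```haproxy
# Added example, not from the release or its docs; names and values are illustrative.

global
    # Workaround for the 2.9.1 TCP-mode regression (producer-side close blocked,
    # CPU loop): only needed while still running 2.9.1. The bug is fixed in
    # 2.9.2, where this line can be removed to get the default ('on') back.
    tune.pt.zero-copy-forwarding off

    # Maximum number of headers accepted per message. Since 2.9.2, an H3
    # response carrying more headers than this triggers an error and closes
    # the connection. 101 is HAProxy's default, written out here for clarity.
    tune.http.maxhdr 101

    # New in 2.9.2: once an incoming H2 connection has carried this many
    # streams in total, HAProxy sends a graceful GOAWAY so the client reconnects,
    # possibly to another node. Unset or 0 keeps the previous unlimited behaviour.
    # 'haproxy -c' rejects this keyword on versions before 2.9.2.
    tune.h2.fe.max-total-streams 1000

# TCP-mode proxy: the path affected by the zero-copy regression above.
frontend fe_tcp
    mode tcp
    bind :9000
    default_backend be_tcp

backend be_tcp
    mode tcp
    server s1 127.0.0.1:9001

# HTTP/2-capable frontend: the path governed by tune.h2.fe.max-total-streams.
frontend fe_https
    mode http
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_http

backend be_http
    mode http
    server s1 127.0.0.1:8080
```

Before reloading, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` and confirm the running binary with `haproxy -vv`; on 2.9.2 the same build options and features are also available from a running process via the "show dev" CLI command (for example `echo "show dev" | socat stdio /var/run/haproxy.sock`, assuming a stats socket at that path).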
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (11):
      DOC: fix typo for fastfwd QUIC option
      BUG/MINOR: mux-quic: always report error to SC on RESET_STREAM emission
      BUG/MINOR: mux-quic: disable fast-fwd if connection on error
      MINOR: h3: check connection error during sending
      BUG/MINOR: h3: close connection on header list too big
      MINOR: h3: add traces for connection init stage
      BUG/MINOR: h3: properly handle alloc failure on finalize
      BUG/MINOR: h3: close connection on sending alloc errors
      BUG/MINOR: h3: disable fast-forward on buffer alloc failure
      REGTESTS: check attach-srv out of order declaration
      BUG/MEDIUM: h3: fix incorrect snd_buf return value

Aurelien DARRAGON (7):
      MINOR: stats: store the parent proxy in stats ctx (http)
      BUG/MEDIUM: stats: unhandled switching rules with TCP frontend
      MINOR: server/event_hdl: add server_inetaddr struct to facilitate event data usage
      MINOR: server/event_hdl: update _srv_event_hdl_prepare_inetaddr prototype
      BUG/MINOR: server/event_hdl: propagate map port info through inetaddr event
      BUG/MINOR: map: list-based matching potential ordering regression
      REGTESTS: add a test to ensure map-ordering is preserved

Christopher Faulet (6):
      DOC: config: Update documentation about local haproxy response
      BUG/MINOR: server: Use the configured address family for the initial resolution
      BUG/MAJOR: stconn: Disable zero-copy forwarding if consumer is shut or in error
      BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable
      BUG/MEDIUM: stconn: Set fsb date if zero-copy forwarding is blocked during nego
      BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up

Frédéric Lécaille (1):
      BUILD: quic: Missing quic_ssl.h header protection

Frédéric Lécaille (4):
      BUG/MINOR: quic: Wrong keylog callback setting.
      BUG/MINOR: quic: Missing call to TLS message callbacks
      CLEANUP: quic: Remaining useless code into server part
      CLEANUP: quic: Double quic_dgram_parse() prototype declaration.

Ilya Shipitsin (1):
      CI: use semantic version compare for determing "latest" OpenSSL

Mariam John (1):
      MINOR: ssl: Update ssl_fc_curve/ssl_bc_curve to use SSL_get0_group_name

Miroslav Zagorac (2):
      MINOR: ot: logsrv struct becomes logger
      DOC: configuration: corrected description of keyword tune.ssl.ocsp-update.mindelay

William Lallemand (1):
      BUG/MINOR: resolvers: default resolvers fails when network not configured

Willy Tarreau (3):
      MINOR: global: export a way to list build options
      MINOR: debug: add features and build options to "show dev"
      MINOR: mux-h2: support limiting the total number of H2 streams per connection

--
Christopher Faulet