Hi,

HAProxy 2.9.8 was released on 2024/06/11. It added 106 new commits
after version 2.9.7.

This release is pretty huge, as the HAProxy development team was mainly
focused on finalizing the new 3.0 version. Now we are catching up on the
delay and are preparing to issue a series of new stable releases. I won't
go into any details of this release, but here is a summary of the most
notable changes.

Several fixes improve HTTP conformance. Final responses following an
interim (1xx) HTTP status code are now properly forwarded when HTTP/2 is
used as the frontend protocol. In some cases, a 502 caused by an early
server error on a fresh connection was incorrectly hidden; it is now
properly delivered and logged. CONNECT requests whose target carries a
scheme are now rejected, as they are invalid according to RFC 7230 (the
target of a CONNECT must be in authority-form). Empty paths are normalized
to "/" for absolute-form URIs. Finally, manual removal or modification of
the Content-Length and Transfer-Encoding headers via http-rules is
supported again; it had been incompatible with the first zero-copy
forwarding implementation. Note that rewriting these headers alters the
message framing, so this should never be used in production; it is only
meant for testing purposes.

The compression filter could produce truncated responses. This was due
to improper internal stream forwarding, which is now correctly handled.

Dynamic server testing under heavy load was performed during the 3.0
development cycle. This revealed that crashes could occur when a server
still in use was removed. Removal conditions were thus adjusted to reject
such an operation. Also, some settings were not completely initialized
for dynamic servers, which caused a difference in behavior compared with
static ones.

Still on the backend side, an issue was found when NTLM headers are used.
NTLM authenticates the underlying TCP connection rather than each
request, so a backend connection on which NTLM headers are seen is
dynamically marked as private to exclude it from HTTP connection reuse.
However, this is conceptually wrong when an HTTP/2 multiplexer is used on
the backend side with http-reuse set to aggressive or higher, as such a
connection can already be shared across several clients. NTLM headers are
therefore simply ignored in this case.
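As an added configuration example (not part of the announcement or of HAProxy's own documentation), here are the two backend shapes the fix distinguishes. Backend names, addresses and the CA file path are placeholders.

```haproxy
# Added example: how http-reuse interacts with NTLM on the backend side.
# Names, addresses and paths are placeholders.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Servers that authenticate clients with NTLM: the authentication is bound
# to the TCP connection, so keep the default "safe" reuse policy and plain
# HTTP/1.1 to the server. HAProxy marks a connection private as soon as
# NTLM headers are seen and reuses it only for the same session.
backend intranet_ntlm
    http-reuse safe
    server iis1 192.0.2.10:80 check

# HTTP/2 multiplexed backend with aggressive reuse: a single connection is
# already shared by many clients, so per-connection authentication cannot
# work here. Since 2.9.8 NTLM headers are ignored on such a backend instead
# of marking the shared connection private. Do not route an
# NTLM-authenticated service through a backend like this.
backend api_h2
    http-reuse aggressive
    server api1 192.0.2.20:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt alpn h2 check
```

The first backend is the one to use whenever the application relies on NTLM; the second shows the configuration under which the new behavior applies and why connection-bound authentication does not belong there.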

Minor fixes were merged for QUIC, most of them to improve LibreSSL
compatibility. Error handling was also improved to report more specific
error codes from the different layers: the QUIC multiplexer, HTTP/3 and
the QPACK decoder.

For the SSL stack, a few fixes were done, in particular for better OCSP
support. Two patches also concern cipher and certificate selection.
Firstly, haproxy could choose an ECDSA certificate even when it was not
compatible with the client's algorithms, instead of falling back to RSA.
Secondly, the ClientHello handler for WolfSSL with TLSv1.2 was not
behaving correctly.

A series of patches were written in the peers and stick-tables areas to
reduce multithreading contention. However, in one occurrence a race
condition appeared due to a relaxed lock. This was corrected while still
preserving the performance improvement. Also, the peers applet could
block when reaching the max-updates-at-once limit.

Cache hit rates should increase: previously, cached HTTP responses that
used a Vary header on anything other than Accept-Encoding, while an
Encoding header was present, were never returned from the cache.

It is now possible to disable seamless reload in master-worker mode by
using the argument '-x /dev/null'. This may be necessary for some usages
since the introduction of automatic seamless reload for master-worker
mode.

The reverse HTTP feature has been extended for the new 3.0 version,
making it more flexible. Along with this, a fix was backported to 2.9 to
properly support reverse HTTP in single-thread mode. Previously, active
connection creation via rhttp@ bind lines was not performed under this
particular condition.

An interesting security feature was backported to block traffic from
clients that use a privileged port (0 to 1023) as their source port. Such
behavior is highly suspect as it is often the sign of an amplification
attack: legitimate clients pick an ephemeral source port, while spoofed
packets crafted to reflect a larger reply onto a DNS or NTP service use a
privileged one. This can be activated using the
harden.reject-privileged-ports.{tcp|quic} global keywords. Note that on
3.0, we chose to enable it by default for QUIC. However, it remains
disabled on 2.9 and earlier versions to keep the current behavior on
stable haproxy branches, but users are free to activate it if needed. It
is particularly useful when QUIC listeners are active, to prevent haproxy
from being used as a reflector in DNS/NTP amplification attacks. However,
on TCP this protection may break some protocols such as FTP, whose
active-mode data connections originate from port 20.
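As an added configuration example (not from the announcement or from HAProxy's documentation), the keywords as they would be set on 2.9.8 for a site served over both TCP/TLS and QUIC. The certificate path, addresses and section names are placeholders; the QUIC listener requires a QUIC-enabled build.

```haproxy
# Added example: privileged-source-port hardening on a frontend serving the
# same site over TCP/TLS and QUIC. Paths and addresses are placeholders.
# On 2.9.8 both keywords default to "off"; on 3.0 the QUIC one defaults to
# "on", so this mirrors the 3.0 defaults explicitly.

global
    harden.reject-privileged-ports.quic on
    # Keep the TCP protection off if any listener fronts a protocol whose
    # peers legitimately connect from a privileged source port, such as
    # FTP active-mode data connections (port 20).
    harden.reject-privileged-ports.tcp  off

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    http-response set-header alt-svc 'h3=":443"; ma=3600'
    default_backend app

backend app
    server app1 192.0.2.10:8080 check
```

Before switching the TCP keyword to "on", check the frontend logs for clients whose source port is below 1024; if none appear over a representative period, the TCP protection can be enabled without breaking legitimate traffic.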

Not much on the SPOE front, with a proper rewrite of the engine now
scheduled for upcoming releases. In 2.9, a single bug fix is merged,
which allows the applet to retry later when reaching buffer exhaustion
instead of returning a definitive I/O error.

On the Lua side, a series of cleanups and minor bug fixes are merged.
Most of them are related to error handling, which may improve script
debugging. Also, a crash was fixed when using the CertCache module from
the init context.

The CLI applet now reports a proper error message when a command larger
than the buffer size is rejected. Previously, the CLI connection was
silently closed without further information.

A Solaris user reported that external checks were causing an infinite
loop. This was due to wrong signal handling in evports, the Solaris
polling mechanism, present since its first introduction in haproxy.

Thanks to everyone who contributed to this release.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.9/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.9.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.9.git
   Changelog        : https://www.haproxy.org/download/2.9/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

---
Complete changelog :
Amaury Denoyelle (19):
      BUG/MEDIUM: server: fix dynamic servers initial settings
      BUG/MEDIUM: quic: fix connection freeze on post handshake
      MINOR: session: rename private conns elements
      BUG/MAJOR: server: do not delete srv referenced by session
      BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
      BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
      BUG/MINOR: backend: use cum_sess counters instead of cum_conn
      BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
      BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
      BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
      BUG/MINOR: server: free PROXY v2 TLVs on srv drop
      BUG/MEDIUM: rhttp: fix preconnect on single-thread
      BUG/MINOR: rhttp: prevent listener suspend
      BUG/MINOR: rhttp: fix task_wakeup state
      MEDIUM: config: prevent communication with privileged ports
      BUG/MINOR: quic: adjust restriction for stateless reset emission
      DOC: quic: specify that connection migration is not supported
      BUG/MINOR: quic: prevent crash on qc_kill_conn()
      CI: scripts: reset backported changes on macOS version

Aurelien DARRAGON (15):
      BUG/MINOR: log: fix lf_text_len() truncate inconsistency
      BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
      BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
      CLEANUP: log: lf_text_len() returns a pointer not an integer
      DOC: lua: fix filters.txt file location
      BUG/MINOR: log: smp_rgs array issues with inherited global log directives
      BUG/MEDIUM: fd: prevent memory waste in fdtab array
      DOC: config: add %ID logformat alias alternative
      BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
      CLEANUP: hlua: use hlua_pusherror() where relevant
      BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
      BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
      BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
      BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
      CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()

Christopher Faulet (25):
      MINOR: mux-h1: Move checks performed before a shutdown in a dedicated function
      MINOR: mux-h1: Move all stuff to detach a stream in an internal function
      MAJOR: mux-h1: Drain requests on client side before shut a stream down
      MEDIUM: htx/http-ana: No longer close connection on early HAProxy response
      BUG/MINOR: cli: Report an error to user if command or payload is too big
      BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fresh server connection
      BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
      BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
      BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
      BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
      BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
      BUG/MINOR: stconn: Fix sc_mux_strm() return value
      BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
      BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
      BUG/MINOR: stats: Don't state the 303 redirect response is chunked
      MINOR: mux-h1: Add a flag to ignore the request payload
      MEDIUM: mux-h1: Support C-L/T-E header suppressions when sending messages
      BUG/MINOR: http-ana: Don't crush stream termination condition on internal error
      BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
      BUG/MEDIUM: stick-tables: Fix race with peers when trashing oldest entries
      BUG/MEDIUM: stick-tables: Fix race with peers when killing a sticky session
      BUG/MINOR: http-htx: Support default path during scheme based normalization
      BUG/MINOR: server: Don't reset resolver options on a new default-server line
      BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
      BUG/MEDIUM: stick-tables: Fix locking of updt_lock when trashing oldest entries

Damien Claisse (1):
      BUG/MINOR: server: fix slowstart behavior

Frederic Lecaille (3):
      MINOR: net_helper: Add support for floats/doubles.
      BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
      BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)

Ilia Shipitsin (1):
      BUILD: clock: improve check for pthread_getcpuclockid()

Ilya Shipitsin (2):
      CI: revert kernel addr randomization introduced in 3a0fc864
      CI: modernize macos matrix

Patrick Hemmer (3):
      REGTEST: add tests for acl() sample fetch
      BUG/MINOR: acl: support built-in ACLs with acl() sample
      BUG/MINOR: cfgparse: use curproxy global var from config post validation

Remi Tricot-Le Breton (4):
      BUG/MAJOR: ocsp: Separate refcount per instance and per store
      BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing
      BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
      REGTESTS: cache: Add test on 'vary' other than accept-encoding

Valentine Krasnobaeva (4):
      BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
      CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
      BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
      BUG/MINOR: activity: fix Delta_calls and Delta_bytes count

William Lallemand (6):
      MEDIUM: ssl: initialize the SSL stack explicitly
      BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
      CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
      DOC: configuration: update the crt-list documentation
      BUG/MEDIUM: ssl: wrong priority when limiting ECDSA ciphers in ECDSA+RSA configuration
      BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL

Willy Tarreau (23):
      BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
      BUG/MINOR: listener: always assign distinct IDs to shards
      BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
      BUILD: cache: fix non-inline vs inline declaration mismatch to silence a warning
      BUG/MEDIUM: peers/trace: fix crash when listing event types
      BUG/MAJOR: stick-tables: fix race with peers in entry expiration
      BUG/MEDIUM: evports: do not clear returned events list on signal
      BUG/MINOR: sock: handle a weird condition with connect()
      BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
      BUG/MINOR: h1: fix detection of upper bytes in the URI
      BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
      BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
      BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
      BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
      BUILD: quic: fix unused variable warning when threads are disabled
      BUG/MEDIUM: stick-tables: make sure never to create two same remote entries
      DOC: config: fix incorrect section reference about custom log format
      REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
      CI: scripts: fix build of vtest regarding option -C
      BUILD: fd: errno is also needed without poll()
      BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
      BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
      BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory

---

-- 
Amaury Denoyelle
