HAProxy 2.6.18 was released on 2024/06/18. It added 82 new commits after
version 2.6.17.

This version follows the first release of 3.0. Here is a summary of the
most notable changes.

Several fixes are applied for better HTTP conformance. In some cases,
502 server initial errors were incorrectly hidden and are now properly
logged.  CONNECT requests with a scheme are now rejected as they are
invalid according to RFC 7230. Empty paths are normalized to "/" for
aboslute-form URI.

Dynamic servers testing under heavy load have been performed during 3.0
development cycle. This revealed that crashes could occur due to the
removal of a server currently in used. Removal conditions were thus
adjusted to reject such operation. Also, some settings were not
completely initialized for dynamic servers which cause a difference of
behavior with static ones.

Still on the backend side, an issue was found when NTLM headers are
used. This caused the backend connection to be marked dynamically as
private to prevent HTTP reuse. However, this is conceptually wrong when
using HTTP/2 multiplexer on the backend side with http-reuse mode set to
aggressive or higher, as this connection can already be shared accross
several clients. Thus, NTLM headers are simply ignored in this case.

Minor fixes were merged for QUIC. Most of them are related to improve
the LibreSSL compatibility. Other than that, error handling was improved
to report more specific error codes from the different layers of QUIC
multiplexer, HTTP/3 or QPACK decoder.

For the SSL stack, cipher algorithm negotiation was adjusted as haproxy
could have chosen an ECDSA certificate even if not compatible with
client algorithms instead of fallback to RSA.

A bug was fixed for the peer applet where a blocking condition could
occured when reaching max-updates-at-once limit.

Cache hits should be increased as previously cached HTTP responses which
used Vary header on anything other than Accept-encoding but with
Encoding header present were never returned from the cache.

It is now possible to disable seamless reload on master-worker mode by
using the argument '-x /dev/null'. This may be necessary for some usage
since the introduction of automatic seamless reload for master-worker

An interesting security feature was backported to block traffic with
clients which use privileged port as their source port value. Such
behavior is highly suspect as it is often the sign of an amplification
attack. This can be activated using
harden.reject-privileged-ports.{tcp|quic} keywords. Note that on 3.0, we
chose to set it by default for QUIC. However, it remains disabled on 2.9
and lesser versions to keep the current behavior on stable haproxy
branches, but users are free to activate it if needed. It is
particularly useful when QUIC listeners are active to prevent DNS/NTP
amplification attack.  However, on TCP this protection may break some
protocols such as FTP.

On the LUA side, a serie of cleanups and minor bugfixes are merged. Most
of them are relevant to error handling which may improve script
debugging. Also a crash was fixed when using CacheCert module from init

A Solaris user reported that external checks were causing an infinite
loop. In fact, this was due to a wrong signal handling in evports,
Solaris polling mechanism, present since its first introduction in

Thanks to everyone who contributed to this release.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.6/src/
   Git repository   : https://git.haproxy.org/git/haproxy-2.6.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-2.6.git
   Changelog        : https://www.haproxy.org/download/2.6/src/CHANGELOG
   Dataplane API    : 
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Complete changelog :
Amaury Denoyelle (17):
      BUG/MEDIUM: mux-quic: report early error on stream
      BUG/MEDIUM: quic: remove unsent data from qc_stream_desc buf
      MINOR: server: allow cookie for dynamic servers
      BUG/MINOR: backend: use cum_sess counters instead of cum_conn
      BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
      BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
      BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
      MEDIUM: config: prevent communication with privileged ports
      BUG/MINOR: quic: adjust restriction for stateless reset emission
      DOC: quic: specify that connection migration is not supported
      BUG/MINOR: quic: prevent crash on qc_kill_conn()
      BUG/MEDIUM: server: fix dynamic servers initial settings
      BUG/MEDIUM: quic: fix connection freeze on post handshake
      MINOR: session: rename private conns elements
      BUG/MAJOR: server: do not delete srv referenced by session
      BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
      BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe

Aurelien DARRAGON (17):
      BUG/MINOR: ext-check: cannot use without preserve-env
      BUG/MINOR: log: fix lf_text_len() truncate inconsistency
      BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
      BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
      CLEANUP: log: lf_text_len() returns a pointer not an integer
      DOC: lua: fix filters.txt file location
      MINOR: log: add dup_logsrv() helper function
      BUG/MINOR: log: keep the ref in dup_logger()
      BUG/MINOR: log: smp_rgs array issues with inherited global log directives
      BUG/MEDIUM: fd: prevent memory waste in fdtab array
      BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
      CLEANUP: hlua: use hlua_pusherror() where relevant
      BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
      BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
      BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
      BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
      CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()

Christopher Faulet (14):
      MINOR: cli: Remove useless loop on commands to find unescaped semi-colon
      BUG/MEDIUM: cli: Warn if pipelined commands are delimited by a \n
      BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server 
      BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
      BUG/MEDIUM: stconn: Don't forward channel data if input data must be 
      BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
      BUG/MINOR: stconn: Fix sc_mux_strm() return value
      BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme 
is found
      BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
      BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L 
      BUG/MINOR: stats: Don't state the 303 redirect response is chunked
      BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
      BUG/MINOR: http-htx: Support default path during scheme based 
      BUG/MINOR: server: Don't reset resolver options on a new default-server 

Damien Claisse (1):
      BUG/MINOR: server: fix slowstart behavior

Frederic Lecaille (3):
      MINOR: net_helper: Add support for floats/doubles.
      BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
      BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)

Ilia Shipitsin (1):
      BUILD: clock: improve check for pthread_getcpuclockid()

Ilya Shipitsin (1):
      CI: revert kernel addr randomization introduced in 3a0fc864

Remi Tricot-Le Breton (1):
      BUG/MEDIUM: cache: Vary not working properly on anything other than 

Valentine Krasnobaeva (3):
      BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
      BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
      BUG/MINOR: haproxy: only tid 0 must not sleep if got signal

William Lallemand (3):
      BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x 
      CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
      BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA 

Willy Tarreau (21):
      BUG/MEDIUM: cli: fix once for all the problem of missing trailing LFs
      MINOR: ext-check: add an option to preserve environment variables
      BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
      BUG/MEDIUM: peers/trace: fix crash when listing event types
      BUG/MEDIUM: evports: do not clear returned events list on signal
      BUG/MINOR: sock: handle a weird condition with connect()
      BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of 
      BUG/MINOR: h1: fix detection of upper bytes in the URI
      BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
      BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
      BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
      BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating 
      DOC: config: fix incorrect section reference about custom log format
      REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
      CI: scripts: fix build of vtest regarding option -C
      BUILD: fd: errno is also needed without poll()
      BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state 
      BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
      BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
      MINOR: hlua: don't dump empty entries in hlua_traceback()
      BUG/MEDIUM: quic: don't blindly rely on unaligned accesses

Amaury Denoyelle

Reply via email to