Hi,

HAProxy 3.1-dev8 was released on 2024/09/18. It added 50 new commits
after version 3.1-dev7.

The last two weeks have been mostly dedicated to fixing bugs in order to
update stable branches, so it will be no surprise that this version mostly
contains fixes as well. They are not even particularly interesting to
describe here (frozen H1 connections, crashes with cache+compression+extra
filters, second fix for the dequeue lockup).

A few points are still worth mentioning:

  - despite the code that tries to correct possible time jumps, there were
    some uncovered cases (typically if the time changes outside the polling
    loop instead of during poll). These were addressed as well, and since
    we were already collecting the monotonic time on operating systems
    supporting it, it was the right moment to opportunistically rely on it
    when it ticks.

  - the previously discussed choice of sending warnings for all detected
    cases of conflicts on proxy names has started. Now we detect frontend
    vs backend, listen after backend, defaults vs other proxies. Some
    cleanups are still deserved for defaults handling (right now they're
    all preserved but the duplicate ones of same names should be dropped).
    Detection of server name duplicates still needs to be done.

  - accept-invalid-http-response now also tolerates responses with two
    "chunked" transfer-codings like before, because of a report of at least
    one bogus application relying on that (GitHub issue #2677). This is not
    accepted in requests though, as this remains particularly dangerous.

  - the accept-invalid-http-request/response options were more and more
    used to adapt bogus applications in ways that start to pose security
    concerns. Lukas suggested that we'd rename them in a way that makes
    this aspect more obvious, and it was the right moment! They're now
    called: "accept-unsafe-violations-in-http-request/response". The old
    ones are still supported but deprecated and will issue a warning
    suggesting the new one. With a bit of luck some users seeing the
    warning will reconsider whether or not they still need these.

  - the CLI now offers "dump ssl cert" to dump a certificate directly in
    PEM format.

  - speaking of the CLI, the "init-state" server keyword wasn't permitted
    on the "add server" directive, it is now.

  - configs with many variables should now run faster: they used to be
    stored in a linked list, and lookups could take quite some time. Now
    they're stored in a tree. This shows a performance gain of 67% at max
    speed for 100 variables set and each read 10 times in a section (OK
    that's a pretty empirical test).

We've created a new "Breaking Changes" page on the wiki. The official
purpose is to let everyone know what updates may require some efforts, but
we all know that the main goal is for me to stop forgetting about
deprecating stuff that was already planned, thus postponing that by a year
once noticed :-) That can be useful over time to help users making big
jumps from older to newer versions spanning multiple cycles.

New stable versions are coming. We're done with the backports, and are
still working on collecting the list of changes for the announce message,
and we'll hopefully issue them this Thursday.

Oh before I forget, some might not have noticed the news, but the date of
the HAProxyConf 2025 is now fixed to June 4-5 2025 in San Francisco, and
with some workshops starting on June 3. There's currently a Call For Papers
open. If you have any ideas of topics worth presenting, some cool tricks
you figured and would like to share, report a nice success story, or
enumerate all the points that annoy you in HAProxy as well, don't be shy
and please consider proposing a talk. The Call for Papers site is:
https://www.haproxyconf.com/call-for-papers/ . You can know more by
visiting the site, which is still: https://www.haproxyconf.com/ .

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.1/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (1):
      BUG/MINOR: mux-quic: report glitches to session

Aurelien DARRAGON (7):
      BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
      BUG/MEDIUM: pattern: prevent uninitialized reads in pat_match_{str,beg}
      BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
      BUG/MINOR: peers: local entries updates may not be advertised after resync
      BUG/MINOR: fix missing "log-format overrides previous 'option tcplog clf'..." detection
      BUG/MINOR: fix missing "'option httpslog' overrides previous 'option tcplog clf'..." detection
      BUG/MINOR: cfgparse-listen: fix option httpslog override warning message

Christopher Faulet (12):
      MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
      BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
      REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades
      BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
      BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established
      MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
      DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
      MINOR: proxy: Rename accept-invalid-http-* options
      DOC: configuration: Remove dangerous directives from the proxy matrix
      BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send
      BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
      BUG/MEDIUM: promex: Wait to have the request before sending the response

Damien Claisse (2):
      MINOR: server: allow init-state for dynamic servers
      DOC: management: add init-state to add server keywords

William Lallemand (1):
      MEDIUM: ssl/cli: "dump ssl cert" allow to dump a certificate in PEM format

Willy Tarreau (27):
      DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
      BUG/MEDIUM: clock: detect and cover jumps during execution
      REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
      BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
      REGTESTS: shorten a bit the delay for the h1/h2 upgrade test
      DOC: server: document what to check for when adding new server keywords
      BUG/MINOR: polling: fix time reporting when using busy polling
      BUG/MINOR: clock: make time jump corrections a bit more accurate
      BUG/MINOR: clock: validate that now_offset still applies to the current date
      BUG/MEDIUM: queue: implement a flag to check for the dequeuing
      OPTIM: sample: don't check casts for samples of same type
      OPTIM: vars: remove the unneeded lock in vars_prune_*
      OPTIM: vars: inline vars_prune() to avoid many calls
      MINOR: vars: remove the emptiness tests in callers before pruning
      IMPORT: import cebtree (compact elastic binary trees)
      OPTIM: vars: use a cebtree instead of a list for variable names
      OPTIM: vars: use multiple name heads in the vars struct
      MINOR: clock: test all clock_gettime() return values
      MEDIUM: clock: collect the monotonic time in clock_local_update_date()
      MEDIUM: clock: opportunistically use CLOCK_MONOTONIC for the internal time
      MEDIUM: clock: use the monotonic clock for idle time calculation
      MEDIUM: clock: don't compute before_poll when using monotonic clock
      BUG/MINOR: cfgparse: detect incorrect overlap of same backend names
      MEDIUM: cfgparse: warn about proxies having the same names
      BUILD: cebtree: silence a bogus gcc warning on impossible code paths
      MEDIUM: cfgparse: warn about colliding names between defaults and proxies
      MEDIUM: cfgparse: detect collisions between defaults and log-forward

---
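
Added example (not part of the announcement and not HAProxy code): a Python audit of a configuration for the two renamed options and for proxy names shared between sections, the two items above that produce new warnings. The sample configuration and the `audit` helper are constructed here, and the name check only approximates the collision cases the message lists.

```python
from collections import defaultdict

# Old -> new option names, as given in the announcement.
RENAMED = {
    "accept-invalid-http-request": "accept-unsafe-violations-in-http-request",
    "accept-invalid-http-response": "accept-unsafe-violations-in-http-response",
}
SECTIONS = {"frontend", "backend", "listen", "defaults"}

# Constructed sample configuration (not from the announcement).
SAMPLE_CFG = """\
defaults web
    option accept-invalid-http-response   # legacy app workaround

frontend web
    bind :8080
    option accept-invalid-http-request
    default_backend app

backend app
    server s1 192.0.2.10:8080

listen app
    bind :8081
    option accept-unsafe-violations-in-http-response
"""

def audit(cfg_text):
    """Return (findings, collisions) for an HAProxy configuration text."""
    findings = []                     # (line_no, section, option, note)
    names = defaultdict(list)         # proxy name -> [(kind, line_no)]
    section = "global"
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # naive comment stripping
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
            if len(words) > 1:        # anonymous defaults have no name
                names[words[1]].append((words[0], no))
        elif words[0] == "option" and len(words) > 1:
            opt = words[1]
            if opt in RENAMED:
                findings.append((no, section, opt, "deprecated, use " + RENAMED[opt]))
            elif opt in RENAMED.values():
                findings.append((no, section, opt, "relaxed parsing enabled"))
    collisions = {n: uses for n, uses in names.items() if len(uses) > 1}
    return findings, collisions
```

Each finding is a place where relaxed HTTP parsing is enabled and worth re-justifying; `haproxy -c -f <file>` remains the authoritative check for the warnings themselves.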