Hi,

HAProxy 3.3-dev2 was released on 2025/06/26. It added 114 new commits
after version 3.3-dev1.

As usual a few bug fixes but nothing really alarming, 3.2 for now seems
to be a pretty good one.

This version now applies the pending list of breaking changes (listed
there: https://github.com/haproxy/wiki/wiki/Breaking-changes ):

  - "dispatch" and "option transparent" are now deprecated and
    will emit a warning indicating how to replace them, and how
    to silence the warning during the transition period.

  - the deprecated "program" section is gone as well, it has never been
    really used in fact and was a source of headache for process
    management.

  - naming collisions between frontends and backends that were deprecated
    since 3.1 are no longer supported. Note that the warning was turned
    into an error, but a lot of code cleanup is still needed due to all
    the hacks in place to work with that specificity.

  - naming collisions between servers with different IDs that were also
    deprecated since 3.1 are no longer supported either. Same as above,
    some cleanup still has to be done (essentially removing handling for
    a ton of special cases that can no longer happen and that will make
    haproxy start faster with large configs).

  - the deprecated "native mailers" based on hacked TCP checks are no
    longer supported, only the Lua-based ones will make use of the mailers
    section. That makes me think that I'm not sure we have a way to
    ensure that such a script is loaded, as we don't want to have a
    mailers section not emit any error if the Lua script is not loaded.
    Will check that.

As previously indicated, the "performance" cpu-policy is now the default
starting with 3.3, which means that large machines will by default use
all their CPUs (no longer limited to 64 threads, multiple nodes will be
used and split into groups). Those with large systems and no specific
binding might observe a small increase in memory usage and an increase
in overall performance as well, as witnessed by Basha in his talk at
HAProxyConf. Performance regressions, if any, should be reported, of
course!

There's also a new option to enable/disable secure TLS renegotiation
on the backend. Do not ask me what it's used for, though, I'm mostly
summarizing what I'm seeing :-)

And almost all the remaining changes (~75%) are preparatory work to
support QUIC on the backend side. It is still extremely experimental and
under active development (hence requires "expose-experimental-directives")
but it already starts to work for current tests. While the initial use
cases probably don't seem obvious, the long term goal will be to support
QUIC on the whole chain so that we don't miss opportunities to adapt to
an ever growing ecosystem which we've adopted early, and can continue to
participate in the QMux experiments and development. As a bonus it should
help us implement the regression tests for H3 and QUIC that we've been
missing for so long, and even simplify experiments on new congestion
control algorithms. Note to myself: I should take vacation more often if
it permits my coworker to progress this fast when I'm not there ;-)

And the rest is essentially doc clarifications and minor stuff.

Due to the number of possibly breaking config changes (that were planned
and used to cause warnings but we know how we all are...) and the fact
that for now virtually nothing on the critical path was touched, it's a
good moment to give it a try just to make sure your configs continue to
load and work, as this version is very close to latest 3.2 but with these
changes. At least it's loading and working on haproxy.org!

I think we'll have to produce a new 3.2 maybe next week since there
remains a rare race in the leastconn algo, but that's about all that's
needed for it and it seems hard to trigger, so I think we can still wait
a little bit more to see if other fixes are needed. We'll see.

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (40):
      BUG/MINOR: config/server: reject QUIC addresses
      MINOR: server: implement helper to identify QUIC servers
      MINOR: server: mark QUIC support as experimental
      MINOR: mux-quic-be: allow QUIC proto on backend side
      MINOR: quic: define proper proto on QUIC servers
      BUG/MEDIUM: mux-quic: adjust wakeup behavior
      MEDIUM: backend: delay MUX init with ALPN even if proto is forced
      MINOR: quic: mark ctrl layer as ready on quic_connect_server()
      MINOR: mux-quic: improve documentation for snd/rcv app-ops
      MINOR: mux-quic: define flag for backend side
      MINOR: mux-quic: set expect data only on frontend side
      MINOR: mux-quic: instantiate first stream on backend side
      MINOR: quic: wakeup backend MUX on handshake completed
      MINOR: hq-interop: decode response into HTX for backend side support
      MINOR: hq-interop: encode request from HTX for backend side support
      BUG/MINOR: quic: prevent crash on startup with -dt
      MINOR: server: reject QUIC servers without explicit SSL
      BUG/MINOR: quic: work around NEW_TOKEN parsing error on backend side
      BUG/MINOR: quic: don't restrict reception on backend privileged ports
      MINOR: hq-interop: handle HTX response forward if not enough space
      BUG/MINOR: quic: fix ODCID initialization on frontend side
      BUG/MINOR: mux-quic: check sc_attach_mux return value
      MINOR: h3: support basic HTX start-line conversion into HTTP/3 request
      MINOR: h3: encode request headers
      MINOR: h3: complete HTTP/3 request method encoding
      MINOR: h3: complete HTTP/3 request scheme encoding
      MINOR: h3: adjust path request encoding
      MINOR: h3: adjust auth request encoding or fallback to host
      MINOR: h3: prepare support for response parsing
      MINOR: h3: convert HTTP/3 response into HTX for backend side support
      MINOR: h3: complete response status transcoding
      MINOR: h3: transcode H3 response headers into HTX blocks
      MINOR: h3: use BUG_ON() on missing request start-line
      MINOR: h3: reject invalid :status in response
      CLEANUP: connection: remove unused mux-ops dedicated to QUIC
      BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
      MINOR: mux-quic: support max bidi streams value set by the peer
      MINOR: mux-quic: abort conn if cannot create stream due to fctl
      MEDIUM: mux-quic: implement attach for new streams on backend side
      BUG/MEDIUM: quic: do not release BE quic-conn prior to upper conn

Aurelien DARRAGON (3):
      BUILD: listener: fix 'for' loop inline variable declaration
      MINOR: hlua: emit a log instead of an alert for aborted actions due to unavailable yield
      MAJOR: mailers: remove native mailers support

Christopher Faulet (9):
      BUG/MINOR: hlua: Don't forget the return statement after a hlua_yieldk()
      BUILD: hlua: Fix warnings about uninitialized variables
      BUILD: hlua: Fix warnings about uninitialized variables (2)
      BUG/MINOR: http-ana: Properly handle keep-query redirect option if no QS
      BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
      MINOR: cli: handle EOS/ERROR first
      BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
      BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
      BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation

Frederic Lecaille (40):
      MINOR: quic-be: Correct Version Information transp. param encoding
      MINOR: quic-be: Version Information transport parameter check
      MINOR: quic-be: Call ->prepare_srv() callback at parsing time
      MINOR: quic-be: QUIC backend XPRT and transport parameters init during parsing
      MINOR: quic-be: QUIC server xprt already set when preparing their CTXs
      MINOR: quic-be: Add a function for the TLS context allocations
      MINOR: quic-be: Correct the QUIC protocol lookup
      MINOR: quic-be: ssl_sock contexts allocation and misc adaptations
      MINOR: quic-be: SSL sessions initializations
      MINOR: quic-be: Add a function to initialize the QUIC client transport parameters
      MINOR: sock: Add protocol and socket types parameters to sock_create_server_socket()
      MINOR: quic-be: ->connect() protocol callback adaptations
      MINOR: quic-be: QUIC connection allocation adaptation (qc_new_conn())
      MINOR: quic-be: xprt ->init() adapatations
      MINOR: quic-be: add field for max_udp_payload_size into quic_conn
      MINOR: quic-be: Do not redispatch the datagrams
      MINOR: quic-be: Datagrams and packet parsing support
      MINOR: quic-be: Handshake packet number space discarding
      MINOR: h3-be: Correctly retrieve h3 counters
      MINOR: quic-be: Store asap the DCID
      MINOR: quic-be: Build post handshake frames
      MINOR: quic-be: Add the conn object to the server SSL context
      MINOR: quic-be: Initial packet number space discarding.
      MINOR: quic-be: I/O handler switch adaptation
      MINOR: quic-be: Store the remote transport parameters asap
      MINOR: quic-be: Missing callbacks initializations (USE_QUIC_OPENSSL_COMPAT)
      MINOR: quic-be: Make the secret derivation works for QUIC backends (USE_QUIC_OPENSSL_COMPAT)
      MINOR: quic-be: SSL_get_peer_quic_transport_params() not defined by OpenSSL 3.5 QUIC API
      MINOR: quic-be: get rid of ->li quic_conn member
      MINOR: quic-be: Prevent the MUX to send/receive data
      MEDIUM: quic-be: initialize MUX on handshake completion
      CLEANUP: quic-be: Add comments about qc_new_conn() usage
      BUG/MINOR: quic-be: CID double free upon qc_new_conn() failures
      MINOR: quic-be: Avoid SSL context unreachable code without USE_QUIC_OPENSSL_COMPAT
      BUG/MINOR: quic: Fix OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn callback (OpenSSL3.5)
      BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
      MINOR: quic-be: add a "CC connection" backend TX buffer pool
      MINOR: quic: Useless TX buffer size reduction in closing state
      MINOR: quic-be: Allow sending 1200 bytes Initial datagrams
      MINOR: quic-be: address validation support implementation (RETRY)

Maximilian Moehl (1):
      DOC: config: crt-list clarify default cert + cert-bundle

Olivier Houchard (2):
      BUG/MAJOR: fwlc: Count an avoided server as unusable.
      MINOR: fwlc: Factorize code.

Remi Tricot-Le Breton (1):
      MINOR: ssl: Add "renegotiate" server option

Valentine Krasnobaeva (3):
      DOC: config: prefer-last-server: add notes for non-deterministic algorithms
      BUG/MINOR: tools: use my_unsetenv instead of unsetenv
      CLEANUP: startup: move comment about nbthread where it's more appropriate

William Lallemand (4):
      BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
      DOC: configuration: add details on prefer-client-ciphers
      DOC: remove the program section from the documentation
      MAJOR: mworker: remove program section support

Willy Tarreau (11):
      MAJOR: cfgparse: turn the same proxy name warning to an error
      MAJOR: cfgparse: make sure server names are unique within a backend
      BUG/MINOR: tools: only reset argument start upon new argument
      MEDIUM: proxy: deprecate the "transparent" and "option transparent" directives
      REGTESTS: update http_reuse_be_transparent with "transparent" deprecated
      REGTESTS: script: also add a line pointing to the log file
      DOC: config: explain how to deal with "transparent" deprecation
      MEDIUM: proxy: mark the "dispatch" directive as deprecated
      MEDIUM: cpu-topo: switch to the "performance" cpu-policy by default
      SCRIPTS: drop the HTML generation from announce-release
      BUILD: qpack: fix a build issue on older compilers

---
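
A pre-upgrade scan for the breaking changes listed in the announcement above, as an added example that is not part of the original message and is not HAProxy code. The finding codes and the sample configuration are made up for illustration, and the parsing is simplified (whitespace-split words, "#" always starts a comment), so loading the configuration with the new version remains the authoritative test.

```python
from collections import defaultdict

PROXY_SECTIONS = {"frontend", "backend", "listen"}
OTHER_SECTIONS = {"global", "defaults", "program", "mailers", "peers",
                  "resolvers", "userlist", "cache", "ring"}

def audit(cfg_text):
    """Return [(line_number, finding_code)]; quoting is ignored (simplification)."""
    findings, proxies, servers = [], set(), defaultdict(set)
    current = None                      # name of the proxy section being read
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw = words[0]
        if kw in PROXY_SECTIONS and len(words) > 1:
            current = words[1]
            if current in proxies:      # name already used by another proxy
                findings.append((lineno, "proxy-name-collision"))
            proxies.add(current)
        elif kw in OTHER_SECTIONS:
            current = None
            if kw in ("program", "mailers"):   # removed / Lua-only: review
                findings.append((lineno, kw + "-section"))
        elif kw == "dispatch":
            findings.append((lineno, "dispatch-deprecated"))
        elif kw == "transparent" or words[:2] == ["option", "transparent"]:
            findings.append((lineno, "transparent-deprecated"))
        elif kw == "server" and current and len(words) > 1:
            if words[1] in servers[current]:   # same server name, same proxy
                findings.append((lineno, "server-name-collision"))
            servers[current].add(words[1])
    return findings

# Constructed sample configuration (addresses from the documentation range).
SAMPLE = """\
program healthagent
    command /usr/local/bin/agent
mailers alerts
    mailer smtp1 192.0.2.10:25
frontend web
    default_backend web
backend web
    server app1 192.0.2.21:8080 id 1
    server app1 192.0.2.22:8080 id 2
    option transparent
listen legacy
    dispatch 192.0.2.30:80
"""
print(audit(SAMPLE))
```

A "mailers-section" finding is a prompt to confirm that the Lua-based mailers script is loaded, not an error in itself.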