Hi,

HAProxy 3.2.2 was released on 2025/07/02. It added 26 new commits
after version 3.2.1.

Finally we've seen two other reports for the leastconn issue so it seems
less rare than what I wrongly assumed, so better emit a new 3.2 right now
to avoid more problems as users start to adopt it.

Among the other relevant issues solved in this version:

- BUG/MEDIUM: check: Set SOCKERR by default when a connection error is
  reported
  => possibly no effect

- a risk of wakeup loops on CLI commands with output full was addressed.
  It could consume lots of CPU while waiting, possibly leading to a crash
  (though not reported since 3.0 where the issue appeared).

- L6/L7 sample fetch functions cannot be used in Lua services since they
  don't have access to the channel, yet L6 was not rejected, possibly
  wasting time when users would try to implement them and figure why they
  don't work.

- H2 on backend side could mishandle a connection error before the preface
  and cause a wakeup loop while data from other streams were waiting to be
  evacuated to the client. It caused a loop and a crash reported for the
  first time in issue #3020 though it's been there since backend H2 is
  supported.

- using a QUIC address format on a server line is inappropriate and should
  be rejected (and now is). I have no idea what it would do till now,
  probably just fail to connect or blindly use TCP, none of which are
  acceptable nor future-proof anyway.

- the "keep-query" redirect option would cause an error in case of absence
  of query string instead of ignoring it.

- the way buffers were used in the jwt_verify() converter could sometimes
  result in the input data to be overwritten before being processed.

- the %ID log alias is not suitable for use in unique-id-format
  construction, where it would cause an infinite recursive loop during
  evaluation. Now it will detect the situation and evaluate to empty in
  this case. In addition, the evaluation of the ID is now made closer to
  where it's evaluated so as to avoid inconsistencies (e.g.
  unique-id-format referencing elements not available at log production
  time).

- BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream
  => no impact, mostly backend

- an obscure issue affecting the OpenSSL-3.5 QUIC handshake was fixed

- an erroneous encoding of QUIC frame type CONNECTION_CLOSE resulted in
  CONNECTION_CLOSE_APP instead to be emitted. The impact is unclear to
  me though :-)

- the config parser hints regarding empty args were incorrect since latest
  fixes and would report arg #1 with an incorrect position. This was now
  fixed. Note: I'm aware of yet another case where empty args are not
  properly handled, I'll work on this soon.

- the use of unsetenv() to clear the environment when re-execing is not
  reliable due to "environ" being subject to change on some OS in this
  case (e.g. illumos). This was fixed by using our dedicated function.

- the rest is essentially doc clarifications about crt-list, prefer-ciphers
  or jwt_verify.

Except for the leastconn issue, all of these were already present before
3.2, so if you upgraded and are using leastconn, you should definitely
update again to avoid a possible crash. For the rest, there's less emergency
if till now it has been working fine, but as I often say, updating when
there's no pending issue is also the right approach to avoid trouble
later ;-)

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy-3.2.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :

Amaury Denoyelle (2):
      BUG/MINOR: config/server: reject QUIC addresses
      BUG/MINOR: mux-quic/h3: properly handle too low peer fctl initial stream

Christopher Faulet (8):
      BUG/MINOR: http-ana: Properly handle keep-query redirect option if no QS
      BUG/MEDIUM: cli: Don't consume data if outbuf is full or not available
      MINOR: cli: handle EOS/ERROR first
      BUG/MEDIUM: check: Set SOCKERR by default when a connection error is reported
      BUG/MINOR: stream: Avoid recursive evaluation for unique-id based on itself
      BUG/MINOR: log: Be able to use %ID alias at anytime of the stream's evaluation
      BUG/MEDIUM: hlua: Forbid any L6/L7 sample fetche functions from lua services
      BUG/MEDIUM: mux-h2: Properly handle connection error during preface sending

Frederic Lecaille (3):
      BUG/MINOR: quic: Fix OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn callback (OpenSSL3.5)
      BUG/MINOR: quic: wrong QUIC_FT_CONNECTION_CLOSE(0x1c) frame encoding
      MINOR: quic: Useless TX buffer size reduction in closing state

Maximilian Moehl (1):
      DOC: config: crt-list clarify default cert + cert-bundle

Olivier Houchard (2):
      BUG/MAJOR: fwlc: Count an avoided server as unusable.
      MINOR: fwlc: Factorize code.

Remi Tricot-Le Breton (2):
      BUG/MINOR: jwt: Copy input and parameters in dedicated buffers in jwt_verify converter
      DOC: Fix 'jwt_verify' converter doc

Valentine Krasnobaeva (2):
      DOC: config: prefer-last-server: add notes for non-deterministic algorithms
      BUG/MINOR: tools: use my_unsetenv instead of unsetenv

William Lallemand (3):
      DOC: configuration: add details on prefer-client-ciphers
      MINOR: ssl: check TLS1.3 ciphersuites again in clienthello with recent AWS-LC
      BUG/MINOR: httpclient: wrongly named httpproxy flag

Willy Tarreau (3):
      BUG/MINOR: tools: only reset argument start upon new argument
      SCRIPTS: drop the HTML generation from announce-release
      BUILD: dev/phash: remove the accidentally committed a.out file
---
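
Added example (not part of the announcement and not HAProxy project code): a small configuration audit that flags three patterns named above, namely "balance leastconn" (the crash fixed in 3.2.2), %ID inside unique-id-format, and a QUIC address on a server line. The sample configuration, the rule names and the simplified comment handling are assumptions; quic4@ and quic6@ are HAProxy's QUIC address prefixes.

```python
import re

# Constructed sample configuration, for illustration only.
SAMPLE_CFG = """\
global
    log stdout format raw local0

defaults
    mode http
    unique-id-format %{+X}o%ci:%cp_%Ts_%ID

frontend fe_main
    bind quic4@:443 ssl crt /etc/haproxy/site.pem
    default_backend be_app

backend be_app
    balance leastconn   # affected algorithm on 3.2.0 / 3.2.1
    server app1 10.0.0.11:8080 check
    server app2 quic4@10.0.0.12:8443 check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# %ID, optionally carrying log-format flags such as %{+Q}ID
SELF_REF = re.compile(r"%(\{[^}]*\})?ID\b")

def audit(cfg_text):
    """Return (line_no, section, rule) tuples for the three patterns."""
    findings, section = [], None
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        # Simplification: '#' always starts a comment (quoting is ignored).
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in SECTIONS:
            section = " ".join(words[:2])
        elif kw == "balance" and args[:1] == ["leastconn"]:
            findings.append((no, section, "leastconn"))
        elif kw == "unique-id-format" and SELF_REF.search(" ".join(args)):
            findings.append((no, section, "unique-id-self-reference"))
        elif kw == "server" and len(args) >= 2 and \
                args[1].lower().startswith(("quic4@", "quic6@")):
            # QUIC prefixes are valid on "bind" lines, not on "server" lines.
            findings.append((no, section, "quic-server-address"))
    return findings

if __name__ == "__main__":
    for line_no, sec, rule in audit(SAMPLE_CFG):
        print(f"line {line_no} [{sec}]: {rule}")
```

A "leastconn" finding only matters on 3.2.0 or 3.2.1; the other two findings are configuration mistakes on any version.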