Hi,

HAProxy 3.3-dev4 was released on 2025/07/26. It added 98 new commits
after version 3.3-dev3.

This one contains an average number of fixes (27) sprayed over mostly
quic/h3, lua, acme, applets. Nothing scary here.

For the rest:
- all remaining applets have been reworked to use their own buffers
  according to the modern API and not share them with the stream's
  channel anymore. This touches DNS, http-client, Lua, logs, peers,
  Prometheus. If you happen to maintain your own patches to add your own
  applets and have not converted them, you may see a warning indicating
  they're working in legacy mode.

- configs involving many proxies will use much less memory, as the
  storage for the "default-server" settings has now been extracted from
  the proxy struct and is released after the section is parsed (~4kB
  saved per proxy)

- some configs using lots of servers with a "track" keyword should now
  start faster. Ditto for "use-server". It happens that these mechanisms
  were still using the outdated O(N) server list traversal instead of
  the tree to look up the designated server's name.

- SSL traces now contain the ciphers, curves and sigalgs when known.

- QUIC on the backend side now supports connection reuse, but only in
  private mode for now (i.e. no sharing yet between multiple front
  connections)

- debugging: "show dev" now reports the thread->CPU bindings, and
  haproxy+OS versions are now reported in panic dumps to help sort
  out deployment issues and confusion that sometimes stems from using
  a different binary than believed in containers. ACME is also listed
  in the output of haproxy -vv's feature list.

- stats: a performance degradation caused by one extra pointer dereference
  was observed since the introduction of counters sharding. It has now
  been addressed and the original performance is recovered (and even
  slightly surpassed)

- the HTTP client will now try to be nicer to servers by sending both
  headers and body at once when available.

Then there are some cleanups, mostly in the server code, developers doc
and extra tools.

Overall there's nothing absolutely amazing nor scary here. The only
slightly sensitive area is the applets, so if you observe new issues
with the ones mentioned above, as usual, please do report!

On a side note, the site is now being crawled by AI bots a lot, and the
access to the dynamic git stuff induces high CPU and I/O usage that could
even cause some regular git access to fail. We've mitigated the effects
by better adjusting the queue management so that git clone/pull always
has priority and for now it's OK. But this also means that visiting the
gitweb pages can occasionally experience long delays (I've seen up to
more than 300 concurrent requests there, as if there were so many people
interested in suddenly reading some objects!). I don't want to go towards
more defensive measures for now, but if you're experiencing difficulties
accessing some resource, please just let me know so that we can figure
out better solutions.

Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (20):
BUG/MEDIUM: h3: do not overwrite interim with final response
BUG/MINOR: h3: properly realloc buffer after interim response encoding
BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
MINOR: qmux: change API for snd_buf FIN transmission
BUG/MEDIUM: h3: handle interim response properly on FE side
BUG/MINOR: h3: properly handle interim response on BE side
MINOR: h3: remove unused outbuf in h3_resp_headers_send()
BUG/MINOR: hq-interop: fix FIN transmission
MINOR: h3: use smallbuf for request header emission
MINOR: h3: add traces to h3_req_headers_send()
BUG/MINOR: h3: fix uninitialized value in h3_req_headers_send()
BUG/MINOR mux-quic: apply correctly timeout on output pending data
BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
MINOR: mux-quic: refactor timeout code
MINOR: mux-quic: correctly implement backend timeout
MINOR: mux-quic: disable glitch on backend side
MINOR: mux-quic: store session in QCS instance
MEDIUM: mux-quic: implement be connection reuse
MINOR: mux-quic: do not reuse connection if app already shut
MEDIUM: mux-quic: support backend private connection
Aurelien DARRAGON (6):
BUG/MINOR: logs: fix log-steps extra log origins selection
MINOR: log: explicitly ignore "log-steps" on backends
BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
MEDIUM: stats: avoid 1 indirection by storing the shared stats directly in counters struct
CLEANUP: peers: remove unused peer_session_target()
OPTIM: stats: store fast sharded counters pointers at session and stream level
Ben Kallus (2):
CLEANUP: compiler: prefer char * over void * for pointer arithmetic
CLEANUP: include: replace hand-rolled offsetof to avoid UB
Christopher Faulet (29):
BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
BUG/MEDIUM: applet: State inbuf is no longer full if input data are skipped
BUG/MEDIUM: stconn: Fix conditions to know an applet can get data from stream
BUG/MINOR: applet: Fix applet_getword() to not return one extra byte
BUG/MEDIUM: Remove sync sends from streams to applets
MINOR: applet: Add HTX versions for applet_input_data() and applet_output_room()
MINOR: applet: Improve applet API to take care of inbuf/outbuf alloc failures
MEDIUM: hlua: Update the tcp applet to use its own buffers
MINOR: hlua: Fill the request array on the first HTTP applet run
MINOR: hlua: Use the buffer instead of the HTTP message to get HTTP headers
MEDIUM: hlua: Update the http applet to use its own buffers
BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
MEDIUM: hlua: Update the socket applet to use its own buffers
BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
MEDIUM: dns: Update the dns_session applet to use its own buffers
CLEANUP: http-client: Remove useless indentation when sending request body
MINOR: http-client: Try to send request body with headers if possible
MINOR: http-client: Trigger an error if first response block isn't a start-line
BUG/MINOR: httpclient-cli: Don't try to dump raw headers in HTX mode
MINOR: httpclient-cli: Reset httpclient HTX buffer instead of removing blocks
MEDIUM: http-client: Update the http-client applet to use its own buffers
MEDIUM: log: Update the log applet to use its own buffers
MEDIUM: sink: Update the sink applets to use their own buffers
MEDIUM: peers: Update the peer applet to use its own buffers
MEDIUM: promex: Update the promex applet to use their own buffers
MINOR: applet: Add support for flags on applets with a flag about the new API
MEDIUM: applet: Emit a warning when a legacy applet is spawned
Frederic Lecaille (4):
BUG/MINOR: quic: Wrong source address use on FreeBSD
MINOR: quic: Get rid of qc_is_listener()
BUG/MEDIUM: quic-be: CC buffer released from wrong pool
MINOR: quic: Remove pool_head_quic_be_cc_buf pool
Ilia Shipitsin (1):
CLEANUP: acme: fix wrong spelling of "resources"
Olivier Houchard (1):
BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
Remi Tricot-Le Breton (6):
MINOR: ssl: Add ciphers in ssl traces
MINOR: ssl: Add curve id to curve name table and mapping functions
MINOR: ssl: Add curves in ssl traces
MINOR: ssl: Dump ciphers and sigalgs details in trace with 'advanced' verbosity
MINOR: ssl: Remove ClientHello specific traces if !HAVE_SSL_CLIENT_HELLO_CB
CLEANUP: ssl: Use only NIDs in curve name to id table
Valentine Krasnobaeva (6):
BUG/MINOR: halog: exit with error when some output filters are set simultaneously
MINOR: cpu-topo: split cpu_dump_topology() to show its summary in show dev
MINOR: cpu-topo: write thread-cpu bindings into trash buffer
MINOR: debug: align output style of debug_parse_cli_show_dev with cpu_dump_topology
MINOR: debug: add thread-cpu bindings info in 'show dev' output
BUILD: debug: add missed guard USE_CPU_AFFINITY to show cpu bindings
William Lallemand (4):
BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
BUG/MINOR: acme: allow "processing" in challenge requests
MINOR: acme: add ACME to the haproxy -vv feature list
Willy Tarreau (19):
CLEANUP: server: do not check for duplicates anymore in findserver()
REORG: server: move findserver() from proxy.c to server.c
MINOR: server: use the tree to look up the server name in findserver()
CLEANUP: server: rename server_find_by_name() to server_find()
CLEANUP: server: rename findserver() to server_find_by_name()
CLEANUP: server: use server_find_by_name() where relevant
CLEANUP: cfgparse: lookup proxy ID using existing functions
CLEANUP: stream: lookup server ID using standard functions
CLEANUP: server: simplify server_find_by_id()
CLEANUP: server: add server_find_by_addr()
CLEANUP: stream: use server_find_by_addr() in sticking_rule_find_target()
CLEANUP: server: be sure never to compare src against a non-existing defsrv
MEDIUM: proxy: take the defsrv out of the struct proxy
MINOR: proxy: add checks for defsrv's validity
MEDIUM: proxy: no longer allocate the default-server entry by default
MEDIUM: proxy: register a post-section cleanup function
MINOR: debug: report haproxy and operating system info in panic dumps
DEV: gdb: add a memprofile decoder to the debug tools
DOC: connection: explain the rules for idle/safe/avail connections
---