Hi,
HAProxy 3.3-dev14 was released on 2025/11/21. It added 53 new commits
after version 3.3-dev13.
Testing was productive this week, with a number of test reports allowing
us to spot small issues. I'm not going to enumerate everything but there were
various QUIC backend fixes, a case of spinning loop detection when using
pipelined commands on the CLI, a remaining case where the idle connections
purge was not safely handled, some inconsistencies in signal handling in
the master process on startup, a fix for a rare race condition affecting
queues at high loads, a fix for the default ALPN on "bind" lines when
forcing the protocol with "proto", and more ACME minor fixes.
The "make install" target no longer installs admin tools such as halog,
instead it was moved to "make install-admin". The reason is that it was
too easy to see the halog binary built on the fly during the install
phase with options that don't match existing built objects.
The default max number of reloads ("mworker-max-reloads") is now set to
50 in order to avoid piling hundreds of processes when things go wrong.
This is more than anyone should need but at least sets a reasonable limit.
The last user-visible change is that the computed automatic maxconn value
is now displayed on startup at a notice level (i.e. always except when
quiet), instead of only in verbose mode, because it appears that some
problems happen only because users don't know their maxconn on certain
systems (typically containers), so better make this more visible.
The rest is a bit more doc (mostly ACME), various cleanups and minor
changes all over the place, and more reg tests.
Overall I don't expect to see many more regression reports nor fixes in
the next days, so in my opinion at this point we have no reason to
postpone the release that was initially planned for next week. So let's
say that unless we end up with a big last-minute show-stopper, we'll
release either on Wednesday or Thursday (this imprecision leaves us a bit
of room for final fixes ;-)).
Many thanks to all those who have been testing and reporting issues, this
helps a lot to stabilize the forthcoming release!
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.3/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.3/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (15):
MINOR: quic: do not use quic_newcid_from_hash64 on BE side
MINOR: quic: support multiple random CID generation for BE side
MINOR: quic: try to clarify quic_conn CIDs fields direction
MINOR: quic: refactor qc_new_conn() prototype
MINOR: quic: remove <ipv4> arg from qc_new_conn()
BUG/MINOR: mux-quic: implement max-reuse server parameter
MINOR: quic: fix trace on quic_conn_closed release
BUG/MINOR: quic: do not decrement jobs for backend conns
BUG/MINOR: quic: fix FD usage for quic_conn_closed on backend side
MINOR: quic: store source address for backend conns
BUG/MINOR: quic: flag conn with CO_FL_FDLESS on backend side
MINOR: h3: adjust sedesc update for known input payload len
BUG/MINOR: mux-quic: fix sedesc leak on BE side
OPTIM: mux-quic: delay FE sedesc alloc to stream creation
BUG/MINOR: mux-quic: check access on qcs stream-endpoint
Christopher Faulet (7):
MINOR: stick-tables: Rename stksess shards to use buckets
MINOR: muxes: Support an optional ALPN string when defining mux protocols
MINOR: config: Do proto detection for listeners before checks about ALPN
BUG/MEDIUM: config: Use the mux protocol ALPN by default for listeners if forced
DOC: config: Add a note about conflict with ALPN/NPN settings and proto keyword
BUG/MEDIUM: applet: Fix conditions to detect spinning loop with the new API
BUG/MEDIUM: cli: State the cli have no more data to deliver if it yields
Frederic Lecaille (5):
BUG/MEDIUM: quic-be: prevent use of MUX for 0-RTT sessions without secrets
MINOR: quic/flags: add missing QUIC flags for flags dev tool.
MINOR: quic: uneeded xprt context variable passed as parameter
BUG/MEDIUM: quic-be/ssl_sock: TLS callback called without connection
BUG/MEDIUM: quic-be: quic_conn_closed buffer overflow
Lukas Tribus (1):
DOC: http: document 413 response code
Olivier Houchard (1):
BUG/MEDIUM: queues: Don't forget to unlock the queue before exiting
William Lallemand (17):
MEDIUM: mworker: set the mworker-max-reloads to 50
CLEANUP: startup: move confusing msg variable
BUG/MEDIUM: mworker: signals inconsistencies during startup and reload
BUG/MINOR: mworker: wrong signals during startup
BUG/MINOR: acme: P-256 doesn't work with openssl >= 3.0
BUILD: Makefile: make install with admin tools
CI: github: make install-bin instead of make install
BUG/MINOR: ssl: remove dead code in ssl_sock_from_buf()
BUILD: Makefile: remove halog from install-admin
BUG/MINOR: acme: alert when the map doesn't exist at startup
DOC: acme: add details about the DNS-01 support
DOC: acme: explain how to dump the certificates
DOC: acme: configuring acme needs a crt file
DOC: acme: add details about key pair generation in ACME section
ADMIN: dump-certs: let dry-run compare certificates
BUG/MINOR: acme: handle multiple auth with the same name
BUG/MINOR: acme: prevent creating map entries with dns-01
Willy Tarreau (7):
REGTESTS: ssl: split the SSL reuse test into TLS 1.2/1.3
REGTESTS: ssl: add basic 0rtt tests for TLSv1.2, TLSv1.3 and QUIC
REGTESTS: ssl: also verify that 0-rtt properly advertises early-data:1
MINOR: limits: keep a copy of the rough estimate of needed FDs in global struct
MINOR: limits: explain a bit better what to do when fd limits are exceeded
BUG/MEDIUM: connection/ssl: also fix the ssl_sock_io_cb() regarding idle list
MINOR: limits: display the computed maxconn using ha_notice()
---