Hi,

HAProxy 3.4-dev3 was released on 2026/01/22. It added 80 new commits
after version 3.4-dev2.

Things are starting to move a little bit faster as new features reach
completion and get merged. The usual ~20 bugs were fixed, none of real
criticality (mostly minor, a bit of medium). The rest of the changes
are roughly split like this:

  - the work to "remove" the limit on the number of thread groups is done.
    I'm placing quotes because I think that the hard limit changed from
    64 groups to 32768 (of up to 64 threads each). Of course such numbers
    make no sense (I think I said this about 64 threads when we started
    supporting threads...). But the point is to offer more flexibility
    and a more dynamic resource allocation on large systems without
    having to rebuild again with different settings, and to permit wider
    ranges of thread limits per group (i.e. favor locality or bandwidth).
    It should theoretically have no visible impact.

  - some hash algorithms employed to encrypt passwords in userlists are
    sometimes far too slow and not suited at all to web environments, but
    it happens that some users, customers or developers are not aware and
    will provide them in config snippets that significantly inflate config
    parsing time (really) and can completely ruin runtime performance. We
    now have a timing test during startup that will result in a warning
    being emitted if a hash takes more than 10ms (which is an eternity),
    hoping that the problem will be detected before reaching production.

  - the work on dynamic backends continues. It is now possible to "publish"
    or "unpublish" an existing backend from the CLI. This is the equivalent
    for a backend of the maintenance mode for a server: use_backend rules
    pointing to it will just be ignored, letting the next matching one be
    evaluated. Backends marked "disabled" in the config will now stay and
    experience the same fate. The "force-persist" rules are now permitted
    in the frontend as well, to recognize a secret deployment key that can
    be used to force the access to such backends for testing before opening
    the service. This publish/unpublish step will be necessary later before
    removing / after adding a backend. The status is reflected in the stats
    page. And now, named defaults sections will persist even if not used
    yet (that was the initial plan in order to permit dynamic backend
    creation using them later).
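As an added illustration (not from the announcement and not from the HAProxy documentation), the configuration below shows how a frontend can combine ordered use_backend rules with a frontend-level force-persist rule so that a backend that is still disabled or unpublished stays out of normal routing but remains reachable for pre-release testing. The header name, the key value, the addresses and the backend/server names are placeholders, and the exact interaction between a frontend force-persist rule and an unpublished backend is assumed from the description above.

```haproxy
# Added example (not from the announcement). Names, addresses and the
# deploy-key value are placeholders.
global
    stats socket /run/haproxy/admin.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend web
    bind :80

    # Assumption: a request carrying the right key is treated as a tester.
    # The real key is read from the environment instead of being written
    # into the config file.
    acl has_deploy_key req.hdr(X-Deploy-Key) -m str "${DEPLOY_KEY}"

    # New in 3.4-dev3: force-persist is accepted in a frontend, so testers
    # can be routed to a backend that is still unpublished or disabled.
    force-persist if has_deploy_key

    # Normal traffic: while "app_v2" is disabled or unpublished, this rule
    # is skipped and the next matching one ("app_v1") is evaluated.
    use_backend app_v2 if { path_beg /app }
    use_backend app_v1 if { path_beg /app }
    default_backend app_v1

backend app_v1
    server v1 192.0.2.10:8080 check

backend app_v2
    disabled    # stays in the config, but hidden from use_backend selection
    server v2 192.0.2.20:8080 check
```

The publish/unpublish CLI commands mentioned above would then toggle app_v2 at runtime through the stats socket; their exact syntax is not given in this announcement, so it is not shown here.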

  - the default systemd unit file was improved to support a "conf.d"
    directory with multiple files in it. It defaults to /etc/haproxy/conf.d
    and will be mandatory on startup (if using this unit file). It will not
    be necessary however to move configs there, as the current default file
    continues to be used at the primary location. This should give a bit
    more flexibility to distros that prefer to place the process-wide sections
    in a central file (e.g. global, peers, traces, logs etc) while having
    one application per file elsewhere.

  - the -dKall command line option will now also list the "userlist" section.

  - JWE tokens now benefit from two new converters, jwt_decrypt_cert() and
    jwt_decrypt_secret(), which respectively work with asymmetric or
    symmetric algorithms. This work also opened the opportunity to add two
    new converters to encrypt/decrypt AES CBC: aes_cbc_enc(), aes_cbc_dec().

  - a few sample fetch functions like fc.timer.handshake() and other fc_*
    retrieved from tcp_info were extended to support being called in the
    connection or session rulesets. It indeed made no sense to have to call
    them for each stream regarding timings that will not change, so now
    their values can be stored in session variables if needed.
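As an added example (not from the announcement and not from the HAProxy documentation), this frontend captures the handshake timer and the kernel RTT once per connection in session variables and then forwards them on every request of that session. Addresses, header names and variable names are placeholders; it assumes that tcp-request session rules run after the TLS handshake has completed, so the timer value is final at that point.

```haproxy
# Added example (not from the announcement). Addresses, header and
# variable names are placeholders.
frontend tls_in
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    mode http

    # Assumption: tcp-request session runs once the TLS handshake is done,
    # so the timer is final here. Capture it once per connection rather
    # than re-evaluating it for every stream.
    tcp-request session set-var(sess.hs_ms) fc.timer.handshake
    tcp-request session set-var(sess.rtt_us) fc_rtt

    # Every request on the session reuses the stored values.
    http-request set-header X-Conn-Handshake-Ms %[var(sess.hs_ms)]
    http-request set-header X-Conn-Rtt-Us %[var(sess.rtt_us)]

    default_backend app

backend app
    server a1 192.0.2.30:8080 check
```

On platforms where tcp_info is not available, fc_rtt returns nothing and the variable stays unset, so the corresponding header is sent empty; the handshake timer does not depend on tcp_info.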

  - a new sample fetch function, dump_all_vars(), supports dumping all or
    just a subset of known variables based on scopes and name prefixes.
    This can be super convenient to pass timing info or trust level to an
    application server via headers for example, in a single rule instead
    of having as many rules as variables. It produces a string on output
    with a configurable delimiter.

The rest is roughly a handful of new regtests, build script updates for
AWS-LC and QuicTLS, build fixes for old macOS versions, build fixes for
newer compilers on latest Fedora, and doc updates. The CI was updated to
temporarily work around build issues with OpenSSL 4 reported in the ECH
builds.

And that's about all! At this point none of these changes represent a
specific risk, so deployment for testing on properly instrumented production
is still considered safe and encouraged, in order to test new features and
report about them. I already said it last time, but we really need to take
a break from bug handling to issue a bunch of new stable releases. Time is
scarce these days, but fixed bugs accumulate for 3.3 and 3.2 and I don't
like it when -dev is more solid than -stable (at least it should give all
of us a good reason for switching to -dev ;-)).

Oh, and let me share a pleasant observation that hadn't been seen in a
long time: in this release, over the last 2 weeks, we've had no less
than 4 new first-time contributors (Egor, Hyeonggeun, Simon and @akarl10).
Welcome to them, and let's hope the trend continues!

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (17):
      MINOR: cfgparse: remove duplicate "force-persist" in common kw list
      BUG/MEDIUM: quic: fix ACK ECN frame parsing
      BUG/MINOR: proxy: free persist_rules
      MEDIUM: stream: refactor switching-rules processing
      REGTESTS: add test on backend switching rules selection
      MEDIUM: proxy: do not select a backend if disabled
      MEDIUM: proxy: implement publish/unpublish backend CLI
      MINOR: stats: report BE unpublished status
      MINOR: cfgparse: adapt warnif_cond_conflicts() error output
      MEDIUM: proxy: force traffic on unpublished/disabled backends
      BUG/MEDIUM: mux-quic: prevent BUG_ON() on aborted uni stream close
      BUG/MINOR: proxy: fix deinit crash on defaults with duplicate name
      MINOR: proxy: remove proxy_preset_defaults()
      MINOR: proxy: refactor defaults proxies API
      MINOR: proxy: simplify defaults proxies list storage
      MEDIUM: cfgparse: do not store unnamed defaults in name tree
      MEDIUM: proxy: implement persistent named defaults

Aurelien DARRAGON (7):
      BUG/MINOR: hlua_fcn: fix broken yield for Patref:add_bulk()
      BUG/MINOR: hlua_fcn: ensure Patref:add_bulk() is given a table object before using it
      BUG/MINOR: http_act: fix deinit performed on uninitialized lf_expr in release_http_map()
      MINOR: cli: use srv_drop() when server was created using new_server()
      BUG/MINOR: server: ensure server is detached from proxy list before being freed
      BUG/MEDIUM: promex: server iteration may rely on stale server
      BUG/MEDIUM: log: parsing log-forward options may result in segfault

Christian Ruppert (1):
      REGTESTS: ssl: Fix reg-tests curve check

Egor Shestakov (4):
      BUG/MINOR: cfgparse: fix "default" prefix parsing
      REORG/MINOR: cfgparse: eliminate code duplication by lshift_args()
      DOC: fix typos in the documentation files
      DOC: fix mismatched quotes typos around words in the documentation files

Hyeonggeun Oh (6):
      MINOR: cfgparse: Refactor "userlist" parser to print it in -dKall operation
      REORG: cfgparse: move peers parsing to cfgparse-peers.c
      MINOR: tools: add chunk_escape_string() helper function
      MINOR: vars: store variable names for runtime access
      MINOR: vars: implement dump_all_vars() sample fetch
      DOC: vars: document dump_all_vars() sample fetch

Ilia Shipitsin (1):
      CI: github: switch monthly Fedora Rawhide build to OpenSSL

Olivier Houchard (11):
      MINOR: receiver: Dynamically alloc the "members" field of shard_info
      MINOR: stats: Increase the tgid from 8bits to 16bits
      BUG/MINOR: stats-file: Use a 16bits variable when loading tgid
      MEDIUM: counters: Dynamically allocate per-thread group counters
      MEDIUM: counters: Remove some extra tests
      BUG/MEDIUM: threads: Fix binding thread on bind.
      MEDIUM: counters: mostly revert da813ae4d7cb77137ed
      MINOR: queues: Turn non_empty_tgids into a long array.
      MINOR: threads: Eliminate all_tgroups_mask.
      BUG/MEDIUM: queues: Fix arithmetic when feeling non_empty_tgids
      MEDIUM: thread: Turn the group mask in thread set into a group counter

Remi Tricot-Le Breton (9):
      MINOR: ssl: Factorize AES GCM data processing
      MINOR: ssl: Add new aes_cbc_enc/_dec converters
      REGTESTS: ssl: Add tests for new aes cbc converters
      MINOR: jwe: Add new jwt_decrypt_secret converter
      MINOR: jwe: Add new jwt_decrypt_cert converter
      REGTESTS: jwe: Add jwt_decrypt_secret and jwt_decrypt_cert tests
      DOC: jwe: Add doc for jwt_decrypt converters
      MINOR: jwe: Some algorithms not supported by AWS-LC
      REGTESTS: jwe: Fix tests of algorithms not supported by AWS-LC

Simon Ser (1):
      DOC: proxy-protocol: Add SSL client certificate TLV

Tim Duesterhus (1):
      CLEANUP: connection: Remove outdated note about CO_FL `0x00002000` being unused

William Lallemand (15):
      BUILD: ssl: strchr definition changed in C23
      BUILD: tools: memchr definition changed in C23
      BUG/MINOR: cfgparse: wrong section name upon error
      BUG/MINOR: cli/stick-tables: argument to "show table" is optional
      CI: github: remove ERR=1 temporarly from the ECH job
      MEDIUM: systemd: implement directory loading
      SCRIPTS: build-ssl: use QUICTLS_VERSION instead of QUICTLS=yes
      CI: github: define the right quictls version in each jobs
      CI: github: fix vtest.yml with "not quictls"
      SCRIPTS: build-ssl: clone the quictls branch directly
      SCRIPTS: build-ssl: fix quictls build for 1.1.1 versions
      BUG/MEDIUM: ssl: fix error path on generate-certificates
      BUG/MEDIUM: ssl: fix generate-certificates option when SNI greater than 64bytes
      REGTESTS: ssl: fix generate-certificates w/ LibreSSL
      SCRIPTS: build: enable symbols in AWS-LC builds

Willy Tarreau (6):
      BUILD: sockpair: fix build issue on macOS related to variable-length arrays
      MEDIUM: config: warn if some userlist hashes are too slow
      MINOR: sample: also support retrieving fc.timer.handshake without a stream
      MINOR: tcp-sample: permit retrieving tcp_info from the connection/session stage
      BUG/MINOR: net_helper: fix IPv6 header length processing
      BUG/MEDIUM: debug: only dump Lua state when panicking

akarl10 (1):
      BUG/MINOR: ech/quic: enable ech configuration also for quic listeners

---