Hi,

HAProxy 3.4-dev13 was released on 2026/05/20. It added 78 new commits
after version 3.4-dev12.

The number and the severity of bugs are significantly shrinking (36 total,
10 medium and 26 minor), and they almost all come from code review,
indicating that they're getting increasingly difficult to trigger.

Among the other changes, we have:
  - the QUIC mux now supports stream elasticity and contributes to its
    measurement, so that both QUIC and H2 will be able to share the same
    total number of streams in order to regulate the overall load.

  - some last minute cleanups revealed that an old API issue in the
    mux selection code was not completely addressed (confusion between
    the "proto" token and the alpn token, stemming from the fact that
    both arrived with h2 first where both the mux and the protocol have
    the same name). But after an amazingly productive engineering meeting,
    this was fixed in an afternoon by Olivier and Amaury so that we
    shouldn't have to revisit this any time soon.

  - the mux selection fix above now allows h1, h2, and h3 to coexist on the
    same "bind" line (when using QMUX over TCP+SSL+ALPN). Previously, h3
    required dedicating a port to "proto qmux" only. QMUX remains
    conditioned to the experimental directive regardless.

  - on Linux with CONFIG_USER_NS (yeah, I know, precisely the one that
    everyone is having fun with these days, but we had the idea before
    this became popular :-)), unprivileged users may chroot as well.
    This can be very convenient as the lack of chroot is always the main
    reason I explain that starting unprivileged is less secure.

  - a new directive, "chroot auto" supports the creation of an empty
    chroot on the fly: we create the directory, enter it, remove it and
    chroot there. This way it's guaranteed to be totally empty, to lack
    "." and ".." and that it's impossible to create anything into it, and
    it no longer requires knowing the path to another empty directory on
    the operating system. This could help distro packaging (one less FS
    entry to care about). I'm still thinking about switching to
    "chroot auto" by default in 3.5.
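The two chroot items above (unprivileged chroot, and "chroot auto" creating, entering, removing and then chrooting into a directory) are illustrated by the following added C program. It is not HAProxy's code and does not reflect how its startup code is organised; the /tmp path name is constructed for the example and the function names are hypothetical. prepare_vanishing_dir() performs the create/enter/remove steps and demo_vanishing_dir() then verifies the two properties the text claims for the result: the directory can no longer be found by path, and nothing can be created inside it. enter_vanishing_chroot() performs the final chroot(".") and needs CAP_SYS_CHROOT (which the text notes unprivileged users can obtain on Linux with CONFIG_USER_NS), so the demo does not call it.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700      /* chroot(), fchdir() declarations */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Steps 1-3: create a fresh directory, make it the cwd, then unlink it.
 * The cwd now refers to a directory with no name: path lookups can't
 * reach it, there is no "." or ".." entry to walk, and the kernel refuses
 * to create anything in an unlinked directory (ENOENT on Linux).
 * <path> receives the constructed name so the caller can check it. */
static int prepare_vanishing_dir(char *path, size_t len)
{
    /* constructed example name; HAProxy's own naming is not on this page */
    snprintf(path, len, "/tmp/chroot-demo.%ld", (long)getpid());
    if (mkdir(path, 0700) < 0)
        return -1;
    if (chdir(path) < 0) {
        rmdir(path);
        return -1;
    }
    if (rmdir(path) < 0)           /* Linux allows removing the cwd */
        return -1;
    return 0;
}

/* Step 4: pivot into the unlinked cwd. Requires CAP_SYS_CHROOT.
 * Not exercised by the demo below, which runs unprivileged. */
static int enter_vanishing_chroot(void)
{
    if (chroot(".") < 0)
        return -1;
    return chdir("/");             /* don't keep a cwd outside the new root */
}

/* Demo: returns 0 when the unlinked cwd behaves as the text claims, i.e.
 * the path is gone and file creation inside it is refused. Restores the
 * caller's cwd before returning so the rest of the process is unaffected. */
static int demo_vanishing_dir(void)
{
    char path[64];
    struct stat st;
    int saved = open(".", O_RDONLY);
    int rc = -1;

    if (saved < 0)
        return -1;
    if (prepare_vanishing_dir(path, sizeof(path)) == 0) {
        int gone = (stat(path, &st) < 0 && errno == ENOENT);
        int probe = open("probe", O_WRONLY | O_CREAT, 0600);
        int refused = (probe < 0 && errno == ENOENT);

        if (probe >= 0) {          /* should not happen; clean up if it does */
            close(probe);
            unlink("probe");
        }
        if (gone && refused)
            rc = 0;
    }
    if (fchdir(saved) < 0)
        rc = -1;
    close(saved);
    return rc;
}

int main(void)
{
    int rc = demo_vanishing_dir();
    printf("unlinked cwd is empty and sealed: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

Because the directory is removed before the chroot, there is no path on the filesystem through which another process, or a later bug in the jailed one, could populate the jail; that is the property that makes the approach attractive for packaging compared with pointing "chroot" at a directory that must be kept empty by convention.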

  - speaking about chroot, when starting as root with no chroot directive,
    a warning is now emitted reminding that it is an extremely bad idea
    and that if that's really what's desired, "chroot /" is the way to
    go to silence the warning. At least insecure configs will now be
    explicit!

  - a trace provided by Christian showing extreme stick-table contention
    revealed that we were still freeing some elements under a lock and
    that it was likely further increasing contention. This was modified
    so that the elements are moved to a temporary list and released out
    of the lock. First tests indicate an even lower load (or higher perf
    as you prefer). At least the peak CPU usage in this situation should
    be lower now.
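The "unlink under the lock, free outside it" pattern described above, as an added C example rather than HAProxy's stick-table code: the list, entry layout and expiry ticks are constructed for the demo, and the function names are hypothetical. expire_deferred() does only pointer surgery while holding the mutex, moving expired entries onto a private list, and calls free() only after the mutex is released, so threads queued on the lock wait for the unlinking, not for the allocator.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy entry standing in for a stick-table element */
struct entry {
    struct entry *next;
    unsigned expire;      /* tick at which the entry expires */
    char key[16];
};

struct table {
    pthread_mutex_t lock; /* protects head and count */
    struct entry *head;
    unsigned count;
};

static void table_init(struct table *t)
{
    pthread_mutex_init(&t->lock, NULL);
    t->head = NULL;
    t->count = 0;
}

static int table_add(struct table *t, const char *key, unsigned expire)
{
    struct entry *e = malloc(sizeof(*e));
    if (!e)
        return -1;
    snprintf(e->key, sizeof(e->key), "%s", key);
    e->expire = expire;
    pthread_mutex_lock(&t->lock);
    e->next = t->head;
    t->head = e;
    t->count++;
    pthread_mutex_unlock(&t->lock);
    return 0;
}

/* Expire entries whose tick is <= now. The only work done under the lock
 * is unlinking: expired entries are moved to a private list, and free()
 * (which may take the allocator's own locks) runs after unlock, so other
 * threads waiting for the table lock are blocked for less time.
 * Returns the number of entries released. */
static unsigned expire_deferred(struct table *t, unsigned now)
{
    struct entry *todo = NULL, **pp;
    unsigned freed = 0;

    pthread_mutex_lock(&t->lock);
    for (pp = &t->head; *pp; ) {
        struct entry *e = *pp;
        if (e->expire <= now) {
            *pp = e->next;   /* unlink from the shared list */
            e->next = todo;  /* push on the private list */
            todo = e;
            t->count--;
        } else {
            pp = &e->next;
        }
    }
    pthread_mutex_unlock(&t->lock);

    /* Nothing else references these entries now: release them unlocked */
    while (todo) {
        struct entry *next = todo->next;
        free(todo);
        todo = next;
        freed++;
    }
    return freed;
}

/* Build a table with <total> entries expiring at ticks 0..total-1 */
static void build_table(struct table *t, unsigned total)
{
    char key[16];
    table_init(t);
    for (unsigned i = 0; i < total; i++) {
        snprintf(key, sizeof(key), "k%u", i);
        table_add(t, key, i);
    }
}

static void table_destroy(struct table *t)
{
    expire_deferred(t, ~0u);  /* every tick is <= UINT_MAX */
    pthread_mutex_destroy(&t->lock);
}

/* Demo helpers: entries freed, and entries left, when expiring at <now> */
static unsigned freed_at(unsigned total, unsigned now)
{
    struct table t;
    build_table(&t, total);
    unsigned n = expire_deferred(&t, now);
    table_destroy(&t);
    return n;
}

static unsigned remaining_at(unsigned total, unsigned now)
{
    struct table t;
    build_table(&t, total);
    expire_deferred(&t, now);
    unsigned n = t.count;
    table_destroy(&t);
    return n;
}
```

The private list is safe to walk without the lock because every node on it was unlinked from the shared structure while the lock was held, so no other thread can obtain a fresh reference to it; the same reasoning is what makes the deferral valid for any structure where ownership transfers atomically at unlink time.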

And a few smaller changes that had been waiting in the todo list:
  - server's "hash-key" directive now supports "id32" (to use the full
    32 bits of the ID instead of 28) and "guid" (to hash on the GUID,
    convenient across large deployments).

  - haterm's master pipe and splice settings are no longer initialized
    when not used (setting large pipe sizes would previously report
    warnings about haterm even if unrelated since not used).

  - cleanup of multiplies in malloc() and related calls. It was one of the
    suggested low-hanging fruits after the audit a few months ago, that
    we ought to avoid multiplying size by counts in malloc() arguments
    but do it in a dedicated function to catch possible overflows coming
    from too large configuration settings. That was done (25 places). It's
    very possible that a number of other ones remain but that's not a
    problem, the principle is to be proactive and show the good practices
    for the future.
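To make the failure mode behind this cleanup concrete, here is an added C example; it is not HAProxy's array_size_or_fail(), whose exact interface is not on this page, and mul_overflows(), would_overflow() and alloc_array() are hypothetical names. naive_bytes() is the pattern the audit flagged: the product wraps silently, so an oversized count from a configuration can turn into a tiny allocation that every later element write overruns. alloc_array() does the multiplication in one checked place and refuses with EOVERFLOW instead.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What the text warns against: count * elem_size computed inline. With a
 * configured count of SIZE_MAX/2 + 1 and 2-byte elements the product is
 * exactly 0, so malloc(0) succeeds and the buffer holds no element at all. */
static size_t naive_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Hypothetical helper: returns 1 if count * elem_size does not fit in a
 * size_t, 0 otherwise (storing the product in *product). */
static int mul_overflows(size_t count, size_t elem_size, size_t *product)
{
    if (count != 0 && elem_size > SIZE_MAX / count)
        return 1;
    *product = count * elem_size;
    return 0;
}

static int would_overflow(size_t count, size_t elem_size)
{
    size_t unused;
    return mul_overflows(count, elem_size, &unused);
}

/* Allocation wrapper for count-sized arrays: refuses with EOVERFLOW rather
 * than handing back an undersized buffer. Replaces malloc(n * sz) callers. */
static void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;

    if (mul_overflows(count, elem_size, &bytes)) {
        errno = EOVERFLOW;
        return NULL;
    }
    return malloc(bytes);
}

int main(void)
{
    size_t configured = SIZE_MAX / 2 + 1;   /* constructed hostile config value */
    void *p;

    printf("naive size for %zu x 2 bytes: %zu\n", configured, naive_bytes(configured, 2));
    p = alloc_array(configured, 2);
    if (!p)
        perror("alloc_array");              /* reports EOVERFLOW instead of a 0-byte buffer */
    p = alloc_array(1000, 16);              /* sane value: 16000 bytes */
    free(p);
    return 0;
}
```

Callers that already use calloc() get this check for free; the wrapper matters for the malloc() and realloc() sites where the multiplication used to live in the argument list.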

  - as previously planned depending on feedback (which was limited but
    very positive), the "experimental" directive is now no longer
    necessary to add or delete dynamic backends via the CLI.

  - it's now possible to disable traces by passing USE_TRACE=0. This may
    be useful for those trying to build packages with the smallest
    footprint in embedded environments, as it reduces the smallest binary
    by up to 10%. Other parts could come in the future (disabling H2,
    disabling QUIC while keeping QMUX without SSL etc). It's a small step
    in the right direction.

  - more code cleanups (typos, unused declarations, ...)
  - a few more doc updates

I remember that we mentioned dropping the experimental status for the shared
stats, which would make sense since we didn't need to touch it anymore since
February. I'll ask Aurélien who knows better than me, but there's no point in
hiding a feature behind this status if it's stable.

Honestly I think we're good. I'm pretty sure we'll find more cleanups,
doc typos and small issues to address but we're already back to regular
maintenance as if it were a stable release. Thus I think we have no more
roadblock against a release next week. Please give it a try, beat it,
report unusual warnings or strange things before the release so that we
still have time to address your concerns, and... have fun.

Please find the usual URLs below:
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.4/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.4/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   OpenTelemetry    : https://github.com/haproxytech/haproxy-opentelemetry
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (15):
      BUG/MINOR: httpclient-cli: fix uninit variable in error label
      MINOR: connection: define conn_select_mux_fe()
      MINOR: connection: define conn_select_mux_be()
      MINOR: connection/mux_quic: add MUX <init_xprt> field for QMux handshake
      MINOR: proxy/server: reject TCP ALPN h3 without experimental
      MEDIUM: ssl: allow h3/QMux negotiation without explicit proto
      MINOR: h2: explain committed_extra_streams dec on h2_init() error
      OPTIM: h2: do not update committed streams if elasticity disabled
      MINOR: mux_quic: implement basic committed_extra_streams accounting
      MINOR: quic: use stream elasticity value for initial advertisement
      MINOR: mux_quic: define ms_bidi_rel QCC member
      MAJOR: mux_quic: support stream elasticity during connection lifetime
      BUG/MINOR: prevent conn leak in case of xprt_qmux init failure
      DOC: fix typo on QUIC stream.max-concurrent reference
      BUG/MINOR: mux_quic: do not exceed stream.max-concurrent on backend side

Christopher Faulet (10):
      BUG/MINOR: server: Properly handle init-state value during haproxy startup
      BUG/MINOR: httpclient-cli: Destroy http-client context if failing to start it
      BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing
      BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used
      MINOR: haterm: Don't init haterm master pipe if not used
      CLEANUP: haterm: Remove "(too old kernel)" from warning message during init
      BUG/MINOR: htx: Fix value of HTX_XFER_HDRS_ONLY flag
      MEDIUM: htx: Improve htx_xfer API to not count HTX meta-data
      BUG/MEDIUM: applet: Fix transfer of HTX data to the applet
      BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value()

Maxime Henrion (2):
      MINOR: startup: support unprivileged chroot if possible
      MEDIUM: startup: add automatic chroot feature

Olivier Houchard (5):
      MINOR: mux: Rename the "token" from mux_proto_list to mux_proto
      MEDIUM: connections: Use both mux_proto and alpn to pick a mux
      BUG/MEDIUM: servers: Store the connection hash with the parameter cache
      BUG/MEDIUM: servers: Don't forget to set srv_hash when needed
      MEDIUM: stick-tables: Avoid freeing elements while holding a lock

Remi Tricot-Le Breton (1):
      BUG/MINOR: jws: Add missing return value check (EVP_PKEY_get_bn_param)

Willy Tarreau (45):
      BUG/MINOR: backend: correct parameter value validation in get_server_ph_post()
      BUG/MINOR: config/dns: properly fail on duplicate nameserver name detection
      BUG/MEDIUM: dns: fix long loops in additional records parse on name failure
      BUG/MEDIUM: resolvers: fix name compression pointer validation in resolv_read_name()
      BUG/MEDIUM: dns: fix memory leak of sockaddr in dns_session_init() error path
      CLEANUP: proxy: fix tiny mistakes in parse error messages
      CLEANUP: dns: fix misleading error messages in dns_stream_init()
      BUG/MINOR: server: better handling of OOM in srv_set_fqdn()
      BUG/MINOR: servers: use proper source of pool_conn_name in srv_settings_cpy()
      BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server
      BUG/MINOR: resolvers: fix dangling list pointer in resolvers_new() error paths
      BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure path
      BUG/MINOR: proxy: use proxy_drop() in parse_new_proxy() error path
      CLEANUP: resolvers: properly initialize the sample in resolv_action_do_resolve()
      BUG/MINOR: resolvers: report the expression error in the do-resolve() action parser
      BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf()
      BUG/MINOR: resolvers: fix leaked fields on cfg_parse_resolvers() error paths
      BUG/MINOR: resolvers: fix missing task_idle destruction in resolvers_destroy()
      CLEANUP: proxy: fix duplicate declaration of cli_find_frontend in proxy.h
      CLEANUP: address a few typos and copy-paste errors in httpclient and dns
      DOC: internal: add a few rules about internal core principles
      BUG/MINOR: session/trace: use distinct flags for SESS_EV_END and _ERR
      CLEANUP: stick-table: uniformize the different action_inc_gpc*()
      REGTESTS: do not run quic/tls13_ssl_crt-list_filters in quic openssl compat mode
      REGTESTS: quic/issuers_chain_path: do not forget to enable QUIC compat mode
      BUG/MINOR: sock: store the connection error status
      BUG/MINOR: check: properly report errno in chk_report_conn_err()
      CLEANUP: tcpcheck: mention that we're a bit far for a sync errno
      BUG/MINOR: jwt: fix possible memory leak in convert_ecdsa_sig() error path
      CLEANUP: jwe: fix theoretical overflow in AAD length calculation
      DOC: config: further clarify that resolvers "default" exists
      MINOR: proxy: remove the experimental status on dynamic backends
      BUG/MEDIUM: limits: properly account for global.maxpipes in compute_ideal_maxconn()
      BUG/MINOR: jws: fix OpenSSL 3.0 version check from > to >=
      BUG/MINOR: server: accept server IDs above 2^31 and clarify error message
      BUG/MINOR: backend: fix balance hash calculation when using hash-type none
      MINOR: server: support hash-key id32 for a cleaner distribution
      MINOR: backend: support hash-key guid for a stabler distribution
      BUILD: traces: set a few __maybe_unused on vars used only for traces
      BUILD: traces: add USE_TRACE allowing to disable traces
      MINOR: startup: do not execute chroot() when "/"
      MEDIUM: startup: warn when chroot is not set for root
      MINOR: intops: add a multiply overflow detection for ulong and size_t
      CLEANUP: tree-wide: use array_size_or_fail() in array size for allocations
      DOC: update supported gcc and openssl versions in INSTALL

---