Hi,
HAProxy 1.8-dev2 was released on 2017/06/02. It added 101 new commits
after version 1.8-dev1. Given that a lot of new stuff got merged, I
prefer to issue a new release to make it easier for testers to give it
a try.
Some of the expected breakage in -dev1 was addressed (-fwrapv, dns+kqueue,
server args after "source", OCSP not working with BoringSSL). But that's
not what is the most interesting for this release.
What's interesting is that two months after -dev1 was issued, a part of
the pending stuff was already completed and merged, and we managed to
mostly focus on this stuff, resulting in more progress than when we all
walk on each other's feet, so that looks like a better long term
organisation :
- ability to pass the listening FDs from the old to the new process
during a reload to work around the painful (rare but existing) RST
issue under Linux when closing the listener (Olivier). Please note
for those who might have deployed the initial patch that some minor
changes were applied a few days ago, you need an option on the stats
socket to indicate that you want it to be usable to pass fds
("expose-fd listeners").
- openssl async API (Grant Zhang, reviewed by Emeric). Interestingly
this has unveiled a limitation in the openssl async API when used
with symmetric algorithms that Emeric tried to work around with no
luck for now, but we may get more info on this later. Anyway that's
mostly interesting for asymmetric crypto so it's not really an issue.
- master/worker model to get rid of systemd-wrapper (William)
- server-template (Fred) : pre-provisioning of disabled servers that
can easily be enabled over CLI/DNS/whatever.
- dns updates (Baptiste) : now the DNS resolution doesn't depend anymore
on health checks, it's totally autonomous and can even be smarter at
distributing addresses to servers using the same FQDN.
- dealing with the openssl version configuration mess revealed by
the new APIs (Manu and Emeric) -- this will impact some server
keywords, these are now ssl-min-ver and ssl-max-ver.
- the maximum length of the log URI can now be configured (Stéphane Cottin)
- modsecurity SPOA module (Thierry Fournier)
- mod_defender SPOA module (Dragan Dosen)
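A configuration sketch wiring the new keywords named above together (added here by the editor, not part of the announcement or of the HAProxy tree; all paths, addresses and names are placeholders):

```haproxy
# Added example (not from the announcement): a minimal configuration
# exercising master-worker, "expose-fd listeners", ssl-min-ver and
# server-template. Paths, addresses and hostnames are placeholders.
global
    # master/worker model replaces haproxy-systemd-wrapper: the master
    # forks the workers and handles reloads itself (same as starting with -W).
    master-worker
    # The stats socket must explicitly allow listener FD transfer. Any client
    # of this socket can then obtain the listening sockets, so keep it local,
    # restricted to the admin user and not reachable by other accounts.
    stats socket /var/run/haproxy.sock mode 600 level admin expose-fd listeners

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

resolvers mydns
    nameserver dns1 192.0.2.53:53   # placeholder resolver address
    hold valid 10s

frontend fe_https
    # Per-bind TLS version floor (ssl-max-ver sets the ceiling the same way)
    bind :443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2
    default_backend be_web

backend be_web
    # Pre-provision 5 server slots filled from DNS; slots without a record
    # stay disabled, and init-addr none keeps startup from failing on them.
    server-template web 1-5 web.example.test:80 check resolvers mydns init-addr none
```

A process started with `-x /var/run/haproxy.sock` asks the old process for its listening sockets over that socket instead of re-binding them; in master-worker mode the master does this itself when it receives SIGUSR2.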
Already Queued :
- ssl-min-ver/ssl-max-ver with crt-list (Emeric just gave me his ACK)
Still in progress with active work :
- initial multi-threading support (Emeric and Christopher)
- HTTP/2 frontend (me)
- RAM-based "favicon" cache (William)
For later as time permits :
- make userlists updatable from the CLI (William) -- turning them to
maps was done already but never merged, it didn't appear sustainable
so a new approach will be followed
- a few connection management fixes/improvements that are pending
in a few of my branches (improved close handling & polling
accuracy), possibly a hack to use eBPF to destroy empty ACKs during
reload to prevent empty connections from getting killed by close().
- improve handling of error-file by splitting headers and body -- I
don't know if someone is still working on this, but it's still
welcome and should not interfere with the other devs
I hope I didn't forget anything, the commit log is long enough, otherwise
feel free to blame me.
All in all, I'm pretty satisfied with the progress made. And even on the
work in progress I've seen some encouraging stuff.
There were reports of slow downloads which I'm going to work on next week.
In short, when we migrated to the new frontend server, we also replaced the
cache and I thought it would be as efficient but apparently I was optimistic,
so some objects get downloaded from the (slow) master and once it happens I
think some errors invalidate the objects resulting in everyone getting them
at the same time from the slow server, making the situation even worse. I'm
not worried though as there are more solutions than problems, they will just
require some changes in my publication process, which is what I tried hard
to avoid.
Please test, play and report, as usual. This is still development code,
so no prod! BTW, some scary bugs were reported on 1.7.5 and are being
worked on, they almost certainly affect 1.8-dev2 as well. So don't be
surprised if you manage to crash it (and then report it)! That's also
why there is no 1.7.6 yet.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Sources : http://www.haproxy.org/download/1.8/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/1.8/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Adam Spiers (1):
DOC: stick-table is available in frontend sections
Andrew Rodland (1):
BUG/MINOR: hash-balance-factor isn't effective in certain circumstances
Baptiste Assmann (11):
CLEANUP: server.c: missing prototype of srv_free_dns_resolution
MINOR: dns: smallest DNS fqdn size
MINOR: dns: functions to manage memory for a DNS resolution structure
MINOR: dns: parse_server() now uses srv_alloc_dns_resolution()
REORG: dns: dns_option structure, storage of hostname_dn
MINOR: dns: new snr_check_ip_callback function
MAJOR: dns: save a copy of the DNS response in struct resolution
MINOR: dns: implement a LRU cache for DNS resolutions
MINOR: dns: make 'ancount' field to match the number of saved records
MINOR: dns: introduce roundrobin into the internal cache (WIP)
MAJOR/REORG: dns: DNS resolution task and requester queues
Christopher Faulet (1):
BUG/MEDIUM: http: Drop the connection establishment when a redirect is
performed
David CARLIER (1):
BUG/MINOR: contrib/mod_security: fix build on FreeBSD
David Carlier (2):
CLEANUP: server: moving netinet/tcp.h inclusion
BUG/MINOR: server : no transparent proxy for DragonflyBSD
Dmitry Sivachenko (1):
CLEANUP: retire obsoleted USE_GETSOCKNAME build option
Dragan Dosen (1):
MINOR: Add Mod Defender integration as contrib
Emeric Brun (2):
BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.
MEDIUM: ssl: handle multiple async engines
Emmanuel Hocdet (9):
MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
MEDIUM: ssl: ssl_methods implementation is reworked and factored for
min/max tlsxx
MEDIUM: ssl: calculate the real min/max TLS version and find holes
MINOR: ssl: support TLSv1.3 for bind and server
MINOR: ssl: show methods supported by openssl
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and
server
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
MINOR: boringssl: basic support for OCSP Stapling
BUILD: ssl: fix build with OPENSSL_NO_ENGINE
Frédéric Lécaille (11):
BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
BUG/MINOR: server: Fix a wrong error message during 'usesrc' keyword
parsing.
BUG/MAJOR: Broken parsing for valid keywords provided after 'source'
setting.
BUG/MINOR: server: missing default server 'resolvers' setting duplication.
MINOR: server: Extract the code responsible of copying default-server
settings.
MINOR: server: Extract the code which finalizes server initializations
after 'server' lines parsing.
MINOR: server: Add 'server-template' new keyword supported in backend
sections.
MINOR: server: Add server_template_init() function to initialize servers
from a templates.
DOC: Add documentation for new "server-template" keyword.
MINOR: server: cli: Add server FQDNs to server-state file and stats
socket.
BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).
Glenn Strauss (2):
DOC: update sample code for PROXY protocol
DOC: mention lighttpd 1.4.46 implements PROXY
Grant Zhang (2):
MEDIUM: ssl: add basic support for OpenSSL crypto engine
MAJOR: ssl: add openssl async mode support
Holger Just (1):
MINOR: sample: Add b64dec sample converter
Jarno Huuskonen (5):
DOC: changed "block"(deprecated) examples to http-request deny
DOC: add few comments to examples.
DOC: add layer 4 links/cross reference to "block" keyword.
DOC: errloc/errorloc302/errorloc303 missing status codes.
CLEANUP: str2mask return code comment: non-zero -> zero.
Jim Freeman (1):
CLEANUP: logs: typo: simgle => single
Lukas Tribus (2):
DOC: update RFC references
MINOR: ssl: add prefer-client-ciphers
Michal Idzikowski (1):
MEDIUM: server: Inherit CLI weight changes and agent-check weight
responses
Olivier Houchard (10):
MINOR server: Restrict dynamic cookie check to the same proxy.
MINOR: cli: Add a command to send listening sockets.
MINOR: global: Add an option to get the old listening sockets.
MINOR: tcp: When binding socket, attempt to reuse one from the old proc.
MINOR: doc: document the -x flag
MINOR: proxy: Don't close FDs if not our proxy.
MINOR: socket transfer: Set a timeout on the socket.
MINOR: systemd wrapper: add support for passing the -x option.
BUG/MAJOR: Use -fwrapv.
BUG/MINOR: server: don't use "proxy" when px is really meant.
Stéphane Cottin (1):
MINOR: log: Add logurilen tunable.
Thierry FOURNIER (8):
BUG/MEDIUM: lua: memory leak
CLEANUP: lua: remove test
BUG/MINOR: change header-declared function to static inline
REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to
common
MINOR: Add binary encoding request header sample fetch
MINOR: proto-http: Add sample fetch wich returns all HTTP headers
MINOR: Add ModSecurity wrapper as contrib
BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return
anything
William Lallemand (12):
MINOR: cli: add ACCESS_LVL_MASK to store the access level
MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
MEDIUM: mworker: replace systemd mode by master worker mode
MEDIUM: mworker: handle reload and signals
MEDIUM: mworker: wait mode on reload failure
MEDIUM: mworker: try to guess the next stats socket to use with -x
MEDIUM: mworker: exit-on-failure option
MEDIUM: mworker: workers exit when the master leaves
DOC: add documentation for the master-worker mode
MEDIUM: systemd: Type=forking in unit file
MAJOR: systemd-wrapper: get rid of the wrapper
Willy Tarreau (15):
BUILD/MINOR: stats: remove unexpected argument to stats_dump_json_header()
BUILD/MINOR: tools: fix build warning in debug_hexdump()
BUG/MINOR: config: missing goto out after parsing an incorrect ACL
character
BUG/MINOR: arg: don't try to add an argument on failed memory allocation
BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on
error
BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
BUG/MEDIUM: servers: unbreak server weight propagation
MINOR: lua: ensure the memory allocator is used all the time
BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
MEDIUM: config: don't check config validity when there are fatal errors
CONTRIB: tcploop: add action "X" to execute a command
BUG/MINOR: checks: don't send proxy protocol with agent checks
MINOR: tools: make debug_hexdump() use a const char for the string
MINOR: tools: make debug_hexdump() take a string prefix
CLEANUP: connection: remove unused CO_FL_WAIT_DATA
---