Hi, HAProxy 1.8-dev2 was released on 2017/06/02. It added 101 new commits after version 1.8-dev1. Given that a lot of new stuff got merged, I prefer to issue a new release to make it easier for testers to give it a try.
Some of the expected breakage in -dev1 was addressed (-fwrapv, dns+kqueue, server args after "source", OCSP not working with BoringSSL). But that's not what is the most interesting for this release. What's interesting is that two months after -dev1 was issued, a part of the pending stuff was already completed and merged, and we managed to mostly focus on this stuff, resulting in more progress than when we all walk on each other's feet, so that looks like a better long term organisation :

- ability to pass the listening FDs from the old to the new process during a reload to work around the painful (rare but existing) RST issue under Linux when closing the listener (Olivier). Please note for those who might have deployed the initial patch that some minor changes were applied a few days ago: you need an option on the stats socket to indicate that you want it to be usable to pass fds ("expose-fd listeners").
- openssl async API (Grant Zhang, reviewed by Emeric). Interestingly this has unveiled a limitation in the openssl async API when used with symmetric algorithms that Emeric tried to work around with no luck for now, but we may get more info on this later. Anyway that's mostly interesting for asymmetric crypto so it's not really an issue.
- master/worker model to get rid of systemd-wrapper (William)
- server-template (Fred) : pre-provisioning of disabled servers that can easily be enabled over CLI/DNS/whatever.
- dns updates (Baptiste) : now the DNS resolution no longer depends on health checks, it's totally autonomous and can even be smarter at distributing addresses to servers using the same FQDN.
- dealing with the openssl version configuration mess revealed by the new APIs (Manu and Emeric) -- this will impact some server keywords, these are now ssl-min-ver and ssl-max-ver.
- the maximum length of the log URI can now be configured (Stéphane Cottin)
- modsecurity SPOA module (Thierry Fournier)
- mod_defender SPOA module (Dragan Dosen)

Already queued :

- ssl-min-ver/ssl-max-ver with crt-list (Emeric just gave me his ACK)

Still in progress with active work :

- initial multi-threading support (Emeric and Christopher)
- HTTP/2 frontend (me)
- RAM-based "favicon" cache (William)

For later as time permits :

- make userlists updatable from the CLI (William) -- turning them to maps was done already but never merged, it didn't appear sustainable so a new approach will be followed
- a few connection management fixes/improvements that are pending in a few of my branches (improved close handling & polling accuracy), possibly a hack to use eBPF to destroy empty ACKs during reload to prevent empty connections from getting killed by close().
- improve handling of error-file by splitting headers and body -- I don't know if someone is still working on this, but it's still welcome and should not interfere with the other devs

I hope I didn't forget anything, the commit log is long enough, otherwise feel free to blame me. All in all, I'm pretty satisfied with the progress made. And even on the work in progress I've seen some encouraging stuff.

There were reports of slow downloads which I'm going to work on next week. In short, when we migrated to the new frontend server, we also replaced the cache and I thought it would be as efficient but apparently I was optimistic, so some objects get downloaded from the (slow) master and once it happens I think some errors invalidate the objects, resulting in everyone getting them at the same time from the slow server, making the situation even worse. I'm not worried though as there are more solutions than problems, they will just require some changes in my publication process, which is what I tried hard to avoid.

Please test, play and report, as usual. This is still development code, so no prod!
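A minimal configuration tying together the new keywords named above (master-worker, "expose-fd listeners" on the stats socket, server-template with a resolvers section, ssl-min-ver on bind and server lines, and the log URI tunable), added here as an illustration and not taken from the announcement; the keyword syntax is assumed from the 1.8 configuration manual, and the paths, addresses and host names are constructed placeholders.

```haproxy
global
    # Master/worker model replaces the systemd-wrapper: the master
    # supervises workers and handles reloads itself (SIGUSR2).
    master-worker
    # The stats socket must be explicitly allowed to hand listening FDs
    # to the next process (-x); keep it root-only, it is an admin channel.
    stats socket /var/run/haproxy.sock mode 600 level admin expose-fd listeners
    # New tunable: cap the URI length written to the log line.
    tune.http.logurilen 2048

resolvers internal_dns
    nameserver dns1 192.0.2.53:53       # constructed placeholder
    resolve_retries 3
    timeout resolve 1s
    timeout retry   1s
    hold valid      10s

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # Version floor expressed with the new keyword instead of
    # no-sslv3/no-tlsv10/no-tlsv11 stacking.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2
    default_backend be_app

backend be_app
    balance roundrobin
    # Five pre-provisioned slots app1..app5 that DNS fills in; they
    # start without an address (init-addr none) until resolution
    # succeeds, and each enforces TLS 1.2+ and CA verification upstream.
    server-template app 1-5 app.internal.example:8443 resolvers internal_dns init-addr none check ssl verify required ca-file /etc/haproxy/ca.pem ssl-min-ver TLSv1.2
```

Check with `haproxy -c -f <file>` before starting; reloads are then driven by signalling the master rather than by the wrapper.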
BTW, some scary bugs were reported on 1.7.5 and are being worked on, they almost certainly affect 1.8-dev2 as well. So don't be surprised if you manage to crash it (and then report it)! That's also why there is no 1.7.6 yet.

Please find the usual URLs below :

Site index       : http://www.haproxy.org/
Discourse        : http://discourse.haproxy.org/
Sources          : http://www.haproxy.org/download/1.8/src/
Git repository   : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :

Adam Spiers (1):
      DOC: stick-table is available in frontend sections

Andrew Rodland (1):
      BUG/MINOR: hash-balance-factor isn't effective in certain circumstances

Baptiste Assmann (11):
      CLEANUP: server.c: missing prototype of srv_free_dns_resolution
      MINOR: dns: smallest DNS fqdn size
      MINOR: dns: functions to manage memory for a DNS resolution structure
      MINOR: dns: parse_server() now uses srv_alloc_dns_resolution()
      REORG: dns: dns_option structure, storage of hostname_dn
      MINOR: dns: new snr_check_ip_callback function
      MAJOR: dns: save a copy of the DNS response in struct resolution
      MINOR: dns: implement a LRU cache for DNS resolutions
      MINOR: dns: make 'ancount' field to match the number of saved records
      MINOR: dns: introduce roundrobin into the internal cache (WIP)
      MAJOR/REORG: dns: DNS resolution task and requester queues

Christopher Faulet (1):
      BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed

David CARLIER (1):
      BUG/MINOR: contrib/mod_security: fix build on FreeBSD

David Carlier (2):
      CLEANUP: server: moving netinet/tcp.h inclusion
      BUG/MINOR: server : no transparent proxy for DragonflyBSD

Dmitry Sivachenko (1):
      CLEANUP: retire obsoleted USE_GETSOCKNAME build option

Dragan Dosen (1):
      MINOR: Add Mod Defender integration as contrib

Emeric Brun (2):
      BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.
      MEDIUM: ssl: handle multiple async engines

Emmanuel Hocdet (9):
      MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
      MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
      MEDIUM: ssl: calculate the real min/max TLS version and find holes
      MINOR: ssl: support TLSv1.3 for bind and server
      MINOR: ssl: show methods supported by openssl
      MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server
      MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility.
      MINOR: boringssl: basic support for OCSP Stapling
      BUILD: ssl: fix build with OPENSSL_NO_ENGINE

Frédéric Lécaille (11):
      BUG/MINOR: dns: Wrong address family used when creating IPv6 sockets.
      BUG/MINOR: server: Fix a wrong error message during 'usesrc' keyword parsing.
      BUG/MAJOR: Broken parsing for valid keywords provided after 'source' setting.
      BUG/MINOR: server: missing default server 'resolvers' setting duplication.
      MINOR: server: Extract the code responsible of copying default-server settings.
      MINOR: server: Extract the code which finalizes server initializations after 'server' lines parsing.
      MINOR: server: Add 'server-template' new keyword supported in backend sections.
      MINOR: server: Add server_template_init() function to initialize servers from a templates.
      DOC: Add documentation for new "server-template" keyword.
      MINOR: server: cli: Add server FQDNs to server-state file and stats socket.
      BUG/MAJOR: dns: Broken kqueue events handling (BSD systems).

Glenn Strauss (2):
      DOC: update sample code for PROXY protocol
      DOC: mention lighttpd 1.4.46 implements PROXY

Grant Zhang (2):
      MEDIUM: ssl: add basic support for OpenSSL crypto engine
      MAJOR: ssl: add openssl async mode support

Holger Just (1):
      MINOR: sample: Add b64dec sample converter

Jarno Huuskonen (5):
      DOC: changed "block"(deprecated) examples to http-request deny
      DOC: add few comments to examples.
      DOC: add layer 4 links/cross reference to "block" keyword.
      DOC: errloc/errorloc302/errorloc303 missing status codes.
      CLEANUP: str2mask return code comment: non-zero -> zero.

Jim Freeman (1):
      CLEANUP: logs: typo: simgle => single

Lukas Tribus (2):
      DOC: update RFC references
      MINOR: ssl: add prefer-client-ciphers

Michal Idzikowski (1):
      MEDIUM: server: Inherit CLI weight changes and agent-check weight responses

Olivier Houchard (10):
      MINOR server: Restrict dynamic cookie check to the same proxy.
      MINOR: cli: Add a command to send listening sockets.
      MINOR: global: Add an option to get the old listening sockets.
      MINOR: tcp: When binding socket, attempt to reuse one from the old proc.
      MINOR: doc: document the -x flag
      MINOR: proxy: Don't close FDs if not our proxy.
      MINOR: socket transfer: Set a timeout on the socket.
      MINOR: systemd wrapper: add support for passing the -x option.
      BUG/MAJOR: Use -fwrapv.
      BUG/MINOR: server: don't use "proxy" when px is really meant.

Stéphane Cottin (1):
      MINOR: log: Add logurilen tunable.

Thierry FOURNIER (8):
      BUG/MEDIUM: lua: memory leak
      CLEANUP: lua: remove test
      BUG/MINOR: change header-declared function to static inline
      REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to common
      MINOR: Add binary encoding request header sample fetch
      MINOR: proto-http: Add sample fetch wich returns all HTTP headers
      MINOR: Add ModSecurity wrapper as contrib
      BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything

William Lallemand (12):
      MINOR: cli: add ACCESS_LVL_MASK to store the access level
      MINOR: cli: add 'expose-fd listeners' to pass listeners FDs
      MEDIUM: proxy: zombify proxies only when the expose-fd socket is bound
      MEDIUM: mworker: replace systemd mode by master worker mode
      MEDIUM: mworker: handle reload and signals
      MEDIUM: mworker: wait mode on reload failure
      MEDIUM: mworker: try to guess the next stats socket to use with -x
      MEDIUM: mworker: exit-on-failure option
      MEDIUM: mworker: workers exit when the master leaves
      DOC: add documentation for the master-worker mode
      MEDIUM: systemd: Type=forking in unit file
      MAJOR: systemd-wrapper: get rid of the wrapper

Willy Tarreau (15):
      BUILD/MINOR: stats: remove unexpected argument to stats_dump_json_header()
      BUILD/MINOR: tools: fix build warning in debug_hexdump()
      BUG/MINOR: config: missing goto out after parsing an incorrect ACL character
      BUG/MINOR: arg: don't try to add an argument on failed memory allocation
      BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error
      BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
      BUG/MEDIUM: servers: unbreak server weight propagation
      MINOR: lua: ensure the memory allocator is used all the time
      BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
      MEDIUM: config: don't check config validity when there are fatal errors
      CONTRIB: tcploop: add action "X" to execute a command
      BUG/MINOR: checks: don't send proxy protocol with agent checks
      MINOR: tools: make debug_hexdump() use a const char for the string
      MINOR: tools: make debug_hexdump() take a string prefix
      CLEANUP: connection: remove unused CO_FL_WAIT_DATA
---