Hi,

HAProxy 2.6-dev11 was released on 2022/05/20. It added 106 new commits
after version 2.6-dev10.

Yes, there were still too many changes for a final version, but that's often
how it goes when getting close to a release. And I couldn't finish the
renaming of the confusing stuff in the conn_stream layer, for which I'll
rely on Christopher's help next week. I now understand the trouble some
developers face when creating an applet and why the only practical
solution is to copy-paste existing stuff, because even some of the
existing functions' comments are ambiguous if you stumble on them with
the wrong idea of what they do, and I absolutely want to address this
for the release, or it will further complicate development in new
versions, or maintenance of 2.6 if we rename later.

Most of the changes are of minor importance or are bug fixes, but
some are particularly interesting:
- on the SSL front, a few global settings were added to configure the
  ssl-providers that come with OpenSSL 3 to replace the engines. At this
  point it's not totally clear to me how this will evolve, but since
  these are just global settings that are very likely to become necessary
  mid-term, it's better if they're readily available.

- QUIC now provides a number of counters of retries, errors, etc., and
  finally supports the Retry mechanism, which is the QUIC equivalent of
  TCP SYN cookies. These are used to validate a client's connection
  request and make sure it's not a spoofed packet. They can be forced, or
  will be automatically enabled when a configurable number of incoming
  connections are not yet confirmed. This is done via the global
  "tune.quic.retry-threshold" parameter. BTW I'm just seeing that it's
  not documented yet; Fred, please do not forget to update it!

- outgoing applets now support delayed initialization. I know it's a bit
  late for merging this but it addresses a long-existing problem with the
  peers, one that could possibly be further emphasized with the http client.
  The problem was that outgoing applets were only created on the thread
  that required them, and for peers they were created during config parsing,
  thus all outgoing applets were on thread 1, possibly eating a lot of
  CPU on this thread. That's the issue that Maciej Zdeb reported a month
  ago. Maciej tried to address this but there was a chicken-and-egg issue
  that made it impossible to create the applets on another thread. Now
  that they can be initialized later, it's possible to schedule them on
  any thread, and Maciej's patches could be integrated as well, so the
  peers will no longer aggregate mostly on one thread.

- a QUIC flow-control limitation that was preventing large POST requests
  from working was addressed, so with this last limitation removed, the
  stack is expected to be fully operational. In addition, the HTTP/3
  decoder now has better latency as it doesn't need to wait for a full
  data frame anymore before starting to decode and forward it.

- a new global setting "cluster-secret" was added. For now it's only used
  by QUIC for cluster-wide crypto such as retries so that a connection
  retry can be validated by any node. It will likely be used for more QUIC
  stuff, and it makes sense to use it for anything else that is cluster-wide
  in the future, so the option was deliberately named without "quic" in it.

- a new option "http-restrict-req-hdr-names" was added at the proxy level.
  It can be used to inspect HTTP header names and decide what to do with
  those having any character other than alphanumerical or dash ("-"):
  either delete the header or reject the request. The purpose is to help
  protect application servers that map dash to underscore due to CGI
  inheritance, or worse, which crash when passed such characters. The
  option is automatically set to the delete mode in backends having
  FastCGI configured. This will eventually be backported, because we got
  reports of such broken application servers deployed in the field where site
  owners count on haproxy to work around this problem.

- some configuration issues related to QUIC remained, by which it was
  possible to combine incompatible values of "proto" and sockets, such
  as a QUIC bind with a "proto h2" or no "proto", or "proto quic" on a
  TCP line, or a QUIC address used in peers, or "quic" without "ssl", etc.
  Such combinations were problematic at runtime because the QUIC mux
  and transport cannot be split apart, so each being used with the wrong
  other part caused immediate crashes. This is what made "proto quic"
  mandatory for QUIC bind lines. This was finally sorted out so that
  incompatible combinations are now rejected at parsing time, "ssl" is
  implied but warns that it's missing, and "proto quic" is no longer
  necessary, since the presence of "quic" in the address already
  implies the use of QUIC connections.

- some build fixes on FreeBSD 13.1 and Solaris

- the rest is essentially code cleanups
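To make the "http-restrict-req-hdr-names" point concrete, here is an added example (not HAProxy's own code) that re-implements the three policies, preserve / delete / reject (the keyword names are taken from the option's documentation), and shows the CGI meta-variable collision the option guards against. The header list and the HTTP_* mapping are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Header names allowed by the option: letters, digits and dash only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def restrict_req_hdr_names(headers: List[Header], mode: str) -> Optional[List[Header]]:
    """Apply the option's policy to a request's header list.

    "preserve" returns the list untouched, "delete" drops any header whose
    name contains a forbidden character, "reject" returns None as soon as
    one is seen (the request must be refused).
    """
    if mode == "preserve":
        return list(headers)
    if mode not in ("delete", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    kept: List[Header] = []
    for name, value in headers:
        if SAFE_NAME.match(name):
            kept.append((name, value))
        elif mode == "reject":
            return None
        # mode == "delete": silently drop the offending header
    return kept


def cgi_env(headers: List[Header]) -> Dict[str, str]:
    """Mimic how a CGI/FastCGI gateway exposes request headers: HTTP_ plus
    the upper-cased name with dashes turned into underscores. Because two
    different names can map to the same variable, a later header overwrites
    an earlier one; this is the collision the option exists to prevent."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Constructed sample: a legitimate X-Tenant header followed by an
# underscore variant that a CGI backend would confuse with it.
SAMPLE: List[Header] = [
    ("Host", "app.example"),
    ("X-Tenant", "acme"),
    ("X_Tenant", "other"),
]
```

With "delete", `cgi_env(restrict_req_hdr_names(SAMPLE, "delete"))` keeps `HTTP_X_TENANT` at "acme"; with "preserve" the underscore variant silently wins, and with "reject" the request is refused outright.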
I essentially expect cleanups and fixes next week. If we face trouble,
there will be a dev12 by the end of the week. Otherwise we could imagine
releasing on Monday or Tuesday. So please test it, beat it, and report
problems. If you're curious about a feature that you expect to use soon,
please have a look at the related doc and report any confusing part you
would notice (or better, please propose fixes).

Please find the usual URLs below :
Site index : http://www.haproxy.org/
Documentation : http://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.6/src/
Git repository : http://git.haproxy.org/git/haproxy.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy.git
Changelog : http://www.haproxy.org/download/2.6/src/CHANGELOG
Pending bugs : http://www.haproxy.org/l/pending-bugs
Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs
Code reports : http://www.haproxy.org/l/code-reports
Latest builds : http://www.haproxy.org/l/dev-packages
Willy

---
Complete changelog :

Amaury Denoyelle (25):
BUG/MEDIUM: ncbuf: fix null buffer usage
MINOR: ncbuf: fix warnings for testing build
BUG/MEDIUM: quic: fix Rx buffering
OPTIM: quic: realign empty Rx buffer
BUG/MINOR: ncbuf: fix ncb_is_empty()
MINOR: ncbuf: refactor ncb_advance()
BUG/MINOR: mux-quic: update session's idle delay before stream creation
MINOR: h3: do not wait a complete frame for demuxing
MINOR: h3: flag demux as full on HTX full
MEDIUM: mux-quic: implement recv on io-cb
MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
MINOR: mux-quic: reorganize flow-control frames emission
MINOR: mux-quic: implement MAX_STREAM_DATA emission
MINOR: mux-quic: implement MAX_DATA emission
BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
MINOR: mux-quic: free RX buf if empty
BUG/MINOR: quic: break for error on sendto
MINOR: quic: abort on unlisted errno on sendto()
MINOR: quic: detect EBADF on sendto()
BUG/MEDIUM: quic: fix initialization for local/remote TPs
CLEANUP: quic: adjust comment/coding style for TPs init
MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
MINOR: mux-quic: emit FLOW_CONTROL_ERROR
MINOR: mux-quic: emit STREAM_LIMIT_ERROR
MINOR: mux-quic: close connection on error if different data at offset

Christopher Faulet (30):
BUG/MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
MINOR: applet: Prepare appctx to own the session on frontend side
MINOR: applet: Let the frontend appctx release the session
MINOR: applet: Change return value for .init callback function
MINOR: stream: Export stream_free()
MINOR: applet: Add appctx_init() helper fnuction
MINOR: applet: Add a function to finalize frontend appctx startup
MINOR: applet: Add function to release appctx on error during init stage
MEDIUM: dns: Refactor dns appctx creation
MEDIUM: spoe: Refactor SPOE appctx creation
MEDIUM: lua: Refactor cosocket appctx creation
MEDIUM: httpclient: Refactor http-client appctx creation
MINOR: sink: Add a ref to sink in the sink_forward_target structure
MEDIUM: sink: Refactor sink forwarder appctx creation
MINOR: peers: Add a ref to peers section in the peer structure
MEDIUM: peers: Refactor peer appctx creation
MINOR: applet: Add API to start applet on a thread subset
MEDIUM: applet: Add support for async appctx startup on a thread subset
MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
REGTESTS: abortonclose: Fix some race conditions
BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
CLEANUP: peers: Remove unreachable code in peer_session_create()
CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
BUG/MINOR: check: Reinit the buffer wait list at the end of a check
MEDIUM: check: No longer shutdown the connection in .wake callback function
REORG: check: Rename and export I/O callback function
MEDIUM: check: Use the CS to handle subscriptions for read/write events

David CARLIER (1):
BUILD/MINOR: cpuset fix build for FreeBSD 13.1

David Carlier (2):
BUILD: fix build warning on solaris based systems with __maybe_unused.
MINOR: tools: add get_exec_path implementation for solaris based systems.

Frédéric Lécaille (15):
MINOR: quic: Dump initial derived secrets
MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
MINOR: quic_tls: Add quic_tls_decrypt2() implementation
MINOR: quic: Retry implementation
MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
BUILD: stats: Missing headers inclusions from stats.h
MINOR: quic_stats: Add a new stats module for QUIC
MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
MINOR: quic: QUIC stats counters handling
MINOR: quic: Add tune.quic.retry-threshold keyword
MINOR: quic: Dynamic Retry implementation
BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation

Ilya Shipitsin (2):
CI: determine actual LibreSSL version dynamically
CI: determine actual OpenSSL version dynamically

Maciej Zdeb (2):
MINOR: peers: Track number of applets run by thread
MEDIUM: peers: Balance applets across threads

Remi Tricot-Le Breton (5):
MEDIUM: ssl: Delay random generator initialization after config parsing
MINOR: ssl: Add 'ssl-propquery' global option
MINOR: ssl: Add 'ssl-provider' global option
BUG/MINOR: ssl: Fix crash when no private key is found in pem
MINOR: ssl: Add 'ssl-provider-path' global option

Tim Duesterhus (4):
CLEANUP: Add missing header to ssl_utils.c
CLEANUP: Add missing header to hlua_fcn.c
CLEANUP: Remove unused function hlua_get_top_error_string
CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()

Willy Tarreau (20):
BUG/MINOR: cfgparse: abort earlier in case of allocation error
BUG/MINOR: peers: fix error reporting of "bind" lines
CLEANUP: config: improve address parser error report for unmatched protocols
CLEANUP: config: provide cleare hints about unsupported QUIC addresses
MINOR: protocol: replace ctrl_type with xprt_type and clarify it
MINOR: listener: provide a function to process all of a bind_conf's arguments
MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
MINOR: listener: add a new "options" entry in bind_conf
CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
CLEANUP: listener: store stream vs dgram at the bind_conf level
MINOR: listener: detect stream vs dgram conflict during parsing
MINOR: listener: set the QUIC xprt layer immediately after parsing the args
MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
MINOR: config: detect and report mux and transport incompatibilities
MINOR: listener: automatically select a QUIC mux with a QUIC transport
MINOR: listener: automatically enable SSL if a QUIC transport is found
---