Hi,

HAProxy 2.6-dev11 was released on 2022/05/20. It added 106 new commits after version 2.6-dev10.

Yes, there were still too many changes for a final version; that's often like this when getting close to a release. And I couldn't finish the renaming of the confusing stuff in the conn_stream layer, for which I'll rely on Christopher's help next week. I now understand the trouble some developers face when creating an applet and why the only practical solution is to copy-paste existing stuff, because even some of the existing functions' comments are ambiguous if you stumble on them with the wrong idea of what they do, and I absolutely want to address this for the release, or it will further complicate development in new versions, or maintenance of 2.6 if we rename later.

Most of the changes are of minor importance or bug fixes, though, but some are particularly interesting:

- on the SSL front, a few global settings were added to configure the ssl-providers that come with OpenSSL 3 to replace the engines. At this point it's not totally clear to me how this will evolve, but since these are just global settings that are very likely to become necessary mid-term, it's better if they're readily available.

- QUIC now provides a number of counters of retries, errors etc, and finally supports the Retry mechanism, which is the QUIC equivalent of TCP SYN cookies. These are used to validate a client's connection request and make sure it's not a spoofed packet. They can be forced, or will be automatically enabled when a configurable number of incoming connections are not yet confirmed. This is done via the global "tune.quic.retry-threshold" parameter. BTW I'm just seeing that it's not documented yet; Fred, please do not forget to update it!

- outgoing applets now support delayed initialization. I know it's a bit late for merging this but it addresses a long-existing problem with the peers, which could possibly be further emphasized with the http client. The problem was that outgoing applets were only created on the thread that required them, and for peers they were created during config parsing, thus all outgoing applets were on thread 1, possibly eating a lot of CPU on this thread. That's the issue that Maciej Zdeb reported a month ago. Maciej tried to address this but there was a chicken-and-egg issue that made it impossible to create the applets on another thread. Now that they can be initialized later, it's possible to schedule them on any thread, and Maciej's patches could be integrated as well, so the peers will no longer aggregate mostly on one thread.

- a QUIC flow-control limitation that was preventing large POST requests from working was addressed, so with this last limitation removed, the stack is expected to be fully operational. In addition, the HTTP/3 decoder now has better latency as it doesn't need to wait for a full data frame anymore before starting to decode and forward it.

- a new global setting "cluster-secret" was added. For now it's only used by QUIC for cluster-wide crypto such as retries, so that a connection retry can be validated by any node. It will likely be used for more QUIC stuff, and it makes sense to use it for anything else that is cluster-wide in the future, so the option was named without "quic" in its name.

- a new option "http-restrict-req-hdr-names" was added at the proxy level. It can be used to inspect HTTP header names and decide what to do with those having any character other than alphanumerical or dash ("-"): either delete the header or reject the request. The purpose is to help protect application servers that map dash to underscore due to CGI inheritance, or worse, which crash when passed such characters. The option is automatically set to the delete mode in backends having FastCGI configured. This will eventually be backported, because we got reports of such broken application servers deployed in the field where site owners count on haproxy to work around this problem.

- some configuration issues related to QUIC remained, by which it was possible to combine incompatible values of "proto" and sockets, such as a QUIC bind with a "proto h2" or no "proto", or "proto quic" on a TCP line, or a QUIC address used in peers, or "quic" without "ssl", etc. Such combinations were problematic at runtime because the QUIC mux and transport cannot be split apart, so each being used with the wrong other part caused immediate crashes. This is what made "proto quic" mandatory for QUIC bind lines. This was finally sorted out so that incompatible combinations are now rejected at parsing time, "ssl" is implied but warns that it's missing, and "proto quic" is no longer necessary, as implied by the presence of "quic" in the address, which implies the use of QUIC connections.

- some build fixes on FreeBSD 13.1 and Solaris

- the rest is essentially code cleanups

I essentially expect cleanups and fixes next week. If we face trouble, there will be a dev12 by the end of the week. Otherwise we could imagine releasing on Monday or Tuesday. So please test it, beat it, and report problems. If you're curious about a feature that you expect to use soon, please have a look at the related doc and report any confusing part you would notice (or better, please propose fixes).
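To illustrate the header-name problem that "http-restrict-req-hdr-names" addresses, here is an added Python example (not part of the announcement, and not HAProxy's code) that applies the same letters-digits-dash rule to a constructed request in the option's modes (the announcement names delete and reject; a pass-through "preserve" mode is assumed here) and shows how a dash/underscore collision would look to a CGI-style backend. The helper names and the sample headers are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Header-name alphabet the option accepts, as described in the announcement:
# ASCII letters, digits and dash. Underscore, space, etc. are not accepted.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")

def cgi_env_name(header_name: str) -> str:
    """Map a header name to the CGI meta-variable a CGI/FastCGI backend
    would see (RFC 3875, simplified: uppercase, '-' -> '_', HTTP_ prefix)."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def restrict_req_hdr_names(headers: List[Tuple[str, str]],
                           mode: str) -> Optional[List[Tuple[str, str]]]:
    """Emulate the option's modes on (name, value) pairs. Returns the headers
    to forward, or None when the request is rejected. Hypothetical helper."""
    if mode == "preserve":          # pass-through, nothing inspected
        return list(headers)
    kept: List[Tuple[str, str]] = []
    for name, value in headers:
        if _SAFE_NAME.match(name):
            kept.append((name, value))
        elif mode == "reject":      # one bad name refuses the whole request
            return None
        # mode == "delete": drop only the offending header
    return kept

def cgi_view(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group header values by the CGI variable they would land in, so a
    dash/underscore collision (two names, one variable) becomes visible."""
    env: Dict[str, List[str]] = {}
    for name, value in headers:
        env.setdefault(cgi_env_name(name), []).append(value)
    return env

# Constructed sample request: the underscore name collides with
# X-Forwarded-For once the CGI mapping is applied.
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("X_Forwarded_For", "203.0.113.9"),
    ("Content-Type", "text/plain"),
]

if __name__ == "__main__":
    for mode in ("preserve", "delete", "reject"):
        fwd = restrict_req_hdr_names(SAMPLE_HEADERS, mode)
        print(mode, "->", "rejected" if fwd is None else cgi_view(fwd))
```

In preserve mode both values land in the same HTTP_X_FORWARDED_FOR variable, which is exactly the ambiguity the delete and reject modes remove before the request reaches the backend.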
Please find the usual URLs below:
  Site index       : http://www.haproxy.org/
  Documentation    : http://docs.haproxy.org/
  Wiki             : https://github.com/haproxy/wiki/wiki
  Discourse        : http://discourse.haproxy.org/
  Slack channel    : https://slack.haproxy.org/
  Issue tracker    : https://github.com/haproxy/haproxy/issues
  Sources          : http://www.haproxy.org/download/2.6/src/
  Git repository   : http://git.haproxy.org/git/haproxy.git/
  Git Web browsing : http://git.haproxy.org/?p=haproxy.git
  Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
  Pending bugs     : http://www.haproxy.org/l/pending-bugs
  Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
  Code reports     : http://www.haproxy.org/l/code-reports
  Latest builds    : http://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (25):
      BUG/MEDIUM: ncbuf: fix null buffer usage
      MINOR: ncbuf: fix warnings for testing build
      BUG/MEDIUM: quic: fix Rx buffering
      OPTIM: quic: realign empty Rx buffer
      BUG/MINOR: ncbuf: fix ncb_is_empty()
      MINOR: ncbuf: refactor ncb_advance()
      BUG/MINOR: mux-quic: update session's idle delay before stream creation
      MINOR: h3: do not wait a complete frame for demuxing
      MINOR: h3: flag demux as full on HTX full
      MEDIUM: mux-quic: implement recv on io-cb
      MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
      MINOR: mux-quic: reorganize flow-control frames emission
      MINOR: mux-quic: implement MAX_STREAM_DATA emission
      MINOR: mux-quic: implement MAX_DATA emission
      BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
      MINOR: mux-quic: free RX buf if empty
      BUG/MINOR: quic: break for error on sendto
      MINOR: quic: abort on unlisted errno on sendto()
      MINOR: quic: detect EBADF on sendto()
      BUG/MEDIUM: quic: fix initialization for local/remote TPs
      CLEANUP: quic: adjust comment/coding style for TPs init
      MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
      MINOR: mux-quic: emit FLOW_CONTROL_ERROR
      MINOR: mux-quic: emit STREAM_LIMIT_ERROR
      MINOR: mux-quic: close connection on error if different data at offset

Christopher Faulet (30):
      MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
      CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
      MINOR: applet: Prepare appctx to own the session on frontend side
      MINOR: applet: Let the frontend appctx release the session
      MINOR: applet: Change return value for .init callback function
      MINOR: stream: Export stream_free()
      MINOR: applet: Add appctx_init() helper fnuction
      MINOR: applet: Add a function to finalize frontend appctx startup
      MINOR: applet: Add function to release appctx on error during init stage
      MEDIUM: dns: Refactor dns appctx creation
      MEDIUM: spoe: Refactor SPOE appctx creation
      MEDIUM: lua: Refactor cosocket appctx creation
      MEDIUM: httpclient: Refactor http-client appctx creation
      MINOR: sink: Add a ref to sink in the sink_forward_target structure
      MEDIUM: sink: Refactor sink forwarder appctx creation
      MINOR: peers: Add a ref to peers section in the peer structure
      MEDIUM: peers: Refactor peer appctx creation
      MINOR: applet: Add API to start applet on a thread subset
      MEDIUM: applet: Add support for async appctx startup on a thread subset
      MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
      CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
      REGTESTS: abortonclose: Fix some race conditions
      BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
      CLEANUP: peers: Remove unreachable code in peer_session_create()
      CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
      BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
      BUG/MINOR: check: Reinit the buffer wait list at the end of a check
      MEDIUM: check: No longer shutdown the connection in .wake callback function
      REORG: check: Rename and export I/O callback function
      MEDIUM: check: Use the CS to handle subscriptions for read/write events

David CARLIER (1):
      BUILD/MINOR: cpuset fix build for FreeBSD 13.1

David Carlier (2):
      BUILD: fix build warning on solaris based systems with __maybe_unused.
      MINOR: tools: add get_exec_path implementation for solaris based systems.

Frédéric Lécaille (15):
      MINOR: quic: Dump initial derived secrets
      MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
      MINOR: quic_tls: Add quic_tls_decrypt2() implementation
      MINOR: quic: Retry implementation
      MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
      MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
      BUILD: stats: Missing headers inclusions from stats.h
      MINOR: quic_stats: Add a new stats module for QUIC
      MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
      BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
      MINOR: quic: QUIC stats counters handling
      MINOR: quic: Add tune.quic.retry-threshold keyword
      MINOR: quic: Dynamic Retry implementation
      BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
      BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation

Ilya Shipitsin (2):
      CI: determine actual LibreSSL version dynamically
      CI: determine actual OpenSSL version dynamically

Maciej Zdeb (2):
      MINOR: peers: Track number of applets run by thread
      MEDIUM: peers: Balance applets across threads

Remi Tricot-Le Breton (5):
      MEDIUM: ssl: Delay random generator initialization after config parsing
      MINOR: ssl: Add 'ssl-propquery' global option
      MINOR: ssl: Add 'ssl-provider' global option
      BUG/MINOR: ssl: Fix crash when no private key is found in pem
      MINOR: ssl: Add 'ssl-provider-path' global option

Tim Duesterhus (4):
      CLEANUP: Add missing header to ssl_utils.c
      CLEANUP: Add missing header to hlua_fcn.c
      CLEANUP: Remove unused function hlua_get_top_error_string
      CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()

Willy Tarreau (20):
      BUG/MINOR: cfgparse: abort earlier in case of allocation error
      BUG/MINOR: peers: fix error reporting of "bind" lines
      CLEANUP: config: improve address parser error report for unmatched protocols
      CLEANUP: config: provide cleare hints about unsupported QUIC addresses
      MINOR: protocol: replace ctrl_type with xprt_type and clarify it
      MINOR: listener: provide a function to process all of a bind_conf's arguments
      MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
      CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
      MINOR: listener: add a new "options" entry in bind_conf
      CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
      CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
      CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
      CLEANUP: listener: store stream vs dgram at the bind_conf level
      MINOR: listener: detect stream vs dgram conflict during parsing
      MINOR: listener: set the QUIC xprt layer immediately after parsing the args
      MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
      MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
      MINOR: config: detect and report mux and transport incompatibilities
      MINOR: listener: automatically select a QUIC mux with a QUIC transport
      MINOR: listener: automatically enable SSL if a QUIC transport is found

---