Re: Segfaults with 1.9.6
On Fri, Oct 25, 2019 at 04:54:44PM +0200, GARDAIS Ionel wrote:
> Hi Olivier,
>
> As far as I can remember, 1.9 had a series of segfaults involving H2 and HTX,
> patched from release to release.
> http://www.haproxy.org/bugs/bugs-1.9.6.html
>
> As a rule of thumb, I can only suggest you try with the latest 1.9 release
> (that is 1.9.12 as of today) and see if segfaults happen again.

Seconded! Since 1.9 we've faced very complex conditions triggering some sleeping bugs like these. One of the issues reported in Olivier's trace was related to the improper locking of connections that was fixed some time ago.

When facing any bug (not only a crash), the first thing to do is to make sure you're up to date. If you don't update, it is guaranteed that the bug you've faced will be able to appear again under the same conditions. If you update, you have a chance that it was fixed. And if not, developers can immediately look at the issue without first asking to update.

Based on the recent history with such complex bugs, I predict we'll probably face one, maybe even two other bugs of this level of severity in very rare conditions before 1.9 reaches EOL, but overall the long code audit that started some time ago helped address causes more than consequences, even if that leads to more difficult backports. And despite such few issues, the internal processing in 1.9 and 2.0 is way cleaner, safer and more correct than previous versions, so it's really strongly recommended to stay up to date.

Cheers,
Willy
Re: Timeout defaults?
Hi,

On 25/10/2019 at 22:28, Troels Arvin wrote:
> I'm trying to find out what the default values are for the following
> parameters for HAproxy 1.5:
>
> timeout client
> timeout server
> timeout tunnel
>
> Where can I find the values? -- I don't seem to be able to find them in the
> documentation at https://cbonte.github.io/haproxy-dconv/1.5/configuration.html

You will find the information at several places:

- in the documentation: "An unspecified timeout results in an infinite timeout"
  https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-timeout%20client
  https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-timeout%20server
  https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.2-timeout%20connect

- in the warnings logged by the haproxy process:
  [WARNING] 298/010006 (813) : config : missing timeouts for proxy ''.
     | While not properly invalid, you will certainly encounter various problems
     | with such a configuration. To fix this, please ensure that all following
     | timeouts are set to a non-zero value: 'client', 'connect', 'server'.

--
Cyril Bonté
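The warning Cyril quotes is emitted by HAProxy's configuration check, which treats an unset (or zero) timeout as infinite. As an added example, not code from this thread or from HAProxy itself, here is a small Python checker that applies the same rule to a configuration file before it is deployed, so the problem is caught at review time rather than in the process log. The mapping of section type to required timeouts (frontend: client; backend: connect and server; listen: all three), the handling of a later "defaults" section resetting the earlier one, the deprecated "clitimeout"/"srvtimeout"/"contimeout" spellings, and the sample configuration are all assumptions of this example.

```python
"""Flag HAProxy proxies whose client/connect/server timeouts are unset.

Added example, not code from HAProxy or from this thread.  An unspecified
(or zero) timeout is infinite, so the checker reports, per frontend/backend/
listen section, the timeouts HAProxy's own startup warning would name.
"""
import re

# Section keywords; "defaults" starts a new set of inherited values.
SECTION_RE = re.compile(
    r"^(global|defaults|frontend|backend|listen|userlist|peers|resolvers|mailers|cache)\b\s*(\S*)"
)
# Deprecated 1.x spellings treated as equivalents of "timeout <name>" (assumption).
LEGACY = {"clitimeout": "client", "srvtimeout": "server", "contimeout": "connect"}
# Which timeouts each proxy type needs (assumption mirroring the warning text).
REQUIRED = {
    "frontend": ("client",),
    "backend": ("connect", "server"),
    "listen": ("client", "connect", "server"),
}


def parse_proxies(text):
    """Return [(kind, name, timeouts)] for every frontend/backend/listen section.

    Timeouts come from the section itself or from the most recent "defaults"
    section; a later "defaults" section replaces the earlier one entirely.
    """
    defaults, proxies, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            kind, name = match.groups()
            if kind == "defaults":
                defaults = {}                 # reset: defaults sections do not accumulate
                current = defaults
            elif kind in REQUIRED:
                current = dict(defaults)      # inherit a copy of the active defaults
                proxies.append((kind, name, current))
            else:
                current = None                # global/userlist/...: no timeouts here
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "timeout" and len(words) >= 3:
            current[words[1]] = words[2]
        elif words[0] in LEGACY and len(words) >= 2:
            current[LEGACY[words[0]]] = words[1]
    return proxies


def is_unset(value):
    """True when a timeout is absent or zero (both mean 'infinite')."""
    return value is None or re.fullmatch(r"0+(us|ms|s|m|h|d)?", value) is not None


def missing_timeouts(text):
    """Map (kind, name) -> list of required timeouts left unset, offenders only."""
    problems = {}
    for kind, name, timeouts in parse_proxies(text):
        missing = [t for t in REQUIRED[kind] if is_unset(timeouts.get(t))]
        if missing:
            problems[(kind, name)] = missing
    return problems


def report(text):
    """Render findings in the spirit of HAProxy's 'missing timeouts' warning."""
    return [
        "missing timeouts for %s '%s': %s"
        % (kind, name, ", ".join("'%s'" % t for t in missing))
        for (kind, name), missing in missing_timeouts(text).items()
    ]


# Constructed sample configuration (addresses and names are placeholders).
SAMPLE_CONFIG = """\
global
    log 127.0.0.1 local0

defaults
    mode http
    timeout connect 5s
    timeout client  30s

frontend web
    bind *:80
    default_backend app

backend app
    server s1 10.0.0.1:8080      # inherits connect, but no server timeout anywhere

listen stats
    bind *:8404
    timeout client 0             # zero is still infinite
    timeout server 30s
    stats enable

defaults                         # second defaults section: everything above is reset
    mode tcp

backend db
    timeout connect 1s
    srvtimeout 10s               # deprecated spelling of "timeout server"
    server db1 10.0.0.2:5432

frontend tcpin
    bind *:5432
    default_backend db
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Running the script on the constructed sample reports "app" (no server timeout), "stats" (client timeout set to zero) and "tcpin" (nothing inherited after the second defaults section), while "web" and "db" pass; pointing it at a real file is a matter of reading the file into report().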
Timeout defaults?
I'm trying to find out what the default values are for the following parameters for HAproxy 1.5:

timeout client
timeout server
timeout tunnel

Where can I find the values? -- I don't seem to be able to find them in the documentation at https://cbonte.github.io/haproxy-dconv/1.5/configuration.html

--
Regards,
Troels Arvin
Re: [PATCH] MINOR: ssl: deduplicate ca-file
Hi,

add a second patch to address ca-list case.

++
Manu

> On 24 Oct 2019, at 12:14, Emmanuel Hocdet wrote:
>
> Hi,
>
> Little patch with big win when ca-file is used in server line.
>
> ++
> Manu
>
> <0001-MINOR-ssl-deduplicate-ca-file.patch>

0001-MINOR-ssl-deduplicate-ca-file.patch
0002-MINOR-ssl-compute-ca-list-from-deduplicate-ca-file.patch
Re: Segfaults with 1.9.6
Hi Olivier,

As far as I can remember, 1.9 had a series of segfaults involving H2 and HTX, patched from release to release.
http://www.haproxy.org/bugs/bugs-1.9.6.html

As a rule of thumb, I can only suggest you try with the latest 1.9 release (that is 1.9.12 as of today) and see if segfaults happen again.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

From: "Olivier D"
To: "haproxy"
Sent: Friday 25 October 2019 14:48:20
Subject: Segfaults with 1.9.6

> Hello,
>
> I know I'm reporting an issue with an old version, but I got 2 segfaults in 48h. As I only got 3 segfaults with HAProxy in +10 years, I just wanted to make sure these bugs have been caught and are now fixed.
[ANNOUNCE] haproxy-2.1-dev3
Hi,

HAProxy 2.1-dev3 was released on 2019/10/25. It added 155 new commits after version 2.1-dev2.

It's two weeks later than initially expected due to being diverted by bugs but the main point is that we're converging towards something better :-) So now we've finally merged the tail of pending features. There are still some rough edges but these ones will be progressively addressed in the upcoming weeks.

The last user-visible changes since 2.1-dev2 include:

- SSL: refactoring of how certificates are loaded and indexed in memory so that they're loaded only once each even if referenced on multiple bind lines (CPU and memory savings), and ability to update them from the CLI ("set ssl cert"), as well as OCSP/issuer/SCTL etc. There are still a few limitations, I think certain corner cases are not supported (yet) but I can't tell what so I'll rather shut up. At least it's a great improvement because certs updates were one reason for some users to reload often, and these ones were experiencing long reload operations due to a massive amount of certs.

- H1/H2: properly handle authority and scheme. When H2 was implemented on top of H1, H2 requests were turned to H1 requests in "origin form" (i.e. GET /path/to/file + Host header). But H2 agents are encouraged to use absolute form (GET https://authority/path/to/file) which they do. Our conversion always used the origin form, which resulted in the loss of the scheme on end-to-end transfers, and a loss of representation if using H2 to convey H1 requests. Now that HTX is the only internal representation, it was possible to maintain the request in its original form (typically absolute for H2 and origin for H1) and preserve all elements end-to-end. One visible effect though is that logs will now show "GET https://authority/path" instead of "GET /path" since the URI really is this. Some will find this better, others may be annoyed but it's still possible to change the format if desired. What matters is that we do not denature requests anymore.

- the cache can now cache requests for absolute URIs as well, as a byproduct of having to support these for H2.

- HTX: we now maintain the authority and the host synchronized when using set-uri or when touching the Host header. In addition, requests with conflicting Host/authority are now rejected as required by the standards.

- H1/FCGI: implement traces just like in H2, this can be used to provide detailed captures of issues to developers, or just for you to observe the traffic.

- H2: add the ability to emit CONTINUATION frames for too large headers or trailers to fit into a single frame. This was needed in environments where more than 16kB of headers need to be sent to a client. So now our support for CONTINUATION is complete, we can both receive and send large header blocks. Note that this part is easy to backport and might at some point be backported into 2.0 if there is demand for it.

- HTTP: http-send-name-header would previously not remove any existing occurrence of the header in HTX mode, this is now done so that it behaves exactly like in old legacy mode.

- H1: smarter handling of internally generated responses (mostly errorfiles) which now support keep-alive when the messages are properly formatted.

- stats: the new output modifier "desc" to "show info" and "show stat" will provide a short description of the meaning of each metric. This is an attempt at saving a few monthly hours of sleep to a number of admins :-)

- build: threads and CPU affinity are now enabled on OSX.

Performance improvements:

- the scheduler now uses a combination of a locked and a lockfree list to regain 5-10% performance on workloads involving high connection rates.

Debugging:

- the "debug dev" commands that were only available when building with -DDEBUG_DEV are now always built-in, but only shown and available when the CLI is in "expert-mode". These are sometimes needed by developers to extract some extra information about a sick session, or to perform fault injection. Do not try to use them in production without being invited to do so, you'll very likely crash your process before you understand what you did.

- more prominent version strings: among the difficulties faced when analyzing a core for a very strange issue, there is the permanent doubt about whether or not the core file was really issued from the reported version. The version string used to be built as a constant and as such did not appear in core files. Now it's copied into a variable so that it is as simple as running "strings core | fgrep -A2 'HAProxy version'" to see the exact version string.

And roughly 50 bugs were addressed since -dev2, many of which were already backported into 2.0.8. We've noticed that a few issues that are still being worked
RE: [PR/FEATURE] support for virtual hosts / Host header per server
Hello,

Patch attached.

Adding an option "http-check send-name-header ". It adds a header per server in healthchecks, similar usage to "http-send-name-header".

Built and tested locally.

frontend myfrontend
    bind *:8080
    mode http
    default_backend mybackend

backend mybackend
    mode http
    balance roundrobin
    stats enable
    stats uri /stats
    http-send-name-header Host
    option httpchk GET /
    http-check send-name-header Host
    http-check expect status 200
    default-server inter 5s fall 2 rise 2
    server myapp.example.com myapp.example.com:1234 check

-----Original Message-----
From: Willy Tarreau [mailto:w...@1wt.eu]
Sent: 23 October 2019 03:37
To: Igor Cicimov
Cc: Morotti, Romain D (CIB Tech, GBR); HAProxy; Sayar, Guy H (CIB Tech, GBR)
Subject: Re: [PR/FEATURE] support for virtual hosts / Host header per server

On Wed, Oct 23, 2019 at 08:52:58AM +1100, Igor Cicimov wrote:
> Sorry misread your issue. It is a strange setup you got there wonder
> why do you need cross DC load balancing on the k8s ingress when you
> are already doing it globally via DNS?

Agreed, for me the setup is completely shifted by one level. There's a reason many people set their backend section names to the virtual host names: an application or a service corresponds to a virtual host name. And that's not something related to haproxy but to the HTTP protocol. Servers will emit redirects and cookies mentioning the same host name, HTML pages will contain URLs mentioning the same host name thus all servers part of a same farm must absolutely use the same Host header.

Here my impression is that the application is strangely architected and tries to use haproxy to work around an architecture mistake. In short, instead of using the frontend to route to different backends, it uses the backend to route to different servers. Since header manipulation rules are per-backend, here obviously it creates an issue as the manipulation unsurprisingly happens at the wrong step.

I'm not against seeing how we can make haproxy easier to use to work around such broken setups, but I'm really not willing to make it more confusing to use for everyone just for the sake of working around such mistakes. Typically we need to rework health checks to make them easier to configure and make it possible to send per-server variations as I proposed in a previous e-mail in this thread.

Cheers,
Willy

patch.diff
Setting SSL/TLS options but still allow some exceptions
Hello,

I'm rewriting a complex HAProxy config file and would like to be sure how ssl-default-bind-options and bind options work together.

I would like to configure safe options by default, but still allow less-safe protocols on some frontend. I'm puzzled by "force-X" documentation (does it really "force" protocol or just allow it? What if I use several force-X options all together?) and want to be sure of the behaviour.

Here is what I would like to do:

frontend foo : supports TLS 1.2 and TLS 1.3
frontend foo-unsecure : supports everything from sslv3 to TLS 1.3
frontend foo-unsecure2 : supports TLS 1.1 to TLS 1.3

And here is how I would write it down:

# Default (safe) config :
ssl-default-bind-options no-sslv3 no-tls10 no-tls11

frontend foo
    bind 127.0.0.1:8080 ssl

frontend foo-unsecure
    bind 127.0.0.1:1234 ssl force-sslv3 force-tls10 force-tls11

frontend foo-unsecure2
    bind 127.0.0.1:4321 ssl force-tls11

I don't want to use 'ssl-min-ver' or 'ssl-max-ver' because the config file is auto-generated from a database, and it would make the code more difficult.

Thank you for your feedback.

Olivier
Segfaults with 1.9.6
Hello,

I know I'm reporting an issue with an old version, but I got 2 segfaults in 48h. As I only got 3 segfaults with HAProxy in +10 years, I just wanted to make sure these bugs have been caught and are now fixed.

haproxy -vv output:

HA-Proxy version 1.9.6 2019/03/29 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wno-stringop-overflow -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
Running on OpenSSL version : OpenSSL 1.1.1b 26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300, test result OK
       poll : pref=200, test result OK
     select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
                 : mode=HTX        side=FE|BE
                 : mode=TCP|HTTP   side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

### First segfault : ###

Program terminated with signal 11, Segmentation fault.
#0  0x004cba32 in h2_process_mux (h2c=0x9b4b300) at src/mux_h2.c:2588
(gdb) bt full
#0  0x004cba32 in h2_process_mux (h2c=0x9b4b300) at src/mux_h2.c:2588
        h2s = 0x98edf50
#1  h2_send (h2c=h2c@entry=0x9b4b300) at src/mux_h2.c:2716
        flags =
        conn = 0x9aef030
        done = 0
        sent = 0
#2  0x004d3918 in h2_io_cb (t=, ctx=0x9b4b300, status=) at src/mux_h2.c:2778
        h2c = 0x9b4b300
        ret = 0
#3  0x00584456 in process_runnable_tasks () at src/task.c:437
        t = 0x9e15170
        state =
        ctx =
        process =
        t =
        max_processed = 194
#4  0x00503fd4 in run_poll_loop () at src/haproxy.c:2642
        next =
        exp =
#5  run_thread_poll_loop (data=data@entry=0x19a32b0) at src/haproxy.c:2707
        ptif =
        ptdf =
        start_lock = 0
#6  0x004648d8 in main (argc=, argv=0x7ffccfb0cba8) at src/haproxy.c:3343
        tids = 0x19a32b0
        threads = 0x19a2750
        i =
        old_sig = {__val = {68097, 0, 64, 206158430210, 532575944795, 472446402679, 0, 139791683256608, 24, 11381472, 335544638, 11392704, 26776016, 139791680031404, 0, 26699504}}
        blocked_sig = {__val = {1844674406710583, 18446744073709551615 }}
        err =
        retry =
        limit = {rlim_cur = 801167, rlim_max = 801167}
        errmsg = "\000\000\000\000\000\000\000\000\220Ap\312#\177\000\000\000\357\200\000\000\000\000\000(\357\200\000\000\000\000\000\231\353\200\000\000\000\000\000\000\000\000\000\002", '\000' "\350, Dp\312#\177\000\000p\311\260\317\374\177\000\000\035\000\000\000\000\000\000\000\210\311\260\317\374\177\000\000 \326\230\001\001\000\000\000\000v\000"
        pidfd =

### Second segfault ###

Program terminated with signal 11, Segmentation fault.
#0  0x005808b5 in __pendconn_unlink (p=p@entry=0x7fff694b0730) at src/queue.c:138
(gdb) bt full
#0  0x005808b5 in __pendconn_unlink (p=p@entry=0x7fff694b0730) at src/queue.c:138
No locals.
#1  0x00581507 in pendconn_redistribute (s=s@entry=0x6b01cd0) at src/queue.c:413
        p = 0x7fff694b0730
        node = 0xb781a88
#2  0x004ee2b2 in srv_update_status (s=s@entry=0x6b01cd0) at src/server.c:4805
        next_admin =
        check = 0x6b02170
        xferred =
        px = 0x6a357e0
        prev_srv_count = 2
        srv_was_stopping =
        log_level =
        tmptrash = 0x0
#3  0x004eef04 in srv_set_stopped (s=0x6b01cd0, reason=reason@entry=0x0, check=) at src/server.c:1016
        srv =
#4  0x004eefc1 in srv_set_stopped (s=, reason=reason@entry=0x0, check=) at
Re: Lock contention in pat_match_str in threaded mode
Hi Brian,

On Thu, Oct 24, 2019 at 05:10:40PM +, Brian Diekelman wrote:
> Thank you for turning that around so quickly, Willy.
>
> We'll pull down the new release when it's available.

So just FYI, 1.8.22 was released with the fix.

Cheers,
Willy
Status of 1.5 ?
Hi all,

I'm just wondering what to do with 1.5. I've checked and it didn't receive any fix in almost 3 years. The ones recently merged into 1.6 that were possible candidates for 1.5 were not critical enough to warrant a new release for a long time.

Now I'm wondering, is anyone interested in this branch to still be maintained? Should I emit a new release with a few pending fixes just to flush the pipe and pursue its "critical fixes only" status a bit further, or should we simply declare it unmaintained?

I'm fine with either option, it's just that I hate working for no reason, and this version was released a bit more than 5 years ago now, so I can easily expect that it has few to no users by now.

Please just let me know what you think,
Thanks,
Willy
[ANNOUNCE] haproxy-1.6.15
Hi,

HAProxy 1.6.15 was released on 2019/10/25. It added 109 new commits after version 1.6.14.

These are essentially the same fixes that went into 1.7.12 (as I said in the other thread, 1.6 and 1.7 were very similar). The last 1.6 was even 3 months older than the latest 1.7, so it's about time to turn it to "critical fixes only" status. I've seen a bunch of 1.6 in field, I know that some are still running at various places (this version is rock solid by now), no need to worry, we can keep it in this state for one or two extra years if needed. Having less fixes to deal with also means easier releases when required.

If you're running on 1.6.14 and never faced an issue I'm not even sure it's worth upgrading. The major issues there concern acl/map managements, or traffic patterns that are either easily met or irrelevant to your use case. However if you deploy new instances or maintain packages, better stay on the safe side and deploy the last one. Similarly if you're running on a snapshot, at least you can update to a release now.

Please have a look at the changelog below for more details.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.6.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.6.git
   Changelog        : http://www.haproxy.org/download/1.6/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Aurélien Nephtali (1):
      CLEANUP: ssl: Remove a duplicated #include

Baptiste Assmann (1):
      BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers

Christopher Faulet (19):
      BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
      BUG/MINOR: http: Return an error in proxy mode when url2sa fails
      BUG/MINOR: checks: Fix check->health computation for flapping servers
      BUG/MINOR: config: Copy default error messages when parsing of a backend starts
      BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify()
      BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
      BUG/MAJOR: stats: Fix how huge POST data are read from the channel
      BUG/MINOR: http: Call stream_inc_be_http_req_ctr() only one time per request
      BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
      BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
      MINOR: config: Test validity of tune.maxaccept during the config parsing
      CLEANUP: config: Don't alter listener->maxaccept when nbproc is set to 1
      BUG/MEDIUM: hlua: Check the calling direction in lua functions of the HTTP class
      MINOR: hlua: Don't set request analyzers on response channel for lua actions
      MINOR: hlua: Add a flag on the lua txn to know in which context it can be used
      BUG/MINOR: hlua: Only execute functions of HTTP class if the txn is HTTP ready
      BUG/MINOR: lua: Set right direction and flags on new HTTP objects
      BUG/MEDIUM: lb-chash: Fix the realloc() when the number of nodes is increased
      BUG/MEDIUM: lb-chash: Ensure the tree integrity when server weight is increased

Cyril Bonté (3):
      BUG/MINOR: force-persist and ignore-persist only apply to backends
      DOC: log: more than 2 log servers are allowed
      BUG/MEDIUM: lua: socket timeouts are not applied

David Carlier (1):
      BUG/MEDIUM: da: cast the chunk to string.

Dragan Dosen (2):
      BUG/MINOR: map: correctly track reference to the last ref_elt being dumped
      BUG/MEDIUM: 51d: fix possible segfault on deinit_51degrees()

Frédéric Lécaille (2):
      BUG/MINOR: lua: Segfaults with wrong usage of types.
      BUG/MINOR: lua: Bad HTTP client request duration.

Jérôme Magnin (3):
      DOC: clarify the scope of ssl_fc_is_resumed
      DOC: Describe routing impact of using interface keyword on bind lines
      BUG/MINOR: server: don't always trust srv_check_health when loading a server state

Kevin Zhu (1):
      BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit

Krisztian Kovacs (1):
      BUG/MEDIUM: namespace: close open namespaces during soft shutdown

Lukas Tribus (3):
      DOC: don't suggest using http-server-close
      DOC: fix reference to map files in MAINTAINERS
      DOC: restore note about "independant" typo

Moemen MHEDHBI (1):
      DOC: Update configuration doc about the maximum number of stick counters.

Olivier Houchard (6):
      BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
      BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
      MINOR: server: Use memcpy() instead of strncpy().
      MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
[ANNOUNCE] haproxy-1.7.12
Hi,

HAProxy 1.7.12 was released on 2019/10/25. It added 114 new commits after version 1.7.11.

I noticed that due to the vast majority of the recent bugs being related to modern changes like threads, muxes, connection scheduling etc, very few fixes affect older versions like 1.7 and 1.6 and we tend to constantly postpone their releases. The last 1.7 was issued no less than 1.5 years ago with nobody complaining loudly. That tells me 3 things:
  - 1.7 is not that much used anymore
  - it is stable enough for most use cases where it's relevant
  - time is better spent working on recent versions than backporting minor fixes there at the risk of breaking existing setups

Thus I consider it reasonable to mark it "critical fixes only" since it really reflects its practical status, and continue to keep it this way for a while. With less fixes backported to it, we'll more easily handle future releases, should any critical fix have to be backported in the future. I'll do the same soon with 1.6. No need to run away screaming yet, I think we can safely keep them one or two more years in this state before dropping support.

I had a look at all the fixes pending there, and to be honest I don't remember about most of them. However one thing is interesting, most of those tagged "major" there were much less likely to be encountered than the ones we've got since 1.8 so overall I think it has reached a level of reliability that we should maintain instead of risking to degrade it by failing to backport some unimportant fixes. It's also worth noting that we reached such a state with only 12 releases in 1.7 while we'll likely at least double this before 1.8 may reach the same status! It looks like 1.7 was very calm overall, mostly because it does not much differ from 1.6.

Those running on a git snapshot will probably want to update to this new release, and those used to deploy 1.7.11 may want to jump to 1.7.12 and stay away from several risks of crashes. Please check the changelog below for more details.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.7/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.7.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.7.git
   Changelog        : http://www.haproxy.org/download/1.7/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (21):
      BUG/MINOR: checks: Fix check->health computation for flapping servers
      BUG/MINOR: config: Copy default error messages when parsing of a backend starts
      BUG/MAJOR: stream-int: Update the stream expiration date in stream_int_notify()
      BUG/MINOR: check: Wake the check task if the check is finished in wake_srv_chk()
      BUG/MAJOR: stats: Fix how huge POST data are read from the channel
      BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers
      BUG/MINOR: http: Call stream_inc_be_http_req_ctr() only one time per request
      BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
      BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
      MINOR: config: Test validity of tune.maxaccept during the config parsing
      CLEANUP: config: Don't alter listener->maxaccept when nbproc is set to 1
      BUG/MEDIUM: hlua: Check the calling direction in lua functions of the HTTP class
      MINOR: hlua: Don't set request analyzers on response channel for lua actions
      MINOR: hlua: Add a flag on the lua txn to know in which context it can be used
      BUG/MINOR: hlua: Only execute functions of HTTP class if the txn is HTTP ready
      BUG/MINOR: lua: Set right direction and flags on new HTTP objects
      BUG/MEDIUM: lb-chash: Fix the realloc() when the number of nodes is increased
      BUG/MEDIUM: lb-chash: Ensure the tree integrity when server weight is increased
      BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed
      BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr
      DOC: Fix documentation about the cli command to get resolver stats

Cyril Bonté (1):
      BUG/MEDIUM: lua: socket timeouts are not applied

David Carlier (1):
      BUG/MEDIUM: da: cast the chunk to string.

Dragan Dosen (3):
      BUG/MINOR: map: correctly track reference to the last ref_elt being dumped
      BUG/MEDIUM: 51d: fix possible segfault on deinit_51degrees()
      BUG/MINOR: haproxy: fix rule->file memory leak

Emeric Brun (5):
      BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
      BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
      BUG/MINOR: map: fix map_regm with backref
      BUG/MEDIUM: ssl: missing
[ANNOUNCE] haproxy-1.8.22
Hi,

HAProxy 1.8.22 was released on 2019/10/25. It added 46 new commits after version 1.8.21.

The main issue addressed in this release is an occasional risk of crash in H2 on skipped frames. The other issues are less important, and were already addressed in 1.9 and 2.0 released since last August. If you've been facing issues with threads not stopping on reload, FD leaks in SSL in master-worker mode, reliability issues with external checks or performance issues with threads and lots of ACLs or patterns, you should consider updating.

Please check the changelog below for more details.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/1.8/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.8.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.8.git
   Changelog        : http://www.haproxy.org/download/1.8/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Christopher Faulet (10):
      BUG/MEDIUM: spoe: Be sure the sample is found before setting its context
      BUG/MEDIUM: proto-http: Always start the parsing if there is no outgoing data
      BUG/MINOR: filters: Properly set the HTTP status code on analysis error
      BUG/MINOR: acl: Fix memory leaks when an ACL expression is parsed
      BUG/MAJOR: mux_h2: Don't consume more payload than received for skipped frames
      DOC: Fix documentation about the cli command to get resolver stats
      BUG/MINOR: chunk: Fix tests on the chunk size in functions copying data
      BUG/MINOR: tcp: Don't alter counters returned by tcp info fetchers
      BUG/MINOR: ssl: Fix fd leak on error path when a TLS ticket keys file is parsed
      BUG/MINOR: stick-table: Never exceed (MAX_SESS_STKCTR-1) when fetching a stkctr

Dragan Dosen (1):
      BUG/MINOR: haproxy: fix rule->file memory leak

Emeric Brun (5):
      CLEANUP: ssl: make ssl_sock_put_ckch_into_ctx handle errcode/warn
      CLEANUP: ssl: make ssl_sock_load_dh_params handle errcode/warn
      CLEANUP: bind: handle warning label on bind keywords parsing.
      BUG/MEDIUM: ssl: 'tune.ssl.default-dh-param' value ignored with openssl > 1.1.1
      BUG/MINOR: ssl: fix memcpy overlap without consequences.

Kevin Zhu (1):
      BUG/MEDIUM: spoe: Use a different engine-id per process

Krisztian Kovacs (1):
      BUG/MEDIUM: namespace: close open namespaces during soft shutdown

Krisztián Kovács (kkovacs) (1):
      BUG/MEDIUM: namespace: fix fd leak in master-worker mode

Miroslav Zagorac (1):
      BUG/MINOR: WURFL: fix send_log() function arguments

Olivier Houchard (2):
      BUG/MEDIUM: ssl: Use the early_data API the right way.
      MINOR: doc: Document allow-0rtt on the server line.

Rob Allen (1):
      BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload

Tim Duesterhus (2):
      BUG/MINOR: lua: Properly initialize the buffer's fields for string samples in hlua_lua2(smp|arg)
      BUG/MINOR: sample: Make the `field` converter compatible with `-m found`

William Lallemand (4):
      BUG/MINOR: ssl: free the sni_keytype nodes
      BUG/MINOR: ssl: abort on sni allocation failure
      BUG/MINOR: ssl: abort on sni_keytypes allocation failure
      BUG/MINOR: mworker/ssl: close openssl FDs unconditionally

Willy Tarreau (16):
      BUILD/MINOR: stream: avoid a build warning with threads disabled
      MINOR: connection: add new function conn_is_back()
      BUG/MEDIUM: checks: make sure the warmup task takes the server lock
      BUG/MINOR: logs/threads: properly split the log area upon startup
      BUG/MINOR: mworker: disable SIGPROF on re-exec
      BUG/MEDIUM: listener/threads: fix an AB/BA locking issue in delete_listener()
      BUG/MEDIUM: http: also reject messages where "chunked" is missing from transfer-enoding
      BUG/MEDIUM: check/threads: make external checks run exclusively on thread 1
      MINOR: tools: implement my_flsl()
      BUG/MEDIUM: cache: make sure not to cache requests with absolute-uri
      DOC: clarify some points around http-send-name-header's behavior
      MINOR: stats: mention in the help message support for "json" and "typed"
      CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes
      BUILD: ssl: fix again a libressl build failure after the openssl FD leak fix
      BUG/MINOR: stick-table: fix an incorrect 32 to 64 bit key conversion
      BUG/MEDIUM: pattern: make the pattern LRU cache thread-local and lockless

n...@users.noreply.github.com (1):
      DOC: fixed typo in management.txt

---