Hi,
HAProxy 2.6.2 was released on 2022/07/22. It added 58 new commits
after version 2.6.1.
Several issues about QUIC were fixed in this release. A memory leak was
fixed on datagrams receipt. It was possible to erroneously report a protocol
violation when stream data were received with a partially new offset with
some data already consumed out of the RX buffer. It was fixed by properly
updating the buffer state. To respect RFC9000, a CONNECTION_CLOSE frame with
APPLICATION_ERROR code is now sent instead of CONNECTION_CLOSE_APP code in
an Initial or Handshake packet. The QUIC multiplexer is now properly dealing
with chunk-encoded server responses. The FIN bit was missing on the last
frame and the client was waiting indefinitely for it. We now ensure that all
data were received to signal the end of data. Indeed, it is possible to
receive the STREAM FIN while some data are missing. QUIC support was also
improved. New counters were added to diagnose RX buffer overrun. The
datagrams receipt was improved, reducing the latency: the RX buffer size was
increased to 64kB and we try to fulfill it as much as possible at each I/O
handler call.
In addition, here are the other main issues fixed in this release:
* Some peer sessions could be blocked during a reload because the connect
expiration data was reset by the frontend side while it must only be
reset by the backend side. This prevented old workers from dying. This issue
was introduced in 2.6, during the conn-stream refactoring.
* Crashes could be experienced during hot-upgrade from 2.4 to 2.6 because
the old worker was still identified as a running worker.
* HAProxy could crash on old Glibc on dlsym() function call if it is
statically built.
* Several "show thread" commands running in loop could provoke segfaults
because of a null pointer dereference.
* Some sessions could leak because connection errors were ignored by the H1
multiplexer during a synchronous send.
* Tunneled H1 sessions could be blocked when raw data were received before
the end of the request analysis because of a wrong assumption on the
request buffer emptiness.
* A bug in the "method" sample fetch could lead to a crash if it was used
in logs for errors triggered at the mux level.
* In HTTP/1.1, the matching between the authority and the Host header value
for CONNECT requests was buggy. An exact match was performed ignoring any
normalization on the port. For CONNECT requests, the authority must contain
the port but it may be omitted from the host header value for default
ports (80 or 443). The matching was fixed to properly handle this case.
* Unexpected FD close using SSL async engine could be experienced because
the engine and HAProxy both closed it. To fix the issue a flag is now
used to instruct HAProxy to not close the FD when it is removed from
the fdtab array.
* Invalid 103-early-hints messages could be generated when some
"early-hint" rules were conditioned by ACLs.
* Depending on the declaration order of "http-check send" and "option
httpchk" directives, the configured headers could be ignored.
* Duplicate certificates in ca-file directories were not properly handled
because of an OpenSSL error. The error is now ignored.
* Lookup for a private key in extra files was not ignored when it was
already found in the pem file, while it should have been.
* The HTTP scheme based normalization did not properly handle the URIs
with userinfo. They were not preserved after the normalization process.
* An internal error was reported when loadbalancing on source IP address
was impossible. It could happen with SPOE applets or with clients
connected to HAProxy via a unix socket. Now, when this happens, a
fallback to round-robin is performed.
Thanks to everyone for this release. Enjoy !
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Documentation : http://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : http://www.haproxy.org/download/2.6/src/
Git repository : http://git.haproxy.org/git/haproxy-2.6.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.6.git
Changelog : http://www.haproxy.org/download/2.6/src/CHANGELOG
Pending bugs : http://www.haproxy.org/l/pending-bugs
Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs
Code reports : http://www.haproxy.org/l/code-reports
Latest builds : http://www.haproxy.org/l/dev-packages
---
Complete changelog :
Amaury Denoyelle (8):
MINOR: ncbuf: implement ncb_is_fragmented()
BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
MINOR: h3: add h3c pointer into h3s instance
MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
MINOR: qpack: properly handle invalid dynamic table references
BUG/MEDIUM: mux-quic: fix server chunked encoding response
BUG/MINOR: quic: fix closing state on NO_ERROR code sent
BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake
Benoit DOLEZ (1):
BUILD: quic: fix anonymous union for gcc-4.4
Brad Smith (1):
BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
Christian Ruppert (1):
BUILD: Makefile: Add Lua 5.4 autodetect
Christopher Faulet (16):
BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is
created
BUG/MINOR: http-fetch: Use integer value when possible in "method" sample
fetch
BUG/MINOR: http-check: Preserve headers if not redefined by an implicit
rule
BUG/MINOR: http-act: Properly generate 103 responses when several rules
are used
BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
MINOR: http: Add function to get port part of a host
MINOR: http: Add function to detect default port
BUG/MEDIUM: h1: Improve authority validation for CONNCET request
MINOR: http-htx: Use new HTTP functions for the scheme based normalization
BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
REGTEESTS: filters: Fix CONNECT request in random-forwarding script
BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL
state
BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
BUG/MEDIUM: stconn: Only reset connect expiration when processing backend
side
BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
Emeric Brun (3):
MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
MINOR: fd: Add BUG_ON checks on fd_insert()
Frédéric Lécaille (13):
BUG/MINOR: quic: Missing acknowledgments for trailing packets
BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
BUG/MAJOR: quic: Big RX dgrams leak with POST requests
BUILD: quic+h3: 32-bit compilation errors fixes
BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
MINOR: quic: Add new stats counter to diagnose RX buffer overrun
MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
MINOR: task: Add tasklet_wakeup_after()
MINOR: quic: Improvements for the datagrams receipt
MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
CLEANUP: h2: Typo fix in h2_unsubcribe() traces
BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
Ilya Shipitsin (1):
CI: re-enable gcc asan builds
Remi Tricot-Le Breton (1):
BUG/MINOR: ssl: Do not look for key in extra files if already in pem
William Lallemand (7):
BUG/MINOR: peers: fix possible NULL dereferences at config parsing
MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
MINOR: resolvers: resolvers_destroy() deinit and free a resolver
BUG/MINOR: resolvers: shut off the warning for the default resolvers
BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
Willy Tarreau (8):
MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
BUG/MINOR: peers/config: always fill the bind_conf's argument
BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
BUG/MINOR: debug: enter ha_panic() only once
BUG/MEDIUM: tools: avoid calling dlsym() in static builds
BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
BUG/MINOR: tools: fix statistical_prng_range()'s output range
BUILD: add detection for unsupported compiler models
--
Christopher Faulet
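
Added example, not part of the announcement and not HAProxy's code: a sketch of the port-aware comparison described above for CONNECT requests, where the authority must carry a port and the Host header may omit it only for the default ports (80 or 443). The function names are hypothetical; the case-insensitive host comparison, numeric port comparison and bracketed IPv6 handling go beyond what the announcement states and are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Split "host[:port]" (bracketed IPv6 literals allowed). *port is -1 when no
 * port is present. Returns -1 on input this example treats as malformed. */
static int split_hostport(const char *s, size_t *hlen, long *port)
{
    const char *p;

    *port = -1;
    if (*s == '[') {                      /* e.g. "[::1]:443" */
        p = strchr(s, ']');
        if (!p || (p[1] != '\0' && p[1] != ':'))
            return -1;
        p++;
    } else {
        p = s + strcspn(s, ":");
    }
    *hlen = (size_t)(p - s);
    if (*hlen == 0)
        return -1;
    if (*p == ':') {
        size_t n = strlen(++p);
        if (n == 0 || n > 5 || strspn(p, "0123456789") != n)
            return -1;
        *port = strtol(p, NULL, 10);
        if (*port > 65535)
            return -1;
    }
    return 0;
}

/* 1 if the CONNECT authority and the Host value name the same endpoint. */
int connect_authority_matches_host(const char *authority, const char *host)
{
    size_t alen, hlen;
    long aport, hport;

    if (split_hostport(authority, &alen, &aport) < 0 ||
        split_hostport(host, &hlen, &hport) < 0)
        return 0;
    if (aport < 0)                        /* authority must carry a port */
        return 0;
    if (alen != hlen || strncasecmp(authority, host, alen) != 0)
        return 0;
    if (hport < 0)                        /* port omitted: defaults only */
        return aport == 80 || aport == 443;
    return aport == hport;
}
```

An exact string match, the behaviour described as buggy, would reject the first case in the list ("example.com:443" against "example.com") even though both name the same endpoint.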