[ANNOUNCE] haproxy-2.2.25

2022-07-28 Thread Christopher Faulet

Hi,

HAProxy 2.2.25 was released on 2022/07/27. It added 57 new commits
after version 2.2.24.

Here is the unsorted list of main issues fixed in this release, cut-pasted
from the 2.4.18 announce:

 * On HTTP/2, the maintainer of the Lighttpd web server reported a nasty
   case that he observed between curl and lighttpd which is very similar to
   the so-called "Silly Window Syndrome" in TCP where a difference of one
   byte between a buffer size and a window size may progressively make the
   transfer degenerate until almost all frames are 1-byte in size. It's not
   a bug in any product, just a consequence of making certain
   standard-compliant stacks interoperate. Some workarounds were placed in
   various components that allowed the issue to appear. We did careful
   testing on HAProxy and couldn't produce it there, in part due to our
   buffer management that makes it difficult to read exactly the sizes that
   produce the issue. But there's nothing either that can strictly prevent
   it from happening (e.g. with a sender using smaller frames maybe). So we
   implemented the workaround as well, which will also result in sending
   slightly fewer frames during uploads.

 * The protocol matching for HTTP/1.X is now strict. Non-HTTP/1.X protocols
   are now rejected by default. This can be relaxed by adding the
   "accept-invalid-http-request" option.

 * The set of CLI commands to manage SSL certificates has been improved.
   Message/error reporting for "commit ssl" commands may have been lost if
   HAProxy's internal output buffer was full. And a crash was reproduced on
   "add ssl crt-list", but this was encountered only in the dubious case
   where it referenced a certificate used both by a bind and a server
   instance.

 * HAProxy might rewrite some parts of an HTTP request outside of
   http-rules, for example to add an X-Forwarded-For header when "option
   forwardfor" is set. Previously, failures on these rewrite operations
   were reported as internal errors in logs. Now, this appears as a rewrite
   failure, which is consistent with http-rules error reporting.

 * New option "http-restrict-req-hdr-names" was added at the proxy level.
   It can be used to inspect HTTP header names and decide what to do with
   those having any character other than alphanumerical or dash ("-"),
   either delete the header or reject the request. The purpose is to help
   protect application servers that map dash to underscore due to CGI
   inheritance, or worse, which crash when passed such characters. The
   option is automatically set to the delete mode in backends having FastCGI
   configured.

 * Tunneled H1 sessions could be blocked when raw data were received before
   the end of the request analysis because of a wrong assumption on the
   request buffer emptiness.

 * A bug in the "method" sample fetch could lead to a crash if it was used
   in logs for errors triggered at the mux level. This sample requires a
   stream, which does not yet exist when an early error is reported by a
   mux. Now, a non-matching value is returned in this case.

 * Invalid 103-early-hints messages could be generated when some "early-hint"
   rules were conditioned by ACLs.

 * Some sessions could leak because connection errors were ignored by the H1
   multiplexer during a synchronous send. It is only a transient leakage but
   could be quite long, depending on the client or server timeout values.

 * An internal error was reported when load balancing on source IP address
   was impossible. It could happen with SPOE applets or with clients
   connected to HAProxy via a unix socket. Now, when this happens, a
   fallback to round-robin is performed.

 * Lookup for a private key in extra files was not ignored when it was
   already found in the pem file, while it should have been.

 * Depending on the declaration order of "http-check send" and "option
   httpchk" directives, the configured headers could be ignored. Now a
   previous list of headers is replaced by a new one only if it is not
   empty.

 * It was possible to crash HAProxy by defining multiple bind lines in a
   peers section. An error is now reported during configuration parsing.

 * A warning is now reported when some unsupported keywords are used in a
   peers section instead of silently ignoring them. The init_addr, resolvers,
   check and agent-check keywords are concerned.

 * The DNS resolution is now ignored for disabled proxies, preventing some
   crashes.

Thanks everyone for your help and your contributions!

Please find the usual URLs below:
   Site index   : http://www.haproxy.org/
   Documentation: http://docs.haproxy.org/
   Wiki : https://github.com/haproxy/wiki/wiki
   Discourse: http://discourse.haproxy.org/
   Slack channel: https://slack.haproxy.org/
   Issue tracker: https://github.com/haproxy/haproxy/issues
   Sources  : http://www.haproxy.org/download/2.2/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.2.git/
   Git Web
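The "http-restrict-req-hdr-names" item above is worth seeing in working code, because the reason it exists is easy to miss: a CGI/FastCGI gateway turns every request header into an HTTP_* environment variable by upper-casing the name and replacing "-" with "_", so a client-supplied "X_Forwarded_For" aliases the proxy-added "X-Forwarded-For". The following is an added example written for this page, not HAProxy's own code; it assumes the option's three mode names (preserve, delete, reject; the announcement names only the last two) and uses constructed sample headers.

```python
import re

# Accepted header names: alphanumerics or dash only, per the announcement.
VALID_HDR_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_env_name(header_name: str) -> str:
    """Map a header name to its CGI meta-variable the way a FastCGI gateway does:
    upper-case, '-' -> '_', prefix HTTP_. Both "X-Forwarded-For" and "X_Forwarded_For"
    land on HTTP_X_FORWARDED_FOR, which is the aliasing the option guards against."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def restrict_req_hdr_names(headers, mode="preserve"):
    """Apply the option's policy to a list of (name, value) pairs.

    mode "preserve": keep every header (assumed to be the default behaviour);
    mode "delete":   drop headers whose name has any character outside [A-Za-z0-9-];
    mode "reject":   return None so the caller can refuse the whole request.
    """
    if mode not in ("preserve", "delete", "reject"):
        raise ValueError("mode must be preserve, delete or reject")
    kept = []
    for name, value in headers:
        if VALID_HDR_NAME.match(name) or mode == "preserve":
            kept.append((name, value))
        elif mode == "reject":
            return None
        # mode == "delete": silently drop the offending header
    return kept


def cgi_collisions(headers):
    """Return the CGI variable names that more than one distinct header name maps to.
    Any entry here means one header can overwrite another inside the application,
    whichever of the two the gateway happens to apply last."""
    sources = {}
    for name, _ in headers:
        sources.setdefault(cgi_env_name(name), set()).add(name)
    return sorted(var for var, names in sources.items() if len(names) > 1)


# Constructed sample: a client sent an underscored twin of X-Forwarded-For and a
# dotted name (both are legal HTTP tokens); the proxy appended the real X-Forwarded-For.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("X_Forwarded_For", "203.0.113.9"),
    ("X.Trace", "1"),
    ("X-Forwarded-For", "198.51.100.7"),
]


def demo():
    """Run the three modes over the sample and return a summary dict."""
    return {
        "collisions_before": cgi_collisions(SAMPLE_HEADERS),
        "delete": restrict_req_hdr_names(SAMPLE_HEADERS, "delete"),
        "collisions_after_delete": cgi_collisions(
            restrict_req_hdr_names(SAMPLE_HEADERS, "delete")),
        "reject": restrict_req_hdr_names(SAMPLE_HEADERS, "reject"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately stricter than RFC 7230's token grammar (which also allows characters such as "_", ".", "!", "~"), because the application behind the gateway, not the HTTP parser, is the weak point: rejecting or deleting anything outside [A-Za-z0-9-] is what removes the aliasing rather than merely validating the syntax.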