Hi, HAProxy 2.5.8 was released on 2022/07/25. It added 100 new commits after version 2.5.7.
The previous release is quite old. This one brings several fixes, as usual. All of them was already described in 2.6 releases. Here is the unsorted list : * On HTTP/2, the maintainer of the Lighttpd web server reported a nasty case that he observed between curl and lighttpd which is very similar to the so called "Silly Window Syndrom" in TCP where a difference of one byte between a buffer size and a window size may progressively make the transfer degenerate until almost all frames are 1-byte in size. It's not a bug in any product, just a consequence of making certain standard-compliant stacks interoperate. Some workarounds were placed in various components that allowed the issue to appear. We did careful testing on HAProxy and couldn't produce it there, in part due to our buffer management that makes it difficult to read exactly the sizes that produce the issue. But there's nothing either that can strictly prevent it from happening (e.g. with a sender using smaller frames maybe). So we implemented the workaround as well, which will also result in sending slightly less frames during uploads. * The protocol matching for HTTP/1.X is now strict. Non-HTTP/1.X protocols are now rejected by default. This can be relaxed by adding "accept-invalid-http-request" option. * To limit memory consumption in master-worker mode, the master is now using a default maxconn value in wait-mode. It was an issue since 2.4. * Some issues were fixed in the HTTPclient. First, CLI output is not closed at the end of the response, which prevented to use the CLI interactive mode. A regression which removed the first header of a response was fixed. Finally, the response may also have been truncated in the rare case where HAProxy internal output buffer was full. * The CLI commands set to manage SSL certificates has been improved. Similarly to the HTTP client, message/error reporting for "commit ssl" commands may have been lost if HAProxy internal output buffer is full. Also, "show ssl" commands might have produced a loop when issued in parallel with a running certificate transaction. Finally, a crash was reproduced on "add ssl crt-list" but this was encountered only in the dubious case where it referenced a certificate used both by a bind and a server instance. * HAProxy might rewrite some parts of an HTTP request outside of http-rules, for an example to add an X-Forwarded-For header when "option forwardfor" is set. Previously, failures on these rewrites operations were reported as internal errors in logs. Now, this appears as rewrite failure, which is consistent with http-rules error reporting. * New option "http-restrict-req-hdr-names" was added at the proxy level. It can be used to inspect HTTP header names and decide what to do with those having any character other than alphanumerical or dash ("-"), either delete the header or reject the request. The purpose is to help protect application servers that map dash to underscore due to CGI inheritance, or worse, which crash when passed such characters. The option is automatically set to the delete mode in backends having FastCGI configured. This will eventually be backported, because we got reports of such broken application servers deployed in field where site owners count on HAProxy to work around this problem. * In HTTP/1.1, the matching between the authority and the Host header value for CONNECT requests was buggy. An exact match was performed ignoring any normalization on the port. For CONNECT request the authority must contain the port but it may be omitted from the host header value for default ports (80 or 443). The matching was fixed to properly handle this case. * Tunneled H1 sessions could be blocked when raw data were received before the end of the request analysis because of a wrong assumption on the request buffer emptiness. * A bug in the "method" sample fetch could lead to a crash if it was used in logs for errors triggered at the mux level. This sample requires a stream, witch does not yet exist when an early error is reported by a mux. Now, a non-matching is returned in this case. * Invalid 103-early-hints messages coud be generated when some "early-hint" rules were conditioned by ACLs. * Some sessions could leak because connection errors were ignored by the H1 multiplexer during a synchronous send. It is only a transient leakage but could be quite long, depending on the client or server timeout values. * Unexpected FD close using SSL async engine could be experienced because the engine and HAProxy both closed it. To fix the issue a flag is now used to instruct HAProxy to not close the FD when the it is removed from the fdtab array. * Crashes could be experienced during hot-upgrade from 2.4 to 2.6 because old worker was still identified as a running worker. * An internal error was reported when loadbalancing on source IP address was impossible. It could happens with SPOE applets or with clients connected to HAPRoxy via a unix socket. Now, when this happens, a fallback to round-robin is performed. * The HTTP scheme based normalization did not properly handle the URIs with userinfo. They were not preserved after the normalization process. * Duplicate certificates in ca-file directories were not properly handled because of an OpenSSL error. The error is now ignored. * Lookup for a private key in extra files was not ignored when it was already found in the pem file, while it should. * HAProxy could crash on old Glibc on dlsym() function call if it is statically built. Now, we avoid to call it in static builds. * Depending on the declaration order of "http-check send" and "option httpchk" directives, the configured headers could be ignored. Now a previous list of headers is replaced by a new one only if it is not empty. * Mailers healthchecks were causing a crash since the refactoring of the internal HAProxy connection stack introduced in 2.6. This is now fixed. * It was possible to crash HAProxy by defining multiple bind lines in a peers section. An error is now reported during configuration parsing. * A warning is now reported when some unsupported keywords are used in peers section instead of silently ignoring them. init_addr, resolvers, check, agent-check are concerned. * The DNS resolution is now ignored for disabled proxies preventing some crashes. Thanks everyone for your help and your contributions! Please find the usual URLs below : Site index : http://www.haproxy.org/ Documentation : http://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : http://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Sources : http://www.haproxy.org/download/2.5/src/ Git repository : http://git.haproxy.org/git/haproxy-2.5.git/ Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git Changelog : http://www.haproxy.org/download/2.5/src/CHANGELOG Pending bugs : http://www.haproxy.org/l/pending-bugs Reviewed bugs : http://www.haproxy.org/l/reviewed-bugs Code reports : http://www.haproxy.org/l/code-reports Latest builds : http://www.haproxy.org/l/dev-packages --- Complete changelog : Brad Smith (1): BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX Christian Ruppert (1): BUILD: Makefile: Add Lua 5.4 autodetect Christopher Faulet (51): MEDIUM: http-ana: Add a proxy option to restrict chars in request header names REGTESTS: abortonclose: Fix some race conditions BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile() BUG/MINOR: check: Reinit the buffer wait list at the end of a check BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs MEDIUM: httpclient: Don't close CLI applet at the end of a response REGTESTS: abortonclose: Add a barrier to not mix up log messages REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler REGTESTS: http_abortonclose: Extend supported versions REGTESTS: restrict_req_hdr_names: Extend supported versions BUG/MEDIUM: mailers: Set the object type for check attached to an email alert BUG/MINOR: trace: Test server existence for health-checks to get proxy BUG/MINOR: checks: Properly handle email alerts in trace messages REGTESTS: healthcheckmail: Update the test to be functionnal again REGTESTS: healthcheckmail: Relax health-check failure condition BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule BUG/MINOR: http-act: Properly generate 103 responses when several rules are used BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo MINOR: http: Add function to get port part of a host MINOR: http: Add function to detect default port BUG/MEDIUM: h1: Improve authority validation for CONNCET request MINOR: http-htx: Use new HTTP functions for the scheme based normalization BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream REGTEESTS: filters: Fix CONNECT request in random-forwarding script BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible Revert "BUG/MINOR: peers: set the proxy's name to the peers section name" David CARLIER (1): BUILD/MINOR: cpuset fix build for FreeBSD 13.1 David Carlier (2): BUILD: fix build warning on solaris based systems with __maybe_unused. MINOR: tools: add get_exec_path implementation for solaris based systems. Emeric Brun (8): BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section DOC: peers: clarify when entry expiration date is renewed. DOC: peers: fix port number and addresses on new peers section format DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables. MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD BUG/MEDIUM: ssl/fd: unexpected fd close using async engine MINOR: fd: Add BUG_ON checks on fd_insert() Ilya Shipitsin (3): CI: determine actual LibreSSL version dynamically CI: determine actual OpenSSL version dynamically CI: re-enable gcc asan builds Remi Tricot-Le Breton (2): BUG/MINOR: ssl: Fix crash when no private key is found in pem BUG/MINOR: ssl: Do not look for key in extra files if already in pem Thayne McCombs (1): BUG/MEDIUM: sample: Fix adjusting size in word converter Tim Duesterhus (3): BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2) William Lallemand (8): BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list BUG/MEDIUM: mworker: use default maxconn in wait mode REGTESTS: ssl: add the same cert for client/server BUG/MINOR: peers: fix possible NULL dereferences at config parsing MEDIUM: mworker: set the iocb of the socketpair without using fd_insert() BUG/MINOR: mworker/cli: relative pid prefix not validated anymore BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload BUG/MINOR: sockpair: wrong return value for fd_send_uxst() Willy Tarreau (19): BUG/MINOR: cfgparse: abort earlier in case of allocation error BUG/MINOR: peers: fix error reporting of "bind" lines SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs SCRIPTS: make publish-release try to launch make-releases-json BUG/MINOR: peers: set the proxy's name to the peers section name BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check DOC: peers: indicate that some server settings are not usable DOC: intro: adjust the numbering of paragrams to keep the output ordered BUILD: compiler: implement unreachable for older compilers too BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs BUG/MINOR: server: do not enable DNS resolution on disabled proxies BUG/MINOR: cli/stats: add missing trailing LF after "show info json" BUG/MINOR: task: fix thread assignment in tasklet_kill() MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames BUG/MINOR: peers/config: always fill the bind_conf's argument BUG/MEDIUM: tools: avoid calling dlsym() in static builds BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2) BUG/MINOR: tools: fix statistical_prng_range()'s output range BUILD: add detection for unsupported compiler models -- Christopher