Hi,

HAProxy 2.5.8 was released on 2022/07/25. It added 100 new commits
after version 2.5.7.

The previous release is quite old. This one brings several fixes, as
usual. All of them were already described in the 2.6 release announcements.
Here is the unsorted list:

 * On HTTP/2, the maintainer of the Lighttpd web server reported a nasty
   case that he observed between curl and lighttpd which is very similar to
   the so-called "Silly Window Syndrome" in TCP, where a difference of one
   byte between a buffer size and a window size may progressively make the
   transfer degenerate until almost all frames are 1 byte in size. It's not
   a bug in any product, just a consequence of making certain
   standard-compliant stacks interoperate. Workarounds were placed in the
   various components that allowed the issue to appear. We did careful
   testing on HAProxy and couldn't reproduce it there, in part due to our
   buffer management, which makes it difficult to read exactly the sizes that
   produce the issue. But there's nothing either that can strictly prevent
   it from happening (e.g. with a sender using smaller frames, maybe). So we
   implemented the workaround as well, which will also result in sending
   slightly fewer frames during uploads.

 * The protocol matching for HTTP/1.X is now strict. Non-HTTP/1.X protocols
   are now rejected by default. This can be relaxed by adding the
   "accept-invalid-http-request" option.

 * To limit memory consumption in master-worker mode, the master now uses
   a default maxconn value in wait mode. This had been an issue since 2.4.

 * Some issues were fixed in the HTTP client. First, the CLI output is no
   longer closed at the end of the response; previously this prevented the
   use of the CLI interactive mode. A regression which removed the first
   header of a response was fixed. Finally, the response may also have been
   truncated in the rare case where HAProxy's internal output buffer was full.

 * The set of CLI commands used to manage SSL certificates has been improved.
   Similarly to the HTTP client, message/error reporting for "commit ssl"
   commands may have been lost if HAProxy's internal output buffer was full.
   Also, "show ssl" commands might have produced a loop when issued in
   parallel with a running certificate transaction. Finally, a crash was
   reproduced on "add ssl crt-list", but this was encountered only in the
   dubious case where it referenced a certificate used both by a bind and a
   server instance.

 * HAProxy might rewrite some parts of an HTTP request outside of
   http-rules, for example to add an X-Forwarded-For header when "option
   forwardfor" is set. Previously, failures of these rewrite operations
   were reported as internal errors in logs. Now, they appear as rewrite
   failures, which is consistent with http-rules error reporting.

 * A new option, "http-restrict-req-hdr-names", was added at the proxy level.
   It can be used to inspect HTTP header names and decide what to do with
   those having any character other than alphanumeric or dash ("-"):
   either delete the header or reject the request. The purpose is to help
   protect application servers that map dash to underscore due to CGI
   inheritance, or worse, which crash when passed such characters. The
   option is automatically set to the delete mode in backends having FastCGI
   configured. This will eventually be backported, because we got reports of
   such broken application servers deployed in the field where site owners
   count on HAProxy to work around this problem.
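To show why the dash/underscore ambiguity matters and what each mode of the option does, here is an added Python illustration (not HAProxy's code): a CGI-style name mapping, a constructed request whose "X-Forwarded-For" and "X_Forwarded_For" headers collapse to one CGI variable, and a filter emulating the option's three modes. The mode keywords preserve, delete and reject are the option's documented ones; the mapping onto this function is the example's own.

```python
import re
from typing import Dict, List, Tuple

# Names allowed by "option http-restrict-req-hdr-names": letters, digits, dash.
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")

# Constructed sample request headers: the proxy-added X-Forwarded-For plus a
# client-supplied name that differs only by using underscores.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.internal"),
    ("X-Forwarded-For", "from-proxy"),
    ("X_Forwarded_For", "from-client"),
]


def cgi_var_name(header_name: str) -> str:
    """CGI-style mapping: upper-case, dash to underscore, HTTP_ prefix.
    Both names above collapse to the same variable, which is the ambiguity
    the option removes before the request reaches the application server."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_environment(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Build the CGI variables a server would see; a later header wins."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[cgi_var_name(name)] = value
    return env


def restrict_req_hdr_names(headers: List[Tuple[str, str]],
                           mode: str) -> Tuple[List[Tuple[str, str]], bool]:
    """Apply one of the option's modes (preserve, delete, reject).
    Returns (headers to forward, request_rejected)."""
    if mode not in ("preserve", "delete", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    kept: List[Tuple[str, str]] = []
    for name, value in headers:
        if mode == "preserve" or SAFE_NAME.fullmatch(name):
            kept.append((name, value))
        elif mode == "reject":
            return [], True   # the whole request is refused
        # "delete": the offending header is dropped and processing continues
    return kept, False


if __name__ == "__main__":
    for mode in ("preserve", "delete", "reject"):
        kept, rejected = restrict_req_hdr_names(SAMPLE_HEADERS, mode)
        print(mode, "rejected" if rejected else cgi_environment(kept))
```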

 * In HTTP/1.1, the matching between the authority and the Host header value
   for CONNECT requests was buggy. An exact match was performed, ignoring any
   normalization of the port. For CONNECT requests the authority must contain
   the port, but it may be omitted from the Host header value for default
   ports (80 or 443). The matching was fixed to properly handle this case.
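As an added illustration (not HAProxy's code) of the corrected rule: the authority of a CONNECT request must carry a port, and the Host header matches it either with the same explicit port or with no port when the authority's port is a default one. IPv6 literals in brackets are handled; the exact comparison HAProxy performs internally is assumed to be equivalent to this.

```python
from typing import Optional, Tuple

DEFAULT_PORTS = {80, 443}


def split_host_port(value: str) -> Tuple[str, Optional[int]]:
    """Split "host[:port]" into (host, port); port is None when absent.
    An IPv6 literal is kept with its brackets so the colons inside it are
    not mistaken for a port separator."""
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[:end + 1], value[end + 1:]
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
    if rest == "":
        return host, None
    if not rest.startswith(":") or not rest[1:].isdigit():
        raise ValueError(f"malformed port in {value!r}")
    return host, int(rest[1:])


def connect_authority_matches_host(authority: str, host_header: str) -> bool:
    """The fixed check: reject an authority without a port, accept a Host
    header that omits the port only when the authority's port is 80 or 443,
    otherwise require host and port to be identical."""
    a_host, a_port = split_host_port(authority)
    if a_port is None:
        return False  # CONNECT authority must contain the port
    h_host, h_port = split_host_port(host_header)
    if a_host != h_host:
        return False
    if h_port is None:
        return a_port in DEFAULT_PORTS
    return a_port == h_port


if __name__ == "__main__":
    # The case the old exact match wrongly refused:
    print(connect_authority_matches_host("example.com:443", "example.com"))
```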

 * Tunneled H1 sessions could be blocked when raw data were received before
   the end of the request analysis because of a wrong assumption on the
   request buffer emptiness.

 * A bug in the "method" sample fetch could lead to a crash if it was used
   in logs for errors triggered at the mux level. This sample requires a
   stream, which does not yet exist when an early error is reported by a
   mux. Now, a non-matching value is returned in this case.

 * Invalid 103-early-hints messages could be generated when some "early-hint"
   rules were conditioned by ACLs.

 * Some sessions could leak because connection errors were ignored by the H1
   multiplexer during a synchronous send. It is only a transient leakage but
   could be quite long, depending on the client or server timeout values.

 * Unexpected FD closes using the SSL async engine could be experienced
   because the engine and HAProxy both closed the FD. To fix the issue, a
   flag is now used to instruct HAProxy not to close the FD when it is
   removed from the fdtab array.

 * Crashes could be experienced during hot-upgrade from 2.4 to 2.6 because
   the old worker was still identified as a running worker.

 * An internal error was reported when load balancing on the source IP
   address was impossible. It could happen with SPOE applets or with clients
   connected to HAProxy via a UNIX socket. Now, when this happens, a
   fallback to round-robin is performed.

 * The HTTP scheme-based normalization did not properly handle URIs with
   userinfo: it was not preserved after the normalization process.

 * Duplicate certificates in ca-file directories were not properly handled
   because of an OpenSSL error. The error is now ignored.

 * The lookup for a private key in extra files was not skipped when the key
   had already been found in the PEM file, as it should have been.

 * HAProxy could crash on old glibc versions when calling dlsym() from a
   statically built binary. dlsym() is no longer called in static builds.

 * Depending on the declaration order of "http-check send" and "option
   httpchk" directives, the configured headers could be ignored. Now a
   previous list of headers is replaced by a new one only if it is not
   empty.

 * Mailer health checks were causing a crash since the refactoring of the
   internal HAProxy connection stack introduced in 2.6. This is now fixed.

 * It was possible to crash HAProxy by defining multiple bind lines in a
   peers section. An error is now reported during configuration parsing.

 * A warning is now reported when some unsupported keywords are used in a
   peers section instead of silently ignoring them. The keywords concerned
   are init_addr, resolvers, check and agent-check.

 * DNS resolution is now skipped for disabled proxies, which prevents some
   crashes.

Thanks everyone for your help and your contributions!

Please find the usual URLs below:
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.5/src/
   Git repository   : http://git.haproxy.org/git/haproxy-2.5.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-2.5.git
   Changelog        : http://www.haproxy.org/download/2.5/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages


---
Complete changelog:
Brad Smith (1):
      BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX

Christian Ruppert (1):
      BUILD: Makefile: Add Lua 5.4 autodetect

Christopher Faulet (51):
      MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
      REGTESTS: abortonclose: Fix some race conditions
      BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
      BUG/MINOR: check: Reinit the buffer wait list at the end of a check
      BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
      BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
      BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
      BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
      BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
      BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
      BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
      BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
      BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
      MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
      MEDIUM: httpclient: Don't close CLI applet at the end of a response
      REGTESTS: abortonclose: Add a barrier to not mix up log messages
      REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
      BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
      BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
      BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
      REGTESTS: http_abortonclose: Extend supported versions
      REGTESTS: restrict_req_hdr_names: Extend supported versions
      BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
      BUG/MINOR: trace: Test server existence for health-checks to get proxy
      BUG/MINOR: checks: Properly handle email alerts in trace messages
      REGTESTS: healthcheckmail: Update the test to be functionnal again
      REGTESTS: healthcheckmail: Relax health-check failure condition
      BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
      BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
      BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
      BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
      BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
      BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
      MINOR: http: Add function to get port part of a host
      MINOR: http: Add function to detect default port
      BUG/MEDIUM: h1: Improve authority validation for CONNCET request
      MINOR: http-htx: Use new HTTP functions for the scheme based normalization
      BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
      REGTEESTS: filters: Fix CONNECT request in random-forwarding script
      BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
      BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
      BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
      BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
      Revert "BUG/MINOR: peers: set the proxy's name to the peers section name"

David CARLIER (1):
      BUILD/MINOR: cpuset fix build for FreeBSD 13.1

David Carlier (2):
      BUILD: fix build warning on solaris based systems with __maybe_unused.
      MINOR: tools: add get_exec_path implementation for solaris based systems.

Emeric Brun (8):
      BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
      BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
      DOC: peers: clarify when entry expiration date is renewed.
      DOC: peers: fix port number and addresses on new peers section format
      DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables.
      MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
      BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
      MINOR: fd: Add BUG_ON checks on fd_insert()

Ilya Shipitsin (3):
      CI: determine actual LibreSSL version dynamically
      CI: determine actual OpenSSL version dynamically
      CI: re-enable gcc asan builds

Remi Tricot-Le Breton (2):
      BUG/MINOR: ssl: Fix crash when no private key is found in pem
      BUG/MINOR: ssl: Do not look for key in extra files if already in pem

Thayne McCombs (1):
      BUG/MEDIUM: sample: Fix adjusting size in word converter

Tim Duesterhus (3):
      BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
      BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
      REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)

William Lallemand (8):
      BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
      BUG/MEDIUM: mworker: use default maxconn in wait mode
      REGTESTS: ssl: add the same cert for client/server
      BUG/MINOR: peers: fix possible NULL dereferences at config parsing
      MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
      BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
      BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
      BUG/MINOR: sockpair: wrong return value for fd_send_uxst()

Willy Tarreau (19):
      BUG/MINOR: cfgparse: abort earlier in case of allocation error
      BUG/MINOR: peers: fix error reporting of "bind" lines
      SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
      SCRIPTS: make publish-release try to launch make-releases-json
      BUG/MINOR: peers: set the proxy's name to the peers section name
      BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check
      DOC: peers: indicate that some server settings are not usable
      DOC: intro: adjust the numbering of paragrams to keep the output ordered
      BUILD: compiler: implement unreachable for older compilers too
      BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
      BUG/MINOR: server: do not enable DNS resolution on disabled proxies
      BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
      BUG/MINOR: task: fix thread assignment in tasklet_kill()
      MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
      BUG/MINOR: peers/config: always fill the bind_conf's argument
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds
      BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
      BUG/MINOR: tools: fix statistical_prng_range()'s output range
      BUILD: add detection for unsupported compiler models

--
Christopher