Hi,

HAProxy 2.6-dev8 was released on 2022/04/30. It added 91 new commits after version 2.6-dev7.
Things are overall getting better. The HTTP client will disable SSL if it couldn't load the system's CA files, and emit a warning at boot. We've had a discussion about this with William because I found that during QUIC tests with a locally built QuicTLS library I would always get this warning despite not using the client, which is both confusing and annoying, so there is an option to disable verify, but maybe another option would just be to emit the warning at runtime if trying to use the client with SSL. Tests, feedback and suggestions on this topic would be welcome (e.g. in shared environments where a non-privileged user cannot fix a partially bogus installation).

QUIC got its incomplete POST requests fixed, and another fix happened in the congestion controller, allowing the window to grow better and downloads over a lossy network to improve significantly. Another batch of improvements and fixes happened at various levels (retransmission etc).

The "balance hash <expression>" algo was finally added. One could say that it overlaps with "balance src", "balance uri", "balance hdr()" and "balance urlparam", but it's generic and can take any sample expression with a fetch function and converters, which allows extracting and processing the exact part on which to apply the hash. Maybe in a future version the older algos will be silently remapped to this one, we'll see.

It's now possible to request that idle connections are not actively closed when stopping during reloads by using "close-spread-time infinite".

The "fd-hard-limit" setting was finally implemented. It allows capping the number of FDs that will be used while still adapting to the per-process limits set by the OS. This means "as many as possible but no more than this number". That's important for distros which set their hard FD limit to a billion or so!
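The following configuration is an added example, not part of this announcement nor of the HAProxy sources: it exercises the new "balance hash <expression>", "close-spread-time infinite" and "fd-hard-limit" settings described above, plus the "tune.ssl.hard-maxrecord" setting covered in the next paragraph, in one file. The backend name, server addresses, the X-Tenant header, the 200000 FD cap and the 4096-byte record size are illustrative choices; the httpclient.ssl.ca-file keyword is the 2.6 global option for the HTTP client's CA bundle (named from the 2.6 documentation, the mail itself only says "an option to disable verify" exists).

```haproxy
global
    # Cap HAProxy's own FD usage at 200000 (illustrative value). A lower OS
    # per-process limit still wins: this is a ceiling, not a request, so it
    # protects against distros whose hard limit is in the billions.
    fd-hard-limit 200000

    # On soft-stop/reload, do not actively close idle keep-alive connections;
    # "infinite" turns the active closing off entirely (2.6 keyword).
    close-spread-time infinite

    # Enforce a 4 kB maximum TLS record on every record of a transfer, for
    # peers that cannot buffer a full 16 kB record. tune.ssl.maxrecord only
    # applied during the low-latency start of a transfer.
    tune.ssl.hard-maxrecord 4096

    # The HTTP client (Lua httpclient, etc.) now verifies server certificates
    # by default. Point it at an explicit bundle rather than disabling
    # verification; assumption: path of the distro's CA bundle.
    httpclient.ssl.ca-file /etc/ssl/certs/ca-certificates.crt

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_main
    bind :8080
    default_backend be_app

backend be_app
    # "balance hash <expr>": hash the result of any sample expression.
    # Here the X-Tenant header (assumed name) is lowercased before hashing,
    # so "Acme" and "acme" map to the same server; the older
    # "balance hdr(X-Tenant)" cannot apply converters. When the header is
    # absent, round robin applies, as with the other hash-based algorithms.
    balance hash req.hdr(x-tenant),lower
    hash-type consistent
    server s1 192.0.2.10:80 check
    server s2 192.0.2.11:80 check
    server s3 192.0.2.12:80 check
```

Validate the file with "haproxy -c -f <file>" before reloading; if the binary predates 2.6-dev8, the parser rejects the three new keywords, which is the quickest way to confirm which version is actually installed. After startup, "show info" on the stats socket reports the effective limit the process settled on, so the interaction between fd-hard-limit and the OS limit can be checked rather than assumed.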
And finally the new "tune.ssl.hard-maxrecord" setting complements the existing "tune.ssl.maxrecord" that was only used during low-latency transfers to permit browsers to start to parse the response during the first RTT. The new one enforces the limit on all records, and helps interoperate with low-memory footprint IoT devices which cannot deal with a 16kB record.

The rest were mostly code cleanups aiming at avoiding warnings with ASAN or valgrind, and easing the port to less common systems (always welcome to avoid OS-specific mistakes).

Overall I think we can aim at a final release in 3-4 weeks. Some parts are still moving a bit too fast, but that's mostly related to problems pre-dating 2.6-dev. There are still opportunities for nice cleanups before the release, which would be nice to have since it's an LTS version, but it's time to become prudent and focus mostly on cosmetic stuff now, and of course on significant problems when they pop up.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Documentation    : http://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : http://www.haproxy.org/download/2.6/src/
   Git repository   : http://git.haproxy.org/git/haproxy.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy.git
   Changelog        : http://www.haproxy.org/download/2.6/src/CHANGELOG
   Pending bugs     : http://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs
   Code reports     : http://www.haproxy.org/l/code-reports
   Latest builds    : http://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :

Amaury Denoyelle (16):
      BUG/MINOR: quic: fix use-after-free with trace on ACK consume
      BUG/MINOR: mux-quic: fix build in release mode
      MINOR: mux-quic: adjust comment on emission function
      MINOR: mux-quic: remove unused bogus qcc_get_stream()
      BUG/MINOR: mux-quic: fix leak if cs alloc failure
      MINOR: mux-quic: count local flow-control stream limit on reception
      BUG/MINOR: h3: fix incomplete POST requests
      BUG/MEDIUM: h3: fix use-after-free on mux Rx buffer wrapping
      MINOR: mux-quic: partially copy Rx frame if almost full buf
      MINOR: h3: change frame demuxing API
      MINOR: mux-quic: add a app-layer context in qcs
      MINOR: h3: implement h3 stream context
      MINOR: h3: support DATA demux if buffer full
      MINOR: quic: decode as much STREAM as possible
      MEDIUM: quic: do not ACK packet with STREAM if MUX not present
      MEDIUM: quic: do not ack packet with invalid STREAM

Christopher Faulet (9):
      BUG/MINOR: rules: Forbid captures in defaults section if used by a backend
      BUG/MEDIUM: rules: Be able to use captures defined in defaults section
      BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
      REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
      BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
      BUG/MEDIUM: conn-stream: Don't erase endpoint flags on reset
      BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
      BUG/MINOR: httpclient: Count metadata in size to transfer via htx_xfer_blks()
      MINOR: httpclient: Don't use co_set_data() to decrement output

Frédéric Lécaille (25):
      MINOR: quic: Improve qc_prep_pkts() flexibility
      MINOR: quic: Prepare quic_frame struct duplication
      MINOR: quic: Do not retransmit frames from coalesced packets
      MINOR: quic: Add traces about TX frame memory releasing
      MINOR: quic: process_timer() rework
      MEDIUM: quic: New functions for probing rework
      MEDIUM: quic: Retransmission functions rework
      MEDIUM: quic: qc_requeue_nacked_pkt_tx_frms() rework
      MINOR: quic: old data distinction for qc_send_app_pkt()
      MINOR: quic: Mark packets as probing with old data
      MEDIUM: quic: Mark copies of acknowledged frames as acknowledged
      MEDIUM: quic: Enable the new datagram probing process
      MINOR: quic: Do not send ACK frames when probing
      BUG/MINOR: quic: Wrong returned status by qc_build_frms()
      BUG/MINOR: quic: Avoid sending useless PADDING frame
      BUG/MINOR: quic: Traces fix about remaining frames upon packet build failure
      MINOR: quic: Wake up the mux to probe with new data
      BUG/MEDIUM: quic: Possible crash on STREAM frame loss
      BUG/MINOR: quic: Missing Initial packet length check
      CLEANUP: quic: Rely on the packet length set by qc_lstnr_pkt_rcv()
      MINOR: quic: Drop 0-RTT packets if not allowed
      MINOR: quic: Drop 0-RTT packets without secrets
      CLEANUP: quic: Remaining fprintf() debug trace
      MINOR: quic: moving code for QUIC loss detection
      BUG/MINOR: quic: Missing time threshold multiplifier for loss delay computation

Ilya Shipitsin (1):
      CI: github actions: update LibreSSL to 3.5.2

Remi Tricot-Le Breton (2):
      BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time'
      MINOR: connection: Add way to disable active connection closing during soft-stop

Thomas Prückl (1):
      MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"

Tim Duesterhus (3):
      CLEANUP: Destroy `http_err_chunks` members during deinit
      BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
      MINOR: Call deinit_and_exit(0) for `haproxy -vv`

William Lallemand (8):
      REGTESTS: webstats: remove unused stats socket in /tmp
      MEDIUM: httpclient: disable SSL when the ca-file couldn't be loaded
      BUG/MINOR: httpclient/lua: error when the httpclient_start() fails
      BUG/MINOR: ssl: free the cafile entries on deinit
      BUG/MINOR: ssl: memory leak when trying to load a directory with ca-file
      MEDIUM: httpclient: re-enable the verify by default
      BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
      BUG/MINOR: httpclient/ssl: use the correct verify constant

Willy Tarreau (26):
      BUG/MINOR: http-act: make release_http_redir() more robust
      BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args
      MINOR: sample: don't needlessly call c_none() in sample_fetch_as_type()
      MINOR: sample: make the bool type cast to bin
      MEDIUM: backend: add new "balance hash <expr>" algorithm
      MINOR: init: add global setting "fd-hard-limit" to bound system limits
      BUILD: pollers: use an initcall to register the pollers
      BUILD: xprt: use an initcall to register the transport layers
      BUILD: thread: use initcall instead of a constructor
      BUILD: http: remove the two unused constructors in rules and ana
      CLEANUP: compression: move the default setting of maxzlibmem to defaults
      MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN
      MINOR: fd: add functions to set O_NONBLOCK and FD_CLOEXEC
      CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec()
      CLEANUP: tree-wide: remove 25 occurrences of unneeded fcntl.h
      BUILD: compiler: properly distinguish weak and global symbols
      BUILD: fd: disguise the fd_set_nonblock/cloexec result
      BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
      CLEANUP: errors: also call deinit_errors_buffers() on deinit()
      CLEANUP: chunks: release trash also in deinit
      CLEANUP: deinit: release the pre-check callbacks
      CLEANUP: deinit: release the config postparsers
      CLEANUP: listeners/deinit: release accept queue tasklets on deinit
      CLEANUP: connections/deinit: destroy the idle_conns tasks
      BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
      SCRIPTS: announce-release: add URL of dev packages

---