Hi,

HAProxy 2.8-dev2 was released on 2023/01/22. It added 91 new commits
after version 2.8-dev1. There's the usual dose of bug fixes, most of
which were also backported to 2.7.2. 

* core:
  - error handling: a first batch of error handling improvement was
    merged. Error handling is among the oldest code that we're always
    extremely cautious to touch so that's slowly distilled over multiple
    versions. There used to be rare situations where a request error could
    cause an abort of the response and sometimes report the error on the
    wrong side. These ones should now be gone. One possibly visible effect
    is that some client aborts before an end of request that could result
    in status -1 being logged will now properly report 400 in the logs.

  - The bandwidth limiter now supports numeric expressions in addition to
    sample expressions, making it easier to configure for constant rates.

  - small performance improvement by making some byte counters per-thread

* QUIC/H3:
  - As mentioned in the 2.7.2 announcement, QUIC should work better with
    multiple long streams as the available bandwidth is now distributed
    fairly between them.

  - source addresses of response packets should now be correctly selected
    for listeners bound to 0.0.0.0 (at least on Linux).

  - a lot of other less visible fixes and improvements already mentioned
    (trailers, traces, "no-quic", etc)

* SSL:
  - various improvements and fixes to the dynamic OCSP handling

Like 2.7.2 vs 2.7.1, the bug fixes should improve stability (especially
those affecting thread isolation on reload). The sensitive change here is
the error handling. It's expected to be safe (and safer than before), but
should you notice any form of unhandled events such as CPU loops, CLOSE_WAIT
sockets, or an old process not quitting, do not hesitate to report them!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (11):
      BUG/MINOR: mux-quic: fix transfer of empty HTTP response
      MINOR: mux-quic: add traces for flow-control limit reach
      MAJOR: mux-quic: rework stream sending priorization
      MEDIUM: h3: send SETTINGS before STREAM frames
      MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission
      MINOR: mux-quic: use send-list for immediate sending retry
      BUG/MINOR: h3: properly handle connection headers
      MINOR: h3: extend function for QUIC varint encoding
      MINOR: h3: implement TRAILERS encoding
      MINOR: h3: implement TRAILERS decoding
      MEDIUM: quic-sock: fix udp source address for send on listener socket

Christopher Faulet (27):
      MINOR: channel: Don't test CF_READ_NULL while CF_SHUTR is enough
      REORG: channel: Rename CF_READ_NULL to CF_READ_EVENT
      REORG: channel: Rename CF_WRITE_NULL to CF_WRITE_EVENT
      MEDIUM: channel: Use CF_READ_EVENT instead of CF_READ_PARTIAL
      MEDIUM: channel: Use CF_WRITE_EVENT instead of CF_WRITE_PARTIAL
      MINOR: channel: Remove CF_READ_ACTIVITY
      MINOR: channel: Remove CF_WRITE_ACTIVITY
      MINOR: channel: Remove CF_ANA_TIMEOUT and report CF_READ_EVENT instead
      MEDIUM: channel: Remove CF_READ_ATTACHED and report CF_READ_EVENT instead
      MINOR: channel: Stop to test CF_READ_ERROR flag if CF_SHUTR is enough
      MINOR: channel/applets: Stop to test CF_WRITE_ERROR flag if CF_SHUTW is enough
      BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
      BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc
      BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
      BUG/MINOR: promex: Don't forget to consume the request on error
      MINOR: http-ana: Add a function to set HTTP termination flags
      MINOR: http-ana: Use http_set_term_flags() in most of HTTP analyzers
      BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body
      MINOR: http-ana: Use http_set_term_flags() when waiting the request body
      BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
      MAJOR: http-ana: Review error handling during HTTP payload forwarding
      CLEANUP: http-ana: Remove HTTP_MSG_ERROR state
      BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is unkown
      MINOR: htx: Add an HTX value for the extra field is payload length is unknown
      BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit actions
      MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit actions
      BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions

Daniel Corbett (1):
      DOC: config: fix "Address formats" chapter syntax

Frédéric Lécaille (6):
      MINOR: quic: Useless test about datagram destination addresses
      MINOR: quic: Disable the active connection migrations
      MINOR: quic: Add "no-quic" global option
      MINOR: sample: Add "quic_enabled" sample fetch
      MINOR: quic: Replace v2 draft definitions by those of the final 2 version
      BUG/MINOR: quic: Do not request h3 clients to close its unidirection streams

Manu Nicolas (1):
      CLEANUP: htx: fix a typo in an error message of http_str_to_htx

Mathias Weiersmueller (1):
      DOC: config: added optional rst-ttl argument to silent-drop in action lists

Paul Barnetta (1):
      BUG/MINOR: mux-fcgi: Correctly set pathinfo

Remi Tricot-Le Breton (19):
      BUG/MINOR: ssl: Fix crash in 'update ssl ocsp-response' CLI command
      BUG/MINOR: ssl: Crash during cleanup because of ocsp structure pointer UAF
      MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response
      MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain
      MINOR: ssl: Release ssl_ocsp_task_ctx.cur_ocsp when destroying task
      MINOR: ssl: Detect more OCSP update inconsistencies
      BUG/MINOR: ssl: Fix OCSP_CERTID leak when same certificate is used multiple times
      MINOR: ssl: Limit ocsp_uri buffer size to minimum
      MINOR: ssl: Remove mention of ckch_store in error message of cli command
      BUG/MINOR: ssl: Remove unneeded pointer check in ocsp cli release function
      BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp update inconsistencies
      BUG/MINOR: ssl: OCSP minimum update threshold not properly set
      MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors
      MINOR: ssl: Do not wake ocsp update task if update tree empty
      MINOR: ssl: Reinsert updated ocsp response later in tree in case of http error
      REGTEST: ssl: Add test for 'update ssl ocsp-response' CLI command
      BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params)
      BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0)
      BUG/MINOR: jwt: Wrong return value checked

William Lallemand (3):
      DOC: management: add details on "Used" status
      DOC: management: add details about @system-ca in "show ssl ca-file"
      Revert "BUILD: ssl: add ECDSA_SIG_set0() for openssl < 1.1 or libressl < 2.7"

Willy Tarreau (21):
      DEV: tcploop: add minimal support for unix sockets
      BUG/MEDIUM: listener: duplicate inherited FDs if needed
      OPTIM: global: move byte counts out of global and per-thread
      BUG/MEDIUM: peers: make "show peers" more careful about partial initialization
      BUG/MINOR: http-ana: make set-status also update txn->status
      BUG/MINOR: listeners: fix suspend/resume of inherited FDs
      DOC: config: fix wrong section number for "protocol prefixes"
      DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
      DOC: config: mention the missing "quic4@" and "quic6@" in protocol prefixes
      MINOR: listener: also support "quic+" as an address prefix
      CLEANUP: stconn: always use se_fl_set_error() to set the pending error
      BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR
      BUILD: ssl: add ECDSA_SIG_set0() for openssl < 1.1 or libressl < 2.7
      BUG/MINOR: listener: close tiny race between resume_listener() and stopping
      BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup broadcast
      BUG/MINOR: thread: always reload threads_enabled in loops
      MINOR: threads: add a thread_harmless_end() version that doesn't wait
      BUG/MEDIUM: debug/thread: make the debug handler not wait for !rdv_requests
      BUG/MINOR: mux-h2: make sure to produce a log on invalid requests
      BUG/MINOR: mux-h2: add missing traces on failed headers decoding
      BUILD: hpack: include global.h for the trash that is needed in debug mode

---