Hi, HAProxy 2.8-dev2 was released on 2023/01/22. It added 91 new commits after version 2.8-dev1. There's the usual dose of bug fixes, most of which were also backported to 2.7.2.
* core:
  - error handling: a first batch of error handling improvements was merged. Error handling is among the oldest code, and we're always extremely cautious when touching it, so this is being slowly distilled over multiple versions. There used to be rare situations where a request error could cause an abort of the response and sometimes report the error on the wrong side. These should now be gone. One possibly visible effect is that some client aborts before the end of a request, which could previously result in status -1 being logged, will now properly report 400 in the logs.
  - The bandwidth limiter now supports numeric expressions in addition to sample expressions, making it easier to configure for constant rates.
  - small performance improvement by making some byte counters per-thread
* QUIC/H3:
  - As mentioned in the 2.7.2 announcement, QUIC should work better with multiple long streams, as the available bandwidth is now distributed fairly between them.
  - source addresses of response packets should now be correctly selected for listeners bound to 0.0.0.0 (at least on Linux).
  - a lot of other less visible fixes and improvements already mentioned (trailers, traces, "no-quic", etc.)
* SSL:
  - various improvements and fixes to the dynamic OCSP handling

Like 2.7.2 vs 2.7.1, the bug fixes should improve stability (especially those affecting thread isolation on reload). The sensitive change here is the error handling. It's expected to be safe (and safer than before), but should you notice any form of unhandled events such as CPU loops, CLOSE_WAIT sockets, or an old process not quitting, do not hesitate to report them!
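As an added configuration example (not part of this announcement), here is what the constant-rate form of the bandwidth limiter looks like next to the sample-expression form that was required before; the proxy name, filter name, certificate path and the chosen rates are assumptions for illustration:

```haproxy
backend be_downloads
    # The bwlim filter must be declared in the proxy where the action is used.
    # default-limit is in bytes per second, default-period is a time value.
    filter bwlim-out dl-limit default-limit 1m default-period 1s

    # Before 2.8-dev2: limit and period had to be sample expressions returning
    # an integer (bytes/s for limit, milliseconds for period).
    http-response set-bandwidth-limit dl-limit limit int(512000) period int(1000)

    # 2.8-dev2: constant sizes and times are accepted directly, which is the
    # readable way to pin a download rate for a whole backend.
    http-response set-bandwidth-limit dl-limit limit 500k period 1s

    server app1 127.0.0.1:8080
```

Only one of the two set-bandwidth-limit lines is needed in practice; the last one evaluated wins for a given response, so keep the constant form and drop the expression form when upgrading.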
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/2.8/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/2.8/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (11):
      BUG/MINOR: mux-quic: fix transfer of empty HTTP response
      MINOR: mux-quic: add traces for flow-control limit reach
      MAJOR: mux-quic: rework stream sending priorization
      MEDIUM: h3: send SETTINGS before STREAM frames
      MINOR: mux-quic: use send-list for STOP_SENDING/RESET_STREAM emission
      MINOR: mux-quic: use send-list for immediate sending retry
      BUG/MINOR: h3: properly handle connection headers
      MINOR: h3: extend function for QUIC varint encoding
      MINOR: h3: implement TRAILERS encoding
      MINOR: h3: implement TRAILERS decoding
      MEDIUM: quic-sock: fix udp source address for send on listener socket

Christopher Faulet (27):
      MINOR: channel: Don't test CF_READ_NULL while CF_SHUTR is enough
      REORG: channel: Rename CF_READ_NULL to CF_READ_EVENT
      REORG: channel: Rename CF_WRITE_NULL to CF_WRITE_EVENT
      MEDIUM: channel: Use CF_READ_EVENT instead of CF_READ_PARTIAL
      MEDIUM: channel: Use CF_WRITE_EVENT instead of CF_WRITE_PARTIAL
      MINOR: channel: Remove CF_READ_ACTIVITY
      MINOR: channel: Remove CF_WRITE_ACTIVITY
      MINOR: channel: Remove CF_ANA_TIMEOUT and report CF_READ_EVENT instead
      MEDIUM: channel: Remove CF_READ_ATTACHED and report CF_READ_EVENT instead
      MINOR: channel: Stop to test CF_READ_ERROR flag if CF_SHUTR is enough
      MINOR: channel/applets: Stop to test CF_WRITE_ERROR flag if CF_SHUTW is enough
      BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
      BUG/MINOR: hlua: Fix Channel.line and Channel.data behavior regarding the doc
      BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
      BUG/MINOR: promex: Don't forget to consume the request on error
      MINOR: http-ana: Add a function to set HTTP termination flags
      MINOR: http-ana: Use http_set_term_flags() in most of HTTP analyzers
      BUG/MINOR: http-ana: Report SF_FINST_R flag on error waiting the request body
      MINOR: http-ana: Use http_set_term_flags() when waiting the request body
      BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
      MAJOR: http-ana: Review error handling during HTTP payload forwarding
      CLEANUP: http-ana: Remove HTTP_MSG_ERROR state
      BUG/MEDIUM: mux-h2: Don't send CANCEL on shutw when response length is unkown
      MINOR: htx: Add an HTX value for the extra field is payload length is unknown
      BUG/MINOR: bwlim: Check scope for period expr for set-bandwitdh-limit actions
      MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit actions
      BUG/MINOR: bwlim: Fix parameters check for set-bandwidth-limit actions

Daniel Corbett (1):
      DOC: config: fix "Address formats" chapter syntax

Frédéric Lécaille (6):
      MINOR: quic: Useless test about datagram destination addresses
      MINOR: quic: Disable the active connection migrations
      MINOR: quic: Add "no-quic" global option
      MINOR: sample: Add "quic_enabled" sample fetch
      MINOR: quic: Replace v2 draft definitions by those of the final 2 version
      BUG/MINOR: quic: Do not request h3 clients to close its unidirection streams

Manu Nicolas (1):
      CLEANUP: htx: fix a typo in an error message of http_str_to_htx

Mathias Weiersmueller (1):
      DOC: config: added optional rst-ttl argument to silent-drop in action lists

Paul Barnetta (1):
      BUG/MINOR: mux-fcgi: Correctly set pathinfo

Remi Tricot-Le Breton (19):
      BUG/MINOR: ssl: Fix crash in 'update ssl ocsp-response' CLI command
      BUG/MINOR: ssl: Crash during cleanup because of ocsp structure pointer UAF
      MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response
      MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain
      MINOR: ssl: Release ssl_ocsp_task_ctx.cur_ocsp when destroying task
      MINOR: ssl: Detect more OCSP update inconsistencies
      BUG/MINOR: ssl: Fix OCSP_CERTID leak when same certificate is used multiple times
      MINOR: ssl: Limit ocsp_uri buffer size to minimum
      MINOR: ssl: Remove mention of ckch_store in error message of cli command
      BUG/MINOR: ssl: Remove unneeded pointer check in ocsp cli release function
      BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp update inconsistencies
      BUG/MINOR: ssl: OCSP minimum update threshold not properly set
      MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors
      MINOR: ssl: Do not wake ocsp update task if update tree empty
      MINOR: ssl: Reinsert updated ocsp response later in tree in case of http error
      REGTEST: ssl: Add test for 'update ssl ocsp-response' CLI command
      BUG/MEDIUM: jwt: Properly process ecdsa signatures (concatenated R and S params)
      BUG/MINOR: ssl: Fix compilation with OpenSSL 1.0.2 (missing ECDSA_SIG_set0)
      BUG/MINOR: jwt: Wrong return value checked

William Lallemand (3):
      DOC: management: add details on "Used" status
      DOC: management: add details about @system-ca in "show ssl ca-file"
      Revert "BUILD: ssl: add ECDSA_SIG_set0() for openssl < 1.1 or libressl < 2.7"

Willy Tarreau (21):
      DEV: tcploop: add minimal support for unix sockets
      BUG/MEDIUM: listener: duplicate inherited FDs if needed
      OPTIM: global: move byte counts out of global and per-thread
      BUG/MEDIUM: peers: make "show peers" more careful about partial initialization
      BUG/MINOR: http-ana: make set-status also update txn->status
      BUG/MINOR: listeners: fix suspend/resume of inherited FDs
      DOC: config: fix wrong section number for "protocol prefixes"
      DOC: config: fix aliases for protocol prefixes "udp4@" and "udp6@"
      DOC: config: mention the missing "quic4@" and "quic6@" in protocol prefixes
      MINOR: listener: also support "quic+" as an address prefix
      CLEANUP: stconn: always use se_fl_set_error() to set the pending error
      BUG/MEDIUM: stconn: also consider SE_FL_EOI to switch to SE_FL_ERROR
      BUILD: ssl: add ECDSA_SIG_set0() for openssl < 1.1 or libressl < 2.7
      BUG/MINOR: listener: close tiny race between resume_listener() and stopping
      BUG/MEDIUM: fd/threads: fix again incorrect thread selection in wakeup broadcast
      BUG/MINOR: thread: always reload threads_enabled in loops
      MINOR: threads: add a thread_harmless_end() version that doesn't wait
      BUG/MEDIUM: debug/thread: make the debug handler not wait for !rdv_requests
      BUG/MINOR: mux-h2: make sure to produce a log on invalid requests
      BUG/MINOR: mux-h2: add missing traces on failed headers decoding
      BUILD: hpack: include global.h for the trash that is needed in debug mode

---