Re: [ANNOUNCE] haproxy-2.0.6

2019-09-13 Thread Aleksandar Lazic
Am 13.09.2019 um 14:09 schrieb Christopher Faulet:
> Hi,
> 
> HAProxy 2.0.6 was released on 2019/09/13. It added 36 new commits 
> after version 2.0.5.
> 
> A major issue was fixed in the SSL part. When an SSL socket was created, its
> context was not fully initialized. Because this context is allocated from a
> memory pool, it was possible to inherit some information from a previous
> session. Thus, some fetches, related to the client's certificate presence or its
> verify status and errors, were returning erroneous values. So SSL connections
> without a client certificate were able to be accepted by HAProxy from the time a
> previous one had already been accepted with a valid client certificate. This
> issue was reported on GitHub (#248).
> 
> An AB/BA locking issue was fixed in the listeners. The functions
> protocol_enable_all() and delete_listener() were using the same locks in
> reverse order. The former being used during startup and the latter during stop,
> it was possible to have a deadlock during reload floods. Note though that it is
> pretty hard to hit this issue in 2.0 and above.
> 
> Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
> reject messages featuring a transfer-encoding header missing the "chunked"
> value. The impact was limited, but if combined with "http-reuse always", it
> could be used as a help to construct a content smuggling attack against a
> vulnerable component employing a lenient parser which would ignore the
> content-length header as soon as it sees a transfer-encoding one, without even
> parsing it.
> 
> An improvement was made on the idle connections management. Now, we don't keep
> more idle connections than we've ever had outstanding requests on a server. This
> way the total number of idle connections will never exceed the sum of maximum
> connections. Thus highly loaded servers will be able to get many connections and
> slightly loaded servers will keep fewer. This addresses performance issues with
> the option "http-reuse safe" (the default) because of too many idle connections
> kept open and never reused.
> 
> An old bug on legacy HTTP analyzers was fixed. When HAProxy was waiting for a
> request or a response, the parsing was delayed if the buffer appeared as not
> rewritable (reserve not fully free), without any other criteria. It might block
> the message analysis for a while, sometimes infinitely depending on
> circumstances. For instance, it was happening when the cache applet used the
> reserve to add the header "Age" on cached responses. This test was based on an
> old implicit assumption that stated that if a buffer was not rewritable, it
> meant some outgoing data were pending to be sent. On recent versions, this is
> not true anymore because all outgoing data are sent before starting the
> analysis of the next transaction.
> 
> Several bugs were fixed in the H1 multiplexer. The trailers of chunked messages
> were sometimes truncated on a buffer boundary because the parser systematically
> reported an error when the buffer was full during trailers parsing. Now, an
> error is only reported if the buffer is full because the trailers are too huge.
> In the same spirit, errors might be reported at the end of transfers if the
> buffer was full because no space was left to add the EOM block. The SD
> termination state was erroneously reported in HAProxy logs for successful
> transfers.
> 
> Two bugs were fixed in the cache. Both concerned the way messages with a huge
> header part were handled by the cache. First, messages with a header part
> impinging upon the buffer's reserve were stored in the cache. Now these
> messages are not cached anymore. The reserve must remain available to handle
> the response processing when a cached object is served, just like any other
> response. Then, in the cache, messages with a header part stored on several
> shctx blocks (> 1024 bytes) were not correctly served.
> 
> Finally, the usual bunch of bug fixes here and there. Some improvements were
> made on checks to adapt them to recent changes on the connections layer. The
> sample fetch url32 was fixed to really take the path part into account. A
> memory leak during configuration parsing was fixed, when an ACL expression was
> parsed. Response flags are now correctly reset when 1xx messages are handled so
> it is possible to compress HTTP responses preceded by a 100-Continue. The
> server weights are now ignored for empty servers so as not to always pick the
> same server on low load (thanks to @malsumis and @jaroslawr for this fix). And
> so on.
> 
> It is also noticeable that Luca Schimweg added the sample fetch uuid() to get a
> UUID following the format of version 4 in the RFC4122 standard. The
> DRAIN/MAINT/NOLB statuses are now reported for servers by the Prometheus
> exporter. And the number of idle connections for each server is now reported on
> the stats page, as is the configuration limit.
> 
> All users of the 2.0 are

[ANNOUNCE] haproxy-2.0.6

2019-09-13 Thread Christopher Faulet
Hi,

HAProxy 2.0.6 was released on 2019/09/13. It added 36 new commits 
after version 2.0.5.

A major issue was fixed in the SSL part. When an SSL socket was created, its
context was not fully initialized. Because this context is allocated from a
memory pool, it was possible to inherit some information from a previous
session. Thus, some fetches, related to the client's certificate presence or its
verify status and errors, were returning erroneous values. So SSL connections
without a client certificate were able to be accepted by HAProxy from the time a
previous one had already been accepted with a valid client certificate. This
issue was reported on GitHub (#248).

An AB/BA locking issue was fixed in the listeners. The functions
protocol_enable_all() and delete_listener() were using the same locks in
reverse order. The former being used during startup and the latter during stop,
it was possible to have a deadlock during reload floods. Note though that it is
pretty hard to hit this issue in 2.0 and above.

Nathan Davison (@ndavison) reported that in legacy mode we didn't correctly
reject messages featuring a transfer-encoding header missing the "chunked"
value. The impact was limited, but if combined with "http-reuse always", it
could be used as a help to construct a content smuggling attack against a
vulnerable component employing a lenient parser which would ignore the
content-length header as soon as it sees a transfer-encoding one, without even
parsing it.

An improvement was made on the idle connections management. Now, we don't keep
more idle connections than we've ever had outstanding requests on a server. This
way the total number of idle connections will never exceed the sum of maximum
connections. Thus highly loaded servers will be able to get many connections and
slightly loaded servers will keep fewer. This addresses performance issues with
the option "http-reuse safe" (the default) because of too many idle connections
kept open and never reused.

An old bug on legacy HTTP analyzers was fixed. When HAProxy was waiting for a
request or a response, the parsing was delayed if the buffer appeared as not
rewritable (reserve not fully free), without any other criteria. It might block
the message analysis for a while, sometimes infinitely depending on
circumstances. For instance, it was happening when the cache applet used the
reserve to add the header "Age" on cached responses. This test was based on an
old implicit assumption that stated that if a buffer was not rewritable, it
meant some outgoing data were pending to be sent. On recent versions, this is
not true anymore because all outgoing data are sent before starting the
analysis of the next transaction.

Several bugs were fixed in the H1 multiplexer. The trailers of chunked messages
were sometimes truncated on a buffer boundary because the parser systematically
reported an error when the buffer was full during trailers parsing. Now, an
error is only reported if the buffer is full because the trailers are too huge.
In the same spirit, errors might be reported at the end of transfers if the
buffer was full because no space was left to add the EOM block. The SD
termination state was erroneously reported in HAProxy logs for successful
transfers.

Two bugs were fixed in the cache. Both concerned the way messages with a huge
header part were handled by the cache. First, messages with a header part
impinging upon the buffer's reserve were stored in the cache. Now these
messages are not cached anymore. The reserve must remain available to handle
the response processing when a cached object is served, just like any other
response. Then, in the cache, messages with a header part stored on several
shctx blocks (> 1024 bytes) were not correctly served.

Finally, the usual bunch of bug fixes here and there. Some improvements were
made on checks to adapt them to recent changes on the connections layer. The
sample fetch url32 was fixed to really take the path part into account. A
memory leak during configuration parsing was fixed, when an ACL expression was
parsed. Response flags are now correctly reset when 1xx messages are handled so
it is possible to compress HTTP responses preceded by a 100-Continue. The
server weights are now ignored for empty servers so as not to always pick the
same server on low load (thanks to @malsumis and @jaroslawr for this fix). And
so on.

It is also noticeable that Luca Schimweg added the sample fetch uuid() to get a
UUID following the format of version 4 in the RFC4122 standard. The
DRAIN/MAINT/NOLB statuses are now reported for servers by the Prometheus
exporter. And the number of idle connections for each server is now reported on
the stats page, as is the configuration limit.

All users of 2.0 are encouraged to upgrade, especially those using
authentication with SSL client certificates.


Please find the usual URLs below :
   Site index   : http://www.haproxy.org/
   Discourse: http://discourse.haproxy.org/
   Slack channel: https:
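The SSL fix in the announcement above describes a general bug class: a per-connection object recycled from a memory pool keeps whatever state its previous owner left in it unless allocation fully re-initialises it. What follows is an added example, my own Python model and not HAProxy's code (the `ConnCtx` fields, `Pool`, `handshake()` and the verify codes are illustrative assumptions), showing why a connection that presents no client certificate can pass a certificate check after a previous connection on the same slot presented a valid one, and how resetting the object on allocation closes the hole.

```python
"""Added example: the pool-reuse bug class behind the 2.0.6 SSL fix.

A toy model, not HAProxy code. ConnCtx, Pool, handshake() and the verify
codes are illustrative assumptions. The vulnerable pool hands back a
recycled context without re-initialising it, so a connection that never
presented a client certificate inherits the verify result left by the
previous connection that used the same slot.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ConnCtx:
    client_cert_used: bool = False
    verify_result: Optional[int] = None  # 0 stands for X509_V_OK; None: no cert seen


class Pool:
    """Free-list allocator. reset_on_alloc=False reproduces the bug."""

    def __init__(self, reset_on_alloc: bool) -> None:
        self.reset_on_alloc = reset_on_alloc
        self.free: List[ConnCtx] = []

    def alloc(self) -> ConnCtx:
        if not self.free:
            return ConnCtx()  # fresh object: dataclass defaults apply
        ctx = self.free.pop()
        if self.reset_on_alloc:  # the fix: full initialisation on every allocation
            ctx.client_cert_used = False
            ctx.verify_result = None
        return ctx

    def release(self, ctx: ConnCtx) -> None:
        self.free.append(ctx)  # returned as-is, stale fields included


def handshake(ctx: ConnCtx, client_cert: Optional[str]) -> None:
    """Simulated TLS handshake. It only writes the certificate fields when a
    certificate is presented, which is exactly what leaves stale values behind."""
    if client_cert is not None:
        ctx.client_cert_used = True
        ctx.verify_result = 0 if client_cert == "valid" else 18  # 18: self-signed cert


def cert_auth_allows(ctx: ConnCtx) -> bool:
    """The decision an ACL on certificate presence plus verify status makes."""
    return ctx.client_cert_used and ctx.verify_result == 0


def run(reset_on_alloc: bool, certs=("valid", None)) -> List[bool]:
    """Serve the given sequence of connections through one pool slot and
    return the authentication decision for each."""
    pool = Pool(reset_on_alloc)
    decisions = []
    for cert in certs:
        ctx = pool.alloc()
        handshake(ctx, cert)
        decisions.append(cert_auth_allows(ctx))
        pool.release(ctx)
    return decisions


if __name__ == "__main__":
    print("vulnerable pool:", run(False))  # second, certificate-less connection passes
    print("fixed pool:     ", run(True))
```

With the vulnerable pool `run(False)` returns `[True, True]`: the second connection never presented a certificate but is accepted on the strength of the first one's leftover state. With re-initialisation on allocation `run(True)` returns `[True, False]`. The equivalent check on a real deployment is the test's second case: after a successful client-certificate session, open a plain TLS session without a certificate and confirm the certificate ACL still denies it.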
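The transfer-encoding issue reported by Nathan Davison comes down to request framing. RFC 7230 section 3.3.3 says that a request carrying a Transfer-Encoding header whose final coding is not "chunked" has an undeterminable body length and must be rejected with a 400; a parser that instead treats any Transfer-Encoding header as chunked without reading it, ignoring Content-Length, frames the stream differently from a front end that framed it by Content-Length, and the leftover bytes become a second request on the shared backend connection. The following is an added example, my own Python code and not HAProxy's (the three policy names and the request bytes are constructed for the illustration), that parses one byte stream under the three framing policies: the strict one rejects it, the Content-Length one forwards it as a single request, and the lenient one sees two.

```python
"""Added example: HTTP/1.1 request framing under three header policies.

Constructed for illustration; not HAProxy code. Policies:
  "strict"         - RFC 7230 section 3.3.3: Transfer-Encoding whose final
                     coding is not "chunked" makes a request unframeable,
                     so it is rejected (the behaviour 2.0.6 restores).
  "content-length" - a front end that falls back to Content-Length when
                     Transfer-Encoding is present but not chunked.
  "lenient"        - the vulnerable backend parser described in the
                     announcement: any Transfer-Encoding header means
                     chunked, and Content-Length is ignored unread.
"""

CRLF = b"\r\n"


class FramingError(Exception):
    pass


def parse_head(stream: bytes, pos: int):
    """Parse request line and headers at pos; return (request_line, headers, pos)."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise FramingError("incomplete message head")
    lines = stream[pos:end].split(CRLF)
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        name, value = name.strip().lower().decode("ascii"), value.strip().decode("ascii")
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0].decode("ascii"), headers, end + 4


def read_chunked(stream: bytes, pos: int):
    """Decode a chunked body at pos; return (body, pos after the trailer section)."""
    body = b""
    while True:
        eol = stream.find(CRLF, pos)
        if eol < 0:
            raise FramingError("incomplete chunk-size line")
        size = int(stream[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            while True:  # trailer fields up to and including the empty line
                eol = stream.find(CRLF, pos)
                if eol < 0:
                    raise FramingError("incomplete trailers")
                line, pos = stream[pos:eol], eol + 2
                if not line:
                    return body, pos
        if stream[pos + size:pos + size + 2] != CRLF:
            raise FramingError("chunk data not terminated by CRLF")
        body += stream[pos:pos + size]
        pos += size + 2


def body_length(headers: dict, policy: str):
    """Return "chunked" or a byte count, or raise FramingError to reject."""
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if te is not None:
        if policy == "lenient":
            return "chunked"  # never reads the value, never looks at Content-Length
        if [c.strip().lower() for c in te.split(",")][-1] == "chunked":
            if policy == "strict" and cl is not None:
                raise FramingError("both Transfer-Encoding and Content-Length present")
            return "chunked"
        if policy == "strict":
            raise FramingError("Transfer-Encoding without final chunked coding")
    if cl is not None:
        if not cl.isdigit():
            raise FramingError("malformed Content-Length")
        return int(cl)
    return 0


def split_requests(stream: bytes, policy: str):
    """Split a byte stream into [(request_line, body), ...] as a given parser would."""
    pos, requests = 0, []
    while pos < len(stream):
        line, headers, pos = parse_head(stream, pos)
        length = body_length(headers, policy)
        if length == "chunked":
            body, pos = read_chunked(stream, pos)
        else:
            if len(stream) - pos < length:
                raise FramingError("incomplete body")
            body, pos = stream[pos:pos + length], pos + length
        requests.append((line, body))
    return requests


def count_requests(stream: bytes, policy: str):
    """Number of requests this parser sees in the stream, or None if it rejects."""
    try:
        return len(split_requests(stream, policy))
    except FramingError:
        return None


# Constructed attack stream: the Content-Length covers a terminating chunk plus a
# whole second request, so a CL-framed front end forwards one POST while the
# lenient backend sees the POST (empty chunked body) and then GET /admin.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
ATTACK_BODY = b"0\r\n\r\n" + SMUGGLED
ATTACK = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          + b"Content-Length: %d\r\n" % len(ATTACK_BODY)
          + b"Transfer-Encoding: identity\r\n\r\n" + ATTACK_BODY)

# A well-formed chunked request, which every policy accepts as one message.
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for policy in ("strict", "content-length", "lenient"):
        print(policy, count_requests(ATTACK, policy), count_requests(BENIGN, policy))
```

The point of the three results is the disagreement: the front end believes it forwarded one POST, the backend answers a POST and then a GET /admin that no client of the front end knowingly sent. That is why the announcement ties the impact to "http-reuse always": the extra request sits on a backend connection that may next be handed to a different client. The strict policy never reaches that state because it refuses to frame the message at all.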