Re: [ANNOUNCE] haproxy-2.6.0

[Vincent Bernat]

On 6/14/22 14:22, Artur wrote:


No plan to prepare 2.6 packages for Debian 10 ?

If you can, I'm interested. Thank you.


No particular reason, just nobody asked for it. It will land shortly.

Re: [ANNOUNCE] haproxy-2.6.0

[Artur]

Hello Vincent,

No plan to prepare 2.6 packages for Debian 10 ?

If you can, I'm interested. Thank you.

Le 03/06/2022 à 23:43, Vincent Bernat a écrit :

  ❦ 31 May 2022 17:56 +02, Willy Tarreau:


HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits
after version 2.6-dev12, essentially small bug fixes, QUIC counters
and doc updates.

It's available on haproxy.debian.net. No QUIC support as neither Debian
nor Ubuntu has the appropriate library.


--
Best regards,
Artur

Re: [ANNOUNCE] haproxy-2.6.0

[Willy Tarreau]

On Fri, Jun 03, 2022 at 11:43:32PM +0200, Vincent Bernat wrote:
>  ? 31 May 2022 17:56 +02, Willy Tarreau:
> 
> > HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits
> > after version 2.6-dev12, essentially small bug fixes, QUIC counters
> > and doc updates.
> 
> It's available on haproxy.debian.net. No QUIC support as neither Debian
> nor Ubuntu has the appropriate library.

Many thanks for this, Vincent!

Willy

Re: [ANNOUNCE] haproxy-2.6.0

[Vincent Bernat]

 ❦ 31 May 2022 17:56 +02, Willy Tarreau:

> HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits
> after version 2.6-dev12, essentially small bug fixes, QUIC counters
> and doc updates.

It's available on haproxy.debian.net. No QUIC support as neither Debian
nor Ubuntu has the appropriate library.
-- 
The better part of valor is discretion.
-- William Shakespeare, "Henry IV"

Re: [ANNOUNCE] haproxy-2.6.0

[Willy Tarreau]

On Tue, May 31, 2022 at 07:16:31PM +0200, Tim Düsterhus wrote:
> Willy,
> 
> you're probably expected this type of email from me :-)
> 
> On 5/31/22 17:56, Willy Tarreau wrote:
> > HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits
> 
> I guess the release of 2.6.0 is an appropriate time to put 2.0 into
> "critical fixes" only. Back in January we discussed doing that in May and
> luckily it's may for another ~5 hours here in central Europe :-)
> 
> see https://www.mail-archive.com/haproxy@formilux.org/msg41672.html

Ah yes, nice reminder, now done just in time!

> With that HAProxy 2.3 can likely get its final release for the last two
> commits and then be EOL'd.

Yes, we can either release as-is or have a quick check for anything
absolutely earth-shattering and backport yet a few more fixes, or we
could completely ignore it. I'm going to mark it unmaintained right
now, and we'll likely issue a last one in a few days, for those who
are a bit late to upgrade.

> On another note: For the Docker fans, I've already created a Pull Request to
> add 2.6 proper / 2.7 dev, so those should be available soon-ish:
> 
> https://github.com/docker-library/haproxy/pull/185

Thank you!

> Enough of being partypooper Tim. Enjoy your release party!

Will likely happen next week, I'm busy at Kernel Recipes till the
end of the week now. 2.5 years without a conf was too much, let's
switch back a little bit to kernel mode for a few days ;-)

Cheers,
Willy

Re: [ANNOUNCE] haproxy-2.6.0

[Tim Düsterhus]

Willy,

you're probably expected this type of email from me :-)

On 5/31/22 17:56, Willy Tarreau wrote:

HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits


I guess the release of 2.6.0 is an appropriate time to put 2.0 into 
"critical fixes" only. Back in January we discussed doing that in May 
and luckily it's may for another ~5 hours here in central Europe :-)


see https://www.mail-archive.com/haproxy@formilux.org/msg41672.html

With that HAProxy 2.3 can likely get its final release for the last two 
commits and then be EOL'd.


---

On another note: For the Docker fans, I've already created a Pull 
Request to add 2.6 proper / 2.7 dev, so those should be available soon-ish:


https://github.com/docker-library/haproxy/pull/185


and the following returning contributors:

Aleksandar Lazic, Amaury Denoyelle, Bertrand Jacquin,
Christian Ruppert, Christopher Faulet, Daniel Jakots,
David Carlier, Emeric Brun, Frédéric Lécaille, Ilya Shipitsin,
Lukas Tribus, Maciej Zdeb, Marno Krahmer, Miroslav Zagorac,
Remi Tricot-Le Breton, Thayne McCombs, Thierry Fournier,
Tim Duesterhus, William Dauchy, William Lallemand, Willy Tarreau


Cheers!


Many thanks to everyone involved in the new greatest release!
As usual, HAProxy-2.7-dev0 was just created.



Enough of being partypooper Tim. Enjoy your release party!

Best regards
Tim Düsterhus

[ANNOUNCE] haproxy-2.6.0

[Willy Tarreau]

Hi,

HAProxy 2.6.0 was released on 2022/05/31. It added 57 new commits
after version 2.6-dev12, essentially small bug fixes, QUIC counters
and doc updates.

This is a long term supported version that will be maintained till 2027.

I'll sum up the changes from 2.5 here without entering into details as I
was told that my coworkers Nick and Baptiste are working on a blog article
that will show up on https://haproxy.com/blog/ to cover all these updates
in details, and that's a tough work I'm definitely not going to replicate!

First, this version aims at helping users stay up to date with modern
protocols through the support of QUIC & HTTP/3. After having served
haproxy.org without any major issues for two months, we now consider that
it is stable enough to be deployed in production, but we'll maintain its
experimental status for now, because you must be aware that being a young
protocol and an even younger implementation, it's perfectly possible that
some future issues might take time to get fixed, during which it will be
required to disable it.

In addition, QUIC currently relies on the QuicTLS library for the TLS
layer, which is a community effort to maintain a patch set on top of
OpenSSL. And given that the OpenSSL team has deliberately rejected the
opportunity to reintegrate this work, nobody knows how long the QuicTLS
team will have the patience and energy to maintain QuicTLS up to date.
And unless distributions adopt the patch set in their OpenSSL package,
HAProxy as provided by distros will not be built with QUIC support.

In summary, use QUIC, deploy it and have fun with it, but never forget
that maybe one day in 1 year or in 4 years there could be changes around
it in (new config settings, adoption of a new library etc) and that
certain steps in the maintenance cycle could be less smooth than for the
rest of the code only because of OpenSSL not being capable to follow
evolving standards anymore.

Speaking of OpenSSL, HAProxy 2.6 fully supports OpenSSL 3.0 which, among
other API changes, has deprecated support for the old "engines" API,
causing build warnings that would be a nightmare to deal with for package
maintainers. It has come to our attention that engines were almost never
used in the past, that when used, they were most often misused (we still
commonly see the irrelevant "rdrand" engine being configured), and that
those using real engines generally have to rebuild both haproxy and
openssl to adapt to various specificities and/or patches. As such it was
decided to simply disable engines support by default (the "ssl-engine"
keyword will not work anymore), but it may be re-enabled by building with
"USE_ENGINE=1" and ignoring the warnings. Finally, OpenSSL 0.9.8 support
was dropped after we discovered that nobody noticed that it broke in 2.5
with the introduction of JWT. That's usually a sign that it can safely
be abandonned.

HAProxy 2.6 also focuses on usability improvements (remember, simplicity
is key to reliability). Among these, the native HTTP client now supports
DNS resolution and server certificate checking. Both can default to the
default system files, thanks to the "default" resolvers section that is
now inherited from the system files by default, and the "@system-ca"
pseudo ca-file that uses the up-to-date list of CA present on the local
system. This means that safe communication with external agents or service
providers should now be incredibly easier.

On the content processing front, we've seen ugly and complicated configs
that were trying to work around certain misses. The two common examples
are setting dummy a HTTP header to perform a hash on certain key, or
having many conditional rules to append values to lists or assign
variables based on presence or absence of the source or the destination.
This resulted in a new "balance hash" algorithm that directly takes an
expression, the "add_item()" converter that deals with concatenation of
list elements with their respective delimiters, and a list of conditions
to the "set-var" family of actions that will allow to filter in which
case to update a variable (when set/not set, greater/lower etc). When
tested on real world configurations, this could divide the number of
rules by 4.

Some users refrained from upgrading to 2.5 after HTTP/1.0 request body
was rejected by default from body-less requests, and some of their old
agents used to rely on this. A new option was added to preserve the
feature when it's known that the servers are compliant and will not open
a vulnerability ("h1-accept-payload-with-any-method").

It is no longer necessary to specify "expose-fd listeners" nor to pass
"-x" on the command line to inherit the previous process' listening
sockets in master-worker deployments; the new master process will
automatically retrieve them from the old one over one of the dedicated
management sockets.

Version 2.6 also improves management: the dynamic servers feature is
no longer experimental, so those who were waiting for a