Hi, HAProxy 3.0-dev13 was released on 2024/05/24. It added 66 new commits after version 3.0-dev12.
Well, first, I really want to thank all those who've been trying 3.0-dev recently, this has been useful to nail down various issues, some quite recent and other ones much older, and it's way more efficient to work on bugs before a release than after, so keep up the great work! I hope this will encourage them to continue.

Among the latest changes this week, I'm seeing some stability fixes and small updates here and there:

 - an issue where QUIC on LibreSSL could crash when using cipher TLS_AES_128_CCM_SHA256, which is normally not used;

 - a workaround for an issue in LibreSSL with the default algo CHACHA20_POLY1305 (which is used by default when running on machines without AES-NI, i.e. non-x86 these days), which would cause requests to hang because the data cannot be deciphered. The workaround here consists in cleanly rejecting such connections for now on current versions so that the client instantly retries using TCP. LibreSSL 4.0 will have the fix, and if it gets backported, we'll relax the test to include that fixed version as well. A config-based workaround consists in forcing the ciphers to exclude this one.

 - a possible leak of backend sockets when their FD number was a small multiple of 4096, due to the wrong variable being checked for an error code (since dev10 only).

 - rhttp's preconnect wouldn't work in single-thread mode due to an offset of +1 on the owner thread ID when issuing connection requests. A few other fixes concern rhttp (listener not suspending, session origin after reversal).

 - server port lost on DNS resolution timeout, causing health check errors.

 - a few remaining races in stick-tables & peers (present since 2.9), super hard to reproduce... until you manage to see them in seconds and they cause crashes. They directly depend on the request rate, and their increase in 3.0-dev is related to the lower threading overhead that increases performance and the probability to meet them. There are probably 2-3 deployments in the world able to trigger them, it's fortunate that they test -dev ;-)

 - the proxy protocol now also parses TLVs for LOCAL mode and supports sending them without a stream, so that elements can be passed during preconnect to a next stage that will no longer ignore them.

 - made sure that %[path] is never empty when sending an absolute request lacking the trailing /.

 - two new global settings now make it possible to simply prevent HAProxy from accepting traffic from privileged ports; one setting is for TCP and the other one for QUIC. QUIC was configured by default to refuse such traffic, because by relying on UDP it's particularly exposed to DNS and NTP amplification attacks, and while it's more efficient to filter such ports upstream, it's still very simple and cheap to just drop such undesirable packets before processing them.

 - David Carlier's VMA naming feature was generalized to various other areas, so that on Linux, when checking where HAProxy allocates memory in /proc/$pid/maps, some of these areas will appear and give hints about what causes this.

 - the name associated with servers in connection pools can now be overridden by the expression in pool-conn-name when SNI is not desired (useful with rhttp without SSL for example, but may also make sense when reaching remote servers over SSL tunnels).

 - the crt-store settings now properly make sure to avoid FS-based auto-discovery when some file components are explicitly named.

 - finally the thread-hard-limit global parameter was added. It allows to only set a hard limit on the number of threads without enforcing that value as the thread count (like nbthread does). That's convenient to prepare portable configs with no more than X threads when one knows it's only a waste of resources to use more.

 - build warnings on various configurations were resolved.

 - updates to the build-ssl script to make it usable even outside of the CI (helps for quickly testing a specific implementation).

 - various doc cleanups.

That still looks like a lot but these are all just tiny tasks that were waiting for some more relaxed time to work on (aside from the bugs of course). At this point it's been tested to run fine on various flavours of Linux on x86/arm64/mips32, FreeBSD amd64, OpenBSD mips64, Solaris sparc64. The testing of the various last important fixes has been good so far, this version essentially integrates everything together and I'd like it to be the one we release on Wednesday (more or less doc updates then). Given that remaining bugs are fixed and the small stuff done as well, I'd like that we only focus on the doc and testing during the next days and that the code is only changed if a significant regression is found (i.e. we avoid last-minute breakage). Also, I know well enough that it's sufficient to say that a version is the last -dev for about everyone to skip it and wait for the final one! That's one more reason for not waiting too long after it and not modifying it too much.
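As an added illustration (not part of the announcement above, nor an official HAProxy sample), here is how three of the settings mentioned in this release fit together in a 3.0 configuration: the thread-hard-limit global parameter, the two global settings that drop traffic from privileged source ports for TCP and QUIC, and a pool-conn-name expression on plain-TCP backend servers where SNI is not available. The keyword names and the default of the QUIC setting are taken from the HAProxy 3.0 configuration manual rather than from this message; the addresses, certificate path, section names and the choice of the Host header as pool name are constructed for the example. Legitimate clients practically never originate from a source port below 1024, while reflected DNS (53) and NTP (123) amplification traffic does, which is what the privileged-port rejection is meant to discard cheaply before any further processing; filtering it upstream remains the more efficient option.

```haproxy
global
    # Upper bound on the number of threads without forcing that value as
    # the thread count (nbthread would force it). Lets the same file run on
    # a 4-core box and a 64-core box without wasting threads on the latter.
    thread-hard-limit 8

    # Reject incoming TCP connections and QUIC datagrams whose source port
    # is privileged (< 1024). The QUIC setting is "on" by default in 3.0;
    # it is written out explicitly so the intent is visible when auditing
    # the file. The TCP one defaults to "off" and is enabled here.
    harden.reject-privileged-ports.tcp  on
    harden.reject-privileged-ports.quic on

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    # Constructed certificate path. The QUIC listener is the one the
    # privileged-port rejection above protects from amplification traffic.
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    default_backend be_tunnel

backend be_tunnel
    # Constructed addresses: plain-TCP endpoints of an SSL tunnel that
    # multiplexes several origins behind one address. Without SSL there is
    # no SNI to key the idle-connection pool on, so pool-conn-name keys it
    # on the lower-cased Host header instead. A request for host A is then
    # never handed an idle connection that previously carried host B.
    server tun1 10.0.0.10:8080 pool-conn-name req.hdr(host),lower
    server tun2 10.0.0.11:8080 pool-conn-name req.hdr(host),lower
```

After a change like this, `haproxy -c -f /etc/haproxy/haproxy.cfg` is the quick check that the keywords are accepted by the binary actually deployed; a build older than 3.0 will reject all three global keywords and the pool-conn-name server option at parse time.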
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (20):
      BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
      BUG/MINOR: server: free PROXY v2 TLVs on srv drop
      MINOR: rhttp: add log on connection allocation failure
      BUG/MEDIUM: rhttp: fix preconnect on single-thread
      BUG/MINOR: rhttp: prevent listener suspend
      BUG/MINOR: rhttp: fix task_wakeup state
      MINOR: session: define flag to explicitely release listener on free
      MEDIUM: rhttp: create session for active preconnect
      MINOR: rhttp: support PROXY emission on preconnect
      MINOR: connection: support PROXY v2 TLV emission without stream
      BUILD: trace: fix warning on null dereference
      MEDIUM: config: prevent communication with privileged ports
      MAJOR: config: prevent QUIC with clients privileged port by default
      BUG/MINOR: quic: adjust restriction for stateless reset emission
      MINOR: quic: clarify doc for quic_recv()
      MINOR: server: generalize sni expr parsing
      MINOR: server: define pool-conn-name keyword
      MEDIUM: connection: use pool-conn-name instead of sni on reuse
      BUG/MINOR: rhttp: initialize session origin after preconnect reversal
      DOC: quic: specify that connection migration is not supported

Aurelien DARRAGON (11):
      BUG/MINOR: ring: free ring's allocated area not ring's usable area when using maps
      DEBUG: tools: add vma_set_name() helper
      DEBUG: shctx: name shared memory using vma_set_name()
      DEBUG: sink: add name hint for memory area used by memory-backed sinks
      DEBUG: pollers: add name hint for large memory areas used by pollers
      DEBUG: errors: add name hint for startup-logs memory area
      DEBUG: fd: add name hint for large memory areas
      CLEANUP: tools: fix vma_set_name() function comment
      DEBUG: tools: add vma_set_name_id() helper
      DEBUG: pollers/fd: add thread id suffix to per-thread memory areas name hints
      BUG/MEDIUM: server/dns: preserve server's port upon resolution timeout or error

Christopher Faulet (8):
      BUG/MINOR: http-ana: Don't crush stream termination condition on internal error
      MAJOR: spoe: Let the SPOE back into the game
      BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
      MINOR: mux-quic: Set abort info for SC-less QCS on STOP_SENDING frame
      BUG/MEDIUM: stick-tables: Fix race with peers when trashing oldest entries
      BUG/MEDIUM: stick-tables: Fix race with peers when killing a sticky session
      BUG/MINOR: http-htx: Support default path during scheme based normalization
      BUG/MINOR: server: Don't reset resolver options on a new default-server line

Frederic Lecaille (1):
      BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)

Ilia Shipitsin (1):
      CI: scripts/build-ssl.sh: loudly fail on unsupported platforms

Valentine Krasnobaeva (4):
      BUG/MEDIUM: proto: fix fd leak in <proto>_connect_server
      MINOR: sock: set conn->err_code in case of EPERM
      BUG/MINOR: sock: fix sock_create_server_socket
      MINOR: proto: fix coding style

William Lallemand (9):
      CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
      MINOR: ssl: check parameter in ckch_conf_cmp()
      DOC: configuration: rework the crt-store load documentation
      MEDIUM: ssl: don't load file by discovering them in crt-store
      DOC: configuration: update the crt-list documentation
      DOC: configuration: add the supported crt-store options in crt-list
      REGTESTS: scripts: allow to change the vtest timeout
      CI: scripts/build-ssl: add a DESTDIR and TMPDIR variable
      CI: scripts/buil-ssl: cleanup the boringssl and quictls build

Willy Tarreau (12):
      MINOR: traces: enumerate the list of levels/verbosities when not found
      BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
      MINOR: config: add thread-hard-limit to set an upper bound to nbthread
      BUILD: quic: fix unused variable warning when threads are disabled
      BUG/MEDIUM: stick-tables: make sure never to create two same remote entries
      CLEANUP: stick-tables: remove a few unneeded tests for use_wrlock
      MINOR: stick-tables: remove the uneeded read lock in stksess_free()
      DOC: config: fix aes_gcm_enc() description text
      DOC: config: fix incorrect section reference about custom log format
      DOC: config: uniformize the naming and description of custom log format args
      DOC: config: clarify the fact that custom log format is not just for logging
      REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs

---