Hi, HAProxy 3.1-dev5 was released on 2024/08/07. It added 88 new commits after version 3.1-dev4.
There were quite a bunch of fixes this time, spread over various areas (h2, analysers, jwt, quic, 0-rtt, queues, traces), though nothing exciting at this point.

We got a report from a user facing higher loads due to one of the new safety rules enforced by the HTTP spec, which mandates that requests containing both Transfer-Encoding and Content-Length be processed in close mode (to avoid smuggling through possibly incompatible intermediary HTTP/1.0 proxies), so we've added an option to relax this rule when the chain is trusted.

On the QUIC side, Chacha20 and 0-RTT were fixed when using the aws-lc crypto library. A new ruleset, "quic-initial", allows packets to be filtered during the QUIC handshake. The currently supported actions are "reject", "accept", "dgram-drop" (for a silent drop), and "send-retry" (to force a Retry, for example when in 0-RTT). It can significantly help against abuse, or simply enforce source-based filtering so that the client cannot even engage in a handshake.

The QUIC traces will now also indicate how long a stream spent waiting for flow control, buffers, etc., which should help us explain why certain requests appear to be slow. Some Cubic-specific information is now also dumped in "show quic".

The traces now permit some sources to follow other ones, so that when a source automatically triggers, its followers are automatically enabled as well. One use case is to track the session, allowing one to watch a communication between the frontend and the backend without being disturbed by the rest of the traffic. We've verified that we can follow a series of requests from a front QUIC connection to an HTTP/2 backend. This will allow us to simplify some captures. Also, a new meta-source "all" is supported for some "trace" commands, to set the sink, the level and the source to follow. This will save a lot of debugging commands.
A new pair of sample fetch functions, fs.debug_str() and bs.debug_str(), can be used to complete the logs with useful debugging info from the lower layers (stream ID, flow control, etc.). It seems important to keep providing detailed troubleshooting elements because, since we have muxes, it has happened quite a few times that some logs would report an error, a timeout or something unusual, and it was hard to figure out what happened at the lower layers. Obviously with protocols like H2 and QUIC we can't tell the whole history, but it should help quite a bit. For example, the stream's pause times mentioned above will be there, so it will be possible to correlate the request timers with such elements.

A more significant change concerns the loading of configuration files. Previously they were opened and parsed on the fly, just once. With the pending master startup changes, the starting process will need to check in the global section whether it's supposed to be the master process and stop there, and the worker will parse its own config. Since /dev/stdin works and is supported, it's not possible to open it twice. Instead it was decided that the config is pre-loaded in memory and processed from there, so that it stays buffered. The config size in memory is not much of a concern given the huge amplification factor (40 to 100x) of a config represented in memory, so the temporary extra copy of the text-based one is small. There could be pitfalls, though, and it's always interesting to know if you find something that breaks it. We already know that loading /dev/zero will make it eat a lot of RAM, for example, but we'd rather address all corner cases as a whole than each of them individually.

And the rest is as usual: some build fixes, CI updates and doc updates.
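As an added example (not part of this announcement nor a file shipped by the HAProxy project), here is a configuration fragment tying together the three user-visible items above: the "quic-initial" rules, the relaxed Transfer-Encoding + Content-Length rule, and the new debug_str fetches in a log-format. The option name h1-do-not-close-on-insecure-transfer-encoding is not stated in the announcement; it is the name used by the 3.1 configuration manual and should be checked against your build. Certificate paths, addresses, network ranges and ACL file names are placeholders, and the assumption that only datagram-level fetches (src, dst, ports) are usable in quic-initial rules follows from the changelog entry passing quic_dgram as the object type.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Append the lower-layer debug strings of both sides (stream id,
    # flow-control state, wait times) to every log line so they can be
    # correlated with the request timers.
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %{+Q}r fs=%[fs.debug_str] bs=%[bs.debug_str]"

frontend fe_public
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    bind quic4@0.0.0.0:443 ssl crt /etc/haproxy/certs/site.pem alpn h3
    http-response set-header alt-svc 'h3=":443"; ma=900'

    # quic-initial rules are evaluated on the first datagrams of a handshake,
    # before any connection or TLS state exists. Assumption: only
    # datagram-level fetches (src, dst, src_port, dst_port) are usable here.
    #
    # Silent drop: the peer gets no answer at all.
    quic-initial dgram-drop if { src -f /etc/haproxy/quic-blocklist.txt }
    # Explicit refusal: the peer is told right away (CONNECTION_REFUSED per
    # the changelog) instead of waiting for a timeout.
    quic-initial reject if { src 192.0.2.0/24 }
    # Force address validation for anything outside the trusted range: the
    # client must answer a Retry before its 0-RTT data is accepted, which
    # makes spoofed-source floods much more expensive for the attacker.
    quic-initial send-retry unless { src 10.0.0.0/8 }
    # Everything else proceeds with the handshake.
    quic-initial accept

    default_backend be_app

frontend fe_internal
    # Only reachable from trusted intermediaries on the internal network.
    bind 10.0.0.5:8080
    # HAProxy 3.1 forces close mode on HTTP/1 messages carrying both
    # Transfer-Encoding and Content-Length so that a non-compliant HTTP/1.0
    # hop cannot be desynchronised and smuggled through. This option restores
    # keep-alive for such messages and belongs only on a frontend whose every
    # upstream hop is known to parse Transfer-Encoding correctly; do not set
    # it on fe_public above. (Option name as documented for 3.1; verify.)
    option h1-do-not-close-on-insecure-transfer-encoding
    default_backend be_app

backend be_app
    server app1 10.0.1.10:8080 check
```

The point of splitting the relaxation into its own frontend is that the close-mode rule is a smuggling defence, so the exception should be scoped to the exact listener whose peers are trusted rather than placed in the defaults section where it silently applies to public traffic too. Run `haproxy -c -f` against the file after adapting the placeholders to confirm your build accepts both the quic-initial keywords and the option.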
Quite honestly, if you're running large configs, streaming your configs over SSH to a remote daemon, or doing anything fancy, your feedback on the config loading changes is really important to those working on this. Normally you should not notice any difference at this step.

Please find the usual URLs below:
  Site index       : https://www.haproxy.org/
  Documentation    : https://docs.haproxy.org/
  Wiki             : https://github.com/haproxy/wiki/wiki
  Discourse        : https://discourse.haproxy.org/
  Slack channel    : https://slack.haproxy.org/
  Issue tracker    : https://github.com/haproxy/haproxy/issues
  Sources          : https://www.haproxy.org/download/3.1/src/
  Git repository   : https://git.haproxy.org/git/haproxy.git/
  Git Web browsing : https://git.haproxy.org/?p=haproxy.git
  Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
  Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
  Pending bugs     : https://www.haproxy.org/l/pending-bugs
  Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
  Code reports     : https://www.haproxy.org/l/code-reports
  Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (23):
      MINOR: quic: delay Retry emission on quic-force-retry
      MEDIUM: quic: implement quic-initial rules
      MINOR: quic: support ACL for quic-initial rules
      MINOR: quic: pass quic_dgram as obj_type for quic-initial rules
      MINOR: quic: implement reject quic-initial action
      MINOR: quic: implement send-retry quic-initial rules
      BUG/MEDIUM: quic: fix invalid conn reject with CONNECTION_REFUSED
      BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
      MINOR: flags/mux-quic: decode qcc and qcs flags
      BUG/MINOR: quic: fix fc_rtt/srtt values
      BUG/MINOR: quic: fix fc_lost
      BUG/MINOR: h1: do not forward h2c upgrade header token
      BUG/MINOR: h2: reject extended connect for h2c protocol
      MINOR: quic: convert qc_stream_desc release field to flags
      MINOR: quic: implement function to check if STREAM is fully acked
      BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM
      MINOR: quic: enforce ACK reception is handled in order
      MINOR: mux-quic: define dump functions for QCC and QCS
      MINOR: mux-quic: implement debug string for logs
      MINOR: quic: dump quic_conn debug string for logs
      MINOR: time: define tot_time structure
      MINOR: mux-quic: measure QCS lifetime and its blocking state
      BUG/MINOR: quic: prevent freeze after early QCS closure

Aurelien DARRAGON (3):
      MEDIUM: sink: assume sft appctx stickiness
      BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak
      MINOR: server: ensure max_events_at_once > 0 in server_atomic_sync()

Christopher Faulet (9):
      BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
      DOC: config: Add documentation about spop mode for backends
      BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
      BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
      BUILD: mux-pt: Use the right name for the sedesc variable
      BUG/MEDIUM: http-ana: Report error on write error waiting for the response
      BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
      BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
      BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync

Frederic Lecaille (7):
      BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
      MINOR: quic: Add information to "show quic" for CUBIC cc.
      MINOR: quic: Dump TX in flight bytes vs window values ratio.
      MINOR: tcp_sample: Move TCP low level sample fetch function to control layer
      MINOR: quic: Define ->get_info() control layer callback for QUIC
      BUG/MINOR: quic: Too short datagram during 0-RTT handshakes (aws-lc only)
      BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only)

Ilia Shipitsin (4):
      CI: add weekly QUIC Interop regression against AWS-LC
      CI: harden NetBSD builds by ERR=1
      DEV: coccinelle: add a test to detect unchecked strdup()
      BUG/MINOR: fcgi-app: handle a possible strdup() failure

Valentine Krasnobaeva (9):
      MINOR: cfgparse: add struct cfgfile to represent config in memory
      REORG: tools: move list_append_word to cfgparse
      MINOR: startup: adapt list_append_word to use cfgfile
      MINOR: cfgparse: add load_cfg_in_mem
      MINOR: cfgparse: load_cfg_in_mem: take in account file size
      MINOR: tools: add fgets_from_mem
      MEDIUM: startup: make read_cfg() return immediately on ENOMEM
      MEDIUM: startup: load and parse configs from memory
      MINOR: startup: rename readcfgfile in parse_cfg

William Lallemand (7):
      MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD
      MINOR: quic: rename confusing wording aes to hp
      MEDIUM: quic: add key argument to header protection crypto functions
      MEDIUM: quic: implement CHACHA20_POLY1305 for AWS-LC
      BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC
      BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC
      BUILD: ssl: replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC

Willy Tarreau (26):
      MEDIUM: h1: allow to preserve keep-alive on T-E + C-L
      BUILD: cfgparse-quic: fix build error on Solaris due to missing netinet/in.h
      MINOR: queue: add a function to check for TOCTOU after queueing
      BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
      BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
      DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted
      MINOR: stconn: add a new pair of sf functions {bs,fs}.debug_str
      MINOR: mux-h2: implement the debug string for logs
      BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
      BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
      BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
      BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
      BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
      BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
      MINOR: trace: support setting the sink and level for all sources at once
      MINOR: session/trace: enable very minimal session tracing
      MEDIUM: trace: implement a "follow" mechanism
      MINOR: trace: move the known trace context into a dedicated struct
      MINOR: trace: add a per-source helper to pre-fill the context
      MINOR: mux-h2: add a trace context filling helper
      MINOR: mux-h1: add a trace context filling helper
      MINOR: mux-quic: don't leave dangling pointer after freeing qcs->sd
      MINOR: mux-quic: add a trace context filling helper
      MINOR: mux-h1/trace: add a state trace on stream creation/upgrade
      MINOR: mux-h2/trace: add a state trace on stream creation/destruction
      MINOR: mux-h3/trace: add a state trace on stream creation/destruction
---