Wed, 7 Aug 2024 at 18:48, Willy Tarreau <w...@1wt.eu>:

> Hi,
>
> HAProxy 3.1-dev5 was released on 2024/08/07. It added 88 new commits
> after version 3.1-dev4.
>
> There were quite a bunch of fixes this time, spread over various areas
> (h2, analysers, jwt, quic, 0-rtt, queues, traces), though nothing exciting
> at this point.
>

I'm not sure about the roadmap of aws-lc support in HAProxy, but from my
observation it has reached parity with QuicTLS:
(*) performance of OpenSSL-1.1.1 (in some cases even 20% faster due to
assembler implementation)
(*) being actively developed by AWS (derived from BoringSSL)
(*) all major QUIC features implemented
(*) no LTS cycles ((


>
> We've got a report of a user facing higher loads due to one of the new
> safety rules enforcements in the HTTP spec mandating that requests that
> contain both Transfer-Encoding and Content-Length had to work in close
> mode (to avoid smuggling on possible incompatible intermediary HTTP/1.0
> proxies), so we've added an option to relax this rule when the chain is
> trusted.
>
> On the QUIC side, Chacha20 and 0-RTT were fixed when using the aws-lc
> crypto library. A new ruleset "quic-initial" allows to filter packets
> during the QUIC handshake. The currently supported actions are "reject",
> "accept", "dgram-drop" (for a silent drop), and "send-retry" (to force
> a retry when in 0-RTT for example). It can significantly help against
> abuses or simply to enforce source-based filtering so that the client
> cannot even engage in a handshake. The quic traces will now also indicate
> how long a stream spent waiting for flow control, buffers, etc, which
> should help us explain why certain requests appear to be slow. Some
> Cubic-specific info is now also dumped in "show quic".
>
> The traces now permit some sources to follow other ones, so that when
> a source automatically triggers, the followers will automatically be
> enabled as well. One use case is to track the session, allowing to
> watch a communication between the frontend and the backend without
> being disturbed by the rest of the traffic. We've verified that we
> can follow a series of requests from a front QUIC connection to an
> HTTP/2 backend. This will allow us to simplify some captures. Also
> a new meta-source "all" is supported for some "trace" commands, to
> set the sink, the level and the source to follow. This will save a
> lot of debugging commands.
>
> A new pair of sample fetch functions, fs.debug_str() and bs.debug_str()
> can be used to complete the logs with useful debugging info from the
> lower layers (stream ID, flow-control etc). It appears important to
> continue to provide detailed troubleshooting elements because it has
> happened quite a few times since we have muxes that some logs would
> report an error, a timeout or something unusual and that it was a bit
> hard to figure what happened at the lower layers. Obviously with
> protocols like H2 and QUIC we can't tell the whole history but it should
> help quite a bit. For example the stream's pause times mentioned above
> will be there so it will be possible to correlate the request timers
> with some such elements.
>
> A more significant change concerns the loading of configuration files.
> Previously they were opened and parsed on the fly just once. With the
> pending master startup changes, the starting process will need to check
> in the global section if it's supposed to be the master process and stop
> there, and the worker will parse its own config. Since /dev/stdin works
> and is supported, it's not possible to open it twice. Instead it was
> decided that the config is pre-loaded in memory and processed from there
> so that it stays buffered. The config size in memory is not much of a
> concern given the huge amplification factor (40 to 100x) of a config
> represented in memory, so the temporary extra copy of the text-based one
> is small. There could be pitfalls, though, and it's always interesting to
> know if you find something that breaks it. We already know that loading
> /dev/zero will make it eat a lot of RAM for example, but we'll rather
> address all corner cases as a whole than each of them individually.
>
> And the rest is as usual, some build fixes, CI updates and doc updates.
>
> Quite honestly, if you're running large configs and/or are streaming your
> configs over SSH to a remote daemon for example, or doing anything fancy,
> your feedback on the config loading changes is really important to those
> working on this. Normally you should not notice a difference at this step.
>
> Please find the usual URLs below :
>    Site index       : https://www.haproxy.org/
>    Documentation    : https://docs.haproxy.org/
>    Wiki             : https://github.com/haproxy/wiki/wiki
>    Discourse        : https://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : https://www.haproxy.org/download/3.1/src/
>    Git repository   : https://git.haproxy.org/git/haproxy.git/
>    Git Web browsing : https://git.haproxy.org/?p=haproxy.git
>    Changelog        : https://www.haproxy.org/download/3.1/src/CHANGELOG
>    Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
>    Pending bugs     : https://www.haproxy.org/l/pending-bugs
>    Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
>    Code reports     : https://www.haproxy.org/l/code-reports
>    Latest builds    : https://www.haproxy.org/l/dev-packages
>
> Willy
> ---
> Complete changelog :
> Amaury Denoyelle (23):
>       MINOR: quic: delay Retry emission on quic-force-retry
>       MEDIUM: quic: implement quic-initial rules
>       MINOR: quic: support ACL for quic-initial rules
>       MINOR: quic: pass quic_dgram as obj_type for quic-initial rules
>       MINOR: quic: implement reject quic-initial action
>       MINOR: quic: implement send-retry quic-initial rules
>       BUG/MEDIUM: quic: fix invalid conn reject with CONNECTION_REFUSED
>       BUG/MEDIUM: quic: prevent conn freeze on 0RTT undeciphered content
>       MINOR: flags/mux-quic: decode qcc and qcs flags
>       BUG/MINOR: quic: fix fc_rtt/srtt values
>       BUG/MINOR: quic: fix fc_lost
>       BUG/MINOR: h1: do not forward h2c upgrade header token
>       BUG/MINOR: h2: reject extended connect for h2c protocol
>       MINOR: quic: convert qc_stream_desc release field to flags
>       MINOR: quic: implement function to check if STREAM is fully acked
>       BUG/MEDIUM: quic: handle retransmit for standalone FIN STREAM
>       MINOR: quic: enforce ACK reception is handled in order
>       MINOR: mux-quic: define dump functions for QCC and QCS
>       MINOR: mux-quic: implement debug string for logs
>       MINOR: quic: dump quic_conn debug string for logs
>       MINOR: time: define tot_time structure
>       MINOR: mux-quic: measure QCS lifetime and its blocking state
>       BUG/MINOR: quic: prevent freeze after early QCS closure
>
> Aurelien DARRAGON (3):
>       MEDIUM: sink: assume sft appctx stickiness
>       BUG/MEDIUM: server/addr: fix tune.events.max-events-at-once event miss and leak
>       MINOR: server: ensure max_events_at_once > 0 in server_atomic_sync()
>
> Christopher Faulet (9):
>       BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
>       DOC: config: Add documentation about spop mode for backends
>       BUG/MEDIUM: stconn: Report error on SC on send if a previous SE error was set
>       BUG/MEDIUM: mux-pt/mux-h1: Release the pipe on connection error on sending path
>       BUILD: mux-pt: Use the right name for the sedesc variable
>       BUG/MEDIUM: http-ana: Report error on write error waiting for the response
>       BUG/MEDIUM: h2: Only report early HTX EOM for tunneled streams
>       BUG/MEDIUM: mux-h2: Propagate term flags to SE on error in h2s_wake_one_stream
>       BUG/MEDIUM: peer: Notify the applet won't consume data when it waits for sync
>
> Frederic Lecaille (7):
>       BUG/MINOR: quic: Lack of precision when computing K (cubic only cc)
>       MINOR: quic: Add information to "show quic" for CUBIC cc.
>       MINOR: quic: Dump TX in flight bytes vs window values ratio.
>       MINOR: tcp_sample: Move TCP low level sample fetch function to control layer
>       MINOR: quic: Define ->get_info() control layer callback for QUIC
>       BUG/MINOR: quic: Too short datagram during 0-RTT handshakes (aws-lc only)
>       BUG/MINOR: quic: Too short datagram during packet building failures (aws-lc only)
>
> Ilia Shipitsin (4):
>       CI: add weekly QUIC Interop regression against AWS-LC
>       CI: harden NetBSD builds by ERR=1
>       DEV: coccinelle: add a test to detect unchecked strdup()
>       BUG/MINOR: fcgi-app: handle a possible strdup() failure
>
> Valentine Krasnobaeva (9):
>       MINOR: cfgparse: add struct cfgfile to represent config in memory
>       REORG: tools: move list_append_word to cfgparse
>       MINOR: startup: adapt list_append_word to use cfgfile
>       MINOR: cfgparse: add load_cfg_in_mem
>       MINOR: cfgparse: load_cfg_in_mem: take in account file size
>       MINOR: tools: add fgets_from_mem
>       MEDIUM: startup: make read_cfg() return immediately on ENOMEM
>       MEDIUM: startup: load and parse configs from memory
>       MINOR: startup: rename readcfgfile in parse_cfg
>
> William Lallemand (7):
>       MEDIUM: ssl/quic: implement quic crypto with EVP_AEAD
>       MINOR: quic: rename confusing wording aes to hp
>       MEDIUM: quic: add key argument to header protection crypto functions
>       MEDIUM: quic: implement CHACHA20_POLY1305 for AWS-LC
>       BUG/MEDIUM: ssl: reactivate 0-RTT for AWS-LC
>       BUG/MEDIUM: ssl: 0-RTT initialized at the wrong place for AWS-LC
>       BUILD: ssl: replace USE_OPENSSL_AWSLC by OPENSSL_IS_AWSLC
>
> Willy Tarreau (26):
>       MEDIUM: h1: allow to preserve keep-alive on T-E + C-L
>       BUILD: cfgparse-quic: fix build error on Solaris due to missing netinet/in.h
>       MINOR: queue: add a function to check for TOCTOU after queueing
>       BUG/MEDIUM: queue: deal with a rare TOCTOU in assign_server_and_queue()
>       BUG/MINOR: stconn: bs.id and fs.id had their dependencies incorrect
>       DOC: configuration: fix alphabetical ordering of {bs,fs}.aborted
>       MINOR: stconn: add a new pair of sf functions {bs,fs}.debug_str
>       MINOR: mux-h2: implement the debug string for logs
>       BUG/MINOR: trace/quic: enable conn/session pointer recovery from quic_conn
>       BUG/MINOR: trace/quic: permit to lock on frontend/connect/session etc
>       BUG/MEDIUM: trace: fix null deref in lockon mechanism since TRACE_ENABLED()
>       BUG/MINOR: trace: automatically start in waiting mode with "start <evt>"
>       BUG/MINOR: trace/quic: make "qconn" selectable as a lockon criterion
>       BUG/MINOR: quic/trace: make quic_conn_enc_level_init() emit NEW not CLOSE
>       MINOR: trace: support setting the sink and level for all sources at once
>       MINOR: session/trace: enable very minimal session tracing
>       MEDIUM: trace: implement a "follow" mechanism
>       MINOR: trace: move the known trace context into a dedicated struct
>       MINOR: trace: add a per-source helper to pre-fill the context
>       MINOR: mux-h2: add a trace context filling helper
>       MINOR: mux-h1: add a trace context filling helper
>       MINOR: mux-quic: don't leave dangling pointer after freeing qcs->sd
>       MINOR: mux-quic: add a trace context filling helper
>       MINOR: mux-h1/trace: add a state trace on stream creation/upgrade
>       MINOR: mux-h2/trace: add a state trace on stream creation/destruction
>       MINOR: mux-h3/trace: add a state trace on stream creation/destruction
>
> ---
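A constructed HAProxy frontend, added here as an example (it is not part of the announcement above), showing the new "quic-initial" ruleset with its four actions together with the fs.debug_str()/bs.debug_str() sample fetches in a log-format. The addresses, certificate path and blocklist file are placeholders, and the example assumes that only address-level fetches such as "src" are usable at Initial-packet time, before any connection state exists.

```haproxy
# Added example, not from the mail. Placeholder paths and addresses.
global
    log stdout format raw local0

defaults
    log global
    mode http
    timeout client 30s
    timeout server 30s
    timeout connect 5s

frontend fe_quic
    bind quic4@0.0.0.0:443 ssl crt /etc/haproxy/certs/example.pem alpn h3

    # quic-initial rules run on Initial packets, before the handshake is
    # engaged, so a rejected client never gets to allocate connection state.
    # Silently discard datagrams from a known-bad list (no reply at all).
    quic-initial dgram-drop if { src -f /etc/haproxy/quic-blocklist.lst }
    # Explicitly refuse clients outside the allowed source ranges.
    quic-initial reject unless { src 10.0.0.0/8 192.168.0.0/16 }
    # Force address validation with a Retry for sources we want to slow
    # down (e.g. to limit 0-RTT abuse); everything else is accepted.
    quic-initial send-retry if { src -f /etc/haproxy/quic-retry.lst }
    quic-initial accept

    # Append the lower-layer debug strings (stream ID, flow control,
    # blocking times) so slow or aborted requests can be correlated
    # with mux-level state from the log line alone.
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %{+Q}r fs=%[fs.debug_str] bs=%[bs.debug_str]"

    default_backend be_h2

backend be_h2
    # Cleartext HTTP/2 to the application server (placeholder address).
    server app1 10.0.0.10:8080 proto h2
```

Validate with "haproxy -c -f <file>" before reloading; a 3.1-dev5 build (or later) is required for "quic-initial" and the debug_str fetches to be recognised.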