Hi,

HAProxy 3.2-dev6 was released on 2025/02/19. It added 51 new commits after version 3.2-dev5.

This release fixed 17 bugs (all already described in the 3.1.4 announcement). In addition, it brought a few updates:

  - Threads: the lock debugger now shows waiting times per bucket of 1ns to 1s. This makes it easier to focus on areas that show long tail wait times and even to figure out more suitable solutions.

  - H2: a pure Lua-based H2 framing decoder was added to dev/h2. It's convenient to observe frames exchanged between two sides through a TCP proxy and helped analyze certain reports or observe some behaviors. It makes use of the Lua filters, which are rather easy to use for such tools, so let's hope it will spark ideas to implement other analyzers in the future :-)

  - leastconn: the algorithm uses more locking than other ones because a server has to be moved once it gets a new connection and once one is released, so it's more sensitive to thread contention under high loads. It turns out that it does not need to be more accurate than the number of threads under extreme contention, so now we're only trying to move it back to its position upon release, otherwise we do it asynchronously. This has tremendously improved the performance (+60% on x86 with 48 threads, and +260% on ARM with 64 threads), and no divergence nor bad distribution could be measured. Those running on leastconn should observe a lower peak CPU usage or peaks happening less often.

  - the frontends now support a "crt" keyword that uses the same format as in crt-lists and that is common to all "bind" lines in the frontend. This has several purposes: first, make it easier to deal with a few tens of certificates without necessarily having to manage extra files. Second, it simplifies the declaration of sections featuring H1+H2+H3 that need multiple "bind" lines. Later it will be possible to specify on each bind line which set of crt it's going to use, but that's already a nice first step which will allow many of us to clean up their configs.

  - some QUIC mux internal architecture cleanups for better factorization

  - "show ssl cert <crt>" now displays all the file names associated with that certificate entry, not just the main one.

  - a few doc, regtest and CI updates

This will stabilize the situation for those who tested dev5 and had to revert following the APPCTX error on reload.

Please note, I've noticed a few old sessions (several days) on the haproxy.org server running on 3.2-dev5, all accessing the cache with compression. Not sure yet what caused them in dev5, we'll debug this. I'm not worried about 0.00157% of sessions leaking, it's just that it proves we have a bug that we'll need to find :-)

Those upgrading from dev5, just pay attention to your previous processes to check that they eventually quit. Before restarting, it could be worth checking if you also have any:

  $ socat /path/to/socket - <<< "show sess" | grep -m5 -o 'age=[0-9mhd]*'

The ages should be reasonably small if everything works well. Otherwise you might possibly have to manually kill the old process after the reload if you don't have the "hard-stop-after" directive.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (11):
      BUG/MINOR: quic: reserve length field for long header encoding
      BUG/MINOR: quic: fix CRYPTO payload size calcul for encoding
      MINOR: quic: simplify length calculation for STREAM/CRYPTO frames
      MINOR: quic: refactor STREAM encoding and splitting
      MINOR: quic: refactor CRYPTO encoding and splitting
      MINOR: quic: support frame type as a varint
      BUG/MINOR: quic: prevent crash on conn access after MUX init failure
      BUG/MINOR: mux-quic: prevent crash after MUX init failure
      MINOR: mux-quic: define a QCC application state member
      MINOR: mux-quic/h3: emit SETTINGS via MUX tasklet handler
      MINOR: mux-quic/h3: support temporary blocking on control stream sending

Christopher Faulet (7):
      BUG/MEDIUM: cli: Be sure to drop all input data in END state
      BUG/MINOR: cli: Wait for the last ACK when FDs are xferred from the old worker
      BUG/MEDIUM: filters: Handle filters registered on data with no payload callback
      BUG/MINOR: fcgi: Don't set the status to 302 if it is already set
      REGTESTS: Fix truncated.vtc to send 0-CRLF
      BUG/MINOR: mux-h2: Properly handle full or truncated HTX messages on shut
      Revert "REGTESTS: stop using truncated.vtc on freebsd"

William Lallemand (19):
      BUG/MINOR: mworker: section ignored in discovery after a post_section_parser
      BUG/MINOR: mworker: post_section_parser for the last section in discovery
      CLEANUP: mworker: "program" section does not have a post_section_parser anymore
      MEDIUM: initcall: allow to register mutiple post_section_parser per section
      CI: cirrus-ci: bump FreeBSD image to 14-2
      DOC: initcall: name correctly REGISTER_CONFIG_POST_SECTION()
      REGTESTS: stop using truncated.vtc on freebsd
      BUG/MINOR: ssl/cli: "show ssl crt-list" lacks client-sigals
      BUG/MINOR: ssl/cli: "show ssl crt-list" lacks sigals
      MINOR: ssl/cli: display more filenames in 'show ssl cert'
      MINOR: ssl: store the filenames resulting from a lookup in ckch_conf
      MINOR: startup: allow hap_register_feature() to enable a feature in the list
      BUG/MINOR: startup: leave at first post_section_parser which fails
      BUG/MINOR: startup: hap_register_feature() fix for partial feature name
      MINOR: ssl/crtlist: split the ckch_conf loading from the crtlist line parsing
      MINOR: ssl/crtlist: handle crt_path == cc->crt in crtlist_load_crt()
      MINOR: ssl/ckch: return from ckch_conf_clean() when conf is NULL
      MEDIUM: ssl/crtlist: "crt" keyword in frontend
      DOC: configuration: document the "crt" frontend keyword

Willy Tarreau (14):
      BUG/MEDIUM: debug: close a possible race between thread dump and panic()
      DEBUG: thread: report the spin lock counters as seek locks
      DEBUG: thread: make lock time computation more consistent
      DEBUG: thread: report the wait time buckets for lock classes
      DEBUG: thread: don't keep the redundant _locked counter
      DEBUG: thread: make lock_stat per operation instead of for all operations
      DEBUG: thread: reduce the struct lock_stat to store only 30 buckets
      MINOR: lbprm: add a new callback ->server_requeue to the lbprm
      MEDIUM: server: allocate a tasklet for asyncronous requeuing
      MAJOR: leastconn: postpone the server's repositioning under contention
      BUG/MEDIUM: fd: mark FD transferred to another process as FD_CLONED
      DOC: watchdog: document the sequence of the watchdog and panic
      DEV: h2: add a Lua-based HTTP/2 connection tracer
      DEV: h2: fix flags for the continuation frame
---
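
The "show sess" age check suggested in the announcement above can be turned into a threshold filter. The script below is an added example, not part of the original message nor HAProxy's own code: it converts each "age=" token to seconds and prints only the sessions older than a limit. The function names and the sample lines are constructed for illustration, and the d/h/m/s unit suffixes are assumed for the age format.

```shell
#!/bin/sh
# Added example: flag long-lived sessions in "show sess" output before a reload.

# awk helper: "3d7h", "4m10s", "42s" -> seconds; -1 if the token is not understood.
AGE_FN='
function age_secs(a,    t, n, u) {
    if (a == "") return -1
    t = 0
    while (match(a, /^[0-9]+[dhms]/)) {
        n = substr(a, 1, RLENGTH - 1) + 0
        u = substr(a, RLENGTH, 1)
        t += n * (u == "d" ? 86400 : (u == "h" ? 3600 : (u == "m" ? 60 : 1)))
        a = substr(a, RLENGTH + 1)
    }
    return (a == "") ? t : -1
}'

# age_to_seconds TOKEN: print the age in seconds (or -1).
age_to_seconds() {
    awk -v a="$1" "$AGE_FN"'BEGIN { print age_secs(a) }'
}

# old_sessions LIMIT_SECONDS: read "show sess" output on stdin and print
# "<id> <age> <seconds>" for every session older than the limit.
# Unparsable ages are reported too, so they are never silently dropped.
old_sessions() {
    awk -v limit="$1" "$AGE_FN"'
    {
        age = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^age=/) age = substr($i, 5)
        if (age == "") next
        secs = age_secs(age)
        if (secs < 0)           print $1, age, "unparsed"
        else if (secs > limit)  print $1, age, secs
    }'
}

# Constructed, abridged sample lines (real output carries many more fields).
sample_show_sess() {
    cat <<'EOF'
0x1000: proto=tcpv4 src=192.0.2.10:51234 fe=www be=app srv=s1 age=2s calls=3
0x2000: proto=tcpv4 src=192.0.2.11:40022 fe=www be=app srv=s2 age=4m10s calls=9
0x3000: proto=tcpv4 src=192.0.2.12:40100 fe=www be=cache srv=<none> age=3d7h calls=2
0x4000: proto=unix_stream src=unix:1 fe=GLOBAL be=<NONE> srv=<none> age=0s calls=1
EOF
}

# Live use: echo "show sess" | socat /path/to/socket - | old_sessions 3600
sample_show_sess | old_sessions 3600
```
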