Hi,

HAProxy 3.2-dev7 was released on 2025/03/07. It added 87 new commits after version 3.2-dev6.

25 bugs were fixed in this release, among which 9 tagged medium, half of which aimed at making thread dumps more reliable ("show threads" and backtraces from the watchdog timer).

Aside from the usual bug fixes, we're also having more sensitive changes in this version:

  - Just like H2, QUIC now also supports a larger Rx window in order to significantly speed up uploads (POST requests). By default, up to 90% of the allocatable rx buffers can be assigned to rx buffers, which can easily multiply the upload speed by 20-30 on high latency links. Please if you are using QUIC with a site dealing with uploads, give this a try and share some feedback. This will help us decide what tunables we might want to make accessible from the configuration.

  - unit tests: now when building with -DDEBUG_UNIT, a new -U argument will allow to name a function to be called after the conf is parsed, in order to run a unit test. A new build target "unit-tests" runs over them all. Hopefully this will encourage all devs to provide more unit tests directly in the code that can directly benefit from all the internal infrastructure without having to write extra programs in the tests/ subdirs.

  - idle backend connections are normally never shared between thread groups, they're only shared between threads. The reason is the possibly high cost of accessing other groups' lists. But when using reverse-http, this poses a problem in case all pre-established connections are in use on a different thread group from the one having to process a request, because it's not possible to establish new ones. Thus it now becomes possible to also steal idle connections from other groups in situations like this one where there is no other solution. And given that this is super rare, the extra cost of doing so remains imperceptible.

  - there's now a new option "strict-maxconn" on the servers that allows to enforce a strict maxconn check. Indeed, originally when there was no keep-alive, the number of connections was the same as the number of outgoing requests. When keep-alive arrived with idle connections, the decision was made not to break existing setups and to subject concurrent requests to the maxconn limit since it's what describes the processing cost incurred to the server. But this means that a server can see more connections when idle ones are accounted. In some rare cases, limited servers which cannot deal with idle connections could refrain from processing new connections. This was essentially observed with SPOE though we could imagine the same if someone uses, say, netcat as an HTTP server with a single connection. The new option enforces the strict limit and will either enforce the reuse of existing connections even from other thread groups, or actively kill unusable idle conns before opening new ones. Of course one must only use that as a last resort since it may reduce the connection reuse ratio, but it may be useful to work around certain components' limitations.

  - HTTP compression can now specify with "minsize-req" and "minsize-res" below which size the payload is not worth compressing. Indeed, for small objects, it's just a waste of time on both ends, and even of bandwidth if the savings are lower than the extra Content-Encoding header!

  - the "accept-unsafe-violations-in-http-request" and its response counterpart now also accept websocket upgrade requests lacking the sec-websocket-key and sec-websocket-accept, as a use case was reported from API clients not producing them on internal networks. However, just like for H2, a fresh new header will still be produced on output, so this can also be used to make a non-compliant client talk to a compliant server.

  - the log-forward sections now support options to relax the message validation (dont-parse-log and assume-rfc6587-ntf).

  - the "accept_date" and "request_date" sample fetch functions now take care of falling back to the session's date if no stream was instantiated yet, e.g. when logging SSL handshake errors, instead of leaving empty fields. Now I'm wondering if we shouldn't consider this as a bug fix and backport it. Probably.

  - "show sess" on the CLI can now filter streams attached to a server, a backend or a frontend. The real use case is typically to automatically dump streams refusing to die after "shutdown server sessions", but there may be plenty of other valid cases such as focusing only on certain applications.

  - the changes needed to make stream dumps more reliable have an impact which is that warning dumps and "show threads" will not always resolve symbols (only for their own threads but no longer for others), as we've found cases where if another one was already doing the same, we could deadlock in the libc... Since the vast majority of users are not particularly interested in looking at the detailed output of "show threads", this is not a problem but I preferred to mention it as a visible change.

The rest is the usual CI updates, and cleanups over doc, regtests, etc.

Last point, time flies, and at the end of the month we'll be 2 months from the release, so we'll have to calm down on changes to reserve time for fixes coming from late testing. Let's leave sensitive changes for the next two dev releases only, i.e. till dev9 and from that point we'll have to focus on lighter stuff. Thus if you still have tricky changes pending, don't wait for upstreaming them.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (16):
      BUG/MINOR: h3: do not report transfer as aborted on preemptive response
      CLEANUP: h3: fix documentation of h3_rcv_buf()
      MINOR: hq-interop: properly handle incomplete request
      BUG/MINOR: hq-interop: fix leak in case of rcv_buf early return
      TESTS: quic: create first quic unittest
      MINOR: h3/hq-interop: restore function for standalone FIN receive
      MINOR/OPTIM: mux-quic: do not allocate rxbuf on standalone FIN
      MINOR: mux-quic: refine reception of standalone STREAM FIN
      MINOR: mux-quic: define globally stream rxbuf size
      MINOR: mux-quic: define rxbuf wrapper
      MINOR: mux-quic: store QCS Rx buf in a single-entry tree
      MINOR: mux-quic: adjust Rx data consumption API
      MINOR: mux-quic: adapt return value of qcc_decode_qcs()
      MAJOR: mux-quic: support multiple QCS RX buffers
      MEDIUM: mux-quic: handle too short data splitted on multiple rxbuf
      MAJOR: mux-quic: increase stream flow-control for multi-buffer alloc

Aurelien DARRAGON (14):
      REGTESTS: fix reg-tests/server/abnsz.vtc
      BUG/MINOR: log: fix outgoing abns address family
      BUG/MINOR: sink: add tempo between 2 connection attempts for sft servers
      MINOR: clock: always use atomic ops for global_now_ms
      CLEANUP: log: removing "log-balance" references
      BUG/MINOR: log: set proper smp size for balance log-hash
      MINOR: log: use __send_log() with exact payload length
      MEDIUM: log: postpone the decision to send or not log with empty messages
      MINOR: proxy: make pr_mode enum bitfield compatible
      MINOR: cfgparse-listen: add and use cfg_parse_listen_match_option() helper
      BUG/MINOR: cfgparse/peers: fix inconsistent check for missing peer server
      BUG/MINOR: cfgparse/peers: properly handle ignored local peer case
      BUG/MINOR: server: dont return immediately from parse_server() when skipping checks
      MINOR: cfgparse/peers: provide more info when ignoring invalid "peer" or "server" lines

Christopher Faulet (3):
      BUG/MEDIUM: applet: Don't handle EOI/EOS/ERROR is applet is waiting for room
      BUG/MEDIUM: spoe/mux-spop: Introduce an NOOP action to deal with empty ACK
      BUG/MEDIUM: mux-fcgi: Try to fully fill demux buffer on receive if not empty

Damien Claisse (1):
      BUG/MINOR: cfgparse-tcp: relax namespace bind check

Dragan Dosen (2):
      BUG/MEDIUM: server: properly initialize PROXY v2 TLVs
      BUG/MINOR: server: fix the "server-template" prefix memory leak

Ilia Shipitsin (2):
      CI: QUIC Interop: clean old docker images
      BUILD: add possibility to use different QuicTLS variants

Olivier Houchard (8):
      MEDIUM: fd: Wait if locked in fd_grab_tgid() and fd_take_tgid().
      MINOR: fd: Add fd_lock_tgid_cur().
      MEDIUM: epoll: Make sure we can add a new event
      MINOR: pollers: Add a fixup_tgid_takeover() method.
      MEDIUM: pollers: Drop fd events after a takeover to another tgid.
      MEDIUM: connections: Allow taking over connections from other tgroups.
      MEDIUM: servers: Add strict-maxconn.
      DEBUG: init: Add a macro to register unit tests

Roberto Moreda (3):
      MINOR: log: add options eval for log-forward
      MINOR: log: detach prepare from parse message
      MINOR: log: add dont-parse-log and assume-rfc6587-ntf options

Valentine Krasnobaeva (4):
      BUG/MINOR: cfgparse: fix NULL ptr dereference in cfg_parse_peers
      MINOR: sample: allow custom date format in error-log-format
      BUG/MEIDUM: startup: return to initial cwd only after check_config_validity()
      MINOR: startup: adjust alert messages, when capabilities are missed

Vincent Dechenaux (1):
      MINOR: compression: Introduce minimum size

William Lallemand (15):
      MINOR: jws: implement a JWK public key converter
      DEBUG: init: add a way to register functions for unit tests
      TESTS: add a unit test runner in the Makefile
      TESTS: jws: register a unittest for jwk
      CI: github: run make unit-tests on the CI
      TESTS: add config smoke checks in the unit tests
      MINOR: jws: conversion to NIST curves name
      CI: github: remove smoke tests from vtest.yml
      TESTS: ist: fix wrong array size
      TESTS: ist: use the exit code to return a verdict
      TESTS: ist: add a ist.sh to launch in make unit-tests
      CI: github: fix h2spec.config proxy names
      TESTS: change the output of run-unittests.sh
      TESTS: unit-tests: store sh -x in a result file
      CI: github: show results of the Unit tests

Willy Tarreau (18):
      BUG/MEDIUM: uxst: fix outgoing abns address family in connect()
      BUG/MINOR: stream: do not call co_data() from __strm_dump_to_buffer()
      BUG/MINOR: mux-h1: always make sure h1s->sd exists in h1_dump_h1s_info()
      MINOR: tinfo: add a new thread flag to indicate a call from a sig handler
      BUG/MEDIUM: stream: never allocate connection addresses from signal handler
      MINOR: freq_ctr: provide non-blocking read functions
      BUG/MEDIUM: stream: use non-blocking freq_ctr calls from the stream dumper
      MINOR: tools: use only opportunistic symbols resolution
      CLEANUP: task: move the barrier after clearing th_ctx->current
      BUG/MINOR: h2: always trim leading and trailing LWS in header values
      MINOR: tinfo: split the signal handler report flags into 3
      BUG/MEDIUM: stream: don't use localtime in dumps from a signal handler
      OPTIM: connection: don't try to kill other threads' connection when !shared
      MINOR: h1: permit to relax the websocket checks for missing mandatory headers
      BUG/MINOR: server: check for either proxy-protocol v1 or v2 to send hedaer
      BUG/MINOR: stream: fix age calculation in "show sess" output
      MINOR: stream/cli: rework "show sess" to better consider optional arguments
      MINOR: stream/cli: make "show sess" support filtering on front/back/server

---
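
Added example, not part of the announcement and not HAProxy code: a Python check for the websocket headers that the relaxed "accept-unsafe-violations-in-http-request" handling now tolerates when absent, useful for finding which internal clients omit sec-websocket-key before enabling the option. The function names, host name and sample requests are constructed for illustration; the key/accept derivation follows RFC 6455.

```python
import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant defined by RFC 6455

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values for one HTTP/1.1 message head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def key_is_valid(key: str) -> bool:
    """A Sec-WebSocket-Key must be the base64 form of exactly 16 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except ValueError:                           # also covers binascii.Error
        return False

def fresh_key() -> str:
    """Random key in the form RFC 6455 requires, for when the client sent none."""
    return base64.b64encode(os.urandom(16)).decode("ascii")

def accept_for(key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server returns for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def classify_request(raw: bytes) -> str:
    h = parse_headers(raw)
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return "not-websocket"
    key = h.get("sec-websocket-key")
    if key is None:
        return "missing-key"                     # the case the relaxed option tolerates
    return "compliant" if key_is_valid(key) else "invalid-key"

# Constructed sample requests (not captured traffic).
COMPLIANT = (b"GET /chat HTTP/1.1\r\nHost: api.internal.example\r\nUpgrade: websocket\r\n"
             b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
             b"Sec-WebSocket-Version: 13\r\n\r\n")
NO_KEY = (b"GET /chat HTTP/1.1\r\nHost: api.internal.example\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\n\r\n")
```
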
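
Added example, not part of the announcement and not HAProxy code: a Python measurement of the point made above about "minsize-req" and "minsize-res", that compressing a small body can cost more bytes than it saves once the extra Content-Encoding header is counted. It assumes gzip, an HTTP/1.1 header line, sizes in bytes, and constructed JSON bodies; the function names are illustrative.

```python
import gzip
import json

# Extra header line sent with a compressed HTTP/1.1 message (24 bytes).
CE_HEADER = b"content-encoding: gzip\r\n"

def net_saving(body: bytes, level: int = 6) -> int:
    """Bytes saved on the wire by gzip, after paying for the extra header.

    A negative result means compression made the message larger.
    """
    compressed = gzip.compress(body, compresslevel=level, mtime=0)
    return len(body) - (len(compressed) + len(CE_HEADER))

def make_json(n_items: int) -> bytes:
    """Constructed sample body: a JSON array of n small, similar objects."""
    return json.dumps([{"id": i, "status": "ok"} for i in range(n_items)]).encode()

def suggest_minsize(bodies):
    """Smallest body size from which every larger sample still saves bytes.

    Walks the samples from largest to smallest and stops at the first one
    where compression no longer pays off. Returns None if even the largest
    sample does not benefit.
    """
    threshold = None
    for body in sorted(bodies, key=len, reverse=True):
        if net_saving(body) <= 0:
            break
        threshold = len(body)
    return threshold

if __name__ == "__main__":
    samples = [make_json(n) for n in range(40)]
    for body in samples[:6]:
        print(f"{len(body):5d} bytes -> net saving {net_saving(body):5d}")
    print("candidate minimum size:", suggest_minsize(samples))
```

Run against bodies representative of the real traffic, the returned size is a starting point for the two settings rather than a fixed recommendation.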