Hi,

HAProxy 1.9.2 was released on 2019/01/16. It added 58 new commits
after version 1.9.1.

It addresses a number of lower importance pending issues that were not
yet merged into 1.9.1, one bug in the cache and fixes some long-standing
limitations that were affecting H2.

The highest severity issue but the hardest to trigger as well is the
one affecting the cache, as it's possible to corrupt the shared memory
segment when using some asymmetric caching rules, and crash the process.
There is a workaround though, which consists in always making sure an
"http-request cache-use" action is performed before an
"http-response cache-store" action (i.e. the conditions must match).
This bug already affects 1.8 and nobody noticed so I'm not worried :-)
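To make the workaround concrete, here is an added configuration example (mine, not part of the announcement or of the HAProxy sources) showing the asymmetric pattern described above next to a symmetric form that keeps the two conditions in step. The cache name, backend names, ports and the /static/ path are made up for illustration, and the transaction-variable trick is my own way of reusing the request-side decision on the response side:

```haproxy
# Added example, not from the announcement. Names, ports and paths are
# made up; "static_cache" and "be_web*" are placeholders.

cache static_cache
    total-max-size 64      # MB of shared memory reserved for cached objects
    max-age 60             # seconds an object may be served from the cache

frontend fe_web
    bind :8080
    default_backend be_web

# --- Asymmetric rules (the problematic shape) ---
# cache-use only runs for /static/ requests, but cache-store runs for every
# response, so a response can reach cache-store without any lookup having
# been performed for its request. That is the combination the cache fix in
# 1.9.2 addresses; on unpatched 1.8/1.9 builds it can corrupt the shared
# memory segment and crash the process.
backend be_web_asymmetric
    http-request cache-use static_cache if { path_beg /static/ }
    http-response cache-store static_cache
    server s1 127.0.0.1:8081

# --- Symmetric rules (the workaround) ---
# Record the request-side decision in a transaction-scoped variable and
# test that variable on the response side, so cache-store can only fire
# where cache-use already ran.
backend be_web
    acl is_static path_beg /static/
    http-request set-var(txn.static) int(1) if is_static
    http-request cache-use static_cache if is_static
    http-response cache-store static_cache if { var(txn.static) -m int 1 }
    server s1 127.0.0.1:8081
```

Validate with `haproxy -c -f <file>` before reloading; the check only catches syntax, so the thing to review by eye is that every `cache-store` condition is implied by the matching `cache-use` condition.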

The rest is of lower importance but mostly annoyance. One issue was
causing the mailers to spam the server in loops. Another one affected
idle server connections (I don't remember the details after seeing
several of them to be honest), apparently the stats page could crash
when using HTX, and there were still a few cases where stale HTTP/1
connections would never leave in HTX (after certain situations of client
timeout). The 0-RTT feature was broken when openssl 1.1.1 was released
due to the anti-replay protection being enabled by default there (which
makes sense since not everyone uses it with HTTP and proper support),
this is now fixed.

We had been observing a slowly growing number of orphaned connections
on haproxy.org last week (several per hour); since the recent fixes we
can confirm that it's perfectly clean now.

There's a small improvement regarding the encryption of TLS tickets. We
used to support 128 bits only and it looks like the default setting
changed 2 years ago without us noticing. Some users were asking for 256
bit support, so that was implemented and backported. It will work
transparently as the key size is determined automatically. We don't
think it would make sense at this point to backport this to 1.8, but if
there is compelling demand for this Emeric knows how to do it.
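Since both the 0-RTT fix and the 256-bit ticket keys land on the same TLS bind line, here is one added configuration example (mine, not the project's own and not from the announcement) that shows the two together: a ticket key file whose key length selects AES-128 or AES-256 automatically, and `allow-0rtt` paired with the request-side guard that keeps replayable early data away from non-idempotent requests. Certificate and key file paths, frontend/backend names and ports are placeholders:

```haproxy
# Added example, not from the announcement. File paths, names and ports
# are placeholders.

frontend fe_tls
    # tls-ticket-keys points at a file with one base64-encoded key per
    # line (at least 3 lines; the newest is used to encrypt, older ones
    # still decrypt). A decoded 48-byte key (16-byte name + 16-byte
    # AES-128 key + 16-byte HMAC key) selects AES-128; a decoded 80-byte
    # key (16 + 32 + 32) selects AES-256. 1.9.2 picks the cipher from the
    # decoded length, so moving to 256-bit tickets only means regenerating
    # the file, e.g. one line per "openssl rand 80 | openssl base64 -A".
    bind :443 ssl crt /etc/haproxy/certs/site.pem tls-ticket-keys /etc/haproxy/tls-ticket.keys allow-0rtt

    # allow-0rtt accepts TLS 1.3 early data. Early data is replayable by
    # design (an on-path party can resend the same ciphertext), which is
    # why OpenSSL 1.1.1 enables anti-replay by default. Rather than rely
    # on that, only let idempotent requests be forwarded before the
    # handshake completes; everything else waits until the client is
    # proven live.
    http-request wait-for-handshake if ! METH_GET
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Rotate keys without a reload with `set ssl tls-key <file> <base64key>` on the stats socket, using a key of the same length as the file's existing ones. If you need finer control than a method check, the `ssl_fc_has_early` fetch tells you whether a request arrived as early data.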

Regarding the long-standing limitations affecting H2, some of you
probably remember that haproxy used not to support CONTINUATION frames,
which was causing an issue with one very old version of chromium, and
that it didn't support trailers, making it incompatible with gRPC (which
may also use CONTINUATION). This consistently resulted in h2spec
reporting 6 failed tests. These limitations could be addressed in 2.0-dev
relatively easily thanks to the much better new architecture, and I
considered it was right to backport these patches so that we don't have
to work around them anymore. I'd say that while from a developer's
perspective these limitations were not bugs ("works as designed"), from
the user's perspective they definitely were.

I could try this with the gRPC helloworld tests (which by the way support
H2 in clear text) :

   haproxy$ cat h2grpc.cfg
   defaults
        mode http
        timeout client 5s
        timeout server 5s
        timeout connect 1s

   listen grpc
        log stdout format raw local0
        option httplog
        option http-use-htx
        bind :50052 proto h2
        server srv1 127.0.0.1:50051 proto h2
   haproxy$ ./haproxy -d -f h2grpc.cfg

   grpc$ go run examples/helloworld/greeter_server/main.go &
   grpc$ go run examples/helloworld/greeter_client/main.go haproxy 
   2019/01/04 11:11:40 Received: haproxy
   2019/01/04 11:11:40 Greeting: Hello haproxy

   (...)haproxy$ ./haproxy -d -f h2grpc.cfg
   00000000:grpc.accept(0008)=000b from [127.0.0.1:37538] ALPN=<none>  
   00000000:grpc.clireq[000b:ffffffff]: POST /helloworld.Greeter/SayHello HTTP/2.0
   00000000:grpc.clihdr[000b:ffffffff]: content-type: application/grpc 
   00000000:grpc.clihdr[000b:ffffffff]: user-agent: grpc-go/1.18.0-dev   
   00000000:grpc.clihdr[000b:ffffffff]: te: trailers
   00000000:grpc.clihdr[000b:ffffffff]: grpc-timeout: 994982u
   00000000:grpc.clihdr[000b:ffffffff]: host: localhost:50052
   00000000:grpc.srvrep[000b:000c]: HTTP/2.0 200
   00000000:grpc.srvhdr[000b:000c]: content-type: application/grpc
   00000000:grpc.srvcls[000b:000c]
   00000000:grpc.clicls[000b:000c]
   00000000:grpc.closed[000b:000c]
   127.0.0.1:37538 [04/Jan/2019:11:11:40.705] grpc grpc/srv1 0/0/0/1/1 200 116 - - ---- 1/1/0/0/0 0/0 "POST /helloworld.Greeter/SayHello HTTP/2.0"

In the past we'd get an error from the client saying that the response
came without trailers. So now this limitation is expected to be just bad
old memories.

Last, some might have followed the updates around varnishtest. It
evolved into an autonomous project called VTest, but it used to be very
difficult to build due to remaining intimate dependencies with Varnish.
Poul-Henning and Fred have addressed this and now it's trivial to
build and works like a charm. Given that varnishtest was still affected
by a few issues causing crashes on certain tests, it was about time to
complete the switch. Thus the Makefile now checks for a VTEST_PROGRAM
variable instead of VARNISHTEST_PROGRAM. Nothing else changes except it
doesn't fail on certain tests leaving zombie haproxy processes anymore.
We thought about keeping a fallback to the VARNISHTEST_PROGRAM variable
but quite frankly, there is only a handful of people using it at the
moment, all skilled enough to remove 6 characters in a variable name, so
it's better to drop old dependencies like this as soon as possible,
and make sure 1.9 and 2.0-dev continue to use the same setups. Ah, and 5
new reg tests were backported. Please keep sending them, this definitely
improves the overall stability.

That's about all. With each major release we feel like version dot-2
works pretty well. This one is no exception. We'll see in 6 months if
it was wise :-)

Oh, I forgot one point. Lukas and Tim are currently working on setting
up the issue tracker on github. You may see things move around a bit
there. Please do not interfere with their activity for now and wait for
their signal to start using it. Big thanks to them for working on this,
it should save us from losing issues in the future and should help
getting better reports.

Please find the usual URLs below :
   Site index       : http://www.haproxy.org/
   Discourse        : http://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Sources          : http://www.haproxy.org/download/1.9/src/
   Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
   Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
   Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
   Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/

Willy
---
Complete changelog :
Ben51Degrees (1):
      BUG: 51d: Changes to the buffer API in 1.9 were not applied to the 51Degrees code.

Christopher Faulet (4):
      BUG/MINOR: lua/htx: Respect the reserve when data are send from an HTX applet
      MINOR: spoe: Make the SPOE filter compatible with HTX proxies
      BUG/MEDIUM: h1: Get the h1m state when restarting the headers parsing
      BUG/MEDIUM: stats: Get the right scope pointer depending on HTX is used or not

Daniel Corbett (1):
      BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in server-template

David Carlier (1):
      BUILD/MEDIUM: da: Necessary code changes for new buffer API.

Emeric Brun (3):
      BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
      BUG/MINOR: base64: dec func ignores padding for output size checking
      MINOR: ssl: add support of aes256 bits ticket keys on file and cli.

Frédéric Lécaille (3):
      REGTEST: "capture (request|response)" regtest.
      REGTEST: Switch to vtest.
      REGTEST: Adapt reg test doc files to vtest.

Jarno Huuskonen (4):
      REGTESTS: test case for map_regm commit 271022150d
      REGTESTS: Basic tests for concat,strcmp,word,field,ipmask converters
      REGTESTS: Basic tests for using maps to redirect requests / select backend
      DOC: REGTESTS README varnishtest -Dno-htx= define.

Olivier Houchard (6):
      BUG/MEDIUM: h1: Make sure we destroy an inactive connectin that did shutw.
      MEDIUM: sessions: Keep track of which connections are idle.
      MINOR: checks: Store the proxy in checks.
      BUG/MEDIUM: checks: Avoid having an associated server for email checks.
      BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
      DOC: Be a bit more explicit about allow-0rtt security implications.

PiBa-NL (1):
      REGTEST: filters: add compression test

Tim Duesterhus (1):
      BUG/MINOR: stick_table: Prevent conn_cur from underflowing

Willy Tarreau (33):
      BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
      BUG/MEDIUM: connection: properly unregister the mux on failed initialization
      BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
      BUG/MINOR: backend: balance uri specific options were lost across defaults
      BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
      MINOR: h2: add a bit-based frame type representation
      MEDIUM: mux-h2: remove padlen during headers phase
      MINOR: mux-h2: remove useless check for empty frame length in h2s_decode_headers()
      MEDIUM: mux-h2: decode HEADERS frames before allocating the stream
      MINOR: mux-h2: make h2c_send_rst_stream() use the dummy stream's error code
      MINOR: mux-h2: add a new dummy stream for the REFUSED_STREAM error code
      MINOR: mux-h2: fail stream creation more cleanly using RST_STREAM
      MINOR: buffers: add a new b_move() function
      MINOR: mux-h2: make h2_peek_frame_hdr() support an offset
      MEDIUM: mux-h2: handle decoding of CONTINUATION frames
      BUG/MINOR: mux-h2: set the stream-full flag when leaving h2c_decode_headers()
      BUG/MINOR: mux-h2: mark end-of-stream after processing response HEADERS, not before
      BUG/MINOR: mux-h2: only update rxbuf's length for H1 headers
      MINOR: mux-h2: make h2c_decode_headers() return a status, not a count
      MINOR: mux-h2: add a new dummy stream : h2_error_stream
      MEDIUM: mux-h2: make h2c_decode_headers() support recoverable errors
      BUG/MINOR: mux-h2: detect when the HTX EOM block cannot be added after headers
      MINOR: mux-h2: check for too many streams only for idle streams
      MINOR: mux-h2: set H2_SF_HEADERS_RCVD when a HEADERS frame was decoded
      BUG/MEDIUM: mux-h2: decode trailers in HEADERS frames
      MINOR: h2: add h2_make_h1_trailers to turn H2 headers to H1 trailers
      MEDIUM: mux-h2: pass trailers to H1 (legacy mode)
      MINOR: htx: add a new function to add a block without filling it
      MINOR: h2: add h2_make_htx_trailers to turn H2 headers to HTX trailers
      MEDIUM: mux-h2: pass trailers to HTX
      MINOR: mux-h2: make HTX_BLK_EOM processing idempotent
      MINOR: h1: make the H1 headers block parser able to parse headers only
      MEDIUM: mux-h2: emit HEADERS frames when facing HTX trailers blocks
