Hi,
HAProxy 1.9.2 was released on 2019/01/16. It added 58 new commits
after version 1.9.1.
It addresses a number of lower importance pending issues that were not
yet merged into 1.9.1, one bug in the cache and fixes some long-standing
limitations that were affecting H2.
The highest severity issue but the hardest to trigger as well is the
one affecting the cache, as it's possible to corrupt the shared memory
segment when using some asymmetric caching rules, and crash the process.
There is a workaround though, which consists in always making sure an
"http-request cache-use" action is always performed before an
"http-response cache-store" action (i.e. the conditions must match).
This bug already affects 1.8 and nobody noticed so I'm not worried :-)
The rest is of lower importance but mostly annoyance. One issue was
causing the mailers to spam the server in loops. Another one affected
idle server connections (I don't remember the details after seeing
several of them to be honest), apparently the stats page could crash
when using HTX, and there were still a few cases where stale HTTP/1
connections would never leave in HTX (after certain situations of client
timeout). The 0-RTT feature was broken when openssl 1.1.1 was released
due to the anti-replay protection being enabled by default there (which
makes sense since not everyone uses it with HTTP and proper support),
this is now fixed.
While we have been observing a slowly growing amount of orphaned connections
on haproxy.org last week (several per hour), and since the recent fixes we
could confirm that it's perfectly clean now.
There's a small improvement regarding the encryption of TLS tickets. We
used to support 128 bits only and it looks like the default setting
changed 2 years ago without us noticing. Some users were asking for 256
bit support, so that was implemented and backported. It will work
transparently as the key size is determined automatically. We don't
think it would make sense at this point to backport this to 1.8, but if
there is compelling demand for this Emeric knows how to do it.
Regarding the long-standing limitations affecting H2, some of you
probably remember that haproxy used not to support CONTINUATION frames,
which was causing an issue with one very old version of chromium, and
that it didn't support trailers, making it incompatible with gRPC (which
may also use CONTINUATION). This has constantly resulted in h2spec to
return 6 failed tests. These limitations could be addressed in 2.0-dev
relatively easily thanks to the much better new architecture, and I
considered it was right to backport these patches so that we don't have
to work around them anymore. I'd say that while from a developer's
perspective these limitations were not bugs ("works as designed"), from
the user's perspective they definitely were.
I could try this with the gRPC helloworld tests (which by the way support
H2 in clear text) :
haproxy$ cat h2grpc.cfg
defaults
mode http
timeout client 5s
timeout server 5s
timeout connect 1s
listen grpc
log stdout format raw local0
option httplog
option http-use-htx
bind :50052 proto h2
server srv1 127.0.0.1:50051 proto h2
haproxy$ ./haproxy -d -f h2grpc.cfg
grpc$ go run examples/helloworld/greeter_server/main.go &
grpc$ go run examples/helloworld/greeter_client/main.go haproxy
2019/01/04 11:11:40 Received: haproxy
2019/01/04 11:11:40 Greeting: Hello haproxy
(...)haproxy$ ./haproxy -d -f h2grpc.cfg
00000000:grpc.accept(0008)=000b from [127.0.0.1:37538] ALPN=<none>
00000000:grpc.clireq[000b:ffffffff]: POST /helloworld.Greeter/SayHello
HTTP/2.0
00000000:grpc.clihdr[000b:ffffffff]: content-type: application/grpc
00000000:grpc.clihdr[000b:ffffffff]: user-agent: grpc-go/1.18.0-dev
00000000:grpc.clihdr[000b:ffffffff]: te: trailers
00000000:grpc.clihdr[000b:ffffffff]: grpc-timeout: 994982u
00000000:grpc.clihdr[000b:ffffffff]: host: localhost:50052
00000000:grpc.srvrep[000b:000c]: HTTP/2.0 200
00000000:grpc.srvhdr[000b:000c]: content-type: application/grpc
00000000:grpc.srvcls[000b:000c]
00000000:grpc.clicls[000b:000c]
00000000:grpc.closed[000b:000c]
127.0.0.1:37538 [04/Jan/2019:11:11:40.705] grpc grpc/srv1 0/0/0/1/1 200 116
- - ---- 1/1/0/0/0 0/0 "POST /helloworld.Greeter/SayHello HTTP/2.0"
In the past we'd get an error from the client saying that the response
came without trailers. So now this limitation is expected to be just bad
old memories.
Last, some might have followed the updates around varnishtest. It
evolved into an autonomous project called VTest, but it used to be very
difficult to build due to remaining intimate dependencies with Varnish.
Poul-Henning and Fred and have addressed this and now it's trivial to
build and works like a charm. Given that varnishtest was still affected
by a few issues causing crashes on certain tests, it was about time to
complete the switch. Thus the Makefile now checks for a VTEST_PROGRAM
variable instead of VARNISHTEST_PROGRAM. Nothing else changes except it
doesn't fail on certain tests leaving zombie haproxy processes anymore.
We thought about keeping a fallback to the VARNISHTEST_PROGRAM variable
but quite frankly, there is only a handful of people using it at the
moment, all skilled enough to remove 6 characters in a variable name, so
it's better not to keep old dependencies like this as soon as possible,
and make sure 1.9 and 2.0-dev continue to use the same setups. Ah, and 5
new reg tests were backported. Please keep sending them, this definitely
improves the overall stability.
That's about all. With each major release we feel like version dot-2
works pretty well. This one is no exception. We'll see in 6 months if
it was wise :-)
Oh, I forgot one point. Lukas and Tim are currently working on setting
up the issue tracker on github. You may see things move around a bit
there. Please do not interfer with their activity for now and wait for
their signal to start using it. Big thanks to them for working on this,
it should save us from losing issues in the future and should help
getting better reports.
Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Sources : http://www.haproxy.org/download/1.9/src/
Git repository : http://git.haproxy.org/git/haproxy-1.9.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
Changelog : http://www.haproxy.org/download/1.9/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
Willy
---
Complete changelog :
Ben51Degrees (1):
BUG: 51d: Changes to the buffer API in 1.9 were not applied to the
51Degrees code.
Christopher Faulet (4):
BUG/MINOR: lua/htx: Respect the reserve when data are send from an HTX
applet
MINOR: spoe: Make the SPOE filter compatible with HTX proxies
BUG/MEDIUM: h1: Get the h1m state when restarting the headers parsing
BUG/MEDIUM: stats: Get the right scope pointer depending on HTX is used
or not
Daniel Corbett (1):
BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in
server-template
David Carlier (1):
BUILD/MEDIUM: da: Necessary code changes for new buffer API.
Emeric Brun (3):
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
BUG/MINOR: base64: dec func ignores padding for output size checking
MINOR: ssl: add support of aes256 bits ticket keys on file and cli.
Frédéric Lécaille (3):
REGTEST: "capture (request|response)" regtest.
REGTEST: Switch to vtest.
REGTEST: Adapt reg test doc files to vtest.
Jarno Huuskonen (4):
REGTESTS: test case for map_regm commit 271022150d
REGTESTS: Basic tests for concat,strcmp,word,field,ipmask converters
REGTESTS: Basic tests for using maps to redirect requests / select backend
DOC: REGTESTS README varnishtest -Dno-htx= define.
Olivier Houchard (6):
BUG/MEDIUM: h1: Make sure we destroy an inactive connectin that did shutw.
MEDIUM: sessions: Keep track of which connections are idle.
MINOR: checks: Store the proxy in checks.
BUG/MEDIUM: checks: Avoid having an associated server for email checks.
BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with
0RTT.
DOC: Be a bit more explicit about allow-0rtt security implications.
PiBa-NL (1):
REGTEST: filters: add compression test
Tim Duesterhus (1):
BUG/MINOR: stick_table: Prevent conn_cur from underflowing
Willy Tarreau (33):
BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
BUG/MEDIUM: connection: properly unregister the mux on failed
initialization
BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
BUG/MINOR: backend: balance uri specific options were lost across defaults
BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
MINOR: h2: add a bit-based frame type representation
MEDIUM: mux-h2: remove padlen during headers phase
MINOR: mux-h2: remove useless check for empty frame length in
h2s_decode_headers()
MEDIUM: mux-h2: decode HEADERS frames before allocating the stream
MINOR: mux-h2: make h2c_send_rst_stream() use the dummy stream's error
code
MINOR: mux-h2: add a new dummy stream for the REFUSED_STREAM error code
MINOR: mux-h2: fail stream creation more cleanly using RST_STREAM
MINOR: buffers: add a new b_move() function
MINOR: mux-h2: make h2_peek_frame_hdr() support an offset
MEDIUM: mux-h2: handle decoding of CONTINUATION frames
BUG/MINOR: mux-h2: set the stream-full flag when leaving
h2c_decode_headers()
BUG/MINOR: mux-h2: mark end-of-stream after processing response HEADERS,
not before
BUG/MINOR: mux-h2: only update rxbuf's length for H1 headers
MINOR: mux-h2: make h2c_decode_headers() return a status, not a count
MINOR: mux-h2: add a new dummy stream : h2_error_stream
MEDIUM: mux-h2: make h2c_decode_headers() support recoverable errors
BUG/MINOR: mux-h2: detect when the HTX EOM block cannot be added after
headers
MINOR: mux-h2: check for too many streams only for idle streams
MINOR: mux-h2: set H2_SF_HEADERS_RCVD when a HEADERS frame was decoded
BUG/MEDIUM: mux-h2: decode trailers in HEADERS frames
MINOR: h2: add h2_make_h1_trailers to turn H2 headers to H1 trailers
MEDIUM: mux-h2: pass trailers to H1 (legacy mode)
MINOR: htx: add a new function to add a block without filling it
MINOR: h2: add h2_make_htx_trailers to turn H2 headers to HTX trailers
MEDIUM: mux-h2: pass trailers to HTX
MINOR: mux-h2: make HTX_BLK_EOM processing idempotent
MINOR: h1: make the H1 headers block parser able to parse headers only
MEDIUM: mux-h2: emit HEADERS frames when facing HTX trailers blocks
---
