Hi Willy.

On 06.02.2019 at 15:25, Willy Tarreau wrote:
> Hi,
>
> HAProxy 1.9.4 was released on 2019/02/06. It added 65 new commits
> after version 1.9.3.

Images are updated.

https://hub.docker.com/r/me2digital/haproxy-19-boringssl
https://hub.docker.com/r/me2digital/haproxy19

Maybe this patch was too late for 1.9.4, please can you consider adding it to
2.0 and later 1.9.5, thanks.

https://www.mail-archive.com/haproxy@formilux.org/msg32693.html

Regards
Aleks

> The main focus in terms of time spent was clearly on end-to-end H2
> correctness, which involves both the H2 protocol itself and the idle
> connections management. It's difficult to enumerate in detail all the
> issues that were addressed, but these generally range from not failing
> a connection when failing a stream can be sufficient to counting the
> number of pre-allocated streams on an idle outgoing connection to
> make sure it still has stream IDs left. Some server-side idle timeout
> errors could occasionally lead to the whole connection being closed.
>
> One check was added to prevent an HTX frontend from dynamically branching
> to a non-HTX backend (and conversely), as only the static branches were
> addressed till now.
>
> There were some improvements on memory allocation failures, a number of
> places were not tested anymore (or this was new code). Ah and a memory
> leak on the unique_id was addressed (it could happen with TCP instances
> when declared in a defaults section).
>
> Etags are now rewritten from strong to weak by the compression. I had no
> idea this concept of weak vs strong existed at all :-)
>
> And in addition to this, yesterday two other interesting problems were
> reported and addressed :
>   - the first one is about using certain L7 features at the load balancing
>     layer (such as "balance hdr") in HTX mode which could crash haproxy.
>     It was in fact caused by the loss of one patch during the multiple
>     liftings of the code prior to the merge. That's now fixed. I'm still
>     amazed we managed to lose only one patch in this ocean of code!
>
>   - the other one is quite nasty and impacts all supported versions.
>     Haproxy currently performs very deep compatibility tests on your rules,
>     frontends and backends after parsing the configuration. But a corner case
>     remained by which it was possible to have a frontend bound on, say,
>     processes 1 and 2, tracking a key stored in a table present only in
>     process 1 that would in turn rely on peers on process 1 as well. Here
>     there is a problem, when the frontend receives connections on process 2,
>     the resolved pointers for the table end up pointing to a completely
>     different location in a parallel universe, then peers are activated to
>     push the data while the section has been deallocated... So the relevant
>     checks have been added to make sure that a process doesn't try to
>     interact with a section that is not present for this process. This
>     covers the track-sc* actions, the sc_* sample keywords, and SPOE
>     filters. I was extremely cautious to cover the strict minimum so as not
>     to impact any harmless config. It *is* possible that one of your configs
>     will refuse to load if it is already bogus. Please note that if this
>     happens, it means this config is wrong and already presents the risk of
>     random crashes. *Do not* roll back if this happens, please ask for help
>     here instead. (I in fact expect that nobody will see these errors,
>     meaning that the amount of complex and bogus configs in field is rather
>     low).
>
> The rest is pretty low impact and standard.
>
> Please find the usual URLs below :
>    Site index       : http://www.haproxy.org/
>    Discourse        : http://discourse.haproxy.org/
>    Slack channel    : https://slack.haproxy.org/
>    Issue tracker    : https://github.com/haproxy/haproxy/issues
>    Sources          : http://www.haproxy.org/download/1.9/src/
>    Git repository   : http://git.haproxy.org/git/haproxy-1.9.git/
>    Git Web browsing : http://git.haproxy.org/?p=haproxy-1.9.git
>    Changelog        : http://www.haproxy.org/download/1.9/src/CHANGELOG
>    Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
>
> Willy
> ---
> Complete changelog :
> Christopher Faulet (2):
>       BUG/MEDIUM: mux-h1: Don't add "transfer-encoding" if message-body is forbidden
>       BUG/MAJOR: htx/backend: Make all tests on HTTP messages compatible with HTX
>
> Jérôme Magnin (1):
>       DOC: add a missing space in the documentation for bc_http_major
>
> Kevin Zhu (1):
>       BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
>
> Olivier Houchard (11):
>       BUG/MEDIUM: connections: Don't forget to remove CO_FL_SESS_IDLE.
>       MINOR: xref: Add missing barriers.
>       BUG/MEDIUM: peers: Handle mux creation failure.
>       BUG/MEDIUM: checks: Check that conn_install_mux succeeded.
>       BUG/MEDIUM: servers: Only destroy a conn_stream we just allocated.
>       BUG/MEDIUM: servers: Don't add an incomplete conn to the server idle list.
>       BUG/MEDIUM: checks: Don't try to set ALPN if connection failed.
>       BUG/MEDIUM: h2: In h2_send(), stop the loop if we failed to alloc a buf.
>       BUG/MEDIUM: servers: Close the connection if we failed to install the mux.
>       BUG/MEDIUM: buffer: Make sure b_is_null handles buffers waiting for allocation.
>       BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().
>
> Tim Duesterhus (2):
>       BUG/MEDIUM: compression: Rewrite strong ETags
>       DOC: compression: Update the reasons for disabled compression
>
> Willy Tarreau (48):
>       SCRIPTS: add the issue tracker URL to the announce script
>       BUG/MINOR: server: fix logic flaw in idle connection list management
>       BUG/MINOR: stream: don't close the front connection when facing a backend error
>       DOC: htx: make it clear that htxbuf() and htx_from_buf() always return valid pointers
>       MINOR: htx: never check for null htx pointer in htx_is_{,not_}empty()
>       MEDIUM: stream-int: always mark pending outgoing SI_ST_CON
>       MINOR: stream: don't wait before retrying after a failed connection reuse
>       MEDIUM: h2: always parse and deduplicate the content-length header
>       BUG/MINOR: mux-h2: always compare content-length to the sum of DATA frames
>       BUG/MEDIUM: mux-h2: only close connection on request frames on closed streams
>       BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window update
>       BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
>       BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
>       BUG/MEDIUM: mux-h2: do not abort HEADERS frame before decoding them
>       BUG/MINOR: mux-h2: make sure response HEADERS are not received in other states than OPEN and HLOC
>       MINOR: h2: add a generic frame checker
>       MEDIUM: mux-h2: check the frame validity before considering the stream state
>       CLEANUP: mux-h2: remove misleading leftover test on h2s' nullity
>       CLEANUP: mux-h2: clean the stream error path on HEADERS frame processing
>       CLEANUP: mux-h2: remove stream ID and frame length checks from the frame parsers
>       BUG/MINOR: mux-h2: make sure request trailers on aborted streams don't break the connection
>       MINOR: mux-h2: consistently rely on the htx variable to detect the mode
>       BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the connection
>       MINOR: stream-int: add a new flag to mention that we want the connection to be killed
>       MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
>       BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
>       MINOR: mux-h2: max-concurrent-streams should be unsigned
>       MINOR: mux-h2: make sure to only check concurrency limit on the frontend
>       MINOR: mux-h2: learn and store the peer's advertised MAX_CONCURRENT_STREAMS setting
>       BUG/MEDIUM: mux-h2: properly consider the peer's advertised max-concurrent-streams
>       BUG/MEDIUM: backend: always release the previous connection into its own target srv_list
>       BUG/MEDIUM: htx: check the HTX compatibility in dynamic use-backend rules
>       BUG/MINOR: backend: check srv_conn before dereferencing it
>       BUG/MEDIUM: mux-h2: always omit :scheme and :path for the CONNECT method
>       BUG/MEDIUM: mux-h2: always set :authority on request output
>       BUG/MINOR: config: fix bind line thread mask validation
>       BUG/MINOR: compression: properly report compression stats in HTX mode
>       BUG/MINOR: task: close a tiny race in the inter-thread wakeup
>       BUG/MAJOR: config: verify that targets of track-sc and stick rules are present
>       BUG/MAJOR: spoe: verify that backends used by SPOE cover all their callers' processes
>       MINOR: backend: move url_param_name/len to lbprm.arg_str/len
>       MINOR: backend: make headers and RDP cookie also use arg_str/len
>       MINOR: backend: add new fields in lbprm to store more LB options
>       MINOR: backend: make the header hash use arg_opt1 for use_domain_only
>       MINOR: backend: remap the balance uri settings to lbprm.arg_opt{1,2,3}
>       MINOR: backend: move hash_balance_factor out of chash
>       MEDIUM: backend: move all LB algo parameters into an union
>       BUG/MINOR: config: make sure to count the error on incorrect track-sc/stick rules
>
> ---
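
The process-coverage problem described in the quoted announcement can be checked for before upgrading. The following is an added example, not HAProxy's own code and not part of the original message: it is a simplified pre-flight linter that flags a proxy whose `track-sc*` rule names a table in a proxy that does not run on all of the caller's processes. The proxy names and sample configuration are constructed; `sc_*` sample keywords and SPOE filters are not covered.

```python
# Constructed sample configuration (not taken from the announcement).
SAMPLE_CFG = """
global
    nbproc 2
frontend fe_web
    bind-process 1 2
    http-request track-sc0 src table be_table
frontend fe_ok
    bind-process 1
    http-request track-sc0 src table be_table
backend be_table
    bind-process 1
    stick-table type ip size 100k expire 10m
"""

SECTIONS = {"global", "defaults", "peers", "frontend", "backend", "listen"}

def parse(cfg):
    """Return (nbproc, proxies). Assumption: bind-process holds plain
    numbers or "all"; an empty "procs" set means every process."""
    nbproc, proxies, cur = 1, {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:  # new section; only proxy sections are tracked
            is_proxy = words[0] in ("frontend", "backend", "listen")
            cur = proxies.setdefault(words[1], {"procs": set(), "tables": []}) if is_proxy else None
        elif words[0] == "nbproc":
            nbproc = int(words[1])
        elif cur is not None and words[0] == "bind-process":
            cur["procs"] = {int(w) for w in words[1:] if w.isdigit()}
        elif cur is not None and "table" in words[:-1] and any(w.startswith("track-sc") for w in words):
            cur["tables"].append(words[words.index("table") + 1])
    return nbproc, proxies

def uncovered(cfg):
    """List (proxy, table, processes) where tracking runs on a process lacking the table."""
    nbproc, proxies = parse(cfg)
    every = set(range(1, nbproc + 1))
    findings = []
    for name, proxy in proxies.items():
        for table in proxy["tables"]:
            # An unknown table name is a separate error and is not reported here.
            tprocs = proxies.get(table, {}).get("procs") or every
            missing = (proxy["procs"] or every) - tprocs
            if missing:
                findings.append((name, table, sorted(missing)))
    return findings
```

On the constructed sample, `uncovered(SAMPLE_CFG)` reports `fe_web` tracking into `be_table` from process 2, where the table is absent; binding `be_table` to processes 1 and 2 clears the finding.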