Hi,
HAProxy 2.4.9 was released on 2021/11/23. It added 36 new commits
after version 2.4.8.
In the previous release, fixes to shutdown management in the muxes exposed
some hidden bugs. Since the muxes were introduced in 1.8, shutdowns at the
conn-stream level were not fully idempotent. Until recently this was not an
issue, but in 2.4.8 some users observed that closing client connections on
the HAProxy side was delayed by the client timeout, because the silent mode
was used instead of the clean one to shut down the connection. In addition,
true silent shutdowns were not properly handled in the H1 multiplexer when
outgoing data were blocked, which also delayed the closing of connections.
An H2 multiplexer fix to drain data and make sure the GOAWAY frame is sent
was announced in 2.4.8, but one patch was missing. Another side effect of
this missing patch was that TLS sessions were not cached as expected. This is
now fixed. Still in the H2 multiplexer, an old fix for H2 partial frames was
incomplete and caused high CPU usage in h2_io_cb() on some rare occasions.
Some users reported occasional crashes in the cache (#1284 and #1451). We
finally found the explanation (a missing break), and this was fixed. The
"show cache" CLI command was also made thread-safe: under high load, it was
possible to dereference a node already reassigned, leading to a crash.
Finally, parsing of "max-age" or "s-maxage" was improved to properly ignore
an unparsable value in quotes.
A bug in the "program" post-parser was fixed. It could be called with an
empty program list when a config parsing error occurred on a reload following
another error, and could crash.
Recent adjustments to the backend support for WebSocket over HTTP/2 were
backported. They allow falling back on an HTTP/1 connection if WebSockets
are not supported over HTTP/2. In addition, the server keyword "ws" can be
used to tune this.
http-response ruleset evaluation was not aligned with what the documentation
says. It was possible to inhibit the evaluation of the frontend rules with an
"allow" rule in the backend section, while it should only stop the evaluation
of the backend rules. This bug has existed since the beginning and only
concerns the "allow" rule. It was fixed, and http-after-response ruleset
evaluation was fixed in the same way.
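As an added illustration (not part of this announcement or of the HAProxy sources), a minimal configuration that exercises the corrected "allow" semantics; the frontend, backend, header names and addresses are made up. Response rules run in the backend section first, then in the frontend section.

```haproxy
frontend fe_web
    bind :8080
    # Frontend response rule: expected on every response, whatever the
    # backend rules decide. Before 2.4.9 it was skipped for 200 responses,
    # because the backend "allow" below stopped frontend evaluation too.
    http-response set-header X-Frame-Options DENY
    default_backend be_app

backend be_app
    # "allow" stops the evaluation of the remaining BACKEND rules only...
    http-response allow if { status 200 }
    # ...so this backend rule is skipped for 200 responses but still applies
    # to other status codes (e.g. a 404).
    http-response set-header X-Backend-Note not-a-200
    server app1 127.0.0.1:8000
```

With 2.4.9, a 200 response carries X-Frame-Options but not X-Backend-Note, while a 404 carries both; a missing X-Frame-Options on 200 responses is the signature of the old behaviour.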
Support for the backend aggregated server check status in the Prometheus
exporter was backported. Thanks to this feature, the number of servers per
health-check status is now reported at the backend level.
William fixed some bugs in the SSL part. First, outgoing TLS connections
involving SNI couldn't be resumed with TLS 1.3, because calling
SSL_get_servername() on a resumed connection doesn't return the previous SNI
with TLS 1.3. Then, the wrong error was reported during the SSL handshake
when a non-matching SNI was found with the strict-sni option enabled, because
the clientHello callback was returning a success code: a "handshake failure"
was reported instead of "unrecognized name". As a side effect of this bug,
the connection was accepted in case of a TLS resumption. Finally, thanks to
Willy, the SSL counters are now updated atomically.
The detection of the need for libatomic in the makefile was modified so that
it is no longer hard-coded per architecture but instead detects what the
compiler says it needs. This made it possible to remove the arm/aarch64 hacks
on Linux and also allows MIPS and RISC-V to work as expected. In addition,
it's now trivial to force it if desired.
In addition, the usual bunch of small fixes and cleanups.
2.3.16 will be released quite soon. The next 2.2 and 2.0 releases are
planned for next week.
Thanks everyone for your help and your contributions!
Please find the usual URLs below:
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.4/src/
Git repository : http://git.haproxy.org/git/haproxy-2.4.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.4.git
Changelog : http://www.haproxy.org/download/2.4/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Amaury Denoyelle (7):
MINOR: mux-h2: add trace on extended connect usage
BUG/MEDIUM: mux-h2: reject upgrade if no RFC8441 support
MINOR: stream/mux: implement websocket stream flag
MINOR: connection: implement function to update ALPN
MINOR: connection: add alternative mux_ops param for conn_install_mux_be
MEDIUM: server/backend: implement websocket protocol selection
MINOR: server: add ws keyword
Christopher Faulet (10):
DOC: config: Fix typo in ssl_fc_unique_id description
BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back"
DOC: lua: Be explicit with the Reply object limits
MINOR: mux-h1: Slightly Improve H1 traces
BUG/MEDIUM: conn-stream: Don't reset CS flags on close
BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
BUG/MEDIUM: mux-h1: Handle delayed silent shut in h1_process() to release H1C
BUG/MINOR: cache: Fix loop on cache entries in "show cache"
Emeric Brun (2):
BUG/MINOR: resolvers: fix sent messages were counted twice
BUG/MINOR: resolvers: throw log message if trash not large enough for query
William Dauchy (1):
MINOR: promex: backend aggregated server check status
William Lallemand (5):
BUG/MINOR: mworker: doesn't launch the program postparser
BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
BUG/MINOR: ssl: free correctly the sni in the backend SSL cache
CLEANUP: ssl: fix wrong #else commentary
BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
Willy Tarreau (11):
MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
MINOR: mux-h2: perform a full cycle shutdown+drain on close
BUG/MINOR: cache: properly ignore unparsable max-age in quotes
BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
BUILD: makefile: simplify detection of libatomic
BUG/MEDIUM: mux-h2: always process a pending shut read
BUG/MEDIUM: cache/cli: make "show cache" thread-safe
BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
BUG/MINOR: shctx: do not look for available blocks when the first one is enough
MINOR: shctx: add a few BUG_ON() for consistency checks
BUG/MINOR: ssl: make SSL counters atomic
--
Christopher Faulet