Hi,
HAProxy 2.2.19 was released on 2021/11/29. It added 21 new commits
after version 2.2.18.
The main changes in this release concern shutdown management in the H1
and H2 multiplexers, so that a clean shutdown can still be performed when it
is delayed. This fixes an issue with the caching of TLS sessions: with the
migration to the muxes in 1.9-2.0, we lost the clean shutdown at the end of
the connection, which is also what commits the TLS session cache entry. This
work also allowed some hidden bugs to be fixed. Shutdowns at the conn-stream
level are now idempotent.
In addition to the above changes, the H2 multiplexer now drains data on
shutdown to make sure the GOAWAY frame is sent. Among other things, this
fixes failures of the h2spec tests in the CI. Finally, an old and incomplete
fix for H2 partial frames, which on rare occasions caused high CPU usage in
h2_io_cb(), was completed.
Some users reported occasional crashes in the cache (#1284 and #1451). We
finally found the explanation (a missing break), and this was fixed.
The evaluation of http-response rulesets was not aligned with what the
documentation says: an "allow" rule in a backend section could inhibit the
evaluation of the frontend rules, while it should only stop the evaluation
of the backend rules. This bug has existed since the beginning and only
concerns the "allow" rule. It was fixed, and the evaluation of
http-after-response rulesets was fixed in the same way.
William fixed some bugs in the SSL part. First, outgoing TLS connections
involving SNI couldn't be resumed with TLS 1.3, because calling
SSL_get_servername() on a resumed TLS 1.3 connection doesn't return the
previous SNI. Then, the wrong error was reported during the SSL handshake
when a non-matching SNI was found with the strict-sni option enabled, because
the clientHello callback was returning a success code: a "handshake failure"
alert was reported instead of "unrecognized name". As a side effect of this
bug, the connection was accepted in case of TLS resumption.
A bug in the validity checks for sample fetch functions was fixed. The
checks were only applied to the frontend capability of a proxy. This means
that using a small set of sample fetch functions (like "be_name()") in
proxies that are both a frontend and a backend ("listen" or "defaults")
would lead to a config error, even though it is technically valid. This
problem has always been there and was never reported.
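As an added configuration example (not part of the announcement or the HAProxy sources) illustrating both the http-response "allow" semantics fixed above and the be_name() validity fix; the section names, addresses and ports are placeholders:

```haproxy
# Added example (not from the announcement). Hostnames and ports are
# placeholders; the upstream servers are assumed to exist.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_web
    bind *:8080
    # For responses, backend rules are evaluated first, then frontend rules.
    # With the 2.2.19 fix this rule still runs even when the backend's
    # "allow" rule matched; before, the header was silently missing.
    http-response set-header X-Frontend-Rule applied
    default_backend be_app

backend be_app
    server app1 127.0.0.1:9000  # placeholder upstream
    # "allow" stops evaluation of the remaining BACKEND rules only.
    http-response allow if { status 200 }
    # Skipped for 200 responses, still applied to all other statuses.
    http-response set-header X-Backend-Rule applied

# A sample fetch with backend-only capability used in a section that is
# both a frontend and a backend: rejected at config check time before
# 2.2.19, accepted now.
listen lt_api
    bind *:8081
    http-response set-header X-Served-By %[be_name]
    server api1 127.0.0.1:9001  # placeholder upstream
```

Running "haproxy -c -f" on this file with 2.2.18 reports an error on the be_name line; with 2.2.19 it passes, and a 200 response through fe_web carries X-Frontend-Rule but not X-Backend-Rule.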
A bug with the "program" post-parser was fixed. It could be called with an
empty program list when a config parsing error occurred on reload after
another error, and could crash.
In addition, there is the usual bunch of small fixes and cleanups.
The next 2.0 release will be issued at the end of the week.
Thanks everyone for your help and your contributions!
Please find the usual URLs below:
Site index : http://www.haproxy.org/
Discourse : http://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Wiki : https://github.com/haproxy/wiki/wiki
Sources : http://www.haproxy.org/download/2.2/src/
Git repository : http://git.haproxy.org/git/haproxy-2.2.git/
Git Web browsing : http://git.haproxy.org/?p=haproxy-2.2.git
Changelog : http://www.haproxy.org/download/2.2/src/CHANGELOG
Cyril's HTML doc : http://cbonte.github.io/haproxy-dconv/
---
Complete changelog :
Christopher Faulet (11):
BUG/MEDIUM: stream-int: Block reads if channel cannot receive more data
BUG/MEDIUM: sample: Cumulate frontend and backend sample validity flags
BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
DOC: config: Fix typo in ssl_fc_unique_id description
BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
Revert "BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back"
DOC: lua: Be explicit with the Reply object limits
BUG/MEDIUM: conn-stream: Don't reset CS flags on close
BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
CLEANUP: ssl: Release cached SSL sessions on deinit
William Lallemand (3):
BUG/MINOR: mworker: doesn't launch the program postparser
BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
Willy Tarreau (7):
BUG/MINOR: sample: fix backend direction flags consecutive to last fix
BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
MINOR: mux-h2: perform a full cycle shutdown+drain on close
BUG/MEDIUM: mux-h2: always process a pending shut read
BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
BUG/MINOR: shctx: do not look for available blocks when the first one is enough
--
Christopher Faulet