Hi,

HAProxy 2.7.5 was released on 2023/03/17. It added 26 new commits after version 2.7.4.
This version primarily focuses on fixes:

- Christopher fixed the issue mentioned last week affecting the CLI on UNIX sockets that was causing some connections not to close properly, so the workaround consisting of increasing "stats maxconn" is no longer needed.

- The security researchers team "CertiK Skyfall Team" found a possible crash in the QPACK decoder used by HTTP/3 due to an insufficiently checked index causing an out-of-bounds read.

- Some SSL-only errors could be reported at the connection level, but that error prevented the mux H1 from consulting and flushing the last data and the error, possibly causing loops involving mux-h1 until the stream times out and closes.

- A recent fix for the idle connections was insufficient and/or incorrect, because it could result in a connection removal being counted twice, and the number of idle conns either growing a lot, or underflowing. The effect could be an excess of idle connections to a server, possibly preventing new connections from establishing.

- Upon reload, health checks were not properly stopped in pure backends; that was only done in listen sections because only proxies having listeners were stopped. This has been the case since 2.4 despite the doc, and resolvers experienced the same since 2.6.

- It could happen that in HTTP/1 the 408-Request-timeout wasn't delivered to the client because the timeout was promoted to an error, preventing any future write from being done.

- Aurélien found that fc_dst_port() and fc_dst_is_local() could occasionally fail because a condition was placed on the ability to retrieve the source instead of the destination, so they would work if the destination had already been retrieved, and fail otherwise.

- Fred addressed a few possible QUIC crashes related to invalid stream frame lengths triggering assertions.

- The H2 mux supports chaining multiple buffers at the connection level in order to store the data from many streams. However if a connection is severely congested, we could go back to the initial single-buffer situation where releasing a few kB of data would cause all waiting streams to be woken up, with only one of them succeeding in sending something. The symptoms are a lower H2 bit rate, a high CPU usage, a significant presence of sc_conn_io_cb() in the run queue in "show tasks" (typically 90% of places) and 5-20 times more calls to sc_conn_io_cb() from h2_resume_each_sending_h2s() than other ones in "show profiling tasks". The correct way of proceeding consists in only restarting streams once the ring of connection buffers goes down to a single buffer. This also reduces memory usage under congestion.

- The recent fix for multiple "bind fd@0" that could crash on start was finally backported.

- The H2 mux was always sending its data using short SSL records, which explains why the performance was not as good as with HTTP/1. The reason is that the dynamic SSL records predate the muxes, and that the mechanism involved to use them was moved to the mux-H1 during the transition, without the mux-H2 being aware that there was something to be done. Now we continue to use small records when sending single buffers, but we use large records when sending more than one record, indicating large objects are being downloaded in parallel or that the link is congested.

- The H2 mux could sometimes crash when detaching a stream on a congested connection with no client timeout.

- Some rare bind errors on UNIX sockets were not correctly reported on startup.

And there were a few tiny improvements as well:

- the support for constant limits in the bandwidth limiter was backported as planned 2 months ago

- the H2 traces can now dump H2 headers (useful for debugging)

- a few more fields are printed in "show fd"

- a suboptimal recv() sequence in the HTTP/1 mux resulted in a short 16-byte recv() call for objects larger than bufsize-maxrewrite. This was addressed.
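To make the H2 mux congestion item above concrete, here is a small added simulation (not HAProxy code, and nothing in it comes from the project's sources): a connection-level ring of RING_SIZE buffers is shared by NSTREAMS streams that all want to send. Policy 0 wakes every waiting stream each time a single buffer is released, so only one of them can actually send and the rest are woken for nothing; policy 1 only wakes them once the ring has shrunk to a single buffer, as the fix describes. The struct and function names, the sizes, and the one-buffer-per-send model are all assumptions made for the illustration.

```c
/* Constructed model of a connection buffer ring shared by several streams.
 * Not HAProxy code: names and sizes are chosen for illustration only. */
#include <stdio.h>
#include <stdbool.h>

#define RING_SIZE 8   /* assumed: max buffers chained on one connection */
#define NSTREAMS 16   /* assumed: streams blocked waiting to send */
#define MAX_ROUNDS 10000

struct conn {
    int used;                 /* buffers currently queued on the connection */
    bool waiting[NSTREAMS];   /* stream i still has data it could not send */
};

struct result {
    long wakeups;   /* stream callbacks executed */
    long sent;      /* wakeups that actually queued a buffer */
    long rounds;    /* buffer releases needed until every stream sent once */
};

/* A stream can only send if the ring has room for one more buffer. */
static bool stream_try_send(struct conn *c, int id)
{
    if (c->used >= RING_SIZE)
        return false;
    c->used++;
    c->waiting[id] = false;
    return true;
}

/* The transport consumed one buffer (e.g. a few kB were written). */
static void release_buffer(struct conn *c)
{
    if (c->used > 0)
        c->used--;
}

static int waiting_count(const struct conn *c)
{
    int n = 0;
    for (int i = 0; i < NSTREAMS; i++)
        n += c->waiting[i];
    return n;
}

/* Wake every waiting stream and count how many of those wakeups were useful. */
static void wake_all_waiting(struct conn *c, struct result *r)
{
    for (int i = 0; i < NSTREAMS; i++) {
        if (!c->waiting[i])
            continue;
        r->wakeups++;
        if (stream_try_send(c, i))
            r->sent++;
    }
}

/* policy 0: wake all waiting streams on every buffer release.
 * policy 1: wake them only once the ring is down to a single buffer. */
struct result simulate(int policy)
{
    struct conn c = { .used = RING_SIZE };   /* start fully congested */
    struct result r = { 0, 0, 0 };

    for (int i = 0; i < NSTREAMS; i++)
        c.waiting[i] = true;

    while (waiting_count(&c) > 0 && r.rounds < MAX_ROUNDS) {
        r.rounds++;
        release_buffer(&c);
        if (policy == 0 || c.used <= 1)
            wake_all_waiting(&c, &r);
    }
    return r;
}

int main(void)
{
    for (int policy = 0; policy < 2; policy++) {
        struct result r = simulate(policy);
        printf("policy %d: %ld wakeups, %ld useful, %ld releases\n",
               policy, r.wakeups, r.sent, r.rounds);
    }
    return 0;
}
```

With these sizes, policy 0 runs 136 stream callbacks to get 16 sends done, while policy 1 needs only 27, which is the kind of ratio the announcement reports for sc_conn_io_cb() under congestion; the price is a few more buffer releases before the first batch of streams is restarted.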
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.7/src/
Git repository : https://git.haproxy.org/git/haproxy-2.7.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.7.git
Changelog : https://www.haproxy.org/download/2.7/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :

Aurelien DARRAGON (4):
      BUG/MINOR: tcp_sample: fix a bug in fc_dst_port and fc_dst_is_local sample fetches
      BUG/MINOR: proto_ux: report correct error when bind_listener fails
      BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
      BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()

Christopher Faulet (11):
      BUG/MEDIUM: mux-pt: Set EOS on error on sending path if read0 was received
      BUG/MINOR: mux-h1: Don't report an H1C error on client timeout
      BUG/MEDIUM: proxy: properly stop backends on soft-stop
      BUG/MEDIUM: resolvers: Properly stop server resolutions on soft-stop
      DEBUG: cli/show_fd: Display connection error code
      DEBUG: ssl-sock/show_fd: Display SSL error code
      BUG/MEDIUM: mux-h1: Don't block SE_FL_ERROR if EOS is not reported on H1C
      BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list
      MEDIUM: bwlim: Support constants limit or period on set-bandwidth-limit actions
      BUG/MINOR: mux-h2: Fix possible null pointer deref on h2c in _h2_trace_header()
      BUG/MEDIUM: spoe: Don't set the default target for the SPOE agent frontend

Frédéric Lécaille (2):
      BUG/MINOR: quic: Missing STREAM frame length updates
      BUG/MINOR: quic: Missing STREAM frame data pointer updates

Willy Tarreau (9):
      BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
      MINOR: buffer: add br_single() to check if a buffer ring has more than one buf
      BUG/MEDIUM: mux-h2: only restart sending when mux buffer is decongested
      BUG/MINOR: mux-h2: set CO_SFL_STREAMER when sending lots of data
      BUG/MEDIUM: listener: duplicate inherited FDs if needed
      MINOR: h2: add h2_phdr_to_ist() to make ISTs from pseudo headers
      MEDIUM: mux-h2/trace: add tracing support for headers
      BUG/MAJOR: qpack: fix possible read out of bounds in static table
      OPTIM: mux-h1: limit first read size to avoid wrapping
---