Hi, HAProxy 2.4.23 was released on 2023/06/09. It added 83 new commits after version 2.4.22.
As you can imagine, after 4 months since the last release, this one brings several fixes. To sum up: * The SPOE was fixed to limit the number of idle applets on edge cases. On sporadic bursts, it was possible to systematically start new applets because the SPOE processing frequency was lower than the messages rate, and this independently on the number of idle applets. The idle applets tracking was improved to be able to properly reuse them. This fix revealed a flaw in the way synchronous frames were handled, leading to a raise of the message processing latency. To fix this issue, in synchronous mode, a SPOE applet will now systematically try to send a frame when it is woken up, except if it is still waiting for a ACK frame after a receive attempt. Finally, a crash for engines configured on disabled proxies was fixed. SPOE engines must not be released for such proxies during the startup because some resources may be shared with other engines, for instance the ACLs. * The total boot time is now measured. It is used to postpone the startup of health checks. It is pretty useful for very large configurations taking up few seconds to start, to not schedule some servers' checks in past. This also helps to have a better distribution of health-checks when "spread-checks" option is used. In addition, the spread-checks is also used at boot time, making the load much smoother from the start. * We now force the connect timeout for the DNS resolution. The "resolve" timeout is used to set its value. Have no connect timeout was an issue for resolution over TCP. Connection failures might take quite long to report, leading to an excess of unusable DNS sessions in connecting state. It was especially visible on soft-stop because this prevented the process to quickly exit. Still on the DNS, errors are now properly handled when a response is consumed. This was an issue for truncated responses followed by an abort. The applet could ignore the abort and loop waiting for more data until a timeout is triggered. A similar issue was fixed in the syslog applet. * A lua bug was fixed. Except for lua tasks, it is no longer possible to register functions at runtime. It was clearly stated in the documentation, but nothing forbidden it in the code. An error is now triggered if this happens, preventing potential segfaults. * Aurélien fixed wrong report for tracking servers leaving drain state. He also centralized proxy and server stats updates on server state transition to be sure to not miss an update on some transitions. * The idle connections detection was improved to not consider connections waiting to be removed as idle. * The pool_gc() calls that were made a bit too often on stopping proxies were relaxed. Sometimes they were causing excess memory contention and were even competing against malloc_trim(). * It was possible to trigger the watchdog purging stick-tables on soft-stop. To not spend too much time purging expired entries, we now enforce a budget limitation and the purge is performed in several steps. In addition, memory is reclaimed only when entries are released. Indeed, this operation involves a call to malloc_trim() on glibc, which is rather expensive. * ssl-min-ver and ss-max-ver parameters are now duplicated for bundles in crt-list. * The read expiration date is now updated on synchronous sends for all streams except independent ones. This fixed an old bug when a filter is configured. Write activities on synchronous sends were lost. With slow clients uploading large object, it was possible to reach the server timeout. * An error is now reported during configuration parsing when the "len" argument of a stick table type contains incorrect characters. * The strict-sni documentation was updated to state it is possible to start without certificate on a bind line. * a section about size format was added in the configuration manual. * The cache failed to cache a response for a request that had the "no-cache" directive (typically a forced reload). This prevented from refreshing the cache this way, this is now fixed. * Layer7 retries did not work anymore on the "empty-response" condition due to a change that was made in 2.4. * Some rare bind errors on UNIX sockets were not correctly reported on startup. * an issue affecting the H1 multiplexer was fixed. If the reponse was fully transferred before the whole request is read, there was a risk that the channel is left open without any further processing. In the end, this caused the stream to enter a spinning loop which triggered an assertion failure crash. There are other minor fixes but I can't remember the context. Check the changelog above for the full list of changes. Thanks everyone for your contributions and you hepl ! Please find the usual URLs below : Site index : https://www.haproxy.org/ Documentation : https://docs.haproxy.org/ Wiki : https://github.com/haproxy/wiki/wiki Discourse : https://discourse.haproxy.org/ Slack channel : https://slack.haproxy.org/ Issue tracker : https://github.com/haproxy/haproxy/issues Sources : https://www.haproxy.org/download/2.4/src/ Git repository : https://git.haproxy.org/git/haproxy-2.4.git/ Git Web browsing : https://git.haproxy.org/?p=haproxy-2.4.git Changelog : https://www.haproxy.org/download/2.4/src/CHANGELOG Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest Pending bugs : https://www.haproxy.org/l/pending-bugs Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs Code reports : https://www.haproxy.org/l/code-reports Latest builds : https://www.haproxy.org/l/dev-packages --- Complete changelog : Aurelien DARRAGON (22): DEV: hpack: fix `trash` build regression BUG/MINOR: proto_ux: report correct error when bind_listener fails BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all() BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp() MINOR: proxy/pool: prevent unnecessary calls to pool_gc() BUG/MINOR: sink: free forward_px on deinit() BUG/MINOR: log: free log forward proxies on deinit() BUG/MINOR: hlua: enforce proper running context for register_x functions CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy() BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop BUG/MINOR: hlua: unsafe hlua_lua2smp() usage BUG/MINOR: log: fix memory error handling in parse_logsrv() BUG/MINOR: proxy: missing free in free_proxy for redirect rules BUG/MINOR: server: incorrect report for tracking servers leaving drain MINOR: server: explicitly commit state change in srv_update_status() BUG/MINOR: server: don't miss proxy stats update on server state transitions BUG/MINOR: server: don't miss server stats update on server state transitions BUG/MINOR: server: don't use date when restoring last_change from state file MINOR: proxy: add http_free_redirect_rule() function BUG/MINOR: http_rules: fix errors paths in http_parse_redirect_rule() BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line BUG/MINOR: proxy: add missing interface bind free in free_proxy Christopher Faulet (25): DOC: config: Fix description of options about HTTP connection modes DOC: config: Add the missing tune.fail-alloc option from global listing DOC: config: Clarify the meaning of 'hold' in the 'resolvers' section BUG/MINOR: http-check: Don't set HTX_SL_F_BODYLESS flag with a log-format body BUG/MINOR: http-check: Skip C-L header for empty body when it's not mandatory BUG/MINOR: http-ana: Do a L7 retry on read error if there is no response BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend BUG/MEDIUM: connection: Clear flags when a conn is removed from an idle list BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list BUG/MEDIUM: mux-h1: Wakeup H1C on shutw if there is no I/O subscription BUG/MEDIUM: channel: Improve reports for shut in co_getblk() BUG/MEDIUM: dns: Properly handle error when a response consumed BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions REGTESTS: fix the race conditions in log_uri.vtc BUG/MEDIUM: log: Properly handle client aborts in syslog applet CLEANUP: backend: Remove useless debug message in assign_server() BUG/MEDIUM: Update read expiration date on synchronous send BUG/MINOR: tcp-rules: Don't shortened the inspect-delay when EOI is set DOC: config: Clarify conditions to shorten the inspect-delay for TCP rules MINOR: spoe: Don't stop disabled proxies BUILD: mjson: Fix warning about unused variables BUG/MEDIUM: spoe: Don't start new applet if there are enough idle ones BUG/MEDIUM: filters: Don't deinit filters for disabled proxies during startup DOC: config: Fix bind/server/peer documentation in the peers section BUG/MINOR: spoe: Only skip sending new frame after a receive attempt Daniel Epperson (1): DOC: add size format section to manual David Carlier (1): BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards. Frédéric Lécaille (1): CONTRIB: Add vi file extensions to .gitignore Ilia Shipitsin (2): CI: switch to Fastly CDN to download LibreSSL BUILD: ssl: switch LibreSSL to Fastly CDN Ilya Shipitsin (2): CI: bump "actions/checkout" to v3 for cross zoo matrix CI: cirrus-ci: bump FreeBSD image to 13-1 Mariam John (1): DOC/MINOR: config: Fix typo in description for `ssl_bc` in configuration.txt Michael Prokop (1): DOC/CLEANUP: fix typos Remi Tricot-Le Breton (4): BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list BUG/MINOR: cache: Cache response even if request has "no-cache" directive BUG/MINOR: cache: Check cache entry is complete in case of Vary BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback William Lallemand (7): BUG/MINOR: mworker: stop doing strtok directly from the env BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start BUG/MINOR: mworker: prevent incorrect values in uptime DOC: config: strict-sni allows to start without certificate MINOR: proxy: check if p is NULL in free_proxy() BUG/MINOR: stick_table: alert when type len has incorrect characters Willy Tarreau (16): BUG/MINOR: sched: properly report long_rq when tasks remain in the queue BUG/MEDIUM: sched: allow a bit more TASK_HEAVY to be processed when needed BUG/MINOR: ring: do not realign ring contents on resize BUG/MINOR: init: properly detect NUMA bindings on large systems BUG/MINOR: init: make sure to always limit the total number of threads BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it BUG/MEDIUM: listener: duplicate inherited FDs if needed BUG/MEDIUM: mux-h2: erase h2c->wait_event.tasklet on error path BUG/MINOR: cfgparse: make sure to include openssl-compat BUG/MINOR: mux-h2: make sure to produce a log on invalid requests MINOR: checks: make sure spread-checks is used also at boot time MINOR: clock: measure the total boot time BUG/MINOR: checks: postpone the startup of health checks by the boot time BUG/MINOR: clock: fix the boot time measurement method for 2.6 and older SCRIPTS: publish-release: update the umask to keep group write access BUG/MINOR: debug: do not emit empty lines in thread dumps -- Christopher Faulet