Hi,

HAProxy 3.0-dev12 was released on 2024/05/18. It added 54 new commits after version 3.0-dev11.
In terms of bugs, we're starting to scratch the low-importance or less visible stuff, which generally is a good hint that we're getting close to having something releasable. We've also fixed a few build regressions on less common platforms.

A noticeable change concerns HTTP/1. Historically, non-standards-compliant URIs that wouldn't cause trouble were forwarded as-is, for example "index.html" missing the leading slash, because long ago some rare applications exposed to broken clients would rely on that. Now that path, authority, scheme etc. are split apart and can appear separately in logs or can be processed individually, this is really starting to cause confusion (e.g. a request not starting with either '/' or '*' has no path to act on nor to log). It's long past the time to get rid of this old compatibility behavior, so better get rid of it now than have to maintain it for another 5-year period.

We are now stricter on the request target validation during H1 message parsing. Some invalid request targets are now rejected with a 400-Bad-Request error:

  - The asterisk-form is now only allowed for OPTIONS and OTHER methods. This last point was added so as not to reject the H2 preface. We also take care of having only one asterisk and nothing more.

  - For the CONNECT method, we take care of having a valid authority-form. All other forms are rejected.

  - The authority-form is now only supported for the CONNECT method.

  - No specific check is performed on the origin-form (except for the CONNECT method).

  - For the absolute-form, we take care to have a scheme and a valid authority.

It was tagged as a bug since the behavior was still non-compliant, and marked as major not due to the severity but the sensitivity. We have no intent to backport this, and we'd rather avoid adding an option to re-enable the old behavior since it's really expected that no application has been relying on this for the last decade at least.
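To make the new rules concrete, here is a small model of the request-target check run over a few constructed request lines. This is an added example written for this page, not HAProxy's own parser (which is C and lives in the h1 code): it implements exactly the rules stated above, and the regular expressions used to decide what counts as a "scheme" and a "valid authority" are this example's own approximation of RFC 3986 syntax, not HAProxy's.

```python
"""Model of the stricter HTTP/1 request-target validation described in the
3.0-dev12 announcement. Constructed example, not HAProxy code: the rules are
the ones stated in the text, the regexes are an assumption of this example."""
import re

# Methods HAProxy knows by name; anything else is "OTHER", which is what lets
# the HTTP/2 preface ("PRI * HTTP/2.0") keep using the asterisk-form.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "TRACE", "PATCH", "CONNECT"}

# scheme "://" (RFC 3986 scheme syntax), approximation used by this example
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
# host[:port]: bracketed IPv6 literal or reg-name/IPv4, optional numeric port
_AUTHORITY = re.compile(
    r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]+)(:[0-9]*)?$")


def classify_target(target: str) -> str:
    """Name the request-target form (origin, asterisk, absolute, authority)."""
    if target.startswith("/"):
        return "origin"
    if target.startswith("*"):
        return "asterisk"
    if _SCHEME.match(target):
        return "absolute"
    if _AUTHORITY.match(target):
        return "authority"
    return "unknown"


def check_request_target(method: str, target: str) -> tuple:
    """Return (accepted, form, reason) following the announcement's rules."""
    form = classify_target(target)
    if form == "asterisk":
        # exactly one '*' and nothing more; only OPTIONS or an unknown method
        if target != "*":
            return False, form, "asterisk-form must be exactly one '*'"
        if method != "OPTIONS" and method in KNOWN_METHODS:
            return False, form, "asterisk-form only for OPTIONS or OTHER methods"
        return True, form, ""
    if method == "CONNECT":
        # CONNECT must carry a valid authority-form; any other form is rejected
        if form != "authority":
            return False, form, "CONNECT requires authority-form"
        return True, form, ""
    if form == "authority":
        return False, form, "authority-form only allowed for CONNECT"
    if form == "origin":
        return True, form, ""  # no specific check beyond the leading '/'
    if form == "absolute":
        # scheme is present; the authority between "://" and the path must be valid
        rest = _SCHEME.sub("", target, count=1)
        authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
        if not _AUTHORITY.match(authority):
            return False, form, "absolute-form needs a valid authority"
        return True, form, ""
    return False, form, "no recognisable request-target form"


def check_request_line(line: str) -> tuple:
    """Split 'METHOD target HTTP/x.y' and apply the target check."""
    parts = line.split(" ")
    if len(parts) != 3:
        return False, "malformed", "request line must have three tokens"
    method, target, _version = parts
    return check_request_target(method, target)


# Constructed sample request lines, not captured traffic.
SAMPLE_LINES = [
    "GET / HTTP/1.1",
    "GET index.html HTTP/1.1",                  # the old tolerated case
    "GET http://example.com/index.html HTTP/1.1",
    "GET http:///index.html HTTP/1.1",          # scheme but empty authority
    "OPTIONS * HTTP/1.1",
    "GET * HTTP/1.1",
    "OPTIONS ** HTTP/1.1",
    "PRI * HTTP/2.0",                           # H2 preface, OTHER method
    "CONNECT example.com:443 HTTP/1.1",
    "CONNECT https://example.com:443 HTTP/1.1",
    "GET example.com:443 HTTP/1.1",
]


def summarize(lines=SAMPLE_LINES) -> dict:
    """Map each request line to 'pass' or '400' as the new parser would."""
    return {l: ("pass" if check_request_line(l)[0] else "400") for l in lines}


if __name__ == "__main__":
    for line, verdict in summarize().items():
        _ok, form, reason = check_request_line(line)
        print(f"{verdict:>4}  {form:<9}  {line}" + (f"  ({reason})" if reason else ""))
```

Running it lists which of the constructed lines would now draw a 400, which is a quick way to sanity-check the request patterns of a tool before upgrading rather than waiting for the error reports mentioned below.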
Thus if you get reports of users facing 400 Bad Request (or more likely tools reporting this), please report it and we'll see if another broken option is needed.

Another point worth noting is that a previous fix for Solaris' evports poller that permitted polling for more than one event at once was reverted as it used to occasionally miss some events. It's no big deal anyway given that in 2024 I guess nobody uses Solaris for anything performance-sensitive, it's mostly to continue to run legacy apps.

For the other improvements:

  - The Lua latency improvement with threads that we spoke about a month ago or so was finally merged. As a reminder, it consists of dividing the max number of instructions by the number of threads when running single-threaded "lua-load" scripts so that waiting threads don't wait as long as they currently do.

  - During the 2.9 dev cycle, to be able to support zero-copy data forwarding, a change on the H1 mux was performed to ignore header modifications about payload representation (Content-Length and Transfer-Encoding headers). It appears there are some use-cases where it could be handy to change the values of these headers or just remove them. For instance, we can imagine removing these headers on a server response to force the old HTTP/1.0 close mode behavior. So, we decided to relax the rules to support suppression of the "Content-Length" and "Transfer-Encoding" headers. If this happens on a request, on the server side, a "Content-Length: 0" header is added and the payload is skipped. For the response, on the client side, we fall back to close mode.

  - The support of 'crt-store' keywords from a 'crt-list' was merged. The 'ocsp-update' keyword was also migrated from 'crt-list' to 'crt-store' in order to use a more generic parsing. There are still remaining changes to do regarding the PEM loading, but most of the features are there.
  - The "tune.ssl.ocsp-update.*" global keywords were renamed "ocsp-update.*" since ocsp-update has nothing to do with SSL connection tuning and is a separate feature.

  - The QUIC mux adopted the minimal infrastructure needed to start counting glitches on border-line protocol behaviors, and the HTTP/3 decoder now starts to count glitches on protocol anomalies. Just like with H2, the goal is first and foremost to be able to later catch new special cases with this.

  - The reverse-http was slightly relaxed so that a server doesn't require SSL to look up a specific name with the 'sni' keyword. This should later ease the creation of clear-text connections named from other inputs than an SSL certificate name (e.g. some elements extracted from the PROXY protocol, or a mapping of the source IP to a name, etc).

Among the remaining issues, it was found that QUIC doesn't work on OpenBSD 7.5 with LibreSSL 3.9; it looks as if some messages were not properly deciphered. Investigations are in progress. We'll also check if it's a regression or if it has never worked, because I don't want to release with a regression compared to 2.8 or 2.9, but if the issue was already there, it will not be a showstopper.

Another point currently being worked on is that for high-traffic users, there still remain a few cases where extreme loads on stick-tables with many peers occasionally cause heavy contention. We have a solution to this that should be ready early next week. This alone could be a good motivation for some users of 2.8/2.9 to upgrade if they're running extreme loads.

The goal for the next weeks is to emit a last dev release next week, and if all is good, the final one a few days later, the week after, probably on Wednesday or so. BTW, after the 3.0 release, I think I'll try to emit releases on another day of the week. Friday is not easy and often ends up on the week-end.
I think that Wednesdays should be easier and would leave some room for quick post-release fixes that allow some users to test it on their dev platforms before the week-end. We'll see anyway.

As usual, beat it, break it, and show us the remains :-)

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.0/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.0/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (10):
      BUG/MEDIUM: server: clear purgeable conns before server deletion
      BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
      BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
      MINOR: qpack: prepare error renaming
      MINOR: h3/qpack: adjust naming for errors
      MINOR: h3: adjust error reporting on sending
      MINOR: h3: adjust error reporting on receive
      MINOR: mux-quic: support glitches
      MINOR: h3: report glitch on RFC violation
      BUILD: stats: remove non portable getline() usage

Aurelien DARRAGON (6):
      BUG/MINOR: log: fix leak in add_sample_to_logformat_list() error path
      BUG/MINOR: log: smp_rgs array issues with inherited global log directives
      MINOR: hlua: add hlua_nb_instruction getter
      MEDIUM: hlua: take nbthread into account in hlua_get_nb_instruction()
      BUILD: log: get rid of non-portable strnlen() func
      BUG/MEDIUM: fd: prevent memory waste in fdtab array

Christopher Faulet (8):
      BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
      BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
      BUG/MAJOR: h1: Be stricter on request target validation during message parsing
      BUG/MINOR: stats: Don't state the 303 redirect response is chunked
      MINOR: mux-h1: Add a flag to ignore the request payload
      REORG: mux-h1: Group H1S_F_BODYLESS_* flags
      CLEANUP: mux-h1: Remove unused H1S_F_ERROR_MASK mask value
      MEDIUM: mux-h1: Support C-L/T-E header suppressions when sending messages

Ilia Shipitsin (1):
      CI: drop asan.log umbrella completely

Tim Duesterhus (1):
      DOC: Update UUID references to RFC 9562

Valentine Krasnobaeva (1):
      DOC: capabilities: fix chapter header rendering

William Lallemand (17):
      REGTESTS: ssl: be more verbose with ocsp_compat_check.vtc
      MINOR: ssl: rename tune.ssl.ocsp-update.mode in ocsp-update.mode
      REGTESTS: update the ocsp-update tests
      MEDIUM: ssl: add ocsp-update.mindelay and ocsp-update.maxdelay
      MINOR: ssl: ckch_store_new_load_files_conf() loads filenames from ckch_conf
      MEDIUM: ssl/crtlist: loading crt-store keywords from a crt-list
      CLEANUP: ssl/ocsp: remove the deprecated parsing code for "ocsp-update"
      MINOR: ssl: pass ckch_store instead of ckch_data to ssl_sock_load_ocsp()
      MEDIUM: ssl: ckch_conf_parse() uses -1/0/1 for off/default/on
      MINOR: ssl: handle PARSE_TYPE_INT and PARSE_TYPE_ONOFF in ckch_store_load_files()
      MINOR: ssl/ocsp: use 'ocsp-update' in crt-store
      MINOR: ssl: ckch_conf_clean() utility function for ckch_conf
      MEDIUM: ssl: add ocsp-update.disable global option
      MEDIUM: ssl/cli: handle crt-store keywords in crt-list over the CLI
      MINOR: ssl: ckch_conf_cmp() compare multiple ckch_conf structures
      MEDIUM: ssl: temporarily load files by detecting their presence in crt-store
      REGTESTS: ocsp-update: change the reg-test to support the new crt-store mode

William Manley (1):
      MINOR: rhttp: Don't require SSL when attach-srv name parsing

Willy Tarreau (9):
      BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
      BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
      SCRIPTS: run-regtests: fix a few occurrences of extended regexes
      BUG/MINOR: ssl_sock: fix xprt_set_used() to properly clear the TASK_F_USR1 bit
      MINOR: dynbuf: provide a b_dequeue() variant for multi-thread
      BUG/MEDIUM: muxes: enforce buf_wait check in takeover()
      BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
      CLEANUP: compat: make the MIN/MAX macros more reliable
      Revert "MEDIUM: evports: permit to report multiple events at once"

---