Hi,
HAProxy 2.8.10 was released on 2024/06/14. It added 80 new commits after
version 2.8.9.
This version is part of the series of stable releases that follows the new
3.0. Here is a summary of the most notable changes.
Several fixes are applied for better HTTP conformance. In some cases, 502
errors raised on the initial server response were incorrectly hidden; they are
now properly logged. CONNECT requests whose target carries a scheme are now
rejected, as they are invalid according to RFC 7230 (CONNECT must use the
authority-form "host:port" target). Empty paths are normalized to "/" for
absolute-form URIs.
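To make the two request-line rules concrete, here is a small Python checker. It is an added illustration, not code from HAProxy's h1 parser: it assumes a simplified request-line grammar (method, target and version separated by single spaces), only implements the target-form checks, and the function and class names are mine. It also shows the pitfall a naive scheme check runs into: an authority-form target such as example.com:443 matches the RFC 3986 scheme grammar up to the colon, so the check keys on "://" rather than on the first colon.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# "scheme://" marks absolute-form. We deliberately require the "//" and not
# just "scheme:" because an authority-form CONNECT target such as
# example.com:443 also satisfies the RFC 3986 scheme grammar up to the colon.
ABSOLUTE_FORM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
# authority-form: host ":" port, where host may be a bracketed IPv6 literal.
AUTHORITY_FORM_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[^\[\]/?#:@\s]+):\d{1,5}$")


class RequestLineError(ValueError):
    """The request line must be refused by the parser."""


def normalize_request_line(line):
    """Validate a request line and return (method, normalized_target, version).

    Rules applied, matching the two conformance fixes described above:
      * CONNECT must use authority-form; a target carrying a scheme is rejected.
      * For absolute-form targets an empty path is rewritten to "/".
    """
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise RequestLineError("malformed request line")
    method, target, version = parts

    if method == "CONNECT":
        if ABSOLUTE_FORM_RE.match(target):
            raise RequestLineError("CONNECT target must not carry a scheme")
        if not AUTHORITY_FORM_RE.match(target):
            raise RequestLineError("CONNECT target must be host:port")
        return method, target, version

    if ABSOLUTE_FORM_RE.match(target):
        u = urlsplit(target)
        if not u.netloc:
            raise RequestLineError("absolute-form target without authority")
        # Empty path component -> "/" (RFC 7230 section 2.7.3 / 5.3.2).
        target = urlunsplit((u.scheme, u.netloc, u.path or "/", u.query, u.fragment))
        return method, target, version

    # origin-form must be an absolute path; "*" is only valid for OPTIONS.
    if target == "*" and method == "OPTIONS":
        return method, target, version
    if not target.startswith("/"):
        raise RequestLineError("origin-form target must start with '/'")
    return method, target, version


def request_line_is_acceptable(line):
    """Boolean wrapper, convenient for batch checks over captured request lines."""
    try:
        normalize_request_line(line)
        return True
    except RequestLineError:
        return False


if __name__ == "__main__":
    for sample in ("GET http://example.org HTTP/1.1",
                   "CONNECT example.com:443 HTTP/1.1",
                   "CONNECT http://example.com:443 HTTP/1.1"):
        print(sample, "->", request_line_is_acceptable(sample))
```

A real parser additionally has to enforce the full token and URI character sets (the changelog entry about upper bytes in the URI is one such check); the point here is only the two target-form decisions.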
Dynamic servers were tested under heavy load during the 3.0 development cycle.
This revealed that crashes could occur when a server still in use was removed.
The removal conditions were thus adjusted to reject such an operation. Also,
some settings were not completely initialized for dynamic servers, which caused
them to behave differently from static ones.
Still on the backend side, an issue was found when NTLM headers are used. They
caused the backend connection to be dynamically marked as private, to prevent
HTTP reuse. However, this is conceptually wrong when using the HTTP/2
multiplexer on the backend side with http-reuse set to aggressive or higher,
as the connection may already be shared across several clients. Thus, NTLM
headers are simply ignored in this case.
Fixes were merged for QUIC. Most of them improve LibreSSL compatibility; as the
changelog below shows, this includes a crash with the TLS_AES_128_CCM_SHA256
cipher suite and the negotiation of CHACHA20_POLY1305 on LibreSSL versions
before 4.0. Other than that, error handling was improved to report more
specific error codes from the different layers: the QUIC multiplexer, HTTP/3
and the QPACK decoder.
For the SSL stack, a few fixes were done, in particular for better OCSP
support. Also, certificate selection was adjusted: haproxy could choose an
ECDSA certificate even when it was not compatible with the cipher algorithms
advertised by the client, instead of falling back to RSA.
A bug was fixed in the peer applet, where a blocking condition could occur
when the max-updates-at-once limit was reached.
Cache hits should increase: previously, cached HTTP responses whose Vary header
named anything other than Accept-Encoding, but with an Encoding header present,
were never returned from the cache.
It is now possible to disable seamless reload in master-worker mode by using
the argument '-x /dev/null'. This may be necessary for some setups since the
introduction of automatic seamless reload for master-worker mode.
An interesting security feature was backported to block traffic from clients
that use a privileged port (below 1024) as their source port. Such behavior is
highly suspect, as it is often the sign of an amplification attack. It can be
activated using the harden.reject-privileged-ports.{tcp|quic} keywords. Note
that on 3.0, we chose to enable it by default for QUIC. However, it remains
disabled on 2.9 and earlier versions to keep the current behavior on stable
haproxy branches, but users are free to activate it if needed. It is
particularly useful when QUIC listeners are active, to prevent DNS/NTP
amplification attacks. However, on TCP this protection may break some
protocols such as FTP, whose active-mode data connections originate from
source port 20.
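Before enabling harden.reject-privileged-ports.tcp on an existing deployment, it is worth auditing the access logs for connections that would be rejected, so that legitimate sources (active-mode FTP data from port 20) can be told apart from reflection suspects (source ports 53 or 123). The following Python script does that over HAProxy's default HTTP and TCP log formats. It is an added example, not part of HAProxy or of this release; the log lines it processes are constructed for the illustration (documentation address ranges, made-up frontend names fe_https, fe_quic and fe_ftp_data), and the port labels are my own.

```python
import re
from collections import Counter, defaultdict

# Matches the start of HAProxy's default HTTP and TCP log formats:
#   <client_ip>:<client_port> [<accept_date>] <frontend> <backend>/<server> ...
# The syslog prefix is optional so lines from a raw file or from journalctl
# both work. The greedy \S+ for the address means the LAST colon delimits the
# port, which is what makes bare IPv6 client addresses (2001:db8::10:50012)
# parse correctly.
LOG_RE = re.compile(
    r"^(?:.*?haproxy\[\d+\]:\s+)?"
    r"(?P<ip>\S+):(?P<port>\d+)\s+\[[^\]]+\]\s+(?P<frontend>\S+)\s+\S+/\S+"
)

PRIVILEGED_PORT_LIMIT = 1024  # ports below this value are privileged on Unix

# Labels are an assumption for the report; they are not taken from HAProxy.
WELL_KNOWN = {
    20: "ftp-data (active-mode FTP, legitimate)",
    53: "dns (reflection suspect)",
    123: "ntp (reflection suspect)",
}

# Constructed sample log lines (not real traffic); the last line is noise.
LOG_SAMPLE = """\
Jun 14 10:00:01 lb1 haproxy[2213]: 198.51.100.7:41822 [14/Jun/2024:10:00:01.120] fe_https~ be_app/web1 0/0/1/12/13 200 1532 - - ---- 3/3/0/1/0 0/0 "GET / HTTP/2.0"
Jun 14 10:00:02 lb1 haproxy[2213]: 203.0.113.9:53 [14/Jun/2024:10:00:02.004] fe_quic be_app/web2 0/0/1/9/10 200 1532 - - ---- 4/4/0/1/0 0/0 "GET / HTTP/3.0"
Jun 14 10:00:02 lb1 haproxy[2213]: 203.0.113.9:123 [14/Jun/2024:10:00:02.310] fe_quic be_app/web2 0/0/1/9/10 200 1532 - - ---- 4/4/0/1/0 0/0 "GET / HTTP/3.0"
Jun 14 10:00:03 lb1 haproxy[2213]: 192.0.2.44:20 [14/Jun/2024:10:00:03.000] fe_ftp_data be_ftp/ftp1 0/0/1032 91823 -- 1/1/0/0/0 0/0
Jun 14 10:00:04 lb1 haproxy[2213]: 2001:db8::10:50012 [14/Jun/2024:10:00:04.770] fe_https~ be_app/web1 0/0/2/15/17 200 900 - - ---- 3/3/0/1/0 0/0 "GET /x HTTP/2.0"
not a haproxy line
"""


def parse_line(line):
    """Return (client_ip, client_port, frontend) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # HAProxy appends '~' to the frontend name when the connection used SSL/TLS.
    return m["ip"], int(m["port"]), m["frontend"].rstrip("~")


def audit_privileged_source_ports(lines, limit=PRIVILEGED_PORT_LIMIT):
    """Return {frontend: Counter({source_port: hits})} for privileged source ports only."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ip, port, frontend = parsed
        if port < limit:
            hits[frontend][port] += 1
    return dict(hits)


def describe(hits):
    """One report line per (frontend, port), sorted for stable output."""
    report = []
    for frontend, counter in sorted(hits.items()):
        for port, n in sorted(counter.items()):
            label = WELL_KNOWN.get(port, "other privileged port")
            report.append(f"{frontend}: {n} connection(s) from source port {port} [{label}]")
    return report


if __name__ == "__main__":
    for entry in describe(audit_privileged_source_ports(LOG_SAMPLE.splitlines())):
        print(entry)
```

Run against a real log, a frontend that only ever sees source port 20 is an FTP data path where the TCP variant of the option would break traffic, while a QUIC frontend showing ports 53 or 123 is exactly the case the QUIC variant is meant to stop.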
Not much on the SPOE front. A single bug fix was merged, which lets the applet
retry later on buffer exhaustion instead of returning a definitive I/O error.
On the Lua side, a series of cleanups and minor bug fixes were merged. Most of
them concern error handling and should make script debugging easier. Also, a
crash was fixed when using the CertCache module from the init context.
The CLI applet now reports a proper error message when a command larger than
the buffer size is rejected. Previously, the CLI connection was silently closed
without further information.
A Solaris user reported that external checks were causing an infinite loop. In
fact, this was due to wrong signal handling in evports, the Solaris polling
mechanism, present since its first introduction in haproxy.
Thanks to everyone who contributed to this release.
Please find the usual URLs below:
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/2.8/src/
Git repository : https://git.haproxy.org/git/haproxy-2.8.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-2.8.git
Changelog : https://www.haproxy.org/download/2.8/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
---
Complete changelog:
Amaury Denoyelle (14):
BUG/MINOR: backend: use cum_sess counters instead of cum_conn
BUG/MINOR: mux-quic: fix error code on shutdown for non HTTP/3
BUG/MINOR: qpack: fix error code reported on QPACK decoding failure
BUG/MINOR: connection: parse PROXY TLV for LOCAL mode
MEDIUM: config: prevent communication with privileged ports
BUG/MINOR: quic: adjust restriction for stateless reset emission
DOC: quic: specify that connection migration is not supported
BUG/MINOR: quic: prevent crash on qc_kill_conn()
BUG/MEDIUM: server: fix dynamic servers initial settings
BUG/MEDIUM: quic: fix connection freeze on post handshake
MINOR: session: rename private conns elements
BUG/MAJOR: server: do not delete srv referenced by session
BUG/MEDIUM: http_ana: ignore NTLM for reuse aggressive/always and no H1
BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe
Aurelien DARRAGON (16):
BUG/MINOR: log: fix lf_text_len() truncate inconsistency
BUG/MINOR: tools/log: invalid encode_{chunk,string} usage
BUG/MINOR: log: invalid snprintf() usage in sess_build_logline()
CLEANUP: log: lf_text_len() returns a pointer not an integer
DOC: lua: fix filters.txt file location
MINOR: log: add dup_logsrv() helper function
BUG/MINOR: log: keep the ref in dup_logger()
BUG/MINOR: log: smp_rgs array issues with inherited global log directives
BUG/MEDIUM: fd: prevent memory waste in fdtab array
BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
CLEANUP: hlua: use hlua_pusherror() where relevant
BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
Christopher Faulet (15):
BUG/MINOR: cli: Report an error to user if command or payload is too big
BUG/MEDIUM: http-ana: Deliver 502 on keep-alive for fressh server connection
BUG/MINOR: http-ana: Fix TX_L7_RETRY and TX_D_L7_RETRY values
BUG/MEDIUM: stconn: Don't forward channel data if input data must be filtered
BUG/MEDIUM: applet: Fix applet API to put input data in a buffer
BUG/MEDIUM: spoe: Always retry when an applet fails to send a frame
BUG/MEDIUM: peers: Fix exit condition when max-updates-at-once is reached
BUG/MINOR: stconn: Fix sc_mux_strm() return value
BUG/MINOR: h1: Check authority for non-CONNECT methods only if a scheme is found
BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
BUG/MINOR: htpp-ana/stats: Specify that HTX redirect messages have a C-L header
BUG/MINOR: stats: Don't state the 303 redirect response is chunked
BUG/MEDIUM: mux-quic: Create sedesc in same time of the QUIC stream
BUG/MINOR: http-htx: Support default path during scheme based normalization
BUG/MINOR: server: Don't reset resolver options on a new default-server line
Damien Claisse (1):
BUG/MINOR: server: fix slowstart behavior
Frederic Lecaille (3):
MINOR: net_helper: Add support for floats/doubles.
BUG/MEDIUM: grpc: Fix several unaligned 32/64 bits accesses
BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)
Ilia Shipitsin (1):
BUILD: clock: improve check for pthread_getcpuclockid()
Ilya Shipitsin (1):
CI: revert kernel addr randomization introduced in 3a0fc864
Remi Tricot-Le Breton (1):
BUG/MEDIUM: cache: Vary not working properly on anything other than accept-encoding
Valentine Krasnobaeva (4):
BUG/MINOR: haproxy: only tid 0 must not sleep if got signal
CLEANUP: ssl/ocsp: readable ifdef in ssl_sock_load_ocsp
BUG/MINOR: ssl/ocsp: init callback func ptr as NULL
BUG/MINOR: activity: fix Delta_calls and Delta_bytes count
William Lallemand (4):
BUG/MINOR: mworker: reintroduce way to disable seamless reload with -x /dev/null
CLEANUP: ssl/cli: remove unused code in dump_crtlist_conf
DOC: configuration: update the crt-list documentation
BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA configuration
Willy Tarreau (20):
BUG/MINOR: listener: always assign distinct IDs to shards
BUG/MINOR: debug: make sure DEBUG_STRICT=0 does work as documented
BUG/MEDIUM: peers/trace: fix crash when listing event types
BUG/MEDIUM: evports: do not clear returned events list on signal
BUG/MINOR: sock: handle a weird condition with connect()
BUG/MINOR: fd: my_closefrom() on Linux could skip contiguous series of sockets
BUG/MINOR: h1: fix detection of upper bytes in the URI
BUG/MEDIUM: htx: mark htx_sl as packed since it may be realigned
BUG/MEDIUM: stick-tables: properly mark stktable_data as packed
BUILD: stick-tables: better mark the stktable_data as 32-bit aligned
BUG/MEDIUM: quic_tls: prevent LibreSSL < 4.0 from negotiating CHACHA20_POLY1305
BUILD: quic: fix unused variable warning when threads are disabled
DOC: config: fix incorrect section reference about custom log format
REGTESTS: acl_cli_spaces: avoid a warning caused by undefined logs
CI: scripts: fix build of vtest regarding option -C
BUILD: fd: errno is also needed without poll()
BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state warning
BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
BUG/MEDIUM: quic: don't blindly rely on unaligned accesses
---
--
Amaury Denoyelle