Hi,
HAProxy 3.1-dev8 was released on 2024/09/18. It added 50 new commits
after version 3.1-dev7.
The last two weeks have been mostly dedicated to fixing bugs in order to
update stable branches, so it will be no surprise that this version mostly
contains fixes as well. They are not even particularly interesting to
describe here (frozen H1 connections, crashes with cache+compression+extra
filters, second fix for the dequeue lockup).
A few points are still worth mentioning:
- despite the code that tries to correct possible time jumps, there were
  some uncovered cases (typically if the time changes outside the polling
  loop instead of during poll). These were addressed as well, and since
  we were already collecting the monotonic time on operating systems
  supporting it, it was the right moment to opportunistically rely on it
  when it ticks.
- the previously discussed choice of sending warnings for all detected
  cases of conflicts on proxy names has started. Now we detect frontend
  vs backend, listen after backend, defaults vs other proxies. Some
  cleanups are still deserved for defaults handling (right now they're
  all preserved but the duplicate ones of same names should be dropped).
  Detection of server name duplicates still needs to be done.
- accept-invalid-http-response now also tolerates responses with two
  "chunked" transfer-codings like before, because of a report of at
  least one bogus application relying on that (GitHub issue #2677).
  This is not accepted in requests though, as this remains particularly
  dangerous.
- the accept-invalid-http-request/response options were more and more
  used to adapt bogus applications in ways that start to pose security
  concerns. Lukas suggested that we'd rename them in a way that makes
  this aspect more obvious, and it was the right moment! They're now
  called: "accept-unsafe-violations-in-http-request/response". The old
  ones are still supported but deprecated and will issue a warning
  suggesting the new one. With a bit of luck some users seeing the
  warning will reconsider whether or not they still need these.
- the CLI now offers "dump ssl cert" to dump a certificate directly
  in PEM format.
- speaking of the CLI, the "init-state" server keyword wasn't permitted
  on the "add server" directive, it is now.
- configs with many variables should now run faster: they used to be
  stored in a linked list, and lookups could take quite some time.
  Now they're stored in a tree. This shows a performance gain of 67%
  at max speed for 100 variables set and each read 10 times in a
  section (OK that's a pretty empirical test).
We've created a new "Breaking Changes" page on the wiki. The official
purpose is to let everyone know what updates may require some efforts,
but we all know that the main goal is for me to stop forgetting about
deprecating stuff that was already planned, thus postponing that by a
year once noticed :-) That can be useful over time to help users
making big jumps from older to newer versions spanning multiple cycles.
New stable versions are coming. We're done with the backports, and are
still working on collecting the list of changes for the announce message,
and we'll hopefully issue them this Thursday.
Oh before I forget, some might not have noticed the news, but the date
of the HAProxyConf 2025 is now fixed to June 4-5 2025 in San Francisco,
and with some workshops starting on June 3. There's currently a Call For
Papers open. If you have any ideas of topics worth presenting, some cool
tricks you figured and would like to share, report a nice success story,
or enumerate all the points that annoy you in HAProxy as well, don't be
shy and please consider proposing a talk. The Call for Papers site is:
https://www.haproxyconf.com/call-for-papers/ . You can know more by
visiting the site, which is still: https://www.haproxyconf.com/ .
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Sources : https://www.haproxy.org/download/3.1/src/
Git repository : https://git.haproxy.org/git/haproxy.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy.git
Changelog : https://www.haproxy.org/download/3.1/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (1):
BUG/MINOR: mux-quic: report glitches to session
Aurelien DARRAGON (7):
BUG/MINOR: pattern: prevent const sample from being tampered in pat_match_beg()
BUG/MEDIUM: pattern: prevent uninitialized reads in pat_match_{str,beg}
BUG/MEDIUM: pattern: prevent UAF on reused pattern expr
BUG/MINOR: peers: local entries updates may not be advertised after resync
BUG/MINOR: fix missing "log-format overrides previous 'option tcplog clf'..." detection
BUG/MINOR: fix missing "'option httpslog' overrides previous 'option tcplog clf'..." detection
BUG/MINOR: cfgparse-listen: fix option httpslog override warning message
Christopher Faulet (12):
MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state
BUG/MEDIUM: mux-h1/mux-h2: Reject upgrades with payload on H2 side only
REGTESTS: h1/h2: Update script testing H1/H2 protocol upgrades
BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state
BUG/MINOR: h1-htx: Don't flag response as bodyless when a tunnel is established
MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option
DOC: config: Explicitly list relaxing rules for accept-invalid-http-* options
MINOR: proxy: Rename accept-invalid-http-* options
DOC: configuration: Remove dangerous directives from the proxy matrix
BUG/MEDIUM: sc_strm/applet: Wake applet after a successfull synchronous send
BUG/MEDIUM: cache/stats: Wait to have the request before sending the response
BUG/MEDIUM: promex: Wait to have the request before sending the response
Damien Claisse (2):
MINOR: server: allow init-state for dynamic servers
DOC: management: add init-state to add server keywords
William Lallemand (1):
MEDIUM: ssl/cli: "dump ssl cert" allow to dump a certificate in PEM format
Willy Tarreau (27):
DOC: configuration: place the HAPROXY_HTTP_LOG_FMT example on the correct line
BUG/MEDIUM: clock: detect and cover jumps during execution
REGTESTS: fix random failures with wrong_ip_port_logging.vtc under load
BUG/MINOR: pattern: do not leave a leading comma on "set" error messages
REGTESTS: shorten a bit the delay for the h1/h2 upgrade test
DOC: server: document what to check for when adding new server keywords
BUG/MINOR: polling: fix time reporting when using busy polling
BUG/MINOR: clock: make time jump corrections a bit more accurate
BUG/MINOR: clock: validate that now_offset still applies to the current date
BUG/MEDIUM: queue: implement a flag to check for the dequeuing
OPTIM: sample: don't check casts for samples of same type
OPTIM: vars: remove the unneeded lock in vars_prune_*
OPTIM: vars: inline vars_prune() to avoid many calls
MINOR: vars: remove the emptiness tests in callers before pruning
IMPORT: import cebtree (compact elastic binary trees)
OPTIM: vars: use a cebtree instead of a list for variable names
OPTIM: vars: use multiple name heads in the vars struct
MINOR: clock: test all clock_gettime() return values
MEDIUM: clock: collect the monotonic time in clock_local_update_date()
MEDIUM: clock: opportunistically use CLOCK_MONOTONIC for the internal time
MEDIUM: clock: use the monotonic clock for idle time calculation
MEDIUM: clock: don't compute before_poll when using monotonic clock
BUG/MINOR: cfgparse: detect incorrect overlap of same backend names
MEDIUM: cfgparse: warn about proxies having the same names
BUILD: cebtree: silence a bogus gcc warning on impossible code paths
MEDIUM: cfgparse: warn about colliding names between defaults and proxies
MEDIUM: cfgparse: detect collisions between defaults and log-forward
---
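Added example, not part of the announcement above and not HAProxy's own code: a Python audit of a configuration file for the two config-facing changes described in the message, the renamed accept-invalid-http-request/response options and proxy sections sharing a name. The names audit, SAMPLE_CFG and the finding kinds are hypothetical, the sample configuration is constructed, and the collision rule (any reuse of a section name) is a simplification rather than HAProxy's exact warning logic.

```python
import re

# Old names from the announcement mapped to their replacements in 3.1-dev8.
RENAMED = {
    "accept-invalid-http-request": "accept-unsafe-violations-in-http-request",
    "accept-invalid-http-response": "accept-unsafe-violations-in-http-response",
}
SECTION = re.compile(r"^(frontend|backend|listen|defaults)\b(?:\s+(\S+))?")
OPTION = re.compile(r"^(no\s+)?option\s+(\S+)")

# Constructed sample configuration, not taken from the announcement.
SAMPLE_CFG = """\
defaults web
    mode http
frontend web
    bind :8080
    option accept-invalid-http-request
    default_backend app
backend app
    option accept-unsafe-violations-in-http-response
    server s1 192.0.2.10:8080
listen app
    bind :8081
"""

def audit(cfg_text):
    """Return (line_no, kind, message) findings; names and kinds are hypothetical."""
    findings, seen, where = [], {}, "(no proxy section)"
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        sec, opt = SECTION.match(line), OPTION.match(line)
        if sec:
            kind, name = sec.groups()
            where = f"{kind} {name or '(unnamed)'}"
            if name in seen:  # simplified rule: any reuse of a section name
                findings.append((no, "name-conflict",
                                 f"{where} reuses the name of {seen[name]}"))
            elif name:
                seen[name] = f"{kind} at line {no}"
        elif opt:
            negated, name = opt.groups()
            if name in RENAMED:
                findings.append((no, "deprecated",
                                 f"{where}: '{name}' is now '{RENAMED[name]}'"))
            if not negated and (name in RENAMED or name in RENAMED.values()):
                findings.append((no, "unsafe-parsing",
                                 f"{where}: relaxed HTTP parsing, confirm it is still needed"))
    return findings
```

Calling audit(SAMPLE_CFG) reports the two name conflicts, the deprecated option name, and both sections where relaxed HTTP parsing is switched on.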