Hi,

HAProxy 3.2-dev13 was released on 2025/04/30. It added 82 new commits
after version 3.2-dev12.

The number of bug fixes remains stable, and the ones found are essentially
old ones, so it looks like we're getting rid of possible regressions.

The main changes in this version are:
  - more ACME updates: now the account key is automatically generated if
    not provided, and saved if referenced but not found, and the crt-base
    setting is applied to find the account key. A map can be automatically
    updated to map tokens to thumbprint so that a single http-request
    return line is sufficient to respond to them all. CLI command "acme ps"
    lists running tasks, and "show ssl sni -A -t ..." allows to list certs
    that are about to expire in less than the mentioned time.

  - the worker CLI's prompt can now support a similar "interactive but
    silent" mode just like the master. For this, the "prompt" command was
    extended to support "n" (non-interactive = single command and close),
    "i" (interactive) and "p" (prompt). The purpose is to make it easier
    to external agents such as the dataplane API to access the worker via
    the master by using the same prompt semantics, i.e. not flood the
    response path with useless prompts that the client has to drain. Now
    it's becoming more obvious that prompt mode is for humans and just
    interactive one is for agents. Entering the worker from the master
    with "@@" now applies the same mode in the worker as present in the
    master, so that it's transparent for all types of users.

  - QUIC: there's now a global setting "tune.quic.frontend.max-tx-mem" to
    apply a limit to the total memory that the QUIC tx buffers can
    consume. What it does is to moderate the congestion window so that the
    sum of the connections don't allocate more than that. This will make
    the whole thing much safer than it was till now. The default remains
    unchanged (i.e. no limitation).

  - The SSL code now has traces enabled. These are accessible under
    "trace ssl ..." on the CLI or in the traces section. It's a first
    attempt, though in my opinion they seem pretty well balanced. As
    usual for the traces, be careful with the early versions, they're
    mostly meant for developers but they can be useful for users. The
    amount of traffic they generate can have a performance impact, and
    the risk of a bug is never null on early batches.

  - Linux's TCP_NOTSENT_LOWAT is now supported in global tuning via
    tune.notsent-lowat.client and tune.notsent-lowat.server. This setting
    allows to limit the amount of kernel-side socket buffers to the strict
    minimum required by haproxy and for the non-acknowledged bytes. A few
    tests with this showed that I could easily divide the total socket
    memory by 10 thanks to no longer buffering more than necessary. Those
    running with high memory usages might be interested in giving it a
    try.

  - Lua will now try to yield more quickly after calling expensive
    internal functions. It was figured from a recent issue that a loop
    making many calls to server stats and likely a number of other
    internal accessors can cost a huge amount of CPU which will emit
    warnings. Identified ones were addressed, and now we have a solution
    if such expensive functions appear in the future. This will generally
    lower the overall latency when running such scripts, which is always
    welcome.

  - The Prometheus exporter now provides "current_session_rate".

  - DEBUG_THREAD now takes 3 values (0,1,2) instead of two, with the
    old one (full debugging) now being 2. At value 1 (now the default),
    an inexpensive lock history is recorded for each thread, which is
    supposed to help us better diagnose (or rule out) certain deadlock
    conditions in the future. It has no measurable impact, which is why
    it's enabled by default. But if you're developing and using
    -DDEBUG_THREAD, keep in mind to upgrade it to -DDEBUG_THREAD=2 to
    get the previous extra debugging.

  - a few internal changes to address a potential race condition between
    tasklet_kill() and running ones, that was not happening a bit by pure
    luck till now (it just happens the code never triggers the race). The
    tasklet API now has to return the tasklet if it didn't free it. That
    explains a part of the changes tagged "MEDIUM". We have no intent to
    backport that series at this point.

And the usual batch of build fixes, cleanup and doc updates.

We still have a few things pending. Some improvements for the stick-tables
locking that currently competes fiercely against the peers code, causing
watchdog warnings and even panics on heavily loaded machines. Honestly
there's nothing perfect that can be done in small increments but now we
have significant improvements that avoid huge latencies and also permit to
provide pretty nice overall perf gains, so we really have to merge them.

Some other fixes for long-lasting issues are in the pipe, one of them being
a better reporting for empty arguments in the config file, that cause the
rest of the line to be ignored (sometimes silently, which is very bad).
Another one concerns a better sanitizing of a few H2/H3 pseudo headers.

We're entering the small stuff (a lot of which will, as usual, be
forgotten until the last week). One point to note, we're entering May with
its usual batch of off-days here in France (one tomorrow) so I'm not
counting much on many updates in the forthcoming weeks, everything will
slow down quite a bit. And for the brave ones, there are still
presentations to prepare for the conference in one month. Thus my guess
is that we're approaching what looks like the final state of 3.2 now. I
really want to thank those who have reported issues recently. It's never
fun for us to discover horrible bugs that late in the cycle but it's way
better than discovering them after the release!

So please continue testing with your own configs and workloads, and
report what you find abnormal.

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (8):
      MINOR: quic: rename min/max fields for congestion window algo
      MINOR: quic: refactor BBR API
      BUG/MINOR: quic: ensure cwnd limits are always enforced
      MINOR: thread: define cshared type
      MINOR: quic: account for global congestion window
      MEDIUM: quic: limit global Tx memory
      MEDIUM: mux-quic: increase flow-control on each bufsize
      MINOR: mux-quic: limit emitted MSD frames count per qcs

Aurelien DARRAGON (11):
      DOC: config: fix ACME paragraph rendering issue
      DOC: config: clarify log-forward "host" option
      MINOR: promex: expose ST_I_PX_RATE (current_session_rate)
      MINOR: applet: add appctx_schedule() macro
      BUG/MINOR: dns: add tempo between 2 connection attempts for dns servers
      CLEANUP: dns: remove unused dns_stream_server struct member
      BUG/MINOR: dns: prevent ds accumulation within dss
      CLEANUP: proxy: mention that px->conn_retries isn't relevant in some cases
      MINOR: add hlua_yield_asap() helper
      MINOR: hlua_fcn: enforce yield after *_get_stats() methods
      DOC: config: restore default values for resolvers hold directive

Christopher Faulet (5):
      BUG/MEDIUM: mux-spop: Wait end of handshake to declare a spop connection ready
      BUG/MEDIUM: mux-spop: Handle CLOSING state and wait for AGENT DISCONNECT frame
      BUG/MINOR: mux-h1: Don't pretend connection was released for TCP>H1>H2 upgrade
      BUG/MINOR: mux-h1: Fix trace message in h1_detroy() to not relay on connection
      BUG/MINOR: mux-spop: Use the right bitwise operator in spop_ctl()

Lukas Tribus (1):
      DOC: ring: refer to newer RFC5424

Olivier Houchard (14):
      MEDIUM: checks: Make sure we return the tasklet from srv_chk_io_cb
      MEDIUM: listener: Make sure w ereturn the tasklet from accept_queue_process
      MEDIUM: mux_fcgi: Make sure we return the tasklet from fcgi_deferred_shut
      MEDIUM: quic: Make sure we return the tasklet from qcc_io_cb
      MEDIUM: quic: Make sure we return NULL in quic_conn_app_io_cb if needed
      MEDIUM: quic: Make sure we return the tasklet from quic_accept_run
      BUG/MAJOR: tasklets: Make sure he tasklet can't run twice
      MEDIUM: tasks: Mutualize code between tasks and tasklets.
      MEDIUM: tasks: More code factorization
      MEDIUM: tasks: Remove TASK_IN_LIST and use TASK_QUEUED instead.
      MINOR: tasks: Remove unused tasklet_remove_from_tasklet_list
      MEDIUM: tasks: Mutualize the TASK_KILLED code between tasks and tasklets
      BUG/MEDIUM: connections: Report connection closing in conn_create_mux()
      BUILD/MEDIUM: quic: Make sure we build with recent changes

Remi Tricot-Le Breton (11):
      MINOR: Add "sigalg" to "sigalg name" helper function
      MINOR: ssl: Add traces to ssl init/close functions
      MINOR: ssl: Add traces to recv/send functions
      MINOR: ssl: Add traces to ssl_sock_io_cb function
      MINOR: ssl: Add traces around SSL_do_handshake call
      MINOR: ssl: Add traces to verify callback
      MINOR: ssl: Add ocsp stapling callback traces
      MINOR: ssl: Add traces to the switchctx callback
      MINOR: ssl: Add traces about sigalg extension parsing in clientHello callback
      MINOR: Add 'conn' param to ssl_sock_chose_sni_ctx
      BUILD: ssl: Fix wolfssl build

William Lallemand (16):
      MINOR: ssl/cli: add a '-t' option to 'show ssl sni'
      BUG/MINOR: ssl/acme: free EVP_PKEY upon error
      MINOR: acme: separate the code generating private keys
      MINOR: acme: failure when no directory is specified
      MEDIUM: acme: generate the account file when not found
      MEDIUM: acme: use 'crt-base' to load the account key
      DOC: configuration: acme account key are auto generated
      CLEANUP: acme: remove old TODO for account key
      DOC: configuration: add quic4 to the ssl-f-use example
      BUG/MINOR: acme: does not try to unlock after a failed trylock
      BUG/MINOR: acme: creating an account should not end the task
      MEDIUM: acme: use a map to store tokens and thumbprints
      BUG/MINOR: acme: remove references to virt@acme
      MINOR: ssl/cli: "acme ps" shows the acme tasks
      MINOR: acme: acme_ctx_destroy() returns upon NULL
      MINOR: acme: use acme_ctx_destroy() upon error

Willy Tarreau (16):
      BUG/MAJOR: listeners: transfer connection accounting when switching listeners
      BUILD: acme: use my_strndup() instead of strndup()
      BUILD: leastconn: fix build warning when building without threads on old machines
      MINOR: threads: prepare DEBUG_THREAD to receive more values
      MINOR: threads: turn the full lock debugging to DEBUG_THREAD=2
      MEDIUM: threads: keep history of taken locks with DEBUG_THREAD > 0
      MINOR: threads/cli: display the lock history on "show threads"
      MEDIUM: thread: set DEBUG_THREAD to 1 by default
      MINOR: compiler: add more macros to detect macro definitions
      MINOR: cli: split APPCTX_CLI_ST1_PROMPT into two distinct flags
      MEDIUM: cli: make the prompt mode configurable between n/i/p
      MEDIUM: mcli: make the prompt mode configurable between i/p
      MEDIUM: mcli: replicate the current mode when enterin the worker process
      BUG/MINOR: mux-h2: fix the offset of the pattern for the ping frame
      MINOR: tcp: add support for setting TCP_NOTSENT_LOWAT on both sides
      MINOR: tools: make my_strndup() take a size_t len instead of and int
