Hi,

HAProxy 3.2-dev17 was released on 2025/05/21. It added 45 new commits after version 3.2-dev16.

During the more intense testing of this version, 3 scary but quite old bugs were found, in relation with leastconn + saturated queues. And while that makes adrenaline levels blow up during discovery, it also makes me think that if they've been there for a while, it's probably because we're now scraping the bottom of the barrel to find new bugs.

The recent watchdog fixes had reintroduced (in a different way) an issue by which it was possible to see a stuck task in some cases when two consecutive tasks had been interrupted by the alarm while working. This issue is also present in 3.1.7 and explains some occasional watchdog reports lately. This perfectly illustrates the principle of "backport only after a period of observation" that we're placing in some sensitive fixes' commit messages.

We've also addressed the detection of forbidden chars in the Host header, and limited the number of peers updates processed at once (those having huge buffers could get watchdogs on reload due to this).

While fixing a build warning on SLZ I noticed that we hadn't updated it, and the updates were minor enough so better take them now. That may result in slightly less CPU being used during compression with a slightly higher compression ratio (though we're speaking about single percent here).

The QUIC TLS API was ported to OpenSSL 3.5 so that the compat layer is not needed on this one. Thus it will work like with all other libs, except that it's a different API. But at least it makes sense that haproxy's LTS version supports the LTS openssl version released at the same time.

Lua now has its function to change the advertised body length of an HTTP message for those who replace contents (see HTTPMessage.set_body_len()).

The previously discussed ability to disable killing misbehaving connections when the CPU usage is low was implemented (see the global "tune.glitches.kill.cpu-usage" setting). The idea is that if you configure a glitches threshold but a misbehaving connection is harmless, sometimes it's fine not to kill it.

The acme subsystem now sends a notification over the DPAPI ring to inform it that certs had been renewed. This will permit the DPAPI to retrieve them and save them on disk.

There were a few more acme fixes and cleanups, and some build fixes for less common archs/platforms. More doc cleanups and updates, some tiny harmless code cleanups as well.

We've received an interesting patch that could theoretically improve performance on large modern ARM systems (Graviton4 etc). I just need more time to qualify the risk of performance degradation on current platforms, if any, and any possible alternatives if this does happen (it's during these tests that the leastconn bugs were spotted). This will now be for 3.3, with a possible later backport to 3.2 if we see that it does bring a real benefit.

Overall I don't expect to see many more changes before the release on next Wednesday. At this point I'm not even seeing what else to test so I'm going to revisit all announce messages to advance my work for the final announce. We'll also have to emit at least a new 3.1, and likely a new 3.0 as well. Not sure they'll be done before 3.2 though.

As usual, thanks to all testers and bug reporters!

Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Sources          : https://www.haproxy.org/download/3.2/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.2/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Amaury Denoyelle (7):
      BUG/MINOR: quic: fix crash on quic_conn alloc failure
      BUG/MEDIUM: mux-quic: fix BUG_ON() on rxbuf alloc error
      CLEANUP: quic: remove unused cbuf module
      MINOR: quic: move function to check stream type in utils
      MINOR: quic: refactor handling of streams after MUX release
      MINOR: quic: add some missing includes
      MINOR: quic: adjust quic_conn-t.h include list

Aurelien DARRAGON (1):
      BUG/MINOR: sink: detect and warn when using "send-proxy" options with ring servers

Baptiste Assmann (1):
      EXAMPLES: lua: avoid screen refresh effect in "trisdemo"

Basha Mougamadou (1):
      DOC: configuration: explicit multi-choice on bind shards option

Christopher Faulet (2):
      MEDIUM: hlua: Add function to change the body length of an HTTP Message
      BUG/MEDIUM: stconn: Disable 0-copy forwarding for filters altering the payload

Frederic Lecaille (7):
      CLEANUP: quic: Useless BIO_METHOD initialization
      MINOR: quic: Add useful error traces about qc_ssl_sess_init() failures
      MINOR: quic: Allow the use of the new OpenSSL 3.5.0 QUIC TLS API (to be completed)
      MINOR: quic: implement all remaining callbacks for OpenSSL 3.5 QUIC API
      MINOR: quic: OpenSSL 3.5 internal QUIC custom extension for transport parameters reset
      MINOR: quic: OpenSSL 3.5 trick to support 0-RTT
      DOC: update INSTALL for QUIC with OpenSSL 3.5 usages

William Lallemand (5):
      DOC: management: change reference to configuration manual
      MINOR: acme: renewal notification over the dpapi sink
      DOC: management: update 'acme status'
      BUG/MEDIUM: acme: check if acme domains are configured
      BUG/MINOR: acme: fix formatting issue in error and logs

Willy Tarreau (21):
      BUG/MEDIUM: peers: also limit the number of incoming updates
      BUG/MINOR: h3: don't insert more than one Host header
      BUG/MEDIUM: h1/h2/h3: reject forbidden chars in the Host header field
      DOC: config: properly index "table and "stick-table" in their section
      BUILD: debug: mark ha_crash_now() as attribute(noreturn)
      IMPORT: slz: avoid multiple shifts on 64-bits
      IMPORT: slz: support crc32c for lookup hash on sse4 but only if requested
      IMPORT: slz: use a better hash for machines with a fast multiply
      IMPORT: slz: fix header used for empty zlib message
      IMPORT: slz: silence a build warning on non-x86 non-arm
      BUG/MAJOR: leastconn: do not loop forever when facing saturated servers
      BUG/MAJOR: queue: properly keep count of the queue length
      BUG/MAJOR: leastconn: never reuse the node after dropping the lock
      BUG/MEDIUM: wdt: always ignore the first watchdog wakeup
      CLEANUP: wdt: clarify the comments on the common exit path
      BUILD: ssl: avoid possible printf format warning in traces
      BUILD: acme: fix build issue on 32-bit archs with 64-bit time_t
      DOC: management: precise some of the fields of "show servers conn"
      DOC: watchdog: update the doc to reflect the recent changes
      CLEANUP: cfgparse: alphabetically sort the global keywords
      MINOR: glitches: add global setting "tune.glitches.kill.cpu-usage"

---

