Hi, HAProxy 3.3-dev8 was released on 2025/09/05. It added 124 new commits after version 3.3-dev7.
The activity sped up a bit: I'm seeing around 45 patches which are bug fixes all over the place, plus some new features and architectural updates. I'll skip the bugs to focus on the rest:

  - rework of the server-side idle connections: working on QUIC backend support exhibited some limitations in the management of idle conns, which were related to runtime server deletion. The whole thing was reworked to be cleaner and more flexible, and it also addresses some possible corner cases that were not well handled previously. For example, deleting a server will now work more reliably because the preliminary shutdown kills idle connections as well (previously it didn't). Also, private connections can now be purged, which was not possible before (these are the connections in reuse-never mode or carrying basic auth).

  - the stats counters can now be preserved across reloads (experimental). By designating a shared file (preferably on a ramfs/tmpfs) with the "shm-stats-file" directive, the listener/frontend/backend/server counters are mapped there, and all processes attached to the same map use the same counters, i.e. the old, fading-away process can continue to update counters while its traffic finishes and the new process updates them too. There are some prerequisites though: just like with the stats-file that is meant to be loaded on startup, objects that produce such counters must have a GUID configured to uniquely identify them, so that config ordering, additions/removals etc. have no undesired effect. Note that it equally works across restarts or even crashes, as long as the restart is quick: each attached process emits a heartbeat to indicate its presence, and the file remains valid for some time after the last process has quit (I seem to remember it's 30s). Please give this a test, I know that some users were interested in seeing shared stats to get smooth transitions in their graphs. You might have great suggestions that would be better addressed before the release.

  - as previously discussed, there was an opportunity to change the default LB algorithm from "roundrobin" to "random", and it was well supported (approvals and no objection), so this was changed in this version. It only concerns configs which do not have the "balance" keyword or have it with no algorithm specified; the rest is of course unchanged.

  - in the last announcement we proposed to bump the minimum default Linux kernel version to 4.17, since it's older than all currently maintained LTS distros and allows us to enable KTLS support by default. Given that nobody objected either, this has now been done. Those who build on older kernels (unmaintained systems) can continue to do so using the linux-glibc-legacy target, or by keeping the same target and disabling unsupported settings (e.g. USE_KTLS=0).

  - we've seen an increase in configs that set no "user" directive and are started as root, hence run as root. From a security perspective this is bad practice, but given how some configs are generated and deployed nowadays, it feels very likely that users didn't even notice, and don't set a chroot etc. either. So a warning is now emitted when a config is started like this, suggesting to set a user or uid, either to something non-root to stay secure, or to root if that's really what is desired, in which case it becomes explicit. It then also recommends the use of a chroot, to encourage users to adopt secure practices.

  - another warning was added for static builds when user/group are used, because in such cases it's common that the names do not resolve properly (depending on how the libc delegates such resolutions to other libs), and we've even seen crashes in the libc itself (unchecked function returns, it seems).

  - the http-send-name-header directive is sometimes abused to a point where it denatures the HTTP protocol and violates its integrity in possibly dangerous ways, and it seems that users do not realize it. It's no longer permitted to set it to "connection", "content-length", "host" or "transfer-encoding". To be honest, I wouldn't be surprised if we discover horrors after the release justified by "for me it was convenient to do that", but at least it will make sure that users no longer expose themselves to dirty bugs or even smuggling, and that they properly configure their servers instead.

  - a warning is now emitted when "strict-sni" and "default-crt" are used together, because it makes no sense and likely results from a mistake or a misunderstanding.

  - the ACL parser was a bit lax and silently used the last matching method on a line if several were specified with "-m"; now it rejects such errors. In the same vein, some configs show a common mistake consisting in using a keyword that implies a match method but overriding it with another one, e.g. "path_beg -m reg" (hint: here it's the last one that takes effect). These ambiguous ones now emit a warning explaining how to fix them.

And the rest has less impact. We have a new "base2" converter to turn raw data or IP addresses into binary form, useful for combining address prefixes with other patterns in a single acl/map entry; new command-line options to show only the version in various forms (branch, base, full) using -vq/-vqb/-vqs; and various CLI, CI and DOC updates. There hasn't been much feedback on 3.3 during the summer vacation period; let's hope that persistent stats, KTLS and QUIC backend will encourage more testing from now on.
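For those who want to try the items above in one go, here is a small added example config (written for this announcement, not taken from the HAProxy tree or documentation) that sets an explicit non-root user plus chroot, attaches GUIDs to the objects whose counters should survive a reload, keeps strict-sni away from default-crt, uses a single "-m" per ACL, spells out "balance roundrobin" where round-robin ordering is actually wanted, and sends the server name in a custom header rather than one of the now-rejected names. The GUID values, addresses and paths are made up, and the exact argument form of "shm-stats-file" (a path to a file on tmpfs) is assumed from the description above; check the 3.3 docs before relying on it.

```haproxy
# Added example, not part of the 3.3-dev8 announcement or of HAProxy itself.
# All names, GUIDs, addresses and paths below are placeholders.
global
    # Explicit non-root identity + chroot: this is what the new root warning
    # nudges you towards, and it makes the choice visible in the config.
    user   haproxy
    group  haproxy
    chroot /var/lib/haproxy
    # The announcement calls the shared counters experimental; this line is
    # added defensively in case the directive is gated behind it.
    expose-experimental-directives
    # Assumed syntax: a path on a ramfs/tmpfs shared by the old and new
    # process so both keep updating the same counters across a reload.
    shm-stats-file /dev/shm/haproxy-stats

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    # Every object whose counters must be preserved needs a stable GUID,
    # so reordering or adding proxies in the config does not mix them up.
    guid fe-web
    # strict-sni on its own: adding default-crt next to it now warns.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    # One "-m" per ACL. "path_beg -m reg" would now warn that the _beg
    # suffix is overridden, so the regex match is written on "path".
    acl is_api    path -m reg ^/api/v[0-9]+/
    acl is_static path_beg /static/
    use_backend be_api    if is_api
    use_backend be_static if is_static
    default_backend be_static

backend be_api
    guid be-api
    # A bare "balance" (or none at all) now means "random"; say roundrobin
    # explicitly where the ordering matters to you.
    balance roundrobin
    # A custom header name is fine. "host", "connection", "content-length"
    # and "transfer-encoding" are now rejected at parse time, e.g.:
    #   http-send-name-header host   -> fatal config error in 3.3-dev8
    http-send-name-header X-Backend-Server
    server api1 10.0.0.11:8080 guid srv-api-1 check
    server api2 10.0.0.12:8080 guid srv-api-2 check

backend be_static
    guid be-static
    # No "balance" line here, so this backend uses the new default (random).
    server st1 10.0.0.21:8080 guid srv-static-1 check
```

Start it with the usual master-worker reload flow and watch the frontend/backend/server counters in "show stat" after a reload: with the GUIDs and the shared stats file in place they should continue from their previous values rather than restart at zero, which is the smooth-graph effect the announcement mentions.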
Please find the usual URLs below :
   Site index       : https://www.haproxy.org/
   Documentation    : https://docs.haproxy.org/
   Wiki             : https://github.com/haproxy/wiki/wiki
   Discourse        : https://discourse.haproxy.org/
   Slack channel    : https://slack.haproxy.org/
   Issue tracker    : https://github.com/haproxy/haproxy/issues
   Q&A from devs    : https://github.com/orgs/haproxy/discussions
   Sources          : https://www.haproxy.org/download/3.3/src/
   Git repository   : https://git.haproxy.org/git/haproxy.git/
   Git Web browsing : https://git.haproxy.org/?p=haproxy.git
   Changelog        : https://www.haproxy.org/download/3.3/src/CHANGELOG
   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest
   Pending bugs     : https://www.haproxy.org/l/pending-bugs
   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs
   Code reports     : https://www.haproxy.org/l/code-reports
   Latest builds    : https://www.haproxy.org/l/dev-packages

Willy
---
Complete changelog :
Alexander Stephan (6):
      BUG/MINOR: halog: Add OOM checks for calloc() in filter_count_srv_status() and filter_count_url()
      BUG/MINOR: log: Add OOM checks for calloc() and malloc() in logformat parser and dup_logger()
      BUG/MINOR: acl: Add OOM check for calloc() in smp_fetch_acl_parse()
      BUG/MINOR: cfgparse: Add OOM check for calloc() in cfg_parse_listen()
      BUG/MINOR: compression: Add OOM check for calloc() in parse_compression_options()
      BUG/MINOR: tools: Add OOM check for malloc() in indent_msg()

Amaury Denoyelle (44):
      BUG/MEDIUM: mux-h2: fix crash on idle-ping due to unwanted ABORT_NOW
      BUG/MEDIUM: quic: reset padding when building GSO datagrams
      BUG/MINOR: quic: do not emit probe data if CONNECTION_CLOSE requested
      BUG/MAJOR: quic: fix INITIAL padding with probing packet only
      BUG/MINOR: quic: don't coalesce probing and ACK packet of same type
      MINOR: quic: centralize padding for HP sampling on packet building
      BUG/MINOR: connection: rearrange union list members
      BUG/MINOR: connection: remove extra session_unown_conn() on reverse
      MINOR: cli: display failure reason on wait command
      BUG/MINOR: server: decrement session idle_conns on del server
      BUG/MINOR: mux-quic: do not access conn after idle list insert
      MINOR: session: document explicitely that session_add_conn() is safe
      MINOR: session: uninline functions related to BE conns management
      MINOR: session: refactor alloc/lookup of sess_conns elements
      MEDIUM: session: protect sess conns list by idle_conns_lock
      MINOR: server: shard by thread sess_conns member
      MEDIUM: server: close new idle conns if server in maintenance
      MEDIUM: session: close new idle conns if server in maintenance
      MINOR: server: cleanup idle conns for server in maint already stopped
      MINOR: muxes: enforce thread-safety for private idle conns
      MEDIUM: conn/muxes/ssl: reinsert BE priv conn into sess on IO completion
      MEDIUM: conn/muxes/ssl: remove BE priv idle conn from sess on IO
      MEDIUM: mux-quic: enforce thread-safety of backend idle conns
      MAJOR: server: implement purging of private idle connections
      MEDIUM: session: account on server idle conns attached to session
      MAJOR: server: do not remove idle conns in del server
      MINOR: muxes: adjust takeover with buf_wait interaction
      OPTIM: backend: set release on takeover for strict maxconn
      MINOR: doc: add missing statistics column
      MINOR: doc: add missing statistics column
      MINOR: stats: display new curr_sess_idle_conns server counter
      MINOR: proxy: extend "show servers conn" output
      BUG/BUILD: stats: fix build due to missing stat enum definition
      BUG/MAJOR: mux-quic: fix crash on reload during emission
      MINOR: conn/muxes/ssl: add ASSUME_NONNULL() prior to _srv_add_idle
      MINOR: quic/flags: complete missing flags
      BUG/MINOR: quic: fix room check if padding requested
      BUG/MINOR: quic: fix padding issue on INITIAL retransmit
      BUG/MINOR: quic: pad Initial pkt with CONNECTION_CLOSE on client
      MEDIUM: quic: strengthen BUG_ON() for unpad Initial packet on client
      BUG/MINOR: check: ensure check-reuse is compatible with SSL
      BUG/MINOR: check: fix dst address when reusing a connection
      BUG/MEDIUM: conn: fix UAF on connection after reversal on edge
      BUG/MINOR: connection: streamline conn detach from lists

Aurelien DARRAGON (17):
      MINOR: http_ana: fix typo in http_res_get_intercept_rule
      BUG/MEDIUM: http_ana: handle yield for "stats http-request" evaluation
      MINOR: haproxy: abort config parsing on fatal errors for post parsing hooks
      MEDIUM: server: split srv_init() in srv_preinit() + srv_postinit()
      MINOR: proxy: handle shared listener counters preparation from proxy_postcheck()
      MINOR: counters: retrieve detailed errmsg upon failure with counters_{fe,be}_shared_prepare()
      MINOR: stats-file: introduce shm-stats-file directive
      MEDIUM: stats-file: processes share the same clock source from shm-stats-file
      MINOR: stats-file: add process slot management for shm stats file
      MEDIUM: stats-file/counters: store and preload stats counters as shm file objects
      DOC: config: document "shm-stats-file" directive
      OPTIM: stats-file: don't unnecessarily die hard on shm_stats_file_reuse_object()
      MINOR: compiler: add ALWAYS_PAD() macro
      BUILD: stats-file: fix aligment issues
      MINOR: stats-file: reserve some bytes in exported structs
      MEDIUM: stats-file: add some BUG_ON() guards to ensure exported structs are not changed by accident
      BUG/MINOR: log: fix potential memory leak upon error in add_to_logformat_list()

Christopher Faulet (15):
      BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval
      MINOR: applet: Rely on applet flag to detect the new api
      MINOR: applet: Add function to test applet flags from the appctx
      MINOR: applet: Add a flag to know an applet is using HTX buffers
      MINOR: applet: Make some applet functions HTX aware
      MEDIUM: applet: Set .rcv_buf and .snd_buf functions on default ones if not set
      BUG/MEDIUM: mux-spop: Reject connection attempts from a non-spop frontend
      BUG/MEDIUM: spoe: Improve error detection in SPOE applet on client abort
      MEDIUM: proxy: Reject some header names for 'http-send-name-header' directive
      REG-TESTS: map_redirect: Don't use hdr_dom in ACLs with "-m end" matching method
      MINOR: acl: Only allow one '-m' matching method
      MINOR: acl; Warn when matching method based on a suffix is overwritten
      BUG/MEDIUM: server: Duplicate healthcheck's alpn inherited from default server
      BUG/MINOR: server: Duplicate healthcheck's sni inherited from default server
      BUG/MINOR: acl: Properly detect overwritten matching method

Collison, Steven (1):
      DOC: proxy-protocol: Make example for PP2_SUBTYPE_SSL_SIG_ALG accurate

Frederic Lecaille (11):
      BUG/MINOR: quic-be: missing Initial packet number space discarding
      BUG/MEDIUM: quic-be: crash after backend CID allocation failures
      BUG/MEDIUM: quic-be: avoid crashes when releasing Initial pktns
      BUG/MINOR: quic: reorder fragmented RX CRYPTO frames by their offsets
      MINOR: quic: remove ->offset qf_crypto struct field
      BUG/MINOR: mux-quic: trace with non initialized qcc
      CLEANUP: quic: remove a useless CRYPTO frame variable assignment
      BUG/MEDIUM: quic: CRYPTO frame freeing without eb_delete()
      BUG/MINOR: quic: ignore AGAIN ncbuf err when parsing CRYPTO frames
      MINOR: quic: Add more information about RX packets
      BUG/MEDIUM: quic-be: too early SSL_SESSION initialization

Ilia Shipitsin (1):
      CI: fix syntax of Quic Interop pipelines

Maximilian Moehl (1):
      MINOR: sample: Add base2 converter

Nikita Kurashkin (1):
      MINOR: version: add -vq, -vqb, and -vqs flags for concise version output

Valentine Krasnobaeva (2):
      MINOR: dns: dns_connect_nameserver: fix fd leak at error path
      BUG/MINOR: acl: set arg_list->kw to aclkw->kw string literal if aclkw is found

William Lallemand (12):
      BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind
      REGTESTS: jwt: create dynamically "cert.ecdsa.pem"
      DOC: configuration: reword 'generate-certificates'
      MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used
      MEDIUM: ssl: convert diag to warning for strict-sni + default-crt
      DOC: configuration: clarify 'default-crt' and implicit default certificates
      BUG/MEDIUM: mworker: fix startup and reload on macOS
      BUILD: mworker: fix ignoring return value of 'read'
      DOC: unreliable sockpair@ on macOS
      DOC: configuration: confuse "strict-mode" with "zero-warning"
      DOC: configuration: rework the jwt_verify keyword documentation
      MEDIUM: cfgparse: warn when using user/group when built statically

Willy Tarreau (13):
      BUG/MINOR: haproxy: be sure not to quit too early on soft stop
      BUILD: acl: silence a possible null deref warning in parse_acl_expr()
      BUG/MEDIUM: stick-tables: don't leave the expire loop with elements deleted
      BUG/MINOR: stick-tables: never leave used entries without expiration
      BUG/MEDIUM: peers: don't fail twice to grab the update lock
      MINOR: stick-tables: limit the number of visited nodes during expiration
      OPTIM: stick-tables: exit expiry faster when the update lock is held
      REGTESTS: explicitly use "balance roundrobin" where RR is needed
      MAJOR: backend: switch the default balancing algo to "random"
      MEDIUM: init: always warn when running as root without being asked to
      BUILD: trace: silence a bogus build warning at -Og
      MINOR: trace: accept trace spec right after "-dt" on the command line
      BUILD: makefile: bump the default minimum linux version to 4.17
---

