Hi,
HAProxy 3.2.8 was released on 2025/11/07. It added 24 new commits
after version 3.2.7.
No serious bugs were fixed in this version, but a bunch of annoying ones,
which made it worth producing a new release.
Overall, we have this:
- a fix for applets (e.g. CLI) that could trigger the spinning loop
detection when doing lots of round-trips, for example when uploading
a large map one command at a time at a high speed. This fix also has
the benefit of no longer causing single LF characters to be emitted
for batched updates, so that socat's CPU usage drops from 100% to 0,
i.e. it's no longer the bottleneck.
- a case of rare crashes was addressed when idle connections are purged,
woken up and reused at the same time. Most users will never notice it,
we triggered it around 500k req/s on 128 threads...
- internal fixes for MT lists that could permit the compiler to do some
updates in a bad order, causing deadlocks. It was only met in
stress-testing.
- the condition that decides whether to produce HTTP status 414 or 431
was incorrect and would only produce 414 (URI too long).
- occasionally when deleting a server, if a last request had arrived on
the server at the moment it was about to be deleted, a pointer to the
server ("ready_srv") could stay in the proxy and cause crashes when
idle connections would try to pick that one.
- updating a CA from the CLI could occasionally cause a crash due to
objects being still referenced.
- the dns-01 challenge emitted in the log could contain garbage from
the trash buffer.
- the dns-accept-family setting was only evaluated when resolving A/AAAA
records, but was ignored for SRV responses.
- the DNS round robin was not very fair when CNAMEs were used since queries
were being accounted for. This has been refined.
- on some rare occasions, stick-table keys of type strings could
sometimes be incorrectly indexed with some extra bytes past the final
zero and appear as duplicates, causing entries to get mixed. This is
one of the longest living bugs we've had, it's been there since the
feature was implemented in 1.4-dev7 almost 16 years ago!
- default HTTP 405, 431 and 501 error files had an incorrect content
length that would probably cause the front connections to be closed
after the response.
A few additions were also made, such as the srv_is_up() converter, which
takes a server name on input and returns true if it's up, and
ssl_fc_early_rcvd() which indicates if some early data were received on
a connection (and not just if the connection only had early data). The
rest is small doc updates and minor changes.
I'd say that if your version is working well for you, there's no rush to
update. In addition, Olivier and Christopher just found the likely cause of
some occasional peers desynchronization, so depending on the forthcoming
tests and demands, we may possibly emit a new one with this fixed soon,
since it looks like one of the last few known pending bugs affecting 3.2.
Please find the usual URLs below :
Site index : https://www.haproxy.org/
Documentation : https://docs.haproxy.org/
Wiki : https://github.com/haproxy/wiki/wiki
Discourse : https://discourse.haproxy.org/
Slack channel : https://slack.haproxy.org/
Issue tracker : https://github.com/haproxy/haproxy/issues
Q&A from devs : https://github.com/orgs/haproxy/discussions
Sources : https://www.haproxy.org/download/3.2/src/
Git repository : https://git.haproxy.org/git/haproxy-3.2.git/
Git Web browsing : https://git.haproxy.org/?p=haproxy-3.2.git
Changelog : https://www.haproxy.org/download/3.2/src/CHANGELOG
Dataplane API : https://github.com/haproxytech/dataplaneapi/releases/latest
Pending bugs : https://www.haproxy.org/l/pending-bugs
Reviewed bugs : https://www.haproxy.org/l/reviewed-bugs
Code reports : https://www.haproxy.org/l/code-reports
Latest builds : https://www.haproxy.org/l/dev-packages
Willy
---
Complete changelog :
Amaury Denoyelle (1):
OPTIM: backend: skip conn reuse for incompatible proxies
Chris Staite (2):
MINOR: backend: srv_queue helper
MINOR: backend: srv_is_up converter
Christopher Faulet (2):
BUG/MEDIUM: applet: Improve again spinning loops detection with the new
API
BUG/MINOR: resolvers: Apply dns-accept-family setting on additional
records
Damien Claisse (1):
BUG/MINOR: resolvers: ensure fair round robin iteration
Huangbin Zhan (1):
MINOR: http: fix 405,431,501 default errorfile
Maximilian Moehl (1):
BUG/MEDIUM: mux-h1: fix 414 / 431 status code reporting
Olivier Houchard (2):
BUG/MEDIUM: mt_lists: Avoid el->prev = el->next = el
BUG/MEDIUM: mt_list: Use atomic operations to prevent compiler optims
Remi Tricot-Le Breton (2):
BUG/MEDIUM: ssl: Crash because of dangling ckch_store reference in a ckch
instance
BUG/MINOR: init: Do not close previously created fd in stdio_quiet
William Lallemand (3):
BUG/MINOR: ssl: returns when SSL_CTX_new failed during init
SCRIPTS: build-ssl: fix rpath in AWS-LC install for openssl and bssl bin
BUG/MINOR: acme: wrong dns-01 challenge in the log
Willy Tarreau (9):
BUG/MINOR: stick-tables: properly index string-type keys
MINOR: applet: do not put SE_FL_WANT_ROOM on rcv_buf() if the channel is
empty
MINOR: cli: create cli_raw_rcv_buf() from the generic applet_raw_rcv_buf()
BUG/MEDIUM: cli: do not return ACKs one char at a time
DOC: config: slightly clarify the ssl_fc_has_early() behavior
MINOR: ssl-sample: add ssl_fc_early_rcvd() to detect use of early data
BUG/MEDIUM: mux-h2: make sure not to move a dead connection to idle
BUG/MEDIUM: connections: permit to permanently remove an idle conn
BUG/MEDIUM: server: close a race around ready_srv when deleting a server
---
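The errorfile item above (405, 431 and 501 shipped with an incorrect content length) is a defect that custom error files can carry as well. The following is an added example, not part of the announcement or of HAProxy's code: a check that a raw HTTP response file declares a Content-Length equal to its real body size. The names `check_errorfile` and `make_sample` and the sample response are constructed for illustration.

```python
import re

def check_errorfile(raw: bytes):
    """Return (ok, declared, actual, reason) for a raw HTTP response file."""
    sep = re.search(rb"\r?\n\r?\n", raw)  # end of headers, CRLF or bare LF
    if sep is None:
        return (False, None, None, "no blank line between headers and body")
    head, body = raw[:sep.start()], raw[sep.end():]
    lines = re.split(rb"\r?\n", head)
    if not re.match(rb"HTTP/\d\.\d \d{3}( |$)", lines[0]):
        return (False, None, len(body), "malformed status line")
    declared = set()
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"content-length":
            declared.add(value.strip())
    if not declared:
        return (False, None, len(body), "no Content-Length header")
    if len(declared) > 1:
        return (False, None, len(body), "conflicting Content-Length headers")
    value = declared.pop()
    if not value.isdigit():
        return (False, None, len(body), "non-numeric Content-Length")
    n = int(value)
    if n != len(body):
        return (False, n, len(body), "Content-Length does not match body size")
    return (True, n, len(body), "ok")

# Constructed sample body and response, not copied from HAProxy's defaults.
BODY = b"<html><body><h1>431 Request Header Fields Too Large</h1>\n</body></html>\n"

def make_sample(declared_len: int) -> bytes:
    """Build a sample error response that declares the given length."""
    return (b"HTTP/1.1 431 Request Header Fields Too Large\r\n"
            b"Content-Length: " + str(declared_len).encode() + b"\r\n"
            b"Cache-Control: no-cache\r\n"
            b"Content-Type: text/html\r\n\r\n" + BODY)

if __name__ == "__main__":
    for label, declared in (("correct", len(BODY)), ("wrong", len(BODY) + 5)):
        print(label, check_errorfile(make_sample(declared)))
```

To check a real file, pass the bytes read from it in binary mode, since newline translation would change the body size.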