Hi,
HAProxy 2.8.0 was released on 2023/05/31. It added 27 new commits
after version 2.8-dev13.
Only a small minor issues were addressed this time, the rest was
mostly doc polishing and cleanups. 2.8 is entering LTS status and will
be supported till 2028-Q2, and 2.9-dev0 was just created to pursue the
development, with an expected release around end of November this year.
Let's try to summarize the changes from 37 participants in the 1382
commits that were merged since 2.7.0 from a high level perspective:
- Lua/Mailers: there's now a full-Lua implementations of the mailers
subsystem. It's provided as a Lua script (examples/lua/mailers.lua)
which relies on the new internal event notification API. As such the
script subscribes to server state change events and emits mails when
the defined criteria are matched. It continues to rely on the
"mailers" section, but being a Lua script, it's totally customizable.
You can imagine to change the contents, change the notification
conditions, send to multiple destinations etc. With this change, the
internal Lua view of the servers was made fully dynamic so that added
or removed servers are always seen in their current state. In fact the
new event notification API goes way beyond this but better read the Lua
API documentation to know more. The next step will be to completely
deprecate the old Mailers subsystem in 2.9 and 3.0 and to remove it in
3.1.
- HTTP/2 is advertised by default in ALPN on TLS listeners. It was about
time, 5 years have passed since it was introduced, it's been enabled by
default in clear text as an HTTP/1 upgrade for 4 years, yet some users
do not know how to enable it. From now on, ALPN defaults to "h2,http/1.1"
on TCP and "h3" on QUIC so that these protocol versions work by default.
It's still possible to set/reset the ALPN to disable them of course. The
old concern some users were having about window sizes was addressed by
having a setting for each side (front vs back).
- Threading: thread groups are now usable by default by "bind" lines
without requiring to replicate these lines once per thread group. This
means that by default a bind line is bound to all threads, regardless
of the number of groups (up to 64 groups of 64 threads or 4096 threads
total). As such it becomes possible to enable multiple groups on a large
system to benefit from all the processing power available if you're
running heavy rules, Lua, compression, SSL or whatever. We still default
to a single NUMA node because the cases where it brings solid benefits
are not frequent enough, compared to the cost of having more listening
sockets. Note that on systems with non-uniform L3 caches like AMD EPYC,
this can bring important performance gains with only one setting in the
config. We noticed a doubling of the request rate on a 24-core EPYC 74F3
by enabling 8 groups instead of the default 1, to map to the L3 cache
topology. The maximum tested so far was 224 threads with 4 & 8 groups on
a dual-socket intel Sapphire Rapids system. That was blazingly fast :-)
- SSL: there are quite a bunch of updates on the SSL front in this release:
- it's possible to adjust the signature algorithms to improve
interoperability with some other TLSv1.2/1.3 clients. These
algorithms are used to sign the ephemeral keys used during the
handshake. Changing these algorithms are useful for buggy clients
that negociate algorithms they don't support. Though the usage is
very specific. It's also possible to adjust this parameter for
Client Authentication.
- SSL hanshake failure logs now dump the OpenSSL error string by
default. No need to configure an error-log-format anymore to show
details on the handshake error. It can be helpful to debug SSL
problems (e.g. you'll now see "tlsv1 alert unknown ca" instead
of just "SSL handshake failure").
- OCSP: in 2.8 the OCSP responses for certificates can be automatically
updated by a background task (by default every 5 minutes) so that it is
no longer necessary to feed them over the CLI from an external script.
Of course, this requires that your load balancers have outgoing HTTP
access. This is enabled in crt-list files by adding "ocsp-update on" on
the certificate's line. All this is observable on the CLI via
"show ssl-ocsp-update" and "show ssl-ocsp-response".
- LetsEncrypt: there's an acme.sh script in admin/acme.sh that can be used
with your existing deployments (pull request for upstream still pending).
It will permit to handle the renewal of LE certificates in stateless mode
with no hassle (no need to proxy to a local port anymore).
- OpenSSL: version 3.1 is now supported. It's less slow than 3.0 but still
significantly slower than 1.1.1, but might be usable for most users with
a low enough traffic.
- wolfSSL: we've worked quite a bit with the wolfSSL team to make sure
their latest version w
