Released version 1.9-dev3 with the following main changes :
- BUG/MINOR: h1: don't consider the status for each header
- MINOR: h1: report in the h1m struct if the HTTP version is 1.1 or above
- MINOR: h1: parse the Connection header field
- DOC: Fix typos in lua documentation
- MINOR: h1: Add H1_MF_XFER_LEN flag
- MINOR: http: add http_hdr_del() to remove a header from a list
- MINOR: h1: add headers to the list after controls, not before
- MEDIUM: h1: better handle transfer-encoding vs content-length
- MEDIUM: h1: deduplicate the content-length header
- BUG/MEDIUM: patterns: fix possible double free when reloading a pattern list
- BUG/MEDIUM: h1: Really skip all updates when incomplete messages are parsed
- CLEANUP/CONTRIB: hpack: remove some h1 build warnings
- BUG/MINOR: tools: fix set_net_port() / set_host_port() on IPv4
- BUG/MINOR: cli: make sure the "getsock" command is only called on connections
- MINOR: stktable: provide an unchecked version of stktable_data_ptr()
- MINOR: stream-int: make si_appctx() never fail
- BUILD: ssl_sock: remove build warnings on potential null-derefs
- BUILD: stats: remove build warnings on potential null-derefs
- BUILD: stream: address null-deref build warnings at -Wextra
- BUILD: http: address a couple of null-deref warnings at -Wextra
- BUILD: log: silent build warnings due to unchecked __objt_{server,applet}
- BUILD: dns: fix null-deref build warning at -Wextra
- BUILD: checks: silence a null-deref build warning at -Wextra
- BUILD: connection: silence a couple of null-deref build warnings at -Wextra
- BUILD: backend: fix 3 build warnings related to null-deref at -Wextra
- BUILD: sockpair: silence a build warning at -Wextra
- BUILD: build with -Wextra and sort out certain warnings
- BUG/CRITICAL: hpack: fix improper sign check on the header index value
- BUG/MEDIUM: http: Don't parse chunked body if there is no input data
- DOC: Update configuration doc about the maximum number of stick counters.
- BUG/MEDIUM: process_stream: Don't use si_cs_io_cb() in process_stream().
- MINOR: h2/stream_interface: Reintroduce te wake() method.
- BUG/MEDIUM: h2: Wake the task instead of calling h2_recv()/h2_process().
- BUG/MEDIUM: process_stream(): Don't wake the task if no new data was received.
- MEDIUM: lua: Add stick table support for Lua.
This ads support for accessing stick tables from Lua. The supported
operations are reading general table info, lookup by string/IP key, and
dumping the table.
Similar to "show table", a data filter is available during dump, and as
an improvement over "show table" it's possible to use up to 4 filter
expressions instead of just one (with implicit AND clause binding the
expressions). Dumping with/without filters can take a long time for
large tables, and should be used sparingly.
Released version 1.9-dev2 with the following main changes :
- BUG/MINOR: buffers: Fix b_slow_realign when a buffer is realign without output
- BUG/MEDIUM: threads: fix the no-thread case after the change to the sync point
- BUG/MEDIUM: servers: check the queues once enabling a server
- BUG/MEDIUM: queue: prevent a backup server from draining the proxy's connections
- MEDIUM: mux: Remove const on the buffer in mux->snd_buf()
- CLEANUP: backend: Move mux install to call it at only one place
- MINOR: conn_stream: add an tx buffer to the conn_stream
- MINOR: conn_stream: add cs_send() as a default snd_buf() function
- MINOR: backend: Try to find the best mux for outgoing connections
- MEDIUM: backend: don't rely on mux_pt_ops in connect_server()
- MINOR: mux: Add info about the supported side in alpn_mux_list structure
- MINOR: mux: Unlink ALPN and multiplexers to rather speak of mux protocols
- MINOR: mux: Print the list of existing mux protocols during HA startup
- MEDIUM: checks: use the new rendez-vous point to spread check result
- MEDIUM: haproxy: don't use sync_poll_loop() anymore in the main loop
- MINOR: threads: remove the previous synchronization point
- MAJOR: server: make server state changes synchronous again
- CLEANUP: server: remove the update list and the update lock
- BUG/MINOR: threads: Remove the unexisting lock label "UPDATED_SERVERS_LOCK"
- BUG/MEDIUM: stream_int: Don't check CO_FL_SOCK_RD_SH flag to trigger cs receive
- MINOR: mux: Change get_mux_proto to get an ist as parameter
- MINOR: mux: Improve the message with the list of existing mux protocols
- MINOR: mux/frontend: Add 'proto' keyword to force the mux protocol
- MINOR: mux/server: Add 'proto' keyword to force the multiplexer's protocol
- MEDIUM: mux: Use the mux protocol specified on bind/server lines
- BUG/MEDIUM: connection/mux: take care of serverless proxies
- MINOR: queue: make sure the pendconn is released before logging
- MINOR: stream: rename {srv,prx}_queue_size to *_queue_pos
- MINOR: queue: store the queue index in the stream when enqueuing
- MINOR: queue: replace the linked list with a tree
- MEDIUM: add set-priority-class and set-priority-offset
- MEDIUM: queue: adjust position based on priority-class and priority-offset
- DOC: update the roadmap about priority queues
- BUG/MINOR: ssl: empty connections reported as errors.
- MINOR: connections: Make rcv_buf mandatory and nuke cs_recv().
- MINOR: connections: Move rxbuf from the conn_stream to the h2s.
- MINOR: connections: Get rid of txbuf.
- MINOR: tasks: Allow tasklet_wakeup() to wakeup a task.
- MINOR: connections/mux: Add the wait reason(s) to wait_list.
- MINOR: stream_interface: Don't use si_cs_send() as a task handler.
- MINOR: stream_interface: Give stream_interface its own wait_list.
- MINOR: mux_h2: Don't use h2_send() as a callback.
- MINOR: checks: Add event_srv_chk_io().
- BUG/MEDIUM: tasks: Don't insert in the global rqueue if nbthread == 1
- BUG/MEDIUM: sessions: Don't use t->state.
- BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle.
- BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error.
- BUG/MINOR: map: fix map_regm with backref
- DOC: dns: explain set server ... fqdn requires resolver
- DOC: add documentation for prio_class and prio_offset sample fetches.
- DOC: ssl: Use consistent naming for TLS protocols
- DOC: update the layering design notes
- MINOR: tasks: Don't special-case when nbthreads == 1
- MINOR: fd cache: And the thread_mask with all_threads_mask.
- BUG/MEDIUM: lua: socket timeouts are not applied
- BUG/MINOR: lua: fix extra 500ms added to socket timeouts
- BUG/MEDIUM: server: update our local state before propagating changes
- BUG/MEDIUM: cli/threads: protect all "proxy" commands against concurrent updates
- DOC: server/threads: document which functions need to be called with/without locks
- BUG/MEDIUM: cli/threads: protect some server commands against concurrent operations
- BUG/MEDIUM: streams: Don't forget to remove the si from the wait list.
- BUG/MEDIUM: tasklets: Add the thread as active when waking a tasklet.
- BUG/MEDIUM: stream-int: Check if the conn_stream exist in si_cs_io_cb.
- BUG/MEDIUM: H2: Activate polling after successful h2_snd_buf().
- BUG/MEDIUM: stream_interface: Call the wake callback after sending.
- BUG/MAJOR: queue/threads: make pendconn_redistribute not lock the server
- BUG/MEDIUM: connection: don't forget to always delete the list's head
- BUG/MEDIUM: lb/threads: always properly lock LB algorithms on maintenance operations
- BUG/MEDIUM: check/threads: do not involve the rendez-vous point for status updates
- BUG/MINOR: chunks: do not store -1 into chunk_printf() in case of error
- BUG/MEDIUM: http: don't store exp_replace() result in the trash's length
- BUG/MEDIUM: http: don't store url_decode() result in the samples's length
- BUG/MEDIUM: dns: don't store dns_build_query() result in the trash's length
- BUG/MEDIUM: map: don't store exp_replace() result in the trash's length
- BUG/MEDIUM: connection: don't store recv() result into trash.data
- BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length
- MINOR: chunk: remove impossible tests on negative chunk->data
- MINOR: sample: remove impossible tests on negative smp->data.u.str.data
- DOC: Fix spelling error in configuration doc
- REGTEST/MINOR: Missing mandatory "ignore_unknown_macro".
- REGTEST/MINOR: Add a new class of regression testing files.
- BUG/MEDIUM: unix: provide a ->drain() function
- MINOR: connection: make conn_sock_drain() work for all socket families
- BUG/MINOR: lua: Bad HTTP client request duration.
- REGEST/MINOR: Add reg testing files.
- BUG/MEDIUM: mux_pt: dereference the connection with care in mux_pt_wake()
- REGTEST/MINOR: Add a reg testing file for b406b87 commit.
- BUG/MEDIUM: lua: reset lua transaction between http requests
- MINOR: add be_conn_free sample fetch
- MINOR: Add srv_conn_free sample fetch
- BUG/MEDIUM: hlua: Make sure we drain the output buffer when done.
- MINOR: checks: Call wake_srv_chk() when we can finally send data.
- BUG/MEDIUM: stream_interface: try to call si_cs_send() earlier.
- BUG/MAJOR: thread: lua: Wrong SSL context initialization.
- REGTEST/MINOR: Add a reg testing file for 3e60b11.
- BUG/MEDIUM: hlua: Don't call RESET_SAFE_LJMP if SET_SAFE_LJMP returns 0.
- REGTEST/MINOR: lua: Add reg testing files for 70d318c.
- BUG/MEDIUM: dns/server: fix incomatibility between SRV resolution and server state file
- BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1
- MINOR: tools: make date2str_log() take some consts
- MINOR: thread: implement HA_ATOMIC_XADD()
- BUG/MINOR: stream: use atomic increments for the request counter
- BUG/MEDIUM: session: fix reporting of handshake processing time in the logs
- BUG/MEDIUM: h2: fix risk of memory leak on malformated wrapped frames
- BUG/MAJOR: buffer: fix incorrect check in __b_putblk()
- MINOR: log: move the log code to sess_build_logline() to add extra arguments
- MINOR: log: make the backend fall back to the frontend when there's no stream
- MINOR: log: make sess_build_logline() not dereference a NULL stream for txn
- MINOR: log: don't unconditionally pick log info from s->logs
- CLEANUP: log: make the low_level lf_{ip,port,text,text_len} functions take consts
- MINOR: log: keep a copy of the backend connection early in sess_build_logline()
- MINOR: log: do not dereference a null stream to access captures
- MINOR: log: be sure not to dereference a null stream for a target
- MINOR: log: don't check the stream-int's conn_retries if the stream is NULL
- MINOR: log: use NULL for the unique_id if there is no stream
- MINOR: log: keep a copy of s->flags early to avoid a dereference
- MINOR: log: use zero as the request counter if there is no stream
- MEDIUM: log: make sess_build_logline() support being called with no stream
- MINOR: log: provide a function to emit a log for a session
- MEDIUM: h2: produce some logs on early errors that prevent streams from being created
- BUG/MINOR: h1: fix buffer shift after realignment
- MINOR: connection: make the initialization more consistent
- MINOR: connection: add new function conn_get_proxy()
- MINOR: connection: add new function conn_is_back()
- MINOR: log: One const should be enough.
- BUG/MINOR: dns: check and link servers' resolvers right after config parsing
- BUG/MINOR: http/threads: atomically increment the error snapshot ID
- MINOR: snapshot: restart on the event ID and not the stream ID
- MINOR: snapshot: split the error snapshots into common and proto-specific parts
- MEDIUM: snapshot: start to reorder the HTTP snapshot output a little bit
- MEDIUM: snapshot: implement a show() callback and use it for HTTP
- MINOR: proxy: add a new generic proxy_capture_error()
- MINOR: http: make the HTTP error capture rely on the generic proxy code
- MINOR: http: remove the pointer to the error snapshot in http_capture_bad_message()
- REORG: cli: move the "show errors" handler from http to proxy
- BUG/MEDIUM: snapshot: take the proxy's lock while dumping errors
- MEDIUM: snapshots: dynamically allocate the snapshots
- MEDIUM: snapshot: merge the captured data after the descriptor
- MEDIUM: mworker: remove register/unregister signal functions
- MEDIUM: mworker: use the haproxy poll loop
- BUG/MINOR: mworker: no need to stop peers for each proxy
- MINOR: mworker: mworker_cleanlisteners() delete the listeners
- MEDIUM: mworker: block SIGCHLD until the master is ready
- MEDIUM: mworker: never block SIG{TERM,INT} during reload
- MEDIUM: startup: unify signal init between daemon and mworker mode
- MINOR: mworker: don't deinit the poller fd when in wait mode
- MEDIUM: mworker: master wait mode use its own initialization
- MEDIUM: mworker: replace the master pipe by socketpairs
- MINOR: mworker: keep and clean the listeners
- MEDIUM: threads: close the thread-waker pipe during deinit
- MEDIUM: mworker: call per_thread deinit in mworker_reload()
- REORG: http: move the HTTP semantics definitions to http.h/http.c
- REORG: http: move http_get_path() to http.c
- REORG: http: move error codes production and processing to http.c
- REORG: http: move the log encoding tables to log.c
- REORG: http: move some header value processing functions to http.c
- BUG/MAJOR: kqueue: Don't reset the changes number by accident.
- MEDIUM: protocol: use a custom AF_MAX to help protocol parser
- MEDIUM: protocol: sockpair protocol
- TESTS: add a python wrapper for sockpair@
- BUG/MINOR: server: Crash when setting FQDN via CLI.
- BUG/MINOR: h2: report asynchronous end of stream on closed connections
- BUILD: fix build without thread
- BUG/MEDIUM: tasks: Don't forget to decrement task_list_size in tasklet_free().
- MEDIUM: connections: Don't reset the polling flags in conn_fd_handler().
- MEDIUM: connections/mux: Add a recv and a send+recv wait list.
- MEDIUM: connections: Get rid of the recv() method.
- MINOR: h2: Let user of h2_recv() and h2_send() know xfer has been done.
- MEDIUM: h2: always subscribe to receive if allowed.
- MEDIUM: h2: Don't use a wake() method anymore.
- MEDIUM: stream_interface: Make recv() subscribe when more data is needed.
- MINOR: connections: Add a "handle" field to wait_list.
- MEDIUM: mux_h2: Revamp the send path when blocking.
- MEDIUM: stream_interfaces: Starts receiving from the upper layers.
- MINOR: checks: Give checks their own wait_list.
- MINOR: conn_streams: Remove wait_list from conn_streams.
- REORG: h1: create a new h1m_state
- MINOR: h1: add the restart offsets into struct h1m
- MINOR: h1: remove the unused states from h1m_state
- MINOR: h1: provide a distinct init() function for request and response
- MINOR: h1: add a message flag to indicate that a message carries a response
- MINOR: h2: make sure h1m->err_pos field is correct on chunk error
- MINOR: h1: properly pre-initialize err_pos to -2
- MINOR: mux_h2: replace the req,res h1 messages with a single h1 message
- MINOR: h2: pre-initialize h1m->err_pos to -1 on the output path
- MEDIUM: h1: consider err_pos before deciding to accept a header name or not
- MEDIUM: h1: make the parser support a pointer to a start line
- MEDIUM: h1: let the caller pass the initial parser's state
- MINOR: h1: make the message parser support a null <hdr> argument
- MEDIUM: h1: support partial message parsing
- MEDIUM: h1: remove the useless H1_MSG_BODY state
- MINOR: h2: store the HTTP status into the H2S, not the H1M
- MINOR: h1: remove the HTTP status from the H1M struct
- MEDIUM: h1: implement the request parser as well
- MINOR: h1: add H1_MF_TOLOWER to decide when to turn header names to lower case
- MINOR: connection: pass the proxy when creating a connection
- BUG/MEDIUM: h2: Don't forget to empty the wait lists on destroy.
- BUG/MEDIUM: h2: Don't forget to set recv_wait_list to NULL in h2_detach.
- BUG/MAJOR: h2: reset the parser's state on mux buffer full
This protocol is based on the uxst one, but it uses socketpair and FD
passing insteads of a connect()/accept().
The "sockpair@" prefix has been implemented for both bind and server
keywords.
When HAProxy wants to connect through a sockpair@, it creates 2 new
sockets using the socketpair() syscall and pass one of the socket
through the FD specified on the server line.
On the bind side, haproxy will receive the FD, and will use it like it
was the FD of an accept() syscall.
This protocol was designed for internal communication within HAProxy
between the master and the workers, but it's possible to use it
externaly with a wrapper and pass the FD through environment variabls.
The handshake processing time used to be stored per stream, which was
valid when there was exactly one stream per session. With H2 and
multiplexing it's not the case anymore and the reported handshake times
are wrong in the logs as it's computed between the TCP accept() and the
stream creation. Let's first move the handshake where it belongs, which
is the session.
However, this is not enough because we don't want to report an excessive
idle time either for H2 (since many requests use the connection).
So the solution used here is to have the stream retrieve sess->tv_accept
and the handshake duration when the stream is created, and let the mux
immediately reset them. This way, the handshake time becomes zero for the
second and subsequent requests in H2 (which was already the case in H1),
and the idle time exactly counts how long the connection remained unused
while it could be used, so in H1 it runs from the end of the previous
response and in H2 it runs from the end of the previous request since the
channel is already available.
This patch will need to be backported to 1.8.
Server state file has no indication that a server is currently managed
by a DNS SRV resolution.
And thus, both feature (DNS SRV resolution and server state), when used
together, does not provide the expected behavior: a smooth experience...
This patch introduce the "SRV record name" in the server state file and
loads and applies it if found and wherever required.
This patch applies to haproxy-dev branch only. For backport, a specific patch
is provided for 1.8.
This adds the sample fetch 'be_conn_free([<backend>])'. This sample fetch
provides the total number of unused connections across available servers in the
specified backend.
Since bbc34e2 varnish commit (for varnishtest), a new "cli"
macro is automatically created for each VTC script to dialog with
the CLI. Consequently, as this macro is unknown from higher level
code for varnishtest, it makes the scripts fail if we
we do not ask varnishtest to disregard the unknown macros.
To prevent this, from now on, for each VTC file for haproxy we MUST add
"feature ignore_unknown_macro" line to do so. This is mandatory
In most cases, "TLSv1.x" naming is used across and documentation, lazy
people tend to grep too much and may not find what they are looking for.
Fixing people is hard.
Abhishek Gupta reported on discourse that set server [...] fqdn always
fails. Further investigation showed that this requires the internal
DNS resolver to be configured. Add this requirement to the docs.
Must be backported to 1.8.
This adds the set-priority-class and set-priority-offset actions to
http-request and tcp-request content. At this point they are not used
yet, which is the purpose of the next commit, but all the logic to
set and clear the values is there.
Released version 1.9-dev1 with the following main changes :
- BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork.
- DOC: cache: update sections and fix some typos
- BUILD/MINOR: deviceatlas: enable thread support
- BUG/MEDIUM: tcp-check: Don't lock the server in tcpcheck_main
- BUG/MEDIUM: ssl: don't allocate shctx several time
- BUG/MEDIUM: cache: bad computation of the remaining size
- BUILD: checks: don't include server.h
- BUG/MEDIUM: stream: fix session leak on applet-initiated connections
- BUILD/MINOR: haproxy : FreeBSD/cpu affinity needs pthread_np header
- BUILD/MINOR: Makefile : enabling USE_CPU_AFFINITY
- BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream
- BUG/MEDIUM: threads/peers: decrement, not increment jobs on quitting
- BUG/MEDIUM: h2: don't report an error after parsing a 100-continue response
- BUG/MEDIUM: peers: fix some track counter rules dont register entries for sync.
- BUG/MAJOR: thread/peers: fix deadlock on peers sync.
- BUILD/MINOR: haproxy: compiling config cpu parsing handling when needed
- MINOR: config: report when "monitor fail" rules are misplaced
- BUG/MINOR: mworker: fix validity check for the pipe FDs
- BUG/MINOR: mworker: detach from tty when in daemon mode
- MINOR: threads: Fix pthread_setaffinity_np on FreeBSD.
- BUG/MAJOR: thread: Be sure to request a sync between threads only once at a time
- BUILD: Fix LDFLAGS vs. LIBS re linking order in various makefiles
- BUG/MEDIUM: checks: Be sure we have a mux if we created a cs.
- BUG/MINOR: hpack: fix debugging output of pseudo header names
- BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits
- BUG/MINOR: hpack: reject invalid header index
- BUG/MINOR: hpack: dynamic table size updates are only allowed before headers
- BUG/MAJOR: h2: correctly check the request length when building an H1 request
- BUG/MINOR: h2: immediately close if receiving GOAWAY after the last stream
- BUG/MINOR: h2: try to abort closed streams as soon as possible
- BUG/MINOR: h2: ":path" must not be empty
- BUG/MINOR: h2: fix a typo causing PING/ACK to be responded to
- BUG/MINOR: h2: the TE header if present may only contain trailers
- BUG/MEDIUM: h2: enforce the per-connection stream limit
- BUG/MINOR: h2: do not accept SETTINGS_ENABLE_PUSH other than 0 or 1
- BUG/MINOR: h2: reject incorrect stream dependencies on HEADERS frame
- BUG/MINOR: h2: properly check PRIORITY frames
- BUG/MINOR: h2: reject response pseudo-headers from requests
- BUG/MEDIUM: h2: remove connection-specific headers from request
- BUG/MEDIUM: h2: do not accept upper case letters in request header names
- BUG/MINOR: h2: use the H2_F_DATA_* macros for DATA frames
- BUG/MINOR: action: Don't check http capture rules when no id is defined
- BUG/MAJOR: hpack: don't pretend large headers fit in empty table
- BUG/MINOR: ssl: support tune.ssl.cachesize 0 again
- BUG/MEDIUM: mworker: also close peers sockets in the master
- BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically.
- BUG/MEDIUM: checks: a down server going to maint remains definitely stucked on down state.
- BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface
- BUG/MEDIUM: h2: fix handling of end of stream again
- MINOR: mworker: Update messages referencing exit-on-failure
- MINOR: mworker: Improve wording in `void mworker_wait()`
- CONTRIB: halog: Add help text for -s switch in halog program
- BUG/MEDIUM: email-alert: don't set server check status from a email-alert task
- BUG/MEDIUM: threads/vars: Fix deadlock in register_name
- MINOR: systemd: remove comment about HAPROXY_STATS_SOCKET
- DOC: notifications: add precisions about thread usage
- BUG/MEDIUM: lua/notification: memory leak
- MINOR: conn_stream: add new flag CS_FL_RCV_MORE to indicate pending data
- BUG/MEDIUM: stream-int: always set SI_FL_WAIT_ROOM on CS_FL_RCV_MORE
- BUG/MEDIUM: h2: automatically set CS_FL_RCV_MORE when the output buffer is full
- BUG/MEDIUM: h2: enable recv polling whenever demuxing is possible
- BUG/MEDIUM: h2: work around a connection API limitation
- BUG/MEDIUM: h2: debug incoming traffic in h2_wake()
- MINOR: h2: store the demux padding length in the h2c struct
- BUG/MEDIUM: h2: support uploading partial DATA frames
- MINOR: h2: don't demand that a DATA frame is complete before processing it
- BUG/MEDIUM: h2: don't switch the state to HREM before end of DATA frame
- BUG/MEDIUM: h2: don't close after the first DATA frame on tunnelled responses
- BUG/MEDIUM: http: don't disable lingering on requests with tunnelled responses
- BUG/MEDIUM: h2: fix stream limit enforcement
- BUG/MINOR: stream-int: don't try to receive again after receiving an EOS
- MINOR: sample: add len converter
- BUG: MAJOR: lb_map: server map calculation broken
- BUG: MINOR: http: don't check http-request capture id when len is provided
- MINOR: sample: rename the "len" converter to "length"
- BUG/MEDIUM: mworker: Set FD_CLOEXEC flag on log fd
- DOC/MINOR: intro: typo, wording, formatting fixes
- MINOR: netscaler: respect syntax
- MINOR: netscaler: remove the use of cip_magic only used once
- MINOR: netscaler: rename cip_len to clarify its uage
- BUG/MEDIUM: netscaler: use the appropriate IPv6 header size
- BUG/MAJOR: netscaler: address truncated CIP header detection
- MINOR: netscaler: check in one-shot if buffer is large enough for IP and TCP header
- MEDIUM: netscaler: do not analyze original IP packet size
- MEDIUM: netscaler: add support for standard NetScaler CIP protocol
- MINOR: spoe: add force-set-var option in spoe-agent configuration
- CONTRIB: iprange: Fix compiler warning in iprange.c
- CONTRIB: halog: Fix compiler warnings in halog.c
- BUG/MINOR: h2: properly report a stream error on RST_STREAM
- MINOR: mux: add flags to describe a mux's capabilities
- MINOR: stream-int: set flag SI_FL_CLEAN_ABRT when mux supports clean aborts
- BUG/MEDIUM: stream: don't consider abortonclose on muxes which close cleanly
- BUG/MEDIUM: checks: a server passed in maint state was not forced down.
- BUG/MEDIUM: lua: fix crash when using bogus mode in register_service()
- MINOR: http: adjust the list of supposedly cacheable methods
- MINOR: http: update the list of cacheable status codes as per RFC7231
- MINOR: http: start to compute the transaction's cacheability from the request
- BUG/MINOR: http: do not ignore cache-control: public
- BUG/MINOR: http: properly detect max-age=0 and s-maxage=0 in responses
- BUG/MINOR: cache: do not force the TX_CACHEABLE flag before checking cacheability
- MINOR: http: add a function to check request's cache-control header field
- BUG/MEDIUM: cache: do not try to retrieve host-less requests from the cache
- BUG/MEDIUM: cache: replace old object on store
- BUG/MEDIUM: cache: respect the request cache-control header
- BUG/MEDIUM: cache: don't cache the response on no-cache="set-cookie"
- BUG/MAJOR: connection: refine the situations where we don't send shutw()
- BUG/MEDIUM: checks: properly set servers to stopping state on 404
- BUG/MEDIUM: h2: properly handle and report some stream errors
- BUG/MEDIUM: h2: improve handling of frames received on closed streams
- DOC/MINOR: configuration: typo, formatting fixes
- BUG/MEDIUM: h2: ensure we always know the stream before sending a reset
- BUG/MEDIUM: mworker: don't close stdio several time
- MINOR: don't close stdio anymore
- BUG/MEDIUM: http: don't automatically forward request close
- BUG/MAJOR: hpack: don't return direct references to the dynamic headers table
- MINOR: h2: add a function to report pseudo-header names
- DEBUG: hpack: make hpack_dht_dump() expose the output file
- DEBUG: hpack: add more traces to the hpack decoder
- CONTRIB: hpack: add an hpack decoder
- MEDIUM: h2: prepare a graceful shutdown when the frontend is stopped
- BUG/MEDIUM: h2: properly handle the END_STREAM flag on empty DATA frames
- BUILD: ssl: silence a warning when building without NPN nor ALPN support
- CLEANUP: rbtree: remove
- BUG/MEDIUM: ssl: cache doesn't release shctx blocks
- BUG/MINOR: lua: Fix default value for pattern in Socket.receive
- DOC: lua: Fix typos in comments of hlua_socket_receive
- BUG/MEDIUM: lua: Fix IPv6 with separate port support for Socket.connect
- BUG/MINOR: lua: Fix return value of Socket.settimeout
- MINOR: dns: Handle SRV record weight correctly.
- BUG/MEDIUM: mworker: execvp failure depending on argv[0]
- MINOR: hathreads: add support for gcc < 4.7
- BUILD/MINOR: ancient gcc versions atomic fix
- BUG/MEDIUM: stream: properly handle client aborts during redispatch
- MINOR: spoe: add register-var-names directive in spoe-agent configuration
- MINOR: spoe: Don't queue a SPOE context if nothing is sent
- DOC: clarify the scope of ssl_fc_is_resumed
- CONTRIB: debug: fix a few flags definitions
- BUG/MINOR: poll: too large size allocation for FD events
- MINOR: sample: add date_us sample
- BUG/MEDIUM: peers: fix expire date wasn't updated if entry is modified remotely.
- MINOR: servers: Don't report duplicate dyncookies for disabled servers.
- MINOR: global/threads: move cpu_map at the end of the global struct
- MINOR: threads: add a MAX_THREADS define instead of LONGBITS
- MINOR: global: add some global activity counters to help debugging
- MINOR: threads/fd: Use a bitfield to know if there are FDs for a thread in the FD cache
- BUG/MEDIUM: threads/polling: Use fd_cache_mask instead of fd_cache_num
- BUG/MEDIUM: fd: maintain a per-thread update mask
- MINOR: fd: add a bitmask to indicate that an FD is known by the poller
- BUG/MEDIUM: epoll/threads: use one epoll_fd per thread
- BUG/MEDIUM: kqueue/threads: use one kqueue_fd per thread
- BUG/MEDIUM: threads/mworker: fix a race on startup
- BUG/MINOR: mworker: only write to pidfile if it exists
- MINOR: threads: Fix build when we're not compiling with threads.
- BUG/MINOR: threads: always set an owner to the thread_sync pipe
- BUG/MEDIUM: threads/server: Fix deadlock in srv_set_stopping/srv_set_admin_flag
- BUG/MEDIUM: checks: Don't try to release undefined conn_stream when a check is freed
- BUG/MINOR: kqueue/threads: Don't forget to close kqueue_fd[tid] on each thread
- MINOR: threads: Use __decl_hathreads instead of #ifdef/#endif
- BUILD: epoll/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
- BUILD: kqueue/threads: Add test on MAX_THREADS to avoid warnings when complied without threads
- CLEANUP: sample: Fix comment encoding of sample.c
- CLEANUP: sample: Fix outdated comment about sample casts functions
- BUG/MINOR: sample: Fix output type of c_ipv62ip
- CLEANUP: Fix typo in ARGT_MSK6 comment
- CLEANUP: standard: Use len2mask4 in str2mask
- MINOR: standard: Add str2mask6 function
- MINOR: config: Add support for ARGT_MSK6
- MEDIUM: sample: Add IPv6 support to the ipmask converter
- MINOR: config: Enable tracking of up to MAX_SESS_STKCTR stick counters.
- BUG/MINOR: cli: use global.maxsock and not maxfd to list all FDs
- MINOR: polling: make epoll and kqueue not depend on maxfd anymore
- MINOR: fd: don't report maxfd in alert messages
- MEDIUM: polling: start to move maxfd computation to the pollers
- CLEANUP: fd/threads: remove the now unused fdtab_lock
- MINOR: poll: more accurately compute the new maxfd in the loop
- CLEANUP: fd: remove the unused "new" field
- MINOR: fd: move the hap_fd_{clr,set,isset} functions to fd.h
- MEDIUM: select: make use of hap_fd_* functions
- MEDIUM: fd: use atomic ops for hap_fd_{clr,set} and remove poll_lock
- MEDIUM: select: don't use the old FD state anymore
- MEDIUM: poll: don't use the old FD state anymore
- MINOR: fd: pass the iocb and owner to fd_insert()
- BUG/MINOR: threads: Update labels array because of changes in lock_label enum
- MINOR: stick-tables: Adds support for new "gpc1" and "gpc1_rate" counters.
- BUG/MINOR: epoll/threads: only call epoll_ctl(DEL) on polled FDs
- DOC: don't suggest using http-server-close
- MINOR: introduce proxy-v2-options for send-proxy-v2
- BUG/MEDIUM: spoe: Always try to receive or send the frame to detect shutdowns
- BUG/MEDIUM: spoe: Allow producer to read and to forward shutdown on request side
- MINOR: spoe: Remove check on min_applets number when a SPOE context is queued
- MINOR: spoe: Always link a SPOE context with the applet processing it
- MINOR: spoe: Replace sending_rate by a frequency counter
- MINOR: spoe: Count the number of frames waiting for an ack for each applet
- MEDIUM: spoe: Use an ebtree to manage idle applets
- MINOR: spoa_example: Count the number of frames processed by each worker
- MINOR: spoe: Add max-waiting-frames directive in spoe-agent configuration
- MINOR: init: make stdout unbuffered
- MINOR: early data: Don't rely on CO_FL_EARLY_DATA to wake up streams.
- MINOR: early data: Never remove the CO_FL_EARLY_DATA flag.
- MINOR: compiler: introduce offsetoff().
- MINOR: threads: Introduce double-width CAS on x86_64 and arm.
- MINOR: threads: add test and set/reset operations
- MINOR: pools/threads: Implement lockless memory pools.
- MAJOR: fd/threads: Make the fdcache mostly lockless.
- MEDIUM: fd/threads: Make sure we don't miss a fd cache entry.
- MAJOR: fd: compute the new fd polling state out of the fd lock
- MINOR: epoll: get rid of the now useless fd_compute_new_polled_status()
- MINOR: kqueue: get rid of the now useless fd_compute_new_polled_status()
- MINOR: poll: get rid of the now useless fd_compute_new_polled_status()
- MINOR: select: get rid of the now useless fd_compute_new_polled_status()
- CLEANUP: fd: remove the now unused fd_compute_new_polled_status() function
- MEDIUM: fd: make updt_fd_polling() use atomics
- MEDIUM: poller: use atomic ops to update the fdtab mask
- MINOR: fd: move the fd_{add_to,rm_from}_fdlist functions to fd.c
- BUG/MINOR: fd/threads: properly dereference fdcache as volatile
- MINOR: fd: remove the unneeded last CAS when adding an fd to the list
- MINOR: fd: reorder fd_add_to_fd_list()
- BUG/MINOR: time/threads: ensure the adjusted time is always correct
- BUG/MEDIUM: standard: Fix memory leak in str2ip2()
- MINOR: init: emit warning when -sf/-sd cannot parse argument
- BUILD: fd/threads: fix breakage build breakage without threads
- DOC: Describe routing impact of using interface keyword on bind lines
- DOC: Mention -Ws in the list of available options
- BUG/MINOR: config: don't emit a warning when global stats is incompletely configured
- BUG/MINOR: fd/threads: properly lock the FD before adding it to the fd cache.
- BUG/MEDIUM: threads: fix the double CAS implementation for ARMv7
- BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable.
- BUILD/MINOR: memory: stdint is needed for uintptr_t
- BUG/MINOR: init: Add missing brackets in the code parsing -sf/-st
- DOC: lua: new prototype for function "register_action()"
- DOC: cfgparse: Warn on option (tcp|http)log in backend
- BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe
- MINOR: sample: add a new "concat" converter
- BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL
- BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier as possible
- BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
- MINOR: ssl/sample: adds ssl_bc_is_resumed fetch keyword.
- CLEANUP: cfgparse: Remove unused label end
- CLEANUP: spoe: Remove unused label retry
- CLEANUP: h2: Remove unused labels from mux_h2.c
- CLEANUP: pools: Remove unused end label in memory.h
- CLEANUP: standard: Fix typo in IPv6 mask example
- BUG/MINOR: pools/threads: don't ignore DEBUG_UAF on double-word CAS capable archs
- BUG/MINOR: debug/pools: properly handle out-of-memory when building with DEBUG_UAF
- MINOR: debug/pools: make DEBUG_UAF also detect underflows
- MINOR: stats: display the number of threads in the statistics.
- BUG/MINOR: h2: Set the target of dbuf_wait to h2c
- BUG/MEDIUM: h2: always consume any trailing data after end of output buffers
- BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
- BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk
- BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is stopping
- Revert "BUG/MINOR: send-proxy-v2: string size must include ('\0')"
- MINOR: ssl: extract full pkey info in load_certificate
- MINOR: ssl: add ssl_sock_get_pkey_algo function
- MINOR: ssl: add ssl_sock_get_cert_sig function
- MINOR: connection: add proxy-v2-options ssl-cipher,cert-sig,cert-key
- MINOR: connection: add proxy-v2-options authority
- MINOR: systemd: Add section for SystemD sandboxing to unit file
- MINOR: systemd: Add SystemD's Protect*= options to the unit file
- MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file
- CLEANUP: h2: rename misleading h2c_stream_close() to h2s_close()
- MINOR: h2: provide and use h2s_detach() and h2s_free()
- MEDIUM: h2: use a single buffer allocator
- MINOR/BUILD: fix Lua build on Mac OS X
- BUILD/MINOR: fix Lua build on Mac OS X (again)
- BUG/MINOR: session: Fix tcp-request session failure if handshake.
- CLEANUP: .gitignore: Ignore binaries from the contrib directory
- BUG/MINOR: unix: Don't mess up when removing the socket from the xfer_sock_list.
- DOC: buffers: clarify the purpose of the <from> pointer in offer_buffers()
- BUG/MEDIUM: h2: also arm the h2 timeout when sending
- BUG/MINOR: cli: Fix a crash when passing a negative or too large value to "show fd"
- CLEANUP: ssl: Remove a duplicated #include
- CLEANUP: cli: Remove a leftover debug message
- BUG/MINOR: cli: Fix a typo in the 'set rate-limit' usage
- BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc
- BUG/MINOR: force-persist and ignore-persist only apply to backends
- BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is temporarily disabled
- BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues management
- BUG/MINOR: dns: don't downgrade DNS accepted payload size automatically
- TESTS: Add a testcase for multi-port + multi-server listener issue
- CLEANUP: dns: remove duplicate code in src/dns.c
- BUG/MINOR: seemless reload: Fix crash when an interface is specified.
- BUG/MINOR: cli: Ensure all command outputs end with a LF
- BUG/MINOR: cli: Fix a crash when sending a command with too many arguments
- BUILD: ssl: Fix build with OpenSSL without NPN capability
- BUG/MINOR: spoa-example: unexpected behavior for more than 127 args
- BUG/MINOR: lua: return bad error messages
- CLEANUP: lua/syntax: lua is a name and not an acronym
- BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers
- BUG/MINOR: tcp-check: use the server's service port as a fallback
- BUG/MEDIUM: threads/queue: wake up other threads upon dequeue
- MINOR: log: stop emitting alerts when it's not possible to write on the socket
- BUILD/BUG: enable -fno-strict-overflow by default
- BUG/MEDIUM: fd/threads: ensure the fdcache_mask always reflects the cache contents
- DOC: log: more than 2 log servers are allowed
- MINOR: hash: add new function hash_crc32c
- MINOR: proxy-v2-options: add crc32c
- MINOR: accept-proxy: support proxy protocol v2 CRC32c checksum
- REORG: compact "struct server"
- MINOR: samples: add crc32c converter
- BUG/MEDIUM: h2: properly account for DATA padding in flow control
- BUG/MINOR: h2: ensure we can never send an RST_STREAM in response to an RST_STREAM
- BUG/MINOR: listener: Don't decrease actconn twice when a new session is rejected
- CLEANUP: map, stream: remove duplicate code in src/map.c, src/stream.c
- BUG/MINOR: lua: the function returns anything
- BUG/MINOR: lua funtion hlua_socket_settimeout don't check negative values
- CLEANUP: lua: typo fix in comments
- BUILD/MINOR: fix build when USE_THREAD is not defined
- MINOR: lua: allow socket api settimeout to accept integers, float, and doubles
- BUG/MINOR: hpack: fix harmless use of uninitialized value in hpack_dht_insert
- MINOR: cli/threads: make "show fd" report thread_sync_io_handler instead of "unknown"
- MINOR: cli: make "show fd" report the mux and mux_ctx pointers when available
- BUILD/MINOR: cli: fix a build warning introduced by last commit
- BUG/MAJOR: h2: remove orphaned streams from the send list before closing
- MINOR: h2: always call h2s_detach() in h2_detach()
- MINOR: h2: fuse h2s_detach() and h2s_free() into h2s_destroy()
- BUG/MEDIUM: h2/threads: never release the task outside of the task handler
- BUG/MEDIUM: h2: don't consider pending data on detach if connection is in error
- BUILD/MINOR: threads: always export thread_sync_io_handler()
- MINOR: mux: add a "show_fd" function to dump debugging information for "show fd"
- MINOR: h2: implement a basic "show_fd" function
- MINOR: cli: report cache indexes in "show fd"
- BUG/MINOR: h2: remove accidental debug code introduced with show_fd function
- BUG/MEDIUM: h2: always add a stream to the send or fctl list when blocked
- BUG/MINOR: checks: check the conn_stream's readiness and not the connection
- BUG/MINOR: fd: Don't clear the update_mask in fd_insert.
- BUG/MINOR: email-alert: Set the mailer port during alert initialization
- BUG/MINOR: cache: fix "show cache" output
- BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on non-first blocks
- BUG/MINOR: spoe: Initialize variables used during conf parsing before any check
- BUG/MINOR: spoe: Don't release the context buffer in .check_timeouts callbaclk
- BUG/MINOR: spoe: Register the variable to set when an error occurred
- BUG/MINOR: spoe: Don't forget to decrement fpa when a processing is interrupted
- MINOR: spoe: Add metrics in to know time spent in the SPOE
- MINOR: spoe: Add options to store processing times in variables
- MINOR: log: move 'log' keyword parsing in dedicated function
- MINOR: log: Keep the ref when a log server is copied to avoid duplicate entries
- MINOR: spoe: Add loggers dedicated to the SPOE agent
- MINOR: spoe: Add support for option dontlog-normal in the SPOE agent section
- MINOR: spoe: use agent's logger to log SPOE messages
- MINOR: spoe: Add counters to log info about SPOE agents
- BUG/MAJOR: cache: always initialize newly created objects
- MINOR: servers: Support alphanumeric characters for the server templates names
- BUG/MEDIUM: threads: Fix the max/min calculation because of name clashes
- BUG/MEDIUM: connection: Make sure we have a mux before calling detach().
- BUG/MINOR: http: Return an error in proxy mode when url2sa fails
- MINOR: proxy: Add fe_defbe fetcher
- MINOR: config: Warn if resolvers has no nameservers
- BUG/MINOR: cli: Guard against NULL messages when using CLI_ST_PRINT_FREE
- MINOR: cli: Ensure the CLI always outputs an error when it should
- MEDIUM: sample: Extend functionality for field/word converters
- MINOR: export localpeer as an environment variable
- BUG/MEDIUM: kqueue: When adding new events, provide an output to get errors.
- BUILD: sample: avoid build warning in sample.c
- BUG/CRITICAL: h2: fix incorrect frame length check
- DOC: lua: update the links to the config and Lua API
- BUG/MINOR: pattern: Add a missing HA_SPIN_INIT() in pat_ref_newid()
- BUG/MAJOR: channel: Fix crash when trying to read from a closed socket
- BUG/MINOR: log: t_idle (%Ti) is not set for some requests
- BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits
- MINOR: h2: detect presence of CONNECT and/or content-length
- BUG/MEDIUM: h2: implement missing support for chunked encoded uploads
- BUG/MINOR: spoe: Fix counters update when processing is interrupted
- BUG/MINOR: spoe: Fix parsing of dontlog-normal option
- MEDIUM: cli: Add payload support
- MINOR: map: Add payload support to "add map"
- MINOR: ssl: Add payload support to "set ssl ocsp-response"
- BUG/MINOR: lua/threads: Make lua's tasks sticky to the current thread
- MINOR: sample: Add strcmp sample converter
- MINOR: http: Add support for 421 Misdirected Request
- BUG/MINOR: config: disable http-reuse on TCP proxies
- MINOR: ssl: disable SSL sample fetches when unsupported
- MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key'
- BUG/MINOR: checks: Fix check->health computation for flapping servers
- BUG/MEDIUM: threads: Fix the sync point for more than 32 threads
- BUG/MINOR, BUG/MINOR: lua: Put tasks to sleep when waiting for data
- MINOR: backend: implement random-based load balancing
- DOC/MINOR: clean up LUA documentation re: servers & array/table.
- MINOR: lua: Add server name & puid to LUA Server class.
- MINOR: lua: add get_maxconn and set_maxconn to LUA Server class.
- BUG/MINOR: map: correctly track reference to the last ref_elt being dumped
- BUG/MEDIUM: task: Don't free a task that is about to be run.
- MINOR: fd: Make the lockless fd list work with multiple lists.
- BUG/MEDIUM: pollers: Use a global list for fd shared between threads.
- MINOR: pollers: move polled_mask outside of struct fdtab.
- BUG/MINOR: lua: schedule socket task upon lua connect()
- BUG/MINOR: lua: ensure large proxy IDs can be represented
- BUG/MEDIUM: pollers/kqueue: use incremented position in event list
- BUG/MINOR: cli: don't stop cli_gen_usage_msg() when kw->usage == NULL
- BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR
- BUG/MEDIUM: ssl: properly protect SSL cert generation
- BUG/MINOR: lua: Socket.send threw runtime error: 'close' needs 1 arguments.
- BUG/MINOR: spoe: Mistake in error message about SPOE configuration
- BUG/MEDIUM: spoe: Flags are not encoded in network order
- CLEANUP: spoe: Remove unused variables the agent structure
- DOC: spoe: fix a typo
- BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags
- BUG/MEDIUM: contrib/modsecurity: Use network order to encode/decode flags
- DOC: add some description of the pending rework of the buffer structure
- BUG/MINOR: ssl/lua: prevent lua from affecting automatic maxconn computation
- MINOR: lua: Improve error message
- BUG/MEDIUM: cache: don't cache when an Authorization header is present
- MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA
- BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check failure.
- BUG/BUILD: threads: unbreak build without threads
- BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
- BUG/MEDIUM: lua/socket: Length required read doesn't work
- MINOR: tasks: Change the task API so that the callback takes 3 arguments.
- MAJOR: tasks: Create a per-thread runqueue.
- MAJOR: tasks: Introduce tasklets.
- MINOR: tasks: Make the number of tasks to run at once configurable.
- MAJOR: applets: Use tasks, instead of rolling our own scheduler.
- BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
- MINOR: http: Log warning if (add|set)-header fails
- DOC: management: add the new wrew stats column
- MINOR: stats: also report the failed header rewrites warnings on the stats page
- BUG/MEDIUM: tasks: Don't forget to increase/decrease tasks_run_queue.
- BUG/MEDIUM: task: Don't forget to decrement max_processed after each task.
- MINOR: task: Also consider the task list size when getting global tasks.
- MINOR: dns: Implement `parse-resolv-conf` directive
- BUG/MEDIUM: spoe: Return an error when the wrong ACK is received in sync mode
- MINOR: task/notification: Is notifications registered ?
- BUG/MEDIUM: lua/socket: wrong scheduling for sockets
- BUG/MAJOR: lua: Dead lock with sockets
- BUG/MEDIUM: lua/socket: Notification error
- BUG/MEDIUM: lua/socket: Sheduling error on write: may dead-lock
- BUG/MEDIUM: lua/socket: Buffer error, may segfault
- DOC: contrib/modsecurity: few typo fixes
- DOC: SPOE.txt: fix a typo
- MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0
- BUG/MINOR: contrib/spoa_example: Don't reset the status code during disconnect
- BUG/MINOR: contrib/mod_defender: Don't reset the status code during disconnect
- BUG/MINOR: contrib/modsecurity: Don't reset the status code during disconnect
- BUG/MINOR: contrib/mod_defender: update pointer on the end of the frame
- BUG/MINOR: contrib/modsecurity: update pointer on the end of the frame
- MINOR: task: Fix a compiler warning by adding a cast.
- MINOR: stats: also report the nice and number of calls for applets
- MINOR: applet: assign the same nice value to a new appctx as its owner task
- MINOR: task: Fix compiler warning.
- BUG/MEDIUM: tasks: Use the local runqueue when building without threads.
- MINOR: tasks: Don't define rqueue if we're building without threads.
- BUG/MINOR: unix: Make sure we can transfer abns sockets on seamless reload.
- MINOR: lua: Increase debug information
- BUG/MEDIUM: threads: handle signal queue only in thread 0
- BUG/MINOR: don't ignore SIG{BUS,FPE,ILL,SEGV} during signal processing
- BUG/MINOR: signals: ha_sigmask macro for multithreading
- BUG/MAJOR: map: fix a segfault when using http-request set-map
- DOC: regression testing: Add a short starting guide.
- MINOR: tasks: Make sure we correctly init and deinit a tasklet.
- BUG/MINOR: tasklets: Just make sure we don't pass a tasklet to the handler.
- BUG/MINOR: lua: Segfaults with wrong usage of types.
- BUG/MAJOR: ssl: Random crash with cipherlist capture
- BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot
- BUG/MEDIUM: ssl: do not store pkinfo with SSL_set_ex_data
- MINOR: tests: First regression testing file.
- MINOR: reg-tests: Add reg-tests/README file.
- MINOR: reg-tests: Add a few regression testing files.
- DOC: Add new REGTEST tag info about reg testing.
- BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete().
- MINOR: Some spelling cleanup in the comments.
- BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
- MINOR: threads: Be sure to remove threads from all_threads_mask on exit
- REGTEST/MINOR: Wrong URI in a reg test for SSL/TLS.
- REGTEST/MINOR: Set HAPROXY_PROGRAM default value.
- REGTEST/MINOR: Add levels to reg-tests target.
- BUG/MAJOR: Stick-tables crash with segfault when the key is not in the stick-table
- BUG/BUILD: threads: unbreak build without threads
- BUG/MAJOR: stick_table: Complete incomplete SEGV fix
- MINOR: stick-tables: make stktable_release() do nothing on NULL
- BUG/MEDIUM: lua: possible CLOSE-WAIT state with '\n' headers
- MINOR: startup: change session/process group settings
- MINOR: systemd: consider exit status 143 as successful
- REGTEST/MINOR: Wrong URI syntax.
- CLEANUP: dns: remove obsolete macro DNS_MAX_IP_REC
- CLEANUP: dns: inacurate comment about prefered IP score
- MINOR: dns: fix wrong score computation in dns_get_ip_from_response
- MINOR: dns: new DNS options to allow/prevent IP address duplication
- REGTEST/MINOR: Unexpected curl URL globling.
- BUG/MINOR: ssl: properly ref-count the tls_keys entries
- MINOR: h2: keep a count of the number of conn_streams attached to the mux
- BUG/MEDIUM: h2: don't accept new streams if conn_streams are still in excess
- MINOR: h2: add the mux and demux buffer lengths on "show fd"
- BUG/MEDIUM: h2: never leave pending data in the output buffer on close
- BUG/MEDIUM: h2: make sure the last stream closes the connection after a timeout
- MINOR: tasklet: Set process to NULL.
- MINOR: buffer: implement a new file for low-level buffer manipulation functions
- MINOR: buffer: switch buffer sizes and offsets to size_t
- MINOR: buffer: add a few basic functions for the new API
- MINOR: buffer: Introduce b_sub(), b_add(), and bo_add()
- MINOR: buffer: Add b_set_data().
- MINOR: buffer: introduce b_realign_if_empty()
- MINOR: compression: pass the channel to http_compression_buffer_end()
- MINOR: channel: add a few basic functions for the new buffer API
- MINOR: channel/buffer: use c_realign_if_empty() instead of buffer_realign()
- MINOR: channel/buffer: replace buffer_slow_realign() with channel_slow_realign() and b_slow_realign()
- MEDIUM: channel: make channel_slow_realign() take a swap buffer
- MINOR: h2: use b_slow_realign() with the trash as a swap buffer
- MINOR: buffer: remove buffer_slow_realign() and the swap_buffer allocation code
- MINOR: channel/buffer: replace b_{adv,rew} with c_{adv,rew}
- MINOR: buffer: replace calls to buffer_space_wraps() with b_space_wraps()
- MINOR: buffer: remove bi_getblk() and bi_getblk_nc()
- MINOR: buffer: split bi_contig_data() into ci_contig_data and b_config_data()
- MINOR: buffer: remove bi_ptr()
- MINOR: buffer: remove bo_ptr()
- MINOR: buffer: remove bo_end()
- MINOR: buffer: remove bi_end()
- MINOR: buffer: remove bo_contig_data()
- MINOR: buffer: merge b{i,o}_contig_space()
- MINOR: buffer: replace bo_getblk() with direction agnostic b_getblk()
- MINOR: buffer: replace bo_getblk_nc() with b_getblk_nc() which takes an offset
- MINOR: buffer: replace bi_del() and bo_del() with b_del()
- MINOR: buffer: convert most b_ptr() calls to c_ptr()
- MINOR: h1: make h1_measure_trailers() take the byte count in argument
- MINOR: h2: clarify the fact that the send functions are unsigned
- MEDIUM: h2: prevent the various mux encoders from modifying the buffer
- MINOR: h1: make h1_skip_chunk_crlf() not depend on b_ptr() anymore
- MINOR: h1: make h1_parse_chunk_size() not depend on b_ptr() anymore
- MINOR: h1: make h1_measure_trailers() use an offset and a count
- MEDIUM: h2: do not use buf->o anymore inside h2_snd_buf's loop
- MEDIUM: h2: don't use b_ptr() nor b_end() anymore
- MINOR: buffer: get rid of b_end() and b_to_end()
- MINOR: buffer: make b_getblk_nc() take const pointers
- MINOR: buffer: make b_getblk_nc() take size_t for the block sizes
- MEDIUM: connection: make xprt->snd_buf() take the byte count in argument
- MEDIUM: mux: make mux->snd_buf() take the byte count in argument
- MEDIUM: connection: make xprt->rcv_buf() use size_t for the count
- MEDIUM: mux: make mux->rcv_buf() take a size_t for the count
- MINOR: connection: add a flags argument to rcv_buf()
- MINOR: connection: add a new receive flag : CO_RFL_BUF_WET
- MINOR: buffer: get rid of b_ptr() and convert its last users
- MINOR: buffer: use b_room() to determine available space in a buffer
- MINOR: buffer: replace buffer_not_empty() with b_data() or c_data()
- MINOR: buffer: replace buffer_empty() with b_empty() or c_empty()
- MINOR: buffer: make bo_putchar() use b_tail()
- MINOR: buffer: replace buffer_full() with channel_full()
- MINOR: buffer: replace bi_space_for_replace() with ci_space_for_replace()
- MINOR: buffer: replace buffer_pending() with ci_data()
- MINOR: buffer: replace buffer_flush() with c_adv(chn, ci_data(chn))
- MINOR: buffer: use c_head() instead of buffer_wrap_sub(c->buf, p-o)
- MINOR: buffer: use b_orig() to replace most references to b->data
- MINOR: buffer: Use b_add()/bo_add() instead of accessing b->i/b->o.
- MINOR: channel: remove almost all references to buf->i and buf->o
- MINOR: channel: Add co_set_data().
- MEDIUM: channel: adapt to the new buffer API
- MINOR: checks: adapt to the new buffer API
- MEDIUM: h2: update to the new buffer API
- MINOR: buffer: remove unused bo_add()
- MEDIUM: spoe: use the new buffer API for the SPOE buffer
- MINOR: stats: adapt to the new buffers API
- MINOR: cli: use the new buffer API
- MINOR: cache: use the new buffer API
- MINOR: stream-int: use the new buffer API
- MINOR: stream: use wrappers instead of directly manipulating buffers
- MINOR: backend: use new buffer API
- MEDIUM: http: use wrappers instead of directly manipulating buffers states
- MINOR: filters: convert to the new buffer API
- MINOR: payload: convert to the new buffer API
- MEDIUM: h1: port to new buffer API.
- MINOR: flt_trace: adapt to the new buffer API
- MEDIUM: compression: start to move to the new buffer API
- MINOR: lua: use the wrappers instead of directly manipulating buffer states
- MINOR: buffer: convert part bo_putblk() and bi_putblk() to the new API
- MINOR: buffer: adapt buffer_slow_realign() and buffer_dump() to the new API
- MAJOR: start to change buffer API
- MINOR: buffer: remove the check for output on b_del()
- MINOR: buffer: b_set_data() doesn't truncate output data anymore
- MINOR: buffer: rename the "data" field to "area"
- MEDIUM: buffers: move "output" from struct buffer to struct channel
- MINOR: buffer: replace bi_fast_delete() with b_del()
- MINOR: buffer: replace b{i,o}_put* with b_put*
- MINOR: buffer: add a new file for ist + buffer manipulation functions
- MINOR: checks: use b_putist() instead of b_putstr()
- MINOR: buffers: remove b_putstr()
- CLEANUP: buffer: minor cleanups to buffer.h
- MINOR: buffers/channel: replace buffer_insert_line2() with ci_insert_line2()
- MINOR: buffer: replace buffer_replace2() with b_rep_blk()
- MINOR: buffer: rename the data length member to '->data'
- MAJOR: buffer: finalize buffer detachment
- MEDIUM: chunks: make the chunk struct's fields match the buffer struct
- MAJOR: chunks: replace struct chunk with struct buffer
- DOC: buffers: document the new buffers API
- DOC: buffers: remove obsolete docs about buffers
- MINOR: tasklets: Don't attempt to add a tasklet in the list twice.
- MINOR: connections/mux: Add a new "subscribe" method.
- MEDIUM: connections/mux: Revamp the send direction.
- MINOR: connection: simplify subscription by adding a registration function
- BUG/MINOR: http: Set brackets for the unlikely macro at the right place
- BUG/MINOR: build: Fix compilation with debug mode enabled
- BUILD: Generate sha256 checksums in publish-release
- MINOR: debug: Add check for CO_FL_WILL_UPDATE
- MINOR: debug: Add checks for conn_stream flags
- MINOR: ist: Add the function isteqi
- BUG/MEDIUM: threads: Fix the exit condition of the thread barrier
- BUG/MEDIUM: mux_h2: Call h2_send() before updating polling.
- MINOR: buffers: simplify b_contig_space()
- MINOR: buffers: split b_putblk() into __b_putblk()
- MINOR: buffers: add b_xfer() to transfer data between buffers
- DOC: add some design notes about the new layering model
- MINOR: conn_stream: add a new CS_FL_REOS flag
- MINOR: conn_stream: add an rx buffer to the conn_stream
- MEDIUM: conn_stream: add cs_recv() as a default rcv_buf() function
- MEDIUM: stream-int: automatically call si_cs_recv_cb() if the cs has data on wake()
- MINOR: h2: make each H2 stream support an intermediary input buffer
- MEDIUM: h2: make h2_frt_decode_headers() use an intermediary buffer
- MEDIUM: h2: make h2_frt_transfer_data() copy via an intermediary buffer
- MEDIUM: h2: centralize transfer of decoded frames in h2_rcv_buf()
- MEDIUM: h2: move headers and data frame decoding to their respective parsers
- MEDIUM: buffers: make b_xfer() automatically swap buffers when possible
- MEDIUM: h2: perform a single call to the data layer in demux()
- MEDIUM: h2: don't call data_cb->recv() anymore
- MINOR: h2: make use of CS_FL_REOS to indicate that end of stream was seen
- MEDIUM: h2: use the default conn_stream's receive function
- DOC: add more design feedback on the new layering model
- MINOR: h2: add the error code and the max/last stream IDs to "show fd"
- BUG/MEDIUM: stream-int: don't immediately enable reading when the buffer was reportedly full
- BUG/MEDIUM: stats: don't ask for more data as long as we're responding
- BUG/MINOR: servers: Don't make "server" in a frontend fatal.
- BUG/MEDIUM: tasks: make sure we pick all tasks in the run queue
- BUG/MEDIUM: tasks: Decrement rqueue_size at the right time.
- BUG/MEDIUM: tasks: use atomic ops for active_tasks_mask
- BUG/MEDIUM: tasks: Make sure there's no task left before considering inactive.
- MINOR: signal: don't pass the signal number anymore as the wakeup reason
- MINOR: tasks: extend the state bits from 8 to 16 and remove the reason
- MINOR: tasks: Add a flag that tells if we're in the global runqueue.
- BUG/MEDIUM: tasks: make __task_unlink_rq responsible for the rqueue size.
- MINOR: queue: centralize dequeuing code a bit better
- MEDIUM: queue: make pendconn_free() work on the stream instead
- DOC: queue: document the expected locking model for the server's queue
- MINOR: queue: make sure pendconn->strm->pend_pos is always valid
- MINOR: queue: use a distinct variable for the assigned server and the queue
- MINOR: queue: implement pendconn queue locking functions
- MEDIUM: queue: get rid of the pendconn lock
- MINOR: tasks: Make active_tasks_mask volatile.
- MINOR: tasks: Make global_tasks_mask volatile.
- MINOR: pollers: Add a way to wake a thread sleeping in the poller.
- MINOR: threads/queue: Get rid of THREAD_WANT_SYNC in the queue code.
- BUG/MEDIUM: threads/sync: use sched_yield when available
- MINOR: ssl: BoringSSL matches OpenSSL 1.1.0
- BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection forever
- BUG/MINOR: config: stick-table is not supported in defaults section
- BUILD/MINOR: threads: unbreak build with threads disabled
- BUG/MINOR: threads: Handle nbthread == MAX_THREADS.
- BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS
- MINOR: threads: move "nbthread" parsing to hathreads.c
- BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread number
- MEDIUM: proxy_protocol: Convert IPs to v6 when protocols are mixed
- BUILD/MINOR: compiler: fix offsetof() on older compilers
- SCRIPTS: git-show-backports: add missing quotes to "echo"
- MINOR: threads: add more consistency between certain variables in no-thread case
- MEDIUM: hathreads: implement a more flexible rendez-vous point
- BUG/MEDIUM: cli: make "show fd" thread-safe
A number of outdated docs dating 2012 about buffers implementation
and management were totally irrelevant to the current code (and even
to most 1.8 code as well). These docs have all been removed so that
only the up to date documentation remains.
Now all the code used to manipulate chunks uses a struct buffer instead.
The functions are still called "chunk*", and some of them will progressively
move to the generic buffer handling code as they are cleaned up.
These ones manipulate the output data count which will be specific to
the channel soon, so prepare the call points to use the channel only.
The b_* functions are now unused and were removed.
By default, HAProxy's DNS resolution at runtime ensure that there is no
IP address duplication in a backend (for servers being resolved by the
same hostname).
There are a few cases where people want, on purpose, to disable this
feature.
This patch introduces a couple of new server side options for this purpose:
"resolve-opts allow-dup-ip" or "resolve-opts prevent-dup-ip".
This introduces a new directive for the `resolvers` section:
`parse-resolv-conf`. When present, it will attempt to add any
nameservers in `/etc/resolv.conf` to the list of nameservers
for the current `resolvers` section.
[Mailing list thread][1].
[1]: https://www.mail-archive.com/haproxy@formilux.org/msg29600.html
Sets OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA unconditionally, as per [1]:
When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize
ChaCha20-Poly1305 ciphers to the top of the server cipher list if a
ChaCha20-Poly1305 cipher is at the top of the client cipher list. This
helps those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher
is anywhere in the server cipher list; but still allows other clients to
use AES and other ciphers. Requires SSL_OP_CIPHER_SERVER_PREFERENCE.
[1] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html
RFC 7234 says:
A cache MUST NOT store a response to any request, unless:
[...] the Authorization header field (see Section 4.2 of [RFC7235]) does
not appear in the request, if the cache is shared, unless the
response explicitly allows it (see Section 3.2), [...]
In this patch we completely disable the cache upon the receipt of an
Authorization header in the request. In this case it's not possible to
either use the cache or store into the cache anymore.
Thanks to Adam Eijdenberg of Digital Transformation Agency for raising
this issue.
This patch must be backported to 1.8.
* A few typos
* Fix definitions of values which are tables, not arrays.
* Consistent US English naming for "server" instead of "serveur".
[tfo: should be backported to 1.6 and higher]
For large farms where servers are regularly added or removed, picking
a random server from the pool can ensure faster load transitions than
when using round-robin and less traffic surges on the newly added
servers than when using leastconn.
This commit introduces "balance random". It internally uses a random as
the key to the consistent hashing mechanism, thus all features available
in consistent hashing such as weights and bounded load via hash-balance-
factor are usable. It is extremely convenient because one common concern
when using random is what happens when a server is hammered a bit too
much. Here that can trivially be avoided, like in the configuration below :
backend bk0
balance random
hash-balance-factor 110
server-template s 1-100 127.0.0.1:8000 check inter 1s
Note that while "balance random" internally relies on a hash algorithm,
it holds the same properties as round-robin and as such is compatible with
reusing an existing server connection with "option prefer-last-server".
This converter supplements the existing string matching by allowing
strings to be converted to a variable.
Example usage:
http-request set-var(txn.host) hdr(host)
# Check whether the client is attempting domain fronting.
acl ssl_sni_http_host_match ssl_fc_sni,strcmp(txn.host) eq 0
It is now possible to use a payload with the "set ssl ocsp-response"
command. These syntaxes will work the same way:
# echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \
socat /tmp/sock1 -
# echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \
socat /tmp/sock1 -
Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
It is now possible to use a payload with the "add map" command.
These syntaxes will work the same way:
# echo "add map #-1 key value" | socat /tmp/sock1 -
# echo -e "add map #-1 <<\n$(cat data)\n" | socat /tmp/sock1 -
with
# cat data
key1 value1 with spaces
key2 value2
key3 value3 also with spaces
Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
In order to use arbitrary data in the CLI (multiple lines or group of words
that must be considered as a whole, for example), it is now possible to add a
payload to the commands. To do so, the first line needs to end with a special
pattern: <<\n. Everything that follows will be left untouched by the CLI parser
and will be passed to the commands parsers.
Per-command support will need to be added to take advantage of this
feature.
Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
The links were still stuck to version 1.6. Let's update them.
The patch needs to be carefully backported to 1.8 and 1.7 after
editing the respective version (replace 1.9dev with 1.8 or 1.7).
Export localpeer as the environment variable $HAPROXY_LOCALPEER,
allowing to use this variable in the configuration file.
It's useful to use this variable in the case of synchronized
configuration between peers.
Patch adds ability to fetch frontend's default backend name in your
logic, so it can be used later to derive other backend names to make routing
decisions.
In addition to metrics about time spent in the SPOE, following counters have
been added:
* applets : number of SPOE applets.
* idles : number of idle applets.
* nb_sending : number of streams waiting to send data.
* nb_waiting : number of streams waiting for a ack.
* nb_processed : number of events/groups processed by the SPOE (from the
stream point of view).
* nb_errors : number of errors during the processing (from the stream point of
view).
Log messages has been updated to report these counters. Following pattern has
been added at the end of the log message:
... <idles>/<applets> <nb_sending>/<nb_waiting> <nb_error>/<nb_processed>
Now it is possible to configure a logger in a spoe-agent section using a "log"
line, as for a proxy. "no log", "log global" and "log <address> ..." syntaxes
are supported.
"set-process-time" and "set-total-time" options have been added to store
processing times in the transaction scope, at each event and group processing,
the current one and the total one. So it is possible to get them.
TODO: documentation
Following metrics are added for each event or group of messages processed in the
SPOE:
* processing time: the delay to process the event or the group. From the
stream point of view, it is the latency added by the SPOE
processing.
* request time : It is the encoding time. It includes ACLs processing, if
any. For fragmented frames, it is the sum of all fragments.
* queue time : the delay before the request gets out the sending queue. For
fragmented frames, it is the sum of all fragments.
* waiting time: the delay before the reponse is received. No fragmentation
supported here.
* response time: the delay to process the response. No fragmentation supported
here.
* total time: (unused for now). It is the sum of all events or groups
processed by the SPOE for a specific threads.
Log messages has been updated. Before, only errors was logged (status_code !=
0). Now every processing is logged, following this format:
SPOE: [AGENT] <TYPE:NAME> sid=STREAM-ID st=STATUC-CODE reqT/qT/wT/resT/pT
where:
AGENT is the agent name
TYPE is EVENT of GROUP
NAME is the event or the group name
STREAM-ID is an integer, the unique id of the stream
STATUS_CODE is the processing's status code
reqT/qT/wT/resT/pT are delays descrive above
For all these delays, -1 means the processing was interrupted before the end. So
-1 for the queue time means the request was never dequeued. For fragmented
frames it is harder to know when the interruption happened.
For now, messages are logged using the same logger than the backend of the
stream which initiated the request.
Instead of hlua_socket_settimeout() accepting only integers, allow user
to specify float and double as well. Convert to milliseconds much like
cli_parse_set_timeout but also sanity check the value.
http://w3.impa.br/~diego/software/luasocket/tcp.html#settimeout
T. Fournier edit:
The main goal is to keep compatibility with the LuaSocket API. This
API only accept seconds, so using a float to specify milliseconds is
an acceptable way.
Update doc.
This patch add option crc32c (PP2_TYPE_CRC32C) to proxy protocol v2.
It compute the checksum of proxy protocol v2 header as describe in
"doc/proxy-protocol.txt".
Automatic downgrade of DNS accepted payload size may have undesired side
effect, which could make a backend with all servers DOWN.
After talking with Lukas on the ML, I realized this "feature" introduces
more issues that it fixes problem.
The "best" way to handle properly big responses will be to implement DNS
over TCP.
To be backported to 1.8.
>From the very first day of force-persist and ignore-persist features,
they only applied to backends, except that the documentation stated it
could also be applied to frontends.
In order to make it clear, the documentation is updated and the parser
will raise a warning if the keywords are used in a frontend section.
This patch should be backported up to the 1.5 branch.
This patch implement proxy protocol v2 options related to crypto information:
ssl-cipher (PP2_SUBTYPE_SSL_CIPHER), cert-sig (PP2_SUBTYPE_SSL_SIG_ALG) and
cert-key (PP2_SUBTYPE_SSL_KEY_ALG).
Returns true when the back connection was made over an SSL/TLS transport
layer and the newly created SSL session was resumed using a cached
session or a TLS ticket.
It's always a pain not to be able to combine variables. This commit
introduces the "concat" converter, which appends a delimiter, a variable's
contents and another delimiter to an existing string. The result is a string.
This makes it easier to build composite variables made of other variables.
This is the maximum number of frames waiting for an acknowledgement on the same
connection. This value is only used when the pipelinied or asynchronus exchanges
between HAProxy and SPOA are enabled. By default, it is set to 20.
Proxy protocol v2 can transport many optional informations. To avoid
send-proxy-v2-* explosion, this patch introduce proxy-v2-options parameter
and will allow to write: "send-proxy-v2 proxy-v2-options ssl,cert-cn".
Remove the old suggestion to use http-server-close mode, from the
beginnings of keep-alive mode in commit 16bfb021 "MINOR: config: add
option http-keep-alive").
We made http-keep-alive default in commit 70dffdaa "MAJOR: http:
switch to keep-alive mode by default".
Add an optional second parameter to the ipmask converter that specifies
the number of bits to mask off IPv6 addresses.
If the second parameter is not given IPv6 addresses fail to mask (resulting
in an empty string), preserving backwards compatibility: Previously
a sample like `src,ipmask(24)` failed to give a result for IPv6 addresses.
This feature can be tested like this:
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend fe
bind :::8080 v4v6
# Masked IPv4 for IPv4, empty for IPv6 (with and without this commit)
http-response set-header Test %[src,ipmask(24)]
# Correctly masked IP addresses for both IPv4 and IPv6
http-response set-header Test2 %[src,ipmask(24,ffff:ffff:ffff:ffff::)]
# Correctly masked IP addresses for both IPv4 and IPv6
http-response set-header Test3 %[src,ipmask(24,64)]
default_backend be
backend be
server s example.com:80
Tested-By: Jarno Huuskonen <jarno.huuskonen@uef.fi>
A number of counters have been added at special places helping better
understanding certain bug reports. These counters are maintained per
thread and are shown using "show activity" on the CLI. The "clear
counters" commands also reset these counters. The output is sent as a
single write(), which currently produces up to about 7 kB of data for
64 threads. If more counters are added, it may be necessary to write
into multiple buffers, or to reset the counters.
To backport to 1.8 to help collect more detailed bug reports.
Add date_us sample that returns the microsecond part of the timeval
structure representing the date of the structure. The "second" part of
the timeval can already be fetched by the "date" sample
In addition to "option force-set-var", recently added, this directive can be
used to selectivelly register unknown variable names, without totally relaxing
their registration during the runtime, like "option force-set-var" does.
So there is no way for a malicious agent to exhaust memory by defining a too
high number of variable names. In other hand, you need to enumerate all
variable names. This could be painfull in some circumstances.
Remember, this directive is only usefull when the variable names are not
referenced anywhere in the HAProxy configuration or the SPOE one.
Thanks to Etienne Carrire for his help on this part.
The `socket.tcp.connect` method of Lua requires at least two parameters:
The host and the port. The `Socket.connect` method of haproxy requires
only one when a host with a combined port is provided. This stems from
the fact that `str2sa_range` is used internally in `hlua_socket_connect`.
This very fact unfortunately causes a diversion in the behaviour of
Lua's socket class and haproxy's for IPv6 addresses:
sock:connect("::1", "80")
works fine with Lua, but fails with:
connect: cannot parse destination address '::1'
in haproxy, because `str2sa_range` parses the trailing `:1` as the port.
This patch forcefully adds a `:` to the end of the address iff a port
number greater than `0` is given as the second parameter.
Technically this breaks backwards compatibility, because the docs state:
> The syntax "127.0.0.1:1234" is valid. in this case, the
> parameter *port* is ignored.
But: The connect() call can only succeed if the second parameter is left
out (which causes no breakage) or if the second parameter is an integer
or a numeric string.
It seems unlikely that someone would provide an address with a port number
and would also provide a second parameter containing a number other than
zero. Thus I feel this breakage is warranted to fix the mismatch between
haproxy's socket class and Lua's one.
This commit should be backported to haproxy 1.8 only, because of the
possible breakage of existing Lua scripts.
Since RFC2616, the following codes were added to the list of codes
cacheable by default : 204, 404, 405, 414, 501. For now this it only
checked by the checkcache option to detect cacheable cookies.
We used to have a rule inherited from RFC2616 saying that the POST
method was the only uncacheable one, but things have changed since
and RFC7231+7234 made it clear that in fact only GET/HEAD/OPTIONS/TRACE
are cacheable. Currently this rule is only used to detect cacheable
cookies.
For security reasons, the spoe filter was only able to change values of
existing variables. In specific cases (ex : with LUA code), the name of
variables are unknown at the configuration parsing phase.
The force-set-var option can be enabled to register all variables.
It looks like two version of the protocol exist as reported by
Andreas Mahnke. This patch add support for both legacy and standard CIP
protocol according to NetScaler specifications.
- Fix a couple typos
- Introduce a couple simple rewordings
- Eliminate > 80 column lines
Changes do not affect technical content and can be backported.
This converter was recently introduced by commit ed0d24e ("MINOR:
sample: add len converter").
As found by Cyril, it causes an issue in "http-request capture"
statements. The non-obvious problem is that an old syntax for sample
expressions and converters used to support a series of words, each
representing a converter. This used to be how the "stick" directives
were created initially. By having a converter called "len", a
statement such as "http-request capture foo len 10" considers "len"
as a converter and not as the capture length.
This obsolete syntax needs to be changed in 1.9 but it's too late
for other versions. It's worth noting that the same problem can
happen if converters are registered on the fly using Lua. Other
language keywords that currently have to be avoided in converters
include "id", "table", "if", "unless".
"monitor-uri" may rely on "monitor fail" rules, which are processed
very early, immediately after the HTTP request is parsed and before
any http rulesets. It's not reported by the config parser when this
ruleset is misplaces, causing some configurations not to work like
users would expect. Let's just add the warning for a misplaced rule.
Cache sections were not defined as the others, preventing them to be
correctly parsed by the HTML converter. Also, the "Cache" subsections
where not added to the summary.
This patch should be backported to the 1.8 branch.
Released version 1.9-dev0 with the following main changes :
- BUG/MEDIUM: stream: don't automatically forward connect nor close
- BUG/MAJOR: stream: ensure analysers are always called upon close
- BUG/MINOR: stream-int: don't try to read again when CF_READ_DONTWAIT is set
- MEDIUM: mworker: Add systemd `Type=notify` support
- BUG/MEDIUM: cache: free callback to remove from tree
- CLEANUP: cache: remove unused struct
- MEDIUM: cache: enable the HTTP analysers
- CLEANUP: cache: remove wrong comment
- MINOR: threads/atomic: rename local variables in macros to avoid conflicts
- MINOR: threads/plock: rename local variables in macros to avoid conflicts
- MINOR: threads/atomic: implement pl_mb() in asm on x86
- MINOR: threads/atomic: implement pl_bts() on non-x86
- MINOR: threads/build: atomic: replace the few inlines with macros
- BUILD: threads/plock: fix a build issue on Clang without optimization
- BUILD: ebtree: don't redefine types u32/s32 in scope-aware trees
- BUILD: compiler: add a new type modifier __maybe_unused
- BUILD: h2: mark some inlined functions "unused"
- BUILD: server: check->desc always exists
- BUG/MEDIUM: h2: properly report connection errors in headers and data handlers
- MEDIUM: h2: add a function to emit an HTTP/1 request from a headers list
- MEDIUM: h2: change hpack_decode_headers() to only provide a list of headers
- BUG/MEDIUM: h2: always reassemble the Cookie request header field
- BUG/MINOR: systemd: ignore daemon mode
- CONTRIB: spoa_example: allow to compile outside HAProxy.
- CONTRIB: spoa_example: remove bref, wordlist, cond_wordlist
- CONTRIB: spoa_example: remove last dependencies on type "sample"
- CONTRIB: spoa_example: remove SPOE enums that are useless for clients
- CLEANUP: cache: reorder includes
- MEDIUM: shctx: use unsigned int for len and block_count
- MEDIUM: cache: "show cache" on the cli
- BUG/MEDIUM: cache: use key=0 as a condition for freeing
- BUG/MEDIUM: cache: refcount forbids to free the objects
- BUG/MEDIUM: cache fix cli_kws structure
- BUG/MEDIUM: deinit: correctly deinitialize the proxy and global listener tasks
- BUG/MINOR: ssl: Always start the handshake if we can't send early data.
- MINOR: ssl: Don't disable early data handling if we could not write.
- MINOR: pools: prepare functions to override malloc/free in pools
- MINOR: pools: implement DEBUG_UAF to detect use after free
- BUG/MEDIUM: threads/time: fix time drift correction
- BUG/MEDIUM: threads/time: maintain a common time reference between all threads
- MINOR: sample: Add "thread" sample fetch
- BUG/MINOR: Use crt_base instead of ca_base when crt is parsed on a server line
- BUG/MINOR: stream: fix tv_request calculation for applets
- BUG/MAJOR: h2: always remove a stream from the send list before freeing it
- BUG/MAJOR: threads/task: dequeue expired tasks under the WQ lock
- MINOR: ssl: Handle reading early data after writing better.
- MINOR: mux: Make sure every string is woken up after the handshake.
- MEDIUM: cache: store sha1 for hashing the cache key
- MINOR: http: implement the "http-request reject" rule
- MINOR: h2: send RST_STREAM before GOAWAY on reject
- MEDIUM: h2: don't gracefully close the connection anymore on Connection: close
- MINOR: h2: make use of client-fin timeout after GOAWAY
- MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2
- MINOR: ssl: Handle early data with BoringSSL
- BUG/MEDIUM: stream: always release the stream-interface on abort
- BUG/MEDIUM: cache: free ressources in chn_end_analyze
- MINOR: cache: move the refcount decrease in the applet release
- BUG/MINOR: listener: Allow multiple "process" options on "bind" lines
- MINOR: config: Support a range to specify processes in "cpu-map" parameter
- MINOR: config: Slightly change how parse_process_number works
- MINOR: config: Export parse_process_number and use it wherever it's applicable
- MINOR: standard: Add my_ffsl function to get the position of the bit set to one
- MINOR: config: Add auto-increment feature for cpu-map
- MINOR: config: Support partial ranges in cpu-map directive
- MINOR:: config: Remove thread-map directive
- MINOR: config: Add the threads support in cpu-map directive
- MINOR: config: Add threads support for "process" option on "bind" lines
- MEDIUM: listener: Bind listeners on a thread subset if specified
- CLEANUP: debug: Use DPRINTF instead of fprintf into #ifdef DEBUG_FULL/#endif
- CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
- MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list"
- CLEANUP: pools: rename all pool functions and pointers to remove this "2"
- DOC: update the roadmap file with the latest changes merged in 1.8
- DOC: fix mangled version in peers protocol documentation
- DOC: add initial peers protovol v2.0 documentation.
- DOC: mention William as maintainer of the cache and master-worker
- DOC: add Christopher and Emeric as maintainers of the threads
- MINOR: cache: replace a fprint() by an abort()
- MEDIUM: cache: max-age configuration keyword
- DOC: explain HTTP2 timeout behavior
- DOC: cache: configuration and management
- MAJOR: mworker: exits the master on failure
- BUG/MINOR: threads: don't drop "extern" on the lock in include files
- MINOR: task: keep a pointer to the currently running task
- MINOR: task: align the rq and wq locks
- MINOR: fd: cache-align fdtab and fdcache locks
- MINOR: buffers: cache-align buffer_wq_lock
- CLEANUP: server: reorder some fields in struct server to save 40 bytes
- CLEANUP: proxy: slightly reorder the struct proxy to reduce holes
- CLEANUP: checks: remove 16 bytes of holes in struct check
- CLEANUP: cache: more efficiently pack the struct cache
- CLEANUP: fd: place the lock at the beginning of struct fdtab
- CLEANUP: pools: align pools on a cache line
- DOC: config: add a few bits about how to configure HTTP/2
- BUG/MAJOR: threads/queue: avoid recursive locking in pendconn_get_next_strm()
- BUILD: Makefile: reorder object files by size
Released version 1.8.0 with the following main changes :
- BUG/MEDIUM: stream: don't automatically forward connect nor close
- BUG/MAJOR: stream: ensure analysers are always called upon close
- BUG/MINOR: stream-int: don't try to read again when CF_READ_DONTWAIT is set
- MEDIUM: mworker: Add systemd `Type=notify` support
- BUG/MEDIUM: cache: free callback to remove from tree
- CLEANUP: cache: remove unused struct
- MEDIUM: cache: enable the HTTP analysers
- CLEANUP: cache: remove wrong comment
- MINOR: threads/atomic: rename local variables in macros to avoid conflicts
- MINOR: threads/plock: rename local variables in macros to avoid conflicts
- MINOR: threads/atomic: implement pl_mb() in asm on x86
- MINOR: threads/atomic: implement pl_bts() on non-x86
- MINOR: threads/build: atomic: replace the few inlines with macros
- BUILD: threads/plock: fix a build issue on Clang without optimization
- BUILD: ebtree: don't redefine types u32/s32 in scope-aware trees
- BUILD: compiler: add a new type modifier __maybe_unused
- BUILD: h2: mark some inlined functions "unused"
- BUILD: server: check->desc always exists
- BUG/MEDIUM: h2: properly report connection errors in headers and data handlers
- MEDIUM: h2: add a function to emit an HTTP/1 request from a headers list
- MEDIUM: h2: change hpack_decode_headers() to only provide a list of headers
- BUG/MEDIUM: h2: always reassemble the Cookie request header field
- BUG/MINOR: systemd: ignore daemon mode
- CONTRIB: spoa_example: allow to compile outside HAProxy.
- CONTRIB: spoa_example: remove bref, wordlist, cond_wordlist
- CONTRIB: spoa_example: remove last dependencies on type "sample"
- CONTRIB: spoa_example: remove SPOE enums that are useless for clients
- CLEANUP: cache: reorder includes
- MEDIUM: shctx: use unsigned int for len and block_count
- MEDIUM: cache: "show cache" on the cli
- BUG/MEDIUM: cache: use key=0 as a condition for freeing
- BUG/MEDIUM: cache: refcount forbids to free the objects
- BUG/MEDIUM: cache fix cli_kws structure
- BUG/MEDIUM: deinit: correctly deinitialize the proxy and global listener tasks
- BUG/MINOR: ssl: Always start the handshake if we can't send early data.
- MINOR: ssl: Don't disable early data handling if we could not write.
- MINOR: pools: prepare functions to override malloc/free in pools
- MINOR: pools: implement DEBUG_UAF to detect use after free
- BUG/MEDIUM: threads/time: fix time drift correction
- BUG/MEDIUM: threads/time: maintain a common time reference between all threads
- MINOR: sample: Add "thread" sample fetch
- BUG/MINOR: Use crt_base instead of ca_base when crt is parsed on a server line
- BUG/MINOR: stream: fix tv_request calculation for applets
- BUG/MAJOR: h2: always remove a stream from the send list before freeing it
- BUG/MAJOR: threads/task: dequeue expired tasks under the WQ lock
- MINOR: ssl: Handle reading early data after writing better.
- MINOR: mux: Make sure every string is woken up after the handshake.
- MEDIUM: cache: store sha1 for hashing the cache key
- MINOR: http: implement the "http-request reject" rule
- MINOR: h2: send RST_STREAM before GOAWAY on reject
- MEDIUM: h2: don't gracefully close the connection anymore on Connection: close
- MINOR: h2: make use of client-fin timeout after GOAWAY
- MEDIUM: config: ensure that tune.bufsize is at least 16384 when using HTTP/2
- MINOR: ssl: Handle early data with BoringSSL
- BUG/MEDIUM: stream: always release the stream-interface on abort
- BUG/MEDIUM: cache: free ressources in chn_end_analyze
- MINOR: cache: move the refcount decrease in the applet release
- BUG/MINOR: listener: Allow multiple "process" options on "bind" lines
- MINOR: config: Support a range to specify processes in "cpu-map" parameter
- MINOR: config: Slightly change how parse_process_number works
- MINOR: config: Export parse_process_number and use it wherever it's applicable
- MINOR: standard: Add my_ffsl function to get the position of the bit set to one
- MINOR: config: Add auto-increment feature for cpu-map
- MINOR: config: Support partial ranges in cpu-map directive
- MINOR:: config: Remove thread-map directive
- MINOR: config: Add the threads support in cpu-map directive
- MINOR: config: Add threads support for "process" option on "bind" lines
- MEDIUM: listener: Bind listeners on a thread subset if specified
- CLEANUP: debug: Use DPRINTF instead of fprintf into #ifdef DEBUG_FULL/#endif
- CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
- MINOR/CLEANUP: proxy: rename "proxy" to "proxies_list"
- CLEANUP: pools: rename all pool functions and pointers to remove this "2"
- DOC: update the roadmap file with the latest changes merged in 1.8
- DOC: fix mangled version in peers protocol documentation
- DOC: add initial peers protovol v2.0 documentation.
- DOC: mention William as maintainer of the cache and master-worker
- DOC: add Christopher and Emeric as maintainers of the threads
- MINOR: cache: replace a fprint() by an abort()
- MEDIUM: cache: max-age configuration keyword
- DOC: explain HTTP2 timeout behavior
- DOC: cache: configuration and management
- MAJOR: mworker: exits the master on failure
- BUG/MINOR: threads: don't drop "extern" on the lock in include files
- MINOR: task: keep a pointer to the currently running task
- MINOR: task: align the rq and wq locks
- MINOR: fd: cache-align fdtab and fdcache locks
- MINOR: buffers: cache-align buffer_wq_lock
- CLEANUP: server: reorder some fields in struct server to save 40 bytes
- CLEANUP: proxy: slightly reorder the struct proxy to reduce holes
- CLEANUP: checks: remove 16 bytes of holes in struct check
- CLEANUP: cache: more efficiently pack the struct cache
- CLEANUP: fd: place the lock at the beginning of struct fdtab
- CLEANUP: pools: align pools on a cache line
- DOC: config: add a few bits about how to configure HTTP/2
- BUG/MAJOR: threads/queue: avoid recursive locking in pendconn_get_next_strm()
- BUILD: Makefile: reorder object files by size
This patch changes the behavior of the master during the exit of a
worker.
When a worker exits with an error code, for example in the case of a
segfault, all workers are now killed and the master leaves.
If you don't want this behavior you can use the option
"master-worker no-exit-on-failure".
[wt: the new version is 2.1 but it's useful to document the different
versions since they're found in field. There's some overlap with the
new one and they complement on certain areas. Most likely they'll
ultimately be merged.]
Tim Dsterhus noticed that the create-release script had mangled the
version in the peers protocol doc, forcing it to 1.8 due to its syntax
matching the format of an haproxy version. Let's just slightly readjust
the header not to match this by removing the word "version" and placing
it on the same line as the title.
During the migration to the second version of the pools, the new
functions and pool pointers were all called "pool_something2()" and
"pool2_something". Now there's no more pool v1 code and it's a real
pain to still have to deal with this. Let's clean this up now by
removing the "2" everywhere, and by renaming the pool heads
"pool_head_something".
It is now possible on a "bind" line (or a "stats socket" line) to specify the
thread set allowed to process listener's connections. For instance:
# HTTPS connections will be processed by all threads but the first and HTTP
# connection will be processed on the first thread.
bind *:80 process 1/1
bind *:443 ssl crt mycert.pem process 1/2-
Now, it is possible to bind CPU at the thread level instead of the process level
by defining a thread set in "cpu-map" directives. Thus, its format is now:
cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
where <process-set> and <thread-set> must follow the format:
all | odd | even | number[-[number]]
Having a process range and a thread range in same time with the "auto:" prefix
is not supported. Only one range is supported, the other one must be a fixed
number. But it is allowed when there is no "auto:" prefix.
Because it is possible to define a mapping for a process and another for a
thread on this process, threads will be bound on the intersection of their
mapping and the one of the process on which they are attached. If the
intersection is null, no specific binding will be set for the threads.
It was a temporary directive used for development purpose. Now, CPU mapping for
at the thread level should be done using the cpu-map directive. This feature
will be added in a next commit.
Now, processa and CPU ranges can be partially defined. The higher bound can be
omitted. In such case, it is replaced by the corresponding maximum value, 32 or
64 depending on the machine's word size.
By extension, It is also true for the "bind-process" directive and "process"
parameter on a "bind" or a "stats socket" line.
The prefix "auto:" can be added before the process set to let HAProxy
automatically bind a process to a CPU by incrementing process and CPU sets. To
be valid, both sets must have the same size. No matter the declaration order of
the CPU sets, it will be bound from the lower to the higher bound.
Examples:
# all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
# and so on.
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0
# bind each process to exaclty one CPU using all/odd/even keyword
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63
# invalid cpu-map because process and CPU sets have different sizes.
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid
Now, you can define processes concerned by a cpu-map line using a range. For
instance, the following line binds the first 32 processes on CPUs 0 to 3:
cpu-map 1-32 0-3
HTTP/2 mandates the support of 16384 bytes frames by default, so we need
a large enough buffer to process them. Till now if tune.bufsize was too
small, H2 connections were simply rejected during their establishment,
making it quite hard to troubleshoot the issue.
Now we detect when HTTP/2 is enabled on an HTTP frontend and emit an
error if tune.bufsize is not large enough, with the appropriate
recommendation.
At the moment, the "client" timeout is used on an HTTP/2 connection once
it's idle with no active stream. With this patch, this timeout is replaced
by client-fin once a GOAWAY frame is sent. This closely matches what is
done on HTTP/1 since the principle is the same, as it indicates a willing
ness to quickly close a connection on which we don't expect to see anything
anymore.
This one acts similarly to its tcp-request counterpart. It immediately
closes the request without emitting any response. It can be suitable in
certain DoS conditions, as well as to close an HTTP/2 connection.
Since we switched to notify mode in the systemd unit file in commit
d6942c8, haproxy won't start if the daemon keyword is present in the
configuration.
This change makes sure that haproxy remains in foreground when using
systemd mode and adds a note in the documentation.
Released version 1.8-rc4 with the following main changes :
- BUG/MEDIUM: cache: does not cache if no Content-Length
- BUILD: thread/pipe: fix build without threads
- BUG/MINOR: spoe: check buffer size before acquiring or releasing it
- MINOR: debug/flags: Add missing flags
- MINOR: threads: Use __decl_hathreads to declare locks
- BUG/MINOR: buffers: Fix b_alloc_margin to be "fonctionnaly" thread-safe
- BUG/MAJOR: ebtree/scope: fix insertion and removal of duplicates in scope-aware trees
- BUG/MAJOR: ebtree/scope: fix lookup of next node in scope-aware trees
- MINOR: ebtree/scope: add a function to find next node from a parent
- MINOR: ebtree/scope: simplify the lookup functions by using eb32sc_next_with_parent()
- BUG/MEDIUM: mworker: Fix re-exec when haproxy is started from PATH
- BUG/MEDIUM: cache: use msg->sov to forward header
- MINOR: cache: forward data with headers
- MINOR: cache: disable cache if shctx_row_data_append fail
- BUG/MINOR: threads: tid_bit must be a unsigned long
- CLEANUP: tasks: Remove useless double test on rq_next
- BUG/MEDIUM: standard: itao_str/idx and quote_str/idx must be thread-local
- MINOR: tools: add a function to dump a scope-aware tree to a file
- MINOR: tools: improve the DOT dump of the ebtree
- MINOR: tools: emphasize the node being worked on in the tree dump
- BUG/MAJOR: ebtree/scope: properly tag upper nodes during insertion
- DOC: peers: Add a first version of peers protocol v2.1.
- CONTRIB: Wireshark dissector for HAProxy Peer Protocol.
- MINOR: mworker: display an accurate error when the reexec fail
- BUG/MEDIUM: mworker: wait again for signals when execvp fail
- BUG/MEDIUM: mworker: does not deinit anymore
- BUG/MEDIUM: mworker: does not close inherited FD
- MINOR: tests: add a python wrapper to test inherited fd
- BUG/MINOR: Allocate the log buffers before the proxies startup
- MINOR: tasks: Use a bitfield to track tasks activity per-thread
- MAJOR: polling: Use active_tasks_mask instead of tasks_run_queue
- MINOR: applets: Use a bitfield to track applets activity per-thread
- MAJOR: polling: Use active_appels_mask instead of applets_active_queue
- MEDIUM: applets: Don't process more than 200 active applets at once
- MINOR: stream: Add thread-mask of tasks/FDs/applets in "show sess all" command
- MINOR: SSL: Store the ASN1 representation of client sessions.
- MINOR: ssl: Make sure we don't shutw the connection before the handshake.
- BUG/MEDIUM: deviceatlas: ignore not valuable HTTP request data
Released version 1.8-rc3 with the following main changes :
- BUILD: use MAXPATHLEN instead of NAME_MAX.
- BUG/MAJOR: threads/checks: add 4 missing spin_unlock() in various functions
- BUG/MAJOR: threads/server: missing unlock in CLI fqdn parser
- BUG/MINOR: cli: do not perform an invalid action on "set server check-port"
- BUG/MAJOR: threads/checks: wrong use of SPIN_LOCK instead of SPIN_UNLOCK
- CLEANUP: checks: remove return statements in locked functions
- BUG/MINOR: cli: add severity in "set server addr" parser
- CLEANUP: server: get rid of return statements in the CLI parser
- BUG/MAJOR: cli/streams: missing unlock on exit "show sess"
- BUG/MAJOR: threads/dns: add missing unlock on allocation failure path
- BUG/MAJOR: threads/lb: fix missing unlock on consistent hash LB
- BUG/MAJOR: threads/lb: fix missing unlock on map-based hash LB
- BUG/MEDIUM: threads/stick-tables: close a race condition on stktable_trash_expired()
- BUG/MAJOR: h2: set the connection's task to NULL when no client timeout is set
- BUG/MAJOR: thread/listeners: enable_listener must not call unbind_listener()
- BUG/MEDIUM: threads: don't try to free build option message on exit
- MINOR: applets: no need to check for runqueue's emptiness in appctx_res_wakeup()
- MINOR: add master-worker in the warning about nbproc
- MINOR: mworker: allow pidfile in mworker + foreground
- MINOR: mworker: write parent pid in the pidfile
- MINOR: mworker: do not store child pid anymore in the pidfile
- MINOR: ebtree: implement the scope-aware functions for eb32
- MEDIUM: ebtree: specify the scope of every node inserted via eb32sc
- MINOR: ebtree: update the eb32sc parent node's scope on delete
- MEDIUM: ebtree: only consider the branches matching the scope in lookups
- MINOR: ebtree: implement eb32sc_lookup_ge_or_first()
- MAJOR: task: make use of the scope-aware ebtree functions
- MINOR: task: simplify wake_expired_tasks() to avoid unlocking in the loop
- MEDIUM: task: change the construction of the loop in process_runnable_tasks()
- MINOR: threads: use faster locks for the spin locks
- MINOR: tasks: only visit filled task slots after processing them
- MEDIUM: tasks: implement a lockless scheduler for single-thread usage
- BUG/MINOR: dns: Don't try to get the server lock if it's already held.
- BUG/MINOR: dns: Don't lock the server lock in snr_check_ip_callback().
- DOC: Add note about encrypted password CPU usage
- BUG/MINOR: h2: set the "HEADERS_SENT" flag on stream, not connection
- BUG/MEDIUM: h2: properly send an RST_STREAM on mux stream error
- BUG/MEDIUM: h2: properly send the GOAWAY frame in the mux
- BUG/MEDIUM: h2: don't try (and fail) to send non-existing data in the mux
- MEDIUM: h2: remove the H2_SS_RESET intermediate state
- BUG/MEDIUM: h2: fix some wrong error codes on connections
- BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix
- BUILD: enable USE_THREAD for Solaris build.
- BUG/MEDIUM: h2: don't close the connection is there are data left
- MINOR: h2: don't re-enable the connection's task when we're closing
- BUG/MEDIUM: h2: properly set H2_SF_ES_SENT when sending the final frame
- BUG/MINOR: h2: correctly check for H2_SF_ES_SENT before closing
- MINOR: h2: add new stream flag H2_SF_OUTGOING_DATA
- BUG/MINOR: h2: don't send GOAWAY on failed response
- BUG/MEDIUM: splice/threads: pipe reuse list was not protected.
- BUG/MINOR: comp: fix compilation warning compiling without compression.
- BUG/MINOR: stream-int: don't set MSG_MORE on closed request path
- BUG/MAJOR: threads/tasks: fix the scheduler again
- BUG/MINOR; ssl: Don't assume we have a ssl_bind_conf because a SNI is matched.
- MINOR: ssl: Handle session resumption with TLS 1.3
- MINOR: ssl: Spell 0x10101000L correctly.
- MINOR: ssl: Handle sending early data to server.
- BUILD: ssl: fix build of backend without ssl
- BUILD: shctx: do not depend on openssl anymore
- BUG/MINOR: h1: the HTTP/1 make status code parser check for digits
- BUG/MEDIUM: h2: reject non-3-digit status codes
- BUG/MEDIUM: stream-int: Don't loss write's notifs when a stream is woken up
- BUG/MINOR: pattern: Rely on the sample type to copy it in pattern_exec_match
- BUG/MEDIUM: h2: split the function to send RST_STREAM
- BUG/MEDIUM: h1: ensure the chunk size parser can deal with full buffers
- MINOR: tools: don't use unlikely() in hex2i()
- BUG/MEDIUM: h2: support orphaned streams
- BUG/MEDIUM: threads/cli: fix "show sess" locking on release
- CLEANUP: mux: remove the unused "release()" function
- MINOR: cli: make "show fd" report the fd's thread mask
- BUG/MEDIUM: stream: don't ignore res.analyse_exp anymore
- CLEANUP: global: introduce variable pid_bit to avoid shifts with relative_pid
- MEDIUM: http: always reject the "PRI" method
From first-hand experience I realized that using encrypted passwords in
userlists can quickly become overwhelming for busy sites. In my case
just about 100 rq/s were enough to drive (user) CPU usage from 2-3% up
to >90%. While it is perfectly explicable why this is the case, having
it mentioned in the relevant documentation section might spare someone
some confusion in the future.
Released version 1.8-rc2 with the following main changes :
- BUG/MINOR: send-proxy-v2: fix dest_len in make_tlv call
- BUG/MINOR: send-proxy-v2: string size must include ('\0')
- MINOR: mux: Only define pipe functions on linux.
- MINOR: cache: Remove useless test for nonzero.
- MINOR: cache: Don't confuse act_return and act_parse_ret.
- BUG/MEDIUM: h2: don't try to parse incomplete H1 responses
- BUG/MEDIUM: checks/mux: always enable send-polling after connecting
- BUG/MAJOR: fix deadlock on healthchecks.
- BUG/MINOR: thread: fix a typo in the debug code
- BUILD: shctx: allow to be built without openssl
- BUG/MEDIUM: cache: don't try to resolve wrong filters
- BUG/MAJOR: buffers: fix get_buffer_nc() for data at end of buffer
- BUG/MINOR: freq: fix infinite loop on freq_ctr_period.
- BUG/MINOR: stdarg.h inclusion
- BUG/MINOR: dns: fix missing lock protection on server.
- BUG/MINOR: lua: fix missing lock protection on server.
- BUILD: enable USE_THREAD for OpenBSD build.
- BUG/MAJOR: mux_pt: don't dereference a connstream after ->wake()
- MINOR: thread: report multi-thread support in haproxy -vv
Released version 1.8-rc1 with the following main changes :
- BUG/MEDIUM: server: Allocate tmptrash before using it.
- CONTRIB: trace: add the possibility to place trace calls in the code
- CONTRIB: trace: try to display the function's return value on exit
- CONTRIB: trace: report the base name only for file names
- BUILD: ssl: support OPENSSL_NO_ASYNC #define
- MINOR: ssl: build with recent BoringSSL library
- BUG/MINOR: ssl: OCSP_single_get0_status can return -1
- BUG/MINOR: cli: restore "set ssl tls-key" command
- CLEANUP: cli: remove undocumented "set ssl tls-keys" command
- IMPORT: sha1: import SHA1 functions
- MINOR: sample: add the sha1 converter
- MINOR: sample: add the hex2i converter
- MINOR: stream-int: stop checking for useless connection flags in chk_snd_conn
- MINOR: ssl: don't abort after sending 16kB
- MINOR: connection: move the cleanup of flag CO_FL_WAIT_ROOM
- MINOR: connection: add flag CO_FL_WILL_UPDATE to indicate when updates are granted
- MEDIUM: connection: make use of CO_FL_WILL_UPDATE in conn_sock_shutw()
- MINOR: raw_sock: make use of CO_FL_WILL_UPDATE
- MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE
- BUG/MINOR: checks: Don't forget to release the connection on error case.
- MINOR: buffer: add the buffer input manipulation functions
- BUG/MEDIUM: prevent buffers being overwritten during build_logline() execution
- MEDIUM: cfgparse: post section callback
- MEDIUM: cfgparse: post parsing registration
- MINOR: lua: add uuid to the Class Proxy
- MINOR: hlua: Add regex class
- MINOR: http: Mark the 425 code as "Too Early".
- MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code
- MINOR: ssl: support Openssl 1.1.1 early callback for switchctx
- MINOR: ssl: generated certificate is missing in switchctx early callback
- MEDIUM: ssl: Handle early data with OpenSSL 1.1.1
- BUILD: Makefile: disable -Wunused-label
- MINOR: ssl/proto_http: Add keywords to take care of early data.
- BUG/MINOR: lua: const attribute of a string is overridden
- MINOR: ssl: Don't abuse ssl_options.
- MINOR: update proxy-protocol-v2 #define
- MINOR: merge ssl_sock_get calls for log and ppv2
- MINOR: add ALPN information to send-proxy-v2
- MEDIUM: h1: ensure that 1xx, 204 and 304 don't have a payload body
- CLEANUP: shctx: get ride of the shsess_packet{_hdr} structures
- MEDIUM: lists: list_for_each_entry{_safe}_from functions
- REORG: shctx: move lock functions and struct
- MEDIUM: shctx: allow the use of multiple shctx
- REORG: shctx: move ssl functions to ssl_sock.c
- MEDIUM: shctx: separate ssl and shctx
- MINOR: shctx: rename lock functions
- MINOR: h1: store the status code in the H1 message
- BUG/MINOR: spoe: Don't compare engine name and SPOE scope when both are NULL
- BUG/MINOR: spoa: Update pointer on the end of the frame when a reply is encoded
- MINOR: action: Add trk_idx inline function
- MINOR: action: Use trk_idx instead of tcp/http_trk_idx
- MINOR: action: Add a function pointer in act_rule struct to check its validity
- MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_*
- MINOR: action: Add a functions to check http capture rules
- MINOR: action: Factorize checks on rules calling check_ptr if defined
- MINOR: acl: Pass the ACLs as an explicit parameter of build_acl_cond
- MEDIUM: spoe: Add support of ACLS to enable or disable sending of SPOE messages
- MINOR: spoe: Check uniqness of SPOE engine names during config parsing
- MEDIUM: spoe: Parse new "spoe-group" section in SPOE config file
- MEDIUM: spoe/rules: Add "send-spoe-group" action for tcp/http rules
- MINOR: spoe: Move message encoding in its own function
- MINOR: spoe: Add a type to qualify the message list during encoding
- MINOR: spoe: Add a generic function to encode a list of SPOE message
- MEDIUM: spoe/rules: Process "send-spoe-group" action
- BUG/MINOR: dns: Fix CLI keyword declaration
- MAJOR: dns: Refactor the DNS code
- BUG/MINOR: mailers: Fix a memory leak when email alerts are released
- MEDIUM: mailers: Init alerts during conf parsing and refactor their processing
- MINOR: mailers: Use pools to allocate email alerts and its tcpcheck_rules
- MINOR: standard: Add memvprintf function
- MINOR: log: Save alerts and warnings emitted during HAProxy startup
- MINOR: cli: Add "show startup-logs" command
- MINOR: startup: Extend the scope the MODE_STARTING flag
- MINOR: threads: Prepare makefile to link with pthread
- MINOR: threads: Add THREAD_LOCAL macro
- MINOR: threads: Add atomic-ops and plock includes in import dir
- MEDIUM: threads: Add hathreads header file
- MINOR: threads: Add mechanism to register per-thread init/deinit functions
- MINOR: threads: Add nbthread parameter
- MEDIUM: threads: Adds a set of functions to handle sync-point
- MAJOR: threads: Start threads to experiment multithreading
- MINOR: threads: Define the sync-point inside run_poll_loop
- MEDIUM: threads/buffers: Define and register per-thread init/deinit functions
- MEDIUM: threads/chunks: Transform trash chunks in thread-local variables
- MEDIUM: threads/time: Many global variables from time.h are now thread-local
- MEDIUM: threads/logs: Make logs thread-safe
- MEDIUM: threads/pool: Make pool thread-safe by locking all access to a pool
- MAJOR: threads/fd: Make fd stuffs thread-safe
- MINOR: threads/fd: Add a mask of threads allowed to process on each fd in fdtab array
- MEDIUM: threads/fd: Initialize the process mask during the call to fd_insert
- MINOR: threads/fd: Process cached events of FDs depending on the process mask
- MINOR: threads/polling: pollers now handle FDs depending on the process mask
- WIP: SQUASH WITH SYNC POINT
- MAJOR: threads/task: handle multithread on task scheduler
- MEDIUM: threads/signal: Add a lock to make signals thread-safe
- MEDIUM: threads/listeners: Make listeners thread-safe
- MEDIUM: threads/proxy: Add a lock per proxy and atomically update proxy vars
- MEDIUM: threads/server: Make connection list (priv/idle/safe) thread-safe
- MEDIUM: threads/server: Add a lock per server and atomically update server vars
- MINOR: threads/server: Add a lock to deal with insert in updates_servers list
- MEDIUM: threads/lb: Make LB algorithms (lb_*.c) thread-safe
- MEDIUM: threads/stick-tables: handle multithreads on stick tables
- MINOR: threads/sample: Change temp_smp into a thread local variable
- MEDIUM: threads/http: Make http_capture_bad_message thread-safe
- MINOR: threads/regex: Change Regex trash buffer into a thread local variable
- MAJOR: threads/applet: Handle multithreading for applets
- MAJOR: threads/peers: Make peers thread safe
- MAJOR: threads/buffer: Make buffer wait queue thread safe
- MEDIUM: threads/stream: Make streams list thread safe
- MAJOR: threads/ssl: Make SSL part thread-safe
- MEDIUM: threads/queue: Make queues thread-safe
- MAJOR: threads/map: Make acls/maps thread safe
- MEDIUM: threads/freq_ctr: Make the frequency counters thread-safe
- MEDIUM: thread/vars: Make vars thread-safe
- MEDIUM: threads/filters: Add init/deinit callback per thread
- MINOR: threads/filters: Update trace filter to add _per_thread callbacks
- MEDIUM: threads/compression: Make HTTP compression thread-safe
- MEDIUM: threads/lua: Makes the jmpbuf and some other buffers local to the current thread.
- MEDIUM: threads/lua: Add locks around the Lua execution parts.
- MEDIUM: threads/lua: Ensure that the launched tasks runs on the same threads than me
- MEDIUM: threads/lua: Cannot acces to the socket if we try to access from another thread.
- MEDIUM: threads/xref: Convert xref function to a thread safe model
- MEDIUM: threads/tasks: Add lock around notifications
- MEDIUM: thread/spoe: Make the SPOE thread-safe
- MEDIUM: thread/dns: Make DNS thread-safe
- MINOR: threads: Add thread-map config parameter in the global section
- MINOR: threads/checks: Add a lock to protect the pid list used by external checks
- MINOR: threads/checks: Set the task process_mask when a check is executed
- MINOR: threads/mailers: Add a lock to protect queues of email alerts
- MEDIUM: threads/server: Use the server lock to protect health check and cli concurrency
- MINOR: threads: Don't start when device a detection module is used
- BUG/MEDIUM: threads: Run the poll loop on the main thread too
- BUG/MINOR: threads: Add missing THREAD_LOCAL on static here and there
- MAJOR: threads: Offically enable the threads support in HAProxy
- BUG/MAJOR: threads/freq_ctr: fix lock on freq counters.
- BUG/MAJOR: threads/time: Store the time deviation in an 64-bits integer
- BUILD: stick-tables: silence an uninitialized variable warning
- BUG/MINOR: dns: Fix SRV records with the new thread code.
- MINOR: ssl: Remove the global allow-0rtt option.
- CLEANUP: threads: replace the last few 1UL<<tid with tid_bit
- CLEANUP: threads: rename process_mask to thread_mask
- MINOR: h1: add a function to measure the trailers length
- MINOR: threads: add a portable barrier for threads and non-threads
- BUG/MAJOR: threads/freq_ctr: use a memory barrier to detect changes
- BUG/MEDIUM: threads: Initialize the sync-point
- MEDIUM: connection: start to introduce a mux layer between xprt and data
- MINOR: connection: implement alpn registration of muxes
- MINOR: mux: register the pass-through mux for any ALPN string
- MEDIUM: session: use the ALPN token and proxy mode to select the mux
- MINOR: connection: report the major HTTP version from the MUX for logging (fc_http_major)
- MINOR: connection: introduce conn_stream
- MINOR: mux: add more methods to mux_ops
- MINOR: connection: introduce the conn_stream manipulation functions
- MINOR: mux_pt: implement remaining mux_ops methods
- MAJOR: connection : Split struct connection into struct connection and struct conn_stream.
- MINOR: connection: make conn_stream users also check for per-stream error flag
- MINOR: conn_stream: new shutr/w status flags
- MINOR: conn_stream: modify cs_shut{r,w} API to pass the desired mode
- MEDIUM: connection: make conn_sock_shutw() aware of lingering
- MINOR: connection: add cs_close() to close a conn_stream
- MEDIUM: mux_pt: make cs_shutr() / cs_shutw() properly close the connection
- MEDIUM: connection: replace conn_full_close() with cs_close()
- MEDIUM: connection: make mux->detach() release the connection
- MEDIUM: stream: do not forcefully close the client connection anymore
- MEDIUM: checks: exclusively use cs_destroy() to release a connection
- MEDIUM: connection: add a destroy callback
- MINOR: session: release the listener with the session, not the stream
- MEDIUM: session: make use of the connection's destroy callback
- CONTRIB: hpack: implement a reverse huffman table generator for hpack
- MINOR: hpack: implement the HPACK Huffman table decoder
- MINOR: hpack: implement the header tables management
- MINOR: hpack: implement the decoder
- MEDIUM: hpack: implement basic hpack encoding
- MINOR: h2: centralize all HTTP/2 protocol elements and constants
- MINOR: h2: create a very minimalistic h2 mux
- MINOR: h2: expose tune.h2.header-table-size to configure the table size
- MINOR: h2: expose tune.h2.initial-window-size to configure the window size
- MINOR: h2: expose tune.h2.max-concurrent-streams to limit the number of streams
- MINOR: h2: create the h2c struct and allocate its pool
- MINOR: h2: create the h2s struct and the associated pool
- MINOR: h2: handle two extra stream states for errors
- MINOR: h2: add a frame header descriptor for incoming frames
- MEDIUM: h2: allocate and release the h2c context on connection init/end
- MEDIUM: h2: implement basic recv/send/wake functions
- MEDIUM: h2: dynamically allocate the demux buffer on Rx
- MEDIUM: h2: implement the mux buffer allocator
- MINOR: h2: add the connection and stream flags listing the causes for blocking
- MINOR: h2: add function h2s_id() to report a stream's ID
- MINOR: h2: small function to know when the mux is busy
- MINOR: h2: new function h2c_error to mark an error on the connection
- MINOR: h2: new function h2s_error() to mark an error on a stream
- MINOR: h2: add h2_set_frame_size() to update the size in a binary frame
- MINOR: h2: new function h2_peek_frame_hdr() to retrieve a new frame header
- MINOR: h2: add a few functions to retrieve contents from a wrapping buffer
- MINOR: h2: add stream lookup function based on the stream ID
- MINOR: h2: create dummy idle and closed streams
- MINOR: h2: add the function to create a new stream
- MINOR: h2: update the {MUX,DEM}_{M,D}ALLOC flags on buffer availability
- MEDIUM: h2: start to consider the H2_CF_{MUX,DEM}_* flags for polling
- MINOR: h2: also terminate the connection on shutr
- MEDIUM: h2: properly consider all conditions for end of connection
- MEDIUM: h2: wake the connection up for send on pending streams
- MEDIUM: h2: start to implement the frames processing loop
- MINOR: h2: add a function to send a GOAWAY error frame
- MINOR: h2: match the H2 connection preface on init
- MEDIUM: h2: enable connection polling for send when a cs wants to emit
- MEDIUM: h2: enable reading again on the connection if it was blocked on stream buffer full
- MEDIUM: h2: process streams pending for sending
- MINOR: h2: send a real SETTINGS frame based on the configuration
- MEDIUM: h2: detect the presence of the first settings frame
- MINOR: h2: create a stream parser for the demuxer
- MINOR: h2: implement PING frames
- MEDIUM: h2: decode SETTINGS frames and extract relevant settings
- MINOR: h2: lookup the stream during demuxing
- MEDIUM: h2: honor WINDOW_UPDATE frames
- MINOR: h2: implement h2_send_rst_stream() to send RST_STREAM frames
- MINOR: h2: handle CONTINUATION frames
- MEDIUM: h2: partial implementation of h2_detach()
- MEDIUM: h2: unblock a connection when its current stream detaches
- MEDIUM: h2: basic processing of HEADERS frame
- MEDIUM: h2: don't use trash to decode headers!
- MEDIUM: h2: implement the response HEADERS frame to encode the H1 response
- MEDIUM: h2: send the H1 response body as DATA frames
- MEDIUM: h2: skip the response trailers if any
- MEDIUM: h2: properly continue to parse header block when facing a 1xx response
- MEDIUM: h2: send WINDOW_UPDATE frames for connection
- MEDIUM: h2: handle request body in DATA frames
- MINOR: h2: handle RST_STREAM frames
- MEDIUM: h2: send DATA+ES or RST_STREAM on shutw/shutr
- MINOR: h2: use a common function to signal some and all streams.
- MEDIUM: h2: handle GOAWAY frames
- MINOR: h2: centralize the check for the idle streams
- MINOR: h2: centralize the check for the half-closed(remote) streams
- MEDIUM: h2: silently ignore frames higher than last_id after GOAWAY
- MINOR: h2: properly reject PUSH_PROMISE frames coming from the client
- MEDIUM: h2: perform a graceful shutdown on "Connection: close"
- MEDIUM: h2: send a GOAWAY frame when dealing with an empty response
- MEDIUM: h2: apply a timeout to h2 connections
- BUG/MEDIUM: h2: fix incorrect timeout handling on the connection
- MEDIUM: shctx: forbid shctx to read more than expected
- MEDIUM: cache: configuration parsing and initialization
- MEDIUM: cache: store objects in cache
- MEDIUM: cache: deliver objects from cache
A new sample fetch function reports either 1 or 2 for the on-wire encoding,
to indicate if the request was received using the HTTP/1.x format or HTTP/2
format. Note that it reports the on-wire encoding, not the version presented
in the request header.
This will possibly have to evolve if it becomes necessary to report the
encoding on the server side as well.
By default, no affinity is set for threads. To bind threads on CPU, you must
define a "thread-map" in the global section. The format is the same than the
"cpu-map" parameter, with a small difference. The process number must be
defined, with the same format than cpu-map ("all", "even", "odd" or a number
between 1 and 31/63).
A thread will be bound on the intersection of its mapping and the one of the
process on which it is attached. If the intersection is null, no specific bind
will be set for the thread.
Now, it is possible to define init_per_thread and deinit_per_thread callbacks to
deal with ressources allocation for each thread.
This is the filter responsibility to deal with concurrency. This is also the
filter responsibility to know if HAProxy is started with some threads. A good
way to do so is to check "global.nbthread" value. If it is greater than 1, then
_per_thread callbacks will be called.
This is a huge patch with many changes, all about the DNS. Initially, the idea
was to update the DNS part to ease the threads support integration. But quickly,
I started to refactor some parts. And after several iterations, it was
impossible for me to commit the different parts atomically. So, instead of
adding tens of patches, often reworking the same parts, it was easier to merge
all my changes in a uniq patch. Here are all changes made on the DNS.
First, the DNS initialization has been refactored. The DNS configuration parsing
remains untouched, in cfgparse.c. But all checks have been moved in a post-check
callback. In the function dns_finalize_config, for each resolvers, the
nameservers configuration is tested and the task used to manage DNS resolutions
is created. The links between the backend's servers and the resolvers are also
created at this step. Here no connection are kept alive. So there is no needs
anymore to reopen them after HAProxy fork. Connections used to send DNS queries
will be opened on demand.
Then, the way DNS requesters are linked to a DNS resolution has been
reworked. The resolution used by a requester is now referenced into the
dns_requester structure and the resolution pointers in server and dns_srvrq
structures have been removed. wait and curr list of requesters, for a DNS
resolution, have been replaced by a uniq list. And Finally, the way a requester
is removed from a DNS resolution has been simplified. Now everything is done in
dns_unlink_resolution.
srv_set_fqdn function has been simplified. Now, there is only 1 way to set the
server's FQDN, independently it is done by the CLI or when a SRV record is
resolved.
The static DNS resolutions pool has been replaced by a dynamoc pool. The part
has been modified by Baptiste Assmann.
The way the DNS resolutions are triggered by the task or by a health-check has
been totally refactored. Now, all timeouts are respected. Especially
hold.valid. The default frequency to wake up a resolvers is now configurable
using "timeout resolve" parameter.
Now, as documented, as long as invalid repsonses are received, we really wait
all name servers responses before retrying.
As far as possible, resources allocated during DNS configuration parsing are
releases when HAProxy is shutdown.
Beside all these changes, the code has been cleaned to ease code review and the
doc has been updated.
The messages processing is done using existing functions. So here, the main task
is to find the SPOE engine to use. To do so, we loop on all filter instances
attached to the stream. For each, we check if it is a SPOE filter and, if yes,
if its name is the one used to declare the "send-spoe-group" action.
We also take care to return an error if the action processing is interrupted by
HAProxy (because of a timeout or an error at the HAProxy level). This is done by
checking if the flag ACT_FLAG_FINAL is set.
The function spoe_send_group is the action_ptr callback ot
This action is used to trigger sending of a group of SPOE messages. To do so,
the SPOE engine used to send messages must be defined, as well as the SPOE group
to send. Of course, the SPOE engine must refer to an existing SPOE filter. If
not engine name is provided on the SPOE filter line, the SPOE agent name must be
used. For example:
http-request send-spoe-group my-engine some-group
This action is available for "tcp-request content", "tcp-response content",
"http-request" and "http-response" rulesets. It cannot be used for tcp
connection/session rulesets because actions for these rulesets cannot yield.
For now, the action keyword is parsed and checked. But it does nothing. Its
processing will be added in another patch.
For now, this section is only parsed. It should have the following format:
spoe-group <grp-name>
messages <msg-name> ...
And then SPOE groups must be referenced in spoe-agent section:
spoe-agnt <name>
...
groups <grp-name> ...
The purpose of these groups is to trigger messages sending from TCP or HTTP
rules, directly from HAProxy configuration, and not on specific event. This part
will be added in another patch.
It is important to note that a message belongs at most to a group.
The engine name is now kept in "spoe_config" struture. Because a SPOE filter can
be declared without engine name, we use the SPOE agent name by default. Then,
its uniqness is checked against all others SPOE engines configured for the same
proxy.
* TODO: Add documentation
Now, it is possible to conditionnaly send a SPOE message by adding an ACL-based
condition on the "event" line, in a "spoe-message" section. Here is the example
coming for the SPOE documentation:
spoe-message get-ip-reputation
args ip=src
event on-client-session if ! { src -f /etc/haproxy/whitelist.lst }
To avoid mixin with proxy's ACLs, each SPOE message has its private ACL list. It
possible to declare named ACLs in "spoe-message" section, using the same syntax
than for proxies. So we can rewrite the previous example to use a named ACL:
spoe-message get-ip-reputation
args ip=src
acl ip-whitelisted src -f /etc/haproxy/whitelist.lst
event on-client-session if ! ip-whitelisted
ACL-based conditions are executed in the context of the stream that handle the
client and the server connections.
A bind_conf does contain a ssl_bind_conf, which already has a flag to know
if early data are activated, so use that, instead of adding a new flag in
the ssl_options field.
Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true
if early data were sent, and a new action, "wait-for-handshake", if used,
the request won't be forwarded until the SSL handshake is done.
When compiled with Openssl >= 1.1.1, before attempting to do the handshake,
try to read any early data. If any early data is present, then we'll create
the session, read the data, and handle the request before we're doing the
handshake.
For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not
part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even
before an SSL handshake is completed.
As early data do have security implication, we let the origin server know
the request comes from early data by adding the "Early-Data" header, as
specified in this draft from the HTTP working group :
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback.
Native multi certificate and SSL/TLS method per certificate is now supported by
Openssl >= 1.1.1.
This patch simply brings HAProxy internal regex system to the Lua API.
Lua doesn't embed regexes, now it inherits from the regexes compiled
with haproxy.
Released version 1.8-dev3 with the following main changes :
- REORG: ssl: move defines and methodVersions table upper
- MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table
- MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list
- MEDIUM: ssl: disable SSLv3 per default for bind
- BUG/MAJOR: ssl: fix segfault on connection close using async engines.
- BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine
- BUG/MINOR: ssl: do not call directly the conn_fd_handler from async_fd_handler
- BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros
- BUG/MEDIUM: build without openssl broken
- BUG/MINOR: warning: need_resend may be used uninitialized
- BUG/MEDIUM: misplaced exit and wrong exit code
- BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04
- BUILD: scripts: make publish-release support bare repositories
- BUILD: scripts: add an automatic mode for publish-release
- BUILD: scripts: add a "quiet" mode to publish-release
- BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer
- BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers
- CONTRIB: plug qdiscs: Plug queuing disciplines mini HOWTO.
- BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map
- BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0
- BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING
- BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
- BUG/MAJOR: server: Segfault after parsing server state file.
- BUG/MEDIUM: unix: never unlink a unix socket from the file system
- scripts: create-release pass -n to tail
- SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity
- BUG/MEDIUM: fix segfault when no argument to -x option
- MINOR: warning on multiple -x
- MINOR: mworker: don't copy -x argument anymore in copy_argv()
- BUG/MEDIUM: mworker: don't reuse PIDs passed to the master
- BUG/MINOR: Wrong peer task expiration handling during synchronization processing.
- BUG/MINOR: cfgparse: Check if tune.http.maxhdr is in the range 1..32767
- BUG/MINOR: log: pin the front connection when front ip/ports are logged
- DOC: fix references to the section about the unix socket
- BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue
- MAJOR: task: task scheduler rework.
- MINOR: task/stream: tasks related to a stream must be init by the caller.
- MINOR: queue: Change pendconn_get_next_strm into private function
- MINOR: backends: Change get_server_sh/get_server_uh into private function
- MINOR: queue: Change pendconn_from_srv/pendconn_from_px into private functions
- MEDIUM: stream: make stream_new() always set the target and analysers
- MINOR: frontend: initialize HTTP layer after the debugging code
- MINOR: connection: add a .get_alpn() method to xprt_ops
- MINOR: ssl: add a get_alpn() method to ssl_sock
- MINOR: frontend: retrieve the ALPN name when available
- MINOR: frontend: report the connection's ALPN in the debug output
- MINOR: stream: don't set backend's nor response analysers on SF_TUNNEL
- MINOR: connection: send data before receiving
- MAJOR: applet: applet scheduler rework.
- BUG/MAJOR: frontend: don't dereference a null conn on outgoing connections
- BUG/MAJOR: cli: fix custom io_release was crushed by NULL.
- BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
- BUG/MAJOR: compression: Be sure to release the compression state in all cases
- MINOR: compression: Use a memory pool to allocate compression states
- BUG/MAJOR: applet: fix a freeze if data is immedately forwarded.
- DOC: fix references to the section about time format.
- BUG/MEDIUM: map/acl: fix unwanted flags inheritance.
- BUG/MAJOR: http: fix buffer overflow on loguri buffer.
- MINOR: ssl: compare server certificate names to the SNI on outgoing connections
- BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel
- BUG/MINOR: http: Don't reset the transaction if there are still data to send
- BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels
- MINOR: peers: Add additional information to stick-table definition messages.
- BUG/MINOR: http: properly handle all 1xx informational responses
- OPTIM: ssl: don't consider a small ssl_read() as an indication of end of buffer
- BUG/MINOR: peers: peer synchronization issue (with several peers sections).
- CLEANUP: hdr_idx: make some function arguments const where possible
- BUG/MINOR: Prevent a use-after-free on error scenario on option "-x".
- BUG/MINOR: lua: In error case, the safe mode is not removed
- BUG/MINOR: lua: executes the function destroying the Lua session in safe mode
- BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted
- BUG/MEDIUM: lua: bad memory access
- BUG/MINOR: Lua: variable already initialized
- DOC: update CONTRIBUTING regarding optional parts and message format
- DOC: update the list of OpenSSL versions in the README
- BUG/MINOR: http: Set the response error state in http_sync_res_state
- MINOR: http: Reorder/rewrite checks in http_resync_states
- MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags
- BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined
- MINOR: http: Rely on analyzers mask to end processing in forward_body functions
- BUG/MINOR: http: Fix bug introduced in previous patch in http_resync_states
- BUG/MINOR: contrib/modsecurity: BSD build fix
- BUG/MINOR: contrib/mod_defender: build fix
- BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib have no SSLv3
- MINOR: ssl: remove an unecessary SSL_OP_NO_* dependancy
- BUILD: ssl: fix compatibility with openssl without TLSEXT_signature_*
- MINOR: tools: add a portable timegm() alternative
- BUILD: lua: replace timegm() with my_timegm() to fix build on Solaris 10
- DOC: Updated 51Degrees git URL to point to a stable version.
- BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state
- MINOR: memory: remove macros
- BUG/MINOR: lua: Fix Server.get_addr() port values
- BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr()
- MINOR: samples: Handle the type SMP_T_METH when we duplicate a sample in smp_dup
- MINOR: samples: Handle the type SMP_T_METH in smp_is_safe and smp_is_rw
- MINOR: samples: Don't allocate memory for SMP_T_METH sample when method is known
- BUG/MINOR: lua: always detach the tcp/http tasks before freeing them
- MINOR: task: always preinitialize the task's timeout in task_init()
- CLEANUP: task: remove all initializations to TICK_ETERNITY after task_new()
- BUG/MAJOR: lua: properly dequeue hlua_applet_wakeup() for new scheduler
- MINOR: lua: Add proxy as member of proxy object.
- DOC: lua: Proxy class doc update
- MINOR: lua: Add lists of frontends and backends
- BUG/MINOR: ssl: Fix check against SNI during server certificate verification
- BUG/MINOR: ssl: make use of the name in SNI before verifyhost
- MINOR: ssl: add a new error codes for wrong server certificates
- BUG/MEDIUM: stream: don't retry SSL connections which fail the SNI name check
- MINOR: ssl: add "no-ca-names" parameter for bind
- BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions.
- DOC: fix alphabetical order of "show commands" in management.txt
- MINOR: listener: add a function to return a listener's state as a string
- MINOR: cli: add a new "show fd" command
- BUG/MEDIUM: ssl: Fix regression about certificates generation
- MINOR: Add server port field to server state file.
- MINOR: ssl: allow to start without certificate if strict-sni is set
- MINOR: dns: Cache previous DNS answers.
- MINOR: obj: Add a new type of object, OBJ_TYPE_SRVRQ.
- Add a few functions to do unaligned access.
- MINOR: dns: Handle SRV records.
- MINOR: check: Fix checks when using SRV records.
- MINOR: doc: Document SRV label usage.
- BUILD/MINOR: cli: shut a minor gcc warning in "show fd"
- BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2
- BUILD/MINOR: build without openssl still broken
- BUG/MAJOR: stream: in stream_free(), close the front endpoint and not the origin
- CLEANUP: raw_sock: Use a better name for the constructor than __ssl_sock_deinit()
- MINOR: init: Fix CPU affinity setting on FreeBSD.
- MINOR: dns: Update analysis of TRUNCATED response for SRV records
- MINOR: dns: update record dname matching for SRV query types
- MINOR: dns: update dns response buffer reading pointer due to SRV record
- MINOR: dns: duplicate entries in resolution wait queue for SRV records
- MINOR: dns: make debugging function dump_dns_config() compatible with SRV records
- MINOR: dns: ability to use a SRV resolution for multiple backends
- MINOR: dns: enable caching of responses for server set by a SRV record
- MINOR: dns: new dns record type (RTYPE) for OPT
- MINOR: dns: enabled edns0 extension and make accpeted payload size tunable
- MINOR: dns: default "hold obsolete" timeout set to 0
- MINOR: chunks: add chunk_memcpy() and chunk_memcat()
- MINOR: session: add a streams field to the session struct
- MINOR: stream: link the stream to its session
- MEDIUM: session: do not free a session until no stream references it
- MINOR: ist: implement very simple indirect strings
- TESTS: ist: add a test file for the functions
- MINOR: http: export some of the HTTP parser macros
- BUG/MINOR: Wrong type used as argument for spoe_decode_buffer().
- BUG/MINOR: dns: server set by SRV records stay in "no resolution" status
- MINOR: dns: Maximum DNS udp payload set to 8192
- MINOR: dns: automatic reduction of DNS accpeted payload size
- MINOR: dns: make SRV record processing more verbose
- CLEANUP: dns: remove duplicated code in dns_resolve_recv()
- CLEANUP: dns: remove duplicated code in dns_validate_dns_response()
- BUG/MINOR: dns: wrong resolution interval lead to 100% CPU
- BUG/MEDIUM: dns: fix accepted_payload_size parser to avoid integer overflow
- BUG/MAJOR: lua: fix the impact of the scheduler changes again
- BUG/MEDIUM: lua: HTTP services must take care of body-less status codes
- MINOR: lua: properly process the contents of the content-length field
- BUG/MEDIUM: stream: properly set the required HTTP analysers on use-service
- OPTIM: lua: don't use expensive functions to parse headers in the HTTP applet
- OPTIM: lua: don't add "Connection: close" on the response
- REORG/MEDIUM: connection: introduce the notion of connection handle
- BUG/MINOR: stream-int: don't check the CO_FL_CURR_WR_ENA flag
- MEDIUM: connection: get rid of data->init() which was not for data
- MEDIUM: stream: make stream_new() allocate its own task
- CLEANUP: listener: remove the unused handler field
- MEDIUM: session: add a pointer to a struct task in the session
- MINOR: stream: provide a new stream creation function for connections
- MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH
- CLEANUP: connection: remove the unused conn_sock_shutw_pending()
- MEDIUM: connection: remove useless flag CO_FL_DATA_WR_SH
- DOC: add CLI info on privilege levels
- DOC: Refer to Mozilla TLS info / config generator
- MINOR: ssl: remove duplicate ssl_methods in struct bind_conf
- BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode
- DOC: Add note about "* " prefix in CSV stats
- CLEANUP: memory: Remove unused function pool_destroy
- MINOR: listeners: Change listener_full and limit_listener into private functions
- MINOR: listeners: Change enable_listener and disable_listener into private functions
- MINOR: fd: Don't forget to reset fdtab[fd].update when a fd is added/removed
- MINOR: fd: Set owner and iocb field before inserting a new fd in the fdtab
- MINOR: backends: Make get_server_* functions explicitly static
- MINOR: applet: Check applets_active_queue before processing applets queue
- MINOR: chunks: Use dedicated function to init/deinit trash buffers
- MEDIUM: chunks: Realloc trash buffers only after the config is parsed and checked
- MINOR: logs: Use dedicated function to init/deinit log buffers
- MINOR: logs: Realloc log buffers only after the config is parsed and checked
- MINOR: buffers: Move swap_buffer into buffer.c and add deinit_buffer function
- MINOR: stick-tables: Make static_table_key a struct variable instead of a pointer
- MINOR: http: Use a trash chunk to store decoded string of the HTTP auth header
- MINOR: fd: Add fd_active function
- MINOR: fd: Use inlined functions to check fd state in fd_*_send/recv functions
- MINOR: fd: Move (de)allocation of fdtab and fdinfo in (de)init_pollers
- MINOR: freq_ctr: Return the new value after an update
- MEDIUM: check: server states and weight propagation re-work
- BUG/MEDIUM: epoll: ensure we always consider HUP and ERR
- MINOR: fd: Add fd_update_events function
- MINOR: polling: Use fd_update_events to update events seen for a fd
- BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file
- Revert "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file"
- MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use
- BUG/MEDIUM: http: Close streams for connections closed before a redirect
- BUG/MINOR: Lua: The socket may be destroyed when we try to access.
- MINOR: xref: Add a new xref system
- MEDIUM: xref/lua: Use xref for referencing cosocket relation between stream and lua
- MINOR: tasks: Move Lua notification from Lua to tasks
- MINOR: net_helper: Inline functions meant to be inlined.
- MINOR: cli: add socket commands and config to prepend informational messages with severity
- MINOR: add severity information to cli feedback messages
- BUILD: Makefile: add a function to detect support by the compiler of certain options
- BUILD: Makefile: shut certain gcc/clang stupid warnings
- BUILD: Makefile: improve detection of support for compiler warnings
- MINOR: peers: don't reference the incoming listener on outgoing connections
- MINOR: frontend: don't retrieve ALPN on the critical path
- MINOR: protocols: always pass a "port" argument to the listener creation
- MINOR: protocols: register the ->add function and stop calling them directly
- MINOR: unix: remove the now unused proto_uxst.h file
- MINOR: listeners: new function create_listeners
- MINOR: listeners: make listeners count consistent with reality
- MEDIUM: session: take care of incrementing/decrementing jobs
- MINOR: listener: new function listener_release
- MINOR: session: small cleanup of conn_complete_session()
- MEDIUM: session: factor out duplicated code for conn_complete_session
- MEDIUM: session: count the frontend's connections at a single place
- BUG/MEDIUM: compression: Fix check on txn in smp_fetch_res_comp_algo
- BUG/MINOR: compression: Check response headers before http-response rules eval
- BUG/MINOR: spoe: Don't rely on SPOE ctx in debug message when its creation failed
- BUG/MINOR: dns: Fix check on nameserver in snr_resolution_cb
- MINOR: ssl: Remove useless checks on bind_conf or bind_conf->is_ssl
- BUG/MINOR: contrib/mod_defender: close the va_list argp before return
- BUG/MINOR: contrib/modsecurity: close the va_list ap before return
- MINOR: tools: make my_htonll() more efficient on x86_64
- MINOR: buffer: add b_del() to delete a number of characters
- MINOR: buffer: add b_end() and b_to_end()
- MINOR: net_helper: add functions to read from vectors
- MINOR: net_helper: add write functions
- MINOR: net_helper: add 64-bit read/write functions
- MINOR: connection: adjust CO_FL_NOTIFY_DATA after removal of flags
- MINOR: ist: add a macro to ease const array initialization
- BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server
- BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server (take2)
- BUG/MINOR: log: fixing small memory leak in error code path.
- BUG/MINOR: contrib/halog: fixing small memory leak
- BUG/MEDIUM: tcp/http: set-dst-port action broken
- CLEANUUP: checks: don't set conn->handle.fd to -1
- BUG/MEDIUM: tcp-check: properly indicate polling state before performing I/O
- BUG/MINOR: tcp-check: don't quit with pending data in the send buffer
- BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O handlers!
- BUG/MINOR: unix: properly check for octal digits in the "mode" argument
- MINOR: checks: make chk_report_conn_err() take a check, not a connection
- CLEANUP: checks: remove misleading comments and statuses for external process
- CLEANUP: checks: don't report report the fork() error twice
- CLEANUP: checks: do not allocate a connection for process checks
- TESTS: checks: add a simple test config for external checks
- BUG/MINOR: tcp-check: don't initialize then break a connection starting with a comment
- TESTS: checks: add a simple test config for tcp-checks
- MINOR: tcp-check: make tcpcheck_main() take a check, not a connection
- MINOR: checks: don't create then kill a dummy connection before tcp-checks
- MEDIUM: checks: make tcpcheck_main() indicate if it recycled a connection
- MEDIUM: checks: do not allocate a permanent connection anymore
- BUG/MEDIUM: cli: fix "show fd" crash when dumping closed FDs
- BUG/MEDIUM: http: Return an error when url_dec sample converter failed
- BUG/MAJOR: stream-int: don't re-arm recv if send fails
- BUILD/MINOR: 51d: fix warning when building with 51Degrees release version 3.2.12.12
- DOC: 51d: add 51Degrees git URL that points to release version 3.2.12.12
- DOC: 51d: Updated git URL and instructions for getting Hash Trie data files.
- MINOR: compiler: restore the likely() wrapper for gcc 5.x
- MINOR: session: remove the list of streams from struct session
- DOC: fix some typos
- MINOR: server: add the srv_queue() sample fetch method
- MINOR: payload: add new sample fetch functions to process distcc protocol
- MAJOR: servers: propagate server status changes asynchronously.
- BUG/MEDIUM: ssl: fix OCSP expiry calculation
- BUG/MINOR: stream-int: don't set MSG_MORE on SHUTW_NOW without AUTO_CLOSE
- MINOR: server: Handle weight increase in consistent hash.
- MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks.
- BUG/MINOR: tools: fix my_htonll() on x86_64
- BUG/MINOR: stats: Clear a bit more counters with in cli_parse_clear_counters().
- BUG/MAJOR: lua: scheduled task is freezing.
- MINOR: buffer: add bo_del() to delete a number of characters from output
- MINOR: buffer: add a function to match against string patterns
- MINOR: buffer: add two functions to inject data into buffers
- MINOR: buffer: add buffer_space_wraps()
- REORG: channel: finally rename the last bi_* / bo_* functions
- MINOR: buffer: add bo_getblk() and bo_getblk_nc()
- MINOR: channel: make use of bo_getblk{,_nc} for their channel equivalents
- MINOR: channel: make the channel be a const in all {ci,co}_get* functions
- MINOR: ist: add ist0() to add a trailing zero to a string.
- BUG/MEDIUM: log: check result details truncated.
- MINOR: buffer: make bo_getblk_nc() not return 2 for a full buffer
- REORG: http: move some very http1-specific parts to h1.{c,h}
- REORG: http: move the HTTP/1 chunk parser to h1.{c,h}
- REORG: http: move the HTTP/1 header block parser to h1.c
- MEDIUM: http: make the chunk size parser only depend on the buffer
- MEDIUM: http: make the chunk crlf parser only depend on the buffer
- MINOR: h1: add struct h1m for basic HTTP/1 messages
- MINOR: http: add very simple header management based on double strings
- MEDIUM: h1: reimplement the http/1 response parser for the gateway
- REORG: connection: rename CO_FL_DATA_* -> CO_FL_XPRT_*
- MEDIUM: connection: make conn_sock_shutw() aware of lingering
- MINOR: connection: ensure conn_ctrl_close() also resets the fd
- MINOR: connection: add conn_stop_tracking() to disable tracking
- MINOR: tcp: use conn_full_close() instead of conn_force_close()
- MINOR: unix: use conn_full_close() instead of conn_force_close()
- MINOR: checks: use conn_full_close() instead of conn_force_close()
- MINOR: session: use conn_full_close() instead of conn_force_close()
- MINOR: stream: use conn_full_close() instead of conn_force_close()
- MINOR: stream: use conn_full_close() instead of conn_force_close()
- MINOR: backend: use conn_full_close() instead of conn_force_close()
- MINOR: stream-int: use conn_full_close() instead of conn_force_close()
- MINOR: connection: remove conn_force_close()
- BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
When using haproxy in front of distccd, it's possible to provide significant
improvements by only connecting when the preprocessing is completed, and by
selecting different farms depending on the payload size. This patch provides
two new sample fetch functions :
distcc_param(<token>[,<occ>]) : integer
distcc_body(<token>[,<occ>]) : binary
srv_queue([<backend>/]<server>) : integer
Returns an integer value corresponding to the number of connections currently
pending in the designated server's queue. If <backend> is omitted, then the
server is looked up in the current backend. It can sometimes be used together
with the "use-server" directive to force to use a known faster server when it
is not much loaded. See also the "srv_conn", "avg_queue" and "queue" sample
fetch methods.
Adds cli commands to change at runtime whether informational messages
are prepended with severity level or not, with support for numeric and
worded severity in line with syslog severity level.
Adds stats socket config keyword severity-output to set default behavior
per socket on startup.
