Released version 2.7-dev1 with the following main changes :
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
- BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
- BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
- BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
- BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
- BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
- MEDIUM: httpclient: Don't close CLI applet at the end of a response
- MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
- CLEANUP: Re-apply xalloc_size.cocci (2)
- REGTESTS: abortonclose: Add a barrier to not mix up log messages
- REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
- CLEANUP: ssl_ckch: Use corresponding enum for commit_cacrlfile_ctx.cafile_type
- MINOR: ssl_ckch: Simplify I/O handler to commit changes on CA/CRL entry
- BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
- BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
- CLEANUP: ssl_ckch: Remove unused field in commit_cacrlfile_ctx structure
- MINOR: ssl_ckch: Simplify structure used to commit changes on CA/CRL entries
- MINOR: ssl_ckch: Remove service context for "set ssl cert" command
- MINOR: ssl_ckch: Remove service context for "set ssl ca-file" command
- MINOR: ssl_ckch: Remove service context for "set ssl crl-file" command
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
- BUILD: ssl_ckch: Fix build error about a possible uninitialized value
- BUG/MINOR: ssl_ckch: Fix another possible uninitialized value
- REGTESTS: http_abortonclose: Extend supported versions
- REGTESTS: restrict_req_hdr_names: Extend supported versions
- MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch
- MINOR: h3: add h3c pointer into h3s instance
- MINOR: mux-quic: simplify decode_qcs API
- MINOR: mux-quic/h3: adjust demuxing function return values
- BUG/MINOR: h3: fix return value on decode_qcs on error
- BUILD: quic: fix anonymous union for gcc-4.4
- BUILD: compiler: implement unreachable for older compilers too
- DEV: tcploop: reorder options in the usage message
- DEV: tcploop: make the current address the default address
- DEV: tcploop: make it possible to change the target address of a connect()
- DEV: tcploop: factor out the socket creation
- DEV: tcploop: permit port 0 to ease handling of default options
- DEV: tcploop: add a new "bind" command to bind to ip/port.
- DEV: tcploop: add minimal UDP support
- BUG/MINOR: trace: Test server existence for health-checks to get proxy
- BUG/MINOR: checks: Properly handle email alerts in trace messages
- BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
- REGTESTS: healthcheckmail: Update the test to be functionnal again
- REGTESTS: healthcheckmail: Relax health-check failure condition
- BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
- MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
- OPTIM: mux-h2: increase h2_settings_initial_window_size default to 64k
- BUG/MINOR: h3: fix frame type definition
- BUG/MEDIUM: h3: fix SETTINGS parsing
- BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
- BUG/MINOR: server: do not enable DNS resolution on disabled proxies
- BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
- DOC: design: update the notes on thread groups
- BUG/MEDIUM: mux-quic: fix flow control connection Tx level
- MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing
- BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
- BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
- CLEANUP: check: Remove useless tests on check's stream-connector
- BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
- BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
- BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
- MINOR: task: move profiling bit to per-thread
- CLEANUP: quic: use task_new_on() for single-threaded tasks
- MINOR: tinfo: remove the global thread ID bit (tid_bit)
- CLEANUP: hlua: check for at least 2 threads on a task
- MINOR: thread: get rid of MAX_THREADS_MASK
- OPTIM: task: do not consult shared WQ when we're already full
- DOC: design: update the task vs thread affinity requirements
- MINOR: qpack: add comments and remove a useless trace
- MINOR: qpack: reduce dependencies on other modules
- BUG/MINOR: qpack: support header litteral name decoding
- MINOR: qpack: add ABORT_NOW on unimplemented decoding
- BUG/MINOR: h3/qpack: deal with too many headers
- MINOR: qpack: improve decoding function
- MINOR: qpack: implement standalone decoder tool
- BUG/BUILD: h3: fix wrong label name
- BUG/MINOR: quic: Stop hardcoding Retry packet Version field
- MINOR: quic: Add several nonce and key definitions for Retry tag
- BUG/MINOR: quic: Wrong PTO calculation
- MINOR: quic: Parse long packet version from qc_parse_hd_form()
- CLEANUP: quid: QUIC draft-28 no more supported
- MEDIUM: quic: Add QUIC v2 draft support
- MINOR: quic: Released QUIC TLS extension for QUIC v2 draft
- MEDIUM: quic: Compatible version negotiation implementation (draft-08)
- CLEANUP: quic: Remove any reference to boringssl
- BUG/MINOR: task: fix thread assignment in tasklet_kill()
- BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
- MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
- CLEANUP: stconn: Don't expect to have no sedesc on detach
- BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
- MINOR: hlua: don't dump empty entries in hlua_traceback()
- MINOR: hlua: add a new hlua_show_current_location() function
- MEDIUM: debug: add a tainted flag when a shared library is loaded
- MEDIUM: debug: detect redefinition of symbols upon dlopen()
- BUILD: quic: Wrong HKDF label constant variable initializations
- BUG/MINOR: quic: Unexpected half open connection counter wrapping
- BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
- BUG/MINOR: quic: purge conn Rx packet list on release
- BUG/MINOR: quic: free rejected Rx packets
- BUG/MINOR: qpack: abort on dynamic index field line decoding
- BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
- REGTESTS: ssl: add the same cert for client/server
- BUG/MINOR: quic: Acknowledgement must be forced during handshake
- MINOR: quic: Dump version_information transport parameter
- BUG/MEDIUM: mworker: use default maxconn in wait mode
- MINOR: intops: add a function to return a valid bit position from a mask
- TESTS: add a unit test for one_among_mask()
- BUILD: ssl_ckch: fix "maybe-uninitialized" build error on gcc-9.4 + ARM
- BUG/MINOR: ssl: Do not look for key in extra files if already in pem
- BUG/MINOR: quic: Missing acknowledgments for trailing packets
- BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
- BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
- MINOR: freq_ctr: Add a function to get events excess over the current period
- BUG/MINOR: stream: only free the req/res captures when set
- CLEANUP: pool/tree-wide: remove suffix "_pool" from certain pool names
- MEDIUM: debug: improve DEBUG_MEM_STATS to also report pool alloc/free
- BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
- BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
- BUG/MAJOR: quic: Big RX dgrams leak with POST requests
- BUILD: quic+h3: 32-bit compilation errors fixes
- MEDIUM: bwlim: Add support of bandwith limitation at the stream level
This patch adds a filter to limit bandwith at the stream level. Several
filters can be defined. A filter may limit incoming data (upload) or
outgoing data (download). The limit can be defined per-stream or shared via
a stick-table. For a given stream, the bandwith limitation filters can be
enabled using the "set-bandwidth-limit" action.
A bandwith limitation filter can be used indifferently for HTTP or TCP
stream. For HTTP stream, only the payload transfer is limited. The filter is
pretty simple for now. But it was designed to be extensible. The current
design tries, as far as possible, to never exceed the limit. There is no
burst.
It looks like we'll need:
- one share timers queue for the rare tasks that need to wake up
anywhere
- one private timers queue per thread
- one global queue per group
- one local queue per thread
And may be we can simply get rid of any global/shared run queue as
we don't seem to have any task bound to a subset of threads.
This macro was used both for binding and for lookups. When binding tasks
or FDs, using all_threads_mask instead is better as it will later be per
group. For lookups, ~0UL always does the job. Thus in practice the macro
was already almost not used anymore since the rest of the code could run
fine with a constant of all ones there.
Instead of having a global mask of all the profiled threads, let's have
one flag per thread in each thread's flags. They are never accessed more
than one at a time an are better located inside the threads' contexts for
both performance and scalability.
This changes the default from RFC 7540's default 65535 (64k-1) to avoid
avoid some degenerative WINDOW_UPDATE behaviors in the wild observed with
clients using 65536 as their buffer size, and have to complete each block
with a 1-byte frame, which with some servers tend to degenerate in 1-byte
WU causing more 1-byte frames to be sent until the transfer almost only
uses 1-byte frames.
More details here: https://github.com/nghttp2/nghttp2/issues/1722
As mentioned in previous commit (MEDIUM: mux-h2: try to coalesce outgoing
WINDOW_UPDATE frames) the issue could not be reproduced with haproxy but
individual WU frames are sent so theoretically nothing prevents this from
happening. As such it should be backported as a workaround for already
deployed clients after watching for any possible side effect with rare
clients. As an added benefit, uploads from curl now use less DATA frames
(all are 16384 now). Note that the previous patch alone is sufficient to
stop the issue with curl in case this one would need to be reverted.
[wt: edited commit messaged, updated doc]
Released version 2.6.0 with the following main changes :
- DOC: Fix formatting in configuration.txt to fix dconv
- CLEANUP: tcpcheck: Remove useless test on the stream-connector in tcpcheck_main
- CLEANUP: muxes: Consider stream's sd as defined in .show_fd callback functions
- MINOR: quic: Ignore out of packet padding.
- CLEANUP: quic: Useless QUIC_CONN_TX_BUF_SZ definition
- CLEANUP: quic: No more used handshake output buffer
- MINOR: quic: QUIC transport parameters split.
- MINOR: quic: Transport parameters dump
- DOC: quic: Update documentation for QUIC Retry
- MINOR: quic: Tunable "max_idle_timeout" transport parameter
- MINOR: quic: Tunable "initial_max_streams_bidi" transport parameter
- MINOR: quic: Clarifications about transport parameters value
- MINOIR: quic_stats: add QUIC connection errors counters
- BUG/MINOR: quic: Largest RX packet numbers mixing
- MINOR: quic_stats: Add transport new counters (lost, stateless reset, drop)
- DOC: quic: Documentation update for QUIC
- MINOR: quic: Connection TX buffer setting renaming.
- MINOR: h3: Add a statistics module for h3
- MINOR: quic: Send STOP_SENDING frames if mux is released
- MINOR: quic: Do not drop packets with RESET_STREAM frames
- BUG/MINOR: qpack: fix buffer API usage on prefix integer encoding
- BUG/MINOR: qpack: support bigger prefix-integer encoding
- BUG/MINOR: h3: do not report bug on unknown method
- SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
- SCRIPTS: make publish-release try to launch make-releases-json
- MINOR: htx: add an unchecked version of htx_get_head_blk()
- BUILD: htx: use the unchecked version of htx_get_head_blk() where needed
- BUILD: quic: use inttypes.h instead of stdint.h
- DOC: internal: remove totally outdated diagrams
- DOC: remove the outdated ROADMAP file
- DOC: add maintainers for QUIC and HTTP/3
- MINOR: h3: define h3 trace module
- MINOR: h3: add traces on frame recv
- MINOR: h3: add traces on frame send
- MINOR: h3: add traces on h3s init/end
- EXAMPLES: remove completely outdated acl-content-sw.cfg
- BUILD: makefile: reorder objects by build time
- DOC: fix a few spelling mistakes in the docs
- BUG/MEDIUM: peers/cli: fix "show peers" crash
- CLEANUP: peers/cli: stop misusing the appctx local variable
- CLEANUP: peers/cli: make peers_dump_peer() take an appctx instead of an stconn
- BUG/MINOR: peers: set the proxy's name to the peers section name
- MINOR: server: indicate when no address was expected for a server
- BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check
- DOC: peers: indicate that some server settings are not usable
- DOC: peers: clarify when entry expiration date is renewed.
- DOC: peers: fix port number and addresses on new peers section format
- DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables.
- DOC: install: update supported OpenSSL versions in the INSTALL doc
- MINOR: ncbuf: adjust ncb_data with NCBUF_NULL
- BUG/MINOR: h3: fix frame demuxing
- BUG/MEDIUM: h3: fix H3_EXCESSIVE_LOAD when receiving H3 frame header only
- BUG/MINOR: quic: Fix QUIC_EV_CONN_PRSAFRM event traces
- CLEANUP: quic: remove useless check on local UNI stream reception
- BUG/MINOR: qpack: do not consider empty enc/dec stream as error
- DOC: intro: adjust the numbering of paragrams to keep the output ordered
- MINOR: version: mention that it's LTS now.
The HTML version appeared with sections in a different order where
3.3.10..3.3.16 were placed between 3.3.1 and 3.3.2. This patch just slips
them into an intermediary section so that we now have "basic features",
"standard features", and "advanced features".
Some users misunderstood that the parameter of gpc() gpt()
store types on the table line presents the number of elements
of the array to store and not an index of gpt/gpc tag/counter.
This patch adds some explanations.
This patch addresses github issue #1630
It should be backorted in until branch 2.5.
This patch fix the port number and addresses on the example
to match those of the old format.
This patch address the github issue #1492
This patch should be backported until version 2.0
This patch add some details to know which rules are updating
the expiration timer of an entry.
It also adds a comment to know how to fetch a value without renewing
this timer.
This patch addresses github issue #615
This patch should be backported on all still supported branches
Let's make it clear in the peers documentation that not all server
parameters may be used, as there is some confusion around this, and
the doc was even misleading by saying that all parameters were
supported.
This should address github issue #919.
The "sequence" and "entities" diagrams have become so much outdated that
they are at best confusing, but more generally wrong. Let's simply remove
them.
Rename "tune.quic.conn-buf-limit" to "tune.quic.frontend.conn-tx-buffers.limit"
to reflect the stream direction (TX) and the objects (frontends) which are
concerned.
Add tunable "tune.quic.frontend.max_streams_bidi" setting for QUIC frontends
to set the "initial_max_streams_bidi" transport parameter.
Add some documentation for this new setting.
Add two tunable settings both for backends and frontends "max_idle_timeout"
QUIC transport parameter, "tune.quic.frontend.max-idle-timeout" and
"tune.quic.backend.max-idle-timeout" respectively.
cfg_parse_quic_time() has been implemented to parse a time value thanks
to parse_time_err(). It should be reused for any tunable time value to be
parsed.
Add the documentation for this tunable setting only for frontend.
Released version 2.6-dev12 with the following main changes :
- CLEANUP: tools: Clean up non-QUIC error message handling in str2sa_range()
- BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
- CLEANUP: tools: Crash if inet_ntop fails due to ENOSPC in sa2str
- BUG/MEDIUM: mux-quic: adjust buggy proxy closing support
- Revert "MINOR: quic: activate QUIC traces at compilation"
- Revert "MINOR: mux-quic: activate qmux traces on stdout via macro"
- CLEANUP: init: address a coverity warning about possible multiply overflow
- BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
- MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
- BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
- BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
- BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
- BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping
- MINOR: h3: mark ncbuf as const on h3_b_dup
- MINOR: mux-quic: do not alloc quic_stream_desc for uni remote stream
- MINOR: mux-quic: delay cs_endpoint allocation
- MINOR: mux-quic: add traces in qc_recv()
- MINOR: mux-quic: adjust return value of decode_qcs
- CLEANUP: h3: rename struct h3 -> h3c
- CLEANUP: h3: rename uni stream type constants
- BUG/MINOR: h3: prevent overflow when parsing SETTINGS
- MINOR: h3: refactor h3_control_send()
- MINOR: quic: support CONNECTION_CLOSE_APP emission
- MINOR: mux-quic: disable read on CONNECTION_CLOSE emission
- MINOR: h3: reject too big frames
- MINOR: mux-quic: emit STREAM_STATE_ERROR in qcc_recv
- BUG/MINOR: mux-quic: refactor uni streams TX/send H3 SETTINGS
- MINOR: h3/qpack: use qcs as type in decode callbacks
- MINOR: h3: define stream type
- MINOR: h3: refactor uni streams initialization
- MINOR: h3: check if frame is valid for stream type
- MINOR: h3: define non-h3 generic parsing function
- MEDIUM: quic: refactor uni streams RX
- CLEANUP: h3: remove h3 uni tasklet
- MINOR: h3: abort read on unknown uni stream
- MINOR: h3: refactor SETTINGS parsing/error reporting
- Revert "BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping"
- DOC: configuration: add a warning for @system-ca on bind
- CLEANUP: init: address another coverity warning about a possible multiply overflow
- BUG/MINOR: ssl/lua: use correctly cert_ext in CertCache.set()
- BUG/MEDIUM: sample: Fix adjusting size in word converter
- REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)
- CLEANUP: conn_stream: remove unneeded exclusion of RX_WAIT_EP from RXBLK_ANY
- CLEANUP: conn_stream: rename the cs_endpoint's context to "conn"
- MINOR: conn_stream: add new sets of functions to set/get endpoint flags
- DEV: coccinelle: add cs_endp_flags.cocci
- CLEANUP: conn_stream: apply cs_endp_flags.cocci tree-wide
- DEV: coccinelle: add endp_flags.cocci
- CLEANUP: conn_stream: apply endp_flags.cocci tree-wide
- CLEANUP: conn_stream: rename the stream endpoint flags CS_EP_* to SE_FL_*
- CLEANUP: conn_stream: rename the cs_endpoint's target to "se"
- CLEANUP: conn_stream: rename cs_endpoint to sedesc (stream endpoint descriptor)
- CLEANUP: applet: rename the sedesc pointer from "endp" to "sedesc"
- CLEANUP: conn_stream: rename the conn_stream's endp to sedesc
- CLEANUP: conn_stream: rename cs_app_* to sc_app_*
- CLEANUP: conn_stream: tree-wide rename to stconn (stream connector)
- CLEANUP: mux-h1: add and use h1s_sc() to retrieve the stream connector
- CLEANUP: mux-h2: add and use h2s_sc() to retrieve the stream connector
- CLEANUP: mux-fcgi: add and use fcgi_strm_sc() to retrieve the stream connector
- CLEANUP: mux-pt: add and use pt_sc() to retrieve the stream connector
- CLEANUP: stdesc: rename the stream connector ->cs field to ->sc
- CLEANUP: stream: rename "csf" and "csb" to "scf" and "scb"
- CLEANUP: stconn: tree-wide rename stream connector flags CS_FL_* to SC_FL_*
- CLEANUP: stconn: tree-wide rename stconn states CS_ST/SB_* to SC_ST/SB_*
- MINOR: check: export wake_srv_chk()
- MINOR: conn_stream: test the various ops functions before calling them
- MEDIUM: stconn: merge the app_ops and the data_cb fields
- MINOR: applet: add new wrappers to put chk/blk/str/chr to channel from appctx
- CLEANUP: applet: use applet_put*() everywhere possible
- CLEANUP: stconn: rename cs_{i,o}{b,c} to sc_{i,o}{b,c}
- CLEANUP: stconn: rename cs_{check,strm,strm_task} to sc_strm_*
- CLEANUP: stconn: rename cs_conn() to sc_conn()
- CLEANUP: stconn: rename cs_mux() to sc_mux_strm()
- CLEANUP: stconn: rename cs_conn_mux() to sc_mux_ops()
- CLEANUP: stconn: rename cs_appctx() to sc_appctx()
- CLEANUP: stconn: rename __cs_endp_target() to __sc_endp()
- CLEANUP: stconn: rename cs_get_data_name() to sc_get_data_name()
- CLEANUP: stconn: rename cs_conn_*() to sc_conn_*()
- CLEANUP: stconn: rename cs_conn_get_first() to conn_get_first_sc()
- CLEANUP: stconn: rename cs_ep_set_error() to se_fl_set_error()
- CLEANUP: stconn: make a few functions take a const argument
- CLEANUP: stconn: use a single function to know if SC may send to SE
- MINOR: stconn: consider CF_SHUTW for sc_is_send_allowed()
- MINOR: stconn: remove calls to cs_done_get()
- MEDIUM: stconn: always rely on CF_SHUTR in addition to cs_rx_blocked()
- MEDIUM: stconn: remove SE_FL_RXBLK_SHUT
- MINOR: stconn: rename SE_FL_RXBLK_CONN to SE_FL_APPLET_NEED_CONN
- MEDIUM: stconn: take SE_FL_APPLET_NEED_CONN out of the RXBLK_ANY flags
- CLEANUP: stconn: rename cs_rx_room_{blk,rdy} to sc_{need,have}_room()
- CLEANUP: stconn: rename cs_rx_chan_{blk,rdy} to sc_{wont,will}_read()
- CLEANUP: stconn: rename cs_rx_buff_{blk,rdy} to sc_{need,have}_buff()
- MINOR: stconn: start to rename cs_rx_endp_{more,done}() to se_have_{no_,}more_data()
- MINOR: stconn: add sc_is_recv_allowed() to check for ability to receive
- CLEANUP: stconn: rename SE_FL_RX_WAIT_EP to SE_FL_HAVE_NO_DATA
- MEDIUM: stconn: move the RXBLK flags to the stream connector
- CLEANUP: stconn: rename SE_FL_WANT_GET to SE_FL_WILL_CONSUME
- CLEANUP: stconn: remove cs_tx_blocked() and cs_tx_endp_ready()
- CLEANUP: stconn: rename cs_{want,stop}_get() to se_{will,wont}_consume()
- CLEANUP: stconn: rename cs_cant_get() to se_need_more_data()
- CLEANUP: stconn: rename cs_{new,create,free,destroy}_* to sc_*
- CLEANUP: stconn: rename remaining management functions from cs_* to sc_*
- CLEANUP: stconn: rename cs{,_get}_{src,dst} to sc_*
- CLEANUP: stconn: rename cs_{shut,chk}* to sc_*
- CLEANUP: stconn: rename final state manipulation functions from cs_* to sc_*
- CLEANUP: quic: drop the name "conn_stream" from the pool variable names
- REORG: rename cs_utils.h to sc_strm.h
- REORG: stconn: rename conn_stream.{c,h} to stconn.{c,h}
- CLEANUP: muxes: rename "get_first_cs" to "get_first_sc"
- DEV: flags: use "sc" for stream conns instead of "cs"
- CLEANUP: check: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: connection: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stconn: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: quic/h3: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stream: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: promex: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stats: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cli: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: applet: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cache: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: dns: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: spoe: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: hlua: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: log-forward: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: http-client: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-fcgi: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h1: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h2: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-pt: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: peers: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sink: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sslsock: remove only occurrence of local variable "cs"
- CLEANUP: applet: rename appctx_cs() to appctx_sc()
- CLEANUP: stream: rename stream_upgrade_from_cs() to stream_upgrade_from_sc()
- CLEANUP: obj_type: rename OBJ_TYPE_CS to OBJ_TYPE_SC
- CLEANUP: stconn: replace a few remaining occurrences of CS in comments or traces
- DOC: internal: update the muxes doc to mention the stconn
- CLEANUP: mux-quic: rename the "endp" field to "sd"
- CLEANUP: mux-h1: rename the "endp" field to "sd"
- CLEANUP: mux-h2: rename the "endp" field to "sd"
- CLEANUP: mux-fcgi: rename the "endp" field to "sd"
- CLEANUP: mux-pt: rename the "endp" field to "sd"
- CLEANUP: stconn: rename a few "endp" arguments and variables to "sd"
- MINOR: stconn: turn SE_FL_WILL_CONSUME to SE_FL_WONT_CONSUME
- CLEANUP: stream: remove unneeded test on appctx during initialization
- CLEANUP: stconn: remove the new unneeded SE_FL_APP_MASK
- DEV: flags: fix "siet" shortcut name
- DEV: flags: rename the "endp" shortcut to "sd" for "stream descriptor"
- DEV: flags: reorder a few SC/SE flags
- DOC: internal: add a description of the stream connectors and descriptors
The "layers" mini-doc shows how streams, stconn, sedesc, conns, applets
and muxes interact, with field names, pointers and invariants. It should
be completed but already provides a quick overview about what can be
guaranteed at any step and at different layers.
The stream connector replaced the conn_stream and the sc_conn_io_cb()
function appeared. There's no place there to mention the endpoint
descriptor, but a separate diagram showing the relation between stream
and endpoint via the connector would be nice.
We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.
Released version 2.6-dev11 with the following main changes :
- CI: determine actual LibreSSL version dynamically
- BUG/MEDIUM: ncbuf: fix null buffer usage
- MINOR: ncbuf: fix warnings for testing build
- MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
- MEDIUM: ssl: Delay random generator initialization after config parsing
- MINOR: ssl: Add 'ssl-propquery' global option
- MINOR: ssl: Add 'ssl-provider' global option
- CLEANUP: Add missing header to ssl_utils.c
- CLEANUP: Add missing header to hlua_fcn.c
- CLEANUP: Remove unused function hlua_get_top_error_string
- BUILD: fix build warning on solaris based systems with __maybe_unused.
- MINOR: tools: add get_exec_path implementation for solaris based systems.
- BUG/MINOR: ssl: Fix crash when no private key is found in pem
- CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
- MINOR: applet: Prepare appctx to own the session on frontend side
- MINOR: applet: Let the frontend appctx release the session
- MINOR: applet: Change return value for .init callback function
- MINOR: stream: Export stream_free()
- MINOR: applet: Add appctx_init() helper fnuction
- MINOR: applet: Add a function to finalize frontend appctx startup
- MINOR: applet: Add function to release appctx on error during init stage
- MEDIUM: dns: Refactor dns appctx creation
- MEDIUM: spoe: Refactor SPOE appctx creation
- MEDIUM: lua: Refactor cosocket appctx creation
- MEDIUM: httpclient: Refactor http-client appctx creation
- MINOR: sink: Add a ref to sink in the sink_forward_target structure
- MEDIUM: sink: Refactor sink forwarder appctx creation
- MINOR: peers: Add a ref to peers section in the peer structure
- MEDIUM: peers: Refactor peer appctx creation
- MINOR: applet: Add API to start applet on a thread subset
- MEDIUM: applet: Add support for async appctx startup on a thread subset
- MINOR: peers: Track number of applets run by thread
- MEDIUM: peers: Balance applets across threads
- MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
- CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
- REGTESTS: abortonclose: Fix some race conditions
- MINOR: ssl: Add 'ssl-provider-path' global option
- CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()
- BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
- CLEANUP: peers: Remove unreachable code in peer_session_create()
- CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
- BUG/MEDIUM: quic: fix Rx buffering
- OPTIM: quic: realign empty Rx buffer
- BUG/MINOR: ncbuf: fix ncb_is_empty()
- MINOR: ncbuf: refactor ncb_advance()
- BUG/MINOR: mux-quic: update session's idle delay before stream creation
- MINOR: h3: do not wait a complete frame for demuxing
- MINOR: h3: flag demux as full on HTX full
- MEDIUM: mux-quic: implement recv on io-cb
- MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
- MINOR: mux-quic: reorganize flow-control frames emission
- MINOR: mux-quic: implement MAX_STREAM_DATA emission
- MINOR: mux-quic: implement MAX_DATA emission
- BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
- MINOR: mux-quic: free RX buf if empty
- BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
- BUG/MINOR: check: Reinit the buffer wait list at the end of a check
- MEDIUM: check: No longer shutdown the connection in .wake callback function
- REORG: check: Rename and export I/O callback function
- MEDIUM: check: Use the CS to handle subscriptions for read/write events
- BUG/MINOR: quic: break for error on sendto
- MINOR: quic: abort on unlisted errno on sendto()
- MINOR: quic: detect EBADF on sendto()
- BUG/MEDIUM: quic: fix initialization for local/remote TPs
- CLEANUP: quic: adjust comment/coding style for TPs init
- BUG/MINOR: cfgparse: abort earlier in case of allocation error
- MINOR: quic: Dump initial derived secrets
- MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
- MINOR: quic_tls: Add quic_tls_decrypt2() implementation
- MINOR: quic: Retry implementation
- MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
- MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
- BUILD: stats: Missing headers inclusions from stats.h
- MINOR: quic_stats: Add a new stats module for QUIC
- MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
- BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
- MINOR: quic: QUIC stats counters handling
- MINOR: quic: Add tune.quic.retry-threshold keyword
- MINOR: quic: Dynamic Retry implementation
- MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
- MINOR: mux-quic: emit FLOW_CONTROL_ERROR
- MINOR: mux-quic: emit STREAM_LIMIT_ERROR
- MINOR: mux-quic: close connection on error if different data at offset
- BUG/MINOR: peers: fix error reporting of "bind" lines
- CLEANUP: config: improve address parser error report for unmatched protocols
- CLEANUP: config: provide cleare hints about unsupported QUIC addresses
- MINOR: protocol: replace ctrl_type with xprt_type and clarify it
- MINOR: listener: provide a function to process all of a bind_conf's arguments
- MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
- CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
- MINOR: listener: add a new "options" entry in bind_conf
- CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
- CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
- CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
- CLEANUP: listener: store stream vs dgram at the bind_conf level
- MINOR: listener: detect stream vs dgram conflict during parsing
- MINOR: listener: set the QUIC xprt layer immediately after parsing the args
- MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
- MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
- MINOR: config: detect and report mux and transport incompatibilities
- MINOR: listener: automatically select a QUIC mux with a QUIC transport
- MINOR: listener: automatically enable SSL if a QUIC transport is found
- BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
- BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation
- BUILD/MINOR: cpuset fix build for FreeBSD 13.1
- CI: determine actual OpenSSL version dynamically
When loading providers with 'ssl-provider' global options, this
ssl-provider-path option can be used to set the search path that is to
be used by openssl. It behaves the same way as the OPENSSL_MODULES
environment variable.
When HAProxy is linked to an OpenSSLv3 library, this option can be used
to load a provider during init. You can specify multiple ssl-provider
options, which will be loaded in the order they appear. This does not
prevent OpenSSL from parsing its own configuration file in which some
other providers might be specified.
A linked list of the providers loaded from the configuration file is
kept so that all those providers can be unloaded during cleanup. The
providers loaded directly by OpenSSL will be freed by OpenSSL.
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.
Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.
When this option is set, the policy must be specify:
* preserve: It disables the filtering. It is the default mode for HTTP
proxies with no FastCGI application configured.
* delete: It removes request headers with a name containing a character
outside the "[a-zA-Z0-9-]" charset. It is the default mode for
HTTP backends with a configured FastCGI application.
* reject: It rejects the request with a 403-Forbidden response if it
contains a header name with a character outside the
"[a-zA-Z0-9-]" charset.
The option is evaluated per-proxy and after http-request rules evaluation.
This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
Released version 2.6-dev10 with the following main changes :
- MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
- MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
- BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
- MINOR: compiler: add a new macro to set an attribute on an enum when possible
- BUILD: stats: conditionally mark obsolete stats states as deprecated
- BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
- BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
- BUILD: listener: shut report of possible null-deref in listener_accept()
- BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
- DOC: install: update gcc version requirements
- BUILD: makefile: add -Wfatal-errors to the default flags
- BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
- BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
- BUG/MINOR: mux-h2: mark the stream as open before processing it not after
- MINOR: mux-h2: report a trace event when failing to create a new stream
- DOC: configuration: add the httpclient keywords to the global keywords index
- MINOR: quic: Add a debug counter for sendto() errors
- BUG/MINOR: quic: Dropped peer transport parameters
- BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
- MINOR: quic: Congestion controller event trace fix (loss)
- MINOR: quic: Add correct ack delay values to ACK frames
- MINOR: config: Add "cluster-secret" new global keyword
- MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
- MINOR: quic: new_quic_cid() code moving
- MINOR: quic: Initialize stateless reset tokens with HKDF secrets
- MINOR: qc_new_conn() rework for stateless reset
- MINOR: quic: Stateless reset token copy to transport parameters
- MINOR: quic: Send stateless reset tokens
- MINOR: quic: Short packets always embed a trailing AEAD TAG
- CLEANUP: quic: wrong use of eb*entry() macro
- CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
- CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
- MINOR: ncbuf: define non-contiguous buffer
- MINOR: ncbuf: complete API and define block interal abstraction
- MINOR: ncbuf: optimize storage for the last gap
- MINOR: ncbuf: implement insertion
- MINOR: ncbuf: define various insertion modes
- MINOR: ncbuf: implement advance
- MINOR: ncbuf: write unit tests
- BUG/MEDIUM: lua: fix argument handling in data removal functions
- DOC/MINOR: fix typos in the lua-api document
- BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
- MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
- CLEANUP: mux-h1: Fix comments and error messages for global options
- MINOR: conn_stream: make cs_set_error() work on the endpoint instead
- CLEANUP: mux-h1: always take the endp from the h1s not the cs
- CLEANUP: mux-h2: always take the endp from the h2s not the cs
- CLEANUP: mux-pt: always take the endp from the context not the cs
- CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
- CLEANUP: mux-quic: always take the endp from the qcs not the cs
- CLEANUP: applet: use the appctx's endp instead of cs->endp
- MINOR: conn_stream: add a pointer back to the cs from the endpoint
- MINOR: mux-h1: remove the now unneeded h1s->cs
- MINOR: mux-h2: make sure any h2s always has an endpoint
- MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
- MINOR: mux-fcgi: make sure any stream always has an endpoint
- MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
- MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
- MINOR: mux-pt: remove the now unneeded conn_stream from the context
- CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
- MINOR: applet: replace cs_applet_shut() with appctx_shut()
- MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
- CLEANUP: applet: remove the unneeded appctx->owner
- CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
- MINOR: ext-check: indicate the transport and protocol of a server
- BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
- MINOR: tools: improve error message accuracy in str2sa_range
- MINOR: config: make sure never to mix dgram and stream protocols on a bind line
- BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
- MINOR: xprt_quic: adjust flow-control according to bufsize
- MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
- MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
- CLEANUP: mux-quic: remove unused fields for Rx
- CLEANUP: quic: remove unused quic_rx_strm_frm
Valerio Pachera explained [1] that external checks would benefit from
having a variable indicating if SSL is being used or not on the server
being checked, and the discussion derived to also indicating the protocol
in use.
This patch adds two environment variables for external checks:
- HAPROXY_SERVER_SSL: equals "0" when SSL is not used, "1" when it is
- HAPROXY_SERVER_PROTO: contains one of the following words to describe
the protocol used with this server:
- "cli": the haproxy CLI. Normally not seen
- "syslog": this is a syslog TCP server
- "peers": this is a peers TCP server
- "h1": this is an HTTP/1.x server
- "h2": this is an HTTP/2 server
- "tcp": this is any other TCP server
The patch is very simple, and may be backported to recent versions if
needed. This closes github issue #1692.
[1] https://www.mail-archive.com/haproxy@formilux.org/msg42233.html
Since the 2.5, for security reason, HTTP/1.0 GET/HEAD/DELETE requests with a
payload are rejected (See e136bd12a "MEDIUM: mux-h1: Reject HTTP/1.0
GET/HEAD/DELETE requests with a payload" for details). However it may be an
issue for old clients.
To avoid any compatibility issue with such clients,
"h1-accept-payload-with-any-method" global option was added. It must only be
set if there is a good reason to do so because it may lead to a request
smuggling attack on some servers or intermediaries.
This patch should solve the issue #1691. it may be backported to 2.5.
It could be usefull to set a ASCII secret which could be used for different
usages. For instance, it will be used to derive QUIC stateless reset tokens.
Released version 2.6-dev9 with the following main changes :
- MINOR: mux-quic: support full request channel buffer
- BUG/MINOR: h3: fix parsing of unknown frame type with null length
- CLEANUP: backend: make alloc_{bind,dst}_address() idempotent
- MEDIUM: stream: remove the confusing SF_ADDR_SET flag
- MINOR: conn_stream: remove the now unused CS_FL_ADDR_*_SET flags
- CLEANUP: protocol: make sure the connect_* functions always receive a dst
- MINOR: connection: get rid of the CO_FL_ADDR_*_SET flags
- MINOR: session: get rid of the now unused SESS_FL_ADDR_*_SET flags
- CLEANUP: mux: Useless xprt_quic-t.h inclusion
- MINOR: quic: Make the quic_conn be aware of the number of streams
- BUG/MINOR: quic: Dropped retransmitted STREAM frames
- BUG/MINOR: mux_quic: Dropped packet upon retransmission for closed streams
- MEDIUM: httpclient: remove url2sa to use a more flexible parser
- MEDIUM: httpclient: http-request rules for resolving
- MEDIUM: httpclient: allow address and port change for resolving
- CLEANUP: httpclient: remove the comment about resolving
- MINOR: httpclient: handle unix and other socket types in dst
- MINOR: httpclient: rename dash by dot in global option
- MINOR: init: exit() after pre-check upon error
- MINOR: httpclient: cleanup the error handling in init
- MEDIUM: httpclient: hard-error when SSL is configured
- MINOR: httpclient: allow to configure the ca-file
- MINOR: httpclient: configure the resolvers section to use
- MINOR: httpclient: allow ipv4 or ipv6 preference for resolving
- DOC: configuration: httpclient global option
- MINOR: conn-stream: Add mask from flags set by endpoint or app layer
- BUG/MEDIUM: conn-stream: Only keep app layer flags of the endpoint on reset
- BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
- BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
- DOC: config: Update doc for PR/PH session states to warn about rewrite failures
- MINOR: resolvers: cleanup alert/warning in parse-resolve-conf
- MINOR: resolvers: move the resolv.conf parser in parse_resolv_conf()
- MINOR: resolvers: resolvers_new() create a resolvers with default values
- BUILD: debug: unify the definition of ha_backtrace_to_stderr()
- BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
- MEDIUM: resolvers: create a "default" resolvers section at startup
- DOC: resolvers: default resolvers section
- BUG/MINOR: startup: usage() when no -cc arguments
- BUG/MEDIUM: resolvers: make "show resolvers" properly yield
- BUG/MEDIUM: cli: make "show cli sockets" really yield
- BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
- BUG/MINOR: map/cli: protect the backref list during "show map" errors
- BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
- BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
- CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler
- MINOR: applet: reserve some generic storage in the applet's context
- CLEANUP: applet: make appctx_new() initialize the whole appctx
- CLEANUP: stream/cli: take the "show sess" context definition out of the appctx
- CLEANUP: stream/cli: stop using appctx->st2 for the dump state
- CLEANUP: stream/cli: remove the unneeded init state from "show sess"
- CLEANUP: stream/cli: remove the unneeded STATE_FIN state from "show sess"
- CLEANUP: stream/cli: remove the now unneeded dump state from "show sess"
- CLEANUP: proxy/cli: take the "show errors" context definition out of the appctx
- CLEANUP: stick-table/cli: take the "show table" context definition out of the appctx
- CLEANUP: stick-table/cli: stop using appctx->st2 for the dump state
- CLEANUP: stick-table/cli: remove the unneeded STATE_INIT for "show table"
- CLEANUP: map/cli: take the "show map" context definition out of the appctx
- CLEANUP: map/cli: stop using cli.i0/i1 to store the generation numbers
- CLEANUP: map/cli: stop using appctx->st2 for the dump state
- CLEANUP: map/cli: always detach the backref from the list after "show map"
- CLEANUP: peers/cli: take the "show peers" context definition out of the appctx
- CLEANUP: peers/cli: stop using appctx->st2 for the dump state
- CLEANUP: peers/cli: remove unneeded state STATE_INIT
- CLEANUP: cli: initialize the whole appctx->ctx, not just the stats part
- CLEANUP: promex: make the applet use its own context
- CLEANUP: promex: stop using appctx->st2
- CLEANUP: stats/cli: take the "show stat" context definition out of the appctx
- CLEANUP: stats/cli: stop using appctx->st2
- CLEANUP: hlua/cli: take the hlua_cli context definition out of the appctx
- CLEANUP: ssl/cli: use a local context for "show cafile"
- CLEANUP: ssl/cli: use a local context for "show crlfile"
- CLEANUP: ssl/cli: use a local context for "show ssl cert"
- CLEANUP: ssl/cli: use a local context for "commit ssl cert"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cafile"
- CLEANUP: ssl/cli: use a local context for "set ssl crlfile"
- CLEANUP: ssl/cli: use a local context for "commit ssl {ca|crl}file"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl ca/crl"
- CLEANUP: ssl/cli: stop using ctx.cli.i0/i1/p0 for "show tls-keys"
- CLEANUP: ssl/cli: add a new "dump_entries" field to "show_keys_ref"
- CLEANUP: ssl/cli: make "show tlskeys" not use appctx->st2 anymore
- CLEANUP: ssl/cli: make "show ssl ocsp-response" not use cli.p0 anymore
- CLEANUP: ssl/cli: make "{show|dump} ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" not use st2 anymore
- CLEANUP: dns: stop abusing the sink forwarder's context
- CLEANUP: sink: use the generic context to store the forwarder's context
- CLEANUP: activity/cli: make "show profiling" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev fd" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev memstats" not use ctx.cli anymore
- CLEANUP: ring: pass the ring watch flags to ring_attach_cli(), not in ctx.cli
- CLEANUP: ring/cli: use a locally-defined context instead of using ctx.cli
- CLEANUP: resolvers/cli: make "show resolvers" use a locally-defined context
- CLEANUP: resolvers/cli: remove the unneeded appctx->st2 from "show resolvers"
- CLEANUP: cache/cli: make use of a locally defined context for "show cache"
- CLEANUP: proxy/cli: make use of a locally defined context for "show servers"
- CLEANUP: proxy/cli: get rid of appctx->st2 in "show servers"
- CLEANUP: proxy/cli: make "show backend" only use the generic context
- CLEANUP: cli: make "show fd" use its own context
- CLEANUP: cli: make "show env" use its own context
- CLEANUP: cli: simplify the "show cli sockets" I/O handler
- CLEANUP: cli: make "show cli sockets" use its own context
- CLEANUP: httpclient/cli: use a locally-defined context instead of ctx.cli
- CLEANUP: httpclient: do not use the appctx.ctx anymore
- CLEANUP: peers: do not use appctx.ctx anymore
- CLEANUP: spoe: do not use appctx.ctx anymore
- BUILD: applet: mark the CLI's generic variables as deprecated
- BUILD: applet: mark the appctx's st2 variable as deprecated
- CLEANUP: cache: take the context out of appctx.ctx
- MEDIUM: lua: move the cosocket storage outside of appctx.ctx
- MINOR: lua: move the tcp service storage outside of appctx.ctx
- MINOR: lua: move the http service context out of appctx.ctx
- CLEANUP: cli: move the status print context into its own context
- CLEANUP: stats: rename the stats state values an mark the old ones deprecated
- DOC: internal: document the new cleaner approach to the appctx
- MINOR: tcp: socket translate TCP_KEEPIDLE for macOs equivalent
- DOC: fix typo "ant" for "and" in INSTALL
- CI: dynamically determine actual version of h2spec
When an HTTP header rewrite failure is triggered, and 500-internal-error
response is returned. A "PR" termination state is logged if the error
occurred on the request and "PH" if the error is reported for the response.
The documentation was updated accordingly.
This patch is related to issue #1597.
Documentation about the 4 options in the global section for the
httpclient:
- httpclient.ssl.verify
- httpclient.ssl.ca-file
- httpclient.resolvers.id
- httpclient.resolvers.prefer
Released version 2.6-dev8 with the following main changes :
- BUG/MINOR: quic: fix use-after-free with trace on ACK consume
- BUG/MINOR: rules: Forbid captures in defaults section if used by a backend
- BUG/MEDIUM: rules: Be able to use captures defined in defaults section
- BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
- BUG/MINOR: http-act: make release_http_redir() more robust
- BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args
- MINOR: sample: don't needlessly call c_none() in sample_fetch_as_type()
- MINOR: sample: make the bool type cast to bin
- MEDIUM: backend: add new "balance hash <expr>" algorithm
- MINOR: init: add global setting "fd-hard-limit" to bound system limits
- BUILD: pollers: use an initcall to register the pollers
- BUILD: xprt: use an initcall to register the transport layers
- BUILD: thread: use initcall instead of a constructor
- BUILD: http: remove the two unused constructors in rules and ana
- CLEANUP: compression: move the default setting of maxzlibmem to defaults
- MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN
- BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time'
- MINOR: fd: add functions to set O_NONBLOCK and FD_CLOEXEC
- CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec()
- CLEANUP: tree-wide: remove 25 occurrences of unneeded fcntl.h
- REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
- REGTESTS: webstats: remove unused stats socket in /tmp
- MEDIUM: httpclient: disable SSL when the ca-file couldn't be loaded
- BUG/MINOR: httpclient/lua: error when the httpclient_start() fails
- BUG/MINOR: ssl: free the cafile entries on deinit
- BUG/MINOR: ssl: memory leak when trying to load a directory with ca-file
- MEDIUM: httpclient: re-enable the verify by default
- BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
- BUILD: compiler: properly distinguish weak and global symbols
- MINOR: connection: Add way to disable active connection closing during soft-stop
- BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
- CLEANUP: Destroy `http_err_chunks` members during deinit
- BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
- MINOR: Call deinit_and_exit(0) for `haproxy -vv`
- BUILD: fd: disguise the fd_set_nonblock/cloexec result
- BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
- MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"
- CLEANUP: errors: also call deinit_errors_buffers() on deinit()
- CLEANUP: chunks: release trash also in deinit
- CLEANUP: deinit: release the pre-check callbacks
- CLEANUP: deinit: release the config postparsers
- CLEANUP: listeners/deinit: release accept queue tasklets on deinit
- CLEANUP: connections/deinit: destroy the idle_conns tasks
- BUG/MINOR: mux-quic: fix build in release mode
- MINOR: mux-quic: adjust comment on emission function
- MINOR: mux-quic: remove unused bogus qcc_get_stream()
- BUG/MINOR: mux-quic: fix leak if cs alloc failure
- MINOR: mux-quic: count local flow-control stream limit on reception
- BUG/MINOR: h3: fix incomplete POST requests
- BUG/MEDIUM: h3: fix use-after-free on mux Rx buffer wrapping
- MINOR: mux-quic: partially copy Rx frame if almost full buf
- MINOR: h3: change frame demuxing API
- MINOR: mux-quic: add a app-layer context in qcs
- MINOR: h3: implement h3 stream context
- MINOR: h3: support DATA demux if buffer full
- MINOR: quic: decode as much STREAM as possible
- MINOR: quic: Improve qc_prep_pkts() flexibility
- MINOR: quic: Prepare quic_frame struct duplication
- MINOR: quic: Do not retransmit frames from coalesced packets
- MINOR: quic: Add traces about TX frame memory releasing
- MINOR: quic: process_timer() rework
- MEDIUM: quic: New functions for probing rework
- MEDIUM: quic: Retransmission functions rework
- MEDIUM: quic: qc_requeue_nacked_pkt_tx_frms() rework
- MINOR: quic: old data distinction for qc_send_app_pkt()
- MINOR: quic: Mark packets as probing with old data
- MEDIUM: quic: Mark copies of acknowledged frames as acknowledged
- MEDIUM: quic: Enable the new datagram probing process
- MINOR: quic: Do not send ACK frames when probing
- BUG/MINOR: quic: Wrong returned status by qc_build_frms()
- BUG/MINOR: quic: Avoid sending useless PADDING frame
- BUG/MINOR: quic: Traces fix about remaining frames upon packet build failure
- MINOR: quic: Wake up the mux to probe with new data
- BUG/MEDIUM: quic: Possible crash on STREAM frame loss
- BUG/MINOR: quic: Missing Initial packet length check
- CLEANUP: quic: Rely on the packet length set by qc_lstnr_pkt_rcv()
- MINOR: quic: Drop 0-RTT packets if not allowed
- BUG/MINOR: httpclient/ssl: use the correct verify constant
- BUG/MEDIUM: conn-stream: Don't erase endpoint flags on reset
- BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
- BUG/MINOR: httpclient: Count metadata in size to transfer via htx_xfer_blks()
- MINOR: httpclient: Don't use co_set_data() to decrement output
- BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
- MEDIUM: quic: do not ACK packet with STREAM if MUX not present
- MEDIUM: quic: do not ack packet with invalid STREAM
- MINOR: quic: Drop 0-RTT packets without secrets
- CLEANUP: quic: Remaining fprintf() debug trace
- MINOR: quic: moving code for QUIC loss detection
- BUG/MINOR: quic: Missing time threshold multiplifier for loss delay computation
- CI: github actions: update LibreSSL to 3.5.2
- SCRIPTS: announce-release: add URL of dev packages
Low footprint client machines may not have enough memory to download a
complete 16KB TLS record at once. With the new option the maximum
record size can be defined on the server side.
Note: Before limiting the the record size on the server side, a client should
consider using the TLS Maximum Fragment Length Negotiation Extension defined
in RFC6066.
This patch fixes GitHub issue #1679.
If the "close-spread-time" option is set to "infinite", active
connection closing during a soft-stop can be disabled. The 'connection:
close' header or the GOAWAY frame will not be added anymore to the
server's response and active connections will only be closed once the
clients disconnect. Idle connections will not be closed all at once when
the soft-stop starts anymore, and each idle connection will follow its
own timeout based on the multiple timeouts set in the configuration (as
is the case during regular execution).
This feature request was described in GitHub issue #1614.
This patch should be backported to 2.5. It depends on 'MEDIUM: global:
Add a "close-spread-time" option to spread soft-stop on time window'.
