IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
As seen in GH issue #1770, peers synchronization do not cope well with
very large buffers because by default the only two reasons for stopping
the processing of updates is either that the end was reached or that
the buffer is full. This can cause high latencies, and even rightfully
trigger the watchdog when the operations are numerous and slowed down
by competition on the stick-table lock.
This patch introduces a limit to the number of messages one may send
at once, which now defaults to 200, regardless of the buffer size. This
means taking and releasing the lock up to 400 times in a row, which is
costly enough to let some other parts work.
After some observation this could be backported to 2.6. If so, however,
previous commits "BUG/MEDIUM: applet: fix incorrect check for abnormal
return condition from handler" and "BUG/MINOR: applet: make the call_rate
only count the no-progress calls" must be backported otherwise the call
rate might trigger the looping protection.
(cherry picked from commit 8bd146d8af)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Released version 2.6.5 with the following main changes :
- BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()
- BUG/MINOR: quic: Safer QUIC frame builders
- BUILD: tcp_sample: fix build of get_tcp_info() on OpenBSD
- BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
- BUG/MINOR: mworker: does not create the "default" resolvers in wait mode
- BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect
- REGTESTS: Fix prometheus script to perform HTTP health-checks
- MINOR: resolvers: shut the warning when "default" resolvers is implicit
- BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets
- BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup)
- CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet)
- CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv()
- DOC: configuration: do-resolve doesn't work with a port in the string
- MINOR: sample: add the host_only and port_only converters
- BUG/MINOR: httpclient: fix resolution with port
- DOC: configuration.txt: do-resolve must use host_only to remove its port.
- BUG/MINOR: quic: Frames added to packets even if not built.
- BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
- BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
- BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
- BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
- BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets
- MINOR: quic: Replace MT_LISTs by LISTs for RX packets.
- BUG/MEDIUM: applet: fix incorrect check for abnormal return condition from handler
- BUG/MINOR: applet: make the call_rate only count the no-progress calls
- MINOR: quic: Add a trace to distinguish the datagram from the packets inside
- BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
- BUG/MINOR: ssl: fix deinit of the ca-file tree
- BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free()
- BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released
- MINOR: quic: Revert recent QUIC commits
- BUG/MINOR: ssl: revert two wrong fixes with ckhi_link
- BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input
- BUG/MINOR: dev/udp: properly preset the rx address size
- MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch
- CLEANUP: Re-apply xalloc_size.cocci (2)
- MINOR: mux-quic: simplify decode_qcs API
- MINOR: mux-quic/h3: adjust demuxing function return values
- BUG/MINOR: h3: fix return value on decode_qcs on error
- BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
- BUG/MEDIUM: h3: fix SETTINGS parsing
- MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing
- CLEANUP: quic: use task_new_on() for single-threaded tasks
- MINOR: qpack: reduce dependencies on other modules
- MINOR: qpack: add ABORT_NOW on unimplemented decoding
- MINOR: qpack: improve decoding function
- MINOR: quic: Add several nonce and key definitions for Retry tag
- MINOR: quic: Parse long packet version from qc_parse_hd_form()
- CLEANUP: quid: QUIC draft-28 no more supported
- MEDIUM: quic: Add QUIC v2 draft support
- MINOR: quic: Released QUIC TLS extension for QUIC v2 draft
- MEDIUM: quic: Compatible version negotiation implementation (draft-08)
- CLEANUP: quic: Remove any reference to boringssl
- BUILD: quic: Wrong HKDF label constant variable initializations
- BUG/MINOR: qpack: abort on dynamic index field line decoding
- MINOR: quic: Dump version_information transport parameter
- CLEANUP: pool/quic: remove suffix "_pool" from certain pool names
- BUG/MINOR: qpack: fix build with QPACK_DEBUG
- BUG/MINOR: qpack: abort on dynamic index field line decoding
- CLEANUP: mux-quic: adjust comment on qcs_consume()
- CLEANUP: mux-quic: do not export qc_get_ncbuf
- REORG: mux-quic: reorganize flow-control fields
- MINOR: mux-quic: implement accessor for sedesc
- MEDIUM: mux-quic: refactor streams opening
- MINOR: mux-quic: rename qcs flag FIN_RECV to SIZE_KNOWN
- MINOR: mux-quic: emit FINAL_SIZE_ERROR on invalid STREAM size
- REORG: mux-quic: rename stream initialization function
- MINOR: mux-quic: rename stream purge function
- MINOR: mux-quic: add traces on frame parsing functions
- MINOR: mux-quic: implement qcs_alert()
- MINOR: mux-quic: filter send/receive-only streams on frame parsing
- MINOR: mux-quic: do not ack STREAM frames on unrecoverable error
- MINOR: mux-quic: support stream opening via MAX_STREAM_DATA
- MINOR: mux-quic: define basic stream states
- MINOR: mux-quic: use stream states to mark as detached
- MEDIUM: mux-quic: implement RESET_STREAM emission
- MEDIUM: mux-quic: implement STOP_SENDING handling
- CLEANUP: quic: clean up include on quic_frame-t.h
- MINOR: quic: define a generic QUIC error type
- MINOR: mux-quic: support app graceful shutdown
- MINOR: mux-quic/h3: prepare CONNECTION_CLOSE on release
- MEDIUM: quic: send CONNECTION_CLOSE on released MUX
- CLEANUP: mux-quic: move qc_release()
- MINOR: mux-quic: send one last time before release
- MINOR: h3: store control stream in h3c
- MINOR: h3: implement graceful shutdown with GOAWAY
- MINOR: mux-quic: save proxy instance into qcc
- MINOR: mux-quic: use timeout server for backend conns
- MEDIUM: mux-quic: adjust timeout refresh
- MINOR: mux-quic: count in-progress requests
- MEDIUM: mux-quic: implement http-keep-alive timeout
- MINOR: h3: support HTTP request framing state
- MINOR: mux-quic: refresh timeout on frame decoding
- MINOR: mux-quic: refactor refresh timeout function
- MEDIUM: mux-quic: implement http-request timeout
- MINOR: quic: Add two new stats counters for sendto() errors
- BUG/MINOR: quic: adjust errno handling on sendto
- MINOR: quic: Replace pool_zalloc() by pool_malloc() for fake datagrams
- MINOR: quic: replace custom buf on Tx by default struct buffer
- MINOR: quic: release Tx buffer on each send
- MINOR: quic: refactor datagram commit in Tx buffer
- MINOR: quic: skip sending if no frame to send in io-cb
- BUG/MINOR: mux-quic: open stream on STOP_SENDING
- BUG/MINOR: quic: fix crash on handshake io-cb for null next enc level
- MEDIUM: quic: xprt traces rework
- MINOR: quic: Remove useless lock for RX packets
- CLEANUP: quic: Remove trailing spaces
- MINOR: mux-quic: adjust enter/leave traces
- MINOR: mux-quic: define protocol error traces
- CLEANUP: mux-quic: adjust traces level
- MINOR: mux-quic: define new traces
- BUG/MEDIUM: mux-quic: fix crash due to invalid trace arg
- BUG/MEDIUM: quic: Possible use of uninitialized <odcid> variable in qc_lstnr_params_init()
- BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()
- BUG/MINOR: mux-quic: fix crash with traces in qc_detach()
- BUG/MINOR: quic: MIssing check when building TX packets
- BUG/MINOR: quic: Wrong status returned by qc_pkt_decrypt()
- MINOR: quic: adjust quic_frame flag manipulation
- MINOR: h3: report error on control stream close
- MINOR: qpack: report error on enc/dec stream close
- BUG/MEDIUM: mux-quic: reject uni stream ID exceeding flow control
- MINOR: mux-quic: adjust traces on stream init
- MINOR: mux-quic: add missing args on some traces
- MINOR: quic: refactor application send
- BUG/MINOR: quic: do not notify MUX on frame retransmit
- BUG/MINOR: quic: Missing initializations for ducplicated frames.
- BUG/MEDIUM: quic: fix crash on MUX send notification
- REORG: h2: extract cookies concat function in http_htx
- REGTESTS: add test for HTTP/2 cookies concatenation
- MEDIUM: h3: concatenate multiple cookie headers
- BUG/MINOR: quic: Possible crashes when dereferencing ->pkt quic_frame struct member
- MINOR: quic: Add frame addresses to QUIC_EV_CONN_PRSAFRM event traces
- BUG/MINOR: quic: Wrong splitted duplicated frames handling
- MINOR: quic: Add the QUIC connection to mux traces
- MINOR: quic: Trace fix in qc_release_frm()
- MINOR: quic: Add reusable cipher contexts for header protection
- BUG/MINOR: mux-quic: Fix memleak on QUIC stream buffer for unacknowledged data
- BUG/MINOR: quix: Memleak for non in flight TX packets
- BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()
- BUG/MINOR: quic: Safer QUIC frame builders
- MINOR: quic: Replace MT_LISTs by LISTs for RX packets.
- Revert "BUG/MINOR: quix: Memleak for non in flight TX packets"
- BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets
- BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup)
- CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet)
- CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv()
- MINOR: quic: Remove useless traces about references to TX packets
- Revert "MINOR: quic: Remove useless traces about references to TX packets"
- BUG/MINOR: quic: Null packet dereferencing from qc_dup_pkt_frms() trace
- BUG/MINOR: quic: Frames added to packets even if not built.
- BUG/MINOR: quic: Missing header protection AES cipher context initialisations (draft-v2)
- MINOR: quic: Add a trace to distinguish the datagram from the packets inside
- MINOR: quic: Move traces about RX/TX bytes from QUIC_EV_CONN_PRSAFRM event
- BUG/MINOR: quic: TX frames memleak
- BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free() v2
- BUILD: ring: forward-declare struct appctx to avoid a build warning
- MINOR: ring: support creating a ring from a linear area
- MINOR: ring: add support for a backing-file
- BUILD: sink: replace S_IRUSR, S_IWUSR with their octal value
- MINOR: ring: archive a previous file-backed ring on startup
- MINOR: sink/ring: rotate non-empty file-backed contents only
- DEV: haring: add a simple utility to read file-backed rings
- DEV: haring: support remapping LF in contents with CR VT
- CLEANUP: exclude haring with .gitignore
- BUILD: debug: make sure debug macros are never empty
- BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support
- REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
- BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools
- MINOR: backend: always satisfy the first req reuse rule with l7 retries
- BUG/MINOR: quic: Do not ack when probing
- MINOR: quic: Add TX frames addresses to traces to several trace events
- MINOR: quic: Trace typo fix in qc_release_frm()
- BUG/MINOR: quic: Frames leak during retransmissions
- BUG/MINOR: h2: properly set the direction flag on HTX response
- BUG/MEDIUM: httpclient: always detach the caller before self-killing
- BUG/MINOR: httpclient: keep-alive was accidentely disabled
- BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber
- BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber
- BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber
- DEBUG: stream: minor rearrangement of a few fields in struct stream.
- MINOR: debug: report applet pointer and handler in crashes when known
- BUG/MINOR: http-act: initialize http fmt head earlier
If the service is rechecked before a reload, that may cause the config
to be parsed twice and file-backed rings to be lost.
Here we make sure that such a ring does contain information before
deciding to rotate it. This way the first process starting after some
writes will cause a rotate but not subsequent ones until new writes
are applied.
An attempt was also made to disable rotations on checks but this was a
bad idea, as the ring is still initialized and this causes the contents
to be lost. The choice of initializing the ring during parsing is
questionable but the config check ought to be as close as possible to a
real start, and we could imagine that the ring is used by some code
during startup (e.g. lua). So this approach was abandonned and config
checks also cause a rotation, as the purpose of this rotation is to
preserve latest information against accidental removal.
(cherry picked from commit 32872db605)
Signed-off-by: Willy Tarreau <w@1wt.eu>
In order to ensure that an instant restart of the process will not wipe
precious debugging information, and to leave time for an admin to archive
a copy of a ring, now upon startup, any previously existing file will be
renamed with the extra suffix ".bak", and any previously existing file
with suffix ".bak" will be removed.
(cherry picked from commit ded77cc71f)
Signed-off-by: Willy Tarreau <w@1wt.eu>
This mmaps a file which will serve as the backing-store for the ring's
contents. The idea is to provide a way to retrieve sensitive information
(last logs, debugging traces) even after the process stops and even after
a possible crash. Right now this was possible by connecting to the CLI
and dumping the contents of the ring live, but this is not handy and
consumes quite a bit of resources before it is needed.
With a backing file, the ring is effectively RAM-mapped file, so that
contents stored there are the same as those found in the file (the OS
doesn't guarantee immediate sync but if the process dies it will be OK).
Note that doing that on a filesystem backed by a physical device is a
bad idea, as it will induce slowdowns at high loads. It's really
important that the device is RAM-based.
Also, this may have security implications: if the file is corrupted by
another process, the storage area could be corrupted, causing haproxy
to crash or to overwrite its own memory. As such this should only be
used for debugging.
(cherry picked from commit 0b8e9ceb12)
Signed-off-by: Willy Tarreau <w@1wt.eu>
The do-resolve action does not support a port in its parameter string,
the host_only converter must be used.
Must be backported to 2.6.
(cherry picked from commit b5c2cd461d)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Add 2 converters that can manipulate the value of an Host header.
host_only will return the host without any port, and port_only will
return the port.
(cherry picked from commit dd754cba16)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Fix the documentation about do-resolve to handle the case where a port
is associated to the hostname in the Host header.
Must be backported as far as 2.0.
(cherry picked from commit 1ef2460934)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Released version 2.6.4 with the following main changes :
- BUG/MINOR: ssl/cli: error when the ca-file is empty
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
Released version 2.6.3 with the following main changes :
- BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
- Revert "BUG/MINOR: peers: set the proxy's name to the peers section name"
- DEBUG: fd: split the fd check
- MEDIUM: resolvers: continue startup if network is unavailable
- BUG/MINOR: mworker: PROC_O_LEAVING used but not updated
- BUG/MEDIUM: mux-quic: fix missing EOI flag to prevent streams leaks
- MINOR: quic: Congestion control architecture refactoring
- MEDIUM: quic: Cubic congestion control algorithm implementation
- MINOR: quic: New "quic-cc-algo" bind keyword
- BUG/MINOR: quic: loss time limit variable computed but not used
- MINOR: quic: Stop looking for packet loss asap
- BUG/MAJOR: quic: Useless resource intensive loop qc_ackrng_pkts()
- MINOR: quic: Send packets as much as possible from qc_send_app_pkts()
- BUG/MEDIUM: queue/threads: limit the number of entries dequeued at once
- MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups
- BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions
- BUG/MINOR: mux-quic: prevent crash if conn released during IO callback
- CLEANUP: mux-quic: remove useless app_ops is_active callback
- BUG/MINOR: mux-quic: do not free conn if attached streams
- MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
- BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
- BUG/MINOR: peers: Use right channel flag to consider the peer as connected
- BUG/MEDIUM: dns: Properly initialize new DNS session
- BUG/MINOR: backend: Don't increment conn_retries counter too early
- MINOR: server: Constify source server to copy its settings
- REORG: server: Export srv_settings_cpy() function
- BUG/MEDIUM: proxy: Perform a custom copy for default server settings
- MINOR: peers: Add a warning about incompatible SSL config for the local peer
- BUG/MINOR: quic: Missing in flight ack eliciting packet counter decrement
- BUG/MEDIUM: quic: Floating point exception in cubic_root()
- BUILD: http: silence an uninitialized warning affecting gcc-5
- BUG/MINOR: quic: Avoid sending truncated datagrams
- BUG/MINOR: ring/cli: fix a race condition between the writer and the reader
- BUG/MEDIUM: sink: Set the sink ref for forwarders created during ring parsing
- BUG/MINOR: sink: fix a race condition between the writer and the reader
- BUG/MINOR: quic: do not reject datagrams matching minimum permitted size
- BUG/MINOR: quic: Missing Initial packet dropping case
- MINOR: quic: explicitely ignore sendto error
- BUG/MEDIUM: quic: break out of the loop in quic_lstnr_dghdlr
- CLEANUP: assorted typo fixes in the code and comments
- BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h
- BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp()
- MINOR: quic: Too much useless traces in qc_build_frms()
- BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection
- CLEANUP: mux-quic: remove loop on sending frames
- BUG/MEDIUM: quic: always remove the connection from the accept list on close
- BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
- BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
- BUILD: stconn: fix build warning at -O3 about possible null sc
- BUILD: debug: silence warning on gcc-5
- BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames()
- BUG/MEDIUM: ring: fix too lax 'size' parser
- BUG/MINOR: quic: memleak on wrong datagram receipt
- MINOR: stick-table: Add table_expire() and table_idle() new converters
- BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
- MINOR: applet: add a function to reset the svcctx of an applet
- BUG/MEDIUM: cli: always reset the service context between commands
- BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured
table_expire() returns the expiration delay for a stick-table entry associated
to an input sample. Its counterpart table_idle() returns the time the entry
remained idle since the last time it was updated.
Both converters may take a default value as second argument which is returned
when the entry is not present.
(cherry picked from commit bbeec37b31)
Signed-off-by: Willy Tarreau <w@1wt.eu>
This is 31st iteration of typo fixes
(cherry picked from commit 3b64a28e15)
[wt: dropped irrelevant entries for 2.6]
Signed-off-by: Willy Tarreau <w@1wt.eu>
As it could be interesting to be able to choose the QUIC control congestion
algorithm to be used by listener, add "quic-cc-algo" new keyword to do so.
Update the documentation consequently.
Must be backported to 2.6.
(cherry picked from commit 43910a9450)
[wt: minor ctx update in xprt_quic.c]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Released version 2.6.2 with the following main changes :
- MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
- BUG/MINOR: ssl: Do not look for key in extra files if already in pem
- BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
- BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
- MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
- BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
- BUILD: Makefile: Add Lua 5.4 autodetect
- CI: re-enable gcc asan builds
- MINOR: fd: Add BUG_ON checks on fd_insert()
- BUG/MINOR: peers/config: always fill the bind_conf's argument
- BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
- BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
- BUG/MINOR: peers: fix possible NULL dereferences at config parsing
- BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
- MINOR: http: Add function to get port part of a host
- MINOR: http: Add function to detect default port
- BUG/MEDIUM: h1: Improve authority validation for CONNCET request
- MINOR: http-htx: Use new HTTP functions for the scheme based normalization
- BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
- REGTEESTS: filters: Fix CONNECT request in random-forwarding script
- BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
- BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
- BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
- MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
- BUG/MINOR: quic: Missing acknowledgments for trailing packets
- BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
- BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
- BUG/MAJOR: quic: Big RX dgrams leak with POST requests
- BUILD: quic+h3: 32-bit compilation errors fixes
- BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
- MINOR: quic: Add new stats counter to diagnose RX buffer overrun
- MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
- MINOR: task: Add tasklet_wakeup_after()
- MINOR: quic: Improvements for the datagrams receipt
- MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
- MINOR: ncbuf: implement ncb_is_fragmented()
- BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
- MINOR: h3: add h3c pointer into h3s instance
- MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
- MINOR: qpack: properly handle invalid dynamic table references
- CLEANUP: h2: Typo fix in h2_unsubcribe() traces
- BUG/MEDIUM: mux-quic: fix server chunked encoding response
- BUG/MINOR: quic: fix closing state on NO_ERROR code sent
- BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
- BUG/MINOR: debug: enter ha_panic() only once
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds
- BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
- MINOR: resolvers: resolvers_destroy() deinit and free a resolver
- BUG/MINOR: resolvers: shut off the warning for the default resolvers
- BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
- BUG/MINOR: tools: fix statistical_prng_range()'s output range
- BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake
- BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
- BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
- BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
- BUILD: add detection for unsupported compiler models
- BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side
- BUILD: quic: fix anonymous union for gcc-4.4
- BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
Released version 2.6.1 with the following main changes :
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
- BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
- BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
- BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
- BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
- BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
- MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
- MEDIUM: httpclient: Don't close CLI applet at the end of a response
- REGTESTS: abortonclose: Add a barrier to not mix up log messages
- REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
- BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
- BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
- REGTESTS: http_abortonclose: Extend supported versions
- REGTESTS: restrict_req_hdr_names: Extend supported versions
- BUILD: compiler: implement unreachable for older compilers too
- BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
- BUG/MINOR: trace: Test server existence for health-checks to get proxy
- BUG/MINOR: checks: Properly handle email alerts in trace messages
- REGTESTS: healthcheckmail: Update the test to be functionnal again
- REGTESTS: healthcheckmail: Relax health-check failure condition
- BUG/MINOR: h3: fix frame type definition
- BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
- BUG/MINOR: server: do not enable DNS resolution on disabled proxies
- BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
- BUG/MEDIUM: mux-quic: fix flow control connection Tx level
- BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
- BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
- BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
- BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
- BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
- BUG/MINOR: qpack: support header litteral name decoding
- MINOR: qpack: add comments and remove a useless trace
- BUG/MINOR: h3/qpack: deal with too many headers
- BUG/BUILD: h3: fix wrong label name
- BUG/MINOR: quic: Stop hardcoding Retry packet Version field
- BUG/MINOR: quic: Wrong PTO calculation
- BUG/MINOR: task: fix thread assignment in tasklet_kill()
- BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
- MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
- BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
- BUG/MINOR: quic: Unexpected half open connection counter wrapping
- BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
- BUG/MINOR: quic: purge conn Rx packet list on release
- BUG/MINOR: quic: free rejected Rx packets
- BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
- BUG/MINOR: quic: Acknowledgement must be forced during handshake
- BUG/MEDIUM: mworker: use default maxconn in wait mode
- REGTESTS: ssl: add the same cert for client/server
Released version 2.6.0 with the following main changes :
- DOC: Fix formatting in configuration.txt to fix dconv
- CLEANUP: tcpcheck: Remove useless test on the stream-connector in tcpcheck_main
- CLEANUP: muxes: Consider stream's sd as defined in .show_fd callback functions
- MINOR: quic: Ignore out of packet padding.
- CLEANUP: quic: Useless QUIC_CONN_TX_BUF_SZ definition
- CLEANUP: quic: No more used handshake output buffer
- MINOR: quic: QUIC transport parameters split.
- MINOR: quic: Transport parameters dump
- DOC: quic: Update documentation for QUIC Retry
- MINOR: quic: Tunable "max_idle_timeout" transport parameter
- MINOR: quic: Tunable "initial_max_streams_bidi" transport parameter
- MINOR: quic: Clarifications about transport parameters value
- MINOIR: quic_stats: add QUIC connection errors counters
- BUG/MINOR: quic: Largest RX packet numbers mixing
- MINOR: quic_stats: Add transport new counters (lost, stateless reset, drop)
- DOC: quic: Documentation update for QUIC
- MINOR: quic: Connection TX buffer setting renaming.
- MINOR: h3: Add a statistics module for h3
- MINOR: quic: Send STOP_SENDING frames if mux is released
- MINOR: quic: Do not drop packets with RESET_STREAM frames
- BUG/MINOR: qpack: fix buffer API usage on prefix integer encoding
- BUG/MINOR: qpack: support bigger prefix-integer encoding
- BUG/MINOR: h3: do not report bug on unknown method
- SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
- SCRIPTS: make publish-release try to launch make-releases-json
- MINOR: htx: add an unchecked version of htx_get_head_blk()
- BUILD: htx: use the unchecked version of htx_get_head_blk() where needed
- BUILD: quic: use inttypes.h instead of stdint.h
- DOC: internal: remove totally outdated diagrams
- DOC: remove the outdated ROADMAP file
- DOC: add maintainers for QUIC and HTTP/3
- MINOR: h3: define h3 trace module
- MINOR: h3: add traces on frame recv
- MINOR: h3: add traces on frame send
- MINOR: h3: add traces on h3s init/end
- EXAMPLES: remove completely outdated acl-content-sw.cfg
- BUILD: makefile: reorder objects by build time
- DOC: fix a few spelling mistakes in the docs
- BUG/MEDIUM: peers/cli: fix "show peers" crash
- CLEANUP: peers/cli: stop misusing the appctx local variable
- CLEANUP: peers/cli: make peers_dump_peer() take an appctx instead of an stconn
- BUG/MINOR: peers: set the proxy's name to the peers section name
- MINOR: server: indicate when no address was expected for a server
- BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check
- DOC: peers: indicate that some server settings are not usable
- DOC: peers: clarify when entry expiration date is renewed.
- DOC: peers: fix port number and addresses on new peers section format
- DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables.
- DOC: install: update supported OpenSSL versions in the INSTALL doc
- MINOR: ncbuf: adjust ncb_data with NCBUF_NULL
- BUG/MINOR: h3: fix frame demuxing
- BUG/MEDIUM: h3: fix H3_EXCESSIVE_LOAD when receiving H3 frame header only
- BUG/MINOR: quic: Fix QUIC_EV_CONN_PRSAFRM event traces
- CLEANUP: quic: remove useless check on local UNI stream reception
- BUG/MINOR: qpack: do not consider empty enc/dec stream as error
- DOC: intro: adjust the numbering of paragrams to keep the output ordered
- MINOR: version: mention that it's LTS now.
The HTML version appeared with sections in a different order where
3.3.10..3.3.16 were placed between 3.3.1 and 3.3.2. This patch just slips
them into an intermediary section so that we now have "basic features",
"standard features", and "advanced features".
Some users misunderstood that the parameter of gpc() gpt()
store types on the table line presents the number of elements
of the array to store and not an index of gpt/gpc tag/counter.
This patch adds some explanations.
This patch addresses github issue #1630
It should be backorted in until branch 2.5.
This patch fix the port number and addresses on the example
to match those of the old format.
This patch address the github issue #1492
This patch should be backported until version 2.0
This patch add some details to know which rules are updating
the expiration timer of an entry.
It also adds a comment to know how to fetch a value without renewing
this timer.
This patch addresses github issue #615
This patch should be backported on all still supported branches
Let's make it clear in the peers documentation that not all server
parameters may be used, as there is some confusion around this, and
the doc was even misleading by saying that all parameters were
supported.
This should address github issue #919.
The "sequence" and "entities" diagrams have become so much outdated that
they are at best confusing, but more generally wrong. Let's simply remove
them.
Rename "tune.quic.conn-buf-limit" to "tune.quic.frontend.conn-tx-buffers.limit"
to reflect the stream direction (TX) and the objects (frontends) which are
concerned.
Add tunable "tune.quic.frontend.max_streams_bidi" setting for QUIC frontends
to set the "initial_max_streams_bidi" transport parameter.
Add some documentation for this new setting.
Add two tunable settings both for backends and frontends "max_idle_timeout"
QUIC transport parameter, "tune.quic.frontend.max-idle-timeout" and
"tune.quic.backend.max-idle-timeout" respectively.
cfg_parse_quic_time() has been implemented to parse a time value thanks
to parse_time_err(). It should be reused for any tunable time value to be
parsed.
Add the documentation for this tunable setting only for frontend.
Released version 2.6-dev12 with the following main changes :
- CLEANUP: tools: Clean up non-QUIC error message handling in str2sa_range()
- BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
- CLEANUP: tools: Crash if inet_ntop fails due to ENOSPC in sa2str
- BUG/MEDIUM: mux-quic: adjust buggy proxy closing support
- Revert "MINOR: quic: activate QUIC traces at compilation"
- Revert "MINOR: mux-quic: activate qmux traces on stdout via macro"
- CLEANUP: init: address a coverity warning about possible multiply overflow
- BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
- MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
- BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
- BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
- BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
- BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping
- MINOR: h3: mark ncbuf as const on h3_b_dup
- MINOR: mux-quic: do not alloc quic_stream_desc for uni remote stream
- MINOR: mux-quic: delay cs_endpoint allocation
- MINOR: mux-quic: add traces in qc_recv()
- MINOR: mux-quic: adjust return value of decode_qcs
- CLEANUP: h3: rename struct h3 -> h3c
- CLEANUP: h3: rename uni stream type constants
- BUG/MINOR: h3: prevent overflow when parsing SETTINGS
- MINOR: h3: refactor h3_control_send()
- MINOR: quic: support CONNECTION_CLOSE_APP emission
- MINOR: mux-quic: disable read on CONNECTION_CLOSE emission
- MINOR: h3: reject too big frames
- MINOR: mux-quic: emit STREAM_STATE_ERROR in qcc_recv
- BUG/MINOR: mux-quic: refactor uni streams TX/send H3 SETTINGS
- MINOR: h3/qpack: use qcs as type in decode callbacks
- MINOR: h3: define stream type
- MINOR: h3: refactor uni streams initialization
- MINOR: h3: check if frame is valid for stream type
- MINOR: h3: define non-h3 generic parsing function
- MEDIUM: quic: refactor uni streams RX
- CLEANUP: h3: remove h3 uni tasklet
- MINOR: h3: abort read on unknown uni stream
- MINOR: h3: refactor SETTINGS parsing/error reporting
- Revert "BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping"
- DOC: configuration: add a warning for @system-ca on bind
- CLEANUP: init: address another coverity warning about a possible multiply overflow
- BUG/MINOR: ssl/lua: use correctly cert_ext in CertCache.set()
- BUG/MEDIUM: sample: Fix adjusting size in word converter
- REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)
- CLEANUP: conn_stream: remove unneeded exclusion of RX_WAIT_EP from RXBLK_ANY
- CLEANUP: conn_stream: rename the cs_endpoint's context to "conn"
- MINOR: conn_stream: add new sets of functions to set/get endpoint flags
- DEV: coccinelle: add cs_endp_flags.cocci
- CLEANUP: conn_stream: apply cs_endp_flags.cocci tree-wide
- DEV: coccinelle: add endp_flags.cocci
- CLEANUP: conn_stream: apply endp_flags.cocci tree-wide
- CLEANUP: conn_stream: rename the stream endpoint flags CS_EP_* to SE_FL_*
- CLEANUP: conn_stream: rename the cs_endpoint's target to "se"
- CLEANUP: conn_stream: rename cs_endpoint to sedesc (stream endpoint descriptor)
- CLEANUP: applet: rename the sedesc pointer from "endp" to "sedesc"
- CLEANUP: conn_stream: rename the conn_stream's endp to sedesc
- CLEANUP: conn_stream: rename cs_app_* to sc_app_*
- CLEANUP: conn_stream: tree-wide rename to stconn (stream connector)
- CLEANUP: mux-h1: add and use h1s_sc() to retrieve the stream connector
- CLEANUP: mux-h2: add and use h2s_sc() to retrieve the stream connector
- CLEANUP: mux-fcgi: add and use fcgi_strm_sc() to retrieve the stream connector
- CLEANUP: mux-pt: add and use pt_sc() to retrieve the stream connector
- CLEANUP: stdesc: rename the stream connector ->cs field to ->sc
- CLEANUP: stream: rename "csf" and "csb" to "scf" and "scb"
- CLEANUP: stconn: tree-wide rename stream connector flags CS_FL_* to SC_FL_*
- CLEANUP: stconn: tree-wide rename stconn states CS_ST/SB_* to SC_ST/SB_*
- MINOR: check: export wake_srv_chk()
- MINOR: conn_stream: test the various ops functions before calling them
- MEDIUM: stconn: merge the app_ops and the data_cb fields
- MINOR: applet: add new wrappers to put chk/blk/str/chr to channel from appctx
- CLEANUP: applet: use applet_put*() everywhere possible
- CLEANUP: stconn: rename cs_{i,o}{b,c} to sc_{i,o}{b,c}
- CLEANUP: stconn: rename cs_{check,strm,strm_task} to sc_strm_*
- CLEANUP: stconn: rename cs_conn() to sc_conn()
- CLEANUP: stconn: rename cs_mux() to sc_mux_strm()
- CLEANUP: stconn: rename cs_conn_mux() to sc_mux_ops()
- CLEANUP: stconn: rename cs_appctx() to sc_appctx()
- CLEANUP: stconn: rename __cs_endp_target() to __sc_endp()
- CLEANUP: stconn: rename cs_get_data_name() to sc_get_data_name()
- CLEANUP: stconn: rename cs_conn_*() to sc_conn_*()
- CLEANUP: stconn: rename cs_conn_get_first() to conn_get_first_sc()
- CLEANUP: stconn: rename cs_ep_set_error() to se_fl_set_error()
- CLEANUP: stconn: make a few functions take a const argument
- CLEANUP: stconn: use a single function to know if SC may send to SE
- MINOR: stconn: consider CF_SHUTW for sc_is_send_allowed()
- MINOR: stconn: remove calls to cs_done_get()
- MEDIUM: stconn: always rely on CF_SHUTR in addition to cs_rx_blocked()
- MEDIUM: stconn: remove SE_FL_RXBLK_SHUT
- MINOR: stconn: rename SE_FL_RXBLK_CONN to SE_FL_APPLET_NEED_CONN
- MEDIUM: stconn: take SE_FL_APPLET_NEED_CONN out of the RXBLK_ANY flags
- CLEANUP: stconn: rename cs_rx_room_{blk,rdy} to sc_{need,have}_room()
- CLEANUP: stconn: rename cs_rx_chan_{blk,rdy} to sc_{wont,will}_read()
- CLEANUP: stconn: rename cs_rx_buff_{blk,rdy} to sc_{need,have}_buff()
- MINOR: stconn: start to rename cs_rx_endp_{more,done}() to se_have_{no_,}more_data()
- MINOR: stconn: add sc_is_recv_allowed() to check for ability to receive
- CLEANUP: stconn: rename SE_FL_RX_WAIT_EP to SE_FL_HAVE_NO_DATA
- MEDIUM: stconn: move the RXBLK flags to the stream connector
- CLEANUP: stconn: rename SE_FL_WANT_GET to SE_FL_WILL_CONSUME
- CLEANUP: stconn: remove cs_tx_blocked() and cs_tx_endp_ready()
- CLEANUP: stconn: rename cs_{want,stop}_get() to se_{will,wont}_consume()
- CLEANUP: stconn: rename cs_cant_get() to se_need_more_data()
- CLEANUP: stconn: rename cs_{new,create,free,destroy}_* to sc_*
- CLEANUP: stconn: rename remaining management functions from cs_* to sc_*
- CLEANUP: stconn: rename cs{,_get}_{src,dst} to sc_*
- CLEANUP: stconn: rename cs_{shut,chk}* to sc_*
- CLEANUP: stconn: rename final state manipulation functions from cs_* to sc_*
- CLEANUP: quic: drop the name "conn_stream" from the pool variable names
- REORG: rename cs_utils.h to sc_strm.h
- REORG: stconn: rename conn_stream.{c,h} to stconn.{c,h}
- CLEANUP: muxes: rename "get_first_cs" to "get_first_sc"
- DEV: flags: use "sc" for stream conns instead of "cs"
- CLEANUP: check: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: connection: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stconn: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: quic/h3: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stream: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: promex: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stats: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cli: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: applet: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cache: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: dns: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: spoe: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: hlua: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: log-forward: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: http-client: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-fcgi: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h1: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h2: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-pt: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: peers: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sink: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sslsock: remove only occurrence of local variable "cs"
- CLEANUP: applet: rename appctx_cs() to appctx_sc()
- CLEANUP: stream: rename stream_upgrade_from_cs() to stream_upgrade_from_sc()
- CLEANUP: obj_type: rename OBJ_TYPE_CS to OBJ_TYPE_SC
- CLEANUP: stconn: replace a few remaining occurrences of CS in comments or traces
- DOC: internal: update the muxes doc to mention the stconn
- CLEANUP: mux-quic: rename the "endp" field to "sd"
- CLEANUP: mux-h1: rename the "endp" field to "sd"
- CLEANUP: mux-h2: rename the "endp" field to "sd"
- CLEANUP: mux-fcgi: rename the "endp" field to "sd"
- CLEANUP: mux-pt: rename the "endp" field to "sd"
- CLEANUP: stconn: rename a few "endp" arguments and variables to "sd"
- MINOR: stconn: turn SE_FL_WILL_CONSUME to SE_FL_WONT_CONSUME
- CLEANUP: stream: remove unneeded test on appctx during initialization
- CLEANUP: stconn: remove the new unneeded SE_FL_APP_MASK
- DEV: flags: fix "siet" shortcut name
- DEV: flags: rename the "endp" shortcut to "sd" for "stream descriptor"
- DEV: flags: reorder a few SC/SE flags
- DOC: internal: add a description of the stream connectors and descriptors
The "layers" mini-doc shows how streams, stconn, sedesc, conns, applets
and muxes interact, with field names, pointers and invariants. It should
be completed but already provides a quick overview about what can be
guaranteed at any step and at different layers.
The stream connector replaced the conn_stream and the sc_conn_io_cb()
function appeared. There's no place there to mention the endpoint
descriptor, but a separate diagram showing the relation between stream
and endpoint via the connector would be nice.
We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.
Released version 2.6-dev11 with the following main changes :
- CI: determine actual LibreSSL version dynamically
- BUG/MEDIUM: ncbuf: fix null buffer usage
- MINOR: ncbuf: fix warnings for testing build
- MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
- MEDIUM: ssl: Delay random generator initialization after config parsing
- MINOR: ssl: Add 'ssl-propquery' global option
- MINOR: ssl: Add 'ssl-provider' global option
- CLEANUP: Add missing header to ssl_utils.c
- CLEANUP: Add missing header to hlua_fcn.c
- CLEANUP: Remove unused function hlua_get_top_error_string
- BUILD: fix build warning on solaris based systems with __maybe_unused.
- MINOR: tools: add get_exec_path implementation for solaris based systems.
- BUG/MINOR: ssl: Fix crash when no private key is found in pem
- CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
- MINOR: applet: Prepare appctx to own the session on frontend side
- MINOR: applet: Let the frontend appctx release the session
- MINOR: applet: Change return value for .init callback function
- MINOR: stream: Export stream_free()
- MINOR: applet: Add appctx_init() helper fnuction
- MINOR: applet: Add a function to finalize frontend appctx startup
- MINOR: applet: Add function to release appctx on error during init stage
- MEDIUM: dns: Refactor dns appctx creation
- MEDIUM: spoe: Refactor SPOE appctx creation
- MEDIUM: lua: Refactor cosocket appctx creation
- MEDIUM: httpclient: Refactor http-client appctx creation
- MINOR: sink: Add a ref to sink in the sink_forward_target structure
- MEDIUM: sink: Refactor sink forwarder appctx creation
- MINOR: peers: Add a ref to peers section in the peer structure
- MEDIUM: peers: Refactor peer appctx creation
- MINOR: applet: Add API to start applet on a thread subset
- MEDIUM: applet: Add support for async appctx startup on a thread subset
- MINOR: peers: Track number of applets run by thread
- MEDIUM: peers: Balance applets across threads
- MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
- CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
- REGTESTS: abortonclose: Fix some race conditions
- MINOR: ssl: Add 'ssl-provider-path' global option
- CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()
- BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
- CLEANUP: peers: Remove unreachable code in peer_session_create()
- CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
- BUG/MEDIUM: quic: fix Rx buffering
- OPTIM: quic: realign empty Rx buffer
- BUG/MINOR: ncbuf: fix ncb_is_empty()
- MINOR: ncbuf: refactor ncb_advance()
- BUG/MINOR: mux-quic: update session's idle delay before stream creation
- MINOR: h3: do not wait a complete frame for demuxing
- MINOR: h3: flag demux as full on HTX full
- MEDIUM: mux-quic: implement recv on io-cb
- MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
- MINOR: mux-quic: reorganize flow-control frames emission
- MINOR: mux-quic: implement MAX_STREAM_DATA emission
- MINOR: mux-quic: implement MAX_DATA emission
- BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
- MINOR: mux-quic: free RX buf if empty
- BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
- BUG/MINOR: check: Reinit the buffer wait list at the end of a check
- MEDIUM: check: No longer shutdown the connection in .wake callback function
- REORG: check: Rename and export I/O callback function
- MEDIUM: check: Use the CS to handle subscriptions for read/write events
- BUG/MINOR: quic: break for error on sendto
- MINOR: quic: abort on unlisted errno on sendto()
- MINOR: quic: detect EBADF on sendto()
- BUG/MEDIUM: quic: fix initialization for local/remote TPs
- CLEANUP: quic: adjust comment/coding style for TPs init
- BUG/MINOR: cfgparse: abort earlier in case of allocation error
- MINOR: quic: Dump initial derived secrets
- MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
- MINOR: quic_tls: Add quic_tls_decrypt2() implementation
- MINOR: quic: Retry implementation
- MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
- MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
- BUILD: stats: Missing headers inclusions from stats.h
- MINOR: quic_stats: Add a new stats module for QUIC
- MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
- BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
- MINOR: quic: QUIC stats counters handling
- MINOR: quic: Add tune.quic.retry-threshold keyword
- MINOR: quic: Dynamic Retry implementation
- MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
- MINOR: mux-quic: emit FLOW_CONTROL_ERROR
- MINOR: mux-quic: emit STREAM_LIMIT_ERROR
- MINOR: mux-quic: close connection on error if different data at offset
- BUG/MINOR: peers: fix error reporting of "bind" lines
- CLEANUP: config: improve address parser error report for unmatched protocols
- CLEANUP: config: provide cleare hints about unsupported QUIC addresses
- MINOR: protocol: replace ctrl_type with xprt_type and clarify it
- MINOR: listener: provide a function to process all of a bind_conf's arguments
- MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
- CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
- MINOR: listener: add a new "options" entry in bind_conf
- CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
- CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
- CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
- CLEANUP: listener: store stream vs dgram at the bind_conf level
- MINOR: listener: detect stream vs dgram conflict during parsing
- MINOR: listener: set the QUIC xprt layer immediately after parsing the args
- MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
- MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
- MINOR: config: detect and report mux and transport incompatibilities
- MINOR: listener: automatically select a QUIC mux with a QUIC transport
- MINOR: listener: automatically enable SSL if a QUIC transport is found
- BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
- BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation
- BUILD/MINOR: cpuset fix build for FreeBSD 13.1
- CI: determine actual OpenSSL version dynamically
When loading providers with 'ssl-provider' global options, this
ssl-provider-path option can be used to set the search path that is to
be used by openssl. It behaves the same way as the OPENSSL_MODULES
environment variable.
When HAProxy is linked to an OpenSSLv3 library, this option can be used
to load a provider during init. You can specify multiple ssl-provider
options, which will be loaded in the order they appear. This does not
prevent OpenSSL from parsing its own configuration file in which some
other providers might be specified.
A linked list of the providers loaded from the configuration file is
kept so that all those providers can be unloaded during cleanup. The
providers loaded directly by OpenSSL will be freed by OpenSSL.
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.
Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.
When this option is set, the policy must be specify:
* preserve: It disables the filtering. It is the default mode for HTTP
proxies with no FastCGI application configured.
* delete: It removes request headers with a name containing a character
outside the "[a-zA-Z0-9-]" charset. It is the default mode for
HTTP backends with a configured FastCGI application.
* reject: It rejects the request with a 403-Forbidden response if it
contains a header name with a character outside the
"[a-zA-Z0-9-]" charset.
The option is evaluated per-proxy and after http-request rules evaluation.
This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
Released version 2.6-dev10 with the following main changes :
- MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
- MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
- BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
- MINOR: compiler: add a new macro to set an attribute on an enum when possible
- BUILD: stats: conditionally mark obsolete stats states as deprecated
- BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
- BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
- BUILD: listener: shut report of possible null-deref in listener_accept()
- BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
- DOC: install: update gcc version requirements
- BUILD: makefile: add -Wfatal-errors to the default flags
- BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
- BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
- BUG/MINOR: mux-h2: mark the stream as open before processing it not after
- MINOR: mux-h2: report a trace event when failing to create a new stream
- DOC: configuration: add the httpclient keywords to the global keywords index
- MINOR: quic: Add a debug counter for sendto() errors
- BUG/MINOR: quic: Dropped peer transport parameters
- BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
- MINOR: quic: Congestion controller event trace fix (loss)
- MINOR: quic: Add correct ack delay values to ACK frames
- MINOR: config: Add "cluster-secret" new global keyword
- MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
- MINOR: quic: new_quic_cid() code moving
- MINOR: quic: Initialize stateless reset tokens with HKDF secrets
- MINOR: qc_new_conn() rework for stateless reset
- MINOR: quic: Stateless reset token copy to transport parameters
- MINOR: quic: Send stateless reset tokens
- MINOR: quic: Short packets always embed a trailing AEAD TAG
- CLEANUP: quic: wrong use of eb*entry() macro
- CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
- CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
- MINOR: ncbuf: define non-contiguous buffer
- MINOR: ncbuf: complete API and define block interal abstraction
- MINOR: ncbuf: optimize storage for the last gap
- MINOR: ncbuf: implement insertion
- MINOR: ncbuf: define various insertion modes
- MINOR: ncbuf: implement advance
- MINOR: ncbuf: write unit tests
- BUG/MEDIUM: lua: fix argument handling in data removal functions
- DOC/MINOR: fix typos in the lua-api document
- BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
- MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
- CLEANUP: mux-h1: Fix comments and error messages for global options
- MINOR: conn_stream: make cs_set_error() work on the endpoint instead
- CLEANUP: mux-h1: always take the endp from the h1s not the cs
- CLEANUP: mux-h2: always take the endp from the h2s not the cs
- CLEANUP: mux-pt: always take the endp from the context not the cs
- CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
- CLEANUP: mux-quic: always take the endp from the qcs not the cs
- CLEANUP: applet: use the appctx's endp instead of cs->endp
- MINOR: conn_stream: add a pointer back to the cs from the endpoint
- MINOR: mux-h1: remove the now unneeded h1s->cs
- MINOR: mux-h2: make sure any h2s always has an endpoint
- MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
- MINOR: mux-fcgi: make sure any stream always has an endpoint
- MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
- MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
- MINOR: mux-pt: remove the now unneeded conn_stream from the context
- CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
- MINOR: applet: replace cs_applet_shut() with appctx_shut()
- MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
- CLEANUP: applet: remove the unneeded appctx->owner
- CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
- MINOR: ext-check: indicate the transport and protocol of a server
- BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
- MINOR: tools: improve error message accuracy in str2sa_range
- MINOR: config: make sure never to mix dgram and stream protocols on a bind line
- BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
- MINOR: xprt_quic: adjust flow-control according to bufsize
- MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
- MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
- CLEANUP: mux-quic: remove unused fields for Rx
- CLEANUP: quic: remove unused quic_rx_strm_frm
Valerio Pachera explained [1] that external checks would benefit from
having a variable indicating if SSL is being used or not on the server
being checked, and the discussion derived to also indicating the protocol
in use.
This patch adds two environment variables for external checks:
- HAPROXY_SERVER_SSL: equals "0" when SSL is not used, "1" when it is
- HAPROXY_SERVER_PROTO: contains one of the following words to describe
the protocol used with this server:
- "cli": the haproxy CLI. Normally not seen
- "syslog": this is a syslog TCP server
- "peers": this is a peers TCP server
- "h1": this is an HTTP/1.x server
- "h2": this is an HTTP/2 server
- "tcp": this is any other TCP server
The patch is very simple, and may be backported to recent versions if
needed. This closes github issue #1692.
[1] https://www.mail-archive.com/haproxy@formilux.org/msg42233.html
Since the 2.5, for security reason, HTTP/1.0 GET/HEAD/DELETE requests with a
payload are rejected (See e136bd12a "MEDIUM: mux-h1: Reject HTTP/1.0
GET/HEAD/DELETE requests with a payload" for details). However it may be an
issue for old clients.
To avoid any compatibility issue with such clients,
"h1-accept-payload-with-any-method" global option was added. It must only be
set if there is a good reason to do so because it may lead to a request
smuggling attack on some servers or intermediaries.
This patch should solve the issue #1691. it may be backported to 2.5.
It could be usefull to set a ASCII secret which could be used for different
usages. For instance, it will be used to derive QUIC stateless reset tokens.
Released version 2.6-dev9 with the following main changes :
- MINOR: mux-quic: support full request channel buffer
- BUG/MINOR: h3: fix parsing of unknown frame type with null length
- CLEANUP: backend: make alloc_{bind,dst}_address() idempotent
- MEDIUM: stream: remove the confusing SF_ADDR_SET flag
- MINOR: conn_stream: remove the now unused CS_FL_ADDR_*_SET flags
- CLEANUP: protocol: make sure the connect_* functions always receive a dst
- MINOR: connection: get rid of the CO_FL_ADDR_*_SET flags
- MINOR: session: get rid of the now unused SESS_FL_ADDR_*_SET flags
- CLEANUP: mux: Useless xprt_quic-t.h inclusion
- MINOR: quic: Make the quic_conn be aware of the number of streams
- BUG/MINOR: quic: Dropped retransmitted STREAM frames
- BUG/MINOR: mux_quic: Dropped packet upon retransmission for closed streams
- MEDIUM: httpclient: remove url2sa to use a more flexible parser
- MEDIUM: httpclient: http-request rules for resolving
- MEDIUM: httpclient: allow address and port change for resolving
- CLEANUP: httpclient: remove the comment about resolving
- MINOR: httpclient: handle unix and other socket types in dst
- MINOR: httpclient: rename dash by dot in global option
- MINOR: init: exit() after pre-check upon error
- MINOR: httpclient: cleanup the error handling in init
- MEDIUM: httpclient: hard-error when SSL is configured
- MINOR: httpclient: allow to configure the ca-file
- MINOR: httpclient: configure the resolvers section to use
- MINOR: httpclient: allow ipv4 or ipv6 preference for resolving
- DOC: configuration: httpclient global option
- MINOR: conn-stream: Add mask from flags set by endpoint or app layer
- BUG/MEDIUM: conn-stream: Only keep app layer flags of the endpoint on reset
- BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
- BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
- DOC: config: Update doc for PR/PH session states to warn about rewrite failures
- MINOR: resolvers: cleanup alert/warning in parse-resolve-conf
- MINOR: resolvers: move the resolv.conf parser in parse_resolv_conf()
- MINOR: resolvers: resolvers_new() create a resolvers with default values
- BUILD: debug: unify the definition of ha_backtrace_to_stderr()
- BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
- MEDIUM: resolvers: create a "default" resolvers section at startup
- DOC: resolvers: default resolvers section
- BUG/MINOR: startup: usage() when no -cc arguments
- BUG/MEDIUM: resolvers: make "show resolvers" properly yield
- BUG/MEDIUM: cli: make "show cli sockets" really yield
- BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
- BUG/MINOR: map/cli: protect the backref list during "show map" errors
- BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
- BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
- CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler
- MINOR: applet: reserve some generic storage in the applet's context
- CLEANUP: applet: make appctx_new() initialize the whole appctx
- CLEANUP: stream/cli: take the "show sess" context definition out of the appctx
- CLEANUP: stream/cli: stop using appctx->st2 for the dump state
- CLEANUP: stream/cli: remove the unneeded init state from "show sess"
- CLEANUP: stream/cli: remove the unneeded STATE_FIN state from "show sess"
- CLEANUP: stream/cli: remove the now unneeded dump state from "show sess"
- CLEANUP: proxy/cli: take the "show errors" context definition out of the appctx
- CLEANUP: stick-table/cli: take the "show table" context definition out of the appctx
- CLEANUP: stick-table/cli: stop using appctx->st2 for the dump state
- CLEANUP: stick-table/cli: remove the unneeded STATE_INIT for "show table"
- CLEANUP: map/cli: take the "show map" context definition out of the appctx
- CLEANUP: map/cli: stop using cli.i0/i1 to store the generation numbers
- CLEANUP: map/cli: stop using appctx->st2 for the dump state
- CLEANUP: map/cli: always detach the backref from the list after "show map"
- CLEANUP: peers/cli: take the "show peers" context definition out of the appctx
- CLEANUP: peers/cli: stop using appctx->st2 for the dump state
- CLEANUP: peers/cli: remove unneeded state STATE_INIT
- CLEANUP: cli: initialize the whole appctx->ctx, not just the stats part
- CLEANUP: promex: make the applet use its own context
- CLEANUP: promex: stop using appctx->st2
- CLEANUP: stats/cli: take the "show stat" context definition out of the appctx
- CLEANUP: stats/cli: stop using appctx->st2
- CLEANUP: hlua/cli: take the hlua_cli context definition out of the appctx
- CLEANUP: ssl/cli: use a local context for "show cafile"
- CLEANUP: ssl/cli: use a local context for "show crlfile"
- CLEANUP: ssl/cli: use a local context for "show ssl cert"
- CLEANUP: ssl/cli: use a local context for "commit ssl cert"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cafile"
- CLEANUP: ssl/cli: use a local context for "set ssl crlfile"
- CLEANUP: ssl/cli: use a local context for "commit ssl {ca|crl}file"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl ca/crl"
- CLEANUP: ssl/cli: stop using ctx.cli.i0/i1/p0 for "show tls-keys"
- CLEANUP: ssl/cli: add a new "dump_entries" field to "show_keys_ref"
- CLEANUP: ssl/cli: make "show tlskeys" not use appctx->st2 anymore
- CLEANUP: ssl/cli: make "show ssl ocsp-response" not use cli.p0 anymore
- CLEANUP: ssl/cli: make "{show|dump} ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" not use st2 anymore
- CLEANUP: dns: stop abusing the sink forwarder's context
- CLEANUP: sink: use the generic context to store the forwarder's context
- CLEANUP: activity/cli: make "show profiling" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev fd" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev memstats" not use ctx.cli anymore
- CLEANUP: ring: pass the ring watch flags to ring_attach_cli(), not in ctx.cli
- CLEANUP: ring/cli: use a locally-defined context instead of using ctx.cli
- CLEANUP: resolvers/cli: make "show resolvers" use a locally-defined context
- CLEANUP: resolvers/cli: remove the unneeded appctx->st2 from "show resolvers"
- CLEANUP: cache/cli: make use of a locally defined context for "show cache"
- CLEANUP: proxy/cli: make use of a locally defined context for "show servers"
- CLEANUP: proxy/cli: get rid of appctx->st2 in "show servers"
- CLEANUP: proxy/cli: make "show backend" only use the generic context
- CLEANUP: cli: make "show fd" use its own context
- CLEANUP: cli: make "show env" use its own context
- CLEANUP: cli: simplify the "show cli sockets" I/O handler
- CLEANUP: cli: make "show cli sockets" use its own context
- CLEANUP: httpclient/cli: use a locally-defined context instead of ctx.cli
- CLEANUP: httpclient: do not use the appctx.ctx anymore
- CLEANUP: peers: do not use appctx.ctx anymore
- CLEANUP: spoe: do not use appctx.ctx anymore
- BUILD: applet: mark the CLI's generic variables as deprecated
- BUILD: applet: mark the appctx's st2 variable as deprecated
- CLEANUP: cache: take the context out of appctx.ctx
- MEDIUM: lua: move the cosocket storage outside of appctx.ctx
- MINOR: lua: move the tcp service storage outside of appctx.ctx
- MINOR: lua: move the http service context out of appctx.ctx
- CLEANUP: cli: move the status print context into its own context
- CLEANUP: stats: rename the stats state values an mark the old ones deprecated
- DOC: internal: document the new cleaner approach to the appctx
- MINOR: tcp: socket translate TCP_KEEPIDLE for macOs equivalent
- DOC: fix typo "ant" for "and" in INSTALL
- CI: dynamically determine actual version of h2spec
