IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
If the service is rechecked before a reload, that may cause the config
to be parsed twice and file-backed rings to be lost.
Here we make sure that such a ring does contain information before
deciding to rotate it. This way the first process starting after some
writes will cause a rotate but not subsequent ones until new writes
are applied.
An attempt was also made to disable rotations on checks but this was a
bad idea, as the ring is still initialized and this causes the contents
to be lost. The choice of initializing the ring during parsing is
questionable but the config check ought to be as close as possible to a
real start, and we could imagine that the ring is used by some code
during startup (e.g. lua). So this approach was abandonned and config
checks also cause a rotation, as the purpose of this rotation is to
preserve latest information against accidental removal.
(cherry picked from commit 32872db6050cf39bf8ba80e40a2b6c4ee184a8e6)
Signed-off-by: Willy Tarreau <w@1wt.eu>
In order to ensure that an instant restart of the process will not wipe
precious debugging information, and to leave time for an admin to archive
a copy of a ring, now upon startup, any previously existing file will be
renamed with the extra suffix ".bak", and any previously existing file
with suffix ".bak" will be removed.
(cherry picked from commit ded77cc71f3ab4d23251cadb3dc1ba117b096a71)
Signed-off-by: Willy Tarreau <w@1wt.eu>
This mmaps a file which will serve as the backing-store for the ring's
contents. The idea is to provide a way to retrieve sensitive information
(last logs, debugging traces) even after the process stops and even after
a possible crash. Right now this was possible by connecting to the CLI
and dumping the contents of the ring live, but this is not handy and
consumes quite a bit of resources before it is needed.
With a backing file, the ring is effectively RAM-mapped file, so that
contents stored there are the same as those found in the file (the OS
doesn't guarantee immediate sync but if the process dies it will be OK).
Note that doing that on a filesystem backed by a physical device is a
bad idea, as it will induce slowdowns at high loads. It's really
important that the device is RAM-based.
Also, this may have security implications: if the file is corrupted by
another process, the storage area could be corrupted, causing haproxy
to crash or to overwrite its own memory. As such this should only be
used for debugging.
(cherry picked from commit 0b8e9ceb12ee7ba5f5d3fada2610920a97014dc8)
Signed-off-by: Willy Tarreau <w@1wt.eu>
The do-resolve action does not support a port in its parameter string,
the host_only converter must be used.
Must be backported to 2.6.
(cherry picked from commit b5c2cd461d08a6196f858479de5c9aa9f7a9baf9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Add 2 converters that can manipulate the value of an Host header.
host_only will return the host without any port, and port_only will
return the port.
(cherry picked from commit dd754cba16bdeb936f9089d27c96d45a9fde4a1a)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Fix the documentation about do-resolve to handle the case where a port
is associated to the hostname in the Host header.
Must be backported as far as 2.0.
(cherry picked from commit 1ef2460934bffb86bd32dcdc1d418946cfc809f5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
Released version 2.6.4 with the following main changes :
- BUG/MINOR: ssl/cli: error when the ca-file is empty
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
Released version 2.6.3 with the following main changes :
- BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
- Revert "BUG/MINOR: peers: set the proxy's name to the peers section name"
- DEBUG: fd: split the fd check
- MEDIUM: resolvers: continue startup if network is unavailable
- BUG/MINOR: mworker: PROC_O_LEAVING used but not updated
- BUG/MEDIUM: mux-quic: fix missing EOI flag to prevent streams leaks
- MINOR: quic: Congestion control architecture refactoring
- MEDIUM: quic: Cubic congestion control algorithm implementation
- MINOR: quic: New "quic-cc-algo" bind keyword
- BUG/MINOR: quic: loss time limit variable computed but not used
- MINOR: quic: Stop looking for packet loss asap
- BUG/MAJOR: quic: Useless resource intensive loop qc_ackrng_pkts()
- MINOR: quic: Send packets as much as possible from qc_send_app_pkts()
- BUG/MEDIUM: queue/threads: limit the number of entries dequeued at once
- MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups
- BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions
- BUG/MINOR: mux-quic: prevent crash if conn released during IO callback
- CLEANUP: mux-quic: remove useless app_ops is_active callback
- BUG/MINOR: mux-quic: do not free conn if attached streams
- MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
- BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
- BUG/MINOR: peers: Use right channel flag to consider the peer as connected
- BUG/MEDIUM: dns: Properly initialize new DNS session
- BUG/MINOR: backend: Don't increment conn_retries counter too early
- MINOR: server: Constify source server to copy its settings
- REORG: server: Export srv_settings_cpy() function
- BUG/MEDIUM: proxy: Perform a custom copy for default server settings
- MINOR: peers: Add a warning about incompatible SSL config for the local peer
- BUG/MINOR: quic: Missing in flight ack eliciting packet counter decrement
- BUG/MEDIUM: quic: Floating point exception in cubic_root()
- BUILD: http: silence an uninitialized warning affecting gcc-5
- BUG/MINOR: quic: Avoid sending truncated datagrams
- BUG/MINOR: ring/cli: fix a race condition between the writer and the reader
- BUG/MEDIUM: sink: Set the sink ref for forwarders created during ring parsing
- BUG/MINOR: sink: fix a race condition between the writer and the reader
- BUG/MINOR: quic: do not reject datagrams matching minimum permitted size
- BUG/MINOR: quic: Missing Initial packet dropping case
- MINOR: quic: explicitely ignore sendto error
- BUG/MEDIUM: quic: break out of the loop in quic_lstnr_dghdlr
- CLEANUP: assorted typo fixes in the code and comments
- BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h
- BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp()
- MINOR: quic: Too much useless traces in qc_build_frms()
- BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection
- CLEANUP: mux-quic: remove loop on sending frames
- BUG/MEDIUM: quic: always remove the connection from the accept list on close
- BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
- BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
- BUILD: stconn: fix build warning at -O3 about possible null sc
- BUILD: debug: silence warning on gcc-5
- BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames()
- BUG/MEDIUM: ring: fix too lax 'size' parser
- BUG/MINOR: quic: memleak on wrong datagram receipt
- MINOR: stick-table: Add table_expire() and table_idle() new converters
- BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
- MINOR: applet: add a function to reset the svcctx of an applet
- BUG/MEDIUM: cli: always reset the service context between commands
- BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured
table_expire() returns the expiration delay for a stick-table entry associated
to an input sample. Its counterpart table_idle() returns the time the entry
remained idle since the last time it was updated.
Both converters may take a default value as second argument which is returned
when the entry is not present.
(cherry picked from commit bbeec37b3189d8132e9faeea60285bdb0eefcf26)
Signed-off-by: Willy Tarreau <w@1wt.eu>
As it could be interesting to be able to choose the QUIC control congestion
algorithm to be used by listener, add "quic-cc-algo" new keyword to do so.
Update the documentation consequently.
Must be backported to 2.6.
(cherry picked from commit 43910a94505d4515ce4ff8de0828f3bc7187c568)
[wt: minor ctx update in xprt_quic.c]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Released version 2.6.2 with the following main changes :
- MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
- BUG/MINOR: ssl: Do not look for key in extra files if already in pem
- BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
- BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
- MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
- BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
- BUILD: Makefile: Add Lua 5.4 autodetect
- CI: re-enable gcc asan builds
- MINOR: fd: Add BUG_ON checks on fd_insert()
- BUG/MINOR: peers/config: always fill the bind_conf's argument
- BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
- BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
- BUG/MINOR: peers: fix possible NULL dereferences at config parsing
- BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
- MINOR: http: Add function to get port part of a host
- MINOR: http: Add function to detect default port
- BUG/MEDIUM: h1: Improve authority validation for CONNCET request
- MINOR: http-htx: Use new HTTP functions for the scheme based normalization
- BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
- REGTEESTS: filters: Fix CONNECT request in random-forwarding script
- BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
- BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
- BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
- MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
- BUG/MINOR: quic: Missing acknowledgments for trailing packets
- BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
- BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
- BUG/MAJOR: quic: Big RX dgrams leak with POST requests
- BUILD: quic+h3: 32-bit compilation errors fixes
- BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
- MINOR: quic: Add new stats counter to diagnose RX buffer overrun
- MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
- MINOR: task: Add tasklet_wakeup_after()
- MINOR: quic: Improvements for the datagrams receipt
- MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
- MINOR: ncbuf: implement ncb_is_fragmented()
- BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
- MINOR: h3: add h3c pointer into h3s instance
- MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
- MINOR: qpack: properly handle invalid dynamic table references
- CLEANUP: h2: Typo fix in h2_unsubcribe() traces
- BUG/MEDIUM: mux-quic: fix server chunked encoding response
- BUG/MINOR: quic: fix closing state on NO_ERROR code sent
- BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
- BUG/MINOR: debug: enter ha_panic() only once
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds
- BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
- MINOR: resolvers: resolvers_destroy() deinit and free a resolver
- BUG/MINOR: resolvers: shut off the warning for the default resolvers
- BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
- BUG/MINOR: tools: fix statistical_prng_range()'s output range
- BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake
- BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
- BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
- BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
- BUILD: add detection for unsupported compiler models
- BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side
- BUILD: quic: fix anonymous union for gcc-4.4
- BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
Released version 2.6.1 with the following main changes :
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
- BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
- BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
- BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
- BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
- BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
- MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
- MEDIUM: httpclient: Don't close CLI applet at the end of a response
- REGTESTS: abortonclose: Add a barrier to not mix up log messages
- REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
- BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
- BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
- REGTESTS: http_abortonclose: Extend supported versions
- REGTESTS: restrict_req_hdr_names: Extend supported versions
- BUILD: compiler: implement unreachable for older compilers too
- BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
- BUG/MINOR: trace: Test server existence for health-checks to get proxy
- BUG/MINOR: checks: Properly handle email alerts in trace messages
- REGTESTS: healthcheckmail: Update the test to be functionnal again
- REGTESTS: healthcheckmail: Relax health-check failure condition
- BUG/MINOR: h3: fix frame type definition
- BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
- BUG/MINOR: server: do not enable DNS resolution on disabled proxies
- BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
- BUG/MEDIUM: mux-quic: fix flow control connection Tx level
- BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
- BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
- BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
- BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
- BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
- BUG/MINOR: qpack: support header litteral name decoding
- MINOR: qpack: add comments and remove a useless trace
- BUG/MINOR: h3/qpack: deal with too many headers
- BUG/BUILD: h3: fix wrong label name
- BUG/MINOR: quic: Stop hardcoding Retry packet Version field
- BUG/MINOR: quic: Wrong PTO calculation
- BUG/MINOR: task: fix thread assignment in tasklet_kill()
- BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
- MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
- BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
- BUG/MINOR: quic: Unexpected half open connection counter wrapping
- BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
- BUG/MINOR: quic: purge conn Rx packet list on release
- BUG/MINOR: quic: free rejected Rx packets
- BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
- BUG/MINOR: quic: Acknowledgement must be forced during handshake
- BUG/MEDIUM: mworker: use default maxconn in wait mode
- REGTESTS: ssl: add the same cert for client/server
Released version 2.6.0 with the following main changes :
- DOC: Fix formatting in configuration.txt to fix dconv
- CLEANUP: tcpcheck: Remove useless test on the stream-connector in tcpcheck_main
- CLEANUP: muxes: Consider stream's sd as defined in .show_fd callback functions
- MINOR: quic: Ignore out of packet padding.
- CLEANUP: quic: Useless QUIC_CONN_TX_BUF_SZ definition
- CLEANUP: quic: No more used handshake output buffer
- MINOR: quic: QUIC transport parameters split.
- MINOR: quic: Transport parameters dump
- DOC: quic: Update documentation for QUIC Retry
- MINOR: quic: Tunable "max_idle_timeout" transport parameter
- MINOR: quic: Tunable "initial_max_streams_bidi" transport parameter
- MINOR: quic: Clarifications about transport parameters value
- MINOIR: quic_stats: add QUIC connection errors counters
- BUG/MINOR: quic: Largest RX packet numbers mixing
- MINOR: quic_stats: Add transport new counters (lost, stateless reset, drop)
- DOC: quic: Documentation update for QUIC
- MINOR: quic: Connection TX buffer setting renaming.
- MINOR: h3: Add a statistics module for h3
- MINOR: quic: Send STOP_SENDING frames if mux is released
- MINOR: quic: Do not drop packets with RESET_STREAM frames
- BUG/MINOR: qpack: fix buffer API usage on prefix integer encoding
- BUG/MINOR: qpack: support bigger prefix-integer encoding
- BUG/MINOR: h3: do not report bug on unknown method
- SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
- SCRIPTS: make publish-release try to launch make-releases-json
- MINOR: htx: add an unchecked version of htx_get_head_blk()
- BUILD: htx: use the unchecked version of htx_get_head_blk() where needed
- BUILD: quic: use inttypes.h instead of stdint.h
- DOC: internal: remove totally outdated diagrams
- DOC: remove the outdated ROADMAP file
- DOC: add maintainers for QUIC and HTTP/3
- MINOR: h3: define h3 trace module
- MINOR: h3: add traces on frame recv
- MINOR: h3: add traces on frame send
- MINOR: h3: add traces on h3s init/end
- EXAMPLES: remove completely outdated acl-content-sw.cfg
- BUILD: makefile: reorder objects by build time
- DOC: fix a few spelling mistakes in the docs
- BUG/MEDIUM: peers/cli: fix "show peers" crash
- CLEANUP: peers/cli: stop misusing the appctx local variable
- CLEANUP: peers/cli: make peers_dump_peer() take an appctx instead of an stconn
- BUG/MINOR: peers: set the proxy's name to the peers section name
- MINOR: server: indicate when no address was expected for a server
- BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check
- DOC: peers: indicate that some server settings are not usable
- DOC: peers: clarify when entry expiration date is renewed.
- DOC: peers: fix port number and addresses on new peers section format
- DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables.
- DOC: install: update supported OpenSSL versions in the INSTALL doc
- MINOR: ncbuf: adjust ncb_data with NCBUF_NULL
- BUG/MINOR: h3: fix frame demuxing
- BUG/MEDIUM: h3: fix H3_EXCESSIVE_LOAD when receiving H3 frame header only
- BUG/MINOR: quic: Fix QUIC_EV_CONN_PRSAFRM event traces
- CLEANUP: quic: remove useless check on local UNI stream reception
- BUG/MINOR: qpack: do not consider empty enc/dec stream as error
- DOC: intro: adjust the numbering of paragrams to keep the output ordered
- MINOR: version: mention that it's LTS now.
Some users misunderstood that the parameter of gpc() gpt()
store types on the table line presents the number of elements
of the array to store and not an index of gpt/gpc tag/counter.
This patch adds some explanations.
This patch addresses github issue #1630
It should be backorted in until branch 2.5.
This patch fix the port number and addresses on the example
to match those of the old format.
This patch address the github issue #1492
This patch should be backported until version 2.0
This patch add some details to know which rules are updating
the expiration timer of an entry.
It also adds a comment to know how to fetch a value without renewing
this timer.
This patch addresses github issue #615
This patch should be backported on all still supported branches
Let's make it clear in the peers documentation that not all server
parameters may be used, as there is some confusion around this, and
the doc was even misleading by saying that all parameters were
supported.
This should address github issue #919.
Rename "tune.quic.conn-buf-limit" to "tune.quic.frontend.conn-tx-buffers.limit"
to reflect the stream direction (TX) and the objects (frontends) which are
concerned.
Add tunable "tune.quic.frontend.max_streams_bidi" setting for QUIC frontends
to set the "initial_max_streams_bidi" transport parameter.
Add some documentation for this new setting.
Add two tunable settings both for backends and frontends "max_idle_timeout"
QUIC transport parameter, "tune.quic.frontend.max-idle-timeout" and
"tune.quic.backend.max-idle-timeout" respectively.
cfg_parse_quic_time() has been implemented to parse a time value thanks
to parse_time_err(). It should be reused for any tunable time value to be
parsed.
Add the documentation for this tunable setting only for frontend.
Released version 2.6-dev12 with the following main changes :
- CLEANUP: tools: Clean up non-QUIC error message handling in str2sa_range()
- BUG/MEDIUM: tools: Fix `inet_ntop` usage in sa2str
- CLEANUP: tools: Crash if inet_ntop fails due to ENOSPC in sa2str
- BUG/MEDIUM: mux-quic: adjust buggy proxy closing support
- Revert "MINOR: quic: activate QUIC traces at compilation"
- Revert "MINOR: mux-quic: activate qmux traces on stdout via macro"
- CLEANUP: init: address a coverity warning about possible multiply overflow
- BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
- MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
- BUG/MEDIUM: resolvers: Don't defer resolutions release in deinit function
- BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
- BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
- BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping
- MINOR: h3: mark ncbuf as const on h3_b_dup
- MINOR: mux-quic: do not alloc quic_stream_desc for uni remote stream
- MINOR: mux-quic: delay cs_endpoint allocation
- MINOR: mux-quic: add traces in qc_recv()
- MINOR: mux-quic: adjust return value of decode_qcs
- CLEANUP: h3: rename struct h3 -> h3c
- CLEANUP: h3: rename uni stream type constants
- BUG/MINOR: h3: prevent overflow when parsing SETTINGS
- MINOR: h3: refactor h3_control_send()
- MINOR: quic: support CONNECTION_CLOSE_APP emission
- MINOR: mux-quic: disable read on CONNECTION_CLOSE emission
- MINOR: h3: reject too big frames
- MINOR: mux-quic: emit STREAM_STATE_ERROR in qcc_recv
- BUG/MINOR: mux-quic: refactor uni streams TX/send H3 SETTINGS
- MINOR: h3/qpack: use qcs as type in decode callbacks
- MINOR: h3: define stream type
- MINOR: h3: refactor uni streams initialization
- MINOR: h3: check if frame is valid for stream type
- MINOR: h3: define non-h3 generic parsing function
- MEDIUM: quic: refactor uni streams RX
- CLEANUP: h3: remove h3 uni tasklet
- MINOR: h3: abort read on unknown uni stream
- MINOR: h3: refactor SETTINGS parsing/error reporting
- Revert "BUG/MINOR: task: Don't defer tasks release when HAProxy is stopping"
- DOC: configuration: add a warning for @system-ca on bind
- CLEANUP: init: address another coverity warning about a possible multiply overflow
- BUG/MINOR: ssl/lua: use correctly cert_ext in CertCache.set()
- BUG/MEDIUM: sample: Fix adjusting size in word converter
- REGTESTS: Do not use REQUIRE_VERSION for HAProxy 2.5+ (2)
- CLEANUP: conn_stream: remove unneeded exclusion of RX_WAIT_EP from RXBLK_ANY
- CLEANUP: conn_stream: rename the cs_endpoint's context to "conn"
- MINOR: conn_stream: add new sets of functions to set/get endpoint flags
- DEV: coccinelle: add cs_endp_flags.cocci
- CLEANUP: conn_stream: apply cs_endp_flags.cocci tree-wide
- DEV: coccinelle: add endp_flags.cocci
- CLEANUP: conn_stream: apply endp_flags.cocci tree-wide
- CLEANUP: conn_stream: rename the stream endpoint flags CS_EP_* to SE_FL_*
- CLEANUP: conn_stream: rename the cs_endpoint's target to "se"
- CLEANUP: conn_stream: rename cs_endpoint to sedesc (stream endpoint descriptor)
- CLEANUP: applet: rename the sedesc pointer from "endp" to "sedesc"
- CLEANUP: conn_stream: rename the conn_stream's endp to sedesc
- CLEANUP: conn_stream: rename cs_app_* to sc_app_*
- CLEANUP: conn_stream: tree-wide rename to stconn (stream connector)
- CLEANUP: mux-h1: add and use h1s_sc() to retrieve the stream connector
- CLEANUP: mux-h2: add and use h2s_sc() to retrieve the stream connector
- CLEANUP: mux-fcgi: add and use fcgi_strm_sc() to retrieve the stream connector
- CLEANUP: mux-pt: add and use pt_sc() to retrieve the stream connector
- CLEANUP: stdesc: rename the stream connector ->cs field to ->sc
- CLEANUP: stream: rename "csf" and "csb" to "scf" and "scb"
- CLEANUP: stconn: tree-wide rename stream connector flags CS_FL_* to SC_FL_*
- CLEANUP: stconn: tree-wide rename stconn states CS_ST/SB_* to SC_ST/SB_*
- MINOR: check: export wake_srv_chk()
- MINOR: conn_stream: test the various ops functions before calling them
- MEDIUM: stconn: merge the app_ops and the data_cb fields
- MINOR: applet: add new wrappers to put chk/blk/str/chr to channel from appctx
- CLEANUP: applet: use applet_put*() everywhere possible
- CLEANUP: stconn: rename cs_{i,o}{b,c} to sc_{i,o}{b,c}
- CLEANUP: stconn: rename cs_{check,strm,strm_task} to sc_strm_*
- CLEANUP: stconn: rename cs_conn() to sc_conn()
- CLEANUP: stconn: rename cs_mux() to sc_mux_strm()
- CLEANUP: stconn: rename cs_conn_mux() to sc_mux_ops()
- CLEANUP: stconn: rename cs_appctx() to sc_appctx()
- CLEANUP: stconn: rename __cs_endp_target() to __sc_endp()
- CLEANUP: stconn: rename cs_get_data_name() to sc_get_data_name()
- CLEANUP: stconn: rename cs_conn_*() to sc_conn_*()
- CLEANUP: stconn: rename cs_conn_get_first() to conn_get_first_sc()
- CLEANUP: stconn: rename cs_ep_set_error() to se_fl_set_error()
- CLEANUP: stconn: make a few functions take a const argument
- CLEANUP: stconn: use a single function to know if SC may send to SE
- MINOR: stconn: consider CF_SHUTW for sc_is_send_allowed()
- MINOR: stconn: remove calls to cs_done_get()
- MEDIUM: stconn: always rely on CF_SHUTR in addition to cs_rx_blocked()
- MEDIUM: stconn: remove SE_FL_RXBLK_SHUT
- MINOR: stconn: rename SE_FL_RXBLK_CONN to SE_FL_APPLET_NEED_CONN
- MEDIUM: stconn: take SE_FL_APPLET_NEED_CONN out of the RXBLK_ANY flags
- CLEANUP: stconn: rename cs_rx_room_{blk,rdy} to sc_{need,have}_room()
- CLEANUP: stconn: rename cs_rx_chan_{blk,rdy} to sc_{wont,will}_read()
- CLEANUP: stconn: rename cs_rx_buff_{blk,rdy} to sc_{need,have}_buff()
- MINOR: stconn: start to rename cs_rx_endp_{more,done}() to se_have_{no_,}more_data()
- MINOR: stconn: add sc_is_recv_allowed() to check for ability to receive
- CLEANUP: stconn: rename SE_FL_RX_WAIT_EP to SE_FL_HAVE_NO_DATA
- MEDIUM: stconn: move the RXBLK flags to the stream connector
- CLEANUP: stconn: rename SE_FL_WANT_GET to SE_FL_WILL_CONSUME
- CLEANUP: stconn: remove cs_tx_blocked() and cs_tx_endp_ready()
- CLEANUP: stconn: rename cs_{want,stop}_get() to se_{will,wont}_consume()
- CLEANUP: stconn: rename cs_cant_get() to se_need_more_data()
- CLEANUP: stconn: rename cs_{new,create,free,destroy}_* to sc_*
- CLEANUP: stconn: rename remaining management functions from cs_* to sc_*
- CLEANUP: stconn: rename cs{,_get}_{src,dst} to sc_*
- CLEANUP: stconn: rename cs_{shut,chk}* to sc_*
- CLEANUP: stconn: rename final state manipulation functions from cs_* to sc_*
- CLEANUP: quic: drop the name "conn_stream" from the pool variable names
- REORG: rename cs_utils.h to sc_strm.h
- REORG: stconn: rename conn_stream.{c,h} to stconn.{c,h}
- CLEANUP: muxes: rename "get_first_cs" to "get_first_sc"
- DEV: flags: use "sc" for stream conns instead of "cs"
- CLEANUP: check: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: connection: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stconn: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: quic/h3: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stream: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: promex: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: stats: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cli: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: applet: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: cache: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: dns: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: spoe: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: hlua: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: log-forward: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: http-client: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-fcgi: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h1: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-h2: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: mux-pt: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: peers: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sink: rename all occurrences of stconn "cs" to "sc"
- CLEANUP: sslsock: remove only occurrence of local variable "cs"
- CLEANUP: applet: rename appctx_cs() to appctx_sc()
- CLEANUP: stream: rename stream_upgrade_from_cs() to stream_upgrade_from_sc()
- CLEANUP: obj_type: rename OBJ_TYPE_CS to OBJ_TYPE_SC
- CLEANUP: stconn: replace a few remaining occurrences of CS in comments or traces
- DOC: internal: update the muxes doc to mention the stconn
- CLEANUP: mux-quic: rename the "endp" field to "sd"
- CLEANUP: mux-h1: rename the "endp" field to "sd"
- CLEANUP: mux-h2: rename the "endp" field to "sd"
- CLEANUP: mux-fcgi: rename the "endp" field to "sd"
- CLEANUP: mux-pt: rename the "endp" field to "sd"
- CLEANUP: stconn: rename a few "endp" arguments and variables to "sd"
- MINOR: stconn: turn SE_FL_WILL_CONSUME to SE_FL_WONT_CONSUME
- CLEANUP: stream: remove unneeded test on appctx during initialization
- CLEANUP: stconn: remove the new unneeded SE_FL_APP_MASK
- DEV: flags: fix "siet" shortcut name
- DEV: flags: rename the "endp" shortcut to "sd" for "stream descriptor"
- DEV: flags: reorder a few SC/SE flags
- DOC: internal: add a description of the stream connectors and descriptors
We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.
Released version 2.6-dev11 with the following main changes :
- CI: determine actual LibreSSL version dynamically
- BUG/MEDIUM: ncbuf: fix null buffer usage
- MINOR: ncbuf: fix warnings for testing build
- MEDIUM: http-ana: Add a proxy option to restrict chars in request header names
- MEDIUM: ssl: Delay random generator initialization after config parsing
- MINOR: ssl: Add 'ssl-propquery' global option
- MINOR: ssl: Add 'ssl-provider' global option
- CLEANUP: Add missing header to ssl_utils.c
- CLEANUP: Add missing header to hlua_fcn.c
- CLEANUP: Remove unused function hlua_get_top_error_string
- BUILD: fix build warning on solaris based systems with __maybe_unused.
- MINOR: tools: add get_exec_path implementation for solaris based systems.
- BUG/MINOR: ssl: Fix crash when no private key is found in pem
- CLEANUP: conn-stream: Remove cs_applet_shut declaration from header file
- MINOR: applet: Prepare appctx to own the session on frontend side
- MINOR: applet: Let the frontend appctx release the session
- MINOR: applet: Change return value for .init callback function
- MINOR: stream: Export stream_free()
- MINOR: applet: Add appctx_init() helper fnuction
- MINOR: applet: Add a function to finalize frontend appctx startup
- MINOR: applet: Add function to release appctx on error during init stage
- MEDIUM: dns: Refactor dns appctx creation
- MEDIUM: spoe: Refactor SPOE appctx creation
- MEDIUM: lua: Refactor cosocket appctx creation
- MEDIUM: httpclient: Refactor http-client appctx creation
- MINOR: sink: Add a ref to sink in the sink_forward_target structure
- MEDIUM: sink: Refactor sink forwarder appctx creation
- MINOR: peers: Add a ref to peers section in the peer structure
- MEDIUM: peers: Refactor peer appctx creation
- MINOR: applet: Add API to start applet on a thread subset
- MEDIUM: applet: Add support for async appctx startup on a thread subset
- MINOR: peers: Track number of applets run by thread
- MEDIUM: peers: Balance applets across threads
- MINOR: conn-stream/applet: Stop setting appctx as the endpoint context
- CLEANUP: proxy: Remove dead code when parsing "http-restrict-req-hdr-names" option
- REGTESTS: abortonclose: Fix some race conditions
- MINOR: ssl: Add 'ssl-provider-path' global option
- CLEANUP: http_ana: Make use of the return value of stream_generate_unique_id()
- BUG/MINOR: spoe: Fix error handling in spoe_init_appctx()
- CLEANUP: peers: Remove unreachable code in peer_session_create()
- CLEANUP: httpclient: Remove useless test on ss_dst in httpclient_applet_init()
- BUG/MEDIUM: quic: fix Rx buffering
- OPTIM: quic: realign empty Rx buffer
- BUG/MINOR: ncbuf: fix ncb_is_empty()
- MINOR: ncbuf: refactor ncb_advance()
- BUG/MINOR: mux-quic: update session's idle delay before stream creation
- MINOR: h3: do not wait a complete frame for demuxing
- MINOR: h3: flag demux as full on HTX full
- MEDIUM: mux-quic: implement recv on io-cb
- MINOR: mux-quic: remove qcc_decode_qcs() call in XPRT
- MINOR: mux-quic: reorganize flow-control frames emission
- MINOR: mux-quic: implement MAX_STREAM_DATA emission
- MINOR: mux-quic: implement MAX_DATA emission
- BUG/MINOR: mux-quic: support nul buffer with qc_free_ncbuf()
- MINOR: mux-quic: free RX buf if empty
- BUG/MEDIUM: config: Reset outline buffer size on realloc error in readcfgfile()
- BUG/MINOR: check: Reinit the buffer wait list at the end of a check
- MEDIUM: check: No longer shutdown the connection in .wake callback function
- REORG: check: Rename and export I/O callback function
- MEDIUM: check: Use the CS to handle subscriptions for read/write events
- BUG/MINOR: quic: break for error on sendto
- MINOR: quic: abort on unlisted errno on sendto()
- MINOR: quic: detect EBADF on sendto()
- BUG/MEDIUM: quic: fix initialization for local/remote TPs
- CLEANUP: quic: adjust comment/coding style for TPs init
- BUG/MINOR: cfgparse: abort earlier in case of allocation error
- MINOR: quic: Dump initial derived secrets
- MINOR: quic_tls: Add quic_tls_derive_retry_token_secret()
- MINOR: quic_tls: Add quic_tls_decrypt2() implementation
- MINOR: quic: Retry implementation
- MINOR: cfgparse: Update for "cluster-secret" keyword for QUIC Retry
- MINOR: quic: Move quic_lstnr_dgram_dispatch() out of xprt_quic.c
- BUILD: stats: Missing headers inclusions from stats.h
- MINOR: quic_stats: Add a new stats module for QUIC
- MINOR: quic: Attach proxy QUIC stats counters to the QUIC connection
- BUG/MINOR: quic: Fix potential memory leak during QUIC connection allocations
- MINOR: quic: QUIC stats counters handling
- MINOR: quic: Add tune.quic.retry-threshold keyword
- MINOR: quic: Dynamic Retry implementation
- MINOR: quic/mux-quic: define CONNECTION_CLOSE send API
- MINOR: mux-quic: emit FLOW_CONTROL_ERROR
- MINOR: mux-quic: emit STREAM_LIMIT_ERROR
- MINOR: mux-quic: close connection on error if different data at offset
- BUG/MINOR: peers: fix error reporting of "bind" lines
- CLEANUP: config: improve address parser error report for unmatched protocols
- CLEANUP: config: provide cleare hints about unsupported QUIC addresses
- MINOR: protocol: replace ctrl_type with xprt_type and clarify it
- MINOR: listener: provide a function to process all of a bind_conf's arguments
- MINOR: config: use the new bind_parse_args_list() to parse a "bind" line
- CLEANUP: listener: add a comment about what the BC_SSL_O_* flags are for
- MINOR: listener: add a new "options" entry in bind_conf
- CLEANUP: listener: replace all uses of bind_conf->is_ssl with BC_O_USE_SSL
- CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
- CLEANUP: listener: replace bind_conf->quic_force_retry with BC_O_QUIC_FORCE_RETRY
- CLEANUP: listener: store stream vs dgram at the bind_conf level
- MINOR: listener: detect stream vs dgram conflict during parsing
- MINOR: listener: set the QUIC xprt layer immediately after parsing the args
- MINOR: listener/ssl: set the SSL xprt layer only once the whole config is known
- MINOR: connection: add flag MX_FL_FRAMED to mark muxes relying on framed xprt
- MINOR: config: detect and report mux and transport incompatibilities
- MINOR: listener: automatically select a QUIC mux with a QUIC transport
- MINOR: listener: automatically enable SSL if a QUIC transport is found
- BUG/MINOR: quic: Fixe a typo in qc_idle_timer_task()
- BUG/MINOR: quic: Missing <conn_opening> stats counter decrementation
- BUILD/MINOR: cpuset fix build for FreeBSD 13.1
- CI: determine actual OpenSSL version dynamically
When loading providers with 'ssl-provider' global options, this
ssl-provider-path option can be used to set the search path that is to
be used by openssl. It behaves the same way as the OPENSSL_MODULES
environment variable.
When HAProxy is linked to an OpenSSLv3 library, this option can be used
to load a provider during init. You can specify multiple ssl-provider
options, which will be loaded in the order they appear. This does not
prevent OpenSSL from parsing its own configuration file in which some
other providers might be specified.
A linked list of the providers loaded from the configuration file is
kept so that all those providers can be unloaded during cleanup. The
providers loaded directly by OpenSSL will be freed by OpenSSL.
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.
Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.
When this option is set, the policy must be specify:
* preserve: It disables the filtering. It is the default mode for HTTP
proxies with no FastCGI application configured.
* delete: It removes request headers with a name containing a character
outside the "[a-zA-Z0-9-]" charset. It is the default mode for
HTTP backends with a configured FastCGI application.
* reject: It rejects the request with a 403-Forbidden response if it
contains a header name with a character outside the
"[a-zA-Z0-9-]" charset.
The option is evaluated per-proxy and after http-request rules evaluation.
This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
Released version 2.6-dev10 with the following main changes :
- MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file
- MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt
- BUG/MINOR: ssl: Fix typos in crl-file related CLI commands
- MINOR: compiler: add a new macro to set an attribute on an enum when possible
- BUILD: stats: conditionally mark obsolete stats states as deprecated
- BUILD: ssl: work around bogus warning in gcc 12's -Wformat-truncation
- BUILD: debug: work around gcc-12 excessive -Warray-bounds warnings
- BUILD: listener: shut report of possible null-deref in listener_accept()
- BUG/MEDIUM: ssl: fix the gcc-12 broken fix :-(
- DOC: install: update gcc version requirements
- BUILD: makefile: add -Wfatal-errors to the default flags
- BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
- BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
- BUG/MINOR: mux-h2: mark the stream as open before processing it not after
- MINOR: mux-h2: report a trace event when failing to create a new stream
- DOC: configuration: add the httpclient keywords to the global keywords index
- MINOR: quic: Add a debug counter for sendto() errors
- BUG/MINOR: quic: Dropped peer transport parameters
- BUG/MINOR: quic: Wrong unit for ack delay for incoming ACK frames
- MINOR: quic: Congestion controller event trace fix (loss)
- MINOR: quic: Add correct ack delay values to ACK frames
- MINOR: config: Add "cluster-secret" new global keyword
- MINOR: quic-tls: Add quic_hkdf_extract_and_expand() for HKDF
- MINOR: quic: new_quic_cid() code moving
- MINOR: quic: Initialize stateless reset tokens with HKDF secrets
- MINOR: qc_new_conn() rework for stateless reset
- MINOR: quic: Stateless reset token copy to transport parameters
- MINOR: quic: Send stateless reset tokens
- MINOR: quic: Short packets always embed a trailing AEAD TAG
- CLEANUP: quic: wrong use of eb*entry() macro
- CLEANUP: quic: Useless use of pointer for quic_hkdf_extract()
- CLEANUP: quic_tls: QUIC_TLS_IV_LEN defined two times
- MINOR: ncbuf: define non-contiguous buffer
- MINOR: ncbuf: complete API and define block interal abstraction
- MINOR: ncbuf: optimize storage for the last gap
- MINOR: ncbuf: implement insertion
- MINOR: ncbuf: define various insertion modes
- MINOR: ncbuf: implement advance
- MINOR: ncbuf: write unit tests
- BUG/MEDIUM: lua: fix argument handling in data removal functions
- DOC/MINOR: fix typos in the lua-api document
- BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
- MINOR: mux-h1: Add global option accpet payload for any HTTP/1.0 requests
- CLEANUP: mux-h1: Fix comments and error messages for global options
- MINOR: conn_stream: make cs_set_error() work on the endpoint instead
- CLEANUP: mux-h1: always take the endp from the h1s not the cs
- CLEANUP: mux-h2: always take the endp from the h2s not the cs
- CLEANUP: mux-pt: always take the endp from the context not the cs
- CLEANUP: mux-fcgi: always take the endp from the fstrm not the cs
- CLEANUP: mux-quic: always take the endp from the qcs not the cs
- CLEANUP: applet: use the appctx's endp instead of cs->endp
- MINOR: conn_stream: add a pointer back to the cs from the endpoint
- MINOR: mux-h1: remove the now unneeded h1s->cs
- MINOR: mux-h2: make sure any h2s always has an endpoint
- MINOR: mux-h2: remove the now unneeded conn_stream from the h2s
- MINOR: mux-fcgi: make sure any stream always has an endpoint
- MINOR: mux-fcgi: remove the now unneeded conn_stream from the fcgi_strm
- MINOR: mux-quic: remove the now unneeded conn_stream from the qcs
- MINOR: mux-pt: remove the now unneeded conn_stream from the context
- CLEANUP: muxes: make mux->attach/detach take a conn_stream endpoint
- MINOR: applet: replace cs_applet_shut() with appctx_shut()
- MINOR: applet: add appctx_strm() and appctx_cs() to access common fields
- CLEANUP: applet: remove the unneeded appctx->owner
- CLEANUP: conn_stream: merge cs_new_from_{mux,applet} into cs_new_from_endp()
- MINOR: ext-check: indicate the transport and protocol of a server
- BUG/MEDIUM: mux-quic: fix a thinko in the latest cs/endpoint cleanup
- MINOR: tools: improve error message accuracy in str2sa_range
- MINOR: config: make sure never to mix dgram and stream protocols on a bind line
- BUG/MINOR: ncbuf: fix coverity warning on uninit sz_data
- MINOR: xprt_quic: adjust flow-control according to bufsize
- MEDIUM: mux-quic/h3/hq-interop: use ncbuf for bidir streams
- MEDIUM: mux-quic/h3/qpack: use ncbuf for uni streams
- CLEANUP: mux-quic: remove unused fields for Rx
- CLEANUP: quic: remove unused quic_rx_strm_frm
Valerio Pachera explained [1] that external checks would benefit from
having a variable indicating if SSL is being used or not on the server
being checked, and the discussion derived to also indicating the protocol
in use.
This patch adds two environment variables for external checks:
- HAPROXY_SERVER_SSL: equals "0" when SSL is not used, "1" when it is
- HAPROXY_SERVER_PROTO: contains one of the following words to describe
the protocol used with this server:
- "cli": the haproxy CLI. Normally not seen
- "syslog": this is a syslog TCP server
- "peers": this is a peers TCP server
- "h1": this is an HTTP/1.x server
- "h2": this is an HTTP/2 server
- "tcp": this is any other TCP server
The patch is very simple, and may be backported to recent versions if
needed. This closes github issue #1692.
[1] https://www.mail-archive.com/haproxy@formilux.org/msg42233.html
Since the 2.5, for security reason, HTTP/1.0 GET/HEAD/DELETE requests with a
payload are rejected (See e136bd12a "MEDIUM: mux-h1: Reject HTTP/1.0
GET/HEAD/DELETE requests with a payload" for details). However it may be an
issue for old clients.
To avoid any compatibility issue with such clients,
"h1-accept-payload-with-any-method" global option was added. It must only be
set if there is a good reason to do so because it may lead to a request
smuggling attack on some servers or intermediaries.
This patch should solve the issue #1691. it may be backported to 2.5.
It could be usefull to set a ASCII secret which could be used for different
usages. For instance, it will be used to derive QUIC stateless reset tokens.
Released version 2.6-dev9 with the following main changes :
- MINOR: mux-quic: support full request channel buffer
- BUG/MINOR: h3: fix parsing of unknown frame type with null length
- CLEANUP: backend: make alloc_{bind,dst}_address() idempotent
- MEDIUM: stream: remove the confusing SF_ADDR_SET flag
- MINOR: conn_stream: remove the now unused CS_FL_ADDR_*_SET flags
- CLEANUP: protocol: make sure the connect_* functions always receive a dst
- MINOR: connection: get rid of the CO_FL_ADDR_*_SET flags
- MINOR: session: get rid of the now unused SESS_FL_ADDR_*_SET flags
- CLEANUP: mux: Useless xprt_quic-t.h inclusion
- MINOR: quic: Make the quic_conn be aware of the number of streams
- BUG/MINOR: quic: Dropped retransmitted STREAM frames
- BUG/MINOR: mux_quic: Dropped packet upon retransmission for closed streams
- MEDIUM: httpclient: remove url2sa to use a more flexible parser
- MEDIUM: httpclient: http-request rules for resolving
- MEDIUM: httpclient: allow address and port change for resolving
- CLEANUP: httpclient: remove the comment about resolving
- MINOR: httpclient: handle unix and other socket types in dst
- MINOR: httpclient: rename dash by dot in global option
- MINOR: init: exit() after pre-check upon error
- MINOR: httpclient: cleanup the error handling in init
- MEDIUM: httpclient: hard-error when SSL is configured
- MINOR: httpclient: allow to configure the ca-file
- MINOR: httpclient: configure the resolvers section to use
- MINOR: httpclient: allow ipv4 or ipv6 preference for resolving
- DOC: configuration: httpclient global option
- MINOR: conn-stream: Add mask from flags set by endpoint or app layer
- BUG/MEDIUM: conn-stream: Only keep app layer flags of the endpoint on reset
- BUG/MEDIUM: mux-fcgi: Be sure to never set EOM flag on an empty HTX message
- BUG/MEDIUM: mux-h1: Be able to handle trailers when C-L header was specified
- DOC: config: Update doc for PR/PH session states to warn about rewrite failures
- MINOR: resolvers: cleanup alert/warning in parse-resolve-conf
- MINOR: resolvers: move the resolv.conf parser in parse_resolv_conf()
- MINOR: resolvers: resolvers_new() create a resolvers with default values
- BUILD: debug: unify the definition of ha_backtrace_to_stderr()
- BUG/MINOR: tcp/http: release the expr of set-{src,dst}[-port]
- MEDIUM: resolvers: create a "default" resolvers section at startup
- DOC: resolvers: default resolvers section
- BUG/MINOR: startup: usage() when no -cc arguments
- BUG/MEDIUM: resolvers: make "show resolvers" properly yield
- BUG/MEDIUM: cli: make "show cli sockets" really yield
- BUG/MINOR: proxy/cli: don't enumerate internal proxies on "show backend"
- BUG/MINOR: map/cli: protect the backref list during "show map" errors
- BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
- BUG/MINOR: ssl/cli: fix "show ssl ca-file/crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl ca-file <name>" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl crl-file" not to mix cli+ssl contexts
- BUG/MINOR: ssl/cli: fix "show ssl cert" not to mix cli+ssl contexts
- CLEANUP: ssl/cli: do not loop on unknown states in "add ssl crt-list" handler
- MINOR: applet: reserve some generic storage in the applet's context
- CLEANUP: applet: make appctx_new() initialize the whole appctx
- CLEANUP: stream/cli: take the "show sess" context definition out of the appctx
- CLEANUP: stream/cli: stop using appctx->st2 for the dump state
- CLEANUP: stream/cli: remove the unneeded init state from "show sess"
- CLEANUP: stream/cli: remove the unneeded STATE_FIN state from "show sess"
- CLEANUP: stream/cli: remove the now unneeded dump state from "show sess"
- CLEANUP: proxy/cli: take the "show errors" context definition out of the appctx
- CLEANUP: stick-table/cli: take the "show table" context definition out of the appctx
- CLEANUP: stick-table/cli: stop using appctx->st2 for the dump state
- CLEANUP: stick-table/cli: remove the unneeded STATE_INIT for "show table"
- CLEANUP: map/cli: take the "show map" context definition out of the appctx
- CLEANUP: map/cli: stop using cli.i0/i1 to store the generation numbers
- CLEANUP: map/cli: stop using appctx->st2 for the dump state
- CLEANUP: map/cli: always detach the backref from the list after "show map"
- CLEANUP: peers/cli: take the "show peers" context definition out of the appctx
- CLEANUP: peers/cli: stop using appctx->st2 for the dump state
- CLEANUP: peers/cli: remove unneeded state STATE_INIT
- CLEANUP: cli: initialize the whole appctx->ctx, not just the stats part
- CLEANUP: promex: make the applet use its own context
- CLEANUP: promex: stop using appctx->st2
- CLEANUP: stats/cli: take the "show stat" context definition out of the appctx
- CLEANUP: stats/cli: stop using appctx->st2
- CLEANUP: hlua/cli: take the hlua_cli context definition out of the appctx
- CLEANUP: ssl/cli: use a local context for "show cafile"
- CLEANUP: ssl/cli: use a local context for "show crlfile"
- CLEANUP: ssl/cli: use a local context for "show ssl cert"
- CLEANUP: ssl/cli: use a local context for "commit ssl cert"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cert"
- CLEANUP: ssl/cli: use a local context for "set ssl cafile"
- CLEANUP: ssl/cli: use a local context for "set ssl crlfile"
- CLEANUP: ssl/cli: use a local context for "commit ssl {ca|crl}file"
- CLEANUP: ssl/cli: stop using appctx->st2 for "commit ssl ca/crl"
- CLEANUP: ssl/cli: stop using ctx.cli.i0/i1/p0 for "show tls-keys"
- CLEANUP: ssl/cli: add a new "dump_entries" field to "show_keys_ref"
- CLEANUP: ssl/cli: make "show tlskeys" not use appctx->st2 anymore
- CLEANUP: ssl/cli: make "show ssl ocsp-response" not use cli.p0 anymore
- CLEANUP: ssl/cli: make "{show|dump} ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" use its own context
- CLEANUP: ssl/cli: make "add ssl crtlist" not use st2 anymore
- CLEANUP: dns: stop abusing the sink forwarder's context
- CLEANUP: sink: use the generic context to store the forwarder's context
- CLEANUP: activity/cli: make "show profiling" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev fd" not use ctx.cli anymore
- CLEANUP: debug/cli: make "debug dev memstats" not use ctx.cli anymore
- CLEANUP: ring: pass the ring watch flags to ring_attach_cli(), not in ctx.cli
- CLEANUP: ring/cli: use a locally-defined context instead of using ctx.cli
- CLEANUP: resolvers/cli: make "show resolvers" use a locally-defined context
- CLEANUP: resolvers/cli: remove the unneeded appctx->st2 from "show resolvers"
- CLEANUP: cache/cli: make use of a locally defined context for "show cache"
- CLEANUP: proxy/cli: make use of a locally defined context for "show servers"
- CLEANUP: proxy/cli: get rid of appctx->st2 in "show servers"
- CLEANUP: proxy/cli: make "show backend" only use the generic context
- CLEANUP: cli: make "show fd" use its own context
- CLEANUP: cli: make "show env" use its own context
- CLEANUP: cli: simplify the "show cli sockets" I/O handler
- CLEANUP: cli: make "show cli sockets" use its own context
- CLEANUP: httpclient/cli: use a locally-defined context instead of ctx.cli
- CLEANUP: httpclient: do not use the appctx.ctx anymore
- CLEANUP: peers: do not use appctx.ctx anymore
- CLEANUP: spoe: do not use appctx.ctx anymore
- BUILD: applet: mark the CLI's generic variables as deprecated
- BUILD: applet: mark the appctx's st2 variable as deprecated
- CLEANUP: cache: take the context out of appctx.ctx
- MEDIUM: lua: move the cosocket storage outside of appctx.ctx
- MINOR: lua: move the tcp service storage outside of appctx.ctx
- MINOR: lua: move the http service context out of appctx.ctx
- CLEANUP: cli: move the status print context into its own context
- CLEANUP: stats: rename the stats state values an mark the old ones deprecated
- DOC: internal: document the new cleaner approach to the appctx
- MINOR: tcp: socket translate TCP_KEEPIDLE for macOs equivalent
- DOC: fix typo "ant" for "and" in INSTALL
- CI: dynamically determine actual version of h2spec
When an HTTP header rewrite failure is triggered, and 500-internal-error
response is returned. A "PR" termination state is logged if the error
occurred on the request and "PH" if the error is reported for the response.
The documentation was updated accordingly.
This patch is related to issue #1597.
Documentation about the 4 options in the global section for the
httpclient:
- httpclient.ssl.verify
- httpclient.ssl.ca-file
- httpclient.resolvers.id
- httpclient.resolvers.prefer
Released version 2.6-dev8 with the following main changes :
- BUG/MINOR: quic: fix use-after-free with trace on ACK consume
- BUG/MINOR: rules: Forbid captures in defaults section if used by a backend
- BUG/MEDIUM: rules: Be able to use captures defined in defaults section
- BUG/MINOR: rules: Fix check_capture() function to use the right rule arguments
- BUG/MINOR: http-act: make release_http_redir() more robust
- BUG/MINOR: sample: add missing use_backend/use-server contexts in smp_resolve_args
- MINOR: sample: don't needlessly call c_none() in sample_fetch_as_type()
- MINOR: sample: make the bool type cast to bin
- MEDIUM: backend: add new "balance hash <expr>" algorithm
- MINOR: init: add global setting "fd-hard-limit" to bound system limits
- BUILD: pollers: use an initcall to register the pollers
- BUILD: xprt: use an initcall to register the transport layers
- BUILD: thread: use initcall instead of a constructor
- BUILD: http: remove the two unused constructors in rules and ana
- CLEANUP: compression: move the default setting of maxzlibmem to defaults
- MINOR: tree-wide: always consider EWOULDBLOCK in addition to EAGAIN
- BUG/MINOR: connection: "connection:close" header added despite 'close-spread-time'
- MINOR: fd: add functions to set O_NONBLOCK and FD_CLOEXEC
- CLEANUP: tree-wide: use fd_set_nonblock() and fd_set_cloexec()
- CLEANUP: tree-wide: remove 25 occurrences of unneeded fcntl.h
- REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
- REGTESTS: webstats: remove unused stats socket in /tmp
- MEDIUM: httpclient: disable SSL when the ca-file couldn't be loaded
- BUG/MINOR: httpclient/lua: error when the httpclient_start() fails
- BUG/MINOR: ssl: free the cafile entries on deinit
- BUG/MINOR: ssl: memory leak when trying to load a directory with ca-file
- MEDIUM: httpclient: re-enable the verify by default
- BUG/MEDIUM: ssl/cli: fix yielding in show_cafile_detail
- BUILD: compiler: properly distinguish weak and global symbols
- MINOR: connection: Add way to disable active connection closing during soft-stop
- BUG/MEDIUM: http-ana: Fix memleak in redirect rules with ignore-empty option
- CLEANUP: Destroy `http_err_chunks` members during deinit
- BUG/MINOR: resolvers: Fix memory leak in resolvers_deinit()
- MINOR: Call deinit_and_exit(0) for `haproxy -vv`
- BUILD: fd: disguise the fd_set_nonblock/cloexec result
- BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
- MINOR: ssl: add a new global option "tune.ssl.hard-maxrecord"
- CLEANUP: errors: also call deinit_errors_buffers() on deinit()
- CLEANUP: chunks: release trash also in deinit
- CLEANUP: deinit: release the pre-check callbacks
- CLEANUP: deinit: release the config postparsers
- CLEANUP: listeners/deinit: release accept queue tasklets on deinit
- CLEANUP: connections/deinit: destroy the idle_conns tasks
- BUG/MINOR: mux-quic: fix build in release mode
- MINOR: mux-quic: adjust comment on emission function
- MINOR: mux-quic: remove unused bogus qcc_get_stream()
- BUG/MINOR: mux-quic: fix leak if cs alloc failure
- MINOR: mux-quic: count local flow-control stream limit on reception
- BUG/MINOR: h3: fix incomplete POST requests
- BUG/MEDIUM: h3: fix use-after-free on mux Rx buffer wrapping
- MINOR: mux-quic: partially copy Rx frame if almost full buf
- MINOR: h3: change frame demuxing API
- MINOR: mux-quic: add a app-layer context in qcs
- MINOR: h3: implement h3 stream context
- MINOR: h3: support DATA demux if buffer full
- MINOR: quic: decode as much STREAM as possible
- MINOR: quic: Improve qc_prep_pkts() flexibility
- MINOR: quic: Prepare quic_frame struct duplication
- MINOR: quic: Do not retransmit frames from coalesced packets
- MINOR: quic: Add traces about TX frame memory releasing
- MINOR: quic: process_timer() rework
- MEDIUM: quic: New functions for probing rework
- MEDIUM: quic: Retransmission functions rework
- MEDIUM: quic: qc_requeue_nacked_pkt_tx_frms() rework
- MINOR: quic: old data distinction for qc_send_app_pkt()
- MINOR: quic: Mark packets as probing with old data
- MEDIUM: quic: Mark copies of acknowledged frames as acknowledged
- MEDIUM: quic: Enable the new datagram probing process
- MINOR: quic: Do not send ACK frames when probing
- BUG/MINOR: quic: Wrong returned status by qc_build_frms()
- BUG/MINOR: quic: Avoid sending useless PADDING frame
- BUG/MINOR: quic: Traces fix about remaining frames upon packet build failure
- MINOR: quic: Wake up the mux to probe with new data
- BUG/MEDIUM: quic: Possible crash on STREAM frame loss
- BUG/MINOR: quic: Missing Initial packet length check
- CLEANUP: quic: Rely on the packet length set by qc_lstnr_pkt_rcv()
- MINOR: quic: Drop 0-RTT packets if not allowed
- BUG/MINOR: httpclient/ssl: use the correct verify constant
- BUG/MEDIUM: conn-stream: Don't erase endpoint flags on reset
- BUG/MEDIUM: httpclient: Fix loop consuming HTX blocks from the response channel
- BUG/MINOR: httpclient: Count metadata in size to transfer via htx_xfer_blks()
- MINOR: httpclient: Don't use co_set_data() to decrement output
- BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
- MEDIUM: quic: do not ACK packet with STREAM if MUX not present
- MEDIUM: quic: do not ack packet with invalid STREAM
- MINOR: quic: Drop 0-RTT packets without secrets
- CLEANUP: quic: Remaining fprintf() debug trace
- MINOR: quic: moving code for QUIC loss detection
- BUG/MINOR: quic: Missing time threshold multiplifier for loss delay computation
- CI: github actions: update LibreSSL to 3.5.2
- SCRIPTS: announce-release: add URL of dev packages
Low footprint client machines may not have enough memory to download a
complete 16KB TLS record at once. With the new option the maximum
record size can be defined on the server side.
Note: Before limiting the the record size on the server side, a client should
consider using the TLS Maximum Fragment Length Negotiation Extension defined
in RFC6066.
This patch fixes GitHub issue #1679.
If the "close-spread-time" option is set to "infinite", active
connection closing during a soft-stop can be disabled. The 'connection:
close' header or the GOAWAY frame will not be added anymore to the
server's response and active connections will only be closed once the
clients disconnect. Idle connections will not be closed all at once when
the soft-stop starts anymore, and each idle connection will follow its
own timeout based on the multiple timeouts set in the configuration (as
is the case during regular execution).
This feature request was described in GitHub issue #1614.
This patch should be backported to 2.5. It depends on 'MEDIUM: global:
Add a "close-spread-time" option to spread soft-stop on time window'.
On some systems, the hard limit for ulimit -n may be huge, in the order
of 1 billion, and using this to automatically compute maxconn doesn't
work as it requires way too much memory. Users tend to hard-code maxconn
but that's not convenient to manage deployments on heterogenous systems,
nor when porting configs to developers' machines. The ulimit-n parameter
doesn't work either because it forces the limit. What most users seem to
want (and it makes sense) is to respect the system imposed limits up to
a certain value and cap this value. This is exactly what fd-hard-limit
does.
This addresses github issue #1622.
Almost all of our hash-based LB algorithms are implemented as special
cases of something that can now be achieved using sample expressions,
and some of them have adopted some options to adapt their behavior in
ways that could also be achieved using converters.
There are users who want to hash other parameters that are combined
into variables, and who set headers from these values and use
"balance hdr(name)" for this.
Instead of constantly implementing specific options and having users
hack around when they want a real hash, let's implement a native hash
mode that applies to a standard sample expression. This way, any
fetchable element (including variables) may be used to construct the
hash, even modified by any converter if desired.
Released version 2.6-dev7 with the following main changes :
- BUILD: calltrace: fix wrong include when building with TRACE=1
- MINOR: ssl: Use DH parameters defined in RFC7919 instead of hard coded ones
- MEDIUM: ssl: Disable DHE ciphers by default
- BUILD: ssl: Fix compilation with OpenSSL 1.0.2
- MINOR: mux-quic: split xfer and STREAM frames build
- REORG: quic: use a dedicated module for qc_stream_desc
- MINOR: quic-stream: use distinct tree nodes for quic stream and qcs
- MINOR: quic-stream: add qc field
- MEDIUM: quic: implement multi-buffered Tx streams
- MINOR: quic-stream: refactor ack management
- MINOR: quic: limit total stream buffers per connection
- MINOR: mux-quic: implement immediate send retry
- MINOR: cfg-quic: define tune.quic.conn-buf-limit
- MINOR: ssl: Add 'show ssl providers' cli command and providers list in -vv option
- REGTESTS: ssl: Update error messages that changed with OpenSSLv3.1.0-dev
- BUG/MEDIUM: quic: Possible crash with released mux
- BUG/MINOR: mux-quic: unsubscribe on release
- BUG/MINOR: mux-quic: handle null timeout
- BUG/MEDIUM: logs: fix http-client's log srv initialization
- BUG/MINOR: mux-quic: remove dead code in qcs_xfer_data()
- DEV: stream: Fix conn-streams dump in full stream message
- CLEANUP: conn-stream: Rename cs_conn_close() and cs_conn_drain_and_close()
- CLEANUP: conn-stream: Rename cs_applet_release()
- MINOR: conn-stream: Rely on endpoint shutdown flags to shutdown an applet
- BUG/MINOR: cache: Disable cache if applet creation fails
- BUG/MINOR: backend: Don't allow to change backend applet
- BUG/MEDIUM: conn-stream: Set back CS to RDY state when the appctx is created
- MINOR: stream: Don't needlessly detach server endpoint on early client abort
- MINOR: conn-stream: Make cs_detach_* private and use cs_destroy() from outside
- MINOR: init: add the pre-check callback
- MEDIUM: httpclient: change the init sequence
- MEDIUM: httpclient/ssl: verify required
- MINOR: httpclient/mworker: disable in the master process
- MEDIUM: httpclient/ssl: verify is configurable and disabled by default
- BUG/MAJOR: connection: Never remove connection from idle lists outside the lock
- BUG/MEDIUM: mux-quic: fix stalled POST requets
- BUG/MINOR: mux-quic: fix POST with abortonclose
- MINOR: task: add a new task_instant_wakeup() function
- MEDIUM: queue: use tasklet_instant_wakeup() to wake tasks
- DOC: remove my name from the config doc
