The new "update ssl ocsp-response <certfile>" CLI command allows to
update the stored OCSP response for a given certificate. It relies on
the http_client which is used to send an HTTP request to the OCSP
responder whose URI can be extracted from the certificate.
This command won't work for a certificate that did not have a stored
OCSP response yet.
Till now it was only possible to change the thread local hot cache size
at build time using CONFIG_HAP_POOL_CACHE_SIZE. But along benchmarks it
was sometimes noticed a huge contention in the lower level memory
allocators indicating that larger caches could be beneficial, especially
on machines with large L2 CPUs.
Given that the checks against this value was no longer on a hot path
anymore, there was no reason for continuing to force it to be tuned at
build time. So this patch allows to set it by tune.memory-hot-size.
It's worth noting that during the boot phase the value remains zero so
that it's possible to know if the value was set or not, which opens the
possibility that we try to automatically adjust it based on the per-cpu
L2 cache size or the use of certain protocols (none of this is done yet).
Since the massive pools cleanup that happened in 2.6, the pools
architecture was made quite more hierarchical and many alternate code
blocks could be moved to runtime flags set by -dM. One of them had not
been converted by then, DEBUG_UAF. It's not much more difficult actually,
since it only acts on a pair of functions indirection on the slow path
(OS-level allocator) and a default setting for the cache activation.
This patch adds the "uaf" setting to the options permitted in -dM so
that it now becomes possible to set or unset UAF at boot time without
recompiling. This is particularly convenient, because every 3 months on
average, developers ask a user to recompile haproxy with DEBUG_UAF to
understand a bug. Now it will not be needed anymore, instead the user
will only have to disable pools and enable uaf using -dMuaf. Note that
-dMuaf only disables previously enabled pools, but it remains possible
to re-enable caching by specifying the cache after, like -dMuaf,cache.
A few tests with this mode show that it can be an interesting combination
which catches significantly less UAF but will do so with much less
overhead, so it might be compatible with some high-traffic deployments.
The change is very small and isolated. It could be helpful to backport
this at least to 2.7 once confirmed not to cause build issues on exotic
systems, and even to 2.6 a bit later as this has proven to be useful
over time, and could be even more if it did not require a rebuild. If
a backport is desired, the following patches are needed as well:
CLEANUP: pools: move the write before free to the uaf-only function
CLEANUP: pool: only include pool-os from pool.c not pool.h
REORG: pool: move all the OS specific code to pool-os.h
CLEANUP: pools: get rid of CONFIG_HAP_POOLS
DEBUG: pool: show a few examples in -dMhelp
Activate QUIC connection socket to achieve the best performance. The
previous behavior can be reverted by tune.quic.socket-owner
configuration option.
This change is part of quic-conn owned socket implementation.
Contrary to its siblings patches, I suggest to not backport it to 2.7.
This should ensure that stable releases behavior is perserved. If a user
faces issues with QUIC performance on 2.7, he can nonetheless change the
default configuration.
Define global configuration option "tune.quic.socket-owner". This option
can be used to activate or not socket per QUIC connection mode. The
default value is "listener" which disable this feature. It can be
activated with the option "connection".
This change is part of quic-conn owned socket implementation.
It may be backported to 2.7 after a period of observation.
This is an initial work for the dedicated
event handler API internal documentation.
The file is located at doc/internals/api/event_hdl.txt
event_hdl feature has been introduced with:
MINOR: event_hdl: add event handler base api
This patch also adds a set of new global options:
- 51degrees-use-performance-graph { on | off }
- 51degrees-use-predictive-graph { on | off }
- 51degrees-drift <number>
- 51degrees-difference <number>
- 51degrees-allow-unmatched { on | off }
To build using the latest 51Degrees V4 engine with Hash algorithm, set
USE_51DEGREES_V4=1.
Other supported build options are 51DEGREES_INC, 51DEGREES_LIB and
51DEGREES_SRC which needs to be set to the directory that contains
headers and C files. For example:
make TARGET=<target> USE_51DEGREES_V4=1 51DEGREES_SRC='51D_REPO_PATH'/src
Released version 2.7.0 with the following main changes :
- MINOR: ssl: forgotten newline in error messages on ca-file
- BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init
- DOC: config: provide some configuration hints for "http-reuse"
- DOC: config: refer to section about quoting in the "add_item" converter
- DOC: halog: explain how to use -ac and -ad in the help message
- DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
- DOC: config: mention that a single monitor-uri rule is supported
- DOC: config: explain how default matching method for ACL works
- DOC: config: clarify the fact that "retries" is not just for connections
- BUILD: halog: fix missing double-quote at end of help line
- DOC: config: clarify the -m dir and -m dom pattern matching methods
- MINOR: activity: report uptime in "show activity"
- REORG: activity/cli: move the "show activity" handler to activity.c
- DEV: poll: add support for epoll
- DEV: tcploop: centralize the polling code into wait_for_fd()
- DEV: tcploop: add support for POLLRDHUP when supported
- DEV: tcploop: do not report an error on POLLERR
- DEV: tcploop: add optional support for epoll
- SCRIPTS: announce-release: add a link to the data plane API
- CLEANUP: stick-table: fill alignment holes in the stktable struct
- MINOR: stick-table: store a per-table hash seed and use it
- MINOR: stick-table: show the shard number in each entry's "show table" output
- CLEANUP: ncbuf: remove ncb_blk args by value
- CLEANUP: ncbuf: inline small functions
- CLEANUP: ncbuf: use standard BUG_ON with DEBUG_STRICT
- BUG/MINOR: quic: Endless loop during retransmissions
- MINOR: mux-h2: add the expire task and its expiration date in "show fd"
- BUG/MINOR: peers: always initialize the stksess shard value
- REGTESTS: fix peers-related regtests regarding "show table"
- BUG/MEDIUM: mux-h1: Close client H1C on EOS when there is no output data
- MINOR: stick-table: change the API of the function used to calculate the shard
- CLEANUP: peers: factor out the key len calculation in received updates
- BUG/MINOR: peers: always update the stksess shard number on incoming updates
- CLEANUP: assorted typo fixes in the code and comments
- MINOR: mux-h1: add the expire task and its expiration date in "show fd"
- MINOR: debug: improve error handling on the memstats command parser
- BUILD: quic: allow build with USE_QUIC and USE_OPENSSL_WOLFSSL
- CLEANUP: anon: clarify the help message on "debug dev hash"
- MINOR: debug: relax access restrictions on "debug dev hash" and "memstats"
- SCRIPTS: run-regtests: add a version check
- MINOR: version: mention that it's stable now
Stick-tables support sharding to multiple peers but there was no way to
know to what shard an entry was going to be sent. Let's display this in
the "show table" output to ease debugging.
There's regularly some confusion about them (do they match at the
beginning, end ? do they support multiple components etc). Tim
suggested to improve the doc in issue #61, it's never too late, so
let's do it now wih a few examples.
In issue #412 it was rightfully reported that the wording in "retries"
still exclusively speaks about connection attempts, while since L7
retries with "retry-on" it's no longer a limitation. Let's update the
text.
In issue #698, it's made apparent that the default matching method for
ACL keywords can be confusing when a converter is applied, because
depending on the converters used, users may think that the default
matching method from the sample fetch name might apply to the whole
expression. It's easier to understand that this doesn't make sense
when thinking about converters turning to completely different types
(e.g. hdr_beg(host),do_resolve() returns an IP, thus it's obvious
that _beg makes no sense at all). This patch states this in the
doc to avoid future confusion.
It was reported in issue #1059 that when multiple monitor-uri rules are
specified, only the last one is used. While this was done on purpose
since a single URI is used, it was not clearly mentioned in the doc,
possibly leading to confusion or wasted time trying to establish a
working setup. Let's clarify this point.
As reported by Tim in issue #1373 some warnings are deserved to explain
why using the frontend SNI for routing or connecting to a server is
usually not correct, especially since it can be tempting and used to
make sense in pure TCP scenarios.
As requested by Nick in issue #1719, let's add a reference to the section
about quoting there, since add_item() will often be used with commas and
it's easy to mess up.
This adds some configuration hints regarding various workloads that do
not manage to achieve high reuse rates due to too low a global maxconn
or thread groups.
This fixes github issue #1472.
Released version 2.7-dev10 with the following main changes :
- MEDIUM: tcp-act: add parameter rst-ttl to silent-drop
- BUG/MAJOR: quic: Crash upon retransmission of dgrams with several packets
- MINOR: cli: print parsed command when not found
- BUG/MAJOR: quic: Crash after discarding packet number spaces
- CLEANUP: quic: replace "choosen" with "chosen" all over the code
- MINOR: cli/pools: store "show pools" results into a temporary array
- MINOR: cli/pools: add sorting capabilities to "show pools"
- MINOR: cli/pools: add pool name filtering capability to "show pools"
- DOC: configuration: fix quic prefix typo
- MINOR: quic: report error if force-retry without cluster-secret
- MINOR: global: generate random cluster.secret if not defined
- BUG/MINOR: resolvers: do not run the timeout task when there's no resolution
- BUG/MINOR: server/idle: at least use atomic stores when updating max_used_conns
- MINOR: server/idle: make the next_takeover index per-tgroup
- BUILD: listener: fix build warning on global_listener_rwlock without threads
- BUG/MAJOR: sched: protect task during removal from wait queue
- BUILD: sched: fix build with DEBUG_THREAD with the previous commit
- DOC: quic: add note on performance issue with listener contention
- BUG/MINOR: cfgparse-listen: fix ebpt_next_dup pointer dereference on proxy "from" inheritance
- BUG/MINOR: log: fix parse_log_message rfc5424 size check
- CLEANUP: arg: remove extra check in make_arg_list arg escaping
- CLEANUP: tools: extra check in utoa_pad
- MINOR: h1: Consider empty port as invalid in authority for CONNECT
- MINOR: http: Considere empty ports as valid default ports
- BUG/MINOR: http-htx: Normalized absolute URIs with an empty port
- BUG/MINOR: h1: Replace authority validation to conform RFC3986
- REG-TESTS: http: Add more tests about authority/host matching
- BUG/MINOR: http-htx: Don't consider an URI as normalized after a set-uri action
- BUG/MEDIUM: mux-h1: Don't release H1C on timeout if there is a SC attached
- BUG/MEDIUM: mux-h1: Subscribe for reads on error on sending path
- BUILD: http-htx: Silent build error about a possible NULL start-line
- DOC: configuration.txt: add default_value for table_idle signature
- BUILD: ssl-sock: Silent error about NULL deref in ssl_sock_bind_verifycbk()
- BUG/MEDIUM: mux-h1: Remove H1C_F_WAIT_NEXT_REQ flag on a next request
- BUG/MINOR: mux-h1: Fix handling of 408-Request-Time-Out
- MINOR: mux-h1: Remove H1C_F_WAIT_NEXT_REQ in functions handling errors
- MINOR: mux-h1: Avoid useless call to h1_send() if no error is sent
- DOC: configuration.txt: fix typo in table_idle signature
- BUILD: stick-tables: fix build breakage in xxhash on older compilers
- BUILD: compiler: include compiler's definitions before ours
- BUILD: quic: global.h is needed in cfgparse-quic
- CLEANUP: tools: do not needlessly include xxhash nor cli from tools.h
- BUILD: flags: really restrict the cases where flags are exposed
- BUILD: makefile: minor reordering of objects by build time
- BUILD: quic: silence two invalid build warnings at -O1 with gcc-6.5
- BUILD: quic: use openssl-compat.h instead of openssl/ssl.h
- MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode
- MINOR: sample: make the rand() sample fetch function use the statistical_prng
- MINOR: auth: silence null dereference warning in check_user()
- CLEANUP: peers: fix format string for status messages (int signedness)
- CLEANUP: qpack: fix format string in debugging code (int signedness)
- CLEANUP: qpack: properly use the QPACK macros not HPACK ones in debug code
- BUG/MEDIUM: quic: fix datagram dropping on queueing failed
An extra ',' was mistakenly added in table_idle converter signature
with commit ed36968 ("DOC: configuration.txt: add default_value for
table_idle signature").
table_idle converter takes optional default_value argument.
The documentation correctly describes this usage but <default_value> was
missing in the converter signature.
It should be backported with bbeec37b3 ("MINOR: stick-table:
Add table_expire() and table_idle() new converters")
An abosulte URI is marked as normalized if it comes from an H2 client. This
way, we know we can send a relative URI to an H1 server. But, after a
set-uri action, the URI must no longer be considered as normalized.
Otherwise there is no way to send an absolute URI on the server side.
If it is important to update a normalized absolute URI without altering this
property, the host, path and/or query-string must be set separatly.
This patch should fix the issue #1938. It should be backported as far as
2.4.
Complete quic4/quic6 bind lines by a note on performance issues due to
receiver socket contention. Suggest to use sharding to improve the
situation.
This should be backported up to 2.6.
If no cluster-secret is defined by the user, a random one is silently
generated.
This ensures that at least QUIC Retry tokens are generated if abnormal
conditions are detected. However, it is advisable to specify it in the
configuration for tokens to be valid even after a reload or across LBs
instances in the same cluster.
This should be backported up to 2.6.
QUIC Retry generation relies on global cluster-secret to produce token
valid even after a process restart and across several LBs instances.
Before this patch, Retry is automatically deactivated if no
cluster-secret is provided. This is the case even if a user has
configured a QUIC listener with quic-force-retry. Change this behavior
by now returning an error during configuration parsing. The user must
provide a cluster-secret if quic-force-retry is used.
This shoud be backported up to 2.6.
The "show pools" command is used a lot for debugging but didn't get much
love over the years. This patch brings new capabilities:
- sorting the output by pool names to ese their finding ("byname").
- sorting the output by reverse item size to spot the biggest ones("bysize")
- sorting the output by reverse number of allocated bytes ("byusage")
The last one (byusage) also omits displaying the ones with zero allocation.
In addition, an optional max number of output entries may be passed so as
to dump only the N most relevant ones.
The silent-drop action was extended with an additional optional parameter,
[rst-ttl <ttl> ], causing HAProxy to send a TCP RST with the specified TTL
towards the client.
With this behaviour, the connection state on your own client-
facing middle-boxes (load balancers, firewalls) will be purged,
but the client will still assume the TCP connection is up because
the TCP RST packet expires before reaching the client.
Released version 2.7-dev9 with the following main changes :
- BUILD: quic: QUIC mux build fix for 32-bit build
- BUILD: scripts: disable tests build on QuicTLS build
- BUG/MEDIUM: httpclient: segfault when the httpclient parser fails
- BUILD: ssl_sock: fix null dereference for QUIC build
- BUILD: quic: Fix build for m68k cross-compilation
- BUG/MINOR: quic: fix buffer overflow on retry token generation
- MINOR: quic: add version field on quic_rx_packet
- MINOR: quic: extend pn_offset field from quic_rx_packet
- MINOR: quic: define first packet flag
- MINOR: quic: extract connection retrieval
- MINOR: quic: split and rename qc_lstnr_pkt_rcv()
- MINOR: quic: refactor packet drop on reception
- MINOR: quic: extend Retry token check function
- BUG/MINOR: log: Preserve message facility when the log target is a ring buffer
- BUG/MINOR: ring: Properly parse connect timeout
- BUG/MEDIUM: httpclient/lua: crash when the lua task timeout before the httpclient
- BUG/MEDIUM: httpclient: check if the httpclient was released in the IO handler
- REGTESTS: httpclient/lua: test the lua task timeout with the httpclient
- CI: github: dump the backtrace of coredumps in the alpine container
- BUILD: Makefile: add "USE_SHM_OPEN" on the linux-musl target
- DOC: lua: add a note about compression w/ httpclient
- CLEANUP: mworker/cli: rename the status function to loadstatus
- MINOR: mworker/cli: does no try to dump the startup-logs w/o USE_SHM_OPEN
- MINOR: list: fixing typo in MT_LIST_LOCK_ELT
- DOC/MINOR: list: fixing MT_LIST_LOCK_ELT macro documentation
- MINOR: list: adding MT_LIST_APPEND_LOCKED macro
- BUG/MINOR: mux-quic: complete flow-control for uni streams
- BUG/MEDIUM: compression: handle rewrite errors when updating response headers
- MINOR: quic: do not crash on unhandled sendto error
- MINOR: quic: display unknown error sendto counter on stat page
- MINOR: peers: Support for peer shards
- MINOR: peers: handle multiple resync requests using shards
- BUG/MINOR: sink: Only use backend capability for the sink proxies
- BUG/MINOR: sink: Set default connect/server timeout for implicit ring buffers
- MINOR: ssl: add the SSL error string when failing to load a certificate
- MINOR: ssl: add the SSL error string before the chain
- MEDIUM: ssl: be stricter about chain error
- BUG/MAJOR: stick-table: don't process store-response rules for applets
- MINOR: quic: remove unnecessary quic_session_accept()
- BUG/MINOR: quic: fix subscribe operation
- BUG/MINOR: log: fixing bug in tcp syslog_io_handler Octet-Counting
- MINOR: ssl: dump the SSL string error when SSL_CTX_use_PrivateKey() failed.
- MINOR: quic: add counter for interrupted reception
- BUG/MINOR: quic: fix race condition on datagram purging
- CI: add monthly gcc cross compile jobs
- CLEANUP: assorted typo fixes in the code and comments
- CLEANUP: ssl: remove dead code in ssl_sock_load_pem_into_ckch()
- BUG/MINOR: httpclient: fixed memory allocation for the SSL ca_file
- BUG/MINOR: ssl: Memory leak of DH BIGNUM fields
- BUG/MINOR: ssl: Memory leak of AUTHORITY_KEYID struct when loading issuer
- BUG/MINOR: ssl: ocsp structure not freed properly in case of error
- CI: switch to the "latest" LibreSSL
- CI: enable QUIC for LibreSSL builds
- BUG/MEDIUM: ssl: Verify error codes can exceed 63
- MEDIUM: ssl: {ca,crt}-ignore-err can now use error constant name
- MINOR: ssl: x509_v_err_str converter transforms an integer to a X509_V_ERR name
- CLEANUP: cli: rename dynamic error printing state
- MINOR: cli: define usermsgs print context
- MINOR: server: clear prefix on stderr logs after add server
- BUG/MINOR: ssl: bind_conf is uncorrectly accessed when using QUIC
- BUILD: ssl_utils: fix build on gcc versions before 8
- BUILD: debug: remove unnecessary quotes in HA_WEAK() calls
- CI: emit the compiler's version in the build reports
- IMPORT: xxhash: update xxHash to version 0.8.1
- IMPORT: slz: declare len to fix debug build when optimal match is enabled
- IMPORT: slz: mention the potential header in slz_finish()
- IMPORT: slz: define and use a __fallthrough statement for switch/case
- BUILD: compiler: add a macro to detect if another one is set and equals 1
- BUILD: compiler: add a default definition for __has_attribute()
- BUILD: compiler: define a __fallthrough statement for switch/case
- BUILD: sample: use __fallthrough in smp_is_rw() and smp_dup()
- BUILD: quic: use __fallthrough in quic_connect_server()
- BUILD: ssl/crt-list: use __fallthrough in cli_io_handler_add_crtlist()
- BUILD: ssl: use __fallthrough in cli_io_handler_commit_{cert,cafile_crlfile}()
- BUILD: ssl: use __fallthrough in cli_io_handler_tlskeys_files()
- BUILD: hlua: use __fallthrough in hlua_post_init_state()
- BUILD: stream: use __fallthrough in stats_dump_full_strm_to_buffer()
- BUILD: tcpcheck: use __fallthrough in check_proxy_tcpcheck()
- BUILD: stats: use __fallthrough in stats_dump_proxy_to_buffer()
- BUILD: peers: use __fallthrough in peer_io_handler()
- BUILD: hash: use __fallthrough in hash_djb2()
- BUILD: tools: use __fallthrough in url_decode()
- BUILD: args: use __fallthrough in make_arg_list()
- BUILD: acl: use __fallthrough in parse_acl_expr()
- BUILD: spoe: use __fallthrough in spoe_handle_appctx()
- BUILD: logs: use __fallthrough in build_log_header()
- BUILD: check: use __fallthrough in __health_adjust()
- BUILD: http_act: use __fallthrough in parse_http_del_header()
- BUILD: h1_htx: use __fallthrough in h1_parse_chunk()
- BUILD: vars: use __fallthrough in var_accounting_{diff,add}()
- BUILD: map: use __fallthrough in cli_io_handler_*()
- BUILD: compression: use __fallthrough in comp_http_payload()
- BUILD: stconn: use __fallthrough in various shutw() functions
- BUILD: prometheus: use __fallthrough in promex_dump_metrics() and IO handler()
- CLEANUP: ssl: remove printf in bind_parse_ignore_err
- BUG/MINOR: ssl: crt-ignore-err memory leak with 'all' parameter
- BUG/MINOR: ssl: Fix potential overflow
- CLEANUP: stick-table: remove the unused table->exp_next
- OPTIM: stick-table: avoid atomic ops in stktable_requeue_exp() when possible
- BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
- MEDIUM: http-ana: remove set-cookie2 support
- BUG/MEDIUM: wdt/clock: properly handle early task hangs
- MINOR: deinit: add a "quick-exit" option to bypass the deinit step
- OPTIM: ebtree: make ebmb_insert_prefix() keep a copy the new node's pfx
- OPTIM: ebtree: make ebmb_insert_prefix() keep a copy the new node's key
- MINOR: ssl: ssl_sock_load_cert_chain() display error strings
- MINOR: ssl: reintroduce ERR_GET_LIB(ret) == ERR_LIB_PEM in ssl_sock_load_pem_into_ckch()
- BUG/MINOR: http-htx: Fix error handling during parsing http replies
- BUG/MINOR: resolvers: Don't wait periodic resolution on healthcheck failure
- BUG/MINOR: resolvers: Set port before IP address when processing SRV records
- BUG/MINOR: mux-fcgi: Be sure to send empty STDING record in case of zero-copy
- BUG/MEDIUM: mux-fcgi: Avoid value length overflow when it doesn't fit at once
- BUG/MINOR: ssl: SSL_load_error_strings might not be defined
- MINOR: pool/debug: create a new pool_alloc_flag() macro
- MINOR: dynbuf: switch allocation and release to macros to better track users
- BUG/MINOR: mux-h1: Do not send a last null chunk on body-less answers
- REG-TESTS: cache: Remove T-E header for 304-Not-Modified responses
- DOC: config: fix alphabetical ordering of global section
- MINOR: trace: split the CLI "trace" parser in CLI vs statement
- MEDIUM: trace: create a new "trace" statement in the "global" section
- BUG/MEDIUM: ring: fix creation of server in uninitialized ring
- BUILD: quic: fix dubious 0-byte overflow on qc_release_lost_pkts
- BUILD: makefile: mark poll and tcploop targets as phony
- BUILD: makefile: properly pass CC to sub-projects
- BUILD: makefile: move default verbosity settings to include/make/verbose.mk
- BUILD: makefile: use $(cmd_MAKE) in quiet mode
- BUILD: makefile: move the compiler option detection stuff to compiler.mk
- DEV: poll: make the connect() step an action as well
- DEV: poll: strip the "do_" prefix from reported function names
- DEV: poll: indicate the FD's side in front of its value
- BUG/MINOR: pool/cli: use ullong to report total pool usage in bytes
- MINOR: mux-h1: Remove usless code inside shutr callback
- CLEANUP: mux-h1; Rename H1S_F_ERROR flag into H1S_F_ERROR_MASK
- REORG: mux-h1: Reorg the H1C structure
- CLEANUP: mux-h1: Rename H1C_F_ST_ERROR and H1C_F_ST_SILENT_SHUT flags
- MINOR: mux-h1: Add a dedicated enum to deal with H1 connection state
- MEDIUM: mux-h1: Handle H1C states via its state field instead of H1C_F_ST_*
- MINOR: mux-h1: Don't handle subscribe for reads in h1_process_demux()
- CLEANUP: mux-h1: Rename H1C_F_ERR_PENDING into H1C_F_ABRT_PENDING
- MINOR: mux-h1: Add flag on H1 stream to deal with internal errors
- MEDIUM: mux-h1: Rely on the H1C to deal with shutdown for reads
- CLEANUP: mux-h1: Reorder H1 connection flags to avoid holes
- MEDIUM: mux-h1: Don't report a final error whe a message is aborted
- MEDIUM: mux-pt: Don't always set a final error on SE on the sending path
- MEDIUM: mux-h2: Introduce flags to deal with connection read/write errors
- CLEANUP: mux-h2: Remove unused fields in h2c structures
- MEDIUM: mux-fcgi: Introduce flags to deal with connection read/write errors
- MINOR: sconn: Set SE_FL_ERROR only when there is no more data to read
- MINOR: mux-h1: Rely on a H1S flag to know a WS key was found or not
- DOC: lua-api: Remove warning about the lua filters
- BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
- CLEANUP: listener: Remove useless task_queue from manage_global_listener_queue
- BUG/MINOR: mux-h1: Fix error handling when H1S allocation failed on client side
- DOC: internal: commit notes about polling states and flags
- DOC: internal: commit notes about polling states and flags on connect()
- CLEANUP: mux-h1: Don't test h1c in h1_shutw_conn()
- BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
- BUG/MEDIUM: raw-sock: Don't report connection error if something was received
- BUG/MINOR: ssl: don't initialize the keylog callback when not required
- BUILD: Makefile: enable USE_SHM_OPEN by default on freebsd
- BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
- MINOR: cfgparse: Always check the section position
- MEDIUM: thread: Restric nbthread/thread-group(s) to very first global sections
- BUILD: peers: Remove unused variables
- MINOR: ncbuf: complete doc for ncb_advance()
- BUG/MEDIUM: quic: fix unsuccessful handshakes on ncb_advance error
- BUG/MEDIUM: quic: fix memleak for out-of-order crypto data
- MINOR: quic: complete traces/debug for handshake
Let's keep these notes as references for later use. Polling on connect()
can sometimes return a few unexpected state combinations that such tests
illustrate. They can serve as reminders for special error handling.
The exact same commands as those from the CLI may be pre-loaded at boot
time by passing them one per line after the "trace" keyword in the global
section; i.e. just copy-pasting all commands directly there will do the
job. Note that if a ring is mentioned, it needs to be declared before the
global section. Another option is to append another global section after
"ring".
For now the keyword is marked as experimental to discourage its broad
adoption by default. "expose-experimental-directives" needs to be placed
in the global section to expose it.
the global section keywords were seriously misordered, and it's visible
that some mistakes have induced other ones over time, so it was about
time to fix this. Roughly 20% of the keywords were misplaced.
This commit only reordered the keywords index and their description,
nothing else was changed. It might be backported because it's a real
pain to find certain options there.
Once in a while we spot a bug in the deinit code that is complex,
especially when it has to deal with incomplete initializations, and the
ability to bypass this step has regularly been raised. In addition for
fast-reloading setups it could theoretically save some time. Tests have
shown that very large configs can barely save ~100-150ms by skipping the
deinit step. However the ability not to crash if a bug is encountered can
occasionally help.
This patch adds an option to do exactly this. It's obviously not enabled
by default and the documentation discourages from using it, but this might
be useful in the future.
The ca-ignore-err and crt-ignore-err directives are now able to use the
openssl X509_V_ERR constant names instead of the numerical values.
This allow a configuration to survive an OpenSSL upgrade, because the
numerical ID can change between versions. For example
X509_V_ERR_INVALID_CA was 24 in OpenSSL 1 and is 79 in OpenSSL 3.
The list of errors must be updated when a new major OpenSSL version is
released.
Add "shards" new keyword for "peers" section to configure the number
of peer shards attached to such secions. This impact all the stick-tables
attached to the section.
Add "shard" new "server" parameter to configure the peers which participate to
all the stick-tables contents distribution. Each peer receive the stick-tables updates
only for keys with this shard value as distribution hash. The "shard" value
is stored in ->shard new server struct member.
cfg_parse_peers() which is the function which is called to parse all
the lines of a "peers" section is modified to parse the "shards" parameter
stored in ->nb_shards new peers struct member.
Add srv_parse_shard() new callback into server.c to pare the "shard"
parameter.
Implement stksess_getkey_hash() to compute the distribution hash for a
stick-table key as the 64-bits xxhash of the key concatenated to the stick-table
name. This function is called by stksess_setkey_shard(), itself
called by the already implemented function which create a new stick-table
key (stksess_new()).
Add ->idlen new stktable struct member to store the stick-table name length
to not have to compute it each time a stick-table key hash is computed.
Released version 2.7-dev8 with the following main changes :
- BUG/MINOR: checks: update pgsql regex on auth packet
- DOC: config: Fix pgsql-check documentation to make user param mandatory
- CLEANUP: mux-quic: remove usage of non-standard ull type
- CLEANUP: quic: remove global var definition in quic_tls header
- BUG/MINOR: quic: adjust quic_tls prototypes
- CLEANUP: quic: fix headers
- CLEANUP: quic: remove unused function prototype
- CLEANUP: quic: remove duplicated varint code from xprt_quic.h
- CLEANUP: quic: create a dedicated quic_conn module
- BUG/MINOR: mux-quic: ignore STOP_SENDING for locally closed stream
- BUG/MEDIUM: lua: Don't crash in hlua_lua2arg_check on failure
- BUG/MEDIUM: lua: handle stick table implicit arguments right.
- BUILD: h1: silence an initiialized warning with gcc-4.7 and -Os
- MINOR: fd: add a new function to only raise RLIMIT_NOFILE
- MINOR: init: do not try to shrink existing RLIMIT_NOFIlE
- BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
- BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
- BUG/MINOR: hlua: hlua_channel_insert_data() behavior conflicts with documentation
- MINOR: quic: limit usage of ssl_sock_ctx in favor of quic_conn
- MINOR: mux-quic: check quic-conn return code on Tx
- CLEANUP: quic: fix indentation
- MEDIUM: quic: retrieve frontend destination address
- CLEANUP: Reapply ist.cocci (2)
- CLEANUP: Reapply strcmp.cocci
- CLEANUP: quic/receiver: remove the now unused tx_qring list
- BUG/MINOR: quic: set IP_PKTINFO socket option for QUIC receivers only
- MINOR: hlua: some luaL_checktype() calls were not guarded with MAY_LJMP
- DOC: configuration: missing 'if' in tcp-request content example
- MINOR: hlua: removing ambiguous lua_pushvalue with 0 index
- BUG/MAJOR: stick-tables: do not try to index a server name for applets
- MINOR: plock: support disabling exponential back-off
- MINOR: freq_ctr: use the thread's local time whenever possible
- MEDIUM: stick-table: switch the table lock to rwlock
- MINOR: stick-table: do not take an exclusive lock when downing ref_cnt
- MINOR: stick-table: move the write lock inside stktable_touch_with_exp()
- MEDIUM: stick-table: only take the lock when needed in stktable_touch_with_exp()
- MEDIUM: stick-table: make stksess_kill_if_expired() avoid the exclusive lock
- MEDIUM: stick-table: return inserted entry in __stktable_store()
- MEDIUM: stick-table: free newly allocated stkess if it couldn't be inserted
- MEDIUM: stick-table: switch to rdlock in stktable_lookup() and lookup_key()
- MEDIUM: stick-table: make stktable_get_entry() look up under a read lock
- MEDIUM: stick-table: do not take a lock to update t->current anymore.
- MEDIUM: stick-table: make stktable_set_entry() look up under a read lock
- MEDIUM: stick-table: requeue the expiration task out of the exclusive lock
- MINOR: stick-table: split stktable_store() between key and requeue
- MEDIUM: stick-table: always use atomic ops to requeue the table's task
- MEDIUM: stick-table: requeue the wakeup task out of the write lock
- BUG/MINOR: stick-table: fix build with DEBUG_THREAD
- REORG: mux-fcgi: Extract flags and enums into mux_fcgi-t.h
- MINOR: flags/mux-fcgi: Decode FCGI connection and stream flags
- BUG/MEDIUM: mux-h1: Add connection error handling when reading/sending on a pipe
- BUG/MEDIUM: mux-h1: Handle abort with an incomplete message during parsing
- BUG/MINOR: server: make sure "show servers state" hides private bits
- MINOR: checks: use the lighter PRNG for spread checks
- MEDIUM: checks: spread the checks load over random threads
- CI: SSL: use proper version generating when "latest" semantic is used
- CI: SSL: temporarily stick to LibreSSL=3.5.3
- MINOR: quic: New quic_cstream object implementation
- MINOR: quic: Extract CRYPTO frame parsing from qc_parse_pkt_frms()
- MINOR: quic: Use a non-contiguous buffer for RX CRYPTO data
- BUG/MINOR: quic: Stalled 0RTT connections with big ClientHello TLS message
- MINOR: quic: Split the secrets key allocation in two parts
- CLEANUP: quic: remove unused rxbufs member in receiver
- CLEANUP: quic: improve naming for rxbuf/datagrams handling
- MINOR: quic: implement datagram cleanup for quic_receiver_buf
- MINOR: ring: ring_cast_from_area() cast from an allocated area
- MINOR: buffers: split b_force_xfer() into b_cpy() and b_force_xfer()
- MINOR: logs: startup-logs can use a shm for logging the reload
- MINOR: mworker/cli: reload command displays the startup-logs
- MEDIUM: quic: respect the threads assigned to a bind line
- DOC: management: update the "reload" command of the master CLI
- BUILD: ssl_sock: bind_conf uninitialized in ssl_sock_bind_verifycbk()
- BUG/MEDIUM: httpclient: Don't set EOM flag on an empty HTX message
- MINOR: httpclient/lua: Don't set req_payload callback if body is empty
- DOC/CLEANUP: lua-api: some minor corrections
- DOC: lua-api: updating toolbox link
- DOC/CLEANUP: lua-api: removing duplicate core.proxies attribute
- DOC: management: add forgotten "show startup-logs"
- DOC: management: "show startup-logs" for master CLI
- CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
- CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
Link to lua toolbox was dead (project has been deprecated).
Adding a legacy link to get old toolbox source code as well as
a link to luarocks that seems to have superseded it.
An example given for tcp-request content rule with lua
was missing 'if' keyword. Using it "as is" makes haproxy unhappy.
The example was introduced with 579d83b05.
So it may be backported as far as 1.6, but it is a really minor typo.
The username is required in the Start-up message. Thus, since the 2.2, when
this health-check was refactored, the user parameter is mandatory. On prior
versions, when no username is provided, no pgsql check is performed but only
a basic tcpcheck.
This patch should be backported as far as 2.2.
Released version 2.7-dev7 with the following main changes :
- BUG/MEDIUM: mux-quic: fix nb_hreq decrement
- CLEANUP: httpclient: deleted unused variables
- MINOR: httpclient: enabled the use of SNI presets
- OPTIM: hpack-huff: reduce the cache footprint of the huffman decoder
- BUG/MINOR: mux-quic: do not keep detached qcs with empty Tx buffers
- REORG: mux-quic: extract traces in a dedicated source file
- REORG: mux-quic: export HTTP related function in a dedicated file
- MINOR: mux-quic: refactor snd_buf
- BUG/MEDIUM: mux-quic: properly trim HTX buffer on snd_buf reset
- BUG/MINOR: mux-h1: Account consumed output data on synchronous connection error
- BUG/MINOR: log: improper behavior when escaping log data
- CLEANUP: tools: removing escape_chunk() function
- MINOR: clock: split local and global date updates
- MINOR: pollers: only update the local date during busy polling
- MINOR: clock: do not update the global date too often
- REGTESTS: 4be_1srv_smtpchk_httpchk_layer47errors: Return valid SMTP replies
- MINOR: smtpchk: Update expect rule to fully match replies to EHLO commands
- BUG/MINOR: smtpchk: SMTP Service check should gracefully close SMTP transaction
- MINOR: list: documenting mt_list_for_each_entry_safe() macro
- CLEANUP: list: Fix mt_list_for_each_entry_safe indentation
- BUG/MINOR: hlua: Remove \n in Lua error message built with memprintf
- MINOR: hlua: Allow argument on lua-lod(-per-thread) directives
- BUG/MINOR: anon: memory illegal accesses in tools.c with hash_anon and hash_ipanon
- MEDIUM: mworker/cli: keep the connection of the FD that ask for a reload
- BUG/MINOR: hlua: fixing ambiguous sizeof in hlua_load_per_thread
- MINOR: mworker/cli: replace close() by fd_delete()
- MINOR: mworker: store and shows loading status
- MINOR: mworker: mworker_cli_proxy_new_listener() returns a bind_conf
- MINOR: mworker: stores the mcli_reload bind_conf
- MINOR: mworker/cli: the mcli_reload bind_conf only send the reload status
- DOC: management: describe the new reload command behavior
- CLEANUP: list: fix again some style issues in the recent comments
- BUG/MINOR: stream: Perform errors handling in right order in stream_new()
- BUG/MEDIUM: stconn: Reset SE descriptor when we fail to create a stream
- BUG/MEDIUM: resolvers: Remove aborted resolutions from query_ids tree
- DOC: management: add timeout on the "reload" command
- BUG/MINOR: ring: fix the size check in ring_make_from_area()
- BUG/MINOR: config: don't count trailing spaces as empty arg
- Revert "BUG/MINOR: config: don't count trailing spaces as empty arg"
- BUG/MINOR: hlua: fixing hlua_http_msg_del_data behavior
- BUG/MINOR: hlua: fixing hlua_http_msg_insert_data behavior
- MINOR: cli: Add anonymization on a missed element for 'show sess all'
- MINOR: cli: remove error message with 'set anon on|off'
- MINOR: tools: modify hash_ipanon in order to use it in cli
- MINOR: cli: use hash_ipanon to anonymized address
- MINOR: cli: Add an anonymization on a missed element in 'show server state'
- MINOR: config: correct errors about argument number in condition in cfgparse.c
- MINOR: config: Add other keywords when dump the anonymized configuration file
- MINOR: config: Add option line when the configuration file is dumped
- MINOR: cli: correct commentary and replace 'set global-key' name
- MINOR: tools: Impprove hash_ipanon to support dgram sockets and port offsets
- MINOR: tools: Impprove hash_ipanon to not hash FD-based addresses
- BUG/MINOR: hlua: _hlua_http_msg_delete incorrect behavior when offset is used
- DOC: management: httpclient can resolve server names in URLs
- BUG/MINOR: hlua: prevent crash when loading numerous arguments using lua-load(per-thread)
- DOC/CLEANUP: lua-api: removing duplicate date functions doc
- MINOR: hlua: ambiguous lua_pushvalue with 0 index
- BUG/MINOR: config: don't count trailing spaces as empty arg (v2)
- BUG/MEDIUM: config: count line arguments without dereferencing the output
- BUG/MAJOR: conn-idle: fix hash indexing issues on idle conns
- BUG/MINOR: config: insufficient syntax check of the global "maxconn" value
- BUG/MINOR: backend: only enforce turn-around state when not redispatching
Correct a commentary in in include/haproxy/global-t.h and include/haproxy/tools.h
Replace the CLI command 'set global-key <key>' by 'set anon global-key <key>' in
order to find it easily when you don't remember it, the recommandation can guide
you when you just tap 'set anon'.
No backport needed, except if anonymization mechanism is backported.
Released version 2.7-dev6 with the following main changes :
- MINOR: Revert part of clarifying samples support per os commit
- BUILD: makefile: enable crypt(3) for NetBSD
- BUG/MINOR: quic: Retransmitted frames marked as acknowledged
- BUG/MINOR: quic: Possible crash with "tls-ticket-keys" on QUIC bind lines
- MINOR: http-check: Remove support for headers/body in "option httpchk" version
- BUG/MINOR: h1: Support headers case adjustment for TCP proxies
- BUG/MINOR: quic: Possible crash when verifying certificates
- BUILD: quic: add some ifdef around the SSL_ERROR_* for libressl
- BUILD: ssl: fix ssl_sock_switchtx_cbk when no client_hello_cb
- BUILD: quic: temporarly ignore chacha20_poly1305 for libressl
- BUILD: quic: enable early data only with >= openssl 1.1.1
- BUILD: ssl: fix the ifdef mess in ssl_sock_initial_ctx
- BUILD: quic: fix the #ifdef in ssl_quic_initial_ctx()
- MINOR: quic: add QUIC support when no client_hello_cb
- MINOR: quic: Add traces about sent or resent TX frames
- MINOR: quic: No TRACE_LEAVE() in retrieve_qc_conn_from_cid()
- BUG/MINOR: quic: Wrong connection ID to thread ID association
- BUG/MINOR: task: always reset a new tasklet's call date
- BUG/MINOR: task: make task_instant_wakeup() work on a task not a tasklet
- MINOR: task: permanently enable latency measurement on tasklets
- CLEANUP: task: rename ->call_date to ->wake_date
- BUG/MINOR: sched: properly account for the CPU time of dying tasks
- MINOR: sched: store the current profile entry in the thread context
- BUG/MINOR: stream/sched: take into account CPU profiling for the last call
- MINOR: tasks: do not keep cpu and latency times in struct task
- MINOR: tools: add generic pointer hashing functions
- CLEANUP: activity: make memprof use the generic ptr_hash() function
- CLEANUP: activity: make taskprof use ptr_hash()
- MINOR: debug: add struct ha_caller to describe a calling location
- CLEANUP: debug: use struct ha_caller for memstat
- DEBUG: task: define a series of wakeup types for tasks and tasklets
- DEBUG: task: use struct ha_caller instead of arrays of file:line
- DEBUG: applet: instrument appctx_wakeup() to log the caller's location
- DEBUG: task: simplify the caller recording in DEBUG_TASK
- CLEANUP: task: move tid and wake_date into the common part
- CLEANUP: sched: remove duplicate code in run_tasks_from_list()
- CLEANUP: activity: make the number of sched activity entries more configurable
- DEBUG: resolvers: unstatify process_resolvers() to make it appear in profiling
- DEBUG: quic: export the few task handlers that often appear in task dumps
- MEDIUM: tasks/activity: combine the called function with the caller
- MINOR: tasks/activity: improve the caller-callee activity hash
- MINOR: activity/cli: support aggregating task profiling outputs
- MINOR: activity/cli: support sorting task profiling by total CPU time
- BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
- BUG/MINOR: quic: Speed up the handshake completion only one time
- BUG/MINOR: quic: Trace fix about packet number space information.
- BUG/MINOR: h3: Crash when h3 trace verbosity is "minimal"
- MINOR: h3: Add the quic_conn object to h3 traces
- MINOR: h3: Missing connection argument for a TRACE_LEAVE() argument
- MINOR: h3: Send the h3 settings with others streams (requests)
- MINOR: dev/udp: Apply the corruption to both directions
- BUILD: udp-perturb: Add a make target for udp-perturb tool
- BUG/MINOR: signals/poller: ensure wakeup from signals
- CI: cirrus-ci: bump FreeBSD image to 13-1
- DEV: flags: fix usage message to reflect available options
- DEV: flags: add missing CO_FL_FDLESS connection flag
- MINOR: flags: add a new file to host flag dumping macros
- MINOR: flags: implement a macro used to dump enums inside masks
- MINOR: flags/channel: use flag dumping for channel flags and analysers
- MINOR: flags/connection: use flag dumping for connection flags
- MINOR: flags/stconn: use flag dumping for stconn and sedesc flags
- MINOR: flags/stream: use flag dumping for stream error type
- MINOR: flags/stream: use flag dumping for stream flags
- MINOR: flags/task: use flag dumping for task state
- MINOR: flags/http_ana: use flag dumping for txn flags
- DEV: flags: remove the now unused SHOW_FLAG() definition
- DEV: flags: remove the now useless intermediary functions
- MINOR: flags/htx: use flag dumping to show htx and start-line flags
- MINOR: flags/http_ana: use flag dumping to show http msg states
- BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
- MINOR: listener: small API change
- MINOR: proxy/listener: support for additional PAUSED state
- BUG/MINOR: stats: fixing stat shows disabled frontend status as 'OPEN'
- BUILD: flags: fix build warning in some macros used by show_flags
- BUILD: flags: fix the fallback macros for missing stdio
- CLEANUP: pollers: remove dead code in the polling loop
- BUG/MINOR: mux-h1: Increment open_streams counter when H1 stream is created
- REGTESTS: healthcheckmail: Relax matching on the healthcheck log message
- CLEANUP: listener: function comment typo in stop_listener()
- BUG/MINOR: listener: null pointer dereference suspected by coverity
- MINOR: flags/fd: decode FD flags states
- REORG: mux-h2: extract flags and enums into mux_h2-t.h
- MINOR: flags/mux-h2: decode H2C and H2S flags
- REGTESTS: log: test the log-forward feature
- BUG/MEDIUM: sink: bad init sequence on tcp sink from a ring.
- REGTESTS: ssl/log: test the log-forward with SSL
- MEDIUM: httpclient: httpclient_create_proxy() creates a proxy for httpclient
- MEDIUM: httpclient: allow to use another proxy
- DOC: fix TOC in starter guide for subsection 3.3.8. Statistics
- MINOR: httpclient: export httpclient_create_proxy()
- MEDIUM: quic: separate path for rx and tx with set_encryption_secrets
- BUG/MEDIUM: mux-quic: fix crash on early app-ops release
- REORG: mux-h1: extract flags and enums into mux_h1-t.h
- MINOR: flags/mux-h1: decode H1C and H1S flags
- CLEANUP: mux-quic: remove stconn usage in h3/hq
- BUG/MINOR: mux-quic: do not remotely close stream too early
- CLEANUP: exclude udp-perturb with .gitignore
- BUG/MEDIUM: server: segv when adding server with hostname from CLI
- CLEANUP: quic,ssl: fix tiny typos in C comments
- BUG/MEDIUM: captures: free() an error capture out of the proxy lock
- BUILD: fd: fix a build warning on the DWCAS
- MINOR: anon: add new macros and functions to anonymize contents
- MINOR: anon: store the anonymizing key in the global structure
- MINOR: anon: store the anonymizing key in the CLI's appctx
- MINOR: cli: anonymize commands 'show sess' and 'show sess all'
- MINOR: cli: anonymize 'show servers state' and 'show servers conn'
- MINOR: config: add command-line -dC to dump the configuration file
- SCRIPTS: announce-release: update some URLs to https
This commit adds a new command line option -dC to dump the configuration
file. An optional key may be appended to -dC in order to produce an
anonymized dump using this key. The anonymizing process uses the same
algorithm as the CLI so that the same key will produce the same hashes
for the same identifiers. This way an admin may share an anonymized
extract of a configuration to match against live dumps. Note that key 0
will not anonymize the output. However, in any case, the configuration
is dumped after tokenizing, thus comments are lost.
In order to allow users to dump internal states using a specific key
without changing the global one, we're introducing a key in the CLI's
appctx. This key is preloaded from the global one when "set anon on"
is used (and if none exists, a random one is assigned). And the key
can optionally be assigned manually for the whole CLI session.
A "show anon" command was also added to show the anon state, and the
current key if the users has sufficient permissions. In addition, a
"debug dev hash" command was added to test the feature.
Add a uint32_t key in global to hash words with it. A new CLI command
'set global-key <key>' was added to change the global anonymizing key.
The global may also be set in the configuration using the global
"anonkey" directive. For now this key is not used.
This subsection has been moved from 3.4.9 to 3.3.8 somewhere along
2.4, but the TOC has not been updated - resulting in a invalid
anchor in the HTML version.
Needs to be backported to 2.4+
By default we now dump stats between caller and callee, but by
specifying "aggr" on the command line, stats get aggregated by
callee again as it used to be before the feature was available.
It may sometimes be helpful when comparing total call counts,
though that's about all.
This trick is deprecated since the health-check refactoring, It is now
invalid. It means the following line will trigger an error during the
configuration parsing:
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
It must be replaced by:
option httpchk OPTIONS * HTTP/1.1
http-check send hdr Host www
Released version 2.7-dev5 with the following main changes :
- BUG/MINOR: mux-quic: Fix memleak on QUIC stream buffer for unacknowledged data
- BUG/MEDIUM: cpu-map: fix thread 1's affinity affecting all threads
- MINOR: cpu-map: remove obsolete diag warning about combined ranges
- BUG/MAJOR: mworker: fix infinite loop on master with no proxies.
- REGTESTS: launch http_reuse_always in mworker mode
- BUG/MINOR: quix: Memleak for non in flight TX packets
- BUG/MINOR: quic: Wrong list_for_each_entry() use when building packets from qc_do_build_pkt()
- BUG/MINOR: quic: Safer QUIC frame builders
- MINOR: quic: Replace MT_LISTs by LISTs for RX packets.
- BUG/MEDIUM: applet: fix incorrect check for abnormal return condition from handler
- BUG/MINOR: applet: make the call_rate only count the no-progress calls
- MEDIUM: peers: limit the number of updates sent at once
- BUILD: tcp_sample: fix build of get_tcp_info() on OpenBSD
- BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
- BUG/MINOR: mworker: does not create the "default" resolvers in wait mode
- BUG/MINOR: tcpcheck: Disable QUICKACK only if data should be sent after connect
- REGTESTS: Fix prometheus script to perform HTTP health-checks
- MINOR: resolvers: shut the warning when "default" resolvers is implicit
- Revert "BUG/MINOR: quix: Memleak for non in flight TX packets"
- BUG/MINOR: quic: Leak in qc_release_lost_pkts() for non in flight TX packets
- BUG/MINOR: quic: Stalled connections (missing I/O handler wakeup)
- CLEANUP: quic: No more use ->rx_list MT_LIST entry point (quic_rx_packet)
- CLEANUP: quic: Remove a useless check in qc_lstnr_pkt_rcv()
- MINOR: quic: Remove useless traces about references to TX packets
- Revert "MINOR: quic: Remove useless traces about references to TX packets"
- DOC: configuration: do-resolve doesn't work with a port in the string
- MINOR: sample: add the host_only and port_only converters
- BUG/MINOR: httpclient: fix resolution with port
- DOC: configuration.txt: do-resolve must use host_only to remove its port.
- BUG/MINOR: quic: Null packet dereferencing from qc_dup_pkt_frms() trace
- BUG/MINOR: quic: Frames added to packets even if not built.
- BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
- BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
- BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
- BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
- BUG/MINOR: hlua: Rely on CF_EOI to detect end of message in HTTP applets
- BUG/MEDIUM: mux-h1: do not refrain from signaling errors after end of input
- BUG/MINOR: epoll: do not actively poll for Rx after an error
- MINOR: raw-sock: don't try to send if an error was already reported
- BUG/MINOR: quic: Missing header protection AES cipher context initialisations (draft-v2)
- MINOR: quic: Add a trace to distinguish the datagram from the packets inside
- BUG/MINOR: ssl: fix deinit of the ca-file tree
- BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free()
- BUG/MINOR: tcpcheck: Disable QUICKACK for default tcp-check (with no rule)
- BUG/MEDIUM: ssl: Fix a UAF when old ckch instances are released
- BUG/MINOR: ssl: revert two wrong fixes with ckhi_link
- BUG/MINOR: dev/udp: properly preset the rx address size
- BUILD: debug: make sure debug macros are never empty
- MINOR: quic: Move traces about RX/TX bytes from QUIC_EV_CONN_PRSAFRM event
- BUG/MINOR: quic: TX frames memleak
- BUG/MINOR: ssl: leak of ckch_inst_link in ckch_inst_free() v2
- MINOR: sink/ring: rotate non-empty file-backed contents only
- BUG/MINOR: regex: Properly handle PCRE2 lib compiled without JIT support
- REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
- BUG/MEDIUM: mux-h1: always use RST to kill idle connections in pools
- MINOR: backend: always satisfy the first req reuse rule with l7 retries
- BUG/MINOR: quic: Do not ack when probing
- MINOR: quic: Add TX frames addresses to traces to several trace events
- MINOR: quic: Trace typo fix in qc_release_frm()
- BUG/MINOR: quic: Frames leak during retransmissions
- BUG/MINOR: h2: properly set the direction flag on HTX response
- BUG/MEDIUM: httpclient: always detach the caller before self-killing
- BUG/MINOR: httpclient: only ask for more room on failed writes
- BUG/MINOR: httpclient: keep-alive was accidentely disabled
- MEDIUM: httpclient: enable ALPN support on outgoing https connections
- BUG/MINOR: mux-h2: fix the "show fd" dest buffer for the subscriber
- BUG/MINOR: mux-h1: fix the "show fd" dest buffer for the subscriber
- BUG/MINOR: mux-fcgi: fix the "show fd" dest buffer for the subscriber
- DEBUG: stream: minor rearrangement of a few fields in struct stream.
- MINOR: debug: report applet pointer and handler in crashes when known
- MINOR: mux-h2: extract the stream dump function out of h2_show_fd()
- MINOR: mux-h2: extract the connection dump function out of h2_show_fd()
- MINOR: muxes: add a "show_sd" helper to complete "show sess" dumps
- MINOR: mux-h2: provide a "show_sd" helper to output stream debugging info
- MINOR: mux-h2: insert line breaks in "show sess all" output for legibility
- MINOR: mux-quic: provide a "show_sd" helper to output stream debugging info
- MINOR: mux-h1: split "show_fd" into connection and stream
- MINOR: mux-h1: provide a "show_sd" helper to output stream debugging info
- BUG/MINOR: http-act: initialize http fmt head earlier
If the service is rechecked before a reload, that may cause the config
to be parsed twice and file-backed rings to be lost.
Here we make sure that such a ring does contain information before
deciding to rotate it. This way the first process starting after some
writes will cause a rotate but not subsequent ones until new writes
are applied.
An attempt was also made to disable rotations on checks but this was a
bad idea, as the ring is still initialized and this causes the contents
to be lost. The choice of initializing the ring during parsing is
questionable but the config check ought to be as close as possible to a
real start, and we could imagine that the ring is used by some code
during startup (e.g. lua). So this approach was abandonned and config
checks also cause a rotation, as the purpose of this rotation is to
preserve latest information against accidental removal.
Fix the documentation about do-resolve to handle the case where a port
is associated to the hostname in the Host header.
Must be backported as far as 2.0.
As seen in GH issue #1770, peers synchronization do not cope well with
very large buffers because by default the only two reasons for stopping
the processing of updates is either that the end was reached or that
the buffer is full. This can cause high latencies, and even rightfully
trigger the watchdog when the operations are numerous and slowed down
by competition on the stick-table lock.
This patch introduces a limit to the number of messages one may send
at once, which now defaults to 200, regardless of the buffer size. This
means taking and releasing the lock up to 400 times in a row, which is
costly enough to let some other parts work.
After some observation this could be backported to 2.6. If so, however,
previous commits "BUG/MEDIUM: applet: fix incorrect check for abnormal
return condition from handler" and "BUG/MINOR: applet: make the call_rate
only count the no-progress calls" must be backported otherwise the call
rate might trigger the looping protection.
Released version 2.7-dev4 with the following main changes :
- BUG/MEDIUM: quic: Wrong packet length check in qc_do_rm_hp()
- MINOR: quic: Too much useless traces in qc_build_frms()
- BUG/MEDIUM: quic: Missing AEAD TAG check after removing header protection
- MINOR: quic: Replace pool_zalloc() by pool_malloc() for fake datagrams
- MINOR: debug: make the mem_stats section aligned to void*
- MINOR: debug: store and report the pool's name in struct mem_stats
- MINOR: debug: also store the function name in struct mem_stats
- MINOR: debug/memstats: automatically determine first column size
- MINOR: debug/memstats: permit to pass the size to free()
- CLEANUP: mux-quic: remove loop on sending frames
- MINOR: quic: replace custom buf on Tx by default struct buffer
- MINOR: quic: release Tx buffer on each send
- MINOR: quic: refactor datagram commit in Tx buffer
- MINOR: quic: skip sending if no frame to send in io-cb
- BUG/MINOR: mux-quic: open stream on STOP_SENDING
- BUG/MINOR: quic: fix crash on handshake io-cb for null next enc level
- BUG/MEDIUM: quic: always remove the connection from the accept list on close
- BUG/MEDIUM: poller: use fd_delete() to release the poller pipes
- BUG/MEDIUM: task: relax one thread consistency check in task_unlink_wq()
- MEDIUM: quic: xprt traces rework
- BUILD: stconn: fix build warning at -O3 about possible null sc
- MINOR: quic: Remove useless lock for RX packets
- BUG/MINOR: quic: Possible infinite loop in quic_build_post_handshake_frames()
- CLEANUP: quic: Remove trailing spaces
- MINOR: mux-quic: adjust enter/leave traces
- MINOR: mux-quic: define protocol error traces
- CLEANUP: mux-quic: adjust traces level
- MINOR: mux-quic: define new traces
- BUG/MEDIUM: mux-quic: fix crash due to invalid trace arg
- BUG/MEDIUM: quic: Possible use of uninitialized <odcid> variable in qc_lstnr_params_init()
- BUG/MEDIUM: ring: fix too lax 'size' parser
- BUG/MEDIUM: quic: Wrong use of <token_odcid> in qc_lsntr_pkt_rcv()
- BUILD: ring: forward-declare struct appctx to avoid a build warning
- MINOR: ring: support creating a ring from a linear area
- MINOR: ring: add support for a backing-file
- DEV: haring: add a simple utility to read file-backed rings
- DEV: haring: support remapping LF in contents with CR VT
- BUG/MINOR: quic: memleak on wrong datagram receipt
- BUILD: sink: replace S_IRUSR, S_IWUSR with their octal value
- MINOR: ring: archive a previous file-backed ring on startup
- BUG/MINOR: mux-quic: fix crash with traces in qc_detach()
- BUG/MINOR: quic: MIssing check when building TX packets
- BUG/MINOR: quic: Wrong status returned by qc_pkt_decrypt()
- MINOR: memprof: export the minimum definitions for memory profiling
- MINOR: pool/memprof: report pool alloc/free in memory profiling
- MINOR: pools/memprof: store and report the pool's name in each bin
- MINOR: chunk: inline alloc_trash_chunk()
- MINOR: stick-table: Add table_expire() and table_idle() new converters
- CLEANUP: exclude haring with .gitignore
- MINOR: quic: adjust quic_frame flag manipulation
- MINOR: h3: report error on control stream close
- MINOR: qpack: report error on enc/dec stream close
- BUG/MEDIUM: mux-quic: reject uni stream ID exceeding flow control
- MINOR: mux-quic: adjust traces on stream init
- MINOR: mux-quic: add missing args on some traces
- MINOR: quic: refactor application send
- BUG/MINOR: quic: do not notify MUX on frame retransmit
- BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
- BUG/MINOR: quic: Missing initializations for ducplicated frames.
- BUG/MEDIUM: quic: fix crash on MUX send notification
- REORG: h2: extract cookies concat function in http_htx
- REGTESTS: add test for HTTP/2 cookies concatenation
- MEDIUM: h3: concatenate multiple cookie headers
- MINOR: applet: add a function to reset the svcctx of an applet
- BUG/MEDIUM: cli: always reset the service context between commands
- BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
- MINOR: mux-h2/traces: report transition to SETTINGS1 before not after
- MINOR: mux-h2: make streams know if they need to send more data
- BUG/MINOR: mux-h2: send a CANCEL instead of ES on truncated writes
- BUG/MINOR: quic: Possible crashes when dereferencing ->pkt quic_frame struct member
- MINOR: quic: Add frame addresses to QUIC_EV_CONN_PRSAFRM event traces
- BUG/MINOR: quic: Wrong splitted duplicated frames handling
- MINOR: quic: Add the QUIC connection to mux traces
- MINOR: quic: Trace fix in qc_release_frm()
- BUG/MAJOR: log-forward: Fix log-forward proxies not fully initialized
- BUG/MAJOR: log-forward: Fix ssl layer not initialized on bind even if configured
- MINOR: quic: Add reusable cipher contexts for header protection
- BUG/MINOR: ssl/cli: error when the ca-file is empty
- MINOR: ssl: handle ca-file appending in cafile_entry
- MINOR: ssl/cli: implement "add ssl ca-file"
In ticket #1805 an user is impacted by the limitation of size of the CLI
buffer when updating a ca-file.
This patch allows a user to append new certificates to a ca-file instead
of trying to put them all with "set ssl ca-file"
The implementation use a new function ssl_store_dup_cafile_entry() which
duplicates a cafile_entry and its X509_STORE.
ssl_store_load_ca_from_buf() was modified to take an apped parameter so
we could share the function for "set" and "add".
table_expire() returns the expiration delay for a stick-table entry associated
to an input sample. Its counterpart table_idle() returns the time the entry
remained idle since the last time it was updated.
Both converters may take a default value as second argument which is returned
when the entry is not present.
In order to ensure that an instant restart of the process will not wipe
precious debugging information, and to leave time for an admin to archive
a copy of a ring, now upon startup, any previously existing file will be
renamed with the extra suffix ".bak", and any previously existing file
with suffix ".bak" will be removed.
This mmaps a file which will serve as the backing-store for the ring's
contents. The idea is to provide a way to retrieve sensitive information
(last logs, debugging traces) even after the process stops and even after
a possible crash. Right now this was possible by connecting to the CLI
and dumping the contents of the ring live, but this is not handy and
consumes quite a bit of resources before it is needed.
With a backing file, the ring is effectively RAM-mapped file, so that
contents stored there are the same as those found in the file (the OS
doesn't guarantee immediate sync but if the process dies it will be OK).
Note that doing that on a filesystem backed by a physical device is a
bad idea, as it will induce slowdowns at high loads. It's really
important that the device is RAM-based.
Also, this may have security implications: if the file is corrupted by
another process, the storage area could be corrupted, causing haproxy
to crash or to overwrite its own memory. As such this should only be
used for debugging.
Released version 2.7-dev3 with the following main changes :
- BUILD: makefile: Fix install(1) handling for OpenBSD/NetBSD/Solaris/AIX
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds (try 2)
- MINOR: resolvers: resolvers_destroy() deinit and free a resolver
- BUG/MINOR: resolvers: shut off the warning for the default resolvers
- BUG/MINOR: ssl: allow duplicate certificates in ca-file directories
- BUG/MINOR: tools: fix statistical_prng_range()'s output range
- BUG/MINOR: quic: do not send CONNECTION_CLOSE_APP in initial/handshake
- BUILD: debug: Add braces to if statement calling only CHECK_IF()
- BUG/MINOR: fd: Properly init the fd state in fd_insert()
- BUG/MEDIUM: fd/threads: fix incorrect thread selection in wakeup broadcast
- MINOR: init: load OpenSSL error strings
- MINOR: ssl: enhance ca-file error emitting
- BUG/MINOR: mworker/cli: relative pid prefix not validated anymore
- BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap
- BUG/MEDIUM: mworker: proc_self incorrectly set crashes upon reload
- BUILD: add detection for unsupported compiler models
- BUG/MEDIUM: stconn: Only reset connect expiration when processing backend side
- BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
- BUG/MEDIUM: master: force the thread count earlier
- BUG/MAJOR: poller: drop FD's tgid when masks don't match
- DEBUG: fd: detect possibly invalid tgid in fd_insert()
- BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
- MINOR: sockpair: move send_fd_uxst() error message in caller
- Revert "BUG/MINOR: peers: set the proxy's name to the peers section name"
- DEBUG: fd: split the fd check
- MEDIUM: resolvers: continue startup if network is unavailable
- BUG/MINOR: fd: always remove late updates when freeing fd_updt[]
- MINOR: cli: emit a warning when _getsocks was used more than once
- BUG/MINOR: mworker: PROC_O_LEAVING used but not updated
- Revert "MINOR: cli: emit a warning when _getsocks was used more than once"
- MINOR: cli: warning on _getsocks when socket were closed
- BUG/MEDIUM: mux-quic: fix missing EOI flag to prevent streams leaks
- MINOR: quic: Congestion control architecture refactoring
- MEDIUM: quic: Cubic congestion control algorithm implementation
- MINOR: quic: New "quic-cc-algo" bind keyword
- BUG/MINOR: quic: loss time limit variable computed but not used
- MINOR: quic: Stop looking for packet loss asap
- BUG/MAJOR: quic: Useless resource intensive loop qc_ackrng_pkts()
- MINOR: quic: Send packets as much as possible from qc_send_app_pkts()
- BUG/MEDIUM: queue/threads: limit the number of entries dequeued at once
- MAJOR: threads/plock: update the embedded library
- MINOR: thread: provide an alternative to pthread's rwlock
- DEBUG: tools: provide a tree dump function for ebmbtrees as well
- MINOR: ebtree: add ebmb_lookup_shorter() to pursue lookups
- BUG/MEDIUM: pattern: only visit equivalent nodes when skipping versions
- BUG/MINOR: mux-quic: prevent crash if conn released during IO callback
- CLEANUP: mux-quic: remove useless app_ops is_active callback
- BUG/MINOR: mux-quic: do not free conn if attached streams
- MINOR: mux-quic: save proxy instance into qcc
- MINOR: mux-quic: use timeout server for backend conns
- MEDIUM: mux-quic: adjust timeout refresh
- MINOR: mux-quic: count in-progress requests
- MEDIUM: mux-quic: implement http-keep-alive timeout
- MINOR: peers: Add a warning about incompatible SSL config for the local peer
- MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
- BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
- BUG/MINOR: peers: Use right channel flag to consider the peer as connected
- BUG/MEDIUM: dns: Properly initialize new DNS session
- BUG/MINOR: backend: Don't increment conn_retries counter too early
- MINOR: server: Constify source server to copy its settings
- REORG: server: Export srv_settings_cpy() function
- BUG/MEDIUM: proxy: Perform a custom copy for default server settings
- BUG/MINOR: quic: Missing in flight ack eliciting packet counter decrement
- BUG/MEDIUM: quic: Floating point exception in cubic_root()
- MINOR: h3: support HTTP request framing state
- MINOR: mux-quic: refresh timeout on frame decoding
- MINOR: mux-quic: refactor refresh timeout function
- MEDIUM: mux-quic: implement http-request timeout
- BUG/MINOR: quic: Avoid sending truncated datagrams
- BUG/MINOR: ring/cli: fix a race condition between the writer and the reader
- BUG/MEDIUM: sink: Set the sink ref for forwarders created during ring parsing
- BUG/MINOR: sink: fix a race condition between the writer and the reader
- BUG/MINOR: quic: do not reject datagrams matching minimum permitted size
- MINOR: quic: Add two new stats counters for sendto() errors
- BUG/MINOR: quic: Missing Initial packet dropping case
- MINOR: quic: explicitely ignore sendto error
- BUG/MINOR: quic: adjust errno handling on sendto
- BUG/MEDIUM: quic: break out of the loop in quic_lstnr_dghdlr
- MINOR: threads: report the number of thread groups in build options
- MINOR: config: automatically preset MAX_THREADS based on MAX_TGROUPS
- BUILD: SSL: allow to pass additional configure args to QUICTLS
- CI: enable weekly "m32" builds on x86_64
- CLEANUP: assorted typo fixes in the code and comments
- BUG/MEDIUM: fix DH length when EC key is used
- REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
- REGTESTS: ssl: adopt tests to OpenSSL-3.0.N
- REGTESTS: ssl: fix grep invocation to use extended regex in ssl_generate_certificate.vtc
- BUILD: cfgparse: always defined _GNU_SOURCE for sched.h and crypt.h
As it could be interesting to be able to choose the QUIC control congestion
algorithm to be used by listener, add "quic-cc-algo" new keyword to do so.
Update the documentation consequently.
Must be backported to 2.6.
Released version 2.7-dev2 with the following main changes :
- BUG/MINOR: qpack: fix build with QPACK_DEBUG
- MINOR: h3: handle errors on HEADERS parsing/QPACK decoding
- BUG/MINOR: qpack: abort on dynamic index field line decoding
- MINOR: qpack: properly handle invalid dynamic table references
- MINOR: task: Add tasklet_wakeup_after()
- BUG/MINOR: quic: Dropped packets not counted (with RX buffers full)
- MINOR: quic: Add new stats counter to diagnose RX buffer overrun
- MINOR: quic: Duplicated QUIC_RX_BUFSZ definition
- MINOR: quic: Improvements for the datagrams receipt
- CLEANUP: h2: Typo fix in h2_unsubcribe() traces
- MINOR: quic: Increase the QUIC connections RX buffer size (upto 64Kb)
- CLEANUP: mux-quic: adjust comment on qcs_consume()
- MINOR: ncbuf: implement ncb_is_fragmented()
- BUG/MINOR: mux-quic: do not signal FIN if gap in buffer
- MINOR: fd: add a new FD_DISOWN flag to prevent from closing a deleted FD
- BUG/MEDIUM: ssl/fd: unexpected fd close using async engine
- MINOR: tinfo: make tid temporarily still reflect global ID
- CLEANUP: config: remove unused proc_mask()
- MINOR: debug: remove mask support from "debug dev sched"
- MEDIUM: task: add and preset a thread ID in the task struct
- MEDIUM: task/debug: move the ->thread_mask integrity checks to ->tid
- MAJOR: task: use t->tid instead of ffsl(t->thread_mask) to take the thread ID
- MAJOR: task: replace t->thread_mask with 1<<t->tid when thread mask is needed
- CLEANUP: task: remove thread_mask from the struct task
- MEDIUM: applet: only keep appctx_new_*() and drop appctx_new()
- MEDIUM: task: only keep task_new_*() and drop task_new()
- MINOR: applet: always use task_new_on() on applet creation
- MEDIUM: task: remove TASK_SHARED_WQ and only use t->tid
- MINOR: task: replace task_set_affinity() with task_set_thread()
- CLEANUP: task: remove the unused task_unlink_rq()
- CLEANUP: task: remove the now unused TASK_GLOBAL flag
- MINOR: task: make rqueue_ticks atomic
- MEDIUM: task: move the shared runqueue to one per thread
- MEDIUM: task: replace the global rq_lock with a per-rq one
- MINOR: task: remove grq_total and use rq_total instead
- MINOR: task: replace global_tasks_mask with a check for tree's emptiness
- MEDIUM: task: use regular eb32 trees for the run queues
- MEDIUM: queue: revert to regular inter-task wakeups
- MINOR: thread: make wake_thread() take care of the sleeping threads mask
- MINOR: thread: move the flags to the shared cache line
- MINOR: thread: only use atomic ops to touch the flags
- MINOR: poller: centralize poll return handling
- MEDIUM: polling: make update_fd_polling() not care about sleeping threads
- MINOR: poller: update_fd_polling: wake a random other thread
- MEDIUM: thread: add a new per-thread flag TH_FL_NOTIFIED to remember wakeups
- MEDIUM: tasks/fd: replace sleeping_thread_mask with a TH_FL_SLEEPING flag
- MINOR: tinfo: add the tgid to the thread_info struct
- MINOR: tinfo: replace the tgid with tgid_bit in tgroup_info
- MINOR: tinfo: add the mask of enabled threads in each group
- MINOR: debug: use ltid_bit in ha_thread_dump()
- MINOR: wdt: use ltid_bit in wdt_handler()
- MINOR: clock: use ltid_bit in clock_report_idle()
- MINOR: thread: use ltid_bit in ha_tkillall()
- MINOR: thread: add a new all_tgroups_mask variable to know about active tgroups
- CLEANUP: thread: remove thread_sync_release() and thread_sync_mask
- MEDIUM: tinfo: add a dynamic thread-group context
- MEDIUM: thread: make stopping_threads per-group and add stopping_tgroups
- MAJOR: threads: change thread_isolate to support inter-group synchronization
- MINOR: thread: add is_thread_harmless() to know if a thread already is harmless
- MINOR: debug: mark oneself harmless while waiting for threads to finish
- MINOR: wdt: do not rely on threads_to_dump anymore
- MEDIUM: debug: make the thread dumper not rely on a thread mask anymore
- BUILD: debug: fix build issue on clang with previous commit
- BUILD: debug: re-export thread_dump_state
- BUG/MEDIUM: threads: fix incorrect thread group being used on soft-stop
- BUG/MEDIUM: thread: check stopping thread against local bit and not global one
- MINOR: proxy: use tg->threads_enabled in hard_stop() to detect stopped threads
- BUILD: Makefile: Add Lua 5.4 autodetect
- CI: re-enable gcc asan builds
- MEDIUM: mworker: set the iocb of the socketpair without using fd_insert()
- MINOR: fd: Add BUG_ON checks on fd_insert()
- CLEANUP: mworker: rename mworker_pipe to mworker_sockpair
- CLEANUP: mux-quic: do not export qc_get_ncbuf
- REORG: mux-quic: reorganize flow-control fields
- MINOR: mux-quic: implement accessor for sedesc
- MEDIUM: mux-quic: refactor streams opening
- MINOR: mux-quic: rename qcs flag FIN_RECV to SIZE_KNOWN
- MINOR: mux-quic: emit FINAL_SIZE_ERROR on invalid STREAM size
- BUG/MINOR: peers/config: always fill the bind_conf's argument
- BUG/MEDIUM: peers/config: properly set the thread mask
- CLEANUP: bwlim: Set pointers to NULL when memory is released
- BUG/MINOR: http-check: Preserve headers if not redefined by an implicit rule
- BUG/MINOR: http-act: Properly generate 103 responses when several rules are used
- BUG/MEDIUM: thread: mask stopping_threads with threads_enabled when checking it
- CLEANUP: thread: also remove a thread's bit from stopping_threads on stop
- BUG/MINOR: peers: fix possible NULL dereferences at config parsing
- BUG/MINOR: http-htx: Fix scheme based normalization for URIs wih userinfo
- MINOR: http: Add function to get port part of a host
- MINOR: http: Add function to detect default port
- BUG/MEDIUM: h1: Improve authority validation for CONNCET request
- MINOR: http-htx: Use new HTTP functions for the scheme based normalization
- BUG/MEDIUM: http-fetch: Don't fetch the method if there is no stream
- REGTEESTS: filters: Fix CONNECT request in random-forwarding script
- MEDIUM: mworker/systemd: send STATUS over sd_notify
- BUG/MINOR: mux-h1: Be sure to commit htx changes in the demux buffer
- BUG/MEDIUM: http-ana: Don't wait to have an empty buf to switch in TUNNEL state
- BUG/MEDIUM: mux-h1: Handle connection error after a synchronous send
- MEDIUM: epoll: don't synchronously delete migrated FDs
- BUILD: debug: silence warning on gcc-5
- BUILD: http: silence an uninitialized warning affecting gcc-5
- BUG/MEDIUM: mux-quic: fix server chunked encoding response
- REORG: mux-quic: rename stream initialization function
- MINOR: mux-quic: rename stream purge function
- MINOR: mux-quic: add traces on frame parsing functions
- MINOR: mux-quic: implement qcs_alert()
- MINOR: mux-quic: filter send/receive-only streams on frame parsing
- MINOR: mux-quic: do not ack STREAM frames on unrecoverable error
- MINOR: mux-quic: support stream opening via MAX_STREAM_DATA
- MINOR: mux-quic: define basic stream states
- MINOR: mux-quic: use stream states to mark as detached
- MEDIUM: mux-quic: implement RESET_STREAM emission
- MEDIUM: mux-quic: implement STOP_SENDING handling
- BUG/MEDIUM: debug: fix possible hang when multiple threads dump at once
- BUG/MINOR: quic: fix closing state on NO_ERROR code sent
- CLEANUP: quic: clean up include on quic_frame-t.h
- MINOR: quic: define a generic QUIC error type
- MINOR: mux-quic: support app graceful shutdown
- MINOR: mux-quic/h3: prepare CONNECTION_CLOSE on release
- MEDIUM: quic: send CONNECTION_CLOSE on released MUX
- CLEANUP: mux-quic: move qc_release()
- MINOR: mux-quic: send one last time before release
- MINOR: h3: store control stream in h3c
- MINOR: h3: implement graceful shutdown with GOAWAY
- BUG/MINOR: threads: produce correct global mask for tgroup > 1
- BUG/MEDIUM: cli/threads: make "show threads" more robust on applets
- BUG/MINOR: thread: use the correct thread's group in ha_tkillall()
- BUG/MINOR: debug: enter ha_panic() only once
- BUG/MEDIUM: debug: fix parallel thread dumps again
- MINOR: cli/streams: show a stream's tgid next to its thread ID
- DEBUG: cli: add a new "debug dev deadlock" expert command
- MINOR: cli/activity: add a thread number argument to "show activity"
- CLEANUP: applet: remove the obsolete command context from the appctx
- MEDIUM: config: remove deprecated "bind-process" directives from frontends
- MEDIUM: config: remove the "process" keyword on "bind" lines
- MINOR: listener/config: make "thread" always support up to LONGBITS
- CLEANUP: fd: get rid of the __GET_{NEXT,PREV} macros
- MEDIUM: debug/threads: make the lock debugging take tgroups into account
- MEDIUM: proto: stop protocols under thread isolation during soft stop
- MEDIUM: poller: program the update in fd_update_events() for a migrated FD
- MEDIUM: poller: disable thread-groups for poll() and select()
- MINOR: thread: remove MAX_THREADS limitation
- MEDIUM: cpu-map: replace the process number with the thread group number
- MINOR: mworker/threads: limit the mworker sockets to group 1
- MINOR: cli/threads: always bind CLI to thread group 1
- MINOR: fd/thread: get rid of thread_mask()
- MEDIUM: task/thread: move the task shared wait queues per thread group
- MINOR: task: move the niced_tasks counter to the thread group context
- DOC: design: add some thoughts about how to handle the update_list
- MEDIUM: conn: make conn_backend_get always scan the same group
- MAJOR: fd: remove pending updates upon real close
- MEDIUM: fd/poller: make the update-list per-group
- MINOR: fd: delete unused updates on close()
- MINOR: fd: make fd_insert() apply the thread mask itself
- MEDIUM: fd: add the tgid to the fd and pass it to fd_insert()
- MINOR: cli/fd: show fd's tgid and refcount in "show fd"
- MINOR: fd: add functions to manipulate the FD's tgid
- MINOR: fd: add fd_get_running() to atomically return the running mask
- MAJOR: fd: grab the tgid before manipulating running
- MEDIUM: fd/poller: turn polled_mask to group-local IDs
- MEDIUM: fd/poller: turn update_mask to group-local IDs
- MEDIUM: fd/poller: turn running_mask to group-local IDs
- MINOR: fd: make fd_clr_running() return the previous value instead
- MEDIUM: fd: make thread_mask now represent group-local IDs
- MEDIUM: fd: make fd_insert() take local thread masks
- MEDIUM: fd: make fd_insert/fd_delete atomically update fd.tgid
- MEDIUM: fd: quit fd_update_events() when FD is closed
- MEDIUM: thread: change thread_resolve_group_mask() to return group-local values
- MEDIUM: listener: switch bind_thread from global to group-local
- MINOR: fd: add fd_reregister_all() to deal with boot-time FDs
- MEDIUM: fd: support stopping FDs during starting
- MAJOR: pollers: rely on fd_reregister_all() at boot time
- MAJOR: poller: only touch/inspect the update_mask under tgid protection
- MEDIUM: fd: support broadcasting updates for foreign groups in updt_fd_polling
- CLEANUP: threads: remove the now unused all_threads_mask and tid_bit
- MINOR: config: change default MAX_TGROUPS to 16
- BUG/MEDIUM: tools: avoid calling dlsym() in static builds
This will allows nbtgroups > 1 to be declared in the config without
recompiling. The theoretical limit is 64, though we'd rather not push
it too far for now as some structures might be enlarged to be indexed
per group. Let's start with 16 groups max, allowing to experiment with
dual-socket machines suffering from up to 8 loosely coupled L3 caches.
It's a good start and doesn't engage us too far.
The principle remains the same, but instead of having a single process
and ignoring extra ones, now we set the affinity masks for the respective
threads of all groups.
The doc was updated with a few extra examples.
It was deprecated, marked for removal in 2.7 and was already emitting a
warning, let's get rid of it. Note that we've kept the keyword detection
to suggest to use "thread" instead.
This was already causing a deprecation warning and was marked for removal
in 2.7, now it happens. An error message indicates this doesn't exist
anymore.
The output of "show activity" can be so large that the output is visually
unreadable on a screen. Let's add an option to filter on the desired
column (actually the thread number), use "0" to report only the first
column (aggregated/sum/avg), and use "-1", the default, for the normal
detailed dump.
Released version 2.7-dev1 with the following main changes :
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a cert entry fails
- BUG/MINOR: ssl_ckch: Free error msg if commit changes on a CA/CRL entry fails
- BUG/MEDIUM: ssl_ckch: Don't delete a cert entry if it is being modified
- BUG/MEDIUM: ssl_ckch: Don't delete CA/CRL entry if it is being modified
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a cert entry
- BUG/MINOR: ssl_ckch: Don't duplicate path when replacing a CA/CRL entry
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl cert' to handle full buffer cases
- BUG/MEDIUM: ssl_ckch: Rework 'commit ssl ca-file' to handle full buffer cases
- BUG/MEDIUM: ssl/crt-list: Rework 'add ssl crt-list' to handle full buffer cases
- BUG/MEDIUM: httpclient: Don't remove HTX header blocks before duplicating them
- BUG/MEDIUM: httpclient: Rework CLI I/O handler to handle full buffer cases
- MEDIUM: httpclient: Don't close CLI applet at the end of a response
- MEDIUM: http-ana: Always report rewrite failures as PRXCOND in logs
- CLEANUP: Re-apply xalloc_size.cocci (2)
- REGTESTS: abortonclose: Add a barrier to not mix up log messages
- REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
- CLEANUP: ssl_ckch: Use corresponding enum for commit_cacrlfile_ctx.cafile_type
- MINOR: ssl_ckch: Simplify I/O handler to commit changes on CA/CRL entry
- BUG/MINOR: ssl_ckch: Use right type for old entry in show_crlfile_ctx
- BUG/MINOR: ssl_ckch: Dump CRL transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump CA transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Dump cert transaction only once if show command yield
- BUG/MINOR: ssl_ckch: Init right field when parsing "commit ssl crl-file" cmd
- CLEANUP: ssl_ckch: Remove unused field in commit_cacrlfile_ctx structure
- MINOR: ssl_ckch: Simplify structure used to commit changes on CA/CRL entries
- MINOR: ssl_ckch: Remove service context for "set ssl cert" command
- MINOR: ssl_ckch: Remove service context for "set ssl ca-file" command
- MINOR: ssl_ckch: Remove service context for "set ssl crl-file" command
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cert I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_cafile I/O handler
- BUG/MINOR: ssl_ckch: Fix possible uninitialized value in show_crlfile I/O handler
- BUILD: ssl_ckch: Fix build error about a possible uninitialized value
- BUG/MINOR: ssl_ckch: Fix another possible uninitialized value
- REGTESTS: http_abortonclose: Extend supported versions
- REGTESTS: restrict_req_hdr_names: Extend supported versions
- MINOR: connection: support HTTP/3.0 for smp_*_http_major fetch
- MINOR: h3: add h3c pointer into h3s instance
- MINOR: mux-quic: simplify decode_qcs API
- MINOR: mux-quic/h3: adjust demuxing function return values
- BUG/MINOR: h3: fix return value on decode_qcs on error
- BUILD: quic: fix anonymous union for gcc-4.4
- BUILD: compiler: implement unreachable for older compilers too
- DEV: tcploop: reorder options in the usage message
- DEV: tcploop: make the current address the default address
- DEV: tcploop: make it possible to change the target address of a connect()
- DEV: tcploop: factor out the socket creation
- DEV: tcploop: permit port 0 to ease handling of default options
- DEV: tcploop: add a new "bind" command to bind to ip/port.
- DEV: tcploop: add minimal UDP support
- BUG/MINOR: trace: Test server existence for health-checks to get proxy
- BUG/MINOR: checks: Properly handle email alerts in trace messages
- BUG/MEDIUM: mailers: Set the object type for check attached to an email alert
- REGTESTS: healthcheckmail: Update the test to be functionnal again
- REGTESTS: healthcheckmail: Relax health-check failure condition
- BUG/MINOR: h3: fix incorrect BUG_ON assert on SETTINGS parsing
- MEDIUM: mux-h2: try to coalesce outgoing WINDOW_UPDATE frames
- OPTIM: mux-h2: increase h2_settings_initial_window_size default to 64k
- BUG/MINOR: h3: fix frame type definition
- BUG/MEDIUM: h3: fix SETTINGS parsing
- BUG/MINOR: cli/stats: add missing trailing LF after JSON outputs
- BUG/MINOR: server: do not enable DNS resolution on disabled proxies
- BUG/MINOR: cli/stats: add missing trailing LF after "show info json"
- DOC: design: update the notes on thread groups
- BUG/MEDIUM: mux-quic: fix flow control connection Tx level
- MINOR: mux-quic: complete BUG_ON on TX flow-control enforcing
- BUG/MINOR: mux-quic: fix memleak on frames rejected by transport
- BUG/MINOR: tcp-rules: Make action call final on read error and delay expiration
- CLEANUP: check: Remove useless tests on check's stream-connector
- BUG/MEDIUM: stconn: Don't wakeup applet for send if it won't consume data
- BUG/MEDIUM: cli: Notify cli applet won't consume data during request processing
- BUG/MEDIUM: mux-quic: fix segfault on flow-control frame cleanup
- MINOR: task: move profiling bit to per-thread
- CLEANUP: quic: use task_new_on() for single-threaded tasks
- MINOR: tinfo: remove the global thread ID bit (tid_bit)
- CLEANUP: hlua: check for at least 2 threads on a task
- MINOR: thread: get rid of MAX_THREADS_MASK
- OPTIM: task: do not consult shared WQ when we're already full
- DOC: design: update the task vs thread affinity requirements
- MINOR: qpack: add comments and remove a useless trace
- MINOR: qpack: reduce dependencies on other modules
- BUG/MINOR: qpack: support header litteral name decoding
- MINOR: qpack: add ABORT_NOW on unimplemented decoding
- BUG/MINOR: h3/qpack: deal with too many headers
- MINOR: qpack: improve decoding function
- MINOR: qpack: implement standalone decoder tool
- BUG/BUILD: h3: fix wrong label name
- BUG/MINOR: quic: Stop hardcoding Retry packet Version field
- MINOR: quic: Add several nonce and key definitions for Retry tag
- BUG/MINOR: quic: Wrong PTO calculation
- MINOR: quic: Parse long packet version from qc_parse_hd_form()
- CLEANUP: quid: QUIC draft-28 no more supported
- MEDIUM: quic: Add QUIC v2 draft support
- MINOR: quic: Released QUIC TLS extension for QUIC v2 draft
- MEDIUM: quic: Compatible version negotiation implementation (draft-08)
- CLEANUP: quic: Remove any reference to boringssl
- BUG/MINOR: task: fix thread assignment in tasklet_kill()
- BUG/MEDIUM: stream: Properly handle destructive client connection upgrades
- MINOR: stream: Rely on stconn flags to abort stream destructive upgrade
- CLEANUP: stconn: Don't expect to have no sedesc on detach
- BUG/MINOR: log: Properly test connection retries to fix dontlog-normal option
- MINOR: hlua: don't dump empty entries in hlua_traceback()
- MINOR: hlua: add a new hlua_show_current_location() function
- MEDIUM: debug: add a tainted flag when a shared library is loaded
- MEDIUM: debug: detect redefinition of symbols upon dlopen()
- BUILD: quic: Wrong HKDF label constant variable initializations
- BUG/MINOR: quic: Unexpected half open connection counter wrapping
- BUG/MINOR: quic_stats: Duplicate "quic_streams_data_blocked_bidi" field name
- BUG/MINOR: quic: purge conn Rx packet list on release
- BUG/MINOR: quic: free rejected Rx packets
- BUG/MINOR: qpack: abort on dynamic index field line decoding
- BUG/MEDIUM: ssl/cli: crash when crt inserted into a crt-list
- REGTESTS: ssl: add the same cert for client/server
- BUG/MINOR: quic: Acknowledgement must be forced during handshake
- MINOR: quic: Dump version_information transport parameter
- BUG/MEDIUM: mworker: use default maxconn in wait mode
- MINOR: intops: add a function to return a valid bit position from a mask
- TESTS: add a unit test for one_among_mask()
- BUILD: ssl_ckch: fix "maybe-uninitialized" build error on gcc-9.4 + ARM
- BUG/MINOR: ssl: Do not look for key in extra files if already in pem
- BUG/MINOR: quic: Missing acknowledgments for trailing packets
- BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
- BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
- MINOR: freq_ctr: Add a function to get events excess over the current period
- BUG/MINOR: stream: only free the req/res captures when set
- CLEANUP: pool/tree-wide: remove suffix "_pool" from certain pool names
- MEDIUM: debug: improve DEBUG_MEM_STATS to also report pool alloc/free
- BUG/MINOR: quic: Wrong reuse of fulfilled dgram RX buffer
- BUG/MAJOR: quic: Big RX dgrams leak when fulfilling a buffer
- BUG/MAJOR: quic: Big RX dgrams leak with POST requests
- BUILD: quic+h3: 32-bit compilation errors fixes
- MEDIUM: bwlim: Add support of bandwith limitation at the stream level
This patch adds a filter to limit bandwith at the stream level. Several
filters can be defined. A filter may limit incoming data (upload) or
outgoing data (download). The limit can be defined per-stream or shared via
a stick-table. For a given stream, the bandwith limitation filters can be
enabled using the "set-bandwidth-limit" action.
A bandwith limitation filter can be used indifferently for HTTP or TCP
stream. For HTTP stream, only the payload transfer is limited. The filter is
pretty simple for now. But it was designed to be extensible. The current
design tries, as far as possible, to never exceed the limit. There is no
burst.
It looks like we'll need:
- one share timers queue for the rare tasks that need to wake up
anywhere
- one private timers queue per thread
- one global queue per group
- one local queue per thread
And may be we can simply get rid of any global/shared run queue as
we don't seem to have any task bound to a subset of threads.
This macro was used both for binding and for lookups. When binding tasks
or FDs, using all_threads_mask instead is better as it will later be per
group. For lookups, ~0UL always does the job. Thus in practice the macro
was already almost not used anymore since the rest of the code could run
fine with a constant of all ones there.
Instead of having a global mask of all the profiled threads, let's have
one flag per thread in each thread's flags. They are never accessed more
than one at a time an are better located inside the threads' contexts for
both performance and scalability.
This changes the default from RFC 7540's default 65535 (64k-1) to avoid
avoid some degenerative WINDOW_UPDATE behaviors in the wild observed with
clients using 65536 as their buffer size, and have to complete each block
with a 1-byte frame, which with some servers tend to degenerate in 1-byte
WU causing more 1-byte frames to be sent until the transfer almost only
uses 1-byte frames.
More details here: https://github.com/nghttp2/nghttp2/issues/1722
As mentioned in previous commit (MEDIUM: mux-h2: try to coalesce outgoing
WINDOW_UPDATE frames) the issue could not be reproduced with haproxy but
individual WU frames are sent so theoretically nothing prevents this from
happening. As such it should be backported as a workaround for already
deployed clients after watching for any possible side effect with rare
clients. As an added benefit, uploads from curl now use less DATA frames
(all are 16384 now). Note that the previous patch alone is sufficient to
stop the issue with curl in case this one would need to be reverted.
[wt: edited commit messaged, updated doc]
Released version 2.6.0 with the following main changes :
- DOC: Fix formatting in configuration.txt to fix dconv
- CLEANUP: tcpcheck: Remove useless test on the stream-connector in tcpcheck_main
- CLEANUP: muxes: Consider stream's sd as defined in .show_fd callback functions
- MINOR: quic: Ignore out of packet padding.
- CLEANUP: quic: Useless QUIC_CONN_TX_BUF_SZ definition
- CLEANUP: quic: No more used handshake output buffer
- MINOR: quic: QUIC transport parameters split.
- MINOR: quic: Transport parameters dump
- DOC: quic: Update documentation for QUIC Retry
- MINOR: quic: Tunable "max_idle_timeout" transport parameter
- MINOR: quic: Tunable "initial_max_streams_bidi" transport parameter
- MINOR: quic: Clarifications about transport parameters value
- MINOIR: quic_stats: add QUIC connection errors counters
- BUG/MINOR: quic: Largest RX packet numbers mixing
- MINOR: quic_stats: Add transport new counters (lost, stateless reset, drop)
- DOC: quic: Documentation update for QUIC
- MINOR: quic: Connection TX buffer setting renaming.
- MINOR: h3: Add a statistics module for h3
- MINOR: quic: Send STOP_SENDING frames if mux is released
- MINOR: quic: Do not drop packets with RESET_STREAM frames
- BUG/MINOR: qpack: fix buffer API usage on prefix integer encoding
- BUG/MINOR: qpack: support bigger prefix-integer encoding
- BUG/MINOR: h3: do not report bug on unknown method
- SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
- SCRIPTS: make publish-release try to launch make-releases-json
- MINOR: htx: add an unchecked version of htx_get_head_blk()
- BUILD: htx: use the unchecked version of htx_get_head_blk() where needed
- BUILD: quic: use inttypes.h instead of stdint.h
- DOC: internal: remove totally outdated diagrams
- DOC: remove the outdated ROADMAP file
- DOC: add maintainers for QUIC and HTTP/3
- MINOR: h3: define h3 trace module
- MINOR: h3: add traces on frame recv
- MINOR: h3: add traces on frame send
- MINOR: h3: add traces on h3s init/end
- EXAMPLES: remove completely outdated acl-content-sw.cfg
- BUILD: makefile: reorder objects by build time
- DOC: fix a few spelling mistakes in the docs
- BUG/MEDIUM: peers/cli: fix "show peers" crash
- CLEANUP: peers/cli: stop misusing the appctx local variable
- CLEANUP: peers/cli: make peers_dump_peer() take an appctx instead of an stconn
- BUG/MINOR: peers: set the proxy's name to the peers section name
- MINOR: server: indicate when no address was expected for a server
- BUG/MINOR: peers: detect and warn on init_addr/resolvers/check/agent-check
- DOC: peers: indicate that some server settings are not usable
- DOC: peers: clarify when entry expiration date is renewed.
- DOC: peers: fix port number and addresses on new peers section format
- DOC: gpc/gpt: add commments of gpc/gpt array definitions on stick tables.
- DOC: install: update supported OpenSSL versions in the INSTALL doc
- MINOR: ncbuf: adjust ncb_data with NCBUF_NULL
- BUG/MINOR: h3: fix frame demuxing
- BUG/MEDIUM: h3: fix H3_EXCESSIVE_LOAD when receiving H3 frame header only
- BUG/MINOR: quic: Fix QUIC_EV_CONN_PRSAFRM event traces
- CLEANUP: quic: remove useless check on local UNI stream reception
- BUG/MINOR: qpack: do not consider empty enc/dec stream as error
- DOC: intro: adjust the numbering of paragrams to keep the output ordered
- MINOR: version: mention that it's LTS now.
The HTML version appeared with sections in a different order where
3.3.10..3.3.16 were placed between 3.3.1 and 3.3.2. This patch just slips
them into an intermediary section so that we now have "basic features",
"standard features", and "advanced features".
Some users misunderstood that the parameter of gpc() gpt()
store types on the table line presents the number of elements
of the array to store and not an index of gpt/gpc tag/counter.
This patch adds some explanations.
This patch addresses github issue #1630
It should be backorted in until branch 2.5.
