HAproxy RPM spec and builds for CentOS/RHEL 6/7/8
HAProxy 2.4.0 was released on 2021/05/14. It added 34 new commits after version 2.4-dev19. This completes 6 months of improvements and cleanups split into 1687 commits from 36 participants.
Full Release Notes Available on https://www.mail-archive.com/[email protected]/msg40499.html
2020/09/30 : 2.2.4 - BUILD: threads: better workaround for late loading of libgcc_s - BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned - BUG/MINOR: Fix type passed of sizeof() for calloc() - BUG/MINOR: ssl: verifyhost is case sensitive - BUG/MINOR: server: report correct error message for invalid port on "socks4" - BUG/MEDIUM: ssl: Don't call ssl_sock_io_cb() directly. - BUG/MINOR: ssl/crt-list: crt-list could end without a \n - BUG/MINOR: h2/trace: do not display "stream error" after a frame ACK - BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch - BUG/MINOR: config: Fix memory leak on config parse listen - BUG/MEDIUM: h2: report frame bits only for handled types - BUG/MINOR: Fix memory leaks cfg_parse_peers - MINOR: h2/trace: also display the remaining frame length in traces - MINOR: backend: make the "whole" option of balance uri take only one bit - MINOR: backend: add a new "path-only" option to "balance uri" - REGTESTS: add a few load balancing tests - BUG/MEDIUM: listeners: do not pause foreign listeners - BUILD: trace: include tools.h - REGTESTS: use "command" instead of "which" for better POSIX compatibility - DOC: agent-check: fix typo in "fail" word expected reply - BUG/MINOR: ssl/crt-list: exit on warning out of crtlist_parse_line() - REGTEST: fix host part in balance-uri-path-only.vtc - REGTEST: make agent-check.vtc require 1.8 - REGTEST: make abns_socket.vtc require 1.8 - REGTEST: make map_regm_with_backref require 1.7
2020/09/08 : 2.2.3
- SCRIPTS: git-show-backports: make -m most only show the left branch
- SCRIPTS: git-show-backports: emit the shell command to backport a commit
- BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
- CLEANUP: dns: typo in reported error message
- BUG/MAJOR: dns: disabled servers through SRV records never recover
- BUG/MINOR: spoa-server: fix size_t format printing
- DOC: spoa-server: fix false friends actually
- BUG/MINOR: ssl: fix memory leak at OCSP loading
- BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()
- BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
- MINOR: arg: Add an argument type to keep a reference on opaque data
- BUG/MINOR: converters: Store the sink in an arg pointer for debug() converter
- BUG/MINOR: lua: Duplicate map name to load it when a new Map object is created
- BUG/MINOR: arg: Fix leaks during arguments validation for fetches/converters
- BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
- BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
- MINOR: hlua: Don't needlessly copy lua strings in trash during args validation
- BUG/MINOR: lua: Duplicate lua strings in sample fetches/converters arg array
- MEDIUM: lua: Don't filter exported fetches and converters
- BUG/MINOR: snapshots: leak of snapshots on deinit()
- BUG/MEDIUM: ssl: fix the ssl-skip-self-issued-ca option
- BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
- BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
- BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
- BUG/MEDIUM: ssl: never generates the chain from the verify store
- BUG/MEDIUM: ssl: fix ssl_bind_conf double free w/ wildcards
- BUG/MINOR: reload: do not fail when no socket is sent
- BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
- MINOR: http-htx: Add an option to eval query-string when the path is replaced
- BUG/MINOR: http-rules: Replace path and query-string in "replace-path" action
- BUG/MEDIUM: ssl: crt-list negative filters don't work
- DOC: cache: Use '
2020/07/31 : 2.2.2 - BUG/MINOR: mux-fcgi: Don't url-decode the QUERY_STRING parameter anymore - BUILD: tools: fix build with static only toolchains - BUG/MINOR: debug: Don't dump the lua stack if it is not initialized - BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status - BUG/MAJOR: dns: don't treat Authority records as an error - MEDIUM: lua: Add support for the Lua 5.4 - BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation - BUG/MINOR: lua: Abort execution of actions that yield on a final evaluation - BUG/MINOR: tcp-rules: Preserve the right filter analyser on content eval abort - BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields - BUG/MEDIUM: connection: Be sure to always install a mux for sync connect - MINOR: connection: Preinstall the mux for non-ssl connect - MINOR: stream-int: Be sure to have a mux to do sends and receives - SCRIPTS: announce-release: add the link to the wiki in the announce messages - BUG/MEDIUM: backend: always attach the transport before installing the mux - BUG/MEDIUM: tcp-checks: always attach the transport before installing the mux
2020/07/23 : 2.2.1 - BUG/MINOR: sample: Free str.area in smp_check_const_bool - BUG/MINOR: sample: Free str.area in smp_check_const_meth - BUG/MEDIUM: lists: add missing store barrier on MT_LIST_BEHEAD() - BUG/MEDIUM: lists: add missing store barrier in MT_LIST_ADD/MT_LIST_ADDQ - CONTRIB: da: fix memory leak in dummy function da_atlas_open() - BUG/MEDIUM: mux-h2: Don't add private connections in available connection list - BUG/MEDIUM: mux-fcgi: Don't add private connections in available connection list - BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode - BUG/MINOR: mux-fcgi: Handle empty STDERR record - BUG/MINOR: mux-fcgi: Set conn state to RECORD_P when skipping the record padding - BUG/MINOR: mux-fcgi: Set flags on the right stream field for empty FCGI_STDOUT - BUG/MEDIUM: log: issue mixing sampled to not sampled log servers. - BUG/MEDIUM: fcgi-app: fix memory leak in fcgi_flt_http_headers - BUG/MEDIUM: server: resolve state file handle leak on reload - BUG/MEDIUM: server: fix possibly uninitialized state file on close - BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked - BUILD: config: address build warning on raspbian+rpi4 - BUG/MAJOR: tasks: make sure to always lock the shared wait queue if needed - BUILD: config: fix again bugs gcc warnings on calloc - DOC: ssl: req_ssl_sni needs implicit TLS - BUG/MEDIUM: arg: empty args list must be dropped - BUG/MEDIUM: resolve: fix init resolving for ring and peers section. - BUG/MAJOR: tasks: don't requeue global tasks into the local queue - BUG/MAJOR: dns: Make the do-resolve action thread-safe - BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed - MEDIUM: htx: Add a flag on a HTX message when no more data are expected - BUG/MINOR: htx: add two missing HTX_FL_EOI and remove an unexpected one - BUG/MEDIUM: stream-int: Don't set MSG_MORE flag if no more data are expected - BUG/MEDIUM: http-ana: Only set CF_EXPECT_MORE flag on data filtering
2020/07/07 : 2.2.0 - BUILD: mux-h2: fix typo breaking build when using DEBUG_LOCK - CLEANUP: makefile: update the outdated list of DEBUG_xxx options - BUILD: tools: make resolve_sym_name() return a const - CLEANUP: auth: fix useless self-include of auth-t.h - BUILD: tree-wide: cast arguments to tolower/toupper to unsigned char - CLEANUP: assorted typo fixes in the code and comments - WIP/MINOR: ssl: add sample fetches for keylog in frontend - DOC: fix tune.ssl.keylog sample fetches array - BUG/MINOR: ssl: check conn in keylog sample fetch - DOC: configuration: various typo fixes - MINOR: log: Remove unused case statement during the log-format string parsing - BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode - BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive - BUG/MINOR: mux-h1: Disable splicing only if input data was processed - BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received - MINOR: mux-h1: Improve traces about the splicing - BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server - BUG/MEDIUM: connection: Don't consider new private connections as available - BUG/MINOR: connection: See new connection as available only on reuse always - DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x - CLEANUP: ssl: remove unrelevant comment in smp_fetch_ssl_x_keylog() - DOC: update INSTALL with new compiler versions - DOC: minor update to coding style file - MINOR: version: mention that it's an LTS release now
Replacing previous 2.1 builds due to https://www.haproxy.com/blog/haproxy-1-8-http-2-hpack-decoder-vulnerability-fixed/
Full release notes: https://www.mail-archive.com/[email protected]/msg36876.html
Replacing previous 2.0 builds due to https://www.haproxy.com/blog/haproxy-1-8-http-2-hpack-decoder-vulnerability-fixed/
Full release notes: https://www.mail-archive.com/[email protected]/msg36877.html
Replacing previous 1.9 builds due to https://www.haproxy.com/blog/haproxy-1-8-http-2-hpack-decoder-vulnerability-fixed/
Full release notes: https://www.mail-archive.com/[email protected]/msg36878.html
Replacing previous 1.8 builds due to https://www.haproxy.com/blog/haproxy-1-8-http-2-hpack-decoder-vulnerability-fixed/
Full release notes: https://www.mail-archive.com/[email protected]/msg36879.html
HAProxy 2.1.3 was released on 2020/02/12. It added 86 new commits after version 2.1.2.
It's clear that 2.1 has been one of the calmest releases in a while, to the point of making us forget that it still had a few fixes pending that would be pleasant to have in a released version! So after accumulating fixes for 7 weeks, it's about time to have another one!
Here are the most relevant fixes:
pools: there is an ABA race condition in pool_flush() (which is called when stopping as well as under memory pressure) which can lead to a crash. It's been there since 1.9 and is very hard to trigger, but if you run with many threads and reload very often you may occasionally hit it, seeing a trace of the old process crashing in your system logs.
there was a bug in the way our various hashes were calculated, some of them were considering the inputs as signed chars instead of unsigned ones, so some non-ASCII characters would hash differently across different architectures and wouldn't match another component's calculation (e.g. a CRC32 inserted in a header would differ when given values with the 8th bit set, or applied to the PROXY protocol header). The bug has been there since 1.5-dev20 but became visible since it affected Postfix's validation of the PROXY protocol's CRC32. It's unlikely that anyone will ever witness it if it didn't happen already, but I tagged it "major" to make sure it is properly backported to distro packages, since not having it on certain nodes may sometimes result in hash inconsistencies which can be very hard to diagnose.
the addition of the Early-Data header when using 0rtt could wrongly be emitted during SSL handshake as well.
health checks could crash if using handshakes (e.g. SSL) mixed with DNS that takes time to retrieve an address, causing an attempt to use an incompletely initialized connection.
the peers listening socket was missing from the seamless reload, possibly causing some failed bindings when not using reuseport, resulting in the new process giving up.
splicing could often end up on a timeout because after the last block we did not switch back to HTX to complete the message.
fixed a small race affecting idle connections, allowing one thread to pick a connection at the same moment another one would decide to free it because there are too many idle.
response redirects were appended to the actual response instead of replacing it. This could cause various errors, including data corruption on the client if the entire response didn't fit into the buffer at once.
when stopping or when releasing a few connections after a listener's maxconn was reached, we could distribute some work to inexistent threads if the listener had "1/odd" or "1/even" while the process had less than 64 threads. An easy workaround for this is to explicitly reference the thread numbers instead.
when proxying an HTTP/1 client to an HTTP/2 server, make sure to clean up the "TE" header from anything but "trailers", otherwise the server may reject a request if it came from a browser placing "gzip" there.
the H2 mux had an incorrect buffer full detection causing the send phase to stop on a fragment boundary then to immediately wake up all waiting threads to go on, resulting in an excessive CPU usage in some tricky situations. It is possible that those using H2 with many streams per connection and moderately large objects, like Luke's maps servers, could observe a CPU usage drop (maybe Luke on his map servers).
it was possible to lose the master-worker status after a failed reload when it was only mentioned in the config and not on the command line.
when decoding the Netscaler's CIP protocol we forgot to allocate the storage for the src/dst addresses, crashing the process.
upon pipe creation failure due to shortage of file descriptors, the struct pipe was still returned after having been released, quickly crashing the process. Fortunately the automatic maxconn/maxpipe settings do not allow this situation to happen but very old configs still having "ulimit-n" could have been affected.
the "tcp-request session" rules would report an error upon a "reject" action, making the listener throttle itself to protect resources, which could actually amplify the problem.
the "commit ssl cert" command on the CLI used the old SSL_CTX instead of the new one, which caused some certs not to work anymore (found on openssl-1.0.2 with ECDSA+ECDHE). There is quite a number of other SSL SSL fixes for small bugs that were found while troubleshooting this issue, mainly in relation with dynamic cert updates.
the H1 mux could attempt to perform a sendto() when facing new data after having already failed, resulting in excess calls to sendto().
The rest has less impact or is less likely to be noticed, but feel free to dig into the appended changelog.
I'm hearing 2.0 jealously complain that it's always his youngest brother that's served first and that it would like to get a release as well, so maybe I'll please the rest of the family this week, as the other stable co-maintainers look busy right now (or they play it well :-)).
Speaking of this, for those currently testing 2.2-dev2, please make sure to be up to date, as I was hit by two dirty crashes after deploying it on haproxy.org this week-end, that were both addressed in the master branch.
[RELEASE] Released version 2.1.0
Released version 2.1.0 with the following main changes : - BUG/MINOR: init: fix set-dumpable when using uid/gid - MINOR: init: avoid code duplication while setting identify - BUG/MINOR: ssl: ssl_pkey_info_index ex_data can store a dereferenced pointer - BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1 - MINOR: peers: Alway show the table info for disconnected peers. - MINOR: peers: Add TX/RX heartbeat counters. - MINOR: peers: Add debugging information to "show peers". - BUG/MINOR: peers: Wrong null "server_name" data field handling. - MINOR: ssl/cli: 'abort ssl cert' deletes an on-going transaction - BUG/MEDIUM: mworker: don't fill the -sf argument with -1 during the reexec - BUG/MINOR: peers: "peer alive" flag not reset when deconnecting. - BUILD/MINOR: ssl: fix compiler warning about useless statement - BUG/MEDIUM: stream-int: Don't loose events on the CS when an EOS is reported - MINOR: contrib/prometheus-exporter: filter exported metrics by scope - MINOR: contrib/prometheus-exporter: Add a param to ignore servers in maintenance - BUILD: debug: Avoid warnings in dev mode with -02 because of some BUG_ON tests - BUG/MINOR: mux-h1: Fix tunnel mode detection on the response path - BUG/MINOR: http-ana: Properly catch aborts during the payload forwarding - DOC: Update http-buffer-request description to remove the part about chunks - BUG/MINOR: stream-int: Fix si_cs_recv() return value - DOC: internal: document the init calls - MEDIUM: dns: Add resolve-opts "ignore-weight" - MINOR: ssl: ssl_sock_prepare_ctx() return an error code - MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit - MINOR: ssl/cli: display warning during 'commit ssl cert' - MINOR: version: report the version status in "haproxy -v" - MINOR: version: emit the link to the known bugs in output of "haproxy -v" - DOC: Add documentation about the use-service action - MINOR: ssl: fix possible null dereference in error handling - BUG/MINOR: ssl: fix curve setup with LibreSSL - BUG/MINOR: ssl: Stop passing dynamic strings as format arguments - CLEANUP: ssl: check if a transaction exists once before setting it - BUG/MINOR: cli: fix out of bounds in -S parser - MINOR: ist: add ist_find_ctl() - BUG/MAJOR: h2: reject header values containing invalid chars - BUG/MAJOR: h2: make header field name filtering stronger - BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in idle state - MINOR: h2: add a function to report H2 error codes as strings - MINOR: mux-h2/trace: report the connection and/or stream error code - SCRIPTS: create-release: show the correct origin name in suggested commands - SCRIPTS: git-show-backports: add "-s" to proposed cherry-pick commands - BUG/MEDIUM: trace: fix a typo causing an incorrect startup error - BUILD: reorder the objects in the makefile - DOC: mention in INSTALL haproxy 2.1 is a stable stable version - MINOR: version: indicate that this version is stable
http://www.haproxy.org/download/2.0/src/CHANGELOG
Adding RHEL/CentOS 8 build