diff -Nru haproxy-2.6.16/.github/workflows/vtest.yml haproxy-2.6.17/.github/workflows/vtest.yml --- haproxy-2.6.16/.github/workflows/vtest.yml 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/.github/workflows/vtest.yml 2024-04-05 18:18:18.000000000 +0000 @@ -55,10 +55,21 @@ run: | echo "key=$(echo ${{ matrix.name }} | sha256sum | awk '{print $1}')" >> $GITHUB_OUTPUT + +# +# temporary hack +# should be revisited after https://github.com/actions/runner-images/issues/9491 is resolved +# + + - name: Setup enthropy + if: ${{ startsWith(matrix.os, 'ubuntu-') }} + run: | + sudo sysctl vm.mmap_rnd_bits=28 + - name: Cache SSL libs if: ${{ matrix.ssl && matrix.ssl != 'stock' && matrix.ssl != 'BORINGSSL=yes' && matrix.ssl != 'QUICTLS=yes' }} id: cache_ssl - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: '~/opt/' key: ssl-${{ steps.generate-cache-key.outputs.key }} @@ -66,7 +77,7 @@ - name: Cache OpenTracing if: ${{ contains(matrix.FLAGS, 'USE_OT=1') }} id: cache_ot - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: '~/opt-ot/' key: ot-${{ matrix.CC }}-${{ env.OT_CPP_VERSION }}-${{ contains(matrix.name, 'ASAN') }} diff -Nru haproxy-2.6.16/CHANGELOG haproxy-2.6.17/CHANGELOG --- haproxy-2.6.16/CHANGELOG 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/CHANGELOG 2024-04-05 18:18:18.000000000 +0000 
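Review bot: `sudo sysctl vm.mmap_rnd_bits=28` lowers the kernel's mmap ASLR entropy for every `ubuntu-*` job, not only the ASAN/clang builds the commit message says need it; if the matrix identifies those jobs (the cache key further down already tests `contains(matrix.name, 'ASAN')`), narrowing the `if:` to them keeps full ASLR on the other builds. The step name has a typo, `- name: Setup entropy`, and the block comment above it should say what the hack actually does and where it is acceptable, e.g. `# temporary hack: lower mmap ASLR entropy (vm.mmap_rnd_bits) so ASAN/clang runs on current runner kernels; ephemeral CI runners only, never copy to persistent or self-hosted machines`. The reference to the runner-images issue is good, but nothing here will fail once the issue is resolved, so the hack can silently outlive its need.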
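Review bot: `uses: actions/cache@v4` (and the same bump on the Cache SSL libs step in the previous hunk) references a mutable tag, so a force-pushed or compromised tag changes the code that gets write access to the cache and the workflow's token. The usual supply-chain hardening is to pin the full commit SHA and keep the tag as a comment, `uses: actions/cache@<40-char commit sha>  # v4`, which Dependabot can still track. The SHA has to be taken from the actions/cache v4 release; I cannot supply it from this diff.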
@@ -1,6 +1,116 @@ ChangeLog : =========== +2024/04/05 : 2.6.17 + - BUG/MEDIUM: connection: report connection errors even when no mux is installed + - BUG/MEDIUM: mworker: set the master variable earlier + - BUG/MEDIUM: proxy: always initialize the default settings after init + - DOC: configuration: typo req.ssl_hello_type + - BUG/MINOR: mworker/cli: fix set severity-output support + - BUG/MEDIUM: mux-h2: Report too large HEADERS frame only when rxbuf is empty + - BUG/MINOR: resolvers: default resolvers fails when network not configured + - DOC: config: Update documentation about local haproxy response + - MINOR: stats: store the parent proxy in stats ctx (http) + - BUG/MEDIUM: stats: unhandled switching rules with TCP frontend + - MINOR: h3: check connection error during sending + - BUG/MINOR: h3: close connection on header list too big + - BUG/MINOR: h3: properly handle alloc failure on finalize + - BUG/MINOR: h3: close connection on sending alloc errors + - CLEANUP: quic: Remaining useless code into server part + - BUG/MEDIUM: h3: fix incorrect snd_buf return value + - BUG/MEDIUM: stconn: Forward shutdown on write timeout only if it is forwardable + - BUG/MEDIUM: spoe: Never create new spoe applet if there is no server up + - BUG/MEDIUM: h3: fix regression which completely prevents any send + - BUG/MINOR: mux-quic: do not prevent non-STREAM sending on flow control + - MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding + - MINOR: debug: make sure calls to ha_crash_now() are never merged + - MINOR: debug: make ABORT_NOW() store the caller's line number when using abort + - MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT + - BUG/MEDIUM: cli: some err/warn msg dumps add LR into CSV output on stat's CLI + - BUG/MINOR: vars/cli: fix missing LF after "get var" output + - BUG/MINOR: jwt: fix jwt_verify crash on 32-bit archs + - BUG/MEDIUM: pool: fix rare risk of deadlock in pool_flush() + - BUG/MINOR: h1-htx: properly 
initialize the err_pos field + - BUG/MINOR: h1: Don't support LF only at the end of chunks + - BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size + - BUG/MEDIUM: h1: always reject the NUL character in header values + - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions + - BUG/MINOR: ssl: Clear the ckch instance when deleting a crt-list line + - REGTESTS: ssl: Fix empty line in cli command input + - BUG/MINOR: h3: fix checking on NULL Tx buffer + - CLEANUP: quic: Remove unused CUBIC_BETA_SCALE_FACTOR_SHIFT macro. + - MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT) + - MINOR: quic: extract qc_stream_buf free in a dedicated function + - MINOR: h3: add traces for stream sending function + - BUG/MEDIUM: h3: do not crash on invalid response status code + - BUG/MEDIUM: qpack: allow 6xx..9xx status codes + - BUG/MEDIUM: quic: fix crash on invalid qc_stream_buf_free() BUG_ON + - BUG/MINOR: quic: Wrong ack ranges handling when reaching the limit. + - CLEANUP: quic: Code clarifications for QUIC CUBIC (RFC 9438) + - BUG/MINOR: quic: fix possible integer wrap around in cubic window calculation + - MINOR: quic: Stop using 1024th of a second. + - BUG/MEDIUM: quic: Wrong K CUBIC calculation. 
+ - MINOR: quic: Update K CUBIC calculation (RFC 9438) + - MINOR: quic: Dynamic packet reordering threshold + - BUG/MINOR: diag: run the final diags before quitting when using -c + - BUILD: address a few remaining calloc(size, n) cases + - DOC: configuration: clarify http-request wait-for-body + - DOC: httpclient: add dedicated httpclient section + - DOC: install: recommend pcre2 + - DOC: internal: update missing data types in peers-v2.0.txt + - CI: Update to actions/cache@v4 + - DEV: makefile: add a new "range" target to iteratively build all commits + - DEV: makefile: fix POSIX compatibility for "range" target + - BUG/MAJOR: promex: fix crash on deleted server + - BUG/MINOR: quic: reject unknown frame type + - BUG/MINOR: quic: reject HANDSHAKE_DONE as server + - BUG/MINOR: qpack: reject invalid increment count decoding + - BUG/MINOR: qpack: reject invalid dynamic table capacity + - BUG/MEDIUM: applet: Immediately free appctx on early error + - BUG/MEDIUM: hlua: Be able to garbage collect uninitialized lua sockets + - BUG/MEDIUM: hlua: Don't loop if a lua socket does not consume received data + - MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support + - BUG/MINOR: ist: allocate nul byte on istdup + - BUG/MINOR: stats: drop srv refcount on early release + - BUG/MAJOR: server: fix stream crash due to deleted server + - BUG/MINOR: ist: only store NUL byte on succeeded alloc + - BUG/MINOR: ssl/cli: duplicate cleaning code in cli_parse_del_crtlist + - DOC: configuration: clarify ciphersuites usage + - BUG/MINOR: hlua: Fix log level to the right value when set via TXN:set_loglevel + - MINOR: hlua: Be able to disable logging from lua + - BUG/MINOR: tools: seed the statistical PRNG slightly better + - BUG/MINOR: hlua: fix unsafe lua_tostring() usage with empty stack + - BUG/MINOR: hlua: don't use lua_tostring() from unprotected contexts + - BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load + - BUG/MINOR: hlua: improper lock usage in 
hlua_filter_callback() + - BUG/MINOR: hlua: improper lock usage in hlua_filter_new() + - BUG/MEDIUM: hlua: improper lock usage with SET_SAFE_LJMP() + - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume() + - BUG/MINOR: ssl/cli: typo in new ssl crl-file CLI description + - BUG/MINOR: cfgparse: report proper location for log-format-sd errors + - DOC: configuration: clarify ciphersuites usage (V2) + - BUG/MINOR: ssl: fix possible ctx memory leak in sample_conv_aes_gcm() + - BUG/MINOR: hlua: segfault when loading the same filter from different contexts + - BUG/MINOR: hlua: missing lock in hlua_filter_new() + - BUG/MINOR: hlua: fix missing lock in hlua_filter_delete() + - BUG/MINOR: listener: Wake proxy's mngmt task up if necessary on session release + - BUG/MINOR: listener: Don't schedule frontend without task in listener_release() + - BUG/MEDIUM: spoe: Don't rely on stream's expiration to detect processing timeout + - BUG/MINOR: spoe: Be sure to be able to quickly close IDLE applets on soft-stop + - CI: temporarily adjust kernel entropy to work with ASAN/clang + - BUG/MEDIUM: spoe: Return an invalid frame on recv if size is too small + - BUG/MINOR: session: ensure conn owner is set after insert into session + - BUG/MINOR: mux-quic: close all QCS before freeing QCC tasklet + - BUG/MEDIUM: mux-fcgi: Properly handle EOM flag on end-of-trailers HTX block + - BUG/MINOR: server: 'source' interface ignored from 'default-server' directive + - BUG/MINOR: server: ignore 'enabled' for dynamic servers + - BUG/MINOR: backend: properly handle redispatch 0 + - DOC: config: Remove httpclient.timeout.connect parameter + - DEBUG: lua: precisely identify if stream is stuck inside lua or not + - MINOR: hlua: use accessors for stream hlua ctx + - BUG/MEDIUM: hlua: streams don't support mixing lua-load with lua-load-per-thread (2nd try) + - BUG/MINOR: proxy: fix logformat expression leak in use_backend rules + 2023/12/13 : 2.6.16 - CI: get rid of travis-ci wrapper for Coverity scan 
- BUG/MINOR: hlua: fix invalid use of lua_pop on error paths diff -Nru haproxy-2.6.16/INSTALL haproxy-2.6.17/INSTALL --- haproxy-2.6.16/INSTALL 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/INSTALL 2024-04-05 18:18:18.000000000 +0000 @@ -38,18 +38,18 @@ - recent Linux system with all options, make and install : $ make clean $ make -j $(nproc) TARGET=linux-glibc \ - USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_SYSTEMD=1 + USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 USE_SYSTEMD=1 $ sudo make install - FreeBSD and OpenBSD, build with all options : - $ gmake -j 4 TARGET=freebsd USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 + $ gmake -j 4 TARGET=freebsd USE_OPENSSL=1 USE_LUA=1 USE_PCRE2=1 - embedded Linux, build using a cross-compiler : - $ make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 \ + $ make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE2=1 \ CC=/opt/cross/gcc730-arm/bin/gcc ADDLIB=-latomic - Build with static PCRE on Solaris / UltraSPARC : - $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1 + $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE2=1 For more advanced build options or if a command above reports an error, please read the following sections. 
@@ -185,9 +185,9 @@ If you plan on importing a particularly heavy configuration involving a lot of regex, you may benefit from using some alternative regex implementations such as -PCRE. HAProxy natively supports PCRE and PCRE2, both in standard and JIT -flavors (Just In Time). The following options are available depending on the -library version provided on your system : +PCRE. HAProxy natively supports PCRE and PCRE2 (recommended), both in standard +and JIT flavors (Just In Time). The following options are available depending on +the library version provided on your system : - "USE_PCRE=1" : enable PCRE version 1, dynamic linking - "USE_STATIC_PCRE=1" : enable PCRE version 1, static linking diff -Nru haproxy-2.6.16/Makefile haproxy-2.6.17/Makefile --- haproxy-2.6.16/Makefile 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/Makefile 2024-04-05 18:18:18.000000000 +0000 @@ -23,8 +23,8 @@ # USE_PCRE2_JIT : enable JIT for faster regex on libpcre2 # USE_POLL : enable poll(). Automatic. # USE_THREAD : enable threads support. -# USE_STATIC_PCRE : enable static libpcre. Recommended. -# USE_STATIC_PCRE2 : enable static libpcre2. +# USE_STATIC_PCRE : enable static libpcre. +# USE_STATIC_PCRE2 : enable static libpcre2. Recommended. # USE_TPROXY : enable transparent proxy. Automatic. # USE_LINUX_TPROXY : enable full transparent proxy. Automatic. # USE_LINUX_SPLICE : enable kernel 2.6 splicing. Automatic. 
@@ -1207,3 +1207,38 @@ @echo "(see --help option of this script for more information)." .PHONY: reg-tests reg-tests-help + +# "make range" iteratively builds using "make all" and the exact same build +# options for all commits within RANGE. RANGE may be either a git range +# such as ref1..ref2 or a single commit, in which case all commits from +# the master branch to this one will be tested. + +range: + $(Q)[ -d .git/. ] || { echo "## Fatal: \"make $@\" may only be used inside a Git repository."; exit 1; } + + $(Q)if git diff-index --name-only HEAD 2>/dev/null | grep -q ^; then \ + echo "Fatal: \"make $@\" requires a clean working tree."; exit 1; fi + + $(Q)[ -n "$(RANGE)" ] || { echo "## Fatal: \"make $@\" requires a git commit range in RANGE."; exit 1; } + $(Q)[ -n "$(TARGET)" ] || { echo "## Fatal: \"make $@\" needs the same variables as \"all\" (TARGET etc)."; exit 1; } + + $(Q) ( die() { echo;echo "## Stopped in error at index [ $$index/$$count ] commit $$commit";\ + echo "Previous branch was $$BRANCH"; exit $$1; }; \ + BRANCH=$$(git branch --show-current HEAD 2>/dev/null); \ + [ -n "$$BRANCH" ] || { echo "Fatal: \"make $@\" may only be used inside a checked out branch."; exit 1; }; \ + [ -z "$${RANGE##*..*}" ] || RANGE="master..$${RANGE}"; \ + COMMITS=$$(git rev-list --abbrev-commit --reverse "$${RANGE}"); \ + index=1; count=$$(echo $$COMMITS | wc -w); \ + [ "$${count}" -gt 0 ] || { echo "## Fatal: no commit(s) found in range $${RANGE}."; exit 1; }; \ + echo "Found $${count} commit(s) in range $${RANGE}." ; \ + echo "Current branch is $$BRANCH"; \ + echo "Starting to building now..."; \ + for commit in $$COMMITS; do \ + echo "[ $$index/$$count ] $$commit #############################"; \ + git checkout -q $$commit || die 1; \ + $(MAKE) all || die 1; \ + index=$$((index + 1)); \ + done; \ + echo;echo "Done! 
$${count} commit(s) built successfully for RANGE $${RANGE}" ; \ + git checkout -q "$$BRANCH"; \ + ) diff -Nru haproxy-2.6.16/SUBVERS haproxy-2.6.17/SUBVERS --- haproxy-2.6.16/SUBVERS 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/SUBVERS 2024-04-05 18:18:18.000000000 +0000 @@ -1,2 +1,2 @@ --c6a7346 +-a7cab98 diff -Nru haproxy-2.6.16/VERDATE haproxy-2.6.17/VERDATE --- haproxy-2.6.16/VERDATE 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/VERDATE 2024-04-05 18:18:18.000000000 +0000 @@ -1,2 +1,2 @@ -2023-12-13 17:49:14 +0100 -2023/12/13 +2024-04-05 20:18:18 +0200 +2024/04/05 diff -Nru haproxy-2.6.16/VERSION haproxy-2.6.17/VERSION --- haproxy-2.6.16/VERSION 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/VERSION 2024-04-05 18:18:18.000000000 +0000 @@ -1 +1 @@ -2.6.16 +2.6.17 diff -Nru haproxy-2.6.16/addons/promex/service-prometheus.c haproxy-2.6.17/addons/promex/service-prometheus.c --- haproxy-2.6.16/addons/promex/service-prometheus.c 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/addons/promex/service-prometheus.c 2024-04-05 18:18:18.000000000 +0000 @@ -412,6 +412,15 @@ return state; } +/* Store in safely by using refcount to prevent server deletion. */ +static void promex_set_ctx_sv(struct promex_ctx *ctx, struct server *sv) +{ + srv_drop(ctx->sv); + ctx->sv = sv; + if (ctx->sv) + srv_take(ctx->sv); +} + /* Convert a field to its string representation and write it in , followed * by a newline, if there is enough space. non-numeric value are converted in * "NaN" because Prometheus only support numerical values (but it is unexepceted 
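Review bot: The clean-tree check `git diff-index --name-only HEAD` compares against cached stat data, so after a touch or a checkout by another tool it can report phantom modifications and abort, and it does not report untracked files; refreshing first and using the quiet form is the reliable idiom: `$(Q)git update-index -q --refresh; \` followed by `if ! git diff-index --quiet HEAD --; then \`. On the error path `die` prints the previous branch but leaves the tree at the detached commit — only the success path runs `git checkout -q "$$BRANCH"` — so either a `git checkout -q "$$BRANCH"` before `exit $$1` in die, or a sentence in the comment above the target telling the user to `git checkout -` to recover, would avoid surprise. Since `$(MAKE) all` runs with the caller's variables, the comment should also note that whatever the range contains is built and nothing is run, which is why the clean-tree requirement matters.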
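Review bot: promex_set_ctx_sv() drops the old reference before taking the new one, so a call where `sv == ctx->sv` with a refcount of 1 would free the server and then srv_take() the freed object; taking first costs nothing and removes the hazard: `if (sv) srv_take(sv); srv_drop(ctx->sv); ctx->sv = sv;`. The unconditional `srv_drop(ctx->sv)` also relies on srv_drop() tolerating NULL, since ctx->sv is NULL until the first server is stored — that appears to hold in this tree but deserves a one-line comment, `/* srv_drop() must be a no-op on NULL: ctx->sv starts out unset */`, so the assumption is not silently broken later.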
@@ -1125,16 +1134,16 @@ &val, labels, &out, max)) goto full; next_sv: - ctx->sv = sv->next; + promex_set_ctx_sv(ctx, sv->next); } next_px: ctx->px = px->next; - ctx->sv = (ctx->px ? ctx->px->srv : NULL); + promex_set_ctx_sv(ctx, ctx->px ? ctx->px->srv : NULL); } ctx->flags |= PROMEX_FL_METRIC_HDR; ctx->px = proxies_list; - ctx->sv = (ctx->px ? ctx->px->srv : NULL); + promex_set_ctx_sv(ctx, ctx->px ? ctx->px->srv : NULL); } @@ -1229,7 +1238,7 @@ ctx->px = NULL; ctx->st = NULL; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC); ctx->obj_state = 0; ctx->field_num = INF_NAME; @@ -1249,7 +1258,7 @@ ctx->px = proxies_list; ctx->st = NULL; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags &= ~PROMEX_FL_INFO_METRIC; ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_FRONT_METRIC); ctx->obj_state = 0; @@ -1270,7 +1279,7 @@ ctx->px = proxies_list; ctx->st = NULL; ctx->li = LIST_NEXT(&proxies_list->conf.listeners, struct listener *, by_fe); - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags &= ~PROMEX_FL_FRONT_METRIC; ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_LI_METRIC); ctx->obj_state = 0; @@ -1291,7 +1300,7 @@ ctx->px = proxies_list; ctx->st = NULL; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags &= ~PROMEX_FL_LI_METRIC; ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_BACK_METRIC); ctx->obj_state = 0; @@ -1312,7 +1321,7 @@ ctx->px = proxies_list; ctx->st = NULL; ctx->li = NULL; - ctx->sv = ctx->px ? ctx->px->srv : NULL; + promex_set_ctx_sv(ctx, ctx->px ? ctx->px->srv : NULL); ctx->flags &= ~PROMEX_FL_BACK_METRIC; ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_SRV_METRIC); ctx->obj_state = 0; 
@@ -1333,7 +1342,7 @@ ctx->px = NULL; ctx->st = stktables_list; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags &= ~(PROMEX_FL_METRIC_HDR|PROMEX_FL_SRV_METRIC); ctx->flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_STICKTABLE_METRIC); ctx->field_num = STICKTABLE_SIZE; @@ -1353,7 +1362,7 @@ ctx->px = NULL; ctx->st = NULL; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags &= ~(PROMEX_FL_METRIC_HDR|PROMEX_FL_STICKTABLE_METRIC); ctx->field_num = 0; appctx->st1 = PROMEX_DUMPER_DONE; @@ -1374,7 +1383,7 @@ ctx->px = NULL; ctx->st = NULL; ctx->li = NULL; - ctx->sv = NULL; + promex_set_ctx_sv(ctx, NULL); ctx->flags = 0; ctx->field_num = 0; appctx->st1 = PROMEX_DUMPER_DONE; @@ -1530,6 +1539,16 @@ return 0; } +/* Callback function that releases a promex applet. This happens when the + * connection with the agent is closed. */ +static void promex_appctx_release(struct appctx *appctx) +{ + struct promex_ctx *ctx = appctx->svcctx; + + if (appctx->st1 == PROMEX_DUMPER_SRV) + srv_drop(ctx->sv); +} + /* The main I/O handler for the promex applet. */ static void promex_appctx_handle_io(struct appctx *appctx) { @@ -1627,6 +1646,7 @@ .name = "", /* used for logging */ .init = promex_appctx_init, .fct = promex_appctx_handle_io, + .release = promex_appctx_release, }; static enum act_parse_ret service_parse_prometheus_exporter(const char **args, int *cur_arg, struct proxy *px, diff -Nru haproxy-2.6.16/admin/halog/halog.c haproxy-2.6.17/admin/halog/halog.c --- haproxy-2.6.16/admin/halog/halog.c 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/admin/halog/halog.c 2024-04-05 18:18:18.000000000 +0000 @@ -405,7 +405,7 @@ struct eb32_node *n; if (!t) { - t = calloc(sizeof(*t), 1); + t = calloc(1, sizeof(*t)); if (unlikely(!t)) { fprintf(stderr, "%s: not enough memory\n", __FUNCTION__); exit(1); 
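Review bot: promex_appctx_release() only drops the server reference when `appctx->st1 == PROMEX_DUMPER_SRV`, which makes leak-freedom depend on every other state having already cleared ctx->sv via promex_set_ctx_sv(ctx, NULL); the hunks above do that today, but a state added later without the reset would leak a refcount and keep a deleted server pinned. Because promex_set_ctx_sv() already calls srv_drop() unconditionally (so NULL is evidently tolerated), the release can simply do `promex_set_ctx_sv(ctx, NULL);` regardless of st1, which also leaves ctx->sv NULL should the context ever be reused. If release can run before the svcctx is reserved, a leading `if (!ctx) return;` is prudent; I cannot confirm that ordering from this hunk.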
@@ -433,7 +433,7 @@ struct eb32_node *n; if (!t) { - t = calloc(sizeof(*t), 1); + t = calloc(1, sizeof(*t)); if (unlikely(!t)) { fprintf(stderr, "%s: not enough memory\n", __FUNCTION__); exit(1); diff -Nru haproxy-2.6.16/debian/changelog haproxy-2.6.17/debian/changelog --- haproxy-2.6.16/debian/changelog 2023-12-13 19:50:30.000000000 +0000 +++ haproxy-2.6.17/debian/changelog 2024-04-06 14:02:57.000000000 +0000 @@ -1,3 +1,15 @@ +haproxy (2.6.17-1ppa1~jammy) jammy; urgency=medium + + * Rebuild for jammy. + + -- Vincent Bernat Sat, 06 Apr 2024 16:02:57 +0200 + +haproxy (2.6.17-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Sat, 06 Apr 2024 15:02:41 +0200 + haproxy (2.6.16-1ppa1~jammy) jammy; urgency=medium * Rebuild for jammy. diff -Nru haproxy-2.6.16/dev/udp/udp-perturb.c haproxy-2.6.17/dev/udp/udp-perturb.c --- haproxy-2.6.16/dev/udp/udp-perturb.c 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/dev/udp/udp-perturb.c 2024-04-05 18:18:18.000000000 +0000 @@ -481,7 +481,7 @@ if (addr_to_ss(argv[optind+1], &srv_addr, &err) < 0) die(1, "parsing server address: %s\n", err.msg); - pfd = calloc(sizeof(struct pollfd), MAXCONN + 1); + pfd = calloc(MAXCONN + 1, sizeof(struct pollfd)); if (!pfd) die(1, "out of memory\n"); diff -Nru haproxy-2.6.16/doc/configuration.txt haproxy-2.6.17/doc/configuration.txt --- haproxy-2.6.16/doc/configuration.txt 2023-12-13 16:49:14.000000000 +0000 +++ haproxy-2.6.17/doc/configuration.txt 2024-04-05 18:18:18.000000000 +0000 @@ -3,7 +3,7 @@ Configuration Manual ---------------------- version 2.6 - 2023/12/13 + 2024/04/05 This document covers the configuration language as implemented in the version @@ -56,6 +56,7 @@ 3.8. HTTP-errors 3.9. Rings 3.10. Log forwarding +3.11. HTTPClient tuning 4. Proxies 4.1. Proxy keywords matrix 
@@ -1053,10 +1054,6 @@ - h1-case-adjust-file - h2-workaround-bogus-websocket-clients - hard-stop-after - - httpclient.resolvers.id - - httpclient.resolvers.prefer - - httpclient.ssl.ca-file - - httpclient.ssl.verify - insecure-fork-wanted - insecure-setuid-wanted - issuers-chain-path @@ -1190,6 +1187,11 @@ - quiet - zero-warning + * HTTPClient + - httpclient.resolvers.id + - httpclient.resolvers.prefer + - httpclient.ssl.ca-file + - httpclient.ssl.verify 3.1. Process management and security ------------------------------------ 
@@ -1606,43 +1608,6 @@ See also: grace -httpclient.resolvers.id - This option defines the resolvers section with which the httpclient will try - to resolve. - - Default option is the "default" resolvers ID. By default, if this option is - not used, it will simply disable the resolving if the section is not found. - - However, when this option is explicitly enabled it will trigger a - configuration error if it fails to load. - -httpclient.resolvers.prefer - This option allows to chose which family of IP you want when resolving, - which is convenient when IPv6 is not available on your network. Default - option is "ipv6". - -httpclient.ssl.ca-file - This option defines the ca-file which should be used to verify the server - certificate. It takes the same parameters as the "ca-file" option on the - server line. - - By default and when this option is not used, the value is - "@system-ca" which tries to load the CA of the system. If it fails the SSL - will be disabled for the httpclient. - - However, when this option is explicitly enabled it will trigger a - configuration error if it fails. - -httpclient.ssl.verify [none|required] - Works the same way as the verify option on server lines. If specified to 'none', - servers certificates are not verified. Default option is "required". - - By default and when this option is not used, the value is - "required". If it fails the SSL will be disabled for the httpclient. - - However, when this option is explicitly enabled it will trigger a - configuration error if it fails. - insecure-fork-wanted By default HAProxy tries hard to prevent any thread and process creation after it starts. Doing so is particularly important when using Lua files of 
@@ -2080,8 +2045,26 @@ theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For cipher configuration for TLSv1.2 and earlier, please check the - "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more - information. + "ssl-default-bind-ciphers" keyword. This setting might accept TLSv1.2 + ciphersuites however this is an undocumented behavior and not recommended as + it could be inconsistent or buggy. + The default TLSv1.3 ciphersuites of OpenSSL are: + "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" + + TLSv1.3 only supports 5 ciphersuites: + + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_AES_128_CCM_SHA256 + - TLS_AES_128_CCM_8_SHA256 + + Please check the "bind" keyword for more information. + + Example: + global + ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256 + ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 ssl-default-bind-curves This setting is only available when support for OpenSSL was built in. It sets @@ -3022,6 +3005,12 @@ The default value is 100. +tune.quic.reorder-ratio <0..100, in percent> + The ratio applied to the packet reordering threshold calculated. It may + trigger a high packet loss detection when too small. + + The default value is 50. + tune.quic.retry-threshold Warning: QUIC support in HAProxy is currently experimental. Configuration may change without deprecation in the future. 
@@ -3826,6 +3815,50 @@ timeout client Set the maximum inactivity time on the client side. +3.11. HTTPClient tuning +----------------------- + +HTTPClient is an internal HTTP library, it can be used by various subsystems, +for example in LUA scripts. HTTPClient is not used in the data path, in other +words it has nothing with HTTP traffic passing through HAProxy. + +httpclient.resolvers.id + This option defines the resolvers section with which the httpclient will try + to resolve. + + Default option is the "default" resolvers ID. By default, if this option is + not used, it will simply disable the resolving if the section is not found. + + However, when this option is explicitly enabled it will trigger a + configuration error if it fails to load. + +httpclient.resolvers.prefer + This option allows to chose which family of IP you want when resolving, + which is convenient when IPv6 is not available on your network. Default + option is "ipv6". + +httpclient.ssl.ca-file + This option defines the ca-file which should be used to verify the server + certificate. It takes the same parameters as the "ca-file" option on the + server line. + + By default and when this option is not used, the value is + "@system-ca" which tries to load the CA of the system. If it fails the SSL + will be disabled for the httpclient. + + However, when this option is explicitly enabled it will trigger a + configuration error if it fails. + +httpclient.ssl.verify [none|required] + Works the same way as the verify option on server lines. If specified to 'none', + servers certificates are not verified. Default option is "required". + + By default and when this option is not used, the value is + "required". If it fails the SSL will be disabled for the httpclient. + + However, when this option is explicitly enabled it will trigger a + configuration error if it fails. + 4. Proxies ---------- @@ -7544,13 +7577,21 @@ http-request wait-for-body time