List:       haproxy
Subject:    [ANNOUNCE] haproxy-1.5-dev24
From:       Willy Tarreau <w () 1wt ! eu>
Date:       2014-04-25 22:30:52
Message-ID: 20140425223052.GA25282 () 1wt ! eu

OK, so as usual when I'm sending a version with many patches, a second
one is not that far away...

1.5-dev23 was a mess. I broke a few things very quickly in the last
changes made to fix the chunked compression. On the positive side of
things, I start to have a nose for this, the faulty commit was properly
tagged "MAJOR" :-)

So three things broke :
  - forwarding of a message body (request or response) would automatically
    stop after the transfer timeout strikes, and with no error. This is the
    reason some people retrieved truncated tarballs from the main site.

  - redirects failed to update the msg->next offset after consuming the
    request, so if they were made with keep-alive enabled and starting with
    a slash (relative location), then the buffer was shifted by a negative
    amount of data, causing a crash.

That's for the regressions. Now the other issues fixed :

  - the bug that was randomly breaking the stats page in chunked mode was
    fixed, and it could likely have affected peers synchronization as well,
    with some rare but possible connection breakages.

  - 100-continue responses could be blocked if the final response came in
    the same packet.

  - fixed reporting of some server errors and client errors in the stats
    and logs.

  - stats activation in frontend/backend/defaults was still a mess that
    started in 1.3.4 and which did not match the doc since then. Now it's
    supported in front/back/defaults and we don't emit a warning anymore
    when it's specified in a frontend.

  - the code to standardize DH parameters caused an important performance
    regression for Sander Klein, so it was temporarily reverted for the
    time needed to understand the cause and to fix it.

And some improvements :

  - the stats page now finally supports keep-alive and compression. The
    compression ratio is between 75 and 85% depending on the number of
    servers, that's quite appreciable.

  - some people were complaining about the time it took to start checks
    with long intervals, so now there's a global max-spread-checks setting
    to limit the delay between the first and the last check.

  - now we have the discussed max-keep-alive-queue setting to avoid reusing
    a connection if a server already has a certain amount of queuing.

  - http-request/response support set-map/del-map, add-acl/del-acl to add
    or remove patterns to maps and acls on the fly by extracting them from
    various sources. The lookups are still linear since they search in the
    pattern database (text version), but that can already be very useful
    as a complement to stick tables.

  - we now detect TLSv1 handshakes containing a heartbeat record, and
    among them, specifically the Heartbleed attack which we can block. It
    will only work with a heartbeat-enabled openssl though. The detected
    heartbeat type is reported. At least it will tell us whether we're
    facing real handshake failures or just noise from random attackers
    and bots. It can also save one's butt when accidentally deploying
    using a fresh non-upgraded install of a system shipped with the
    vulnerability.

And that's all, it's enough for a new release. Please report any bugs you
find. I hope none, of course. I was surprised to see so few bug reports
on dev23 despite the two I faced, but maybe we're starting to hit the rare
ones already.

Willy
---
Usual links below :

     Site index       : http://haproxy.1wt.eu/
     Sources          : http://haproxy.1wt.eu/download/1.5/src/devel/
     Changelog        : http://haproxy.1wt.eu/download/1.5/src/CHANGELOG
     Cyril's HTML doc : http://cbonte.github.com/haproxy-dconv/configuration-1.5.html

And the changelog :

2014/04/26 : 1.5-dev24
    - MINOR: pattern: find element in a reference
    - MEDIUM: http: ACL and MAP updates through http-(request|response) rules
    - MEDIUM: ssl: explicitly log failed handshakes after a heartbeat
    - DOC: Full section dedicated to the converters
    - MEDIUM: http: register http-request and http-response keywords
    - BUG/MINOR: compression: correctly report incoming byte count
    - BUG/MINOR: http: don't report server aborts as client aborts
    - BUG/MEDIUM: channel: bi_putblk() must not wrap before the end of buffer
    - CLEANUP: buffers: remove unused function buffer_contig_space_with_res()
    - MEDIUM: stats: reimplement HTTP keep-alive on the stats page
    - BUG/MAJOR: http: fix timeouts during data forwarding
    - BUG/MEDIUM: http: 100-continue responses must process the next part immediately
    - MEDIUM: http: move skipping of 100-continue earlier
    - BUILD: stats: let gcc know that last_fwd cannot be used uninitialized...
    - CLEANUP: general: get rid of all old occurrences of "session *t"
    - CLEANUP: http: remove the useless "if (1)" inherited from version 1.4
    - BUG/MEDIUM: stats: mismatch between behaviour and doc about front/back
    - MEDIUM: http: enable analysers to have keep-alive on stats
    - REORG: http: move HTTP Connection response header parsing earlier
    - MINOR: stats: always emit HTTP/1.1 in responses
    - MINOR: http: add capture.req.ver and capture.res.ver
    - MINOR: checks: add a new global max-spread-checks directive
    - BUG/MAJOR: http: fix the 'next' pointer when performing a redirect
    - MINOR: http: implement the max-keep-alive-queue setting
    - DOC: fix alphabetic order of tcp-check
    - MINOR: connection: add a new error code for SSL with heartbeat
    - MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack
    - BUG/MEDIUM: Revert "MEDIUM: ssl: Add standardized DH parameters >= 1024 bits"
    - BUILD: http: remove a warning on strndup
    - BUILD: ssl: avoid a warning about conn not used with OpenSSL < 1.0.1
    - BUG/MINOR: ssl: really block OpenSSL's response to heartbleed attack
    - MINOR: ssl: finally catch the heartbeats missing the padding

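As an added illustration of the heartbeat detection described above (this is a standalone example, not haproxy's own code): RFC 6520 heartbeat records carry a claimed payload length followed by at least 16 bytes of padding, and the Heartbleed pattern is a claimed length larger than what the record actually carries. The sample records below are constructed inline.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def classify_tls_record(record: bytes) -> str:
    """Classify one raw TLS record by its heartbeat content.

    Returns 'not-heartbeat', 'heartbeat-ok', 'heartbeat-oversized' (the
    Heartbleed pattern), 'heartbeat-short-padding' or 'malformed'.
    """
    if len(record) < 5:
        return "malformed"
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # Heartbleed signature: the claimed payload length exceeds the bytes
    # actually present in the record after the 3-byte heartbeat header.
    if payload_len > rec_len - 3:
        return "heartbeat-oversized"
    # Heartbeats that skip the mandatory padding are also non-conforming.
    if rec_len - 3 - payload_len < HB_MIN_PADDING:
        return "heartbeat-short-padding"
    return "heartbeat-ok"


def scan_stream(data: bytes):
    """Walk concatenated TLS records and return (offset, verdict) pairs."""
    verdicts, off = [], 0
    while off + 5 <= len(data):
        rec_len = struct.unpack("!H", data[off + 3:off + 5])[0]
        verdicts.append((off, classify_tls_record(data[off:off + 5 + rec_len])))
        off += 5 + rec_len
    return verdicts


# Constructed sample records (TLS 1.0 version bytes 0x03 0x01).
HANDSHAKE = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"      # content type 22
BENIGN = b"\x18\x03\x01\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
OVERSIZED = b"\x18\x03\x01\x00\x03" + b"\x01\x40\x00"             # claims 16384 bytes
SHORT_PADDING = b"\x18\x03\x01\x00\x07" + b"\x01\x00\x04ping"     # no padding at all
```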