Subject: CVS commit: pkgsrc/net/haproxy
From: Adam Ciarcinski
Date: 2024-05-29 22:27:50
Message id: 20240529202750.A9E70FA2C@cvs.NetBSD.org

Log Message:
haproxy: updated to 3.0.0

HAProxy 3.0.0 was released on 2024/05/29. It added 21 new commits
after version 3.0-dev13. I do appreciate that everything was only
cosmetic.

We're having a total of 1108 patches in this release among which 850 ones
not concerning a bug, which makes it the smallest LTS release of all times
(2.6 and 2.4 still remain the largest ones, respectively 65% and 58%
larger). This is good news in terms of expected stability, which might
possibly break the old myth of "better avoid dot zero".

Let's try to summarize what's new in this release. It has been one of the
most difficult for me to summarize because I'm not seeing one big killer
feature, instead it's an LTS as we like them: mostly a nice polishing of
existing stuff and small improvements all over the place as permitted by
the previous version's architectural changes. I tried to classify this
into a few categories, depending on the intended benefits.

First, let's enumerate the new features, and improvements of existing ones:

  - stats can finally be preserved across reloads for frontends,
    listeners, backends and servers. When using this, the config objects
    of the new process are preloaded with the relevant values from a dump
    of the previous process. This essentially concerns counters, ages and
    rates. Please have a look at "stats-file" and "dump stats-file" for
    more information.

  - the log outgoing load-balancing now relies on a regular backend,
    meaning that the load balancing algorithms could finally be unified
    with the ones used by other protocols, and servers now support
    weights.

  - log-format now supports JSON and CBOR output encoding. In such a case,
    the field name is taken from a new naming scheme that is placed within
    the log-format itself, allowing a name to be assigned to each field.

  - the load balancing algorithm "sticky" that was initially reserved for
    logs was generalized to other protocols.

  - the HTTP/2 RST_STREAM reason code can finally be forwarded to the
    server for client aborts. This addresses the problem a few users were
    facing with gRPC where request cancellation appeared as communication
    errors on the server side. For now this is purposely limited to only a
    few reason codes that are relevant to gRPC so that we don't ruin the
    possibility to later extend that to H3 and maybe H1.

  - QUIC now supports the HyStart++ (RFC9406) alternative to slowstart
    with the Cubic algorithm. It's supposed to show better recovery
    patterns. It's not yet enabled by default.

  - a new set of converters, map_*_key, will report the matching part of
    the key itself instead of the associated pattern. The main target use
    cases for this is to know what address mask an address did match, or
    what regex a pattern did match.

  - the "uuid()" sample fetch function, which takes an optional version in
    argument, now also supports "7" for UUIDv7. These UUIDs regroup many
    properties found in ULID and other mechanisms, one of the most
    interesting ones being time-based locality that, for example, eases the
    archiving of old data, or the grouping of events on systems where
    they'll be processed together.

  - the name associated with servers in connection pools can now be
    overridden by the expression in "pool-conn-name" when SNI is not
    desired (useful with rhttp without SSL for example, but may also make
    sense when reaching remote servers over SSL tunnels). It also allows
    to entirely drop SSL from the server.

  - the "namespace" argument now works for "bind" and "server" lines using
    UNIX sockets.

  - Linux capabilities: the use of namespaces on the server side used to
    require capability "cap_sys_admin" but it was neither checked nor
    reported on startup, so it would silently fail. The capability is now
    supported and is being checked for. Similarly, the need for
    capabilities for transparent proxying or QUIC are checked and reported
    on startup. Finally, file-system capabilities set on the executable are
    also supported now.

  - the set-mark/set-tos actions were extended to support an expression in
    addition to the constant, and were extended to also support the backend
    side. This can for example be used to select an outgoing link from a
    single IP address. The new backend actions are called "set-bc-mark" and
    "set-bc-tos", and by analogy new frontend actions called "set-fc-mark"
    and "set-fc-tos" were created, and the old actions are aliases of these
    last ones.

  - QUIC built with latest AWS-LC TLS library now correctly supports 0-RTT.

  - a new global setting "ssl-security-level" allows to adjust OpenSSL's
    internal security level between 0 and 5. Previously it could only be
    done in openssl.cnf.

  - the key used by consistent hash to map to a server used to always be
    the server's id (either explicit or implicit, position-based), but
    that was not always convenient when dealing with fast added/removed
    servers within a large fleet of LBs. Now the "hash-key" directive will
    also allow to use the server's address or address+port for this so
    that the same key ends up on the same server for all LBs.

  - The HTTP client now has an option to use either origin or absolute
    URIs. This should make it easier to configure it to talk to old
    servers which are not spec-compliant and do not support absolute
    URIs. The ocsp_update agent already exploits this ability via a new
    setting "ocsp-update.httpproxy".

  - it is now possible to suppress Content-Length and Transfer-Encoding
    headers from HTTP/1 requests and responses. It must never be done of
    course, but there are rare situations where users dealing with bogus
    clients or servers need to perform such cleanups. Most of the time
    when done, this will mark a connection non-reusable and it will be
    closed at the end of the transfer.

  - the proxy protocol now also parses TLV for LOCAL mode and supports
    sending them without a stream so that elements can be passed during
    the preconnect phase of a reverse-HTTP instance to a next stage that
    will no longer ignore them.

  - the new sched_setaffinity() of FreeBSD 14 and newer is now supported.

  - the new certificate selection callback for WolfSSL is now enabled
    since it's finally available in the upstream project.

Files:
Revision  Action  File
1.122     modify  pkgsrc/net/haproxy/Makefile
1.114     modify  pkgsrc/net/haproxy/distinfo
1.2       modify  pkgsrc/net/haproxy/patches/patch-include_haproxy_proxy-t.h
1.3       modify  pkgsrc/net/haproxy/patches/patch-include_haproxy_server-t.h
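The release notes above mention that "uuid(7)" gives time-based locality. The following is an added example, not part of the commit message and not HAProxy's own code: it builds UUIDv7 values with the RFC 9562 bit layout (48-bit millisecond timestamp, version nibble 7, RFC variant bits, random remainder), recovers the embedded timestamp from such an ID, and groups a set of IDs by the hour they were minted in, which is the archiving/grouping use case the notes describe. The timestamps, the zeroed random bytes and the `bucket_by_hour` helper are constructed for the example; a real generator would take the random bytes from `os.urandom`, as the default path does.

```python
import os
import time
import uuid


def uuid7(unix_ts_ms, rand=None):
    """Build a UUIDv7 (RFC 9562 layout) for a millisecond Unix timestamp.

    128-bit layout, most significant first:
      48 bits unix_ts_ms | 4 bits version (0b0111) | 12 bits rand_a |
      2 bits variant (0b10) | 62 bits rand_b
    `rand` (10 bytes) may be supplied to make the output deterministic,
    as this example does; otherwise os.urandom() is used.
    """
    if not 0 <= unix_ts_ms < (1 << 48):
        raise ValueError("timestamp does not fit in 48 bits")
    if rand is None:
        rand = os.urandom(10)
    if len(rand) != 10:
        raise ValueError("need exactly 10 random bytes")
    rand_a = int.from_bytes(rand[:2], "big") & 0x0FFF
    rand_b = int.from_bytes(rand[2:], "big") & ((1 << 62) - 1)
    value = (
        (unix_ts_ms << 80)
        | (0x7 << 76)        # version 7
        | (rand_a << 64)
        | (0b10 << 62)       # RFC 4122/9562 variant
        | rand_b
    )
    return uuid.UUID(int=value)


def uuid7_timestamp_ms(u):
    """Return the 48-bit millisecond timestamp embedded in a UUIDv7.

    Refuses other versions: the top 48 bits of a random v4 UUID would
    decode to a meaningless date, so callers must not trust them.
    """
    if u.version != 7:
        raise ValueError("not a UUIDv7 (version %r)" % (u.version,))
    return u.int >> 80


def bucket_by_hour(uuids):
    """Group UUIDv7 request IDs by the UTC hour in which they were minted.

    This is the 'grouping of events' property: the key is taken from the
    ID itself, so no separate timestamp field is needed in the log line.
    """
    buckets = {}
    for u in uuids:
        secs = uuid7_timestamp_ms(u) // 1000
        hour = time.strftime("%Y-%m-%dT%H", time.gmtime(secs))
        buckets.setdefault(hour, []).append(u)
    return buckets


def sorted_by_string_matches_time(uuids):
    """True if lexical order of the IDs equals chronological order.

    This holds for UUIDv7 because the timestamp occupies the leading hex
    digits, which is what makes time-range archiving cheap.
    """
    by_string = sorted(uuids, key=str)
    by_time = sorted(uuids, key=uuid7_timestamp_ms)
    return by_string == by_time


if __name__ == "__main__":
    # Constructed sample: three IDs a millisecond apart, one an hour later.
    base = 1716000000000
    ids = [uuid7(base + 2), uuid7(base), uuid7(base + 1), uuid7(base + 3600 * 1000)]
    for u in sorted(ids, key=str):
        print(u, uuid7_timestamp_ms(u))
    print(sorted_by_string_matches_time(ids))
    for hour, members in sorted(bucket_by_hour(ids).items()):
        print(hour, len(members))
```

Note that the timestamp is the only thing you can extract: the 74 random bits carry no meaning, and an ID arriving with a future timestamp or a non-7 version should be treated as client-supplied data, not as evidence of when a request happened.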