Commit graph

3547 commits

Author SHA1 Message Date
Willy Tarreau
caaacb4fc1 [RELEASE] Released version 3.5-dev2
Released version 3.5-dev2 with the following main changes :
    - MINOR: proxy: permit to report version info for option deprecation
    - MAJOR: proxy: remove support for "dispatch" and "transparent" proxy keywords
    - MEDIUM: cli/show-fd: no longer accept filtering for dispatch mode
    - CLEANUP: connection: remove some checks for objt_proxy(conn->target)
    - CLEANUP: backend: drop checks for OBJ_TYPE_PROXY in connect() code
    - CLEANUP: trace: remove backend retrieval attempt from conn->target
    - MAJOR: ot: remove deprecated OpenTracing support
    - BUG/MEDIUM: h3: fix trace crash on frontend response headers
    - CI: github: remove OpenTracing leftovers
    - BUG/MEDIUM: mux_quic: fix memory leak of rx app_buf on stream free
    - MINOR: ssl: export ssl_sock_init_srv()
    - MEDIUM: httpclient: initialize the httpclient with default SSL values
    - BUG/MINOR: hq-interop: fix transcoding of wrapping response buffer
    - BUG/MINOR: hq-interop: support transcoding of absolute URI
    - BUG/MINOR: h3: adjust HTTP headers traces
    - MINOR: mux_quic: add minimal traces for QUIC MUX init/release
    - MINOR: hq-interop: add request start-line traces
    - MINOR: hq-interop: trace transcoding of response status line
    - MINOR: hq-interop: trace HTX headers
    - BUG/MEDIUM: server: initialise agent.health in srv_settings_init()
    - BUG/MINOR: sample: set SMP_F_CONST on srv_name fetch
    - MINOR: server: distinguish name references with new SRV_F_NAME_REFD flag
    - MEDIUM: server: add 'set server name' CLI command for runtime server renaming
    - REGTESTS: server: add test for 'set server name' CLI command
    - DOC: server: document 'set server name' CLI command
    - BUG/MEDIUM: servers: Use a refcount for port_range and free it properly
    - MINOR: hbuf: new lightweight hbuf API
    - MINOR: init: add no listener mode
    - MINOR: trace: add definitions for haload streams
    - MINOR: hldstream: add definition of hldstream struct objects
    - MINOR: obj_type: add OBJ_TYPE_HALOAD for haload stream objects
    - MINOR: stconn: add sc_hastream() and __sc_hastream() helpers
    - MINOR: stconn: export sc_new()
    - MINOR: server: export functions used during server initialization
    - MINOR: haload: import source code and documentation
    - MINOR: log: add app_log_raw() and send_log_raw() for binary-safe logging
    - BUG/MINOR: init: fix default global settings being overwritten by -G
    - BUG/MINOR: tools: fix invalid character detection in strl2ic()
    - BUG/MAJOR: htx: Don't swap buffers for empty HTX message with an error
    - CLEANUP: applet/http-client: Don't needlessly copy HTX flags after htx_xfer()
    - BUG/MINOR: mux-quic: Fix handling EOM after in qcs_http_rcv_buf()
    - BUG/MINOR: http-htx: Don't by-pass HTX API when merging cookie values
    - BUG/MEDIUM: h3: fix parser desync on error with multiple frames
    - BUG/MINOR: mux_quic: prevent multiple STOP_SENDING emission per stream
    - BUILD: quic: workaround a gcc bug saying "maybe used uninitialized" when USE_TRACE=0
    - CLEANUP: traces: get rid of a few rare empty args in TRACE calls
    - MINOR: compiler: add a macro to ignore all arguments
    - MINOR: trace: always pretend to use args when disabled
    - BUILD: ssl: avoid a wrong null deref warning in ssl_sock_handshake
    - CLEANUP: haproxy: remove -dt parsing and help when !USE_TRACE
    - CLEANUP: mux-h2/traces: remove unused trace code when building without USE_TRACE
    - CLEANUP: debug/trace: remote "debug dev trace" when USE_TRACE is not set
    - BUG/MINOR: trace/quic_frame: use buf, not trace_buf in chunk_frm_appendf()
    - CLEANUP: trace/h3: allow to disable traces in H3
    - CLEANUP: trace/config: do not register section "traces" with USE_TRACE=0
    - CLEANUP: trace/tree-wide: drop trace decoding/definition when USE_TRACE=0
    - BUILD: makefile: only build trace.c and ssl_trace.c when USE_TRACE is set
    - BUILD: makefile: add macros enable_opts and disable_opts
    - BUILD: makefile: add an option to enable or disable HTTP/2 (USE_H2)
    - BUILD: makefile: add an option to enable or disable FCGI (USE_FCGI)
    - BUILD: makefile: add an option to enable or disable SPOE (USE_SPOE)
    - BUILD: makefile: add a new generic target "tiny"
    - BUG/MEDIUM: mux_quic: do not free QCS if STOP_SENDING to sent
    - MINOR: mux_quic: use separate error code for STOP_SENDING
    - MINOR: mux_quic: adjust shut stream callback
    - BUG/MEDIUM: mux_quic: complete stream shutdown for read channel
    - BUG/MINOR: quic: ignore STREAM after MUX closure on BE side
    - BUG/MEDIUM: fd: Fix a deadlock when closing other tgroups fds
    - MEDIUM: quic: remove deprecated keywords
    - DEV: patchbot: keep the review start in sync with the radios on reload
    - DEV: patchbot: only display the first 8 chars of the commit id
    - DEV: patchbot: pass the branch version to the generated page
    - DEV: patchbot: let the page fetch the shared review state
    - DEV: patchbot: let the page save the review edits to the server
    - DEV: patchbot: let the page edit and delete whole notes
    - DEV: patchbot: gray the save button when there is nothing to save
    - DEV: patchbot: don't pretend a save succeeded when the server ignored it
    - DEV: patchbot: tolerate polluted save responses and show server warnings
    - DEV: patchbot: repeat the syncing buttons at the bottom of the page
    - DEV: patchbot: update: add an awk backend to persist review edits
    - DEV: patchbot: update: return the stored overlay as JSON on GET
    - DEV: patchbot: update: support replacing a whole note blob (setnotes)
    - DEV: patchbot: update: report git commit failures in the save response
    - DEV: patchbot: update: report the exact git error to the user
    - DEV: patchbot: update: never write to stderr, thttpd sends it first
    - DEV: patchbot: update: name the touched commits in the storage messages
    - DEV: patchbot: document the shared review persistence
    - BUG/MINOR: haload: fix spurious task wakeup in hld_strm_task()
    - BUG/MINOR: hbuf: treat unexpected escape sequences as literals
    - BUG/MEDIUM: tcpcheck: Add proxy used for healthcheck sections in proxies list
    - BUG/MINOR: sample: Fix a possible underflow on be2hex for large chunk size
    - MINOR: chunks: Add function to get a large/regular chunk depending on a buffer
    - BUG/MEDIUM: chunk: Review chunks usage to not retrieve a large buffer by error
    - MINOR: htx: Add a field to save the headers data size
    - MEDIUM: htx: Be sure size of headers never exceed regular buffer on update
    - BUG/MINOR: stream: Fix custom timeouts initialization when setting backend
    - REGTESTS: Improve script testing the set-timeout action
    - BUG/MINOR: stream: Fix custom max-retries initialization when setting backend
    - MINOR: stream: Add be_max_retries/cur_max_retries sample fetch functions
    - BUG/MINOR: http-conv: Make url-dec failed if no space for trailing null byte
    - MAJOR: mworker: remove deprecated "master-worker" global keyword
    - DOC: haterm: add a missing 'haterm' build target on an example
    - DOC: readme: add a pointer to haterm/haload docs
    - MINOR: ocsp: Do not see ocsp loading failures as fatal anymore
    - REGTESTS: Remove unused `add_range_to_test_list` function from `scripts/run-regtests.sh`
    - REGTESTS: Remove unused `_version` function from `scripts/run-regtests.sh`
    - REGTESTS: Migrate REQUIRE_OPTION to `haproxy -cc`
    - REGTESTS: Remove support for `REQUIRE_OPTION` from scripts/run-regtests.sh
    - REGTESTS: Migrate `REQUIRE_SERVICE=prometheus-exporter` to a `feature(PROMEX)` check
    - REGTESTS: Remove support for `REQUIRE_SERVICE` from scripts/run-regtests.sh
    - CI: github: update vmactions/freebsd-vm to 14.4
    - MINOR: haload: move statistics header printing to mtask_cb
    - MINOR: haterm: add note about QUIC usage on SSL port
    - MINOR: haload: allow "0" shortcut for IPv4 bind address
2026-07-08 18:26:54 +02:00
Willy Tarreau
0ed430864e DOC: haterm: add a missing 'haterm' build target on an example
An example build command line was missing "haterm", resulting in building
haproxy instead of haterm. May be backported to 3.4 though not important.
2026-07-08 14:43:07 +02:00
Willy Tarreau
5a6ce04810 MAJOR: mworker: remove deprecated "master-worker" global keyword
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
This keyword, when alone, was already deprecated in 3.3 and marked
for removal in 3.5. Now using it results in an error message inviting
to start haproxy with -W or -Ws instead.

In addition, "master-worker exit-on-failure", which used to automatically
enable the master-worker mode, now doesn't set it and complains if used
without. -W/-Ws. A special case was made for config checks though (-c).

Also worth noting that "daemon" applies to master as well as max-reloads,
and will soon need to be adjusted.
2026-07-08 11:53:13 +02:00
Christopher Faulet
a608d2cade MINOR: stream: Add be_max_retries/cur_max_retries sample fetch functions
These new samples can be used to get, resepectively, the backend value for
the maximum connection retries and the current value applied to the stream.
They could be used to know if a "set-retries" action was performed.

A dedicated reg-test was also added.
2026-07-08 08:52:07 +02:00
Christopher Faulet
b71d27e253 BUG/MINOR: stream: Fix custom max-retries initialization when setting backend
It is possible to overwrite the configured max-retries value with the
"set-retries" action. However there is an issue with the listeners. When the
backend is set, this value is reset with the backend value. However, when
the backend is unchanged, the custom value must be preserved.

To fix the issue, when the stream is created, we set the max-retries to the
listener value. It remains 0 for pure-frontend. And the backend value is
used only if it is not the same proxy.

The documentation of set-retries action was improved.

This patch should be backported as far as 3.2.
2026-07-08 08:52:07 +02:00
Christopher Faulet
69caa53530 BUG/MINOR: stream: Fix custom timeouts initialization when setting backend
Timeouts may be overwritten via the action "set-timeout". Client timeout is
supported on frontends, connect/queue/tunnel/server timeouts are supported
on backends and tarpit timeout is supported on both.

However, there is an issue with the listener. In that case, the action is
always executed in the frontend context and the backend-side timeouts are
then reset, when the backend is selected. If it is another backend, it is
logical. But most of time, the backend is unchanged. And in that case, these
timeouts must be preserved.

Documentation of set-timeout action was improved.

This patch should be backported to all supported versions. Be carefull, all
timeouts are not supported in 3.3 and lower (3.3->3.0: server/tunnel/client
- 2.8->2.6: server/tunnel)
2026-07-08 08:52:07 +02:00
Amaury Denoyelle
3596904a8d MEDIUM: quic: remove deprecated keywords
Some checks failed
FreeBSD / clang (push) Waiting to run
Contrib / admin/halog/ (push) Has been cancelled
Contrib / dev/flags/ (push) Has been cancelled
Contrib / dev/haring/ (push) Has been cancelled
Contrib / dev/hpack/ (push) Has been cancelled
Contrib / dev/poll/ (push) Has been cancelled
VTest / Generate Build Matrix (push) Has been cancelled
Windows / Windows, gcc, all features (push) Has been cancelled
VTest / (push) Has been cancelled
Several QUIC related keywords were removed in 3.4. The legacy options
were marked as deprecated and scheduled for removal in 3.5. This patch
applies this removal for the upcoming 3.5.
2026-07-06 17:19:24 +02:00
Frederic Lecaille
3ef29b4314 MINOR: haload: import source code and documentation
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
This patch imports the implementation of haload, a lightweight,
multi-threaded traffic generator designed to benchmark HTTP infrastructures
under heavy loads. Built onto HAProxy's highly scalable
architecture, it natively supports HTTP/1, HTTP/2, and HTTP/3 (QUIC).

It uses the previously exposed initialization functions, the no-listener mode,
the lightweight hbuf API, and the specialized hldstream object types to
dynamically derive and generate its configuration in memory from basic
command-line inputs. By leveraging HAProxy's internal HTX
(Internal HTTP Native Representation) format, haload abstractly manipulates
HTTP elements independently of the wire protocol. This
abstraction allows it to generate unified requests and process responses
seamlessly across HTTP/1.1, HTTP/2, or HTTP/3 without duplicating the payload
handling logic for each version.

 - Makefile:
   Introduce the 'haload' compilation target and define HALOAD_OBJS.

 - src/haload.c, include/haproxy/haload.h:
   Add user and stream task scheduling handlers, HTX-driven traffic orchestration
   mechanisms, and terminal benchmarking statistical summary rendering.

 - src/haload_init.c:
   Implement program arguments parsing, fileless HAProxy memory configuration
   generation, and target URL allocations.

 - src/stconn.c:
   Wire up sc_attach_mux() to properly allocate the specific tasklet
   context when dealing with a haload stream.

 - doc/haload.txt:
   Add detailed documentation covering compilation, flags, and usage examples.
2026-07-01 15:22:14 +02:00
Alexander Stephan
af9bb8507d DOC: server: document 'set server name' CLI command
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Document the new 'set server <b>/<s> name <newname>' CLI command in
management.txt.

The documentation states the two preconditions that gate the operation
(server must be in maintenance, server's name must not be statically
referenced via use-server / track / ARGT_SRV), notes that the command
is not gated by a per-backend opt-in directive (parity with 'add
server' / 'del server'), and mentions the EVENT_HDL_SUB_SERVER_NAME
event published on successful rename so Lua and other event consumers
know to subscribe to it.
2026-07-01 09:32:32 +02:00
Willy Tarreau
66fe27298f MAJOR: ot: remove deprecated OpenTracing support
OpenTracing support has long been best-effort and was deprecated in 3.3
with removal planned in 3.5. Let's clean it up now.

This commit removes addons/ot, the build script, ARGC_OT, USE_OT and
OT_* variables in the Makefile, and replaces the config section with a
mention for the OpenTelemetry filter instead.

For more info, see GH issues #1640 and #2782, as well as the wiki's
"breaking changes" page.
2026-06-26 11:27:07 +02:00
Willy Tarreau
848668c7ac MEDIUM: cli/show-fd: no longer accept filtering for dispatch mode
"show fd" supports various flags, one of which is 'd' for "dispatch",
which also catches "transparent", in fact, connections whose target is
a proxy. Since these can no longer happen, let's remove that. The 'b'
and 's' flags are now aliases of each other for simplicity.
2026-06-26 10:53:51 +02:00
Willy Tarreau
be8159248f MAJOR: proxy: remove support for "dispatch" and "transparent" proxy keywords
These ones were deprecated in 3.3-dev2 with commits 5c15ba5eff ("MEDIUM:
proxy: mark the "dispatch" directive as deprecated") and e93f3ea3f8
("MEDIUM: proxy: deprecate the "transparent" and "option transparent"
directives"), and were planned for removal in 3.5. See also:

   https://github.com/orgs/haproxy/discussions/2921

as well as the wiki page about breaking changes.

They've lived their lives and always cause internal limitations
(exceptions between connecting to server or connecting to proxy), and
are even confusing to some extents (especially "transparent" which users
often get wrong).

This commit removes the ability to configure them, tests based on them
and all the doc related to them. The keywords remain detected by the
parser and indicate how to proceed instead.

It's likely that other deeper parts will be changed as well (e.g.
conn->target will no longer be of OBJ_TYPE_PROXY). This will be done
over the long term.
2026-06-26 10:51:16 +02:00
Willy Tarreau
088552ec08 [RELEASE] Released version 3.5-dev1
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Released version 3.5-dev1 with the following main changes :
    - BUG/MEDIUM: check: Skip tcpcheck post-config for external checks
    - BUG/MEDIUM: check: Ignore small-buffer option when starting an external check
    - MINOR: check: Don't dump buffers state in check traces for external checks
    - BUG/MEDIUM: server/checks: Support healtcheck keyword on default-server lines
    - BUG/MEDIUM: mux_quic: prevent risk of infinite loop on recv
    - OPTIM: mux_quic: remove QCS from recv_list on reset
    - BUG/MINOR: mux_quic: do not interrupt recv on error/incomplete data
    - BUG/MINOR: tcpcheck: Override external check if healthcheck section is set
    - REGTESTS: checks: Add script for external healthchecks
    - BUG/MEDIUM: regex: initialize the match array earlier during boot
    - BUG/MEDIUM: threads: Fiw build when using no thread
    - BUG/MEDIUM: xprt_qmux: implement ->get_ssl_sock_ctx() to get the SSL laye
    - CLEANUP: sessions: simplify the sess_priv_conns pool name
    - MINOR: pools: reject creation of pools containing invalid chars in their name
    - BUG/MINOR: acl: report "ACL" not "map" in ACL ID lookup failures
    - MINOR: memprof: make in_memprof a bitfield instead of a counter
    - MINOR: memprof: be careful to account allocations only once
    - BUG/MEDIUM: checks: Dequeue checks on purge
    - MINOR: servers: Add a back-pointer to the server in srv_per_thread
    - MEDIUM: servers: Move to a per-thread idle connection cleanup task
    - REGTESTS: Fix log matching in healthcheck-section.vtc
    - BUG/MINOR: quic: fix Initial length value in sent packets
    - BUILD: servers: Fix build with -std=gnu89
    - BUG/MEDIUM: acme: stuck ACME task when authz is already "valid"
    - MINOR: acme: introduce acme_challenge_ready() for reuse outside the CLI
    - MINOR: h3: extend trace verbosity
    - MINOR: h3: trace HTTP headers on FE side
    - MINOR: h3: trace HTTP headers on BE side
    - BUILD: h3: fix compilation with USE_TRACE=0
    - MINOR: lua: add REGISTER_HLUA_STATE_INIT() to register state init callbacks
    - MEDIUM: lua: move longjmp annotation macros to hlua.h
    - MINOR: acme/lua: implement ACME.challenge_ready() Lua function
    - BUG/MEDIUM: ktls: defer enabling TLS ULP on a socket until connected
    - MINOR: errors: add ha_diag_notice() to report diag-level notifications
    - BUG/MINOR: cpu-topo: use ha_diag_notice() to report thread creations
    - MINOR: acme: publish ACME_NEWCERT event via event_hdl
    - MINOR: acme: publish ACME_DEPLOY event via event_hdl
    - EXAMPLES: lua/acme: add a dns-01 handler for Gandi LiveDNS API
    - DOC: acme: add mentions of lua features
    - MINOR: tasks: Introduce __task_set_state_and_tid
    - MINOR: tasks: Add __task_get_new_tid_field()
    - MINOR: tasks: Introduce __task_get_current_owner
    - MINOR: tasks: Use __task_get_current_owner() in task_kill.
    - MINOR: tasks: Start using __task_set_state_and_tid()
    - MEDIUM: tasks: Remove the per-thread group wait queue
    - MINOR: tasks: Use __task_set_state_and_tid() in task_instant_wakeup()
    - MINOR: tasks: Remove wq_lock and the per-thread group wait queues
    - MEDIUM: tasks: Redispatch shared tasks when the thread is loaded
    - BUG/MEDIUM: h3: Properly handle PUSH_PROMISE on backend connections
    - BUG/MINOR: server: fix add server with consistent hash balancing
    - MINOR: lua: export hlua_pusherror() and check_args()
    - REORG: httpclient/lua: move the lua httpclient code to http_client.c
    - MEDIUM: httpclient/lua: allow multiple requests from a single core.httpclient() instance
    - MEDIUM: httpclient: set res.status to 0 upon SF_ERR_MASK
    - DOC: httpclient: document status 0 on internal error
    - DEBUG: stconn: Add a BUG_ON on shut flags when the endpoint is shut
    - BUG/MINOR: http-ana: Remove a debugging memset on redirect
    - BUG/MEDIUM: http-ana: Don't ignore L7 retry errors
    - BUG/MINOR: mux-h1: Properly resolve file path for 'h1-case-adjust-file'
    - BUG/MINOR: quic: fix rxbuf settings on backend side
    - EXAMPLES: lua/acme: fix acme-gandi-livedns.lua configuration example
    - BUG/MEDIUM: ssl: Don't free the early data buffer too early
    - BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag()
    - BUG/MEDIUM: mux_quic: fix freeze transfer after QCS rxbuf realign
    - BUG/MEDIUM: http-act: Make a copy of the sample expr in (set/add)-headers-bin
    - BUG/MEDIUM: mux-fcgi: fix uint16_t overflow in drl += drp
    - OPTIM: mux-fcgi: Reorganise fcgi_conn structure to fill some holes
    - BUG/MINOR: hq-interop: reject too big content
    - MINOR: hq_interop: do not rely on stream layer for HTX stline encoding
    - BUG/MINOR: hq-interop: prevent reset if missing content-length
    - BUG/MEDIUM: hlua: Properly report EOS when http applet exits
    - BUG/MINOR: hq-interop: support full demux buf on large response
    - BUG/MINOR: hq-interop: support response buffer wrapping
    - DOC: sched: Document the wait queue modifications
    - DOC: lua: remove incorrect init tags
    - BUG/MEDIUM: h3: increment unknown request payload length
    - REGTESTS: quic: test H3 request without content-length
    - DEBUG: cli: relax tid check in "debug dev task" for recent sched changes
    - MINOR: debug: add "print" to "debug dev sched"
    - BUG/MINOR: poller: fix wait time calculation that is always 1 extra ms
    - BUILD: quic_pacing: add missing includes for api and activity in the file
    - MINOR: task: move the profiling checks to the called functions not callers
    - MINOR: task: add a new explicitly local tasklet wakeup function
    - MINOR: task: make tasklet_wakeup() explicitly call _tasklet_wakeup_here()
    - MINOR: task: make task_instant_wakeup() explicitly call _tasklet_wakeup_here()
    - MEDIUM: task: make __tasklet_wakeup_on() only accept non-local threads
    - MEDIUM: task: add a new flag TASK_RT to permit a task to skip the priority queue
    - MINOR: debug: add "rt=1" to "debug dev task" to tune the RT flag
    - BUG/MEDIUM: mux-fcgi: Truly drain outgoing HTX data when the stream is closed
    - BUG/MEDIUM: mux-h2: Truly drain outgoing HTX data when the stream is closed
    - BUG/MEDIUM: mux-spop: Truly drain outgoing data when the stream is closed
    - BUG/MEDIUM: mux-quic: Drain the given amount of data in qcs_http_reset_buf()
    - CLEANUP: task: remove duplicated code in __tasklet_wakeup_after()
    - BUILD: task: silence a build warning with threads disabled
    - MINOR: task: do not try to redistribute the WQ when single-threaded
    - MEDIUM: task: add a new tasklet class for real-time: TL_RT
2026-06-25 16:53:19 +02:00
Willy Tarreau
e37a20d330 MEDIUM: task: add a new tasklet class for real-time: TL_RT
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
This adds new class TL_RT, which is processed before other queues for
one (and only one) tasklet featuring the TASK_RT flag. This is meant to
process real time wakeups under load with even less latency. We only
process one entry to make sure it will not be abused for unimportant
stuff, and if tune.sched.low-latency is set, we also avoid picking more
tasks from the current run queues and looping after the first call to
run_tasks_from_list().

Measurements under a load of 10k concurrent conns injection at 10 Gbps
(~58k 20kB objects/s) on 4 threads and with task profiling enabled shows
that the average wakeup latency for wakeups every 10ms dropped from 220
microseconds to 1.8 microsecond, and even ~550 nanoseconds when
tune.sched.low-latency is set, or 400 times less.

The doc was updated, including the schematics.
2026-06-25 10:54:07 +02:00
Willy Tarreau
40ad8a129c MEDIUM: task: add a new flag TASK_RT to permit a task to skip the priority queue
For some very rare tasks that need to be woken up at an exact date (right
now the only known use case is haload's periodic stats collection), it's
currently difficult to guarantee the wake up date on a heavily loaded
run queue.

This patch introduces TASK_RT for real-time tasks. Right now, all it does
is modify __task_wakeup() to immediately switch to __tasklet_wakeup_*()
and effectively bypass the priority-based run queue. Doing it here has
the benefit of making sure that it automatically applies to tasks found
in the wait queue, and that it will also work for _task_drop_running().

For now nothing uses it. The doc was updated.
2026-06-24 19:08:00 +02:00
Willy Tarreau
11f7994bcb MINOR: task: add a new explicitly local tasklet wakeup function
The current tasklet_wakeup() call relies on tasklet_wakeup_on(tl->tid),
which was already quite ambiguous till now due to the sole reliance on
tid being negative or not to decide to run locally, but it no longer
works correctly if used to wake tasks up since the new set of possible
negative values for ->tid (particularly if some code calls
__tasklet_wakeup_on() on a task as is done in task_instant_wakeup()).

The problem is that it is not possible in the current API to explicitly
say that we want a task/tasklet to run locally or remotely without having
to play games with a thread number. The chosen approach to address this
is to change tasklet_wakeup_on() to always be remote and have
tasklet_wakeup_here() which will always be local, with tasklet_wakeup()
choosing one or the other depending on the tid, for backwards compat
only.

This patch implements tasklet_wakeup_here() to __tasklet_wakeup_here()
that reimplement the part of __tasklet_wakeup_on() that used to deal
with the local thread only (negative tid). No other change was made.
For now it remains unused.

The doc was updated.
2026-06-24 19:07:49 +02:00
Thayne McCombs
29458ba7f1 DOC: lua: remove incorrect init tags
The `core.httpclient()` and `core.tcp()` functions aren't actually
available in the init context, as they require the event loop to be set
up.

As such, remove "init" form the list of contexts for those functions.

It probably makes sense to backport this to previous versions.

Fixes: #3420
Signed-off-by: Thayne McCombs <astrothayne@gmail.com>
2026-06-24 07:03:30 +02:00
Olivier Houchard
94f20d494c DOC: sched: Document the wait queue modifications
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Commit 0988b9c773 removed the global wait
queue, and introduced the concept of ownership for shared tasks, so
properly document it.
2026-06-23 17:39:55 +02:00
William Lallemand
5530f50e4b DOC: httpclient: document status 0 on internal error
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
This patch documents the behavior where the internal HTTP client sets
the response status to 0 when an error is encountered by the stream
(SF_ERR_MASK).

This allows users to distinguish between an HTTP status code returned
by a remote server and an internal error generated by HAProxy (e.g.
connection timeout, connection refused, etc.).
2026-06-14 13:19:26 +02:00
William Lallemand
0748799ad1 MEDIUM: httpclient/lua: allow multiple requests from a single core.httpclient() instance
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Refactor the Lua HTTP client to defer initialization. core.httpclient()
no longer initializes the internal HTTP client immediately. Instead,
initialization now occurs within hlua_httpclient_send() when a request
method (e.g., get, put, head) is invoked.

The HTTPClient class now serves as a factory for accessing methods, while
a new class, HTTPClientRequest, has been introduced to represent individual
requests and manage the HTTP client lifecycle.

This change allows multiple requests to be executed using a single
HTTP client instance:

  local hc = core.httpclient()
  local res1 = hc:get({url = "...", headers = ...})
  local res2 = hc:post({url = "...", headers = ...})
  local res3 = hc:put({url = "...", headers = ...})

This refactor maintains backward compatibility, as existing scripts that
instantiate a new core.httpclient() for every request will continue to
work as expected.
2026-06-14 01:49:54 +02:00
Olivier Houchard
aaee6c463c MINOR: tasks: Remove wq_lock and the per-thread group wait queues
Now that they are no longer used, remove wq_lock and the per-thread
group wait queues.
2026-06-12 11:49:09 +02:00
William Lallemand
92206fb02f DOC: acme: add mentions of lua features
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
FreeBSD / clang (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Mention ACME.challenge_ready() and event_hdl which are useful in lua to
implement dns-01.
2026-06-11 23:51:45 +02:00
William Lallemand
4bb21dae2f MINOR: acme: publish ACME_DEPLOY event via event_hdl
Add EVENT_HDL_SUB_ACME_DEPLOY to the ACME family. It is published in
the dns-01 challenge path after the TXT record information has been
prepared, carrying the certificate store name, domain, account
thumbprint, dns_record value, and optionally the provider and vars
strings.

Lua subscribers using core.event_sub() receive the event data as an
AcmeEvent object, which is the same class used for ACME_NEWCERT and
carries the fields relevant to the event type.
2026-06-11 19:14:52 +02:00
William Lallemand
81d7624e01 MINOR: acme: publish ACME_NEWCERT event via event_hdl
Add a new EVENT_HDL_SUB_ACME_NEWCERT event type in the ACME family.
It is published after a new certificate has been successfully fetched
and installed. The event carries the certificate store name, allowing
subscribers to act on newly available certificates.

Lua subscribers using core.event_sub() receive the event data as an
AcmeEvent object with a crtname field containing the certificate store
name.
2026-06-11 19:14:52 +02:00
William Lallemand
784f972a6f MINOR: acme/lua: implement ACME.challenge_ready() Lua function
Add a new ACME global Lua table with a challenge_ready(crt, dns) method
that wraps acme_challenge_ready(). It marks the ACME challenge for domain
<dns> in certificate <crt> as ready and returns the number of remaining
challenges, or 0 when all challenges are ready and validation has been
triggered. A Lua error is raised if the certificate or domain is not found.

The ACME table is registered for each lua_State via the new
REGISTER_HLUA_STATE_INIT() mechanism.
2026-06-11 15:01:38 +02:00
William Lallemand
d0fde90e16 MINOR: lua: add REGISTER_HLUA_STATE_INIT() to register state init callbacks
Add a registration mechanism so that modules outside of hlua.c can hook
into each lua_State creation. Modules call hap_register_hlua_state_init()
(or the REGISTER_HLUA_STATE_INIT() macro) with a callback of the form:

  int my_init(lua_State *L, char **errmsg);

The callback returns an ERR_* code. ERR_ALERT and ERR_WARN trigger
ha_alert()/ha_warning() respectively; any other non-zero errmsg is
emitted via ha_notice(). ERR_FATAL or ERR_ABORT cause exit(1).
Registered entries are freed in hlua_deinit().
2026-06-11 14:13:04 +02:00
Willy Tarreau
7835e1fcbe [RELEASE] Released version 3.5-dev0
Some checks failed
Contrib / admin/halog/ (push) Has been cancelled
Contrib / dev/flags/ (push) Has been cancelled
Contrib / dev/haring/ (push) Has been cancelled
Contrib / dev/hpack/ (push) Has been cancelled
Contrib / dev/poll/ (push) Has been cancelled
FreeBSD / clang (push) Has been cancelled
VTest / Generate Build Matrix (push) Has been cancelled
Windows / Windows, gcc, all features (push) Has been cancelled
VTest / (push) Has been cancelled
Released version 3.5-dev0 with the following main changes :
    - MINOR: version: mention that it's development again
2026-06-03 15:26:45 +02:00
Willy Tarreau
64a335366d [RELEASE] Released version 3.4.0
Released version 3.4.0 with the following main changes :
    - BUG/MINOR: tcpcheck: Check LDAP response to not read more data than available
    - BUG/MINOR: ssl-gencert: validate SNI characters to prevent SAN certificate injection
    - BUG/MINOR: mux-h1: H2 preface rejection doesn't update stick-table glitches
    - BUG/MEDIUM: cpu-topo: Enforce thread-hard-limit on policy
    - BUG/MEDIUM: qmux: do not crash on too large record
    - BUG/MEDIUM: qmux: do not crash on receiving an invalid first frame
    - BUG/MINOR: qmux: reject too large initial record
    - Revert "BUG/MEDIUM: dns: fix long loops in additional records parse on name failure"
    - BUG/MINOR: qpack: Fix index calculation in debug functions
    - BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert()
    - CLEANUP: qpack: fix copy-paste typo in value Huffman debug string
    - BUG/MINOR: qpack: fix sign bit mask in qpack_decode_fs_pfx()
    - CLEANUP: qpack: fix copy-paste typo in value Huffman debug string for WLN
    - BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs()
    - CLEANUP: qpack: move encoded macros to qpack-t.h to avoid duplication
    - BUG/MEDIUM: quic: handle ECONNREFUSED on RX side
    - BUG/MINOR: quic: Fix memory leak in quic_deallocate_dghdlrs()
    - BUG/MEDIUM: lua: defer Lua VM initialisation to the first Lua config keyword
    - REGTESTS: lua: fix tune.lua.openlibs in Lua reg-tests
    - BUG/MINOR: mux-h2: Count padding for connection flow control on error path
    - BUILD: addons: convert 51d addon to EXTRA_MAKE
    - BUILD: addons: convert deviceatlas addon to EXTRA_MAKE
    - BUILD: addons: convert WURFL addon to EXTRA_MAKE
    - MINOR: mux_quic/flags: add missing flags
    - BUG/MINOR: mux_quic: open an idle QCS on reset on BE side
    - BUG/MINOR: mux_quic: fix BE conn removal on app shutdown
    - BUG/MINOR: mux_quic: prevent BE reuse with an errored conn
    - BUG/MINOR: quic: fix ack range node pool_free call passing wrong pointer type
    - MEDIUM: quic: optimize HKDF operations by reusing per-thread contexts
    - BUG/MEDIUM: quic: reset cwnd in slow_start on persistent congestion (cubic)
    - BUG/MEDIUM: quic: reset consecutive_losses on exit from recovery period (cubic)
    - BUG/MINOR: quic: update drs->lost before calling on_ack_recv
    - Revert "MEDIUM: quic: optimize HKDF operations by reusing per-thread contexts"
    - BUG/MEDIUM: lua: register hlua_init() as a pre-check to fix crash without Lua config
    - REGTESTS: quic: disable quic/ocsp_auto_update for now
    - BUG/MINOR: threads: set at least grp_max when mtpg is too small
    - BUG/MEDIUM: threads: ignore max-threads-per-group when thread-groups is set
    - CLEANUP: thread: indicate when max-threads-per-group is ignored
    - MINOR: cpu-topo: notify when cpu-policy is ignored due to other settings
    - MINOR: thread: report when thread-groups or nbthread results in less threads
    - BUILD: makefile: include EXTRA_MAKE in the .build_opts construction
    - BUG/MINOR: quic: Fix another buffer overflow with sockaddr_in46
    - MINOR: quic: Copy sin6_flowinfo and sin6_scope_id too
    - BUILD: Makefile: put EXTRA_MAKE help at the right place
    - BUG/MINOR: cache: fix cache tree iteration
    - BUG/MEDIUM: resolvers: Wait a bit before calling the xprt prepare_srv
    - CLEANUP: addons/51degrees: initialize variables
    - MINOR: addons/51degrees: handle memory allocation failures
    - CLEANUP: ncbmbuf: improve handling of memory allocation errors in unit tests
    - CLEANUP: admin/halog: improve handling of memory allocation errors
    - DOC: internals: clarify ambiguous wording in core-principles
    - DOC: internals: add a threat model definition
    - DOC: add security.txt describing how to report security issues
    - DOC: security: also add a note to exclude dev/ and admin/
    - BUG/MEDIUM: qmux: Close connection on invalid frame
    - CLEANUP: fix comment typo
    - BUG/MEDIUM: h3: fix MAX_PUSH_ID handling
    - BUG/MINOR: cache: Fix copy of value when parsing maxage
    - BUG/MEDIUM: mux-h1: Dup connection/upgrade value to parse it when making headers
    - BUG/MEDIUM: htx: Fix headers rollback on partial copy in htx_xfer()
    - MINOR: deinit: release the in-memory copy of shared libs
    - MINOR: debug: add -dA to dump an archive of all dependencies
    - BUG/MEDIUM: ssl: Make sure the alpn length is small enough
    - BUG/MINOR: applet: Commit changes into input buffer after sending HTX data
    - BUG/MINOR: mux-spop: Fix possible off-by-one OOB read in spop_get_varint()
    - BUG/MEDIUM: leastconn: Unlock the write lock on allocation failure
    - BUG/MINOR: tasks: Increase the right niced_task counter
    - BUILD: makefile: search for Lua 5.5 as well
    - DEV: dev/gdb: improve ebtree pointer handling
    - DEV: dev/gdb: add simple task dump
    - DEV: dev/gdb: add simple thread dump
    - DEV: dev/gdb: add fdtab dump
    - DOC: config: add a few more explanation in http-reusee regarding sni-auto
    - REGTESTS: add basic QMux tests
    - BUG/MINOR: http-act: Properly handle final evaluation in pause action
    - BUILD: makefile/lua: use the system's default library before all other variants
    - BUG/MINOR: startup: unbreak chroot with CAP_SYS_CHROOT
    - BUG/MINOR: haterm: do not try to bind QUIC when not supported
    - BUG/MINOR: haterm: also apply the tcp-bind-opts to clear TCP "bind" lines
    - CLEANUP: haterm: do not try to bind to SSL when not built in
    - MINOR: haterm: enable ktls on the SSL bind line when supported
    - CI: github: replace cirrus by a vmactions/freebsd-vm job
    - BUILD: makefile: fix build error with GNU make 4.2.1 and /bin/dash
    - BUG/MEDIUM: channel: Fix condition to know if a channel may send
    - BUG/MEDIUM: vars: Properly eval set-var-fmt action for emtpy log-format string
    - CI: github: run illumos job weekly on Mondays at 03:00 instead of monthly
    - BUG/MEDIUM: stream: Don't use small buffer on queuing with a request data filter
    - BUG/MINOR: jwe: don't write randoms past MAX_DECRYPTED_CEK_LEN in RSA_PKCS1_PADDING
    - BUG/MEDIUM: chunk: do not rely on small trash by default for expressions
    - CLEANUP: map: always test pat->ref in sample_conv_map_key()
    - DEV: patchbot: prepare for new version 3.5-dev
    - MINOR: version: mention that it's 3.4 LTS now.
2026-06-03 15:01:51 +02:00
Willy Tarreau
7ac4bcfbd4 DOC: config: add a few more explanation in http-reusee regarding sni-auto
The default sni-auto that aims at not upsetting certain servers doing
excessive checks of SNI vs host has some drawbacks (lower reuse ratio)
that are particularly hard to diagnose, so let's explain how connections
are reused/purged when dealing with many hosts, and how to cheat as well.

Let's also mention the expression used by "sni-auto" since it was only
mentioned in the code.
2026-06-02 09:14:11 +02:00
Willy Tarreau
030a2bfeeb MINOR: debug: add -dA to dump an archive of all dependencies
This adds "-dA[file]" on the command line, which dumps an archive of all
dependencies detected at runtime into the designated file in tar format.
This is equivalent to "set-dumpable libs", but instead of keeping the libs
in memory, it dumps them into a file. This may be used after a core dump,
in order to provide all necessary libraries to developers to permit them
to exploit the core. This may not be available on all operating systems.
2026-06-01 15:01:32 +02:00
Willy Tarreau
41a20c1738 DOC: security: also add a note to exclude dev/ and admin/
These ones are not intended for production so they're out of scope.
This also fixes a paragraph formatting issue left after a fix.
2026-06-01 00:46:21 +02:00
Willy Tarreau
03b828b648 DOC: add security.txt describing how to report security issues
Move the security contact out of intro.txt into a dedicated, easily
searchable doc/security.txt that points reporters at the threat model
first, and reference it from intro.txt's contacts section and the
documentation index.
2026-05-31 22:44:15 +02:00
Willy Tarreau
8badf5d2fa DOC: internals: add a threat model definition
Add doc/internals/threat-model.txt describing what does and does not
qualify as a security vulnerability in HAProxy so that reporters and
developers have a common understanding of the threat model, and make it
clear that anything non-critical should be handled in the open and
not hidden behind embargoes.

The document lists assets to protect, what constitutes an attack, what
are the mitigations in place, and the severity ordering of various
risks. This may in the long term also help developers make better
choices of default settings and option names, and may also justify
changing default settings over time when modern operating systems
bring new possibilities.

A section also lists some invariants and defaults in an attempt to
limit the risk of reporting theoretical issues that are technically
impossible to happen in the field.

This is an initial version meant to be refined as cases arise. It
was incrementally designed and cross-checked with the help of three
independent LLMs (Qwen, Gemini and Claude) until each correctly
classified a set of sample reports against it. In the current state
they do not raise any residual ambiguities anymore.
2026-05-31 20:28:08 +02:00
Willy Tarreau
551e01e3e7 DOC: internals: clarify ambiguous wording in core-principles
After testing against a few LLMs, it appeared that several entries in
the core principles document were ambiguous or imprecise and could be
misread (size_t, pools, trash, dwcas, comparison, ncbuf). No more
complaint after this rewording so this will be sufficient for now.
2026-05-31 16:38:03 +02:00
William Lallemand
1c59c39171 BUG/MEDIUM: lua: defer Lua VM initialisation to the first Lua config keyword
HAProxy used to call hlua_init() unconditionally from step_init_1(),
before any configuration file was parsed.  As a consequence, Lua states
0 and 1 were always created with hlua_openlibs_flags set to its default
value (HLUA_OPENLIBS_ALL), regardless of any tune.lua.openlibs directive
that appeared later in the global section.  With multiple threads, states
2..N were created correctly in hlua_post_init() after the config had been
parsed, while states 0 and 1 retained the full standard-library set.
This produced the observable bug reported in GitHub issue #3396: a script
loaded with lua-load-per-thread could see require() as a function on
thread 1 but nil on thread 2 when tune.lua.openlibs was used to restrict
the available libraries.

The initialisation is now lazy.  hlua_init() is idempotent: it returns
immediately if the states already exist (hlua_states[0] != NULL).  It is
called explicitly from the three config keyword handlers that need the
Lua states to be live before they can do their work (lua-load,
lua-load-per-thread, lua-prepend-path) and from tune.lua.openlibs, after
the hlua_openlibs_flags variable has been updated, so that the states are
always created with the correct library set.

hlua_post_init() calls hlua_init() unconditionally as a safety net,
covering the case where no Lua directive appeared in the configuration at
all (no global section, or only pure-tuning directives such as timeouts
and memory limits), and ensuring correct behaviour with multiple
consecutive global sections.

As a result of this change, tune.lua.openlibs must now appear before
lua-load, lua-load-per-thread, and lua-prepend-path in the configuration;
if any of those keywords is encountered first, the Lua states will already
be initialised and tune.lua.openlibs with a non-default value will return
a parse error.

No backport needed.
2026-05-28 11:36:02 +02:00
Willy Tarreau
88da61e218 [RELEASE] Released version 3.4-dev14
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Released version 3.4-dev14 with the following main changes :
    - MINOR: config: shm-stats-file is no longer experimental
    - BUILD: proxy: unstatify the proxies_del_lock to avoid a warning without threads
    - BUG/MEDIUM: net_helper: fix a remaining possibly infinite loop in converters
    - MINOR: ssl_sock: remove unneeded check on QMux flags
    - MINOR: connection: define xprt_add_l6hs()
    - MINOR: xprt_qmux: define default value for get_alpn
    - MINOR: connection: define mask CO_FL_WAIT_XPRT_L6
    - MINOR: session: support QMux in clear on FE side
    - MINOR: backend: support QMux in clear for BE side
    - BUG/MINOR: ocsp: Manage date too far away in the future
    - MINOR: mux_quic: handle STOP_SENDING in QMux
    - MINOR: mux_quic: handle MAX_STREAMS for uni stream in QMux
    - MINOR: mux_quic: do not crash on unhandled QMux frame reception
    - BUG/MEDIUM: applet: Properly handle receives of size 0
    - BUG/MEDIUM: resolvers: Fix test on dn label size in resolv_dn_label_to_str()
    - BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate
    - BUG/MINOR: quic: fix ODCID lookup from derived value
    - BUG/MEDIUM: dict: hold lock while decrementing refcount in dict_entry_unref
    - BUG/MINOR: tcpchecks: Limit parsing of agent-check reply to the buffer
    - BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket
    - BUG/MEDIUM: cli: Fix parsing of pattern finishing a command payload
    - BUG/MEDIUM: acme: NUL terminate response buffer before PEM parsing
    - BUILD: intops: mask the fail value in array_size_or_fail()
    - BUG/MEDIUM: log-forward: make sure the month is unsigned
    - BUG/MEDIUM: regex: allocate a large enough pcre2 match for all matches
    - BUG/MEDIUM: tcpcheck/spoe: bound the SPOP error code to valid values
    - BUG/MEDIUM: cache: fix a refcount leak for missed secondary entries
    - BUG/MINOR: log: free logformat expr on compile failure in cfg_parse_log_profile
    - BUG/MINOR: resolvers: fix room for trailing zero in resolv_dn_label_to_str()
    - BUG/MINOR: resolvers: fix risk of appending garbage past the domain name
    - BUG/MINOR: mux-h2: validate HEADERS frame length before reading stream dep
    - BUG/MINOR: log: look for the end of priority before the end of the buffer
    - BUG/MINOR: dict: fix refcount race on insert collision
    - BUG/MINOR: init: use more than ha_random64() for the cluster secret
    - BUG/MINOR: sample: limit the be2hex converter's chunk size
    - CLEANUP: resolvers: use read_n32() instead of open-coded big-endian read
    - CLEANUP: resolvers: remove pool_free(NULL) in SRV additional record matching
    - CLEANUP: resolvers: fix comment typos and wrong filenames in file headers
    - BUG/MINOR: haterm: fix the random suffix multiplication
    - MINOR: haterm: enable h3 for TCP bindings
    - MINOR: haterm: do not emit a warning when not using SSL
    - BUG/MEDIUM: h1: drop headers whose names contain invalid chars
    - BUG/MEDIUM: h1: limit status codes to 3 digits by default
    - BUG/MEDIUM: cache: always verify the primary hash in get_secondary_entry()
    - BUG/MINOR: cache: also recognize directives in the form "token="
    - BUG/MINOR: resolvers: relax size checks in authority record parsing
    - BUG/MINOR: sample: request an extra output byte for the url_dec converter
    - BUG/MINOR: http-fetch: check against the whole token in get_http_auth()
    - BUG/MEDIUM: acme: protect against risk of null-deref on connection failure
    - BUG/MINOR: http-ext: always check remaining data when reading rfc7239 nodeport
    - BUG/MINOR: base64: return empty string for empty input in base64dec()
    - BUG/MINOR: payload: fix the handshake length bounds check smp_client_hello_parse()
    - BUG/MINOR: ssl-hello: make use of the null-terminated servername
    - BUG/MINOR: resolvers: switch to a better PRNG for query IDs
    - BUG/MINOR: addons/51d: NUL-terminate headers before passing them to Trie API
    - BUG/MEDIUM: tools: insert an XXH64 layer on the PRNG output
    - MINOR: tools: provide a function to generate a hashed random pair
    - MEDIUM: init: fall back to ha_random64_pair_hashed() for the cluster secret
    - MEDIUM: tools: use the hashed random pair for UUID generation
    - MEDIUM: h1: use ha_random64_pair_hashed() for the WebSocket key
    - MEDIUM: quic: use ha_random64_pair_hashed() to generate the QUIC retry tokens
    - MEDIUM: tools: switch the main PRNG to a thread-local xoshiro256**
    - BUG/MEDIUM: h3: reject client push stream
    - BUG/MINOR: h3: reject server push stream
    - BUG/MINOR: h3: reject client CANCEL_PUSH frame
    - BUG/MINOR: h3: adjust error on PUSH_PROMISE frame reception
    - BUG/MINOR: h3: reject server MAX_PUSH_ID frame
    - BUG/MEDIUM: auth: fix unconfigured password NULL deref
    - BUG/MINOR: h3: add missing break on rcv_buf()
    - BUG/MINOR: hlua: prevent Lua from passing CR/LF/NUL in HTTP headers
    - BUG/MINOR: qmux: do not crash on frame parsing issue
    - BUG/MINOR: quic: reject packet too short for HP decryption
    - BUG/MINOR: jwe: enforce GCM tag length to 128 bits
    - BUG/MEDIUM: jwe: substitute random CEK on RSA1_5 decryption failure per RFC 7516 #11.5
    - BUG/MEDIUM: mux-fcgi: reject stream ID 0 for application records
    - MINOR: http: Add function to remove all occurrences of a value in a header
    - MINOR: h1: Add  a H1M flag to specify a non-empty 'Upgrade:' header was parsed
    - BUG/MEDIUM: h1-htx: Sanitize parsing to properly handle upgrade requests
    - BUG/MINOR: mux-fcgi: Use relative offset to compute contig data in demux buf
    - BUG/MINOR: mux-spop: Use relative offset to compute contig data in demux buf
    - CLEANUP: mux-fcgi/mux-spop: Remove copy/pasted comment about slow realign
2026-05-26 21:56:40 +02:00
Willy Tarreau
8bdcc55163 BUG/MEDIUM: h1: limit status codes to 3 digits by default
By default, HTTP/1 status codes are not limited in the parser. However,
the value is stored in a 16-bit field, meaning that it may be truncated
if too large. Let's just restrict to 3-digits by default, and permit to
relax the check when accept-unsafe-violations is set, provided that the
value still fits in 16 bits.

This could be backported to latest LTS release.
2026-05-26 13:13:24 +02:00
Willy Tarreau
b9aaf3c18a BUG/MEDIUM: h1: drop headers whose names contain invalid chars
Originally with "option accept-invalid-http-request", we couldn't really
edit the request on the fly to remove offending headers. But since we
have HTX and the headers are indexed one at a time, it has become
trivial. A non-negligible number of violations are conditioned by the
now renamed "option accept-unsafe-violations-in-http-request", and a
controversial one could definitely be reporting and passing invalid
header names containing control chars or spaces. The option was placed
so as not to block requests/responses containing them, but there's no
point in passing them to the other side. Most of the time it will be
totally harmless since the other side will reject them. But in case
haproxy is placed in front of a non-compliant server, it would fail
to protect it.

This patch implements a name check for all headers when a parsing
error was detected. It's cheap enough (especially since only done
after an error), and will skip the header if its name is invalid.
This may also remove some possibilities of confusion in logs, or
when encoding headers names for example.

This should be backported at least till the latest LTS.
2026-05-26 13:13:18 +02:00
Willy Tarreau
050e06dd66 MINOR: config: shm-stats-file is no longer experimental
As confirmed by Aurlien, there isn't any point in keeping this feature
in experimental status, it's now stable.
2026-05-21 08:50:20 +02:00
Willy Tarreau
bcf768f157 [RELEASE] Released version 3.4-dev13
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Released version 3.4-dev13 with the following main changes :
    - BUG/MINOR: backend: correct parameter value validation in get_server_ph_post()
    - BUG/MINOR: config/dns: properly fail on duplicate nameserver name detection
    - BUG/MEDIUM: dns: fix long loops in additional records parse on name failure
    - BUG/MEDIUM: resolvers: fix name compression pointer validation in resolv_read_name()
    - BUG/MEDIUM: dns: fix memory leak of sockaddr in dns_session_init() error path
    - CLEANUP: proxy: fix tiny mistakes in parse error messages
    - CLEANUP: dns: fix misleading error messages in dns_stream_init()
    - BUG/MINOR: server: better handling of OOM in srv_set_fqdn()
    - BUG/MINOR: servers: use proper source of pool_conn_name in srv_settings_cpy()
    - BUG/MEDIUM: server/cli: unlock server lock on failure in cli_parse_set_server
    - BUG/MINOR: resolvers: fix dangling list pointer in resolvers_new() error paths
    - BUG/MINOR: dns: fix dangling dgram pointer on dns_dgram_init() failure path
    - BUG/MINOR: proxy: use proxy_drop() in parse_new_proxy() error path
    - CLEANUP: resolvers: properly initialize the sample in resolv_action_do_resolve()
    - BUG/MINOR: resolvers: report the expression error in the do-resolve() action parser
    - BUG/MINOR: resolvers: fix leaked dgram and dns_ring struct in parse_resolve_conf()
    - BUG/MINOR: resolvers: fix leaked fields on cfg_parse_resolvers() error paths
    - BUG/MINOR: resolvers: fix missing task_idle destruction in resolvers_destroy()
    - CLEANUP: proxy: fix duplicate declaration of cli_find_frontend in proxy.h
    - CLEANUP: address a few typos and copy-paste errors in httpclient and dns
    - DOC: internal: add a few rules about internal core principles
    - BUG/MINOR: session/trace: use distinct flags for SESS_EV_END and _ERR
    - CLEANUP: stick-table: uniformize the different action_inc_gpc*()
    - REGTESTS: do not run quic/tls13_ssl_crt-list_filters in quic openssl compat mode
    - REGTESTS: quic/issuers_chain_path: do not forget to enable QUIC compat mode
    - BUG/MINOR: sock: store the connection error status
    - BUG/MINOR: check: properly report errno in chk_report_conn_err()
    - CLEANUP: tcpcheck: mention that we're a bit far for a sync errno
    - BUG/MINOR: jwt: fix possible memory leak in convert_ecdsa_sig() error path
    - CLEANUP: jwe: fix theoretical overflow in AAD length calculation
    - DOC: config: further clarify that resolvers "default" exists
    - MINOR: proxy: remove the experimental status on dynamic backends
    - BUG/MEDIUM: limits: properly account for global.maxpipes in compute_ideal_maxconn()
    - BUG/MINOR: jws: fix OpenSSL 3.0 version check from > to >=
    - BUG/MINOR: jws: Add missing return value check (EVP_PKEY_get_bn_param)
    - BUG/MINOR: server: Properly handle init-state value during haproxy startup
    - BUG/MINOR: httpclient-cli: Destroy http-client context if failing to start it
    - BUG/MEDIUM: h1: Skip all h2c values from Upgrade headers during parsing
    - BUG/MINOR: h1: Don't mask websocket protocol if multiple protocols used
    - MINOR: haterm: Don't init haterm master pipe if not used
    - CLEANUP: haterm: Remove "(too old kernel)" from warning message during init
    - BUG/MINOR: httpclient-cli: fix uninit variable in error label
    - MINOR: mux: Rename the "token" from mux_proto_list to mux_proto
    - MEDIUM: connections: Use both mux_proto and alpn to pick a mux
    - MINOR: connection: define conn_select_mux_fe()
    - MINOR: connection: define conn_select_mux_be()
    - MINOR: connection/mux_quic: add MUX <init_xprt> field for QMux handshake
    - MINOR: proxy/server: reject TCP ALPN h3 without experimental
    - MEDIUM: ssl: allow h3/QMux negotiation without explicit proto
    - BUG/MINOR: server: accept server IDs above 2^31 and clarify error message
    - BUG/MINOR: backend: fix balance hash calculation when using hash-type none
    - MINOR: server: support hash-key id32 for a cleaner distribution
    - MINOR: backend: support hash-key guid for a stabler distribution
    - MINOR: startup: support unprivileged chroot if possible
    - MEDIUM: startup: add automatic chroot feature
    - MINOR: h2: explain committed_extra_streams dec on h2_init() error
    - OPTIM: h2: do not update committed streams if elasticity disabled
    - MINOR: mux_quic: implement basic committed_extra_streams accounting
    - MINOR: quic: use stream elasticity value for initial advertisement
    - MINOR: mux_quic: define ms_bidi_rel QCC member
    - MAJOR: mux_quic: support stream elasticity during connection lifetime
    - BUG/MEDIUM: servers: Store the connection hash with the parameter cache
    - BUG/MINOR: prevent conn leak in case of xprt_qmux init failure
    - BUILD: traces: set a few __maybe_unused on vars used only for traces
    - BUILD: traces: add USE_TRACE allowing to disable traces
    - MINOR: startup: do not execute chroot() when "/"
    - MEDIUM: startup: warn when chroot is not set for root
    - BUG/MEDIUM: servers: Don't forget to set srv_hash when needed
    - DOC: fix typo on QUIC stream.max-concurrent reference
    - BUG/MINOR: mux_quic: do not exceed stream.max-concurrent on backend side
    - BUG/MINOR: htx: Fix value of HTX_XFER_HDRS_ONLY flag
    - MEDIUM: htx: Improve htx_xfer API to not count HTX meta-data
    - BUG/MEDIUM: applet: Fix transfer of HTX data to the applet
    - BUG/MEDIUM: htx: Alloc a chunk of right size in htx_replace_blk_value()
    - MEDIUM: stick-tables: Avoid freeing elements while holding a lock
    - MINOR: intops: add a multiply overflow detection for ulong and size_t
    - CLEANUP: tree-wide: use array_size_or_fail() in array size for allocations
    - DOC: update supported gcc and openssl versions in INSTALL
2026-05-20 17:46:36 +02:00
Amaury Denoyelle
47a61eb86d BUG/MINOR: mux_quic: do not exceed stream.max-concurrent on backend side
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
Fix usage of stream.max-concurrent QUIC setting on the backend side.
Contrary to frontend connections, this limit must be enforced by QUIC
MUX directly. This is necessary as the peer may allow a larger number of
concurrent streams via its flow control.

First, QUIC TP initial max bidi streams value is now set to 0. This is
fine as only the HTTP/3 client is expected to open bidirectional
streams.

The most important changes is performed in qcm_avail_streams(). The
value first depends on the peer flow control. Now, it is further reduced
if necessary to not exceed the configured BE stream.max-concurrent.

Note that this new behavior may further increases current limitation on
QUIC BE reuse when a QCS instance is kept while its upper stream layer
is detached. In this case there is a risk that the connection is not
reinserted in the correct server pool, as an idle or avail one.

This is a breaking change as BE stream.max-concurrent keyword setting
meaning is changed in effect. However, this does not necessitate extra
warnings as the previous usage was in effect useless. Furthermore, QUIC
on the backend side is still considered as experimental.

This can be backported up to 3.3.
2026-05-20 14:42:03 +02:00
Amaury Denoyelle
b7c607e207 DOC: fix typo on QUIC stream.max-concurrent reference
Add a missing "fe" prefix for the QUIC keyword reference in
tune.streams-elasticity documentation.
2026-05-20 13:40:53 +02:00
Willy Tarreau
b9acb4415f MEDIUM: startup: warn when chroot is not set for root
We're still regularly seeing insecure configs where chroot is missing.
Now that we have "chroot auto", there's no excuse for not knowing where
to chroot, so let's detect that we're starting as root, detect that the
process is allowed to chroot (i.e. no capability issue, or some hardened
containers), and if no chroot is set, let's emit a warning explaining how
to silence it, i.e. either "chroot auto" or "chroot /".

Most likely we'll start using "chroot auto" by default in 3.5 if no
usability issue is reported.
2026-05-20 11:51:45 +02:00
Amaury Denoyelle
e139dd90e3 MAJOR: mux_quic: support stream elasticity during connection lifetime
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
qcc_release_remote_stream() is called each time a remote stream is
closed. Flow control accounting is updated and when necessary, a
MAX_STREAMS_BIDI frame is prepared to allow the peer to initiate new
streams.

This patch extends stream elasticity features with the QUIC bidirection
stream flow control mechanism. The announced value can now be possibly
reduced depending on conn_calc_max_streams().

The first step is to decrement closed streams from the global committed
extra streams total. This must be performed conn_calc_max_streams() to
ensure the calculation will be valid.

Then, there is two cases depending on conn_calc_max_streams() result. If
the value is less than the peer still remaining stream window, nothing
more is performed. If the opposite case, flow control must be increased
and a MAX_STREAMS_BIDI frame is prepared, with the value adjusted to not
exceed the stream elasticity limit. Global extra streams total is then
finally incremented.

This calcul also ensures that when all streams are closed, global extra
streams accounting operations are decremented by 1, as a connection
always has access to one stream which is excluded from the global total.

Note that if stream elasticity is not active, flow control increases
principle is unchanged and remains statically performed.

This patch is labelled as major as it complexifies bidirectional stream
flow control mechanisme. This is a sensitive operation as there is a
risk of connection freeze if flow control updates are inadvertently
skipped.
2026-05-20 09:52:50 +02:00
Amaury Denoyelle
d21ec4c707 MINOR: quic: use stream elasticity value for initial advertisement
When stream elasticity is active, the maximum number of concurrent bidi
streams advertised via transport parameters is now reduced depending on
the connection load. This is implemented via conn_calc_max_streams()
which returns the value to use.

This is not applied on listeners with enabled 0-RTT. Indeed, for such
connections, clients are expected to reuse the previously seen transport
parameters. The server on the other hand must not decrease several
values on the newly advertised params, in particular for the maximum
number of concurrent bidi streams. The simplest way to prevent 0-RTT
failure is to not mix stream elasticity with it.

Note that the 0-RTT limitation is only applied for the initial value :
during the connection lifetime, stream elasticity can still be used by
the MUX to dynamically reduce the stream window. This will be
implemented in a future patch.
2026-05-20 09:52:50 +02:00
Maxime Henrion
641fe4f119 MEDIUM: startup: add automatic chroot feature
It is now possible to use "chroot auto" in the configuration. This lets
haproxy create an anonymous (cleaned up after the process terminates)
and read-only directory for chroot. This directory is created in /tmp;
we might want to support creating it in a different directory in the
future, either by respecting $TMPDIR or by allowing an optional
directory after the "auto" keyword.
2026-05-20 08:34:24 +02:00
Willy Tarreau
7004bb3b8c MINOR: backend: support hash-key guid for a stabler distribution
Some checks are pending
Contrib / admin/halog/ (push) Waiting to run
Contrib / dev/flags/ (push) Waiting to run
Contrib / dev/haring/ (push) Waiting to run
Contrib / dev/hpack/ (push) Waiting to run
Contrib / dev/poll/ (push) Waiting to run
VTest / Generate Build Matrix (push) Waiting to run
VTest / (push) Blocked by required conditions
Windows / Windows, gcc, all features (push) Waiting to run
When server fleets are constantly updated, using a stable distribution
across a bunch of load balancers can be convenient. The addr and port
already provide a bit of this but for situations were addresses might
differ between sites or change dynamically this does not work. The guid
is perfect for this because by definition it's supposed to designate a
single server and be unique. So when two servers anywhere have the same,
the tool that provisionned them promises that they are the same server.

So here we introduce "hash-key guid" which performs a 32-bit hash on
the GUID value. When no guid is provided, a fallback is performed on
ID, as is done for other keys.
2026-05-19 19:11:25 +02:00
Willy Tarreau
a59e6e5efd MINOR: server: support hash-key id32 for a cleaner distribution
The "id" hash-key scales the ID by a factor of 16 that tries to leave
room between the nodes on the 32-bit space to permit smooth weight
variations (e.g. during slowstart). However this does not deal well
with overlaps between server IDs. For example, assigning IDs that are
only multiples of 256 million to 16 servers yields traffic only on
one since in practice they all have the same 28 lower bits.

The new "id32" hash key bridges this gap by using the full 32-bit ID
of the server as the key. On the other hand, the user must be careful
not to switch the hash function to "none" when using incremental IDs
because in this case they might be very poorly distributed. But this
can be convenient for automated provisionning systems which assign
IDs themselves, as the full 32 bits are used now.
2026-05-19 19:11:25 +02:00
Willy Tarreau
cb5d98c495 BUG/MINOR: backend: fix balance hash calculation when using hash-type none
The "hash-type xxx none" is broken for keys that are not in type string
because the sample fetch call casts them to SMP_T_BIN, that tends to
preserve the original format (integers, IP addresses etc), but the
gen_hash() function in case of BE_LB_HFCN_NONE expects to read a string
representing a number, that it parses to retrieve the value, and just
fails on many binary types. For example, the following just always
returns key 0:

    balance hash rand()
    hash type consistent none

An ugly workaround is to make sure the expression returns a string, for
example this:

    balance hash rand(),concat()
    hash type consistent none

In order to fix most cases here, we force the conversion to type string
when using BE_LB_HFCN_NONE, but a better approach would require a larger
rework and split gen_hash() or change it to accept an integer as well,
so that the caller could cast to SMP_T_INT for BE_LB_HFCN_NONE and pass
the resulting number already parsed with the least information loss. In
this case even IPv4 addresses would be preserved.

The current approach at least addresses the initially envisioned use
cases, and the limitations have been added to the doc. This can be
backported to 3.0 though it's not really important.
2026-05-19 19:11:25 +02:00
Willy Tarreau
f2bf3483ba BUG/MINOR: server: accept server IDs above 2^31 and clarify error message
Due to the check of the stored value instead of the parsed one, it was not
permitted to use server IDs above 2^31 while they are perfectly possible.
Let's refine the parsing and also update the error message to indicate the
range. The doc was also refined to reflect the relation with hash-key.

This may be backported though it wouldn't have any effect on working
configs.
2026-05-19 19:11:25 +02:00