Ubuntu
haproxy package

Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel

Git
lp:~lucaskanashiro/ubuntu/+source/haproxy
focal-mre
Merge into ubuntu/focal-devel

Proposed by Lucas Kanashiro on 2022-08-29

Status:	Superseded
Proposed branch:	~lucaskanashiro/ubuntu/+source/haproxy:focal-mre
Merge into:	ubuntu/+source/haproxy:ubuntu/focal-devel
Diff against target:	26087 lines (+9825/-2857) 237 files modified BRANCHES (+1/-1) CHANGELOG (+811/-0) CONTRIBUTING (+3/-3) INSTALL (+3/-3) MAINTAINERS (+10/-1) Makefile (+24/-8) SUBVERS (+1/-1) VERDATE (+2/-2) VERSION (+1/-1) contrib/deviceatlas/dac.c (+3/-2) contrib/halog/fgets2.c (+3/-3) contrib/halog/halog.c (+8/-8) contrib/modsecurity/README (+4/-4) contrib/prometheus-exporter/README (+35/-5) contrib/prometheus-exporter/service-prometheus.c (+50/-20) contrib/spoa_example/include/mini-clist.h (+1/-1) contrib/spoa_server/README (+2/-2) contrib/spoa_server/ps_python.c (+79/-32) contrib/systemd/haproxy.service.in (+4/-3) debian/changelog (+13/-0) debian/patches/haproxy.service-add-documentation.patch (+3/-5) debian/patches/haproxy.service-start-after-syslog.patch (+4/-6) debian/patches/series (+0/-13) dev/null (+0/-51) doc/SPOE.txt (+7/-2) doc/architecture.txt (+2/-2) doc/coding-style.txt (+2/-2) doc/configuration.txt (+306/-212) doc/internals/acl.txt (+3/-3) doc/internals/buffer-api.txt (+1/-1) doc/internals/filters.txt (+9/-9) doc/internals/hashing.txt (+2/-2) doc/internals/htx-api.txt (+498/-0) doc/lua-api/index.rst (+27/-17) doc/lua.txt (+2/-2) doc/management.txt (+39/-24) doc/peers-v2.0.txt (+7/-7) doc/proxy-protocol.txt (+16/-4) doc/regression-testing.txt (+1/-1) ebtree/eb32sctree.h (+6/-1) ebtree/eb32tree.h (+2/-1) ebtree/eb64tree.h (+32/-19) ebtree/ebimtree.h (+2/-2) ebtree/ebmbtree.h (+8/-3) ebtree/ebpttree.h (+4/-1) ebtree/ebtree.c (+19/-0) ebtree/ebtree.h (+10/-3) include/common/compat.h (+10/-0) include/common/compiler.h (+90/-0) include/common/config.h (+0/-8) include/common/h2.h (+2/-0) include/common/hathreads.h (+105/-31) include/common/hpack-tbl.h (+11/-0) include/common/http.h (+3/-0) include/common/htx.h (+27/-1) include/common/ist.h (+12/-0) include/common/memory.h (+41/-37) include/common/mini-clist.h (+1/-1) include/common/openssl-compat.h (+5/-2) include/common/standard.h (+42/-3) include/common/time.h (+2/-0) include/import/atomic-ops.h (+11/-0) include/import/plock.h (+0/-2) include/proto/action.h (+5/-0) include/proto/channel.h (+37/-33) include/proto/checks.h (+3/-1) include/proto/cli.h (+1/-0) include/proto/connection.h (+9/-2) include/proto/dns.h (+1/-1) include/proto/filters.h (+4/-6) include/proto/freq_ctr.h (+15/-11) include/proto/hlua.h (+1/-0) include/proto/http_htx.h (+2/-1) include/proto/http_rules.h (+3/-0) include/proto/lb_chash.h (+1/-1) include/proto/mworker.h (+2/-1) include/proto/obj_type.h (+1/-0) include/proto/pattern.h (+2/-2) include/proto/peers.h (+1/-1) include/proto/port_range.h (+2/-0) include/proto/protocol_buffers.h (+4/-4) include/proto/proxy.h (+2/-2) include/proto/queue.h (+2/-2) include/proto/sample.h (+5/-2) include/proto/server.h (+3/-1) include/proto/shctx.h (+9/-4) include/proto/signal.h (+5/-0) include/proto/stream.h (+2/-1) include/proto/stream_interface.h (+9/-0) include/proto/task.h (+38/-0) include/proto/tcp_rules.h (+5/-0) include/types/channel.h (+1/-1) include/types/checks.h (+6/-4) include/types/cli.h (+3/-1) include/types/connection.h (+6/-5) include/types/counters.h (+1/-1) include/types/dns.h (+8/-3) include/types/filters.h (+1/-0) include/types/global.h (+2/-0) include/types/proto_http.h (+1/-0) include/types/proxy.h (+5/-2) include/types/server.h (+4/-3) include/types/shctx.h (+4/-0) include/types/signal.h (+20/-0) include/types/spoe.h (+1/-0) include/types/stats.h (+1/-0) include/types/stick_table.h (+2/-1) include/types/stream.h (+2/-1) reg-tests/balance/balance-rr.vtc (+73/-0) reg-tests/balance/balance-uri-path-only.vtc (+97/-0) reg-tests/balance/balance-uri.vtc (+74/-0) reg-tests/checks/http-check-send.vtc (+150/-0) reg-tests/checks/ldap-check.vtc (+104/-0) reg-tests/checks/tls_health_checks.vtc (+31/-6) reg-tests/compression/lua_validation.vtc (+2/-2) reg-tests/connection/proxy_protocol_tlv_validation.vtc (+140/-0) reg-tests/converter/field.vtc (+1/-1) reg-tests/http-errorfiles/errorfiles.vtc (+51/-0) reg-tests/http-errorfiles/errors/400-1.http (+9/-0) reg-tests/http-errorfiles/errors/400-2.http (+9/-0) reg-tests/http-errorfiles/errors/400-3.http (+9/-0) reg-tests/http-errorfiles/errors/400.http (+9/-0) reg-tests/http-errorfiles/errors/403-1.http (+9/-0) reg-tests/http-errorfiles/errors/403-2.http (+9/-0) reg-tests/http-errorfiles/errors/403.http (+9/-0) reg-tests/http-errorfiles/errors/404-1.http (+9/-0) reg-tests/http-errorfiles/errors/404-2.http (+9/-0) reg-tests/http-errorfiles/errors/404-3.http (+9/-0) reg-tests/http-errorfiles/errors/404.http (+9/-0) reg-tests/http-errorfiles/errors/500-1.http (+9/-0) reg-tests/http-errorfiles/errors/500.http (+9/-0) reg-tests/http-errorfiles/http_deny_errors.vtc (+57/-0) reg-tests/http-errorfiles/http_errors.vtc (+134/-0) reg-tests/http-messaging/h2_desync_attacks.vtc (+142/-0) reg-tests/http-messaging/http_abortonclose.vtc (+115/-0) reg-tests/http-messaging/http_request_buffer.vtc (+35/-1) reg-tests/http-rules/acl_cli_spaces.vtc (+80/-0) reg-tests/http-rules/agents.acl (+1/-0) reg-tests/http-rules/h1or2_to_h1c.vtc (+2/-0) reg-tests/http-rules/map_regm_with_backref.vtc (+1/-1) reg-tests/lua/txn_get_priv.vtc (+1/-1) reg-tests/sample_fetches/so_name.vtc (+22/-0) reg-tests/seamless-reload/abns_socket.vtc (+5/-4) reg-tests/server/cli_set_fdqn.vtc (+1/-1) reg-tests/ssl/ca-auth.crt (+33/-0) reg-tests/ssl/client1.pem (+81/-0) reg-tests/ssl/client2_expired.pem (+81/-0) reg-tests/ssl/client3_revoked.pem (+81/-0) reg-tests/ssl/crl-auth.pem (+18/-0) reg-tests/ssl/ssl_client_auth.vtc (+85/-0) reg-tests/ssl/ssl_client_samples.vtc (+72/-0) reg-tests/ssl/ssl_frontend_samples.vtc (+72/-0) scripts/announce-release (+94/-40) scripts/build-ssl.sh (+17/-7) scripts/git-show-backports (+10/-4) scripts/publish-release (+3/-2) scripts/run-regtests.sh (+8/-2) src/51d.c (+1/-1) src/action.c (+29/-0) src/applet.c (+10/-0) src/arg.c (+7/-0) src/auth.c (+4/-1) src/backend.c (+42/-20) src/base64.c (+6/-3) src/buffer.c (+1/-1) src/cache.c (+36/-26) src/cfgparse-global.c (+26/-7) src/cfgparse-listen.c (+138/-23) src/cfgparse.c (+92/-104) src/channel.c (+89/-4) src/checks.c (+269/-59) src/chunk.c (+2/-2) src/cli.c (+185/-89) src/compression.c (+7/-0) src/connection.c (+54/-31) src/debug.c (+18/-12) src/dns.c (+221/-112) src/ev_poll.c (+0/-1) src/ev_select.c (+1/-5) src/fd.c (+9/-3) src/filters.c (+78/-10) src/flt_http_comp.c (+34/-12) src/flt_spoe.c (+122/-67) src/flt_trace.c (+6/-6) src/freq_ctr.c (+6/-6) src/h2.c (+8/-0) src/haproxy.c (+379/-86) src/hathreads.c (+28/-3) src/hlua.c (+218/-60) src/hlua_fcn.c (+14/-4) src/hpack-tbl.c (+2/-2) src/http.c (+36/-2) src/http_act.c (+15/-4) src/http_conv.c (+22/-11) src/http_fetch.c (+145/-72) src/http_htx.c (+102/-23) src/http_rules.c (+7/-3) src/htx.c (+106/-52) src/lb_chash.c (+8/-1) src/lb_fwlc.c (+13/-7) src/listener.c (+19/-1) src/log.c (+35/-9) src/map.c (+34/-23) src/memory.c (+75/-71) src/mux_h1.c (+160/-57) src/mux_h2.c (+243/-95) src/mux_pt.c (+29/-10) src/mworker-prog.c (+7/-0) src/mworker.c (+36/-2) src/namespace.c (+2/-1) src/pattern.c (+135/-50) src/peers.c (+229/-108) src/proto_http.c (+69/-52) src/proto_htx.c (+103/-74) src/proto_sockpair.c (+0/-4) src/proto_tcp.c (+18/-6) src/proto_uxst.c (+0/-4) src/proxy.c (+22/-5) src/queue.c (+15/-7) src/raw_sock.c (+2/-3) src/sample.c (+98/-39) src/server.c (+306/-259) src/session.c (+1/-1) src/shctx.c (+10/-11) src/signal.c (+9/-1) src/ssl_sock.c (+285/-129) src/standard.c (+168/-21) src/stats.c (+21/-15) src/stick_table.c (+21/-10) src/stream.c (+108/-51) src/stream_interface.c (+67/-12) src/task.c (+47/-11) src/tcp_rules.c (+25/-8) src/time.c (+13/-1) src/vars.c (+30/-11) src/wdt.c (+8/-10) src/xxhash.c (+14/-2)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
git-ubuntu import		2022-08-29	Pending
Review via email: mp+429078@code.launchpad.net

This proposal has been superseded by a proposal from 2022-08-29.

Unmerged commits

f25caf3... by Lucas Kanashiro on 2022-08-26: Update changelog
b3ef0b3... by Lucas Kanashiro on 2022-08-26: Remove all patches applied by upstream
708b55d... by Lucas Kanashiro on 2022-08-26: Refresh haproxy.service-*.patch
eb9b4f1... by Lucas Kanashiro on 2022-08-26: Import upstream version 2.0.29

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Lucas Kanashiro

git-ubuntu developers

Ubuntu
haproxy package

Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

 diff --git a/BRANCHES b/BRANCHES
 index 521c0ee..8655586 100644
 --- a/BRANCHES
 +++ b/BRANCHES
@@ -134,7 +134,7 @@ to make a safe guess about what to pick.
  Branches up to 1.8 are all designated as "long-term supported" ("LTS" for
  short), which means that they are maintained for several years after the
  release. These branches were emitted at a pace of one per year since 1.5 in
--2014. As of 2019, 1.5 is still supported and widely used, eventhough it very
++2014. As of 2019, 1.5 is still supported and widely used, even though it very
  rarely receives updates. After a few years these LTS branches enter a
  "critical fixes only" status, which means that they will rarely receive a fix
  but if that a critital issue affects them, a release will be made, with or
 diff --git a/CHANGELOG b/CHANGELOG
 index 3e39a96..6ae4bed 100644
 --- a/CHANGELOG
 +++ b/CHANGELOG
@@ -1,6 +1,817 @@
  ChangeLog :
  ===========
++2022/05/13 : 2.0.29
++    - BUG/MINOR: tools: fix url2sa return value with IPv4
++    - Revert "BUG/MAJOR: mux-pt: Always destroy the backend connection on detach"
++    - BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
++    - BUILD: dns: fix backport of previous dns fix
++    - CI: github actions: switch to LibreSSL-3.5.1
++    - BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
++    - BUG/MINOR: tools: url2sa reads too far when no port nor path
++    - BUG/MEDIUM: stream-int: do not rely on the connection error once established
++    - MEDIUM: mux-h2: slightly relax timeout management rules
++    - BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
++    - DOC: reflect H2 timeout changes
++    - BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
++    - BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
++    - CI: Update to actions/checkout@v3
++    - CI: Update to actions/cache@v3
++    - BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
++    - BUG/MINOR: cache: do not display expired entries in "show cache"
++    - BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
++    - BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
++    - BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
++    - BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
++    - SCRIPTS: announce-release: update the doc's URL
++    - DOC: lua: update a few doc URLs
++    - SCRIPTS: announce-release: add shortened links to pending issues
++    - BUG/MINOR: cache: Disable cache if applet creation fails
++    - DOC: remove my name from the config doc
++    - REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
++    - BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
++    - BUILD: proto_uxst: do not set unused flag
++    - BUILD: sockpair: do not set unused flag
++    - CI: github actions: update LibreSSL to 3.5.2
++    - SCRIPTS: announce-release: add URL of dev packages
++    - BUG/MINOR: mux-h2: mark the stream as open before processing it not after
++    - BUG/MEDIUM: cli: make "show cli sockets" really yield
++    - BUG/MINOR: map/cli: protect the backref list during "show map" errors
++    - BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init
++    - DOC: fix typo "ant" for "and" in INSTALL
++    - BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
++    - BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
++    - CLEANUP: mux-h1: Fix comments and error messages for global options
++    - BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
++
++2022/03/14 : 2.0.28
++    - MEDIUM: cli: yield between each pipelined command
++    - MINOR: channel: add new function co_getdelim() to support multiple delimiters
++    - BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
++    - BUG/MEDIUM: mcli: do not try to parse empty buffers
++    - BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
++    - BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
++    - BUG/MINOR: mworker: does not erase the pidfile upon reload
++    - BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
++    - BUG/MAJOR: spoe: properly detach all agents when releasing the applet
++    - MINOR: sock: move the unused socket cleaning code into its own function
++    - BUG/MEDIUM: mworker: close unused transferred FDs on load failure
++    - BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
++    - BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
++    - CI: ssl: enable parallel builds for OpenSSL on Linux
++    - CI: ssl: do not needlessly build the OpenSSL docs
++    - CI: ssl: keep the old method for ancient OpenSSL versions
++    - BUG/MINOR: mailers: negotiate SMTP, not ESMTP
++    - BUG/MINOR: tools: url2sa reads ipv4 too far
++    - BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
++    - BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
++    - BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
++    - CI: github actions: add the output of $CC -dM -E-
++    - CI: github actions: use cache for SSL libs
++    - CLEANUP: atomic: add a fetch-and-xxx variant for common operations
++    - BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
++    - BUG/MINOR: cli: shows correct mode in "show sess"
++    - BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
++    - BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
++    - BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
++    - BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
++    - DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
++    - BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
++    - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
++    - DOC: ssl: req_ssl_sni needs implicit TLS
++    - DOC: use the req.ssl_sni in examples
++    - BUG/MINOR: stream: make the call_rate only count the no-progress calls
++    - DOC: Fix usage/examples of deprecated ACLs
++
++2022/01/26 : 2.0.27
++    - CI: Expand use of GitHub Actions for CI
++    - CI: Stop hijacking the hosts file
++    - CI: Github Actions: enable prometheus exporter
++    - CI: Github Actions: remove LibreSSL-3.0.2 builds
++    - CI: Github Actions: enable BoringSSL builds
++    - CI: Github Action: run "apt-get update" before packages restore
++    - CI: Pass the github.event_name to matrix.py
++    - CI: Clean up Windows CI
++    - CI: github actions: update LibreSSL to 3.3.0
++    - CI: github actions: enable 51degrees feature
++    - CI: GitHub Actions: enable daily Coverity scan
++    - CI: github actions: build several popular "contrib" tools
++    - CI: Pin VTest to a known good commit
++    - CI: Fix DEBUG_STRICT definition for Coverity
++    - CI: Fix the coverity builds
++    - CI: github actions: switch to stable LibreSSL release
++    - Revert "CI: Pin VTest to a known good commit"
++    - CI: github actions: update LibreSSL to 3.2.5
++    - CI: Github Actions: switch to LibreSSL-3.3.3
++    - CI: Github Actions: temporarily disable BoringSSL builds
++    - BUILD: makefile: add entries to build common debugging tools
++    - BUILD: scripts/build-ssl.sh: use "uname" instead of ${TRAVIS_OS_NAME}
++    - REGTESTS: mark the abns test as broken again
++    - CLEANUP: peers: Remove unused static function `free_dcache`
++    - CLEANUP: peers: Remove unused static function `free_dcache_tx`
++    - BUILD: general: always pass unsigned chars to is* functions
++    - MINOR: cli: "show version" displays the current process version
++    - BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
++    - CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
++    - CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()
++    - MINOR: ssl: make tlskeys_list_get_next() take a list element
++    - DOC: spoe: Clarify use of the event directive in spoe-message section
++    - DOC: config: Specify %Ta is only available in HTTP mode
++    - BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
++    - BUG/MINOR: backend: do not set sni on connection reuse
++    - BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
++    - Revert "BUG/MEDIUM: resolvers: always check a valid item in query_list"
++    - BUG/MINOR: http: fix recent regression on authorization in legacy mode
++    - BUILD: cli: clear a maybe-unused  warning on some older compilers
++    - BUILD: ssl: unbreak the build with newer libressl
++    - DOC: fix misspelled keyword "resolve_retries" in resolvers
++    - BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
++    - CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
++    - BUG/MINOR: cli: fix _getsocks with musl libc
++    - BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
++    - BUG/MEDIUM: mworker: don't use _getsocks in wait mode
++    - BUILD/MINOR: fix solaris build with clang.
++    - BUG/MEDIUM: cli: Never wait for more data on client shutdown
++    - BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
++
++2021/12/03 : 2.0.26
++    - BUG/MINOR: systemd: ExecStartPre must use -Ws
++    - BUG/MINOR: compat: make sure __WORDSIZE is always defined
++    - BUG/MINOR: cli/payload: do not search for args inside payload
++    - BUG/MEDIUM: http: check for a channel pending data before waiting
++    - BUG/MINOR: stats: fix the POST requests processing in legacy mode
++    - MEDIUM: actions: Fix block ACL.
++    - BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
++    - Revert "REGTESTS: mark http_abortonclose as broken"
++    - BUG/MINOR: server: allow 'enable health' only if check configured
++    - BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
++    - BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
++    - BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
++    - BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers"
++    - DOC: peers: fix doc "enable" statement on "peers" sections
++    - BUG/MEDIUM: lua: fix wakeup condition from sleep()
++    - BUG/MAJOR: lua: use task_wakeup() to properly run a task once
++    - BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
++    - BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
++    - BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
++    - BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
++    - BUG/MINOR: filters: Set right FLT_END analyser depending on channel
++    - BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
++    - BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
++    - BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
++    - BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error
++    - CLEANUP: sample: rename sample_conv_var2smp() to *_sint
++    - CLEANUP: sample: uninline sample_conv_var2smp_str()
++    - MINOR: sample: provide a generic var-to-sample conversion function
++    - BUG/MEDIUM: sample: properly verify that variables cast to sample
++    - MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
++    - BUG/MEDIUM: resolver: make sure to always use the correct hostname length
++    - BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
++    - MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
++    - BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
++    - BUG/MEDIUM: resolvers: use correct storage for the target address
++    - MINOR: resolvers: merge address and target into a union "data"
++    - BUILD: resolvers: avoid a possible warning on null-deref
++    - BUG/MEDIUM: resolvers: always check a valid item in query_list
++    - BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame
++    - BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
++    - BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
++    - CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
++    - CLEANUP: always initialize the answer_list
++    - CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
++    - BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
++    - BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
++    - DOC: config: Fix alphabetical order of fc_* samples
++    - MINOR: stream: Improve dump of bogus streams
++    - BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
++    - MINOR: htx: Add an HTX flag to know when a message is fragmented
++    - MINOR: htx: Add a function to know if the free space wraps
++    - BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
++    - BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
++    - DOC: config: Fix typo in ssl_fc_unique_id description
++    - BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
++    - BUG/MEDIUM: conn-stream: Don't reset CS flags on close
++    - BUG/MINOR: mworker: doesn't launch the program postparser
++    - BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
++    - BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
++    - BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
++    - MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
++    - MINOR: mux-h2: perform a full cycle shutdown+drain on close
++    - CLEANUP: ssl: Release cached SSL sessions on deinit
++    - BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
++    - BUG/MEDIUM: mux-h2: always process a pending shut read
++    - BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
++    - BUG/MINOR: shctx: do not look for available blocks when the first one is enough
++    - BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
++
++2021/09/07 : 2.0.25
++    - BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
++    - REGTESTS: abortonclose: after retries, 503 is expected, not close
++    - BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
++    - MINOR: compiler: implement an ONLY_ONCE() macro
++    - BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
++    - BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
++    - BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
++    - BUG/MINOR: tools: Fix loop condition in dump_text()
++    - CLEANUP: Add missing include guard to signal.h
++    - DOC: configuration: remove wrong tcp-request examples in tcp-response
++    - BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
++    - CLEANUP: htx: remove comments about "must be < 256 MB"
++    - BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
++    - Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive"
++    - MINOR: action: Use a generic function to check validity of an action rule list
++    - REGTESTS: mark http_abortonclose as broken
++
++2021/08/17 : 2.0.24
++    - BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
++    - BUILD: add detection of missing important CFLAGS
++    - BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
++    - BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
++    - BUG/MINOR: systemd: must check the configuration using -Ws
++    - BUG/MINOR: mux-h2: Obey dontlognull option during the preface
++    - BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
++    - BUG/MINOR: connection: Add missing error labels to conn_err_code_str
++    - BUG/MINOR: server: update last_change on maint->ready transitions too
++    - MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
++    - BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
++    - BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
++    - DOC: Improve the lua documentation
++    - DOC: config: Fix 'http-response send-spoe-group' documentation
++    - MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade
++    - DOC/MINOR: fix typo in management document
++    - BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
++    - REGTESTS: add a test to prevent h2 desync attacks
++
++2021/07/16 : 2.0.23
++    - DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
++    - BUG/MINOR: tools: fix parsing "us" unit for timers
++    - DOC: clarify that compression works for HTTP/2
++    - BUG/MEDIUM: sample: Fix adjusting size in field converter
++    - BUG/MEDIUM: threads: Ignore current thread to end its harmless period
++    - BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
++    - BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
++    - BUG/MINOR: logs: Report the true number of retries if there was no connection
++    - BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
++    - BUG/MINOR: server: free srv.lb_nodes in free_server
++    - BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
++    - BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
++    - BUG/MEDIUM: config: fix cpu-map notation with both process and threads
++    - BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
++    - BUG/MINOR: mworker: don't use oldpids[] anymore for reload
++    - BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
++    - BUG/MINOR: peers: remove useless table check if initial resync is finished
++    - BUG/MEDIUM: peers: re-work connection to new process during reload.
++    - BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
++    - BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message
++    - BUG/MINOR: applet: Notify the other side if data were consumed by an applet
++    - BUG/MEDIUM: peers: initialize resync timer to get an initial full resync
++    - BUG/MEDIUM: peers: register last acked value as origin receiving a resync req
++    - BUG/MEDIUM: peers: stop considering ack messages teaching a full resync
++    - BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected
++    - BUG/MEDIUM: peers: reset commitupdate value in new conns
++    - BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly
++    - BUG/MEDIUM: peers: reset tables stage flags stages on new conns
++    - MINOR: peers: add informative flags about resync process for debugging
++    - MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode
++    - BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers
++    - BUG/MEDIUM: cli: prevent memory leak on write errors
++    - BUG/MINOR: stream: Decrement server current session counter on L7 retry
++    - BUG/MINOR: stream: properly clear the previous error mask on L7 retries
++    - BUG/MINOR: stream: Reset stream final state and si error type on L7 retry
++    - BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port
++    - MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()
++    - BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive
++    - MEDIUM: mux-h1: Don't block reads when waiting for the other side
++    - REGTESTS: Add script to test abortonclose option
++    - BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
++    - BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
++    - BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
++    - BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
++    - BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
++    - BUG/MINOR: server: Missing calloc return value check in srv_parse_source
++    - BUG/MINOR: peers: Missing calloc return value check in peers_register_table
++    - BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
++    - BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
++    - BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
++    - BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
++    - BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
++    - BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
++    - BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
++    - BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
++    - BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
++    - BUG/MINOR: http: Missing calloc return value check in make_arg_list
++    - BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
++    - BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
++    - BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
++    - BUG/MEDIUM: dns: reset file descriptor if send returns an error
++    - BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
++    - DOC: lua: Add a warning about buffers modification in HTTP
++    - BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
++    - BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
++    - BUG/MINOR: ssl: use atomic ops to update global shctx stats
++    - BUG/MINOR: mworker: fix typo in chroot error message
++    - BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
++    - MINOR: mux-h2: obey http-ignore-probes during the preface
++    - BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken
++    - BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function
++    - BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
++    - MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules
++    - DOC: config: Add missing actions in "tcp-request session" documentation
++    - BUG/MINOR: resolvers: answser item list was randomly purged or errors
++    - BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
++    - BUG/MINOR: server/cli: Fix locking in function processing "set server" command
++    - BUG/MEDIUM: sock: make sure to never miss early connection failures
++    - BUG/MINOR: cli: fix server name output in "show fd"
++    - BUG/MINOR: stick-table: fix several printf sign errors dumping tables
++    - DOC: stick-table: add missing documentation about gpt0 stored type
++    - DOC: peers: fix the protocol tag name in the doc
++    - DOC: config: use CREATE USER for mysql-check
++    - BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
++    - MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
++    - BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
++    - Revert "MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules"
++    - MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS
++    - BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
++    - MINOR: pools: do not maintain the lock during pool_flush()
++    - BUG/MEDIUM: pools: Always update free_list in pool_gc().
++    - MEDIUM: memory: make pool_gc() run under thread isolation
++    - MEDIUM: pools: use a single pool_gc() function for locked and lockless
++    - BUG/MAJOR: pools: fix possible race with free() in the lockless variant
++    - CLEANUP: pools: remove now unused seq and pool_free_list
++    - BUG/MINOR: server-state: load SRV resolution only if params match the config
++    - BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
++
++2021/04/12 : 2.0.22
++    - MINOR: time: also provide a global, monotonic global_now_ms timer
++    - BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
++    - MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
++    - MINOR: lua: Slightly improve function dumping the lua traceback
++    - BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
++    - BUG/MEDIUM: lua: Always init the lua stack before referencing the context
++    - BUG/MEDIUM: time: make sure to always initialize the global tick
++    - BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
++    - MINOR: tools: make url2ipv4 return the exact number of bytes parsed
++    - BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
++    - BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
++    - BUG/MINOR: stats: Apply proper styles in HTML status page.
++    - BUG/MINOR: tcp: fix silent-drop workaround for IPv6
++    - BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
++    - BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
++    - BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
++    - BUG/MAJOR: dns: disabled servers through SRV records never recover
++    - BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
++    - MINOR: resolvers: Use a function to remove answers attached to a resolution
++    - MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
++    - MINOR: resolvers: Add function to change the srv status based on SRV resolution
++    - MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
++    - BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
++
++2021/03/18 : 2.0.21
++    - BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
++    - BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
++    - BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
++    - BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command.
++    - BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
++    - BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
++    - BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX
++    - BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
++    - BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
++    - BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
++    - DOC: management: fix "show resolvers" alphabetical ordering
++    - BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
++    - BUG/MEDIUM: ssl: check a connection's status before computing a handshake
++    - BUG/MINOR: xxhash: make sure armv6 uses memcpy()
++    - BUILD: Makefile: move REGTESTST_TYPE default setting
++    - BUG/MEDIUM: mux-h2: handle remaining read0 cases
++    - BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
++    - BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty
++    - BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
++    - BUG/MINOR: server: re-align state file fields number
++    - BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
++    - BUG/MINOR: backend: hold correctly lock when killing idle conn
++    - BUG/MINOR: server: Fix server-state-file-name directive
++    - CLEANUP: deinit: release global and per-proxy server-state variables on deinit
++    - BUG/MEDIUM: config: don't pick unset values from last defaults section
++    - BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines
++    - BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
++    - CLEANUP: channel: fix comment in ci_putblk.
++    - BUG/MINOR: server: Remove RMAINT from admin state when loading server state
++    - BUG/MINOR: session: atomically increment the tracked sessions counter
++    - BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
++    - BUG/MINOR: sample: Always consider zero size string samples as unsafe
++    - BUG/MINOR: server: Init params before parsing a new server-state line
++    - BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
++    - BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
++    - BUG/MINOR: sample: secure convs that accept base64 string and var name as args
++    - BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
++    - BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
++    - BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
++    - BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
++    - BUG/MINOR: resolvers: new callback to properly handle SRV record errors
++    - BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
++    - BUG/MEDIUM: resolvers: Reset address for unresolved servers
++    - BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
++    - BUG/MINOR: http-ana: Only consider dst address to process originalto option
++    - BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
++    - BUG/MINOR: connection: Use the client's dst family for adressless servers
++    - BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
++    - DOC: spoe: Add a note about fragmentation support in HAProxy
++    - BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
++    - BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
++    - BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
++    - BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
++    - BUG/MEDIUM: session: NULL dereference possible when accessing the listener
++    - BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
++    - BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
++    - BUG/MINOR: session: Add some forgotten tests on session's listener
++    - CLEANUP: tcp-rules: add missing actions in the tcp-request error message
++    - BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
++    - BUG/MINOR: resolvers: Reset server address on DNS error only on status change
++    - BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
++    - MINOR: time: export the global_now variable
++    - BUG/MINOR: freq_ctr/threads: make use of the last updated global time
++
++2021/01/08 : 2.0.20
++    - BUG/MINOR: pattern: a sample marked as const could be written
++    - BUG/MINOR: lua: set buffer size during map lookups
++    - BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
++    - BUG/MINOR: peers: Missing TX cache entries reset.
++    - BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
++    - BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
++    - BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
++    - BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
++    - MINOR: spoe: Don't close connection in sync mode on processing timeout
++    - MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.
++    - BUILD: http-htx: fix build warning regarding long type in printf
++    - BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
++    - BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
++    - BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
++    - BUG/MAJOR: peers: fix partial message decoding
++    - DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
++    - MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
++    - BUG/MINOR: lua: lua-load doesn't check its parameters
++    - BUG/MINOR: lua: Post init register function are not executed beyond the first one
++    - BUG/MINOR: lua: Some lua init operation are processed unsafe
++    - MINOR: actions: Export actions lookup functions
++    - MINOR: actions: add a function returning a service pointer from its name
++    - MINOR: cli: add a function to look up a CLI service description
++    - BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
++    - DOC/MINOR: Fix formatting in Management Guide
++    - BUG/MAJOR: spoa/python: Fixing return None
++    - DOC: spoa/python: Fixing typo in IP related error messages
++    - DOC: spoa/python: Rephrasing memory related error messages
++    - DOC: spoa/python: Fixing typos in comments
++    - BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
++    - BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
++    - BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
++    - BUG/MEDIUM: spoa/python: Fixing references to None
++    - DOC: email change of the DeviceAtlas maintainer
++    - BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
++    - BUG/MINOR: tools: Reject size format not starting by a digit
++    - BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
++    - CLEANUP: lua: Remove declaration of an inexistant function
++    - CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric
++    - REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
++    - BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well
++    - BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
++    - BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
++    - CONTRIB: halog: fix build issue caused by %L printf format
++    - CONTRIB: halog: mark the has_zero* functions unused
++    - CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
++    - BUILD: plock: remove dead code that causes a warning in gcc 11
++    - BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
++    - MINOR: atomic: don't use ; to separate instruction on aarch64.
++    - BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
++    - SCRIPTS: improve announce-release to support different tag and versions
++    - SCRIPTS: make announce release support preparing announces before tag exists
++    - BUG/MINOR: srv: do not init address if backend is disabled
++    - BUILD: Makefile: exclude broken tests by default
++    - MINOR: contrib/prometheus-exporter: export build_info
++    - DOC: fix some spelling issues over multiple files
++    - SCRIPTS: announce-release: fix typo in help message
++    - DOC: Add maintainers for the Prometheus exporter
++    - BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
++
++2020/11/06 : 2.0.19
++    - DOC: ssl: crt-list negative filters are only a hint
++    - BUILD: makefile: Fix building with closefrom() support enabled
++    - BUG/MINOR: Fix several leaks of 'log_tag' in init().
++    - BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
++    - MINOR: counters: fix a typo in comment
++    - BUG/MINOR: stats: fix validity of the json schema
++    - MINOR: hlua: Display debug messages on stderr only in debug mode
++    - BUG/MINOR: peers: Inconsistency when dumping peer status codes.
++    - BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
++    - BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
++    - BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
++    - BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().
++    - BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
++    - BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
++    - MINOR: fd: report an error message when failing initial allocations
++    - BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
++    - BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
++    - BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
++    - BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
++    - BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
++    - BUG/MINOR: queue: properly report redistributed connections
++    - BUG/MEDIUM: server: support changing the slowstart value from state-file
++    - BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests
++    - BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible
++    - BUG/MINOR: extcheck: add missing checks on extchk_setenv()
++    - BUG/MINOR: log: fix memory leak on logsrv parse error
++    - BUG/MINOR: server: fix srv downtime calcul on starting
++    - BUG/MINOR: server: fix down_time report for stats
++    - BUG/MINOR: lua: initialize sample before using it
++    - BUG/MINOR: cache: Inverted variables in http_calc_maxage function
++    - BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
++    - BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup
++    - MINOR: server: Copy configuration file and line for server templates
++    - BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
++    - BUG/MINOR: filters: Skip disabled proxies during startup only
++    - BUG/MEDIUM: stick-table: limit the time spent purging old entries
++    - MINOR: http-htx: Add understandable errors for the errorfiles parsing
++    - BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
++
++2020/09/30 : 2.0.18
++    - SCRIPTS: git-show-backports: make -m most only show the left branch
++    - SCRIPTS: git-show-backports: emit the shell command to backport a commit
++    - BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
++    - BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
++    - BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
++    - BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
++    - BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
++    - BUG/MINOR: snapshots: leak of snapshots on deinit()
++    - BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
++    - BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
++    - BUG/MINOR: reload: do not fail when no socket is sent
++    - DOC: cache: Use '<name>' instead of '<id>' in error message
++    - BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
++    - BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
++    - BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
++    - BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
++    - BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
++    - BUG/MINOR: startup: haproxy -s cause 100% cpu
++    - BUG/MEDIUM: doc: Fix replace-path action description
++    - BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
++    - BUG/MINOR: threads: work around a libgcc_s issue with chrooting
++    - BUILD: thread: limit the libgcc_s workaround to glibc only
++    - MINOR: Commit .gitattributes
++    - CLEANUP: Update .gitignore
++    - BUG/MINOR: auth: report valid crypto(3) support depending on build options
++    - BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
++    - BUILD: threads: better workaround for late loading of libgcc_s
++    - BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
++    - BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
++    - BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
++    - BUG/MINOR: ssl: verifyhost is case sensitive
++    - BUG/MINOR: server: report correct error message for invalid port on "socks4"
++    - BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
++    - BUG/MEDIUM: h2: report frame bits only for handled types
++    - BUG/MINOR: Fix memory leaks cfg_parse_peers
++    - BUG/MINOR: config: Fix memory leak on config parse listen
++    - BUG/MEDIUM: listeners: do not pause foreign listeners
++    - DOC: spoa-server: fix false friends `actually`
++    - DOC: agent-check: fix typo in "fail" word expected reply
++    - REGTESTS: add a few load balancing tests
++    - REGTEST: fix host part in balance-uri-path-only.vtc
++    - REGTEST: make abns_socket.vtc require 1.8
++    - REGTEST: make map_regm_with_backref require 1.7
++
++2020/07/31 : 2.0.17
++    - BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
++    - REGEST: Add reg tests about error files
++    - BUG/MINOR: threads: Don't forget to init each thread toremove_lock.
++    - MINOR: pools: increase MAX_BASE_POOLS to 64
++    - BUILD: thread: add parenthesis around values of locking macros
++    - BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
++    - BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
++    - BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
++    - BUG/MAJOR: dns: Make the do-resolve action thread-safe
++    - BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
++    - BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
++    - BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
++    - BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
++    - MEDIUM: lua: Add support for the Lua 5.4
++    - BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
++    - BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
++    - MINOR: connection: Preinstall the mux for non-ssl connect
++    - MINOR: stream-int: Be sure to have a mux to do sends and receives
++    - SCRIPTS: announce-release: add the link to the wiki in the announce messages
++
++2020/07/17 : 2.0.16
++    - MINOR: http: Add 410 to http-request deny
++    - MINOR: http: Add 404 to http-request deny
++    - BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
++    - BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
++    - BUG/MINOR: spoe: add missing key length check before checking key names
++    - BUG/MINOR: cli: allow space escaping on the CLI
++    - BUG/MINOR: mworker/cli: fix the escaping in the master CLI
++    - BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
++    - REGTEST: http-rules: test spaces in ACLs
++    - REGTEST: http-rules: test spaces in ACLs with master CLI
++    - MEDIUM: map: make the "clear map" operation yield
++    - BUG/MINOR: systemd: Wait for network to be online
++    - REGTEST: Add a simple script to tests errorfile directives in proxy sections
++    - BUG/MINOR: spoe: correction of setting bits for analyzer
++    - BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
++    - MINOR: spoe: Don't systematically create new applets if processing rate is low
++    - REGTEST: ssl: tests the ssl_f_* sample fetches
++    - REGTEST: ssl: add some ssl_c_* sample fetches test
++    - BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
++    - MINOR: cli: make "show sess" stop at the last known session
++    - DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list
++    - BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
++    - BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
++    - BUG/MINOR: proxy: always initialize the trash in show servers state
++    - DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
++    - DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
++    - BUG/MINOR: http_act: don't check capture id in backend (2)
++    - BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
++    - BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
++    - BUG/MINOR: mux-h1: Disable splicing only if input data was processed
++    - BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
++    - BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
++    - MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
++    - BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
++    - BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
++    - MINOR: http: Add support for http 413 status
++    - BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
++    - BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
++    - DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
++    - BUG/MINOR: sample: Free str.area in smp_check_const_bool
++    - BUG/MINOR: sample: Free str.area in smp_check_const_meth
++    - CONTRIB: da: fix memory leak in dummy function da_atlas_open()
++    - BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
++    - BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
++    - BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
++
++2020/06/12 : 2.0.15
++    - BUG/MINOR: protocol_buffer: Wrong maximum shifting.
++    - BUG/MINOR: peers: Incomplete peers sections should be validated.
++    - DOC: hashing: update link to hashing functions
++    - DOC: Improve documentation on http-request set-src
++    - BUG/MINOR: ssl: default settings for ssl server options are not used
++    - BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
++    - BUG/MINOR: tools: fix the i386 version of the div64_32 function
++    - BUG/MINOR: http: make url_decode() optionally convert '+' to SP
++    - DOC: option logasap does not depend on mode
++    - BUG/MINOR: check: Update server address and port to execute an external check
++    - MINOR: checks: Add a way to send custom headers and payload during http chekcs
++    - BUG/MINOR: checks: Respect the no-check-ssl option
++    - BUG/MINOR: checks: chained expect will not properly wait for enough data
++    - BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
++    - BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
++    - BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
++    - BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam
++    - BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam
++    - BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
++    - BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
++    - MINOR: threads: export the POSIX thread ID in panic dumps
++    - BUG/MINOR: debug: properly use long long instead of long for the thread ID
++    - BUG/MEDIUM: shctx: really check the lock's value while waiting
++    - BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
++    - MINOR: stream: report the list of active filters on stream crashes
++    - REGTEST: ssl: test the client certificate authentication
++    - BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection
++    - Revert "BUG/MINOR: connection: make sure to correctly tag local PROXY connections"
++    - BUG/MEDIUM: server/checks: Init server check during config validity check
++    - BUG/MINOR: checks/server: use_ssl member must be signed
++    - BUG/MEDIUM: checks: Always initialize checks before starting them
++    - BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
++    - BUG/MINOR: checks: Remove a warning about http health checks
++    - BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
++    - BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
++    - BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure
++    - BUG/MEDIUM: connections: force connections cleanup on server changes
++    - BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
++    - CLEANUP: connections: align function declaration
++    - BUG/MINOR: sample: Set the correct type when a binary is converted to a string
++    - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
++    - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
++    - BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
++    - BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
++    - BUG/MINOR: http-ana: fix NTLM response parsing again
++    - BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
++    - BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
++    - BUG/MINOR: pools: use %u not %d to report pool stats in "show pools"
++    - BUG/MINOR: pollers: remove uneeded free in global init
++    - BUG/MINOR: soft-stop: always wake up waiting threads on stopping
++    - BUILD: select: only declare existing local labels to appease clang
++    - BUG/MINOR: cache: Don't needlessly test "cache" keyword in parse_cache_flt()
++    - BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
++    - BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
++    - BUG/MINOR: lua: Add missing string length for lua sticktable lookup
++    - BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
++    - Revert "BUG/MEDIUM: connections: force connections cleanup on server changes"
++    - SCRIPTS: publish-release: pass -n to gzip to remove timestamp
++    - BUG/MINOR: peers: fix internal/network key type mapping.
++    - BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
++    - BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
++    - BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
++    - BUG/MINOR: logs: prevent double line returns in some events.
++    - BUG/MEDIUM: logs: fix trailing zeros on log message.
++    - BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
++    - BUILD: makefile: adjust the sed expression of "make help" for solaris
++    - BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
++    - BUG/MINOR: init: -x can have a parameter starting with a dash
++    - BUG/MINOR: init: -S can have a parameter starting with a dash
++    - BUG/MEDIUM: mworker: fix the reload with an -- option
++    - BUG/MINOR: mworker: fix a memleak when execvp() failed
++    - BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
++    - BUG/MEDIUM: pattern: fix thread safety of pattern matching
++    - REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
++    - REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
++    - BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
++    - REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
++
++2020/04/02 : 2.0.14
++    - BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat
++    - BUG/MEDIUM: muxes: Use the right argument when calling the destroy method.
++    - SCRIPTS: announce-release: use mutt -H instead of -i to include the draft
++    - MINOR: http-htx: Add a function to retrieve the headers size of an HTX message
++    - MINOR: filters: Forward data only if the last filter forwards something
++    - BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them
++    - BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive
++    - BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered
++    - MINOR: ist: add an iststop() function
++    - BUG/MINOR: http: http-request replace-path duplicates the query string
++    - BUG/MEDIUM: shctx: make sure to keep all blocks aligned
++    - MINOR: compiler: move CPU capabilities definition from config.h and complete them
++    - BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support
++    - BUILD: fix recent build failure on unaligned archs
++    - CLEANUP: cfgparse: Fix type of second calloc() parameter
++    - BUG/MINOR: sample: fix the json converter's endian-sensitivity
++    - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions
++    - BUG/MINOR: connection: make sure to correctly tag local PROXY connections
++    - MINOR: compiler: add new alignment macros
++    - BUILD: ebtree: improve architecture-specific alignment
++    - BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch
++    - BUG/MINOR: dns: ignore trailing dot
++    - MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics
++    - MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric
++    - BUG/MEDIUM: random: initialize the random pool a bit better
++    - MINOR: tools: add 64-bit rotate operators
++    - BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG
++    - MINOR: backend: use a single call to ha_random32() for the random LB algo
++    - BUG/MINOR: checks/threads: use ha_random() and not rand()
++    - BUG/MAJOR: list: fix invalid element address calculation
++    - MINOR: debug: report the task handler's pointer relative to main
++    - BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump
++    - MINOR: haproxy: export main to ease access from debugger
++    - BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled
++    - DOC: fix incorrect indentation of http_auth_*
++    - OPTIM: startup: fast unique_id allocation for acl.
++    - BUG/MINOR: pattern: Do not pass len = 0 to calloc()
++    - DOC: configuration.txt: fix various typos
++    - DOC: assorted typo fixes in the documentation and Makefile
++    - BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits
++    - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths
++    - REGTEST: make the PROXY TLV validation depend on version 2.2
++    - MINOR: htx: Add a function to return a block at a specific offset
++    - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload
++    - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload
++    - BUG/MINOR: http-ana: Reset request analysers on a response side error
++    - BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not
++    - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action
++    - BUG/MINOR: http-rules: Fix a typo in the reject action function
++    - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action
++    - BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop
++    - DOC: fix typo about no-tls-tickets
++    - DOC: improve description of no-tls-tickets
++    - DOC: ssl: clarify security implications of TLS tickets
++    - BUILD: wdt: only test for SI_TKILL when compiled with thread support
++    - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64
++    - BUG/MINOR: haproxy: always initialize sleeping_thread_mask
++    - BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping
++    - BUG/MINOR: haproxy/threads: try to make all threads leave together
++    - DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID
++    - BUILD: on ARM, must be linked to libatomic.
++    - BUILD: makefile: fix regex syntax in ARM platform detection
++    - BUILD: makefile: fix expression again to detect ARM platform
++    - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases.
++    - DOC: assorted typo fixes in the documentation
++    - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h.
++    - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue().
++    - MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc.
++    - BUG/MINOR: connections: Make sure we free the connection on failure.
++    - REGTESTS: use "command -v" instead of "which"
++    - REGTEST: increase timeouts on the seamless-reload test
++    - BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection
++    - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
++    - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
++    - BUG/MINOR: peers: Use after free of "peers" section.
++    - MINOR: listener: add so_name sample fetch
++    - BUILD: ssl: only pass unsigned chars to isspace()
++    - BUG/MINOR: stats: Fix color of draining servers on stats page
++    - DOC: internals: Fix spelling errors in filters.txt
++    - MINOR: http-rules: Add a flag on redirect rules to know the rule direction
++    - BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits
++    - MINOR: http-rules: Handle the rule direction when a redirect is evaluated
++    - BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data
++    - BUG/MINOR: filters: Forward everything if no data filters are called
++    - BUG/MINOR: http-ana: Reset request analysers on error when waiting for response
++    - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
++
 /02/13 : 2.0.13
      - BUG/MINOR: checks: refine which errno values are really errors.
      - BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready.
 diff --git a/CONTRIBUTING b/CONTRIBUTING
 index 201e122..c222458 100644
 --- a/CONTRIBUTING
 +++ b/CONTRIBUTING
@@ -154,7 +154,7 @@ features are disabled. Similarly, when modifying the SSL stack, please always
  ensure that supported OpenSSL versions continue to build and to work, especially
  if you modify support for alternate libraries. Clean support for the legacy
  OpenSSL libraries is mandatory, support for its derivatives is a bonus and may
--occasionally break eventhough a great care is taken. In other words, if you
++occasionally break even though a great care is taken. In other words, if you
  provide a patch for OpenSSL you don't need to test its derivatives, but if you
  provide a patch for a derivative you also need to test with OpenSSL.
@@ -234,7 +234,7 @@ do not think about them anymore after a few patches.
     indented code, which only proves that the person has no consideration for
     quality and/or has done it in a hurry (probably worse). Please note that most
     bugs were found in low-quality code. Reviewers know this and tend to be much
--   more reluctant to accept poorly formated code because by experience they
++   more reluctant to accept poorly formatted code because by experience they
     won't trust their author's ability to write correct code. It is also worth
     noting that poor quality code is painful to read and may result in nobody
     willing to waste their time even reviewing your work.
@@ -990,7 +990,7 @@ How to be sure to irritate everyone
  Among the best ways to quickly lose everyone's respect, there is this small
  selection, which should help you improve the way you work with others, if
  you notice you're already practising some of them:
--  - repeatedly send improperly formated commit messages, with no type or
++  - repeatedly send improperly formatted commit messages, with no type or
      severity, or with no commit message body. These ones require manual
      edition, maintainers will quickly learn to recognize your name.
 diff --git a/INSTALL b/INSTALL
 index 84548df..313173d 100644
 --- a/INSTALL
 +++ b/INSTALL
@@ -130,7 +130,7 @@ options involved.
  HAProxy in its basic form does not depend on anything beyond a working libc.
  However a number of options are enabled by default, or are highly recommended,
  and these options will typically involve some external components or libraries,
--depending on the targetted platform.
++depending on the targeted platform.
  Optional dependencies may be split into several categories :
@@ -210,7 +210,7 @@ to forcefully enable it using "USE_LIBCRYPT=1".
 .5) Cryptography
  -----------------
  For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
--supports the OpenSSL library, and is known to build ant work with branches
++supports the OpenSSL library, and is known to build and work with branches
 .9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 and 1.1.1. OpenSSL follows a long-term
  support cycle similar to HAProxy's, and each of the branches above receives its
  own fixes, without forcing you to upgrade to another branch. There is no excuse
@@ -288,7 +288,7 @@ can be downloaded http://libslz.org/ and is even easier to build.
 .7) Lua
  --------
--Lua is an embedded programming langage supported by HAProxy to provide more
++Lua is an embedded programming language supported by HAProxy to provide more
  advanced scripting capabilities. Only versions 5.3 and above are supported.
  In order to enable Lua support, please specify "USE_LUA=1" on the command line.
  Some systems provide this library under various names to avoid conflicts with
 diff --git a/MAINTAINERS b/MAINTAINERS
 index 9a46d74..3a36525 100644
 --- a/MAINTAINERS
 +++ b/MAINTAINERS
@@ -55,7 +55,7 @@ Maintainer: Simon Horman <horms@verge.net.au>
  Files: src/mailers.c, include/*/mailers.h
  DeviceAtlas device identification
--Maintainer: David Carlier <dcarlier@afilias.info>
++Maintainer: David Carlier <dcarlier@deviceatlas.com>
  Files: src/da.c, include/*/da.h
 Degrees device identification
@@ -86,3 +86,12 @@ Note: every change around the locking or synchronization point will require
  ScientiaMobile WURFL Device Detection
  Maintainer: Paul Borile, Massimiliano Bellomi <wurfl-haproxy-support@scientiamobile.com>
  Files: src/wurfl.c
++
++Prometheus Exporter
++Maintainer: Christopher Faulet <cfaulet@haproxy.com>
++Maintainer: William Dauchy <wdauchy@gmail.com>
++Files: contrib/prometheus-exporter
++Note: William is the referent regarding Prometheus. He should be consulted for
++      all additions and modifications of features. Christopher is the referent
++      for the code itself. He should be consulted for questions regarding the
++      exporter integration into HAProxy, as well as for the bugs.
 diff --git a/Makefile b/Makefile
 index 53d7d4d..7eddac0 100644
 --- a/Makefile
 +++ b/Makefile
@@ -41,7 +41,8 @@
  #   USE_LUA              : enable Lua support.
  #   USE_FUTEX            : enable use of futex on kernel 2.6. Automatic.
  #   USE_ACCEPT4          : enable use of accept4() on linux. Automatic.
--#   USE_MY_ACCEPT4       : use own implemention of accept4() if glibc < 2.10.
++#   USE_MY_ACCEPT4       : use own implementation of accept4() if glibc < 2.10.
++#   USE_CLOSEFROM        : enable use of closefrom() on *bsd, solaris. Automatic.
  #   USE_PRCTL            : enable use of prctl(). Automatic.
  #   USE_ZLIB             : enable zlib library support.
  #   USE_SLZ              : enable slz library instead of zlib (pick at most one).
@@ -139,7 +140,7 @@ MANDIR = $(PREFIX)/share/man
  DOCDIR = $(PREFIX)/doc/haproxy
  #### TARGET system
--# Use TARGET=<target_name> to optimize for a specifc target OS among the
++# Use TARGET=<target_name> to optimize for a specific target OS among the
  # following list (use the default "generic" if uncertain) :
  #    linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd,
  #    cygwin, haiku, aix51, aix52, osx, generic, custom
@@ -193,6 +194,7 @@ SPEC_CFLAGS += $(call cc-nowarn,missing-field-initializers)
  SPEC_CFLAGS += $(call cc-nowarn,implicit-fallthrough)
  SPEC_CFLAGS += $(call cc-nowarn,stringop-overflow)
  SPEC_CFLAGS += $(call cc-nowarn,cast-function-type)
++SPEC_CFLAGS += $(call cc-nowarn,atomic-alignment)
  SPEC_CFLAGS += $(call cc-opt,-Wtype-limits)
  SPEC_CFLAGS += $(call cc-opt,-Wshift-negative-value)
  SPEC_CFLAGS += $(call cc-opt,-Wshift-overflow=2)
@@ -244,7 +246,7 @@ SILENT_DEFINE =
  # It's automatically appended depending on the targets.
  EXTRA =
--#### CPU dependant optimizations
++#### CPU dependent optimizations
  # Some CFLAGS are set by default depending on the target CPU. Those flags only
  # feed CPU_CFLAGS, which in turn feed CFLAGS, so it is not mandatory to use
  # them. You should not have to change these options. Better use CPU_CFLAGS or
@@ -256,7 +258,7 @@ CPU_CFLAGS.i686       = -O2 -march=i686
  CPU_CFLAGS.ultrasparc = -O6 -mcpu=v9 -mtune=ultrasparc
  CPU_CFLAGS            = $(CPU_CFLAGS.$(CPU))
--#### ARCH dependant flags, may be overridden by CPU flags
++#### ARCH dependent flags, may be overridden by CPU flags
  ARCH_FLAGS.32     = -m32
  ARCH_FLAGS.64     = -m64
  ARCH_FLAGS.i386   = -m32 -march=i386
@@ -287,7 +289,7 @@ use_opts = USE_EPOLL USE_KQUEUE USE_MY_EPOLL USE_MY_SPLICE USE_NETFILTER      \
             USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY       \
             USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_VSYSCALL             \
             USE_GETADDRINFO USE_OPENSSL USE_LUA USE_FUTEX USE_ACCEPT4          \
--           USE_MY_ACCEPT4 USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS    \
++           USE_CLOSEFROM USE_MY_ACCEPT4 USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
             USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD  \
             USE_OBSOLETE_LINKER USE_PRCTL USE_THREAD_DUMP USE_EVPORTS
@@ -324,6 +326,9 @@ ifeq ($(TARGET),linux-glibc)
      USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY          \
      USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO     \
      USE_GETADDRINFO)
++ifneq ($(shell echo __arm__/__aarch64__ | $(CC) -E -xc - | grep '^[^\#]'),__arm__/__aarch64__)
++  TARGET_LDFLAGS=-latomic
++endif
  endif
  # For linux >= 2.6.28, glibc without new features
@@ -340,7 +345,7 @@ ifeq ($(TARGET),solaris)
    set_target_defaults = $(call default_opts, \
      USE_POLL USE_TPROXY USE_LIBCRYPT USE_CRYPT_H USE_GETADDRINFO USE_THREAD \
      USE_RT USE_OBSOLETE_LINKER USE_EVPORTS)
--  TARGET_CFLAGS  = -DFD_SETSIZE=65536 -D_REENTRANT -D_XOPEN_SOURCE=500 -D__EXTENSIONS__
++  TARGET_CFLAGS  = -DFD_SETSIZE=65536 -D_REENTRANT -D_XOPEN_SOURCE=600 -D__EXTENSIONS__
    TARGET_LDFLAGS = -lnsl -lsocket
  endif
@@ -807,7 +812,7 @@ INCLUDES = $(wildcard include/*/*.h ebtree/*.h)
  DEP = $(INCLUDES) .build_opts
  help:
--	$(Q)sed -ne "/^[^#]*$$/q;s/^# \?\(.*\)/\1/p" Makefile
++	$(Q)sed -ne "/^[^#]*$$/q;s/^# \{0,1\}\(.*\)/\1/;p" Makefile
  	$(Q)echo; \
  	   if [ -n "$(TARGET)" ]; then \
  	     if [ -n "$(set_target_defaults)" ]; then \
@@ -841,6 +846,15 @@ objsize: haproxy
  %.o:	%.c $(DEP)
  	$(cmd_CC) $(COPTS) -c -o $@ $<
++contrib/halog/halog:
++	$(Q)$(MAKE) -C contrib/halog halog CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
++
++contrib/debug/flags:
++	$(Q)$(MAKE) -C contrib/debug flags CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
++
++contrib/tcploop/tcploop:
++	$(Q)$(MAKE) -C contrib/tcploop tcploop CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
++
  # rebuild it every time
  .PHONY: src/version.c
@@ -896,6 +910,8 @@ clean:
  	$(Q)for dir in . src include/* doc ebtree; do rm -f $$dir/*~ $$dir/*.rej $$dir/core; done
  	$(Q)rm -f haproxy-$(VERSION).tar.gz haproxy-$(VERSION)$(SUBVERS).tar.gz
  	$(Q)rm -f haproxy-$(VERSION) haproxy-$(VERSION)$(SUBVERS) nohup.out gmon.out
++	$(Q)rm -f contrib/*/*.[oas] contrib/*/*/*.[oas] contrib/*/*/*/*.[oas]
++	$(Q)rm -f contrib/halog/halog contrib/debug/flags contrib/debug/poll contrib/tcploop/tcploop
  tags:
  	$(Q)find src include \( -name '*.c' -o -name '*.h' \) -print0 | \
@@ -980,7 +996,7 @@ reg-tests-help:
  	@echo "To run tests with specific types:"
  	@echo "    $$ REGTESTS_TYPES=slow,default make reg-tests"
  	@echo
--	@echo "with 'any' as default value for REGTESTS_TYPES variable."
++	@echo "with 'default,bug,devel,slow' as default value for REGTESTS_TYPES variable."
  	@echo
  	@echo "About the reg test types:"
  	@echo "    any         : all the tests without distinction (this is the default"
 diff --git a/SUBVERS b/SUBVERS
 index 26d9d35..50af805 100644
 --- a/SUBVERS
 +++ b/SUBVERS
@@ -1,2 +1,2 @@
---$Format:%h$
++-5e15b0f
 diff --git a/VERDATE b/VERDATE
 index 59c3bdf..cba5e36 100644
 --- a/VERDATE
 +++ b/VERDATE
@@ -1,2 +1,2 @@
--$Format:%ci$
--2020/02/13
++2022-05-13 17:43:21 +0200
++2022/05/13
 diff --git a/VERSION b/VERSION
 index 82bd22f..3df5a46 100644
 --- a/VERSION
 +++ b/VERSION
@@ -1 +1 @@
--2.0.13
++2.0.29
 diff --git a/contrib/deviceatlas/dac.c b/contrib/deviceatlas/dac.c
 index f94fe8d..720dc6a 100644
 --- a/contrib/deviceatlas/dac.c
 +++ b/contrib/deviceatlas/dac.c
@@ -63,8 +63,9 @@ da_atlas_compile(void *ctx, da_read_fn readfn, da_setpos_fn rewind, void **ptr,
  da_status_t
  da_atlas_open(da_atlas_t *atlas, da_property_decl_t *extraprops, const void *ptr, size_t len)
+ {
--    ptr = malloc(len);
--    return ptr ? DA_OK : DA_NOMEM;
++    void *ptr2 = malloc(len);
++    free(ptr2);
++    return ptr2 ? DA_OK : DA_NOMEM;
+ }
  void
 diff --git a/contrib/halog/fgets2.c b/contrib/halog/fgets2.c
 index 3db762c..776a915 100644
 --- a/contrib/halog/fgets2.c
 +++ b/contrib/halog/fgets2.c
@@ -35,7 +35,7 @@
  #endif
  /* return non-zero if the integer contains at least one zero byte */
--static inline unsigned int has_zero32(unsigned int x)
++static inline __attribute__((unused)) unsigned int has_zero32(unsigned int x)
+ {
  	unsigned int y;
@@ -72,7 +72,7 @@ static inline unsigned int has_zero32(unsigned int x)
+ }
  /* return non-zero if the argument contains at least one zero byte. See principle above. */
--static inline unsigned long long has_zero64(unsigned long long x)
++static inline __attribute__((unused)) unsigned long long has_zero64(unsigned long long x)
+ {
  	unsigned long long y;
@@ -81,7 +81,7 @@ static inline unsigned long long has_zero64(unsigned long long x)
  	return y & 0x8080808080808080ULL;
+ }
--static inline unsigned long has_zero(unsigned long x)
++static inline __attribute__((unused)) unsigned long has_zero(unsigned long x)
+ {
  	return (sizeof(x) == 8) ? has_zero64(x) : has_zero32(x);
+ }
 diff --git a/contrib/halog/halog.c b/contrib/halog/halog.c
 index 91e2af3..28afb0c 100644
 --- a/contrib/halog/halog.c
 +++ b/contrib/halog/halog.c
@@ -650,11 +650,11 @@ int convert_date_to_timestamp(const char *field)
+ 	}
  	if (likely(timeinfo)) {
--		if (timeinfo->tm_min == m &&
--		    timeinfo->tm_hour == h &&
--		    timeinfo->tm_mday == d &&
--		    timeinfo->tm_mon == mo - 1 &&
--		    timeinfo->tm_year == y - 1900)
++		if ((unsigned)timeinfo->tm_min == m &&
++		    (unsigned)timeinfo->tm_hour == h &&
++		    (unsigned)timeinfo->tm_mday == d &&
++		    (unsigned)timeinfo->tm_mon == mo - 1 &&
++		    (unsigned)timeinfo->tm_year == y - 1900)
  			return last_res + s;
+ 	}
  	else {
@@ -692,10 +692,10 @@ int main(int argc, char **argv)
  	struct url_stat *ustat = NULL;
  	int val, test;
  	unsigned int uval;
--	int filter_acc_delay = 0, filter_acc_count = 0;
++	unsigned int filter_acc_delay = 0, filter_acc_count = 0;
  	int filter_time_resp = 0;
  	int filt_http_status_low = 0, filt_http_status_high = 0;
--	int filt2_timestamp_low = 0, filt2_timestamp_high = 0;
++	unsigned int filt2_timestamp_low = 0, filt2_timestamp_high = 0;
  	int skip_fields = 1;
  	void (*line_filter)(const char *accept_field, const char *time_field, struct timer **tptr) = NULL;
@@ -1287,7 +1287,7 @@ int main(int argc, char **argv)
  		node = eb_last(&timers[0]);
  		while (node) {
  			ustat = container_of(node, struct url_stat, node.url.node);
--			printf("%d %d %Ld %Ld %Ld %Ld %Ld %Ld %s\n",
++			printf("%d %d %llu %llu %llu %llu %llu %llu %s\n",
  			       ustat->nb_req,
  			       ustat->nb_err,
  			       ustat->total_time,
 diff --git a/contrib/modsecurity/README b/contrib/modsecurity/README
 index 8031389..8e74016 100644
 --- a/contrib/modsecurity/README
 +++ b/contrib/modsecurity/README
@@ -1,7 +1,7 @@
  ModSecurity for HAProxy
  -----------------------
--This is a third party deamon which speaks SPOE. It gives requests send by HAProxy
++This is a third party daemon which speaks SPOE. It gives requests send by HAProxy
  to ModSecurity and returns the verdict.
    Compilation
@@ -24,8 +24,8 @@ the Apache dependencies are installed on the system.
  	cp standalone/*.h $PWD/INSTALL/include
  	cp apache2/*.h $PWD/INSTALL/include
--Note that this compilation method works, but is a litle bit rustic. I can't
--deal with Lua, I supposed that is a dependecies problem on my computer.
++Note that this compilation method works, but is a little bit rustic. I can't
++deal with Lua, I supposed that is a dependencies problem on my computer.
    Start the service
  ---------------------
@@ -113,7 +113,7 @@ Modsecurity bugs:
     -    rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
     +    rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);
--* Configuration file loaded with wilcard (eg. Include rules/*.conf), are loaded
++* Configuration file loaded with wildcard (eg. Include rules/*.conf), are loaded
    in reverse alphabetical order. You can found a patch below. The ModSecurity
    team ignored this patch.
 diff --git a/contrib/prometheus-exporter/README b/contrib/prometheus-exporter/README
 index b19acc1..a688f10 100644
 --- a/contrib/prometheus-exporter/README
 +++ b/contrib/prometheus-exporter/README
@@ -4,14 +4,14 @@ PROMEX: A Prometheus exporter for HAProxy
  Prometheus is a monitoring and alerting system. More and more people use it to
  monitor their environment (this is written February 2019). It collects metrics
  from monitored targets by scraping metrics HTTP endpoints on these targets. For
--HAProxy, The Prometheus team offically supports an exporter written in Go
++HAProxy, The Prometheus team officially supports an exporter written in Go
  (https://github.com/prometheus/haproxy_exporter). But it requires an extra
  software to deploy and monitor. PROMEX, on its side, is a built-in Prometheus
  exporter for HAProxy. It was developed as a service and is directly available in
  HAProxy, like the stats applet.
  However, PROMEX is not built by default with HAProxy. It is provided as an extra
--component for everyone want to use it. So you need to explicity build HAProxy
++component for everyone want to use it. So you need to explicitly build HAProxy
  with the PROMEX service, using the Makefile variable "EXTRA_OBJS". For instance:
      > make TARGET=linux-glibc EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"
@@ -46,7 +46,7 @@ applet, all metrics are not grouped by service (proxy, listener or server). With
  PROMEX, all lines for a given metric are provided as one single group. So
  instead of collecting all metrics for a proxy before moving to the next one, we
  must loop on all proxies for each metric. Same for the servers. Thus, it will
--spend much more ressources to produce the Prometheus metrics than the CSV export
++spend much more resources to produce the Prometheus metrics than the CSV export
  through the stats page. To give a comparison order, quick benchmarks shown that
  a PROMEX dump is 5x slower and 20x more verbose than a CSV export.
@@ -99,7 +99,7 @@ Exported metrics
  | haproxy_process_pool_used_bytes                | Total amount of memory used in pools (in bytes).                              |
  | haproxy_process_pool_failures_total            | Total number of failed pool allocations.                                      |
  | haproxy_process_max_fds                        | Maximum number of open file descriptors; 0=unset.                             |
--| haproxy_process_max_sockets                    | Maximum numer of open sockets.                                                |
++| haproxy_process_max_sockets                    | Maximum number of open sockets.                                               |
  | haproxy_process_max_connections                | Maximum number of concurrent connections.                                     |
  | haproxy_process_hard_max_connections           | Initial Maximum number of concurrent connections.                             |
  | haproxy_process_current_connections            | Number of active sessions.                                                    |
@@ -122,7 +122,7 @@ Exported metrics
  | haproxy_process_max_ssl_rate                   | Maximum observed number of SSL sessions per second.                           |
  | haproxy_process_current_frontend_ssl_key_rate  | Current frontend SSL Key computation per second over last elapsed second.     |
  | haproxy_process_max_frontend_ssl_key_rate      | Maximum observed frontend SSL Key computation per second.                     |
--| haproxy_process_frontent_ssl_reuse             | SSL session reuse ratio (percent).                                            |
++| haproxy_process_frontend_ssl_reuse             | SSL session reuse ratio (percent).                                            |
  | haproxy_process_current_backend_ssl_key_rate   | Current backend SSL Key computation per second over last elapsed second.      |
  | haproxy_process_max_backend_ssl_key_rate       | Maximum observed backend SSL Key computation per second.                      |
  | haproxy_process_ssl_cache_lookups_total        | Total number of SSL session cache lookups.                                    |
@@ -268,6 +268,9 @@ Exported metrics
  | haproxy_server_client_aborts_total                 | Total number of data transfers aborted by the client.                     |
  | haproxy_server_server_aborts_total                 | Total number of data transfers aborted by the server.                     |
  | haproxy_server_weight                              | Service weight.                                                           |
++| haproxy_server_check_status                        | Status of last health check, if enabled. (see below for the mapping)      |
++| haproxy_server_check_code                          | layer5-7 code, if available of the last health check.                     |
++| haproxy_server_check_duration_seconds              | Total duration of the latest server health check, in seconds.             |
  | haproxy_server_check_failures_total                | Total number of failed check (Only when the server is up).                |
  | haproxy_server_check_up_down_total                 | Total number of UP->DOWN transitions.                                     |
  | haproxy_server_downtime_seconds_total              | Total downtime (in seconds) for the service.                              |
@@ -278,3 +281,30 @@ Exported metrics
  | haproxy_server_idle_connections_current            | Current number of idle connections available for reuse.                   |
  | haproxy_server_idle_connections_limit              | Limit on the number of available idle connections.                        |
  +----------------------------------------------------+---------------------------------------------------------------------------+
++
++Mapping of health check status :
++
++   0 : HCHK_STATUS_UNKNOWN  (Unknown)
++   1 : HCHK_STATUS_INI      (Initializing)
++
++   4 : HCHK_STATUS_HANA     (Health analyze detected enough consecutive errors)
++
++   5 : HCHK_STATUS_SOCKERR  (Socket error)
++
++   6 : HCHK_STATUS_L4OK     (L4 check passed, for example tcp connect)
++   7 : HCHK_STATUS_L4TOUT   (L4 timeout)
++   8 : HCHK_STATUS_L4CON    (L4 connection problem)
++
++   9 : HCHK_STATUS_L6OK     (L6 check passed)
++  10 : HCHK_STATUS_L6TOUT   (L6 (SSL) timeout)
++  11 : HCHK_STATUS_L6RSP    (L6 invalid response - protocol error)
++
++  12 : HCHK_STATUS_L7TOUT   (L7 (HTTP/SMTP) timeout)
++  13 : HCHK_STATUS_L7RSP    (L7 invalid response - protocol error)
++  15 : HCHK_STATUS_L7OKD    (L7 check passed)
++  16 : HCHK_STATUS_L7OKCD   (L7 check conditionally passed)
++  17 : HCHK_STATUS_L7STS    (L7 response error, for example HTTP 5xx)
++
++  18 : HCHK_STATUS_PROCERR  (External process check failure)
++  19 : HCHK_STATUS_PROCTOUT (External process check timeout)
++  20 : HCHK_STATUS_PROCOK   (External process check passed)
 diff --git a/contrib/prometheus-exporter/service-prometheus.c b/contrib/prometheus-exporter/service-prometheus.c
 index c34ee0e..d420cbc 100644
 --- a/contrib/prometheus-exporter/service-prometheus.c
 +++ b/contrib/prometheus-exporter/service-prometheus.c
@@ -20,6 +20,7 @@
  #include <common/initcall.h>
  #include <common/memory.h>
  #include <common/mini-clist.h>
++#include <common/version.h>
  #include <types/global.h>
@@ -83,12 +84,17 @@ enum {
   */
  #define PROMEX_MAX_METRIC_LENGTH 512
++/* Some labels for build_info */
++#define PROMEX_VERSION_LABEL "version=\"" HAPROXY_VERSION "\""
++#define PROMEX_BUILDINFO_LABEL PROMEX_VERSION_LABEL
++
  /* Matrix used to dump global metrics. Each metric points to the next one to be
   * processed or 0 to stop the dump. */
  const int promex_global_metrics[INF_TOTAL_FIELDS] = {
--	[INF_NAME]                           = INF_NBTHREAD,
++	[INF_NAME]                           = INF_BUILD_INFO,
  	[INF_VERSION]                        = 0,
  	[INF_RELEASE_DATE]                   = 0,
++	[INF_BUILD_INFO]                     = INF_NBTHREAD,
  	[INF_NBTHREAD]                       = INF_NBPROC,
  	[INF_NBPROC]                         = INF_PROCESS_NUM,
  	[INF_PROCESS_NUM]                    = INF_UPTIME_SEC,
@@ -367,7 +373,7 @@ const int promex_srv_metrics[ST_F_TOTAL_FIELDS] = {
  	[ST_F_WRETR]          = ST_F_WREDIS,
  	[ST_F_WREDIS]         = ST_F_WREW,
  	[ST_F_STATUS]         = ST_F_SCUR,
--	[ST_F_WEIGHT]         = ST_F_CHKFAIL,
++	[ST_F_WEIGHT]         = ST_F_CHECK_STATUS,
  	[ST_F_ACT]            = 0,
  	[ST_F_BCK]            = 0,
  	[ST_F_CHKFAIL]        = ST_F_CHKDOWN,
@@ -385,9 +391,9 @@ const int promex_srv_metrics[ST_F_TOTAL_FIELDS] = {
  	[ST_F_RATE]           = 0,
  	[ST_F_RATE_LIM]       = 0,
  	[ST_F_RATE_MAX]       = ST_F_LASTSESS,
--	[ST_F_CHECK_STATUS]   = 0,
--	[ST_F_CHECK_CODE]     = 0,
--	[ST_F_CHECK_DURATION] = 0,
++	[ST_F_CHECK_STATUS]   = ST_F_CHECK_CODE,
++	[ST_F_CHECK_CODE]     = ST_F_CHECK_DURATION,
++	[ST_F_CHECK_DURATION] = ST_F_CHKFAIL,
  	[ST_F_HRSP_1XX]       = ST_F_HRSP_2XX,
  	[ST_F_HRSP_2XX]       = ST_F_HRSP_3XX,
  	[ST_F_HRSP_3XX]       = ST_F_HRSP_4XX,
@@ -450,6 +456,7 @@ const struct ist promex_inf_metric_names[INF_TOTAL_FIELDS] = {
  	[INF_NAME]                           = IST("name"),
  	[INF_VERSION]                        = IST("version"),
  	[INF_RELEASE_DATE]                   = IST("release_date"),
++	[INF_BUILD_INFO]                     = IST("build_info"),
  	[INF_NBTHREAD]                       = IST("nbthread"),
  	[INF_NBPROC]                         = IST("nbproc"),
  	[INF_PROCESS_NUM]                    = IST("relative_process_id"),
@@ -484,7 +491,7 @@ const struct ist promex_inf_metric_names[INF_TOTAL_FIELDS] = {
  	[INF_MAX_SSL_RATE]                   = IST("max_ssl_rate"),
  	[INF_SSL_FRONTEND_KEY_RATE]          = IST("current_frontend_ssl_key_rate"),
  	[INF_SSL_FRONTEND_MAX_KEY_RATE]      = IST("max_frontend_ssl_key_rate"),
--	[INF_SSL_FRONTEND_SESSION_REUSE_PCT] = IST("frontent_ssl_reuse"),
++	[INF_SSL_FRONTEND_SESSION_REUSE_PCT] = IST("frontend_ssl_reuse"),
  	[INF_SSL_BACKEND_KEY_RATE]           = IST("current_backend_ssl_key_rate"),
  	[INF_SSL_BACKEND_MAX_KEY_RATE]       = IST("max_backend_ssl_key_rate"),
  	[INF_SSL_CACHE_LOOKUPS]              = IST("ssl_cache_lookups_total"),
@@ -549,7 +556,7 @@ const struct ist promex_st_metric_names[ST_F_TOTAL_FIELDS] = {
  	[ST_F_RATE_MAX]       = IST("max_session_rate"),
  	[ST_F_CHECK_STATUS]   = IST("check_status"),
  	[ST_F_CHECK_CODE]     = IST("check_code"),
--	[ST_F_CHECK_DURATION] = IST("check_duration_milliseconds"),
++	[ST_F_CHECK_DURATION] = IST("check_duration_seconds"),
  	[ST_F_HRSP_1XX]       = IST("http_responses_total"),
  	[ST_F_HRSP_2XX]       = IST("http_responses_total"),
  	[ST_F_HRSP_3XX]       = IST("http_responses_total"),
@@ -611,7 +618,8 @@ const struct ist promex_st_metric_names[ST_F_TOTAL_FIELDS] = {
  const struct ist promex_inf_metric_desc[INF_TOTAL_FIELDS] = {
  	[INF_NAME]                           = IST("Product name."),
  	[INF_VERSION]                        = IST("HAProxy version."),
--	[INF_RELEASE_DATE]                   = IST("HAProxy realease date."),
++	[INF_RELEASE_DATE]                   = IST("HAProxy release date."),
++	[INF_BUILD_INFO]                     = IST("HAProxy build info."),
  	[INF_NBTHREAD]                       = IST("Configured number of threads."),
  	[INF_NBPROC]                         = IST("Configured number of processes."),
  	[INF_PROCESS_NUM]                    = IST("Relative process id, starting at 1."),
@@ -709,9 +717,9 @@ const struct ist promex_st_metric_desc[ST_F_TOTAL_FIELDS] = {
  	[ST_F_RATE]           = IST("Current number of sessions per second over last elapsed second."),
  	[ST_F_RATE_LIM]       = IST("Configured limit on new sessions per second."),
  	[ST_F_RATE_MAX]       = IST("Maximum observed number of sessions per second."),
--	[ST_F_CHECK_STATUS]   = IST("Status of last health check (If a check is running, the status will be reported, prefixed with '* ')."),
++	[ST_F_CHECK_STATUS]   = IST("Status of last health check (HCHK_STATUS_* values)."),
  	[ST_F_CHECK_CODE]     = IST("layer5-7 code, if available of the last health check."),
--	[ST_F_CHECK_DURATION] = IST("Time in ms took to finish last health check."),
++	[ST_F_CHECK_DURATION] = IST("Total duration of the latest server health check, in seconds."),
  	[ST_F_HRSP_1XX]       = IST("Total number of HTTP responses."),
  	[ST_F_HRSP_2XX]       = IST("Total number of HTTP responses."),
  	[ST_F_HRSP_3XX]       = IST("Total number of HTTP responses."),
@@ -774,6 +782,7 @@ const struct ist promex_inf_metric_labels[INF_TOTAL_FIELDS] = {
  	[INF_NAME]                           = IST(""),
  	[INF_VERSION]                        = IST(""),
  	[INF_RELEASE_DATE]                   = IST(""),
++	[INF_BUILD_INFO]                     = IST(PROMEX_BUILDINFO_LABEL),
  	[INF_NBTHREAD]                       = IST(""),
  	[INF_NBPROC]                         = IST(""),
  	[INF_PROCESS_NUM]                    = IST(""),
@@ -930,6 +939,7 @@ const struct ist promex_inf_metric_types[INF_TOTAL_FIELDS] = {
  	[INF_NAME]                           = IST("untyped"),
  	[INF_VERSION]                        = IST("untyped"),
  	[INF_RELEASE_DATE]                   = IST("untyped"),
++	[INF_BUILD_INFO]                     = IST("gauge"),
  	[INF_NBTHREAD]                       = IST("gauge"),
  	[INF_NBPROC]                         = IST("gauge"),
  	[INF_PROCESS_NUM]                    = IST("gauge"),
@@ -1027,8 +1037,8 @@ const struct ist promex_st_metric_types[ST_F_TOTAL_FIELDS] = {
  	[ST_F_RATE]           = IST("untyped"),
  	[ST_F_RATE_LIM]       = IST("gauge"),
  	[ST_F_RATE_MAX]       = IST("gauge"),
--	[ST_F_CHECK_STATUS]   = IST("untyped"),
--	[ST_F_CHECK_CODE]     = IST("untyped"),
++	[ST_F_CHECK_STATUS]   = IST("gauge"),
++	[ST_F_CHECK_CODE]     = IST("gauge"),
  	[ST_F_CHECK_DURATION] = IST("gauge"),
  	[ST_F_HRSP_1XX]       = IST("counter"),
  	[ST_F_HRSP_2XX]       = IST("counter"),
@@ -1269,6 +1279,9 @@ static int promex_dump_global_metrics(struct appctx *appctx, struct htx *htx)
  #endif
  	while (appctx->st2 && appctx->st2 < INF_TOTAL_FIELDS) {
  		switch (appctx->st2) {
++			case INF_BUILD_INFO:
++				metric = mkf_u32(FN_GAUGE, 1);
++				break;
  			case INF_NBTHREAD:
  				metric = mkf_u32(FO_CONFIG|FS_SERVICE, global.nbthread);
  				break;
@@ -2012,6 +2025,22 @@ static int promex_dump_srv_metrics(struct appctx *appctx, struct htx *htx)
  						weight = (sv->cur_eweight * px->lbprm.wmult + px->lbprm.wdiv - 1) / px->lbprm.wdiv;
  						metric = mkf_u32(FN_AVG, weight);
  						break;
++					case ST_F_CHECK_STATUS:
++						if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) != CHK_ST_ENABLED)
++							goto next_sv;
++						metric = mkf_u32(FN_OUTPUT, sv->check.status);
++						break;
++					case ST_F_CHECK_CODE:
++						if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) != CHK_ST_ENABLED)
++							goto next_sv;
++						metric = mkf_u32(FN_OUTPUT, (sv->check.status < HCHK_STATUS_L57DATA) ? 0 : sv->check.code);
++						break;
++					case ST_F_CHECK_DURATION:
++						if (sv->check.status < HCHK_STATUS_CHECKED)
++						    goto next_sv;
++						secs = (double)sv->check.duration / 1000.0;
++						metric = mkf_flt(FN_DURATION, secs);
++						break;
  					case ST_F_CHKFAIL:
  						metric = mkf_u64(FN_COUNTER, sv->counters.failed_checks);
  						break;
@@ -2113,13 +2142,12 @@ static int promex_dump_srv_metrics(struct appctx *appctx, struct htx *htx)
  static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *si, struct htx *htx)
+ {
  	int ret;
--	int flags = appctx->ctx.stats.flags;
  	switch (appctx->st1) {
  		case PROMEX_DUMPER_INIT:
  			appctx->ctx.stats.px = NULL;
  			appctx->ctx.stats.sv = NULL;
--			appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC);
++			appctx->ctx.stats.flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC);
  			appctx->st2 = promex_global_metrics[INF_NAME];
  			appctx->st1 = PROMEX_DUMPER_GLOBAL;
  			/* fall through */
@@ -2136,7 +2164,8 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s
  			appctx->ctx.stats.px = proxies_list;
  			appctx->ctx.stats.sv = NULL;
--			appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC);
++			appctx->ctx.stats.flags &= ~PROMEX_FL_INFO_METRIC;
++			appctx->ctx.stats.flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC);
  			appctx->st2 = promex_front_metrics[ST_F_PXNAME];
  			appctx->st1 = PROMEX_DUMPER_FRONT;
  			/* fall through */
@@ -2153,7 +2182,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s
  			appctx->ctx.stats.px = proxies_list;
  			appctx->ctx.stats.sv = NULL;
--			appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC);
++			appctx->ctx.stats.flags |= PROMEX_FL_METRIC_HDR;
  			appctx->st2 = promex_back_metrics[ST_F_PXNAME];
  			appctx->st1 = PROMEX_DUMPER_BACK;
  			/* fall through */
@@ -2170,7 +2199,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s
  			appctx->ctx.stats.px = proxies_list;
  			appctx->ctx.stats.sv = (appctx->ctx.stats.px ? appctx->ctx.stats.px->srv : NULL);
--			appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC);
++			appctx->ctx.stats.flags |= PROMEX_FL_METRIC_HDR;
  			appctx->st2 = promex_srv_metrics[ST_F_PXNAME];
  			appctx->st1 = PROMEX_DUMPER_SRV;
  			/* fall through */
@@ -2187,7 +2216,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s
  			appctx->ctx.stats.px = NULL;
  			appctx->ctx.stats.sv = NULL;
--			appctx->ctx.stats.flags = flags;
++			appctx->ctx.stats.flags &= ~(PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC|PROMEX_FL_STATS_METRIC);
  			appctx->st2 = 0;
  			appctx->st1 = PROMEX_DUMPER_DONE;
  			/* fall through */
@@ -2261,7 +2290,7 @@ static int promex_parse_uri(struct appctx *appctx, struct stream_interface *si)
  			*(p++) = 0;
  		else if (*p == '#')
  			*p = 0;
--		len = url_decode(key);
++		len = url_decode(key, 1);
  		if (len == -1)
  			goto error;
@@ -2275,7 +2304,7 @@ static int promex_parse_uri(struct appctx *appctx, struct stream_interface *si)
  				*(p++) = 0;
  			else if (*p == '#')
  				*p = 0;
--			len = url_decode(value);
++			len = url_decode(value, 1);
  			if (len == -1)
  				goto error;
+ 		}
@@ -2411,6 +2440,7 @@ static void promex_appctx_handle_io(struct appctx *appctx)
  				goto out;
+ 			}
  			channel_add_input(res, 1);
++			res->flags |= CF_EOI;
  			appctx->st0 = PROMEX_ST_END;
  			/* fall through */
 diff --git a/contrib/spoa_example/include/mini-clist.h b/contrib/spoa_example/include/mini-clist.h
 index a89255c..d009704 100644
 --- a/contrib/spoa_example/include/mini-clist.h
 +++ b/contrib/spoa_example/include/mini-clist.h
@@ -44,7 +44,7 @@ struct list {
   * since it's used only once.
   * Example: LIST_ELEM(cur_node->args.next, struct node *, args)
   */
--#define LIST_ELEM(lh, pt, el) ((pt)(((void *)(lh)) - ((void *)&((pt)NULL)->el)))
++#define LIST_ELEM(lh, pt, el) ((pt)(((const char *)(lh)) - ((size_t)&((pt)NULL)->el)))
  /* checks if the list head <lh> is empty or not */
  #define LIST_ISEMPTY(lh) ((lh)->n == (lh))
 diff --git a/contrib/spoa_server/README b/contrib/spoa_server/README
 index d820807..7eaebd3 100644
 --- a/contrib/spoa_server/README
 +++ b/contrib/spoa_server/README
@@ -11,7 +11,7 @@ is done.
    Compilation
  ---------------
--Actually, the server support Lua and Python. Type "make" with the options:
++The server currently supports Lua and Python. Type "make" with the options:
  USE_LUA=1 and/or USE_PYTHON=1.
@@ -66,7 +66,7 @@ Main process:
  Python:
-- * Improve repporting: Catch python error message and repport it in the right
++ * Improve reporting: Catch python error message and report it in the right
     place. Today the error are dumped on stdout. How using syslog for logging
     stack traces ?
 diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c
 index 0a9fbff..7eadef6 100644
 --- a/contrib/spoa_server/ps_python.c
 +++ b/contrib/spoa_server/ps_python.c
@@ -29,7 +29,7 @@ static PyObject *module_ipaddress;
  static PyObject *ipv4_address;
  static PyObject *ipv6_address;
  static PyObject *spoa_error;
--static PyObject *empty_array;
++static PyObject *empty_tuple;
  static struct worker *worker;
  static int ps_python_start_worker(struct worker *w);
@@ -54,7 +54,7 @@ static PyObject *ps_python_register_message(PyObject *self, PyObject *args)
  	ps_register_message(&ps_python_bindings, name, (void *)ref);
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args)
@@ -66,10 +66,10 @@ static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#i", &name, &name_len, &scope))
  		return NULL;
  	if (!set_var_null(worker, name, name_len, scope)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args)
@@ -82,10 +82,10 @@ static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#ii", &name, &name_len, &scope, &value))
  		return NULL;
  	if (!set_var_bool(worker, name, name_len, scope, value)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args)
@@ -98,10 +98,10 @@ static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#ii", &name, &name_len, &scope, &value))
  		return NULL;
  	if (!set_var_int32(worker, name, name_len, scope, value)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args)
@@ -114,10 +114,10 @@ static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#iI", &name, &name_len, &scope, &value))
  		return NULL;
  	if (!set_var_uint32(worker, name, name_len, scope, value)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args)
@@ -130,10 +130,10 @@ static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#il", &name, &name_len, &scope, &value))
  		return NULL;
  	if (!set_var_int64(worker, name, name_len, scope, value)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args)
@@ -146,10 +146,10 @@ static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#ik", &name, &name_len, &scope, &value))
  		return NULL;
  	if (!set_var_uint64(worker, name, name_len, scope, value)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args)
@@ -172,15 +172,17 @@ static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args)
  	if (value == NULL)
  		return NULL;
  	if (PyString_GET_SIZE(value) != sizeof(ip)) {
--		PyErr_Format(spoa_error, "UPv6 manipulation internal error");
++		PyErr_Format(spoa_error, "IPv4 manipulation internal error");
  		return NULL;
+ 	}
  	memcpy(&ip, PyString_AS_STRING(value), PyString_GET_SIZE(value));
  	if (!set_var_ipv4(worker, name, name_len, scope, &ip)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	/* Once we set the IP value in the worker, we don't need it anymore... */
++	Py_XDECREF(value);
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args)
@@ -203,15 +205,17 @@ static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args)
  	if (value == NULL)
  		return NULL;
  	if (PyString_GET_SIZE(value) != sizeof(ip)) {
--		PyErr_Format(spoa_error, "UPv6 manipulation internal error");
++		PyErr_Format(spoa_error, "IPv6 manipulation internal error");
  		return NULL;
+ 	}
  	memcpy(&ip, PyString_AS_STRING(value), PyString_GET_SIZE(value));
  	if (!set_var_ipv6(worker, name, name_len, scope, &ip)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	/* Once we set the IP value in the worker, we don't need it anymore... */
++	Py_XDECREF(value);
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args)
@@ -225,10 +229,10 @@ static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#is#", &name, &name_len, &scope, &value, &value_len))
  		return NULL;
  	if (!set_var_string(worker, name, name_len, scope, value, value_len)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
  static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args)
@@ -242,10 +246,10 @@ static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args)
  	if (!PyArg_ParseTuple(args, "s#is#", &name, &name_len, &scope, &value, &value_len))
  		return NULL;
  	if (!set_var_bin(worker, name, name_len, scope, value, value_len)) {
--		PyErr_SetString(spoa_error, "No space left available");
++		PyErr_SetString(spoa_error, "No more memory space available");
  		return NULL;
+ 	}
--	return Py_None;
++	Py_RETURN_NONE;
+ }
@@ -300,25 +304,42 @@ static int ps_python_start_worker(struct worker *w)
  	ipv4_address = PyObject_GetAttrString(module_ipaddress, "IPv4Address");
  	if (ipv4_address == NULL) {
++		Py_DECREF(module_ipaddress);
  		PyErr_Print();
  		return 0;
+ 	}
  	ipv6_address = PyObject_GetAttrString(module_ipaddress, "IPv6Address");
--	if (ipv4_address == NULL) {
++	if (ipv6_address == NULL) {
++		Py_DECREF(ipv4_address);
++		Py_DECREF(module_ipaddress);
  		PyErr_Print();
  		return 0;
+ 	}
  	m = Py_InitModule("spoa", spoa_methods);
  	if (m == NULL) {
++		Py_DECREF(ipv4_address);
++		Py_DECREF(ipv6_address);
++		Py_DECREF(module_ipaddress);
  		PyErr_Print();
  		return 0;
+ 	}
  	spoa_error = PyErr_NewException("spoa.error", NULL, NULL);
++	 /* PyModule_AddObject will steal the reference to spoa_error
++	 * in case of success only
++	 * We need to increment the counters to continue using it
++	 * but cleanup in case of failure
++	 */
  	Py_INCREF(spoa_error);
--	PyModule_AddObject(m, "error", spoa_error);
++	ret = PyModule_AddObject(m, "error", spoa_error);
++	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(spoa_error);
++		PyErr_Print();
++		return 0;
++	}
  	value = PyLong_FromLong(SPOE_SCOPE_PROC);
@@ -329,60 +350,74 @@ static int ps_python_start_worker(struct worker *w)
  	ret = PyModule_AddObject(m, "scope_proc", value);
  	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(value);
  		PyErr_Print();
  		return 0;
+ 	}
  	value = PyLong_FromLong(SPOE_SCOPE_SESS);
  	if (value == NULL) {
++		Py_DECREF(m);
  		PyErr_Print();
  		return 0;
+ 	}
  	ret = PyModule_AddObject(m, "scope_sess", value);
  	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(value);
  		PyErr_Print();
  		return 0;
+ 	}
  	value = PyLong_FromLong(SPOE_SCOPE_TXN);
  	if (value == NULL) {
++		Py_DECREF(m);
  		PyErr_Print();
  		return 0;
+ 	}
  	ret = PyModule_AddObject(m, "scope_txn", value);
  	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(value);
  		PyErr_Print();
  		return 0;
+ 	}
  	value = PyLong_FromLong(SPOE_SCOPE_REQ);
  	if (value == NULL) {
++		Py_DECREF(m);
  		PyErr_Print();
  		return 0;
+ 	}
  	ret = PyModule_AddObject(m, "scope_req", value);
  	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(value);
  		PyErr_Print();
  		return 0;
+ 	}
  	value = PyLong_FromLong(SPOE_SCOPE_RES);
  	if (value == NULL) {
++		Py_DECREF(m);
  		PyErr_Print();
  		return 0;
+ 	}
  	ret = PyModule_AddObject(m, "scope_res", value);
  	if (ret == -1) {
++		Py_DECREF(m);
++		Py_DECREF(value);
  		PyErr_Print();
  		return 0;
+ 	}
--	empty_array = PyDict_New();
--	if (empty_array == NULL) {
++	empty_tuple = PyTuple_New(0);
++	if (empty_tuple == NULL) {
  		PyErr_Print();
  		return 0;
+ 	}
@@ -445,7 +480,6 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  		ent = PyDict_New();
  		if (ent == NULL) {
  			Py_DECREF(kw_args);
--			Py_DECREF(ent);
  			PyErr_Print();
  			return 0;
+ 		}
@@ -455,6 +489,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  		key = PyString_FromString("name");
  		if (key == NULL) {
  			Py_DECREF(kw_args);
++			Py_DECREF(ent);
  			PyErr_Print();
  			return 0;
+ 		}
@@ -478,7 +513,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			return 0;
+ 		}
--		/* Create th value entry */
++		/* Create the value entry */
  		key = PyString_FromString("value");
  		if (key == NULL) {
@@ -490,6 +525,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  		switch (args[i].value.type) {
  		case SPOE_DATA_T_NULL:
++			Py_INCREF(Py_None);
  			value = Py_None;
  			break;
  		case SPOE_DATA_T_BOOL:
@@ -520,6 +556,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			if (func == NULL) {
  				Py_DECREF(kw_args);
  				Py_DECREF(ent);
++				Py_DECREF(key);
  				PyErr_Print();
  				return 0;
+ 			}
@@ -527,6 +564,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			if (ip_dict == NULL) {
  				Py_DECREF(kw_args);
  				Py_DECREF(ent);
++				Py_DECREF(key);
  				Py_DECREF(func);
  				PyErr_Print();
  				return 0;
@@ -535,6 +573,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			if (ip_name == NULL) {
  				Py_DECREF(kw_args);
  				Py_DECREF(ent);
++				Py_DECREF(key);
  				Py_DECREF(func);
  				Py_DECREF(ip_dict);
  				PyErr_Print();
@@ -544,6 +583,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			if (ip_value == NULL) {
  				Py_DECREF(kw_args);
  				Py_DECREF(ent);
++				Py_DECREF(key);
  				Py_DECREF(func);
  				Py_DECREF(ip_dict);
  				Py_DECREF(ip_name);
@@ -554,11 +594,15 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			Py_DECREF(ip_name);
  			Py_DECREF(ip_value);
  			if (ret == -1) {
++				Py_DECREF(kw_args);
++				Py_DECREF(ent);
++				Py_DECREF(key);
++				Py_DECREF(func);
  				Py_DECREF(ip_dict);
  				PyErr_Print();
  				return 0;
+ 			}
--			value = PyObject_Call(func, empty_array, ip_dict);
++			value = PyObject_Call(func, empty_tuple, ip_dict);
  			Py_DECREF(func);
  			Py_DECREF(ip_dict);
  			break;
@@ -570,6 +614,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  			value = PyString_FromStringAndSize(args[i].value.u.buffer.str, args[i].value.u.buffer.len);
  			break;
  		default:
++			Py_INCREF(Py_None);
  			value = Py_None;
  			break;
+ 		}
@@ -628,11 +673,13 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct
  		return 0;
+ 	}
--	result = PyObject_Call(python_ref, empty_array, fkw);
++	result = PyObject_Call(python_ref, empty_tuple, fkw);
++	Py_DECREF(fkw);
  	if (result == NULL) {
  		PyErr_Print();
  		return 0;
+ 	}
++	Py_DECREF(result);
  	return 1;
+ }
 diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
 index 9b7c3d1..49d3c52 100644
 --- a/contrib/systemd/haproxy.service.in
 +++ b/contrib/systemd/haproxy.service.in
@@ -1,14 +1,15 @@
  [Unit]
  Description=HAProxy Load Balancer
--After=network.target
++After=network-online.target
++Wants=network-online.target
  [Service]
  EnvironmentFile=-/etc/default/haproxy
  EnvironmentFile=-/etc/sysconfig/haproxy
  Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
--ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q $EXTRAOPTS
++ExecStartPre=@SBINDIR@/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
  ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
--ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q $EXTRAOPTS
++ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
  ExecReload=/bin/kill -USR2 $MAINPID
  KillMode=mixed
  Restart=always
 diff --git a/debian/changelog b/debian/changelog
 index c45f3b2..d5459d3 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,16 @@
++haproxy (2.0.29-0ubuntu1) focal; urgency=medium
++
++  * New upstream release (LP: #1987914).
++    - Refresh haproxy.service-*.patch.
++    - Remove patches applied by upstream in debian/patches:
++      + 0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
++      + 0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
++      + 2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
++      + CVE-2022-0711.patch
++      + lp1894879-BUG-MEDIUM-dns-*.patch
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Fri, 26 Aug 2022 17:07:24 -0300
++
  haproxy (2.0.13-2ubuntu0.5) focal-security; urgency=medium
    * SECURITY UPDATE: infinite loop via Set-Cookie2 header
 diff --git a/debian/patches/0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch b/debian/patches/0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
 deleted file mode 100644
 index 1176bb5..0000000
 --- a/debian/patches/0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
 +++ /dev/null
@@ -1,65 +0,0 @@
--From 86f4f281efb933900ebcc4fdaef95f566382d907 Mon Sep 17 00:00:00 2001
--From: Willy Tarreau <w@1wt.eu>
--Date: Thu, 26 Aug 2021 16:23:37 +0200
--Subject: BUG/MAJOR: htx: fix missing header name length check in
-- htx_add_header/trailer
--
--Shachar Menashe for JFrog Security reported that htx_add_header() and
--htx_add_trailer() were missing a length check on the header name. While
--this does not allow to overwrite any memory area, it results in bits of
--the header name length to slip into the header value length and may
--result in forging certain header names on the input. The sad thing here
--is that a FIXME comment was present suggesting to add the required length
--checks :-(
--
--The injected headers are visible to the HTTP internals and to the config
--rules, so haproxy will generally stay synchronized with the server. But
--there is one exception which is the content-length header field, because
--it is already deduplicated on the input, but before being indexed. As
--such, injecting a content-length header after the deduplication stage
--may be abused to present a different, shorter one on the other side and
--help build a request smuggling attack, or even maybe a response splitting
--attack.
--
--As a mitigation measure, it is sufficient to verify that no more than
--one such header is present in any message, which is normally the case
--thanks to the duplicate checks:
--
--   http-request  deny if { req.hdr_cnt(content-length) gt 1 }
--   http-response deny if { res.hdr_cnt(content-length) gt 1 }
--
--This must be backported to all HTX-enabled versions, hence as far as 2.0.
--In 2.3 and earlier, the functions are in src/htx.c instead.
--
--Many thanks to Shachar for his work and his responsible report!
--
--[wt: code is in src/htx.c in 2.3 and older]
--Signed-off-by: Willy Tarreau <w@1wt.eu>
-----
-- src/htx.c | 8 ++++++--
-- 1 file changed, 6 insertions(+), 2 deletions(-)
--
----- a/src/htx.c
--+++ b/src/htx.c
--@@ -846,7 +846,9 @@ struct htx_blk *htx_add_header(struct ht
-- {
-- 	struct htx_blk *blk;
--
---	/* FIXME: check name.len (< 256B) and value.len (< 1MB) */
--+	if (name.len > 255 || value.len > 1048575)
--+		return NULL;
--+
-- 	blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len);
-- 	if (!blk)
-- 		return NULL;
--@@ -865,7 +867,9 @@ struct htx_blk *htx_add_trailer(struct h
-- {
-- 	struct htx_blk *blk;
--
---	/* FIXME: check name.len (< 256B) and value.len (< 1MB) */
--+	if (name.len > 255 || value.len > 1048575)
--+		return NULL;
--+
-- 	blk = htx_add_blk(htx, HTX_BLK_TLR, name.len + value.len);
-- 	if (!blk)
-- 		return NULL;
 diff --git a/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch b/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
 deleted file mode 100644
 index fd33180..0000000
 --- a/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
 +++ /dev/null
@@ -1,51 +0,0 @@
--From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
--From: Willy Tarreau <w@1wt.eu>
--Date: Sun, 29 Mar 2020 08:53:31 +0200
--Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
-- wrapping
--
--The HPACK header table is implemented as a wrapping list inside a contigous
--area. Headers names and values are stored from right to left while indexes
--are stored from left to right. When there's no more room to store a new one,
--we wrap to the right again, or possibly defragment it if needed. The condition
--do use the right part (called tailroom) or the left part (called headroom)
--depends on the location of the last inserted header. After wrapping happens,
--the code forces to stick to tailroom by pretending there's no more headroom,
--so that the size fit test always fails. The problem is that nothing prevents
--from storing a header with an empty name and empty value, resulting in a
--total size of zero bytes, which satisfies the condition to use the headroom.
--Doing this in a wrapped buffer results in changing the "front" header index
--and causing miscalculations on the available size and the addresses of the
--next headers. This may even allow to overwrite some parts of the index,
--opening the possibility to perform arbitrary writes into a 32-bit relative
--address space.
--
--This patch fixes the issue by making sure the headroom is considered only
--when the buffer does not wrap, instead of relying on the zero size. This
--must be backported to all versions supporting H2, which is as far as 1.8.
--
--Many thanks to Felix Wilhelm of Google Project Zero for responsibly
--reporting this problem with a reproducer and a detailed analysis.
-----
-- src/hpack-tbl.c | 4 ++--
-- 1 file changed, 2 insertions(+), 2 deletions(-)
--
--diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
--index 70d7f35834..727ff7a17b 100644
----- a/src/hpack-tbl.c
--+++ b/src/hpack-tbl.c
--@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
-- 	 * room left in the tail to suit the protocol, but tests show that in
-- 	 * practice it almost never happens in other situations so the extra
-- 	 * test is useless and we simply fill the headroom as long as it's
---	 * available.
--+	 * available and we don't wrap.
-- 	 */
---	if (headroom >= name.len + value.len) {
--+	if (prev == dht->front && headroom >= name.len + value.len) {
-- 		/* install upfront and update ->front */
-- 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
-- 		dht->front = head;
----
--2.20.1
--
 diff --git a/debian/patches/2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch b/debian/patches/2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
 deleted file mode 100644
 index bf662b7..0000000
 --- a/debian/patches/2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
 +++ /dev/null
@@ -1,80 +0,0 @@
--From 08f7092fa046b115285bfb0df276a5d1b6d52d37 Mon Sep 17 00:00:00 2001
--Date: Wed, 11 Aug 2021 11:12:46 +0200
--Subject: BUG/MAJOR: h2: enforce checks on the method syntax before translating
-- to HTX
--MIME-Version: 1.0
--Content-Type: text/plain; charset=latin1
--Content-Transfer-Encoding: 8bit
--
--The situation with message components in H2 is always troubling. They're
--produced by the HPACK layer which contains a dictionary of well-known
--hardcoded values, yet wants to remain binary transparent and protocol-
--agnostic with HTTP just being one user, yet at the H2 layer we're
--supposed to enforce some checks on some selected pseudo-headers that
--come from internal constants... The :method pseudo-header is no exception
--and is not tested when coming from the HPACK layer. This makes it possible
--to pass random chars into methods, that can be serialized on another H2
--connection (where they would not harm), or worse, on an H1 connection
--where they can be used to transform the forwareded request. This is
--similar to the request line injection described here:
--
--   https://portswigger.net/research/http2
--
--A workaround here is to reject malformed methods by placing this rule
--in the frontend or backend, at least before leaving haproxy in H1:
--
--   http-request reject if { method -m reg [^A-Z0-9] }
--
--Alternately H2 may be globally disabled by commenting out the "alpn"
--directive on "bind" lines, and by rejecting H2 streams creation by
--adding the following statement to the global section:
--
--   tune.h2.max-concurrent-streams 0
--
--This patch adds a check for each character of the method to be part of
--the ones permitted in a token, as mentioned in RFC7231#4.1. This should
--be backported to versions 2.0 and above, maybe even 1.8. For older
--versions not having HTX_FL_PARSING_ERROR, a "goto fail" works as well
--as it results in a protocol error at the stream level. Non-HTX versions
--were initially thought to be safe but must be carefully rechecked since
--they transcode the request into H1 before processing it.
--
--Thanks to Tim D�sterhus for reporting that one.
--
--(cherry picked from commit b4be735a0a7c4a00bf3d774334763536774d7eea)
--Signed-off-by: Willy Tarreau <w@1wt.eu>
--(cherry picked from commit 6b827f661374704e91322a82197bbfbfbf910f70)
--[wt: adapted since no meth_sl in 2.3]
--Signed-off-by: Willy Tarreau <w@1wt.eu>
--(cherry picked from commit fbeb053d1a83faedbf3edbe04bde39bc7304cddd)
--Signed-off-by: Willy Tarreau <w@1wt.eu>
--(cherry picked from commit c91c37a122784de872b79ec6832fe8a9cfe675e0)
--[wt: context adjustment; non-htx is safe since nul/cr/lf forbidden
--     in any header, and other invalid chars blocked by H1 parser]
--Signed-off-by: Willy Tarreau <w@1wt.eu>
-----
-- src/h2.c | 8 ++++++++
-- 1 file changed, 8 insertions(+)
--
--diff --git a/src/h2.c b/src/h2.c
--index 719b1743b..bfc0bdafe 100644
----- a/src/h2.c
--+++ b/src/h2.c
--@@ -571,6 +571,14 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
-- 		}
-- 	}
--
--+	/* The method is a non-empty token (RFC7231#4.1) */
--+	if (!phdr[H2_PHDR_IDX_METH].len)
--+		goto fail;
--+	for (i = 0; i < phdr[H2_PHDR_IDX_METH].len; i++) {
--+		if (!HTTP_IS_TOKEN(phdr[H2_PHDR_IDX_METH].ptr[i]))
--+			htx->flags |= HTX_FL_PARSING_ERROR;
--+	}
--+
-- 	/* 7540#8.1.2.3: :path must not be empty */
-- 	if (!phdr[uri_idx].len)
-- 		goto fail;
----
--2.28.0
--
 diff --git a/debian/patches/CVE-2022-0711.patch b/debian/patches/CVE-2022-0711.patch
 deleted file mode 100644
 index cbeb71e..0000000
 --- a/debian/patches/CVE-2022-0711.patch
 +++ /dev/null
@@ -1,40 +0,0 @@
--Backport of:
--
--From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
--From: Andrew McDermott <aim@frobware.com>
--Date: Fri, 11 Feb 2022 18:26:49 +0000
--Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
-- http_manage_server_side_cookies
--
--Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
--header is found then the while(1) loop in
--http_manage_server_side_cookies() will never terminate, resulting in
--the watchdog firing and the process terminating via SIGABRT.
--
--The while(1) loop becomes unbounded because an unmatched call to
--http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
--calls to check for "Set-Cookie2" will now enumerate from the beginning
--of all the blocks and will once again match on subsequent
--passes (assuming a match first time around), hence the loop becoming
--unbounded.
--
--This issue was introduced with HTX and this fix should be backported
--to all versions supporting HTX.
--
--Many thanks to Grant Spence (gspence@redhat.com) for working through
--this issue with me.
-----
-- src/http_ana.c | 2 +-
-- 1 file changed, 1 insertion(+), 1 deletion(-)
--
----- a/src/proto_htx.c
--+++ b/src/proto_htx.c
--@@ -4389,7 +4389,7 @@ static void htx_manage_server_side_cooki
-- 	while (1) {
-- 		int is_first = 1;
--
---		if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
--+		if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
-- 			if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
-- 				break;
-- 			is_cookie2 = 1;
 diff --git a/debian/patches/haproxy.service-add-documentation.patch b/debian/patches/haproxy.service-add-documentation.patch
 index 380b39c..1ebd2f1 100644
 --- a/debian/patches/haproxy.service-add-documentation.patch
 +++ b/debian/patches/haproxy.service-add-documentation.patch
@@ -4,13 +4,11 @@ Date: Sun, 25 Mar 2018 11:31:50 +0200
  Subject: Add documentation field to the systemd unit
  Forwarded: no
--Last-Update: 2014-01-03
++Last-Update: 2022-08-26
  ---
   contrib/systemd/haproxy.service.in | 2 ++
 file changed, 2 insertions(+)
--diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
--index 243acf2..ac88c37 100644
  --- a/contrib/systemd/haproxy.service.in
  +++ b/contrib/systemd/haproxy.service.in
@@ -1,5 +1,7 @@
@@ -18,6 +16,6 @@ index 243acf2..ac88c37 100644
   Description=HAProxy Load Balancer
  +Documentation=man:haproxy(1)
  +Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
-- After=network.target rsyslog.service
++ After=network-online.target rsyslog.service
++ Wants=network-online.target
-- [Service]
 diff --git a/debian/patches/haproxy.service-start-after-syslog.patch b/debian/patches/haproxy.service-start-after-syslog.patch
 index 1e8e1e4..c81cc30 100644
 --- a/debian/patches/haproxy.service-start-after-syslog.patch
 +++ b/debian/patches/haproxy.service-start-after-syslog.patch
@@ -8,20 +8,18 @@ trigger syslog activation, we explicitly order HAProxy after rsyslog.service.
  Note that we are not using syslog.service here, since the additional socket is
  rsyslog-specific.
  Forwarded: no
--Last-Update: 2017-12-01
++Last-Update: 2022-08-26
  ---
   contrib/systemd/haproxy.service.in | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
--diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
--index 74e66e3..243acf2 100644
  --- a/contrib/systemd/haproxy.service.in
  +++ b/contrib/systemd/haproxy.service.in
@@ -1,6 +1,6 @@
   [Unit]
   Description=HAProxy Load Balancer
---After=network.target
--+After=network.target rsyslog.service
++-After=network-online.target
+++After=network-online.target rsyslog.service
++ Wants=network-online.target
   [Service]
-- EnvironmentFile=-/etc/default/haproxy
 diff --git a/debian/patches/lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch b/debian/patches/lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch
 deleted file mode 100644
 index e9e6edc..0000000
 --- a/debian/patches/lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch
 +++ /dev/null
@@ -1,132 +0,0 @@
--From ef131aee357478c45d547abcb0ab21c2a191f578 Mon Sep 17 00:00:00 2001
--From: Christopher Faulet <cfaulet@haproxy.com>
--Date: Wed, 22 Jul 2020 11:46:32 +0200
--Subject: [PATCH] BUG/MAJOR: dns: Make the do-resolve action thread-safe
--
--The do-resolve HTTP action, performing a DNS resolution of a sample expression
--output, is not thread-safe at all. The resolver object used to do the resolution
--must be locked when the action is executed or when the stream is released
--because its curr or wait resolution lists and the requester list inside a
--resolution are updated. It is also important to not wake up a released stream
--(with a destroyed task).
--
--Of course, because of this bug, various kind of crashes may be observed.
--
--This patch should fix the issue #236. It must be backported as far as 2.0.
--
--(cherry picked from commit 5098a08c2fafb0d9513996729d2a30c9785378f3)
--Signed-off-by: Willy Tarreau <w@1wt.eu>
--(cherry picked from commit 99f4623952cbbad2bcae451abdd0f3133bcbe75c)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
--(cherry picked from commit 6e5861d72fe1e3c9d34b591d6f77ffd28ddde197)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-----
-- src/dns.c    |   36 +++++++++++++++++++++++++++---------
-- src/stream.c |    4 ++++
-- 2 files changed, 31 insertions(+), 9 deletions(-)
--
--diff --git a/src/dns.c b/src/dns.c
--index 282fa92..40e29ad 100644
----- a/src/dns.c
--+++ b/src/dns.c
--@@ -2162,14 +2162,23 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-- 	struct dns_requester *req;
-- 	struct dns_resolvers  *resolvers;
-- 	struct dns_resolution *res;
---	int exp;
--+	int exp, locked = 0;
--+	enum act_return ret = ACT_RET_CONT;
--+
--+	resolvers = rule->arg.dns.resolvers;
--
-- 	/* we have a response to our DNS resolution */
--  use_cache:
-- 	if (s->dns_ctx.dns_requester && s->dns_ctx.dns_requester->resolution != NULL) {
-- 		resolution = s->dns_ctx.dns_requester->resolution;
--+		if (!locked) {
--+			HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
--+			locked = 1;
--+		}
--+
-- 		if (resolution->step == RSLV_STEP_RUNNING) {
---			return ACT_RET_YIELD;
--+			ret = ACT_RET_YIELD;
--+			goto end;
-- 		}
-- 		if (resolution->step == RSLV_STEP_NONE) {
-- 			/* We update the variable only if we have a valid response. */
--@@ -2211,29 +2220,33 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-- 		pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
-- 		s->dns_ctx.dns_requester = NULL;
--
---		return ACT_RET_CONT;
--+		goto end;
-- 	}
--
-- 	/* need to configure and start a new DNS resolution */
-- 	smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.dns.expr, SMP_T_STR);
-- 	if (smp == NULL)
---		return ACT_RET_CONT;
--+		goto end;
--
-- 	fqdn = smp->data.u.str.area;
-- 	if (action_prepare_for_resolution(s, fqdn) == -1)
---		return ACT_RET_ERR;
--+		goto end; /* on error, ignore the action */
--
-- 	s->dns_ctx.parent = rule;
--+
--+	HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
--+	locked = 1;
--+
-- 	dns_link_resolution(s, OBJ_TYPE_STREAM, 0);
--
-- 	/* Check if there is a fresh enough response in the cache of our associated resolution */
-- 	req = s->dns_ctx.dns_requester;
-- 	if (!req || !req->resolution) {
-- 		dns_trigger_resolution(s->dns_ctx.dns_requester);
---		return ACT_RET_YIELD;
--+		ret = ACT_RET_YIELD;
--+		goto end;
-- 	}
---	res       = req->resolution;
---	resolvers = res->resolvers;
--+	res = req->resolution;
--
-- 	exp = tick_add(res->last_resolution, resolvers->hold.valid);
-- 	if (resolvers->t && res->status == RSLV_STATUS_VALID && tick_isset(res->last_resolution)
--@@ -2242,7 +2255,12 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-- 	}
--
-- 	dns_trigger_resolution(s->dns_ctx.dns_requester);
---	return ACT_RET_YIELD;
--+	ret = ACT_RET_YIELD;
--+
--+  end:
--+	if (locked)
--+		HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
--+	return ret;
-- }
--
--
--diff --git a/src/stream.c b/src/stream.c
--index 080189e..2eb7cfa 100644
----- a/src/stream.c
--+++ b/src/stream.c
--@@ -435,9 +435,13 @@ static void stream_free(struct stream *s)
-- 	}
--
-- 	if (s->dns_ctx.dns_requester) {
--+		__decl_hathreads(struct dns_resolvers *resolvers = s->dns_ctx.parent->arg.dns.resolvers);
--+
--+		HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
-- 		free(s->dns_ctx.hostname_dn); s->dns_ctx.hostname_dn = NULL;
-- 		s->dns_ctx.hostname_dn_len = 0;
-- 		dns_unlink_resolution(s->dns_ctx.dns_requester);
--+		HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
--
-- 		pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
-- 		s->dns_ctx.dns_requester = NULL;
----
--1.7.10.4
--
 diff --git a/debian/patches/lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch b/debian/patches/lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch
 deleted file mode 100644
 index 34a6a37..0000000
 --- a/debian/patches/lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch
 +++ /dev/null
@@ -1,106 +0,0 @@
--From 74d704f2f36945d60f1ff7ea75dbfe3f40508861 Mon Sep 17 00:00:00 2001
--From: Christopher Faulet <cfaulet@haproxy.com>
--Date: Tue, 28 Jul 2020 10:21:54 +0200
--Subject: [PATCH] BUG/MEDIUM: dns: Don't yield in do-resolve action on a final
-- evaluation
--
--When an action is evaluated, flags are passed to know if it is the first call
--(ACT_OPT_FIRST) and if it must be the last one (ACT_OPT_FINAL). For the
--do-resolve DNS action, the ACT_OPT_FINAL flag must be handled because the
--action may yield. It must never yield when this flag is set. Otherwise, it may
--lead to a wakeup loop of the stream because the inspected-delay of a tcp-request
--content ruleset was reached without stopping the rules evaluation.
--
--This patch is related to the issue #222. It must be backported as far as 2.0.
--
--(cherry picked from commit 385101e53816dc1b7bc1fc957adc512ce8a07cb4)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
--(cherry picked from commit 5c038f759959adf95b4b347aba9d97e60ab87e93)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
--(cherry picked from commit af018c4865400dda4553a732df4c43751a4ff88c)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-----
-- src/dns.c |   39 +++++++++++++++++++++------------------
-- 1 file changed, 21 insertions(+), 18 deletions(-)
--
--diff --git a/src/dns.c b/src/dns.c
--index 18e64d9..095040e 100644
----- a/src/dns.c
--+++ b/src/dns.c
--@@ -2182,10 +2182,8 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-- 			locked = 1;
-- 		}
--
---		if (resolution->step == RSLV_STEP_RUNNING) {
---			ret = ACT_RET_YIELD;
---			goto end;
---		}
--+		if (resolution->step == RSLV_STEP_RUNNING)
--+			goto yield;
-- 		if (resolution->step == RSLV_STEP_NONE) {
-- 			/* We update the variable only if we have a valid response. */
-- 			if (resolution->status == RSLV_STATUS_VALID) {
--@@ -2219,14 +2217,7 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-- 			}
-- 		}
--
---		free(s->dns_ctx.hostname_dn); s->dns_ctx.hostname_dn = NULL;
---		s->dns_ctx.hostname_dn_len = 0;
---		dns_unlink_resolution(s->dns_ctx.dns_requester);
---
---		pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
---		s->dns_ctx.dns_requester = NULL;
---
---		goto end;
--+		goto release_requester;
-- 	}
--
-- 	/* need to configure and start a new DNS resolution */
--@@ -2247,26 +2238,38 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
--
-- 	/* Check if there is a fresh enough response in the cache of our associated resolution */
-- 	req = s->dns_ctx.dns_requester;
---	if (!req || !req->resolution) {
---		dns_trigger_resolution(s->dns_ctx.dns_requester);
---		ret = ACT_RET_YIELD;
---		goto end;
---	}
--+	if (!req || !req->resolution)
--+		goto release_requester; /* on error, ignore the action */
-- 	res = req->resolution;
--
-- 	exp = tick_add(res->last_resolution, resolvers->hold.valid);
-- 	if (resolvers->t && res->status == RSLV_STATUS_VALID && tick_isset(res->last_resolution)
---		       && !tick_is_expired(exp, now_ms)) {
--+	    && !tick_is_expired(exp, now_ms)) {
-- 		goto use_cache;
-- 	}
--
-- 	dns_trigger_resolution(s->dns_ctx.dns_requester);
--+
--+  yield:
--+	if (flags & ACT_FLAG_FINAL)
--+		goto release_requester;
-- 	ret = ACT_RET_YIELD;
--
--   end:
-- 	if (locked)
-- 		HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
-- 	return ret;
--+
--+  release_requester:
--+	free(s->dns_ctx.hostname_dn);
--+	s->dns_ctx.hostname_dn = NULL;
--+	s->dns_ctx.hostname_dn_len = 0;
--+	if (s->dns_ctx.dns_requester) {
--+		dns_unlink_resolution(s->dns_ctx.dns_requester);
--+		pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
--+		s->dns_ctx.dns_requester = NULL;
--+	}
--+	goto end;
-- }
--
--
----
--1.7.10.4
--
 diff --git a/debian/patches/lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch b/debian/patches/lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch
 deleted file mode 100644
 index f83de45..0000000
 --- a/debian/patches/lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch
 +++ /dev/null
@@ -1,51 +0,0 @@
--From 39eb766825d8aad09946dfc284d4a73f610ebd64 Mon Sep 17 00:00:00 2001
--From: Christopher Faulet <cfaulet@haproxy.com>
--Date: Wed, 22 Jul 2020 15:55:49 +0200
--Subject: [PATCH] BUG/MEDIUM: dns: Release answer items when a DNS resolution
-- is freed
--
--When a DNS resolution is freed, the remaining items in .ar_list and .answer_list
--are also released. It must be done to avoid a memory leak. And it is the last
--chance to release these objects. I've honestly no idea if there is a better
--place to release them earlier. But at least, there is no more leak.
--
--This patch should solve the issue #222. It must be backported, at least, as far
--as 2.0, and probably, with caution, as far as 1.8 or 1.7.
--
--(cherry picked from commit 010ab35a9118daf17a670fb2b42e40447f967f7c)
--Signed-off-by: Willy Tarreau <w@1wt.eu>
--(cherry picked from commit c58ac80d00284886b108b209a5bf993de5ab38ed)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
--(cherry picked from commit 81120e6ea286ae3f2566959167fb56a7d1f0de19)
--Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-----
-- src/dns.c |    6 ++++++
-- 1 file changed, 6 insertions(+)
--
--diff --git a/src/dns.c b/src/dns.c
--index 40e29ad..18e64d9 100644
----- a/src/dns.c
--+++ b/src/dns.c
--@@ -1336,6 +1336,7 @@ static struct dns_resolution *dns_pick_resolution(struct dns_resolvers *resolver
-- static void dns_free_resolution(struct dns_resolution *resolution)
-- {
-- 	struct dns_requester *req, *reqback;
--+	struct dns_answer_item *item, *itemback;
--
-- 	/* clean up configuration */
-- 	dns_reset_resolution(resolution);
--@@ -1347,6 +1348,11 @@ static void dns_free_resolution(struct dns_resolution *resolution)
-- 		req->resolution = NULL;
-- 	}
--
--+	list_for_each_entry_safe(item, itemback, &resolution->response.answer_list, list) {
--+		LIST_DEL(&item->list);
--+		pool_free(dns_answer_item_pool, item);
--+	}
--+
-- 	LIST_DEL(&resolution->list);
-- 	pool_free(dns_resolution_pool, resolution);
-- }
----
--1.7.10.4
--
 diff --git a/debian/patches/series b/debian/patches/series
 index f2fb934..0945bb0 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1,16 +1,3 @@
 -Use-dpkg-buildflags-to-build-halog.patch
  haproxy.service-start-after-syslog.patch
  haproxy.service-add-documentation.patch
--
--# 20200402 security issue (CVE-2020-11100) about HTTP/2 HPACK header table
--0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
--
--# applied during the build process:
--# debianize-dconv.patch
--
--lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch
--lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch
--lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch
--2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
--0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
--CVE-2022-0711.patch
 diff --git a/doc/SPOE.txt b/doc/SPOE.txt
 index 19f00ad..e7c303a 100644
 --- a/doc/SPOE.txt
 +++ b/doc/SPOE.txt
@@ -115,7 +115,7 @@ If you specify an engine name on the SPOE filter line, then you need to define
  scope in the SPOE configuration with the same name. You can have several SPOE
  scope in the same file. In each scope, you must define one and only one
  "spoe-agent" section to configure the SPOA linked to your SPOE and several
--"spoe-message" and "spoe-group" sections to describe, respecively, messages and
++"spoe-message" and "spoe-group" sections to describe, respectively, messages and
  group of messages sent to servers mananged by your SPOA.
  A SPOE scope starts with this kind of line :
@@ -510,7 +510,8 @@ args [name=]<sample> ...
  event <name> [ { if | unless } <condition> ]
    Set the event that triggers sending of the message. It may optionally be
    followed by an ACL-based condition, in which case it will only be evaluated
--  if the condition is true.
++  if the condition is true. A SPOE message can only be sent on one event. If
++  several events are defined, only the last one is considered.
    ACL-based conditions are executed in the context of the stream that handle
    the client and the server connections.
@@ -762,6 +763,10 @@ Here are the list of official capabilities that HAProxy and agents can support:
  Unsupported or unknown capabilities are silently ignored, when possible.
++NOTE: HAProxy does not support the fragmentation for now. This means it is not
++      able to handle fragmented frames. However, if an agent announces the
++      fragmentation support, HAProxy may choose to send fragemented frames.
++
 .2.2. Frame types overview
  ----------------------------
 diff --git a/doc/architecture.txt b/doc/architecture.txt
 index 85d5219..8174b5d 100644
 --- a/doc/architecture.txt
 +++ b/doc/architecture.txt
@@ -257,7 +257,7 @@ Description :
   - if a request does not contain a cookie, it will be forwarded to a valid
     server
   - in return, if a JESSIONID cookie is seen, the server name will be prefixed
--   into it, followed by a delimitor ('~')
++   into it, followed by a delimiter ('~')
   - when the client comes again with the cookie "JSESSIONID=A~xxx", LB1 will
     know that it must be forwarded to server A. The server name will then be
     extracted from cookie before it is sent to the server.
@@ -1265,7 +1265,7 @@ S2L2. So only initial users will load the inter-site link, not the new ones.
  ===================
  Sometimes it may reveal useful to access servers from a pool of IP addresses
--instead of only one or two. Some equipments (NAT firewalls, load-balancers)
++instead of only one or two. Some equipment (NAT firewalls, load-balancers)
  are sensible to source address, and often need many sources to distribute the
  load evenly amongst their internal hash buckets.
 diff --git a/doc/coding-style.txt b/doc/coding-style.txt
 index 9f1bd79..24550f1 100644
 --- a/doc/coding-style.txt
 +++ b/doc/coding-style.txt
@@ -111,7 +111,7 @@ with "#", we get this :
    | [-Tabs-][-Tabs-]ctx->del = len;
    | [-Tabs-]}
--It is worth noting that some editors tend to confuse indentations and aligment.
++It is worth noting that some editors tend to confuse indentations and alignment.
  Emacs is notoriously known for this brokenness, and is responsible for almost
  all of the alignment mess. The reason is that Emacs only counts spaces, tries
  to fill as many as possible with tabs and completes with spaces. Once you know
@@ -1218,7 +1218,7 @@ Wrong use of comments :
  Right use of comments :
--  | /* This function returns the positoin of the highest bit set in the lowest
++  | /* This function returns the position of the highest bit set in the lowest
    |  * byte of <x>, between 0 and 7. It only works if <x> is non-null. It uses
    |  * a 32-bit value as a lookup table to return one of 4 values for the
    |  * highest 16 possible 4-bit values.
 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index b2ee835..4394d07 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -3,8 +3,7 @@
                            Configuration Manual
                           ----------------------
                                version 2.0
--                             willy tarreau
--                              2020/02/13
++                              2022/05/13
  This document covers the configuration language as implemented in the version
@@ -190,11 +189,6 @@ HAProxy supports 4 connection modes :
    - server close  : the server-facing connection is closed after the response.
    - close         : the connection is actively closed after end of response.
--For HTTP/2, the connection mode resembles more the "server close" mode : given
--the independence of all streams, there is currently no place to hook the idle
--server connection after a response, so it is closed after the response. HTTP/2
--is only supported for incoming connections, not on connections going to
--servers.
 .2. HTTP request
@@ -263,10 +257,6 @@ specific to the language, framework or application in use.
  HTTP/2 doesn't convey a version information with the request, so the version is
  assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2").
--However, haproxy natively processes HTTP/1.x requests and headers, so requests
--received over an HTTP/2 connection are transcoded to HTTP/1.1 before being
--processed. This explains why they still appear as "HTTP/1.1" in haproxy's logs
--as well as in server logs.
 .2.2. The request headers
@@ -284,7 +274,10 @@ define a total of 3 values for the "Accept:" header.
  Contrary to a common misconception, header names are not case-sensitive, and
  their values are not either if they refer to other header names (such as the
  "Connection:" header). In HTTP/2, header names are always sent in lower case,
--as can be seen when running in debug mode.
++as can be seen when running in debug mode. Internally, all header names are
++normalized to lower case so that HTTP/1.x and HTTP/2 use the exact same
++representation, and they are sent as-is on the other side. This explains why an
++HTTP/1.x request typed with camel case is delivered in lower case.
  The end of the headers is indicated by the first empty line. People often say
  that it's a double line feed, which is not exact, even if a double line feed
@@ -365,7 +358,10 @@ HAProxy may emit the following status codes by itself :
 when an authentication is required to perform the action (when
          accessing the stats page)
 when a request is forbidden by a "block" ACL or "reqdeny" filter
++   404  when the requested resource could not be found
 when the request timeout strikes before the request is complete
++   410  when the requested resource is no longer available and will not
++        be available again
 when haproxy encounters an unrecoverable internal error, such as a
          memory allocation failure, which should never happen
 when the server returns an empty, invalid or incomplete response, or
@@ -668,6 +664,8 @@ The following keywords are supported in the "global" section :
     - tune.maxrewrite
     - tune.pattern.cache-size
     - tune.pipesize
++   - tune.pool-high-fd-ratio
++   - tune.pool-low-fd-ratio
     - tune.rcvbuf.client
     - tune.rcvbuf.server
     - tune.recv_enough
@@ -817,7 +815,7 @@ external-check
    See "option external-check".
  gid <number>
--  Changes the process' group ID to <number>. It is recommended that the group
++  Changes the process's group ID to <number>. It is recommended that the group
    ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
    be started with a user belonging to this group, or with superuser privileges.
    Note that if haproxy is started from a user having supplementary groups, it
@@ -849,7 +847,7 @@ h1-case-adjust <from> <to>
    <from>, to change it to <to> before sending it to HTTP/1 clients or
    servers. <from> must be in lower case, and <from> and <to> must not differ
    except for their case. It may be repeated if several header names need to be
--  ajusted. Duplicate entries are not allowed. If a lot of header names have to
++  adjusted. Duplicate entries are not allowed. If a lot of header names have to
    be adjusted, it might be more convenient to use "h1-case-adjust-file".
    Please note that no transformation will be applied unless "option
    h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is
@@ -1244,7 +1242,7 @@ stats maxconn <connections>
    possible to change this value with "stats maxconn".
  uid <number>
--  Changes the process' user ID to <number>. It is recommended that the user ID
++  Changes the process's user ID to <number>. It is recommended that the user ID
    is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
    be started with superuser privileges in order to be able to switch to another
    one. See also "gid" and "user".
@@ -1853,12 +1851,6 @@ tune.pipesize <number>
    performed. This has an impact on the kernel's memory footprint, so this must
    not be changed if impacts are not understood.
--tune.pool-low-fd-ratio <number>
--  This setting sets the max number of file descriptors (in percentage) used by
--  haproxy globally against the maximum number of file descriptors haproxy can
--  use before we stop putting connection into the idle pool for reuse. The
--  default is 20.
--
  tune.pool-high-fd-ratio <number>
    This setting sets the max number of file descriptors (in percentage) used by
    haproxy globally against the maximum number of file descriptors haproxy can
@@ -1868,6 +1860,12 @@ tune.pool-high-fd-ratio <number>
    keep an idle connection behind, anything beyond this probably doesn't make
    much sense in the general case when targeting connection reuse).
++tune.pool-low-fd-ratio <number>
++  This setting sets the max number of file descriptors (in percentage) used by
++  haproxy globally against the maximum number of file descriptors haproxy can
++  use before we stop putting connection into the idle pool for reuse. The
++  default is 20.
++
  tune.rcvbuf.client <number>
  tune.rcvbuf.server <number>
    Forces the kernel socket receive buffer size on the client or the server side
@@ -2114,8 +2112,9 @@ default-server [param*]
    See also: "server" and section 5 about server options
--enable
--  This re-enables a disabled peers section which was previously disabled.
++enabled
++  This re-enables a peers section which was previously disabled via the
++  "disabled" keyword.
  peer <peername> <ip>:<port> [param*]
    Defines a peer inside a peers section.
@@ -2455,6 +2454,7 @@ option allbackups                    (*)  X          -         X         X
  option checkcache                    (*)  X          -         X         X
  option clitcpka                      (*)  X          X         X         -
  option contstats                     (*)  X          X         X         -
++option disable-h2-upgrade            (*)  X          X         X         -
  option dontlog-normal                (*)  X          X         X         -
  option dontlognull                   (*)  X          X         X         -
  -- keyword -------------------------- defaults - frontend - listen -- backend -
@@ -2807,7 +2807,7 @@ balance url_param <param> [check_post]
        rdp-cookie(<name>)
                    The RDP cookie <name> (or "mstshash" if omitted) will be
                    looked up and hashed for each incoming TCP request. Just as
--                  with the equivalent ACL 'req_rdp_cookie()' function, the name
++                  with the equivalent ACL 'req.rdp_cookie()' function, the name
                    is not case-sensitive. This mechanism is useful as a degraded
                    persistence mode, as it makes it possible to always send the
                    same user (or the same session ID) to the same server. If the
@@ -2817,14 +2817,12 @@ balance url_param <param> [check_post]
                    Note that for this to work, the frontend must ensure that an
                    RDP cookie is already present in the request buffer. For this
                    you must use 'tcp-request content accept' rule combined with
--                  a 'req_rdp_cookie_cnt' ACL.
++                  a 'req.rdp_cookie_cnt' ACL.
                    This algorithm is static by default, which means that
                    changing a server's weight on the fly will have no effect,
                    but this can be changed using "hash-type".
--                  See also the rdp_cookie pattern fetch function.
--
      <arguments> is an optional list of arguments which may be needed by some
                  algorithms. Right now, only "url_param" and "uri" support an
                  optional argument.
@@ -3295,7 +3293,7 @@ compression offload
    Compression is disabled when:
      * the request does not advertise a supported compression algorithm in the
        "Accept-Encoding" header
--    * the response message is not HTTP/1.1
++    * the response message is not HTTP/1.1 or above
      * HTTP status code is not one of 200, 201, 202, or 203
      * response contain neither a "Content-Length" header nor a
        "Transfer-Encoding" whose last value is "chunked"
@@ -3666,8 +3664,8 @@ errorfile <code> <file>
                                   yes   |    yes   |   yes  |   yes
    Arguments :
      <code>    is the HTTP status code. Currently, HAProxy is capable of
--              generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
--              503, and 504.
++              generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429,
++              500, 502, 503, and 504.
      <file>    designates a file containing the full HTTP response. It is
                recommended to follow the common practice of appending ".http" to
@@ -3715,8 +3713,8 @@ errorloc302 <code> <url>
                                   yes   |    yes   |   yes  |   yes
    Arguments :
      <code>    is the HTTP status code. Currently, HAProxy is capable of
--              generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
--              503, and 504.
++              generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429,
++              500, 502, 503, and 504.
      <url>     it is the exact contents of the "Location" header. It may contain
                either a relative URI to an error page hosted on the same site,
@@ -3747,8 +3745,8 @@ errorloc303 <code> <url>
                                   yes   |    yes   |   yes  |   yes
    Arguments :
      <code>    is the HTTP status code. Currently, HAProxy is capable of
--              generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502,
--              503, and 504.
++              generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429,
++              500, 502, 503, and 504.
      <url>     it is the exact contents of the "Location" header. It may contain
                either a relative URI to an error page hosted on the same site,
@@ -4213,6 +4211,33 @@ http-check expect [!] <match> <pattern>
    See also : "option httpchk", "http-check disable-on-404"
++http-check send [hdr <name> <value>]* [body <string>]
++  Add a possible list of headers and/or a body to the request sent during HTTP
++  health checks.
++  May be used in sections :   defaults | frontend | listen | backend
++                                 yes   |    no    |   yes  |   yes
++  Arguments :
++    hdr <name> <value>   adds the HTTP header field whose name is specified in
++                         <name> and whose value is defined by <value> to the
++                         request sent during HTTP health checks.
++
++    body <string>        add the body defined by <string> to the request sent
++                         sent during HTTP health checks. If defined, the
++                         "Content-Length" header is thus automatically added
++                         to the request.
++
++  In addition to the request line defined by the "option httpchk" directive,
++  this one is the valid way to add some headers and optionally a body to the
++  request sent during HTTP health checks. If a body is defined, the associate
++  "Content-Length" header is automatically added. The old trick consisting to
++  add headers after the version string on the "option httpchk" line is now
++  deprecated. Note also the "Connection: close" header is still added if a
++  "http-check expect" direcive is defined independently of this directive, just
++  like the state header if the directive "http-check send-state" is defined.
++
++  See also : "option httpchk", "http-check send-state" and "http-check expect"
++
++
  http-check send-state
    Enable emission of a state header with HTTP health checks
    May be used in sections :   defaults | frontend | listen | backend
@@ -4509,7 +4534,7 @@ http-request reject [ { if | unless } <condition> ]
  http-request replace-header <name> <match-regex> <replace-fmt>
                              [ { if | unless } <condition> ]
--  This matches the value of all occurences of header field <name> against
++  This matches the value of all occurrences of header field <name> against
    <match-regex>. Matching is performed case-sensitively. Matching values are
    completely replaced by <replace-fmt>. Format characters are allowed in
    <replace-fmt> and work like <fmt> arguments in "http-request add-header".
@@ -4546,8 +4571,9 @@ http-request replace-path <match-regex> <replace-fmt>
    This works like "replace-header" except that it works on the request's path
    component instead of a header. The path component starts at the first '/'
--  after an optional scheme+authority. It does contain the query string if any
--  is present. The replacement does not modify the scheme nor authority.
++  after an optional scheme+authority and ends before the question mark. Thus,
++  the replacement does not modify the scheme, the authority and the
++  query-string.
    It is worth noting that regular expressions may be more expensive to evaluate
    than certain ACLs, so rare replacements may benefit from a condition to avoid
@@ -4557,9 +4583,6 @@ http-request replace-path <match-regex> <replace-fmt>
      # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 :
      http-request replace-path (.*) /foo\1
--    # suffix /foo : turn /bar?q=1 into /bar/foo?q=1 :
--    http-request replace-path ([^?]*)(\?(.*))? \1/foo\2
--
      # strip /foo : turn /foo/bar?q=1 into /bar?q=1
      http-request replace-path /foo/(.*) /\1
      # or more efficient if only some requests match :
@@ -4785,16 +4808,23 @@ http-request set-src <expr> [ { if | unless } <condition> ]
    This is used to set the source IP address to the value of specified
    expression. Useful when a proxy in front of HAProxy rewrites source IP, but
    provides the correct IP in a HTTP header; or you want to mask source IP for
--  privacy.
++  privacy. All subsequent calls to "src" fetch will return this value
++  (see example).
    Arguments :
      <expr>  Is a standard HAProxy expression formed by a sample-fetch followed
              by some converters.
++  See also "option forwardfor".
++
    Example:
      http-request set-src hdr(x-forwarded-for)
      http-request set-src src,ipmask(24)
++    # After the masking this will track connections
++    # based on the IP address with the last byte zeroed out.
++    http-request track-sc0 src
++
    When possible, set-src preserves the original source port as long as the
    address family allows it, otherwise the source port is set to 0.
@@ -5163,7 +5193,8 @@ http-response sc-set-gpt0(<sc-id>) <int> [ { if | unless } <condition> ]
    <sc-id> and the value of <int>. The expected result is a boolean. If an error
    occurs, this action silently fails and the actions evaluation continues.
--http-response send-spoe-group [ { if | unless } <condition> ]
++http-response send-spoe-group <engine-name> <group-name>
++                              [ { if | unless } <condition> ]
    This action is used to trigger sending of a group of SPOE messages. To do so,
    the SPOE engine used to send messages must be defined, as well as the SPOE
@@ -6204,6 +6235,25 @@ option contstats
    not enabled by default, as it can cause a lot of wakeups for very large
    session counts and cause a small performance drop.
++option disable-h2-upgrade
++no option disable-h2-upgrade
++  Enable or disable the implicit HTTP/2 upgrade from an HTTP/1.x client
++  connection.
++  May be used in sections :   defaults | frontend | listen | backend
++                                 yes   |    yes   |   yes  |   no
++  Arguments : none
++
++  By default, HAProxy is able to implicitly upgrade an HTTP/1.x client
++  connection to an HTTP/2 connection if the first request it receives from a
++  given HTTP connection matches the HTTP/2 connection preface (i.e. the string
++  "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"). This way, it is possible to support
++  HTTP/1.x and HTTP/2 clients on a non-SSL connections. This option must be used to
++  disable the implicit upgrade. Note this implicit upgrade is only supported
++  for HTTP proxies, thus this option too. Note also it is possible to force the
++  HTTP/2 on clear connections by specifying "proto h2" on the bind line.
++
++  If this option has been enabled in a "defaults" section, it can be disabled
++  in a specific instance by prepending the "no" keyword before it.
  option dontlog-normal
  no option dontlog-normal
@@ -6297,6 +6347,9 @@ option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
    environment, as this might cause a security issue if headers reaching haproxy
    are under the control of the end-user.
++  Only IPv4 addresses are supported. "http-request add-header" or "http-request
++  set-header" rules may be used to work around this limitation.
++
    This option may be specified either in the frontend or in the backend. If at
    least one of them uses it, the header will be added. Note that the backend's
    setting of the header subargument takes precedence over the frontend's if
@@ -6747,8 +6800,7 @@ option httpchk <method> <uri> <version>
      <version> is the optional HTTP version string. It defaults to "HTTP/1.0"
                but some servers might behave incorrectly in HTTP 1.0, so turning
                it to HTTP/1.1 may sometimes help. Note that the Host field is
--              mandatory in HTTP/1.1, and as a trick, it is possible to pass it
--              after "\r\n" following the version string.
++              mandatory in HTTP/1.1, use "http-check send" directive to add it.
    By default, server health checks only consist in trying to establish a TCP
    connection. When "option httpchk" is specified, a complete HTTP request is
@@ -6762,12 +6814,18 @@ option httpchk <method> <uri> <version>
    plain TCP backends. This is particularly useful to check simple scripts bound
    to some dedicated ports using the inetd daemon.
++  Note : For a while, there was no way to add headers or body in the request
++         used for HTTP health checks. So a workaround was to hide it at the end
++         of the version string with a "\r\n" after the version. It is now
++	 deprecated. The directive "http-check send" must be used instead.
++
    Examples :
        # Relay HTTPS traffic to Apache instance and check service availability
        # using HTTP request "OPTIONS * HTTP/1.1" on port 80.
        backend https_relay
            mode tcp
--          option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
++          option httpchk OPTIONS * HTTP/1.1
++          http-check send hdr Host www
            server apache1 192.168.1.1:443 check port 80
    See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check",
@@ -6992,21 +7050,27 @@ no option log-separate-errors
  option logasap
  no option logasap
--  Enable or disable early logging of HTTP requests
++  Enable or disable early logging.
    May be used in sections :   defaults | frontend | listen | backend
                                   yes   |    yes   |   yes  |   no
    Arguments : none
--  By default, HTTP requests are logged upon termination so that the total
--  transfer time and the number of bytes appear in the logs. When large objects
--  are being transferred, it may take a while before the request appears in the
--  logs. Using "option logasap", the request gets logged as soon as the server
--  sends the complete headers. The only missing information in the logs will be
--  the total number of bytes which will indicate everything except the amount
--  of data transferred, and the total time which will not take the transfer
--  time into account. In such a situation, it's a good practice to capture the
--  "Content-Length" response header so that the logs at least indicate how many
--  bytes are expected to be transferred.
++  By default, logs are emitted when all the log format variables and sample
++  fetches used in the definition of the log-format string return a value, or
++  when the session is terminated. This allows the built in log-format strings
++  to account for the transfer time, or the number of bytes in log messages.
++
++  When handling long lived connections such as large file transfers or RDP,
++  it may take a while for the request or connection to appear in the logs.
++  Using "option logasap", the log message is created as soon as the server
++  connection is established in mode tcp, or as soon as the server sends the
++  complete headers in mode http. Missing information in the logs will be the
++  total number of bytes which will only indicate the amount of data transfered
++  before the message was created and the total time which will not take the
++  remainder of the connection life or transfer time into account. For the case
++  of HTTP, it is good practice to capture the Content-Length response header
++  so that the logs at least indicate how many bytes are expected to be
++  transfered.
    Examples :
        listen http_proxy 0.0.0.0:80
@@ -7037,12 +7101,13 @@ option mysql-check [ user <username> [ post-41 ] ]
    one Client Authentication packet, and one QUIT packet, to correctly close
    MySQL session. We then parse the MySQL Handshake Initialization packet and/or
    Error packet. It is a basic but useful test which does not produce error nor
--  aborted connect on the server. However, it requires adding an authorization
--  in the MySQL table, like this :
++  aborted connect on the server. However, it requires an unlocked authorised
++  user without a password. To create a basic limited user in MySQL with
++  optional resource limits:
--      USE mysql;
--      INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>');
--      FLUSH PRIVILEGES;
++      CREATE USER '<username>'@'<ip_of_haproxy|network_of_haproxy/netmask>'
++      /*!50701 WITH MAX_QUERIES_PER_HOUR 1 MAX_UPDATES_PER_HOUR 0 */
++      /*M!100201 MAX_STATEMENT_TIME 0.0001 */;
    If you don't specify a username (it is deprecated and not recommended), the
    check only consists in parsing the Mysql Handshake Initialization packet or
@@ -7136,6 +7201,9 @@ option originalto [ except <network> ] [ header <name> ]
    network will not cause an addition of this header. Most common uses are with
    private networks or 127.0.0.1.
++  Only IPv4 addresses are supported. "http-request add-header" or "http-request
++  set-header" rules may be used to work around this limitation.
++
    This option may be specified either in the frontend or in the backend. If at
    least one of them uses it, the header will be added. Note that the backend's
    setting of the header subargument takes precedence over the frontend's if
@@ -7838,8 +7906,7 @@ persist rdp-cookie(<name>)
              server srv1 1.1.1.1:3389
              server srv2 1.1.1.2:3389
--  See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and
--  the rdp_cookie pattern fetch function.
++  See also : "balance rdp-cookie", "tcp-request" and the "req.rdp_cookie" ACL.
  rate-limit sessions <rate>
@@ -8570,13 +8637,17 @@ server <name> <address>[:[port]] [param*]
    See also: "default-server", "http-send-name-header" and section 5 about
               server options
--server-state-file-name [<file>]
++server-state-file-name [ { use-backend-name | <file> } ]
    Set the server state file to read, load and apply to servers available in
--  this backend. It only applies when the directive "load-server-state-from-file"
--  is set to "local". When <file> is not provided or if this directive is not
--  set, then backend name is used. If <file> starts with a slash '/', then it is
--  considered as an absolute path. Otherwise, <file> is concatenated to the
--  global directive "server-state-file-base".
++  this backend.
++  May be used in sections:    defaults | frontend | listen | backend
++                                  no   |    no   |   yes  |   yes
++
++  It only applies when the directive "load-server-state-from-file" is set to
++  "local". When <file> is not provided, if "use-backend-name" is used or if
++  this directive is not set, then backend name is used. If <file> starts with a
++  slash '/', then it is considered as an absolute path. Otherwise, <file> is
++  concatenated to the global directive "server-state-base".
    Example: the minimal configuration below would make HAProxy look for the
             state server file '/etc/haproxy/states/bk':
@@ -8584,10 +8655,10 @@ server-state-file-name [<file>]
      global
        server-state-file-base /etc/haproxy/states
--   backend bk
++    backend bk
        load-server-state-from-file
--  See also: "server-state-file-base", "load-server-state-from-file", and
++  See also: "server-state-base", "load-server-state-from-file", and
    "show servers state"
  server-template <prefix> <num | range> <fqdn>[:<port>] [params*]
@@ -9589,6 +9660,11 @@ stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
        incremented. Most of the time it will be used to measure the frequency of
        occurrence of certain events (e.g. requests to a specific URL).
++    - gpt0 : first General Purpose Tag. It is a positive 32-bit integer
++      integer which may be used for anything. Most of the time it will be used
++      to put a special tag on some entries, for instance to note that a
++      specific behavior was detected and must be known for future matches
++
      - conn_cnt : Connection Count. It is a positive 32-bit integer which counts
        the absolute number of connections received from clients which matched
        this entry. It does not mean the connections were accepted, just that
@@ -9772,8 +9848,8 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>]
          # maximum SSL session ID length is 32 bytes.
          stick-table type binary len 32 size 30k expire 30m
--        acl clienthello req_ssl_hello_type 1
--        acl serverhello rep_ssl_hello_type 2
++        acl clienthello req.ssl_hello_type 1
++        acl serverhello rep.ssl_hello_type 2
          # use tcp content accepts to detects ssl client and server hello.
          tcp-request inspect-delay 5s
@@ -9787,10 +9863,10 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>]
          # at offset 44.
          # Match and learn on request if client hello.
--        stick on payload_lv(43,1) if clienthello
++        stick on req.payload_lv(43,1) if clienthello
          # Learn on response if server hello.
--        stick store-response payload_lv(43,1) if serverhello
++        stick store-response resp.payload_lv(43,1) if serverhello
          server s1 192.168.1.1:443
          server s2 192.168.1.1:443
@@ -10390,12 +10466,12 @@ tcp-request content <action> [{if | unless} <condition>]
    Example:
          # reject SMTP connection if client speaks first
          tcp-request inspect-delay 30s
--        acl content_present req_len gt 0
++        acl content_present req.len gt 0
          tcp-request content reject if content_present
          # Forward HTTPS connection only if client speaks
          tcp-request inspect-delay 30s
--        acl content_present req_len gt 0
++        acl content_present req.len gt 0
          tcp-request content accept if content_present
          tcp-request content reject
@@ -10530,7 +10606,7 @@ tcp-response content <action> [{if | unless} <condition>]
          the rules evaluation. Rejected session are immediately closed.
      - set-var(<var-name>) <expr>
--        Sets a variable.
++        Sets a variable from an expression.
      - unset-var(<var-name>)
          Unsets a variable.
@@ -10602,17 +10678,9 @@ tcp-response content <action> [{if | unless} <condition>]
      <expr>     Is a standard HAProxy expression formed by a sample-fetch
                 followed by some converters.
--  Example:
--
--        tcp-request content set-var(sess.my_var) src
--
    The "unset-var" is used to unset a variable. See above for details about
    <var-name>.
--  Example:
--
--        tcp-request content unset-var(sess.my_var)
--
    The "send-spoe-group" is used to trigger sending of a group of SPOE
    messages. To do so, the SPOE engine used to send messages must be defined, as
    well as the SPOE group to send. Of course, the SPOE engine must refer to an
@@ -10671,6 +10739,10 @@ tcp-request session <action> [{if | unless} <condition>]
      - sc-inc-gpc0(<sc-id>)
      - sc-inc-gpc1(<sc-id>)
      - sc-set-gpt0(<sc-id>) <int>
++    - set-dst <expr>
++    - set-dst-port <expr>
++    - set-src <expr>
++    - set-src-port <expr>
      - set-var(<var-name>) <expr>
      - unset-var(<var-name>)
      - silent-drop
@@ -10793,8 +10865,6 @@ timeout clitimeout <timeout> (deprecated)
    during startup because it may result in accumulation of expired sessions in
    the system if the system's timeouts are not configured either.
--  This also applies to HTTP/2 connections, which will be closed with GOAWAY.
--
    This parameter replaces the old, deprecated "clitimeout". It is recommended
    to use it to write new configurations. The form "timeout clitimeout" is
    provided only by backwards compatibility but its use is strongly discouraged.
@@ -10900,10 +10970,6 @@ timeout http-keep-alive <timeout>
    set in the frontend to take effect, unless the frontend is in TCP mode, in
    which case the HTTP backend's timeout will be used.
--  When using HTTP/2 "timeout client" is applied instead. This is so we can keep
--  using short keep-alive timeouts in HTTP/1.1 while using longer ones in HTTP/2
--  (where we only have one connection per client and a connection setup).
--
    See also : "timeout http-request", "timeout client".
@@ -11286,16 +11352,17 @@ use-server <server> unless <condition>
    The "use-server" statement works both in HTTP and TCP mode. This makes it
    suitable for use with content-based inspection. For instance, a server could
--  be selected in a farm according to the TLS SNI field. And if these servers
--  have their weight set to zero, they will not be used for other traffic.
++  be selected in a farm according to the TLS SNI field when using protocols with
++  implicit TLS (also see "req.ssl_sni"). And if these servers have their weight
++  set to zero, they will not be used for other traffic.
    Example :
       # intercept incoming TLS requests based on the SNI field
--     use-server www if { req_ssl_sni -i www.example.com }
++     use-server www if { req.ssl_sni -i www.example.com }
       server     www 192.168.0.1:443 weight 0
--     use-server mail if { req_ssl_sni -i mail.example.com }
--     server     mail 192.168.0.1:587 weight 0
--     use-server imap if { req_ssl_sni -i imap.example.com }
++     use-server mail if { req.ssl_sni -i mail.example.com }
++     server     mail 192.168.0.1:465 weight 0
++     use-server imap if { req.ssl_sni -i imap.example.com }
       server     imap 192.168.0.1:993 weight 0
       # all the rest is forwarded to this server
       server  default 192.168.0.2:443 check
@@ -11561,13 +11628,17 @@ crt-list <file>
          <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
--  sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
--  crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
--  and Openssl >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
--  It override the configuration set in bind line for the certificate.
--
--  Wildcards are supported in the SNI filter. Negative filter are also supported,
--  only useful in combination with a wildcard filter to exclude a particular SNI.
++  sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ciphers",
++  "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names", "npn",
++  "verify" configuration. With BoringSSL and Openssl >= 1.1.1
++  "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the
++  configuration set in bind line for the certificate.
++
++  Wildcards are supported in the SNI filter. Negative filters can be specified
++  in the configuration, but they are only used as a hint, they don't do
++  anything.  (this changes in newer haproxy versions) If you want to exclude a
++  SNI from a wildcard, use this positive SNI on another line. (like in the
++  example).
    The certificates will be presented to clients who provide a valid TLS Server
    Name Indication field matching one of the SNI filters. If no SNI filter is
    specified, the CN and alt subjects are used. This directive may be specified
@@ -11779,6 +11850,9 @@ no-tls-tickets
    extension) and force to use stateful session resumption. Stateless
    session resumption is more expensive in CPU usage. This option is also
    available on global statement "ssl-default-bind-options".
++  The TLS ticket mechanism is only used up to TLS 1.2.
++  Forward Secrecy is compromised with TLS tickets, unless ticket keys
++  are periodically rotated (via reload or by using "tls-ticket-keys").
  no-tlsv10
    This setting is only available when support for OpenSSL was built in. It
@@ -12041,7 +12115,7 @@ agent-check
      MAINT mode, thus it will not accept any new connections at all, and health
      checks will be stopped.
--  - The words "down", "failed", or "stopped", optionally followed by a
++  - The words "down", "fail", or "stopped", optionally followed by a
      description string after a sharp ('#'). All of these mark the server's
      operating state as DOWN, but since the word itself is reported on the stats
      page, the difference allows an administrator to know if the situation was
@@ -12478,6 +12552,9 @@ no-tls-tickets
    extension) and force to use stateful session resumption. Stateless
    session resumption is more expensive in CPU usage for servers. This option
    is also available on global statement "ssl-default-server-options".
++  The TLS ticket mechanism is only used up to TLS 1.2.
++  Forward Secrecy is compromised with TLS tickets, unless ticket keys
++  are periodically rotated (via reload or by using "tls-ticket-keys").
    See also "tls-tickets".
  no-tlsv10
@@ -12902,8 +12979,11 @@ tls-tickets
    This option may be used as "server" setting to reset any "no-tls-tickets"
    setting which would have been inherited from "default-server" directive as
    default value.
++  The TLS ticket mechanism is only used up to TLS 1.2.
++  Forward Secrecy is compromised with TLS tickets, unless ticket keys
++  are periodically rotated (via reload or by using "tls-ticket-keys").
    It may also be used as "default-server" setting to reset any previous
--  "default-server" "no-tlsv-tickets" setting.
++  "default-server" "no-tls-tickets" setting.
  verify [none|required]
    This setting is only available when support for OpenSSL was built in. If set
@@ -12948,7 +13028,7 @@ weight <weight>
  HAProxy allows using a host name on the server line to retrieve its IP address
  using name servers. By default, HAProxy resolves the name when parsing the
--configuration file, at startup and cache the result for the process' life.
++configuration file, at startup and cache the result for the process's life.
  This is not sufficient in some cases, such as in Amazon where a server's IP
  can change after a reboot or an ELB Virtual IP can change based on current
  workload.
@@ -13013,7 +13093,7 @@ used by HAProxy. The following processing is applied on this error:
 . When the fallback on the query type was done (or not applicable), HAProxy
       retries the original DNS query, with the preferred query type.
--  3. HAProxy retries previous steps <resolve_retires> times. If no valid
++  3. HAProxy retries previous steps <resolve_retries> times. If no valid
       response is received after that, it stops the DNS resolution and reports
       the error.
@@ -13425,17 +13505,17 @@ be placed first. The pattern matching method must be one of the following :
  For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP
  request, it is possible to do :
--    acl jsess_present cook(JSESSIONID) -m found
++    acl jsess_present req.cook(JSESSIONID) -m found
  In order to apply a regular expression on the 500 first bytes of data in the
  buffer, one would use the following acl :
--    acl script_tag payload(0,500) -m reg -i <script>
++    acl script_tag req.payload(0,500) -m reg -i <script>
  On systems where the regex library is much slower when using "-i", it is
  possible to convert the sample to lowercase before matching, like this :
--    acl script_tag payload(0,500),lower -m reg <script>
++    acl script_tag req.payload(0,500),lower -m reg <script>
  All ACL-specific criteria imply a default matching method. Most often, these
  criteria are composed by concatenating the name of the original sample fetch
@@ -13541,11 +13621,11 @@ Available operators for integer matching are :
  For instance, the following ACL matches any negative Content-Length header :
--  acl negative-length hdr_val(content-length) lt 0
++  acl negative-length req.hdr_val(content-length) lt 0
  This one matches SSL versions between 3.0 and 3.1 (inclusive) :
--  acl sslv3 req_ssl_ver 3:3.1
++  acl sslv3 req.ssl_ver 3:3.1
 .1.3. Matching strings
@@ -13613,7 +13693,7 @@ digits may be used upper or lower case.
  Example :
      # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a)
--    acl hello payload(0,6) -m bin 48656c6c6f0a
++    acl hello req.payload(0,6) -m bin 48656c6c6f0a
 .1.6. Matching IPv4 and IPv6 addresses
@@ -13684,7 +13764,7 @@ For instance, to block HTTP requests to the "*" URL with methods other than
  requests with a content-length greater than 0, and finally every request which
  is not either GET/HEAD/POST/OPTIONS !
--   acl missing_cl hdr_cnt(Content-length) eq 0
++   acl missing_cl req.hdr_cnt(Content-length) eq 0
     http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl
     http-request deny if METH_GET HTTP_CONTENT
     http-request deny unless METH_GET or METH_POST or METH_OPTIONS
@@ -13709,12 +13789,12 @@ the braces must be seen as independent words). Example :
     The following rule :
--       acl missing_cl hdr_cnt(Content-length) eq 0
++       acl missing_cl req.hdr_cnt(Content-length) eq 0
         http-request deny if METH_POST missing_cl
     Can also be written that way :
--       http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 }
++       http-request deny if METH_POST { req.hdr_cnt(Content-length) eq 0 }
  It is generally not recommended to use this construct because it's a lot easier
  to leave errors in the configuration when written that way. However, for very
@@ -14511,9 +14591,13 @@ upper
    sample fetch function or after a transformation keyword returning a string
    type. The result is of type string.
--url_dec
--  Takes an url-encoded string provided as input and returns the decoded
--  version as output. The input and the output are of type string.
++url_dec([<in_form>])
++  Takes an url-encoded string provided as input and returns the decoded version
++  as output. The input and the output are of type string. If the <in_form>
++  argument is set to a non-zero integer value, the input string is assumed to
++  be part of a form or query string and the '+' character will be turned into a
++  space (' '). Otherwise this will only happen after a question mark indicating
++  a query string ('?').
  ungrpc(<field_number>,[<field_type>])
    This extracts the protocol buffers message field in raw mode of an input binary
@@ -14852,7 +14936,7 @@ env(<name>) : string
        http-request add-header Via 1.1\ %[env(HOSTNAME)]
        # reject cookie-less requests when the STOP environment variable is set
--      http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found }
++      http-request deny if !{ req.cook(SESSIONID) -m found } { env(STOP) -m found }
  fe_conn([<frontend>]) : integer
    Returns the number of currently established connections on the frontend,
@@ -15155,15 +15239,39 @@ dst_port : integer
    a same server, or to pass the destination port information to a server using
    an HTTP header.
++fc_fackets : integer
++  Returns the fack counter measured by the kernel for the client
++  connection. If the server connection is not established, if the connection is
++  not TCP or if the operating system does not support TCP_INFO, for example
++  Linux kernels before 2.4, the sample fetch fails.
++
  fc_http_major : integer
    Reports the front connection's HTTP major version encoding, which may be 1
    for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire
    encoding and not on the version present in the request header.
++fc_lost : integer
++  Returns the lost counter measured by the kernel for the client
++  connection. If the server connection is not established, if the connection is
++  not TCP or if the operating system does not support TCP_INFO, for example
++  Linux kernels before 2.4, the sample fetch fails.
++
  fc_rcvd_proxy : boolean
    Returns true if the client initiated the connection with a PROXY protocol
    header.
++fc_reordering : integer
++  Returns the reordering counter measured by the kernel for the client
++  connection. If the server connection is not established, if the connection is
++  not TCP or if the operating system does not support TCP_INFO, for example
++  Linux kernels before 2.4, the sample fetch fails.
++
++fc_retrans : integer
++  Returns the retransmits counter measured by the kernel for the client
++  connection. If the server connection is not established, if the connection is
++  not TCP or if the operating system does not support TCP_INFO, for example
++  Linux kernels before 2.4, the sample fetch fails.
++
  fc_rtt(<unit>) : integer
    Returns the Round Trip Time (RTT) measured by the kernel for the client
    connection. <unit> is facultative, by default the unit is milliseconds. <unit>
@@ -15180,41 +15288,18 @@ fc_rttvar(<unit>) : integer
    operating system does not support TCP_INFO, for example Linux kernels before
 .4, the sample fetch fails.
--fc_unacked : integer
--  Returns the unacked counter measured by the kernel for the client connection.
--  If the server connection is not established, if the connection is not TCP or
--  if the operating system does not support TCP_INFO, for example Linux kernels
--  before 2.4, the sample fetch fails.
--
  fc_sacked : integer
    Returns the sacked counter measured by the kernel for the client connection.
    If the server connection is not established, if the connection is not TCP or
    if the operating system does not support TCP_INFO, for example Linux kernels
    before 2.4, the sample fetch fails.
--fc_retrans : integer
--  Returns the retransmits counter measured by the kernel for the client
--  connection. If the server connection is not established, if the connection is
--  not TCP or if the operating system does not support TCP_INFO, for example
--  Linux kernels before 2.4, the sample fetch fails.
--
--fc_fackets : integer
--  Returns the fack counter measured by the kernel for the client
--  connection. If the server connection is not established, if the connection is
--  not TCP or if the operating system does not support TCP_INFO, for example
--  Linux kernels before 2.4, the sample fetch fails.
--
--fc_lost : integer
--  Returns the lost counter measured by the kernel for the client
--  connection. If the server connection is not established, if the connection is
--  not TCP or if the operating system does not support TCP_INFO, for example
--  Linux kernels before 2.4, the sample fetch fails.
--fc_reordering : integer
--  Returns the reordering counter measured by the kernel for the client
--  connection. If the server connection is not established, if the connection is
--  not TCP or if the operating system does not support TCP_INFO, for example
--  Linux kernels before 2.4, the sample fetch fails.
++fc_unacked : integer
++  Returns the unacked counter measured by the kernel for the client connection.
++  If the server connection is not established, if the connection is not TCP or
++  if the operating system does not support TCP_INFO, for example Linux kernels
++  before 2.4, the sample fetch fails.
  fe_defbe : string
    Returns a string containing the frontend's default backend name. It can be
@@ -15464,6 +15549,11 @@ so_id : integer
    in frontends involving many "bind" lines, or to stick all users coming via a
    same socket to the same server.
++so_name : string
++  Returns a string containing the current listening socket's name, as defined
++  with name on a "bind" line. It can serve the same purposes as so_id but with
++  strings instead of integers.
++
  src : ip
    This is the source IPv4 address of the client of the session. It is of type
    IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are
@@ -16045,7 +16135,7 @@ ssl_fc_protocol : string
  ssl_fc_unique_id : binary
    When the incoming connection was made over an SSL/TLS transport layer,
    returns the TLS unique ID as defined in RFC5929 section 3. The unique id
--  can be encoded to base64 using the converter: "ssl_bc_unique_id,base64".
++  can be encoded to base64 using the converter: "ssl_fc_unique_id,base64".
  ssl_fc_server_random : binary
    Returns the server random of the front connection when the incoming connection
@@ -16072,7 +16162,7 @@ ssl_fc_sni : string
    matching the HTTPS host name (253 chars or less). The SSL library must have
    been built with support for TLS extensions enabled (check haproxy -vv).
--  This fetch is different from "req_ssl_sni" above in that it applies to the
++  This fetch is different from "req.ssl_sni" above in that it applies to the
    connection being deciphered by haproxy and not to SSL contents being blindly
    forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This
    requires that the SSL library is built with support for TLS extensions
@@ -16110,25 +16200,6 @@ payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated)
    (e.g. "stick on", "stick match"), and for "res.payload_lv" when used in the
    context of a response such as in "stick store response".
--req.hdrs : string
--  Returns the current request headers as string including the last empty line
--  separating headers from the request body. The last empty line can be used to
--  detect a truncated header block. This sample fetch is useful for some SPOE
--  headers analyzers and for advanced logging.
--
--req.hdrs_bin : binary
--  Returns the current request headers contained in preparsed binary form. This
--  is useful for offloading some processing with SPOE. Each string is described
--  by a length followed by the number of bytes indicated in the length. The
--  length is represented using the variable integer encoding detailed in the
--  SPOE documentation. The end of the list is marked by a couple of empty header
--  names and values (length of 0 for both).
--
--  *(<str:header-name><str:header-value>)<empty string><empty string>
--
--  int:  refer to the SPOE documentation for the encoding
--  str:  <int:length><bytes>
--
  req.len : integer
  req_len : integer (deprecated)
    Returns an integer value corresponding to the number of bytes present in the
@@ -16147,8 +16218,8 @@ req.payload(<offset>,<length>) : binary
    with ACLs in order to check for the presence of some content in a buffer at
    any location.
--  ACL alternatives :
--    payload(<offset>,<length>) : hex binary match
++  ACL derivatives :
++    req.payload(<offset>,<length>) : hex binary match
  req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
    This extracts a binary block whose size is specified at <offset1> for <length>
@@ -16156,8 +16227,8 @@ req.payload_lv(<offset1>,<length>[,<offset2>]) : binary
    the request buffer. The <offset2> parameter also supports relative offsets if
    prepended with a '+' or '-' sign.
--  ACL alternatives :
--    payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
++  ACL derivatives :
++    req.payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match
    Example : please consult the example from the "stick store-response" keyword.
@@ -16195,7 +16266,7 @@ rdp_cookie([<name>]) : string (deprecated)
    rdp-cookie".
    ACL derivatives :
--    req_rdp_cookie([<name>]) : exact string match
++    req.rdp_cookie([<name>]) : exact string match
    Example :
     listen tse-farm
@@ -16214,7 +16285,7 @@ rdp_cookie([<name>]) : string (deprecated)
         server srv1 1.1.1.2:3389
    See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the
--  "req_rdp_cookie" ACL.
++  "req.rdp_cookie" ACL.
  req.rdp_cookie_cnt([name]) : integer
  rdp_cookie_cnt([name]) : integer (deprecated)
@@ -16224,7 +16295,7 @@ rdp_cookie_cnt([name]) : integer (deprecated)
    used in ACL.
    ACL derivatives :
--    req_rdp_cookie_cnt([<name>]) : integer match
++    req.rdp_cookie_cnt([<name>]) : integer match
  req.ssl_alpn : string
    Returns a string containing the values of the Application-Layer Protocol
@@ -16238,7 +16309,7 @@ req.ssl_alpn : string
    Examples :
       # Wait for a client hello for at most 5 seconds
       tcp-request inspect-delay 5s
--     tcp-request content accept if { req_ssl_hello_type 1 }
++     tcp-request content accept if { req.ssl_hello_type 1 }
       use_backend bk_acme if { req.ssl_alpn acme-tls/1 }
       default_backend bk_default
@@ -16268,22 +16339,24 @@ req_ssl_sni : string (deprecated)
    contains data that parse as a complete SSL (v3 or superior) client hello
    message. Note that this only applies to raw contents found in the request
    buffer and not to contents deciphered via an SSL data layer, so this will not
--  work with "bind" lines having the "ssl" option. SNI normally contains the
--  name of the host the client tries to connect to (for recent browsers). SNI is
--  useful for allowing or denying access to certain hosts when SSL/TLS is used
--  by the client. This test was designed to be used with TCP request content
--  inspection. If content switching is needed, it is recommended to first wait
--  for a complete client hello (type 1), like in the example below. See also
--  "ssl_fc_sni".
++  work with "bind" lines having the "ssl" option. This will only work for actual
++  implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465),
++  however it will not work for explicit TLS based protocols, like SMTP (25/587)
++  or IMAP (143). SNI normally contains the name of the host the client tries to
++  connect to (for recent browsers). SNI is useful for allowing or denying access
++  to certain hosts when SSL/TLS is used by the client. This test was designed to
++  be used with TCP request content inspection. If content switching is needed,
++  it is recommended to first wait for a complete client hello (type 1), like in
++  the example below. See also "ssl_fc_sni".
    ACL derivatives :
--    req_ssl_sni : exact string match
++    req.ssl_sni : exact string match
    Examples :
       # Wait for a client hello for at most 5 seconds
       tcp-request inspect-delay 5s
--     tcp-request content accept if { req_ssl_hello_type 1 }
--     use_backend bk_allow if { req_ssl_sni -f allowed_sites }
++     tcp-request content accept if { req.ssl_hello_type 1 }
++     use_backend bk_allow if { req.ssl_sni -f allowed_sites }
       default_backend bk_sorry_page
  req.ssl_st_ext : integer
@@ -16310,7 +16383,7 @@ req_ssl_ver : integer (deprecated)
    fetch is mostly used in ACL.
    ACL derivatives :
--    req_ssl_ver : decimal match
++    req.ssl_ver : decimal match
  res.len : integer
    Returns an integer value corresponding to the number of bytes present in the
@@ -16493,14 +16566,14 @@ cook([<name>]) : string (deprecated)
    presence. Use the res.cook() variant for response cookies sent by the server.
    ACL derivatives :
--    cook([<name>])     : exact string match
--    cook_beg([<name>]) : prefix match
--    cook_dir([<name>]) : subdir match
--    cook_dom([<name>]) : domain match
--    cook_end([<name>]) : suffix match
--    cook_len([<name>]) : length match
--    cook_reg([<name>]) : regex match
--    cook_sub([<name>]) : substring match
++    req.cook([<name>])     : exact string match
++    req.cook_beg([<name>]) : prefix match
++    req.cook_dir([<name>]) : subdir match
++    req.cook_dom([<name>]) : domain match
++    req.cook_end([<name>]) : suffix match
++    req.cook_len([<name>]) : length match
++    req.cook_reg([<name>]) : regex match
++    req.cook_sub([<name>]) : substring match
  req.cook_cnt([<name>]) : integer
  cook_cnt([<name>]) : integer (deprecated)
@@ -16588,7 +16661,11 @@ hdr_ip([<name>[,<occ>]]) : ip (deprecated)
    This extracts the last occurrence of header <name> in an HTTP request,
    converts it to an IPv4 or IPv6 address and returns this address. When used
    with ACLs, all occurrences are checked, and if <name> is omitted, every value
--  of every header is checked. Optionally, a specific occurrence might be
++  of every header is checked. The parser strictly adheres to the format
++  described in RFC7239, with the extension that IPv4 addresses may optionally
++  be followed by a colon (':') and a valid decimal port number (0 to 65535),
++  which will be silently dropped. All other forms will not match and will
++  cause the address to be ignored. Optionally, a specific occurrence might be
    specified as a position number. Positive values indicate a position from the
    first occurrence, with 1 being the first one. Negative values indicate
    positions relative to the last one, with -1 being the last one. A typical use
@@ -16604,7 +16681,24 @@ hdr_val([<name>[,<occ>]]) : integer (deprecated)
    the first one. Negative values indicate positions relative to the last one,
    with -1 being the last one. A typical use is with the X-Forwarded-For header.
++req.hdrs : string
++  Returns the current request headers as string including the last empty line
++  separating headers from the request body. The last empty line can be used to
++  detect a truncated header block. This sample fetch is useful for some SPOE
++  headers analyzers and for advanced logging.
++
++req.hdrs_bin : binary
++  Returns the current request headers contained in preparsed binary form. This
++  is useful for offloading some processing with SPOE. Each string is described
++  by a length followed by the number of bytes indicated in the length. The
++  length is represented using the variable integer encoding detailed in the
++  SPOE documentation. The end of the list is marked by a couple of empty header
++  names and values (length of 0 for both).
++
++  *(<str:header-name><str:header-value>)<empty string><empty string>
++  int:  refer to the SPOE documentation for the encoding
++  str:  <int:length><bytes>
  http_auth(<userlist>) : boolean
    Returns a boolean indicating whether the authentication data received from
@@ -16689,7 +16783,7 @@ req_ver : string (deprecated)
    check for versions 1.0 and 1.1.
    ACL derivatives :
--    req_ver : exact string match
++    req.ver : exact string match
  res.comp : boolean
    Returns the boolean "true" value if the response has been compressed by
@@ -16708,7 +16802,7 @@ scook([<name>]) : string (deprecated)
    specified, the first cookie value is returned.
    ACL derivatives :
--    scook([<name>] : exact string match
++    res.scook([<name>] : exact string match
  res.cook_cnt([<name>]) : integer
  scook_cnt([<name>]) : integer (deprecated)
@@ -16752,14 +16846,14 @@ shdr([<name>[,<occ>]]) : string (deprecated)
    res.fhdr() fetch should be used instead.
    ACL derivatives :
--    shdr([<name>[,<occ>]])     : exact string match
--    shdr_beg([<name>[,<occ>]]) : prefix match
--    shdr_dir([<name>[,<occ>]]) : subdir match
--    shdr_dom([<name>[,<occ>]]) : domain match
--    shdr_end([<name>[,<occ>]]) : suffix match
--    shdr_len([<name>[,<occ>]]) : length match
--    shdr_reg([<name>[,<occ>]]) : regex match
--    shdr_sub([<name>[,<occ>]]) : substring match
++    res.hdr([<name>[,<occ>]])     : exact string match
++    res.hdr_beg([<name>[,<occ>]]) : prefix match
++    res.hdr_dir([<name>[,<occ>]]) : subdir match
++    res.hdr_dom([<name>[,<occ>]]) : domain match
++    res.hdr_end([<name>[,<occ>]]) : suffix match
++    res.hdr_len([<name>[,<occ>]]) : length match
++    res.hdr_reg([<name>[,<occ>]]) : regex match
++    res.hdr_sub([<name>[,<occ>]]) : substring match
  res.hdr_cnt([<name>]) : integer
  shdr_cnt([<name>]) : integer (deprecated)
@@ -16799,7 +16893,7 @@ resp_ver : string (deprecated)
    can be useful for logs, but is mostly there for ACL.
    ACL derivatives :
--    resp_ver : exact string match
++    resp.ver : exact string match
  set-cookie([<name>]) : string (deprecated)
    This extracts the last occurrence of the cookie name <name> on a "Set-Cookie"
@@ -17570,7 +17664,7 @@ Please refer to the table below for currently defined variables :
    |   | %ID  | unique-id                                     | string      |
    |   | %ST  | status_code                                   | numeric     |
    |   | %T   | gmt_date_time                                 | date        |
--  |   | %Ta  | Active time of the request (from TR to end)   | numeric     |
++  | H | %Ta  | Active time of the request (from TR to end)   | numeric     |
    |   | %Tc  | Tc                                            | numeric     |
    |   | %Td  | Td = Tt - (Tq + Tw + Tc + Tr)                 | numeric     |
    |   | %Tl  | local_date_time                               | date        |
@@ -18184,7 +18278,7 @@ easier finding and understanding.
            external attacks.
       PC   The proxy refused to establish a connection to the server because the
--          process' socket limit has been reached while attempting to connect.
++          process's socket limit has been reached while attempting to connect.
            The global "maxconn" parameter may be increased in the configuration
            so that it does not happen anymore. This status is very rare and
            might happen when the global "ulimit-n" parameter is forced by hand.
 diff --git a/doc/internals/acl.txt b/doc/internals/acl.txt
 index 320381a..0379331 100644
 --- a/doc/internals/acl.txt
 +++ b/doc/internals/acl.txt
@@ -25,7 +25,7 @@ reports no more value. This makes sense for instance when checking IP addresses
  found in HTTP headers, which can appear multiple times. The acl_test is kept
  intact between calls and even holds a context so that the fetch function knows
  where to start from for subsequent calls. The match function may also use the
--context eventhough it was not designed for that purpose.
++context even though it was not designed for that purpose.
  An ACL is defined only by its name and can be a series of ACL expressions. The
  ACL is deemed true when any of its expressions is true. They are evaluated in
@@ -35,7 +35,7 @@ So in summary :
    - an ACL is a series of tests to perform on a stream, any of which is enough
      to validate the result.
--
++
    - each test is defined by an expression associating a keyword and a series of
      patterns.
@@ -59,7 +59,7 @@ a suite. A term simply is a pointer to an ACL.
  We could then represent a rule by the following BNF :
--  rule = if-cond
++  rule = if-cond
         | unless-cond
    if-cond (struct acl_cond with ->pol = ACL_COND_IF)
 diff --git a/doc/internals/buffer-api.txt b/doc/internals/buffer-api.txt
 index abb5e9f..90113a1 100644
 --- a/doc/internals/buffer-api.txt
 +++ b/doc/internals/buffer-api.txt
@@ -9,7 +9,7 @@ used during data transformation such as compression, header insertion or
  defragmentation, and are used to carry intermediary representations between the
  various internal layers. They support wrapping at the end, and they carry their
  own size information so that in theory it would be possible to use different
--buffer sizes in parallel eventhough this is not currently implemented.
++buffer sizes in parallel even though this is not currently implemented.
  The format of this structure has evolved over time, to reach a point where it
  is convenient and versatile enough to have permitted to make several internal
 diff --git a/doc/internals/filters.txt b/doc/internals/filters.txt
 index 7705ee2..d1e0c4d 100644
 --- a/doc/internals/filters.txt
 +++ b/doc/internals/filters.txt
@@ -54,7 +54,7 @@ places, mainly around channel analyzers. Their purpose is to allow filters to
  be involved in the data processing, from the stream creation/destruction to
  the data forwarding. Depending of what it should do, a filter can implement all
  or part of these callbacks. For now, existing callbacks are focused on
--streams. But futur improvements could enlarge filters scope. For example, it
++streams. But future improvements could enlarge filters scope. For example, it
  could be useful to handle events at the connection level.
  In HAProxy configuration file, a filter is declared in a proxy section, except
@@ -84,7 +84,7 @@ filters are also chained, frontend ones called first. Even if the filters
  processing is serialized, each filter will bahave as it was alone (unless it was
  developed to be aware of other filters). For all that, some constraints are
  imposed to filters, especially when data exchanged between the client and the
--server are processed. We will dicuss again these contraints when we will tackle
++server are processed. We will discuss again these constraints when we will tackle
  the subject of writing a filter.
@@ -122,11 +122,11 @@ The list of available filters is reported by 'haproxy -vv':
  Multiple filter lines can be used in a proxy section to chain filters. Filters
  will be called in the declaration order.
--Some filters can support implicit declarartions in certain circumstances
--(without the filter line). This is not recommanded for new features but are
++Some filters can support implicit declarations in certain circumstances
++(without the filter line). This is not recommended for new features but are
  useful for existing ones moved in a filter, for backward compatibility
--reasons. Implicit declarartions are supported when there is only one filter used
--on a proxy. When several filters are used, explicit declarartions are mandatory.
++reasons. Implicit declarations are supported when there is only one filter used
++on a proxy. When several filters are used, explicit declarations are mandatory.
  The HTTP compression filter is one of these filters. Alone, using 'compression'
  keywords is enough to use it. But when at least a second filter is used, a
  filter line must be added.
@@ -283,7 +283,7 @@ the structure 'stream', the field 'strm_flt' is the state of all filter
  instances attached to a stream:
      /*
--     * Structure reprensenting the "global" state of filters attached to a
++     * Structure representing the "global" state of filters attached to a
       * stream.
       */
      struct strm_flt {
@@ -302,7 +302,7 @@ Filter instances attached to a stream are stored in the field
  'strm_flt.filters', each instance is of type 'struct filter *':
      /*
--     * Structure reprensenting a filter instance attached to a stream
++     * Structure representing a filter instance attached to a stream
+      *
       * 2D-Array fields are used to store info per channel. The first index
       * stands for the request channel, and the second one for the response
@@ -659,7 +659,7 @@ For example:
  The main purpose of filters is to take part in the channels analyzing. To do so,
  there is 2 callbacks, 'flt_ops.channel_pre_analyze' and
  'flt_ops.channel_post_analyze', called respectively before and after each
--analyzer attached to a channel, execpt analyzers responsible for the data
++analyzer attached to a channel, except analyzers responsible for the data
  parsing/forwarding (TCP or HTTP data). Concretely, on the request channel, these
  callbacks could be called before following analyzers:
 diff --git a/doc/internals/hashing.txt b/doc/internals/hashing.txt
 index 281dcf6..af66de2 100644
 --- a/doc/internals/hashing.txt
 +++ b/doc/internals/hashing.txt
@@ -2,7 +2,7 @@
  This document describes how Haproxy implements hashing both map-based and
  consistent hashing, both prior to versions 1.5 and the motivation and tests
--that were done when providing additional options starting in version 1.5.
++that were done when providing additional options starting in version 2.0
  A note on hashing in general, hash functions strive to have little
  correlation between input and output. The heart of a hash function is its
@@ -79,5 +79,5 @@ algorithms that are better for different inputs. Avalanche is not always
  applicable and may result in less smooth distribution.
  References:
--Mixing Functions/Avalanche: http://home.comcast.net/~bretm/hash/3.html
++Mixing Functions/Avalanche: https://papa.bretmulvey.com/post/124027987928/hash-functions
  Hash Functions: http://www.cse.yorku.ca/~oz/hash.html
 diff --git a/doc/internals/htx-api.txt b/doc/internals/htx-api.txt
 new file mode 100644
 index 0000000..f1e38d1
 --- /dev/null
 +++ b/doc/internals/htx-api.txt
@@ -0,0 +1,498 @@
++                -----------------------------------------------
++                                   HTX API
++                                  Version 1.0
++                          ( Last update: 2019-06-20 )
++                -----------------------------------------------
++                          Author : Christopher Faulet
++                      Contact : cfaulet at haproxy dot com
++
++1. Background
++
++Historically, HAProxy stored HTTP messages in a raw fashion in buffers, keeping
++parsing information separately in a "struct http_msg" owned by the stream. It was
++optimized to the data transfer, but not so much for rewrites. It was also HTTP/1
++centered. While it was the only HTTP version supported, it was not a
++problem. But with the rise of HTTP/2, it starts to be hard to still use this
++representation.
++
++At the first age of the HTTP/2 in HAProxy, H2 messages were converted into
++H1. This was terribly unefficient because it required two parsing passes, a
++first one in H2 and a second one in H1, with a conversion in the middle. And of
++course, the same was also true in the opposite direction. outgoing H1 messages
++had to be converted back in H2 to be sent. Even worse, because the H2->H1
++conversion, only client H2 connections were supported.
++
++So, to address all these problems, we decided to replace the old raw
++representation by a version-agnostic and self-structured internal HTTP
++representation, the HTX. As an additional benefit, with this new representation,
++the message parsing and its processing are now separated, making all the HTTP
++analysis simpler and cleaner. The parsing of HTTP messages is now handled by
++the multiplexers (h1 or h2).
++
++
++2. The HTX message
++
++The HTX is a structure containing useful information about an HTTP message
++followed by a contiguous array with some parts of the message. These parts are
++called blocks. A block is composed of metadata (htx_blk) and an associated
++payload. Blocks' metadata are stored starting from the end of the array while
++their payload are stored at the beginning. Blocks' metadata are often simply
++called blocks. it is a misuse of language that's simplify explanations.
++
++Internally, this structure is "hidden" in a buffer. This way, there are few
++changes into intermediate layers (stream-interface and channels). They still
++manipulate buffers. Only the multiplexer and the stream have to know how data
++are really stored. From the HTX perspective, a buffer is just a memory
++area. When an HTX message is stored in a buffer, this one appears as full.
++
++  * General view of an HTX message :
++
++
++  buffer->area
++    |
++    |<------------ buffer->size == buffer->data ----------------------|
++    |                                                                 |
++    |     |<------------- Blocks array (htx->size) ------------------>|
++    V     |                                                           |
++    +-----+-----------------+-------------------------+---------------+
++    | HTX |   PAYLOADS ==>  |                         |  <== HTX_BLKs |
++    +-----+-----------------+-------------------------+---------------+
++          |                 |                         |               |
++          |<-payloads part->|<----- free space ------>|<-blocks part->|
++              (htx->data)
++
++
++The blocks part remains linear and sorted. You may think about it as an array
++with negative indexes. But, instead of using negative indexes, we use positive
++positions to identify a block. This position is then converted to an address
++relatively to the beginning of the blocks array.
++
++                tail                                 head
++                 |                                     |
++                 V                                     V
++     .....--+----+-----------------------+------+------+
++            | Bn |       ...             |  B1  |  B0  |
++     .....--+----+-----------------------+------+------+
++                 ^                       ^      ^
++ Addr of the block       Addr of the block      Addr of the block
++ at the position N       at the position 1      at the position 0
++
++
++In the HTX structure, 3 "special" positions are stored:
++
++    - tail  : Position of the newest inserted block
++    - head  : Position of the oldest inserted block
++    - first : Position of the first block to (re)start the analyse
++
++The blocks part never wrap. If we have no space to allocate a new block and if
++there is a hole at the beginning of the blocks part (so at the end of the blocks
++array), we move back all blocks.
++
++
++      tail           head                                tail           head
++       |              |                                   |              |
++       V              V                                   V              V
++    ...+--------------+---------+    blocks  ...----------+--------------+
++       | X== HTX_BLKS |         |    defrag               | <== HTX_BLKS |
++    ...+--------------+---------+    =====>  ...----------+--------------+
++
++
++The payloads part is a raw space that may wrap. You never access to a block's
++payload directly. Instead you get a block to retrieve the address of its
++payload.
++
++
++          +------------------------( B0.addr )--------------------------+
++          |    +-------------------( B1.addr )----------------------+   |
++          |    |       +-----------( B2.addr )----------------+     |   |
++          V    V       V                                      |     |   |
++    +-----+----+-------+----+--------+-------------+-------+----+----+----+
++    | HTX | P0 |   P1  | P2 | ...==> |             | <=... | B2 | B1 | B0 |
++    +-----+----+-------+----+--------+-------------+-------+----+----+----+
++
++
++Because the payloads part may wrap, there are 2 usable free spaces:
++
++    - The free space in front of the blocks part. This one is used if and only if
++      the other one was not used yet.
++
++    - The free space at the beginning of the message. Once this one is used, the
++      other one is never used again, until a message defragmentation.
++
++
++  * Linear payloads part :
++
++
++      head_addr             end_addr     tail_addr
++          |                    |             |
++          V                    V             V
++    +-----+--------------------+-------------+--------------------+-------...
++    | HTX |                    |   PAYLOADS  |                    | HTX_BLKs
++    +-----+--------------------+-------------+--------------------+-------...
++          |<-- free space 2 -->|             |<-- free space 1 -->|
++     (used if the other is too small)          (used in priority)
++
++
++  * Wrapping payloads part :
++
++
++                            head_addr end_addr        tail_addr
++                                |        |                |
++                                V        V                V
++    +-----+----+----------------+--------+----------------+-------+-------...
++    | HTX |    | PAYLOADS part2 |        | PAYLOADS part1 |       | HTX_BLKs
++    +-----+----+----------------+--------+----------------+-------+-------...
++          |<-->|                |<------>|                |<----->|
++         unusable               free space                 unusable
++        free space                                        free space
++
++
++Finally, when the usable free space is not enough to store a new block, unsuable
++parts may be get back with a full defragmentation. The payloads part is then
++realigned at the beginning of the blocks array and the free space becomes
++continuous again.
++
++
++3. The HTX blocks
++
++An HTX block can be as well a start-line as a header, a body part or a
++trailer. For all these types of block, a payload is attached to the block. It
++can also be a marker, the end-of-headers, end-of-trailers or end-of-message. For
++these blocks, there is no payload but it counts for a byte. It is important to
++not skip it when data are forwarded.
++
++As already said, a block is composed of metadata and a payload. Metadata are
++stored in the blocks part and are composed of 2 fields :
++
++    - info : It a 32 bits field containing the block's type on 4 bits followed
++             by the payload length. See below for details.
++
++    - addr : The payload's address, if any, relatively to the beginning the
++             array used to store part of the HTTP message itself.
++
++
++  * Block's info representation :
++
++    0b 0000 0000 0000 0000 0000 0000 0000 0000
++       ---- ------------------------ ---------
++       type     value (1 MB max)     name length (header/trailer - 256B max)
++            ----------------------------------
++                 data length (256 MB max)
++     (body, method, path, version, status, reason)
++
++
++Supported types are :
++
++    - 0000  (0) : The request start-line
++    - 0001  (1) : The response start-line
++    - 0010  (2) : A header block
++    - 0011  (3) : The end-of-headers marker
++    - 0100  (4) : A data block
++    - 0101  (5) : A trailer block
++    - 0110  (6) : The end-of-trailers marker
++    - 0111  (7) : The end-of-message marker
++    - 1111 (15) : An unused block
++
++Other types are unused for now and reserved for futur extensions.
++
++An HTX message is typically composed of following blocks, in this order :
++
++    - a start-line
++    - zero or more header blocks
++    - an end-of-headers marker
++    - zero or more data blocks
++    - zero or more trailer blocks (optional)
++    - an end-of-trailers marker (optional but always set if there is at least
++      one trailer block)
++    - an end-of-message marker.
++
++Only one HTTP request at a time can be stored in an HTX message. For HTTP
++response, it is more complicated. Only one "final" response can be stored in an
++HTX message. It is a response with status-code 101 or greater or equal to
++200. But it may be preceded by several 1xx informational responses. Such
++responses are part of the same HTX message, so there is no end-of-message marker
++for them.
++
++
++3.1. The start-line
++
++Every HTX message starts with a start-line. Its payload is a "struct htx_sl". In
++addition to the parts of the HTTP start-line, this structure contains some
++information about the represented HTTP message, mainly in the form of flags
++(HTX_SL_F_*). For instance, if an HTTP message contains the header
++"conten-length", then the flag HTX_SL_F_CLEN is set.
++
++Each HTTP message has its own start-line. So an HTX request has one and only one
++start-line because it must contain only one HTTP request at a time. But an HTX
++response may have more than one start-line if the final HTTP response is
++precedeed by some 1xx informational responses.
++
++In HTTP/2, there is no start-line. So the H2 multiplexer must create one when it
++converts an H2 message to HTX :
++
++    - For the request, it uses the pseudo headers ":method", ":path" or
++      ":authority" depending on the method and the hardcoded version "HTTP/2.0".
++
++    - For the response, it used the hardcoded version "HTTP/2.0", the
++      pseudo-header ":status" and an empty reason.
++
++
++3.2. The headers and trailers
++
++HTX Headers and trailers are quite similar. Different types are used to simplify
++headers processing. But from the HTX point of view, there is no real difference,
++except their position in the HTX message. The header blocks always follow an HTX
++start-line while trailer blocks come after the data. If there is no data, they
++follow the end-of-headers marker.
++
++Headers and trailers are the only blocks containing a Key/Value payload. The
++corresponding end-of marker must always be placed after each group to mark, as
++it name suggests, the end.
++
++In HTTP/1, trailers are only present on chunked messages. But chunked messages
++do not always have trailers. In this case, the end-of-trailers block may or may
++not be present. Multiplexers must be able to handle both situations. In HTTP/2,
++trailers are only present if a HEADERS frame is sent after DATA frames.
++
++
++3.3. The data
++
++The payload body of an HTTP message is stored as DATA blocks in the HTX
++message. For HTTP/1 messages, it is the message body without the chunks
++formatting, if any. For HTTP/2, it is the payload of DATA frames.
++
++The DATA blocks are the only HTX blocks that may be partially processed (copied
++or removed). All other types of block must be entierly processed. This means
++DATA blocks can be resized.
++
++
++3.4. The end-of markers
++
++These blocks are used to delimit parts of an HTX message. It exists three
++markers:
++
++    - end-of-headers (EOH)
++    - end-of-trailers (EOT)
++    - end-of-message (EOM)
++
++EOH and EOM are always present in an HTX message. EOT is optional.
++
++
++4. The HTX API
++
++
++4.1. Get/set HTX message from/to the underlying buffer
++
++The first thing to do to process an HTX message is to get it from the underlying
++buffer. There are 2 functions to do so, the second one relying on the first:
++
++    - htxbuf() returns an HTX message from a buffer. It does not modify the
++      buffer. It only initialize the HTX message if the buffer is empty.
++
++    - htx_from_buf() uses htxbuf(). But it also updates the underlying buffer so
++      that it appears as full.
++
++Both functions return a "zero-sized" HTX message if the buffer is null. This
++way, you are sure to always have a valid HTX message. The first function is the
++default function to use. The second one is only useful when some content will be
++added. For instance, it used by the HTX analyzers when HAproxy generates a
++response. This way, the buffer is in a right state and you don't need to take
++care of it anymore outside the possible error paths.
++
++Once the processing done, if the HTX message has been modified, the underlying
++buffer must be also updated, except you uses htx_from_buf() and you only add
++data. For all other cases, the function htx_to_buf() must be called.
++
++Finally, the function htx_reset() may be called at any time to reset an HTX
++message. And the function buf_room_for_htx_data() may be called to know if a raw
++buffer is full from the HTX perspective. It is used during conversion from/to
++the HTX.
++
++
++4.2. Helpers to deal with free space in an HTX message
++
++Once you have an HTX message, following functions may help you to process it :
++
++    - htx_used_space() and htx_meta_space() return, respectively, the total
++      space used in an HTX message and the space used by block's metadata only.
++
++    - htx_free_space() and htx_free_data_space() return, respectively, the total
++      free space in an HTX message and the free space available for the payload
++      if a new HTX block is stored (so it is the total free space minus the size
++      of an HTX block).
++
++    - htx_is_empty() and htx_is_not_empty() are boolean functions to know if an
++      HTX message is empty or not.
++
++    - htx_get_max_blksz() returns the maximum size available for the payload,
++      not exceeding a maximum, metadata included.
++
++    - htx_almost_full() should be used to know if an HTX message uses at least
++      3/4 of its capacity.
++
++
++4.3. HTX Blocks manipulations
++
++Once you know how much space is available in an HTX message, the next step is to
++add HTX blocks. First of all the function htx_nbblks() returns the number of
++blocks allocated in an HTX message. Then, there is an add function per block's
++type:
++
++    - htx_add_stline() adds a start-line. The type (request or response) and the
++      flags of the start-line must be provided, as well as its three parts
++      (method,uri,version or version,status-code,reason).
++
++    - htx_add_header() and htx_add_trailers() are similar. The name and the
++      value must be provided. The inserted HTX block is returned on success or
++      NULL if an error occurred.
++
++    - htx_add_endof() must be used to add any end-of marker. The block's type
++      (EOH, EOT or EOM) must be specified. The inserted HTX block is returned on
++      success or NULL if an error occurred.
++
++    - htx_add_all_headers() and htx_add_all_trailers() add, respectively, a list
++      of headers and a list of trailers, followed by the appropriate end-of
++      marker. On success, this marker is returned. Otherwise, NULL is
++      returned. Note there is no rollback on the HTX message when an error
++      occurred. Some headers or trailers may have been added. So it is the
++      caller responsibility to take care of that.
++
++    - htx_add_data() must be used to add a DATA block. Unlike previous
++      functions, this one returns the number of bytes copied or 0 if nothing was
++      copied. If possible, the data are appended to the last DATA block, if
++      any. Only a part of the payload may be copied because this function will
++      try to limit the message defragmentation and the wrapping of blocks as far
++      as possible. If you really need to add all data or nothing, the function
++      htx_add_data_atonce() must be used instead. Because it tries to insert all
++      the payload, this function returns the inserted block on success.
++      Otherwise it returns NULL.
++
++When an HTX block is added, it is always the last one (the tail). But, if you
++need to add a block at a specific place, it is not really handy. 2 functions may
++help you (others could be added) :
++
++    - htx_add_last_data() adds a DATA block just after all other DATA blocks and
++      before any trailers and EOT or EOM markers. It relies on
++      htx_add_data_atonce(), so a defragmentation may be performed.
++
++    - htx_move_blk_before() moves a specific block just after another one. Both
++      blocks must already be in the HTX message and the block to move must
++      always be placed after the "pivot".
++
++Once added, there are three functions to update the block's payload :
++
++    - htx_replace_stline() updates a start-line. The HTX block must be passed as
++      argument. Only string parts of the start-line are updated by this
++      function. On success, it returns the new start-line. So it is pretty easy
++      to update its flags. NULL is returned if an error occurred.
++
++    - htx_replace_header() fully replaces a header (its name and its value) by a
++      new one. The HTX block must be passed a argument, as well as its new name
++      and its new value. The new header can be smaller or larger than the old
++      one. This function returns the new HTX block on success, or NULL is an
++      error occurred.
++
++    - htx_replace_blk_value() replaces a part of a block's payload or its
++      totality. It works for HEADERS, TRAILERS or DATA blocks. The HTX block
++      must be provided with the part to remove and the new one. The new part can
++      be smaller or larger than the old one. This function returns the new HTX
++      block on success, or NULL is an error occurred.
++
++Finally, You may remove a block using the function htx_remove_blk(). This
++function returns the block following the one removed or NULL if it is the tail
++block.
++
++
++4.4. The HTX start-line
++
++Unlike other HTX blocks, the start-line is a bit special because its payload is
++a structure followed by its three parts :
++
++        +--------+-------+-------+-------+
++        | HTX_SL | PART1 | PART2 | PART3 |
++        +--------+-------+-------+-------+
++
++Some macros and functions may help to manipulate these parts :
++
++    - HTX_SL_P{N}_LEN() and HTX_SL_P{N}_PTR() are macros to get the length of a
++      part and a pointer on it. {N} should be 1, 2 or 3.
++
++    - HTX_SL_REQ_MLEN(), HTX_SL_REQ_ULEN(), HTX_SL_REQ_VLEN(),
++      HTX_SL_REQ_MPTR(), HTX_SL_REQ_UPTR() and HTX_SL_REQ_VPTR() are macros to
++      get info about a request start-line. These macros only wrap HTX_SL_P*
++      ones.
++
++    - HTX_SL_RES_VLEN(), HTX_SL_RES_CLEN(), HTX_SL_RES_RLEN(),
++      HTX_SL_RES_VPTR(), HTX_SL_RES_CPTR() and HTX_SL_RES_RPTR() are macros to
++      get info about a response start-line. These macros only wrap HTX_SL_P*
++      ones.
++
++    - htx_sl_p1(), htx_sl_p2() and htx_sl_p2() are functions to get the ist
++      corresponding to the right part of a start-line.
++
++    - htx_sl_req_meth(), htx_sl_req_uri() and htx_sl_req_vsn() get the ist
++      corresponding to the right part of a request start-line.
++
++    - htx_sl_res_vsn(), htx_sl_res_code() and htx_sl_res_reason() get the ist
++      corresponding to the right part of a response start-line.
++
++
++4.5. Iterate on the HTX message
++
++To iterate on an HTX message, the first thing to do is to get the HTX block to
++start the loop. There are three special blocks in an HTX message that may be
++good candidates to start a loop :
++
++  * the head block. It is the oldest inserted block. Multiplexers always start
++    to consume an HTX message from this block. The function htx_get_head()
++    returns its position and htx_get_head_blk() returns the blocks itself. In
++    addition, the function htx_get_head_type() returns its block's type.
++
++  * the tail block. It is the newest inserted block. The function htx_get_tail()
++    returns its position and htx_get_tail_blk() returns the blocks itself. In
++    addition, the function htx_get_tail_type() returns its block's type.
++
++  * the first block. It is the block where to (re)start the analyse. It is used
++    as start point by HTX analyzers. The function htx_get_first() returns its
++    position and htx_get_first_blk() returns the blocks itself. In addition, the
++    function htx_get_first_type() returns its block's type.
++
++For all these functions, if the HTX message is empty, -1 is returned for the
++block's position, NULL instead of a block and HTX_BLK_UNUSED for its type.
++
++Then to iterate on blocks, you may move foreword or backward :
++
++  * htx_get_prev() and htx_get_next() return, respectively, the position of the
++    previous block or the next block, given a specific position. Or -1 if an edge
++    is reached.
++
++  * htx_get_prev_blk() and htx_get_next_blk() return, respectively, the previous
++    block or the next one, given a specific block. Or NULL if an edge is
++    reached.
++
++
++4.6. Advanced functions
++
++Some more advanced functions may be used to do complex processing on the HTX
++message. These functions are used by HTX analyzers or by multiplexers.
++
++  * htx_truncate() removes all blocks after the one containing a specific offset
++    relatively to the head block of the HTX message. If the offset is inside a
++    DATA block, it is truncated. For all other blocks, the removal starts to the
++    next block.
++
++  * htx_drain() tries to remove a specific amount of bytes of payload. If the
++    last block is a DATA block, it may be truncated if necessary. All other
++    block are removed at once or kept. This function returns a mixed value, with
++    the first block not removed, or NULL if everything was removed, and the
++    amount of data drained.
++
++  * htx_xfer_blks() transfers HTX blocks from an HTX message to another,
++    stopping on the first block of a specified type or when a specific amount of
++    bytes, including meta-data, was moved. If the last block is a DATA block, it
++    may be partially moved. All other block are transferred at once or
++    kept. This function returns a mixed value, with the last block moved, or
++    NULL if nothing was moved, and the amount of data transferred. When HEADERS
++    or TRAILERS blocks must be transferred, this function transfers all of
++    them. Otherwise, if it is not possible, it triggers an error. It is the
++    caller responsibility to transfer all headers or trailers at once.
 diff --git a/doc/lua-api/index.rst b/doc/lua-api/index.rst
 index 7085dc8..6d1b653 100644
 --- a/doc/lua-api/index.rst
 +++ b/doc/lua-api/index.rst
@@ -55,9 +55,10 @@ functions. Lua have 6 execution context.
     function `core.register_fetches()`. Each declared sample-fetch is prefixed by
     the string "lua.".
--   **NOTE**: It is possible that this function cannot found the required data
--   in the original HAProxy sample-fetches, in this case, it cannot return the
--   result. This case is not yet supported
++   .. note::
++      It is possible that this function cannot found the required data in the
++      original HAProxy sample-fetches, in this case, it cannot return the
++      result. This case is not yet supported
 . The **converter context**. It is a Lua function that takes a string as input
     and returns another string as output. These types of function are stateless,
@@ -173,8 +174,9 @@ Core class
    proxy give an access to his list of listeners and servers. The table is
    indexed by proxy name, and each entry is of type :ref:`proxy_class`.
--  Warning, if you are declared frontend and backend with the same name, only one
--  of these are listed.
++  .. Warning::
++     if you are declared frontend and backend with the same name, only one of
++     these are listed.
    :see: :js:attr:`core.backends`
    :see: :js:attr:`core.frontends`
@@ -437,8 +439,9 @@ Core class
    configuration file. The table is indexed by the proxy name, and each entry
    of the proxies table is an object of type :ref:`proxy_class`.
--  Warning, if you have declared a frontend and backend with the same name, only
--  one of these are listed.
++  .. warning::
++     if you have declared a frontend and backend with the same name, only one of
++     these are listed.
  .. js:function:: core.register_action(name, actions, func [, nb_args])
@@ -605,10 +608,11 @@ Core class
      :ref:`applethttp_class`. If the *mode* value is 'tcp', the applet will gets
      a :ref:`applettcp_class`.
--  **warning**: Applets of type 'http' cannot be called from 'tcp-*'
--  rulesets. Only the 'http-*' rulesets are authorized, this means
--  that is not possible to call an HTTP applet from a proxy in tcp
--  mode. Applets of type 'tcp' can be called from anywhere.
++  .. warning::
++     Applets of type 'http' cannot be called from 'tcp-*' rulesets. Only the
++     'http-*' rulesets are authorized, this means that is not possible to call
++     an HTTP applet from a proxy in tcp mode. Applets of type 'tcp' can be
++     called from anywhere.
    Here, an example of service registration. The service just send an 'Hello world'
    as an http response.
@@ -1199,8 +1203,9 @@ Fetches class
    HAProxy "configuration.txt" documentation for more information about her
    usage. They are the chapters 7.3.2 to 7.3.6.
--  **warning** some sample fetches are not available in some context. These
--  limitations are specified in this documentation when they're useful.
++  .. warning::
++     some sample fetches are not available in some context. These limitations
++     are specified in this documentation when they're useful.
    :see: :js:attr:`TXN.f`
    :see: :js:attr:`TXN.sf`
@@ -1271,6 +1276,10 @@ Channel class
    **Warning**: It is not possible to read from the response in request action,
    and it is not possible to read for the request channel in response action.
++  **Warning**: It is forbidden to alter the Channels buffer from HTTP contexts.
++  So only :js:func:`Channel.get_in_length`, :js:func:`Channel.get_out_length`
++  and :js:func:`Channel.is_full` can be called from an HTTP conetext.
++
  .. image:: _static/channel.png
  .. js:function:: Channel.dup(channel)
@@ -1739,10 +1748,11 @@ TXN class
    session. It can be used when a critical error is detected or to terminate
    processing after some data have been returned to the client (eg: a redirect).
--  *Warning*: It not make sense to call this function from sample-fetches. In
--  this case the behaviour of this one is the same than core.done(): it quit
--  the Lua execution. The transaction is really aborted only from an action
--  registered function.
++  .. warning::
++    It not make sense to call this function from sample-fetches. In this case
++    the behaviour of this one is the same than core.done(): it quit the Lua
++    execution. The transaction is really aborted only from an action registered
++    function.
    :param class_txn txn: The class txn object containing the data.
 diff --git a/doc/lua.txt b/doc/lua.txt
 index a0a1d61..a86979d 100644
 --- a/doc/lua.txt
 +++ b/doc/lua.txt
@@ -83,9 +83,9 @@ Prerequisite
  Reading the following documentation links is required to understand the
  current paragraph:
--   HAProxy doc: http://cbonte.github.io/haproxy-dconv/
++   HAProxy doc: http://docs.haproxy.org/
     Lua API:     http://www.lua.org/manual/5.3/
--   HAProxy API: http://www.arpalert.org/src/haproxy-lua-api/1.9dev/index.html
++   HAProxy API: http://www.arpalert.org/src/haproxy-lua-api/2.6/index.html
     Lua guide:   http://www.lua.org/pil/
  more about Lua choice
 diff --git a/doc/management.txt b/doc/management.txt
 index 2ba460d..337cc14 100644
 --- a/doc/management.txt
 +++ b/doc/management.txt
@@ -475,7 +475,7 @@ continues to process existing connections. If the binding still fails (because
  for example a port is shared with another daemon), then the new process sends a
  SIGTTIN signal to the old processes to instruct them to resume operations just
  as if nothing happened. The old processes will then restart listening to the
--ports and continue to accept connections. Not that this mechanism is system
++ports and continue to accept connections. Note that this mechanism is system
  dependent and some operating systems may not support it in multi-process mode.
  If the new process manages to bind correctly to all ports, then it sends either
@@ -1111,7 +1111,7 @@ S (Servers).
 . ttime_max [..BS]: the maximum observed total session time in ms
--9.2) Typed output format
++9.2. Typed output format
  ------------------------
  Both "show info" and "show stat" support a mode where each output value comes
@@ -1507,7 +1507,7 @@ disable agent <backend>/<server>
    level "admin".
  disable dynamic-cookie backend <backend>
--  Disable the generation of dynamic cookies fot the backend <backend>
++  Disable the generation of dynamic cookies for the backend <backend>
  disable frontend <frontend>
    Mark the frontend as temporarily stopped. This corresponds to the mode which
@@ -1859,7 +1859,7 @@ show activity
    of reports of abnormal behaviours. A typical example would be a properly
    running process never sleeping and eating 100% of the CPU. The output fields
    will be made of one line per metric, and per-thread counters on the same
--  line. These counters are 32-bit and will wrap during the process' life, which
++  line. These counters are 32-bit and will wrap during the process's life, which
    is not a problem since calls to this command will typically be performed
    twice. The fields are purposely not documented so that their exact meaning is
    verified in the code where the counters are fed. These values are also reset
@@ -2166,6 +2166,25 @@ show profiling
    Dumps the current profiling settings, one per line, as well as the command
    needed to change them.
++show resolvers [<resolvers section id>]
++  Dump statistics for the given resolvers section, or all resolvers sections
++  if no section is supplied.
++
++  For each name server, the following counters are reported:
++    sent: number of DNS requests sent to this server
++    valid: number of DNS valid responses received from this server
++    update: number of DNS responses used to update the server's IP address
++    cname: number of CNAME responses
++    cname_error: CNAME errors encountered with this server
++    any_err: number of empty response (IE: server does not support ANY type)
++    nx: non existent domain response received from this server
++    timeout: how many time this server did not answer in time
++    refused: number of requests refused by this server
++    other: any other DNS errors
++    invalid: invalid DNS response (from a protocol point of view)
++    too_big: too big response
++    outdated: number of response arrived too late (after an other name server)
++
  show servers state [<backend>]
    Dump the state of the servers found in the running configuration. A backend
    name or identifier may be provided to limit the output to this backend only.
@@ -2266,7 +2285,11 @@ show servers state [<backend>]
  show sess
    Dump all known sessions. Avoid doing this on slow connections as this can
    be huge. This command is restricted and can only be issued on sockets
--  configured for levels "operator" or "admin".
++  configured for levels "operator" or "admin". Note that on machines with
++  quickly recycled connections, it is possible that this output reports less
++  entries than really exist because it will dump all existing sessions up to
++  the last one that was created before the command was entered; those which
++  die in the mean time will not appear.
  show sess <id>
    Display a lot of internal information about the specified session identifier.
@@ -2435,25 +2458,6 @@ show stat [{<iid>|<proxy>} <type> <sid>] [typed|json]
    $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
      python -m json.tool
--show resolvers [<resolvers section id>]
--  Dump statistics for the given resolvers section, or all resolvers sections
--  if no section is supplied.
--
--  For each name server, the following counters are reported:
--    sent: number of DNS requests sent to this server
--    valid: number of DNS valid responses received from this server
--    update: number of DNS responses used to update the server's IP address
--    cname: number of CNAME responses
--    cname_error: CNAME errors encountered with this server
--    any_err: number of empty response (IE: server does not support ANY type)
--    nx: non existent domain response received from this server
--    timeout: how many time this server did not answer in time
--    refused: number of requests refused by this server
--    other: any other DNS errors
--    invalid: invalid DNS response (from a protocol point of view)
--    too_big: too big response
--    outdated: number of response arrived too late (after an other name server)
--
  show table
    Dump general information on all known stick-tables. Their name is returned
    (the name of the proxy which holds them), their type (currently zero, always
@@ -2570,6 +2574,17 @@ show schema json
    stat json" against the schema.
++show version
++  Show the version of the current HAProxy process. This is available from
++  master and workers CLI.
++  Example:
++
++      $ echo "show version" | socat /var/run/haproxy.sock stdio
++      2.4.9
++
++      $ echo "show version" | socat /var/run/haproxy-master.sock stdio
++      2.5.0
++
  shutdown frontend <frontend>
    Completely delete the specified frontend. All the ports it was bound to will
    be released. It will not be possible to enable the frontend anymore after
 diff --git a/doc/peers-v2.0.txt b/doc/peers-v2.0.txt
 index 477e7bb..b9f82f7 100644
 --- a/doc/peers-v2.0.txt
 +++ b/doc/peers-v2.0.txt
@@ -1,4 +1,4 @@
--	Haproxy's peers v2.0 protocol 08/18/2016
++	HAProxy's peers v2.0 protocol 08/18/2016
  Author: Emeric Brun ebrun@haproxy.com
@@ -36,7 +36,7 @@ Hello message is composed of 3 lines:
  <remotepeerid>
  <localpeerid> <processpid> <relativepid>
--protocol: current value is "HaproxyS"
++protocol: current value is "HAProxyS"
  version: current value is "2.0"
  remotepeerid: is the name of the target peer as defined in the configuration peers section.
  localpeerid: is the name of the local peer as defined on cmdline or using hostname.
@@ -191,11 +191,11 @@ between the "Sender Table ID" to identify it directly in case of "Table Switch M
  Table Type present the numeric type of key used to store stick table entries:
  integer
-- 0: signed integer
-- 1: IPv4 address
-- 2: IPv6 address
-- 3: string
-- 4: binary
++ 2: signed integer
++ 4: IPv4 address
++ 5: IPv6 address
++ 6: string
++ 7: binary
  Table Keylen present the key length or max length in case of strings or binary (padded with 0).
 diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
 index 52d7bc7..ff64c8b 100644
 --- a/doc/proxy-protocol.txt
 +++ b/doc/proxy-protocol.txt
@@ -1,4 +1,4 @@
--2017/03/10                                                        Willy Tarreau
++2020/03/05                                                        Willy Tarreau
                                                             HAProxy Technologies
                                 The PROXY protocol
                                   Versions 1 & 2
@@ -27,6 +27,7 @@ Revision history
                  reserved TLV type ranges, added TLV documentation, clarified
                  string encoding. With contributions from Andriy Palamarchuk
                  (Amazon.com).
++   2020/03/05 - added the unique ID TLV type (Tim Düsterhus)
 . Background
@@ -538,6 +539,7 @@ The following types have already been registered for the <type> field :
          #define PP2_TYPE_AUTHORITY      0x02
          #define PP2_TYPE_CRC32C         0x03
          #define PP2_TYPE_NOOP           0x04
++        #define PP2_TYPE_UNIQUE_ID      0x05
          #define PP2_TYPE_SSL            0x20
          #define PP2_SUBTYPE_SSL_VERSION 0x21
          #define PP2_SUBTYPE_SSL_CN      0x22
@@ -602,7 +604,17 @@ bytes. Can be used for data padding or alignment. Note that it can be used
  to align only by 3 or more bytes because a TLV can not be smaller than that.
--2.2.5. The PP2_TYPE_SSL type and subtypes
++2.2.5. PP2_TYPE_UNIQUE_ID
++
++The value of the type PP2_TYPE_UNIQUE_ID is an opaque byte sequence of up to
++128 bytes generated by the upstream proxy that uniquely identifies the
++connection.
++
++The unique ID can be used to easily correlate connections across multiple
++layers of proxies, without needing to look up IP addresses and port numbers.
++
++
++2.2.6. The PP2_TYPE_SSL type and subtypes
  For the type PP2_TYPE_SSL, the value is itself a defined like this :
@@ -654,13 +666,13 @@ In all cases, the string representation (in UTF8) of the Common Name field
  using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com".
--2.2.6. The PP2_TYPE_NETNS type
++2.2.7. The PP2_TYPE_NETNS type
  The type PP2_TYPE_NETNS defines the value as the US-ASCII string representation
  of the namespace's name.
--2.2.7. Reserved type ranges
++2.2.8. Reserved type ranges
  The following range of 16 type values is reserved for application-specific
  data and will be never used by the PROXY Protocol. If you need more values
 diff --git a/doc/regression-testing.txt b/doc/regression-testing.txt
 index 320c51c..1b6c21d 100644
 --- a/doc/regression-testing.txt
 +++ b/doc/regression-testing.txt
@@ -131,7 +131,7 @@ instance.
      #   BUG/MINOR: spoe: Initialize variables used during conf parsing before any check
      #   Some initializations must be done at the beginning of parse_spoe_flt to avoid
--    #   segmentaion fault when first errors are caught, when the "filter spoe" line is
++    #   segmentation fault when first errors are caught, when the "filter spoe" line is
      #   parsed.
      haproxy h1 -conf-BAD {} {
 diff --git a/ebtree/eb32sctree.h b/ebtree/eb32sctree.h
 index 51a2664..0ab057b 100644
 --- a/ebtree/eb32sctree.h
 +++ b/ebtree/eb32sctree.h
@@ -38,13 +38,18 @@ typedef   signed int s32;
   * have put some sort of transparent union here to reduce the indirection
   * level, but the fact is, the end user is not meant to manipulate internals,
   * so this is pointless.
++ * In case sizeof(void*)>=sizeof(long), we know there will be some padding after
++ * the leaf if it's unaligned. In this case we force the alignment on void* so
++ * that we prefer to have the padding before for more efficient accesses.
   */
  struct eb32sc_node {
  	struct eb_node node; /* the tree node, must be at the beginning */
++	MAYBE_ALIGN(sizeof(u32));
  	u32 key;
++	ALWAYS_ALIGN(sizeof(void*));
  	unsigned long node_s; /* visibility of this node's branches */
  	unsigned long leaf_s; /* visibility of this node's leaf */
--};
++} ALIGNED(sizeof(void*));
  /*
   * Exported functions and macros.
 diff --git a/ebtree/eb32tree.h b/ebtree/eb32tree.h
 index 08ff900..b10a5ed 100644
 --- a/ebtree/eb32tree.h
 +++ b/ebtree/eb32tree.h
@@ -41,8 +41,9 @@ typedef   signed int s32;
   */
  struct eb32_node {
  	struct eb_node node; /* the tree node, must be at the beginning */
++	MAYBE_ALIGN(sizeof(u32));
  	u32 key;
--};
++} ALIGNED(sizeof(void*));
  /*
   * Exported functions and macros.
 diff --git a/ebtree/eb64tree.h b/ebtree/eb64tree.h
 index 6d0d039..5fcf137 100644
 --- a/ebtree/eb64tree.h
 +++ b/ebtree/eb64tree.h
@@ -38,11 +38,16 @@ typedef   signed long long s64;
   * eb_node so that it can be cast into an eb_node. We could also have put some
   * sort of transparent union here to reduce the indirection level, but the fact
   * is, the end user is not meant to manipulate internals, so this is pointless.
++ * In case sizeof(void*)>=sizeof(u64), we know there will be some padding after
++ * the key if it's unaligned. In this case we force the alignment on void* so
++ * that we prefer to have the padding before for more efficient accesses.
   */
  struct eb64_node {
  	struct eb_node node; /* the tree node, must be at the beginning */
++	MAYBE_ALIGN(sizeof(u64));
++	ALWAYS_ALIGN(sizeof(void*));
  	u64 key;
--};
++} ALIGNED(sizeof(void*));
  /*
   * Exported functions and macros.
@@ -370,17 +375,21 @@ __eb64_insert(struct eb_root *root, struct eb64_node *new) {
  		/* walk down */
  		root = &old->node.branches;
--#if BITS_PER_LONG >= 64
--		side = (newkey >> old_node_bit) & EB_NODE_BRANCH_MASK;
--#else
--		side = newkey;
--		side >>= old_node_bit;
--		if (old_node_bit >= 32) {
--			side = newkey >> 32;
--			side >>= old_node_bit & 0x1F;
++
++		if (sizeof(long) >= 8) {
++			side = newkey >> old_node_bit;
++		} else {
++			/* note: provides the best code on low-register count archs
++			 * such as i386.
++			 */
++			side = newkey;
++			side >>= old_node_bit;
++			if (old_node_bit >= 32) {
++				side = newkey >> 32;
++				side >>= old_node_bit & 0x1F;
++			}
+ 		}
  		side &= EB_NODE_BRANCH_MASK;
--#endif
  		troot = root->b[side];
+ 	}
@@ -548,17 +557,21 @@ __eb64i_insert(struct eb_root *root, struct eb64_node *new) {
  		/* walk down */
  		root = &old->node.branches;
--#if BITS_PER_LONG >= 64
--		side = (newkey >> old_node_bit) & EB_NODE_BRANCH_MASK;
--#else
--		side = newkey;
--		side >>= old_node_bit;
--		if (old_node_bit >= 32) {
--			side = newkey >> 32;
--			side >>= old_node_bit & 0x1F;
++
++		if (sizeof(long) >= 8) {
++			side = newkey >> old_node_bit;
++		} else {
++			/* note: provides the best code on low-register count archs
++			 * such as i386.
++			 */
++			side = newkey;
++			side >>= old_node_bit;
++			if (old_node_bit >= 32) {
++				side = newkey >> 32;
++				side >>= old_node_bit & 0x1F;
++			}
+ 		}
  		side &= EB_NODE_BRANCH_MASK;
--#endif
  		troot = root->b[side];
+ 	}
 diff --git a/ebtree/ebimtree.h b/ebtree/ebimtree.h
 index 4a98c96..28a9f14 100644
 --- a/ebtree/ebimtree.h
 +++ b/ebtree/ebimtree.h
@@ -62,7 +62,7 @@ __ebim_lookup(struct eb_root *root, const void *x, unsigned int len)
  		if (eb_gettag(troot) == EB_LEAF) {
  			node = container_of(eb_untag(troot, EB_LEAF),

Ubuntuhaproxy package

Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
haproxy package