forked from pool/haproxy

Accepting request 329654 from network:ha-clustering:Factory

- Backport patches from upstream:
  - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
  - BUG/MAJOR: http: don't call http_send_name_header() after an error
- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch

- Backport patches from upstream:
  - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
  - DOC: usesrc root privileges requirements
  - BUILD: ssl: Allow building against libssl without SSLv3.
  - DOC/MINOR: fix OpenBSD versions where haproxy works
  - BUG/MINOR: http/sample: gmtime/localtime can fail
  - DOC: typo in 'redirect', 302 code meaning
  - DOC: mention that %ms is left-padded with zeroes.
  - CLEANUP: .gitignore: ignore more test files
  - CLEANUP: .gitignore: finally ignore everything but what is known.
  - MEDIUM: config: emit a warning on a frontend without listener
  - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
  - DOC: ssl: missing LF
  - DOC: fix example of http-request using ssl_fc_session_id
- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
- Add 0002-DOC-usesrc-root-privileges-requirements.patch
- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch
- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch (forwarded request 329653 from KGronlund)

OBS-URL: https://build.opensuse.org/request/show/329654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=32
This commit is contained in:
Dominique Leuenberger 2015-09-08 15:45:55 +00:00 committed by Git OBS Bridge
parent bc4e2e452d
commit 26c4149063
17 changed files with 759 additions and 1 deletions

@ -0,0 +1,64 @@
From df0a5960987b3cb663dcfa93d29c21acc13cd3e3 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 9 Jul 2015 11:20:00 +0200
Subject: [PATCH 01/11] BUG/MINOR: log: missing some ARGC_* entries in
fmt_directives()
ARGC_CAP was not added to fmt_directives() which is used to format
error messages when failing to parse log format expressions. The
whole switch/case has been reorganized to match the declaration
order making it easier to spot missing values. The default is not
the "log" directive anymore but "undefined" asking to report the
bug.
Backport to 1.5 is not strictly needed but is desirable at least
for code sanity.
(cherry picked from commit 53e1a6d31743b1bef6063ff30b812521391ae3c3)
---
src/log.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/log.c b/src/log.c
index 1a5ad25..f0a3072 100644
--- a/src/log.c
+++ b/src/log.c
@@ -167,22 +167,26 @@ struct logformat_var_args var_args_list[] = {
static inline const char *fmt_directive(const struct proxy *curproxy)
{
switch (curproxy->conf.args.ctx) {
- case ARGC_UIF:
- return "unique-id-format";
+ case ARGC_ACL:
+ return "acl";
+ case ARGC_STK:
+ return "stick";
+ case ARGC_TRK:
+ return "track-sc";
+ case ARGC_LOG:
+ return "log-format";
case ARGC_HRQ:
return "http-request";
case ARGC_HRS:
return "http-response";
- case ARGC_STK:
- return "stick";
- case ARGC_TRK:
- return "track-sc"; break;
+ case ARGC_UIF:
+ return "unique-id-format";
case ARGC_RDR:
- return "redirect"; break;
- case ARGC_ACL:
- return "acl"; break;
+ return "redirect";
+ case ARGC_CAP:
+ return "capture";
default:
- return "log-format";
+ return "undefined(please report this bug)"; /* must never happen */
}
}
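Review bot: the `default:` arm keeps the compiler quiet about ARGC_* values that are still missing from this switch (with a default present, -Wswitch does not report unhandled enumerators, provided conf.args.ctx is declared with the enum type), so the next omission will again surface only at runtime as "undefined(please report this bug)". Consider dropping the default and moving the fallback `return` after the switch so that the build flags any ARGC_* value absent from this list; the fallback string itself is a good choice since it reports the bug instead of mislabelling the directive as "log-format".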
--
2.1.4

@ -0,0 +1,27 @@
From ea31f225c2c93a25b8bef7a9241a89cecfd9d350 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann <bedis9@gmail.com>
Date: Fri, 17 Jul 2015 21:59:42 +0200
Subject: [PATCH 02/11] DOC: usesrc root privileges requirements
The "usesrc" parameter of the source statement requires root privileges.
(cherry picked from commit 91bd337d90cb347feda34b01402f3471c8a4833c)
---
doc/configuration.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 6714afb..64697a4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6117,6 +6117,8 @@ source <addr>[:<port>] [interface <name>]
is possible at the server level using the "source" server option. Refer to
section 5 for more information.
+ In order to work, "usesrc" requires root privileges.
+
Examples :
backend private
# Connect to the servers using our 192.168.1.200 source address
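Review bot: the added sentence states the requirement but not when it applies: the source binding is performed when outgoing connections are made, so this is a runtime requirement that conflicts with the "user"/"uid" privilege-dropping advice given elsewhere in this document. A second sentence spelling out that interaction (root retained at runtime, or the equivalent capability granted to the binary) would spare operators a process that starts fine and then fails on the first connection.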
--
2.1.4

@ -0,0 +1,52 @@
From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
From: Jérémie Courrèges-Anglas <jca@wxcvbn.org>
Date: Sat, 25 Jul 2015 16:50:52 -0600
Subject: [PATCH 03/11] BUILD: ssl: Allow building against libssl without
SSLv3.
If SSLv3 is explicitly requested but not available, warn the user and
bail out.
(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
---
src/ssl_sock.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7d77d36..2ae45ec 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+#else
+ Alert("SSLv3 support requested but unavailable.\n");
+ cfgerr++;
+#endif
+ }
if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
#if SSL_OP_NO_TLSv1_1
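Review bot: the `#else` branch reports the problem through Alert() and `cfgerr++` instead of silently falling back to another protocol version, which is the right call for a forced-version setting; the message, however, carries no context, while `curproxy` is available in this function's signature (visible in the hunk header). Including the proxy name in the Alert would let the operator find the offending `bind` line when several frontends are configured.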
@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
options |= SSL_OP_NO_TLSv1_2;
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+#else
+ Alert("SSLv3 support requested but unavailable.");
+ cfgerr++;
+#endif
+ }
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
#if SSL_OP_NO_TLSv1_1
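Review bot: the server-side message `Alert("SSLv3 support requested but unavailable.");` lacks the trailing "\n" that its bind-side twin in the previous hunk has, so this line will run into the next line of output. Add the newline so both messages format identically.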
--
2.1.4

@ -0,0 +1,26 @@
From e4766ba031e1fea8f2ca139316dc4e8209e960c2 Mon Sep 17 00:00:00 2001
From: Daniel Jakots <vigdis@chown.me>
Date: Wed, 29 Jul 2015 08:03:08 +0200
Subject: [PATCH 04/11] DOC/MINOR: fix OpenBSD versions where haproxy works
(cherry picked from commit 17d228be14762b282e5262262c45ecee4c265552)
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index add7f06..e267730 100644
--- a/README
+++ b/README
@@ -39,7 +39,7 @@ and assign it to the TARGET variable :
- solaris for Solaris 8 or 10 (others untested)
- freebsd for FreeBSD 5 to 10 (others untested)
- osx for Mac OS/X
- - openbsd for OpenBSD 3.1 to 5.2 (others untested)
+ - openbsd for OpenBSD 3.1 and above
- aix51 for AIX 5.1
- aix52 for AIX 5.2
- cygwin for Cygwin
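Review bot: "OpenBSD 3.1 and above" drops the "(others untested)" qualifier that every other entry in this list keeps, turning a tested range into an open-ended support claim. Either keep the qualifier or name the newest OpenBSD release that was actually verified.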
--
2.1.4

@ -0,0 +1,33 @@
From 955587271031d66e9b7a768e3bb18dae00b60cc6 Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@arpalert.org>
Date: Wed, 8 Jul 2015 00:15:20 +0200
Subject: [PATCH 05/11] BUG/MINOR: http/sample: gmtime/localtime can fail
The man said that gmtime() and localtime() can return a NULL value.
This is not tested. It appears that all the values of a 32 bit integer
are valid, but it is better to check the return of these functions.
However, if the integer moves from 32 bits to 64 bits, some 64-bit values
can be unsupported.
(cherry picked from commit fac9ccfb705702f211f99e67d5f5d5129002086a)
[wt: we only have sample_conv_date() in 1.5]
---
src/proto_http.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/proto_http.c b/src/proto_http.c
index 5db64b5..02dc42b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -11249,6 +11249,8 @@ static int sample_conv_http_date(const struct arg *args, struct sample *smp)
curr_date += args[0].data.sint;
tm = gmtime(&curr_date);
+ if (!tm)
+ return 0;
temp = get_trash_chunk();
temp->len = snprintf(temp->str, temp->size - temp->len,
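Review bot: returning 0 on a NULL `tm` is the right failure mode for a converter (the sample simply yields nothing instead of dereferencing NULL), and the check matters more than the commit message suggests: `curr_date` has just been offset by `args[0].data.sint`, a configuration-supplied value, so with a 64-bit time_t a large offset can produce a year that gmtime() refuses to represent. The other gmtime()/localtime() callers in the tree are worth auditing for the same missing check.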
--
2.1.4

@ -0,0 +1,27 @@
From 6c7351bdd0778bc171a2b54faed058eadc8c9d0d Mon Sep 17 00:00:00 2001
From: Baptiste Assmann <bedis9@gmail.com>
Date: Mon, 3 Aug 2015 11:42:50 +0200
Subject: [PATCH 06/11] DOC: typo in 'redirect', 302 code meaning
302 means a temporary move, not a permanent one
(cherry picked from commit ea849c0cca63b1b56c9c36f9c3504caa5e826816)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 64697a4..e8d8b2a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5443,7 +5443,7 @@ redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
is desired. Only codes 301, 302, 303, 307 and 308 are supported,
with 302 used by default if no code is specified. 301 means
"Moved permanently", and a browser may cache the Location. 302
- means "Moved permanently" and means that the browser should not
+ means "Moved temporarily" and means that the browser should not
cache the redirection. 303 is equivalent to 302 except that the
browser will fetch the location with a GET method. 307 is just
like 302 but makes it clear that the same method must be reused.
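Review bot: "Moved temporarily" is the wording of RFC 1945/2068; RFC 2616 and RFC 7231 call 302 "Found" while keeping the semantics described here (no caching unless explicitly indicated). Quoting "Found" alongside the older name would match what readers see in current RFCs and browser tooling.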
--
2.1.4

@ -0,0 +1,27 @@
From c3453d53f2862b22d8c8e7d2399dfc38ec966aa4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sun, 9 Aug 2015 10:56:35 +0200
Subject: [PATCH 07/11] DOC: mention that %ms is left-padded with zeroes.
That's important to emit logs.
(cherry picked from commit 812c88ec126e8fc4fc0f7853f265594d03c63956)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e8d8b2a..1d95b5b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12381,7 +12381,7 @@ Please refer to the table below for currently defined variables :
| | %hrl | captured_request_headers CLF style | string list |
| | %hs | captured_response_headers default style | string |
| | %hsl | captured_response_headers CLF style | string list |
- | | %ms | accept date milliseconds | numeric |
+ | | %ms | accept date milliseconds (left-padded with 0) | numeric |
| | %pid | PID | numeric |
| H | %r | http_request | string |
| | %rc | retries | numeric |
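Review bot: "left-padded with 0" gives the padding but not the width; since the point of the note is to let readers build fixed-width log lines, stating the number of digits the field is padded to would make the table entry unambiguous.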
--
2.1.4

@ -0,0 +1,50 @@
From 1104336c0ba5f474fce8fe7c0125511b59f4dd3d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:20:45 +0200
Subject: [PATCH 08/11] CLEANUP: .gitignore: ignore more test files
Exclude from "git status" many of the files that often result from
development tests and bug reports reproducers.
(cherry picked from commit de365a320ead43168e78facfa337130759783515)
---
.gitignore | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/.gitignore b/.gitignore
index 762f5ad..f6ccd0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,30 @@ make-*
dlmalloc.c
00*.patch
*.service
+*.bak
+contrib/base64/base64rev
+contrib/halog/halog
+contrib/ip6range/ip6range
+contrib/iprange/iprange
+tests/test_hashes
+/*.cfg
+/*.conf
+/*.diff
+/*.patch
+/*.c
+/*.o
+/*.so
+/*.txt
+/*.TXT
+/*.txt.*
+/*.prof
+/*.gprof
+/*.prof.*
+/*.gprof.*
+/*.tar
+/*.tar.gz
+/*.tgz
+/*.mbox
+/*.sh
+/bug*
+/TAGS
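Review bot: patterns such as `/*.c`, `/*.sh` and `/*.txt` also hide legitimate source or documentation files if one is ever added at the repository root, and `git status` will no longer show them; whoever adds such a file must remember `git add -f`. A comment stating that the root directory is intentionally reserved for test droppings would prevent a new top-level file from being silently left out of a commit.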
--
2.1.4

@ -0,0 +1,44 @@
From 5e077624951a65e6aae381c7213fc54984768dd4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:21:47 +0200
Subject: [PATCH 09/11] CLEANUP: .gitignore: finally ignore everything but what
is known.
Still too many files remain, it's easier to block everything but
what we know.
(cherry picked from commit d71f1766bdbb041f80394662b0d293f033f93005)
---
.gitignore | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/.gitignore b/.gitignore
index f6ccd0e..1953ba3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,23 @@ tests/test_hashes
/*.sh
/bug*
/TAGS
+# Below we forbid everything and only allow what we know, that's much easier
+# than blocking about 500 different test files and bug report outputs.
+/.*
+/*
+!/.gitignore
+!/CHANGELOG
+!/LICENSE
+!/Makefile
+!/README
+!/ROADMAP
+!/SUBVERS
+!/VERDATE
+!/VERSION
+!/contrib
+!/doc
+!/ebtree
+!/examples
+!/include
+!/src
+!/tests
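Review bot: with `/*` and `/.*` now ignoring everything at the root, the specific root patterns added by the previous patch (from `/*.cfg` down to `/TAGS`) are redundant and could be dropped to keep the file readable. The allow-list also means every new top-level file or directory needs an explicit `!/name` entry here before it can be tracked, which deserves a line in the comment since the failure mode (a new file missing from a commit) is silent.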
--
2.1.4

@ -0,0 +1,46 @@
From c7c1e55f09839727ba7defd37347fc500dabb202 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:36:45 +0200
Subject: [PATCH 10/11] MEDIUM: config: emit a warning on a frontend without
listener
Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind")
completely removed the test for bind lines in frontends in order to make it
easier for automated tools to generate configs (eg: replacing a bind with
another one passing via a temporary config without any bind line). The
problem is that some common mistakes are totally hidden now. For example,
this apparently valid entry is silently ignored:
listen 1.2.3.4:8000
server s1 127.0.0.1:8000
Hint: 1.2.3.4:8000 is mistakenly the proxy name here.
Thus instead we now emit a warning to indicate that a frontend was found
with no listener. This should be backported to 1.5 to help spot abnormal
configurations.
(cherry picked from commit f82d1ca2d7ec83804d6b54e61a35747ad2f85188)
---
src/cfgparse.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 2a5f178..d67edc5 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -6193,6 +6193,12 @@ int check_config_validity()
break;
}
+ if ((curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
+ Warning("config : %s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
if ((curproxy->cap & PR_CAP_BE) && (curproxy->mode != PR_MODE_HEALTH)) {
if (curproxy->lbprm.algo & BE_LB_KIND) {
if (curproxy->options & PR_O_TRANSP) {
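Review bot: the message tells the operator what to do but not where the section is; if the declaration file and line are recorded on the proxy, as other warnings in this function use, report them here too so a misnamed `listen 1.2.3.4:8000` section can be located in a large configuration. Note also that the test is keyed on PR_CAP_FE, so it covers both `frontend` and `listen` sections, which matches the example in the commit message.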
--
2.1.4

@ -0,0 +1,93 @@
From ee12145d38a7dee81a20cf232c724ccb7a46ad8b Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Aug 2015 17:15:20 +0200
Subject: [PATCH 11/11] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0
creates a missing entry
During 1.5-dev20 there was some code refactoring to make the src_* fetch
function use the same code as sc_*. Unfortunately this introduced a
regression where src_* doesn't create an entry anymore if it does not
exist in the table. The reason is that smp_fetch_sc_stkctr() only calls
stktable_lookup_key() while src_inc_*/src_clr_* used to make use of
stktable_update_key() which additionally create the entry if it does
not exist.
There's no point modifying the common function for these two exceptions,
so instead we now have a function dedicated to the creation of this entry
for src_* only. It is called when the entry didn't exist, so that requires
minimal modifications to existing code.
Thanks to Thierry Fournier for helping diagnose the issue.
This fix must be backported to 1.5.
(cherry picked from commit 0f4eadd4830279f5ee83aa545728fb750f5c8185)
[Note: the backport to 1.5 significantly differs from the version in 1.6
since we need to use the table's type and to retrieve the source address
directly from the connection. At least it matches the way other src_*
fetch functions work, and it's been verified to work fine]
---
src/session.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/src/session.c b/src/session.c
index 5b9e407..6d62e36 100644
--- a/src/session.c
+++ b/src/session.c
@@ -2806,6 +2806,33 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw)
return &l4->stkctr[num];
}
+/* same as smp_fetch_sc_stkctr() but dedicated to src_* and can create
+ * the entry if it doesn't exist yet. This is needed for a few fetch
+ * functions which need to create an entry, such as src_inc_gpc* and
+ * src_clr_gpc*.
+ */
+struct stkctr *
+smp_create_src_stkctr(struct session *sess, const struct arg *args, const char *kw)
+{
+ static struct stkctr stkctr;
+ struct stktable_key *key;
+ struct connection *conn = objt_conn(sess->si[0].end);
+
+ if (strncmp(kw, "src_", 4) != 0)
+ return NULL;
+
+ if (!conn)
+ return NULL;
+
+ key = addr_to_stktable_key(&conn->addr.from, args->data.prx->table.type);
+ if (!key)
+ return NULL;
+
+ stkctr.table = &args->data.prx->table;
+ stkctr_set_entry(&stkctr, stktable_update_key(stkctr.table, key));
+ return &stkctr;
+}
+
/* set return a boolean indicating if the requested session counter is
* currently being tracked or not.
* Supports being called as "sc[0-9]_tracked" only.
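Review bot: `smp_create_src_stkctr()` returns NULL on three paths (non-`src_` keyword, no connection, key conversion failure) and can also return a stkctr whose entry is NULL when `stktable_update_key()` cannot create the entry, for example when the table is full; callers that replace their own `stkctr` pointer with this result must re-check both before dereferencing. The function also hands back a pointer to a function-local `static struct stkctr`, the same pattern as smp_fetch_sc_stkctr() above, which is fine for the single-process model but deserves a line in the comment so nobody keeps the pointer across a second call.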
@@ -2887,6 +2914,9 @@ smp_fetch_sc_inc_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
if (!stkctr)
return 0;
+ if (stkctr_entry(stkctr) == NULL)
+ stkctr = smp_create_src_stkctr(l4, args, kw);
+
smp->flags = SMP_F_VOL_TEST;
smp->type = SMP_T_UINT;
smp->data.uint = 0;
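Review bot: after `stkctr = smp_create_src_stkctr(l4, args, kw);` the code continues straight into setting up `smp` with no new NULL test on `stkctr`, yet the function can return NULL (no connection, key conversion failure); unless the lines below this hunk test `stkctr` and `stkctr_entry(stkctr)` again before use, a request for which no entry can be created would dereference NULL. Either add `if (!stkctr) return 0;` after the call or confirm that the following code performs that check.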
@@ -2924,6 +2954,9 @@ smp_fetch_sc_clr_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
if (!stkctr)
return 0;
+ if (stkctr_entry(stkctr) == NULL)
+ stkctr = smp_create_src_stkctr(l4, args, kw);
+
smp->flags = SMP_F_VOL_TEST;
smp->type = SMP_T_UINT;
smp->data.uint = 0;
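Review bot: same concern as in the previous hunk: `stkctr` is overwritten with the result of `smp_create_src_stkctr()`, which may be NULL, and nothing visible re-tests it before the function proceeds; add the NULL check here as well so the two gpc0 fetches stay symmetric.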
--
2.1.4

@ -0,0 +1,27 @@
From 2272b4ffde38c836adfd9a9b43ff5c019ef4190a Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@arpalert.org>
Date: Wed, 26 Aug 2015 08:21:26 +0200
Subject: [PATCH 12/13] DOC: ssl: missing LF
An error message misses an LF
(cherry picked from commit bc965348d7ccc0a306504232ab85dc240fd31fbf)
---
src/ssl_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2ae45ec..8f698c0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1760,7 +1760,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
#else
- Alert("SSLv3 support requested but unavailable.");
+ Alert("SSLv3 support requested but unavailable.\n");
cfgerr++;
#endif
}
--
2.1.4

@ -0,0 +1,30 @@
From d3a93a932430bc1a4cd5d1350820c2bec706e26d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 27 Aug 2015 17:15:05 +0200
Subject: [PATCH 13/13] DOC: fix example of http-request using
ssl_fc_session_id
It was missing the ",hex" resulting in raw binary data being dumped in
the header or the logs. Now we know where these crazy logs originated
from!
(cherry picked from commit fca4261dacab51db960d30120f4bb4201f7e4a51)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1d95b5b..67d273b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3135,7 +3135,7 @@ http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Example:
http-request set-header X-Haproxy-Current-Date %T
http-request set-header X-SSL %[ssl_fc]
- http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
+ http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
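Review bot: the fix is more than cosmetic: without the `hex` converter the raw session ID bytes are copied into the header value, and arbitrary binary (including CR, LF and NUL) in a header value is exactly what corrupts request framing and produces the unreadable logs the commit message describes. A sentence in the doc saying that binary-typed samples must go through `hex` or `base64` before being placed in a header would stop the same mistake being copied from this example into other directives.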
--
2.1.4

@ -0,0 +1,78 @@
From bcd033699c5a4904967652de4980e4f35f17ee34 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 3 Sep 2015 17:15:21 +0200
Subject: [PATCH 14/15] BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
When converting the "method" fetch to a string, we used to get an empty
string if the first character was not an upper case. This was caused by
the lookup function which returns HTTP_METH_NONE when a lookup is not
possible, and this method being mapped to an empty string in the array.
This is a totally stupid mechanism, there's no reason for having the
result depend on the first char. In fact the message parser already
checks that the syntax matches an HTTP token so we can only land there
with a valid token, hence only HTTP_METH_OTHER should be returned.
This fix should be backported to all actively supported branches.
(cherry picked from commit b7ce424be2bc9df73a3b971fa9dd6daea0332bf1)
---
include/types/proto_http.h | 1 -
src/proto_http.c | 11 ++++-------
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
index a5a5d31..dbce972 100644
--- a/include/types/proto_http.h
+++ b/include/types/proto_http.h
@@ -219,7 +219,6 @@ enum {
/* Known HTTP methods */
enum http_meth_t {
- HTTP_METH_NONE = 0,
HTTP_METH_OPTIONS,
HTTP_METH_GET,
HTTP_METH_HEAD,
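Review bot: removing `HTTP_METH_NONE = 0` renumbers every following enumerator (HTTP_METH_OPTIONS becomes 0), so any code that treats the value 0 or the NONE name as an "unset" sentinel (for instance a zero-initialised method field before parsing) now reads as OPTIONS. Grep the tree for remaining uses of HTTP_METH_NONE and for comparisons of the method against 0 before merging.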
diff --git a/src/proto_http.c b/src/proto_http.c
index 02dc42b..46694cb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -361,12 +361,11 @@ const struct http_method_desc http_methods[26][3] = {
[0] = { .meth = HTTP_METH_TRACE , .len=5, .text="TRACE" },
},
/* rest is empty like this :
- * [1] = { .meth = HTTP_METH_NONE , .len=0, .text="" },
+ * [0] = { .meth = HTTP_METH_OTHER , .len=0, .text="" },
*/
};
const struct http_method_name http_known_methods[HTTP_METH_OTHER] = {
- [HTTP_METH_NONE] = { "", 0 },
[HTTP_METH_OPTIONS] = { "OPTIONS", 7 },
[HTTP_METH_GET] = { "GET", 3 },
[HTTP_METH_HEAD] = { "HEAD", 4 },
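Review bot: the corrected comment `[0] = { .meth = HTTP_METH_OTHER , .len=0, .text="" }` now matches what the lookup returns, and `http_known_methods[HTTP_METH_OTHER]` shrinks by one entry automatically with the enum change, but the array is indexed by enum value, so the two hunks must land together: the header change alone would shift every name by one slot.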
@@ -793,8 +792,8 @@ struct chunk *http_error_message(struct session *s, int msgnum)
}
/*
- * returns HTTP_METH_NONE if there is nothing valid to read (empty or non-text
- * string), HTTP_METH_OTHER for unknown methods, or the identified method.
+ * returns a known method among HTTP_METH_* or HTTP_METH_OTHER for all unknown
+ * ones.
*/
enum http_meth_t find_http_meth(const char *str, const int len)
{
@@ -810,10 +809,8 @@ enum http_meth_t find_http_meth(const char *str, const int len)
if (likely(memcmp(str, h->text, h->len) == 0))
return h->meth;
};
- return HTTP_METH_OTHER;
}
- return HTTP_METH_NONE;
-
+ return HTTP_METH_OTHER;
}
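Review bot: `};` at the end of the for loop is an empty statement left over from the original code; since this hunk already rewrites the loop's tail, drop the stray semicolon. With the early `return HTTP_METH_OTHER` gone from inside the `if` and a single return at the end, the function now has one exit for unknown methods, which is what the comment change in the previous hunk promises.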
/* Parse the URI from the given transaction (which is assumed to be in request
--
2.1.4

@ -0,0 +1,49 @@
From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 7 Sep 2015 19:32:33 +0200
Subject: [PATCH 15/15] BUG/MAJOR: http: don't call http_send_name_header()
after an error
A crash was reported when using the "famous" http-send-name-header
directive. This time it's a bit tricky, it requires a certain number of
conditions to be met including maxconn on a server, queuing, timeout in
the queue and cookie-based persistence.
The problem is that in stream.c, before calling http_send_name_header(),
we check a number of conditions to know if we have to replace the header
name. But prior to reaching this place, it's possible for
sess_update_stream_int() to fail and change the stream-int's state to
SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
http_send_name_header() can only be called with valid buffer contents
matching the http_msg's description. So when it rewinds the stream to
modify the header, buf->o becomes negative by the size of the incoming
request and is used as the argument to memmove() which basically
displaces 4GB of memory off a few bytes to write the new name, resulting
in a core and a core file that's really not fun to play with.
The solution obviously consists in refraining from calling this nasty
function when the stream interface is already closed.
This bug also affects 1.5 and possibly 1.4, so the fix must be backported
there.
(cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
---
src/session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/session.c b/src/session.c
index 6d62e36..7520a85 100644
--- a/src/session.c
+++ b/src/session.c
@@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)
/* Now we can add the server name to a header (if requested) */
/* check for HTTP mode and proxy server_name_hdr_name != NULL */
- if ((s->si[1].state >= SI_ST_CON) &&
+ if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&
(s->be->server_id_hdr_name != NULL) &&
(s->be->mode == PR_MODE_HTTP) &&
objt_server(s->target)) {
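Review bot: `(s->si[1].state < SI_ST_CLO)` relies on SI_ST_CLO being the highest stream-interface state; that holds today, but a comment naming the invariant (server side must be connecting or established, not closed) would protect the check if the states are ever reordered. The fix is the minimal one; as defence in depth, http_send_name_header() could also refuse a negative `buf->o` itself instead of handing it to memmove(), so that the next caller that reaches it with flushed buffers fails loudly rather than corrupting memory.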
--
2.1.4

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Tue Sep 8 09:10:02 UTC 2015 - kgronlund@suse.com
- Backport patches from upstream:
- BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
- BUG/MAJOR: http: don't call http_send_name_header() after an error
- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
-------------------------------------------------------------------
Wed Aug 26 22:47:34 UTC 2015 - kgronlund@suse.com
- Backport patches from upstream:
- BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
- DOC: usesrc root privileges requirements
- BUILD: ssl: Allow building against libssl without SSLv3.
- DOC/MINOR: fix OpenBSD versions where haproxy works
- BUG/MINOR: http/sample: gmtime/localtime can fail
- DOC: typo in 'redirect', 302 code meaning
- DOC: mention that %ms is left-padded with zeroes.
- CLEANUP: .gitignore: ignore more test files
- CLEANUP: .gitignore: finally ignore everything but what is known.
- MEDIUM: config: emit a warning on a frontend without listener
- BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
- DOC: ssl: missing LF
- DOC: fix example of http-request using ssl_fc_session_id
- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
- Add 0002-DOC-usesrc-root-privileges-requirements.patch
- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch
- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
- Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
- Add 0012-DOC-ssl-missing-LF.patch
- Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
-------------------------------------------------------------------
Fri Jul 3 16:37:55 UTC 2015 - kgronlund@suse.com

@ -61,6 +61,36 @@ Patch1: haproxy-1.2.16_config_haproxy_user.patch
Patch2: haproxy-makefile_lib.patch
Patch3: sec-options.patch
Patch4: haproxy-1.5.8-fix-bashisms.patch
# BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
Patch5: 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
# DOC: usesrc root privileges requirements
Patch6: 0002-DOC-usesrc-root-privileges-requirements.patch
# BUILD: ssl: Allow building against libssl without SSLv3.
Patch7: 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
# DOC/MINOR: fix OpenBSD versions where haproxy works
Patch8: 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
# BUG/MINOR: http/sample: gmtime/localtime can fail
Patch9: 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
# DOC: typo in 'redirect', 302 code meaning
Patch10: 0006-DOC-typo-in-redirect-302-code-meaning.patch
# DOC: mention that %ms is left-padded with zeroes.
Patch11: 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
# CLEANUP: .gitignore: ignore more test files
Patch12: 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
# CLEANUP: .gitignore: finally ignore everything but what is known.
Patch13: 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
# MEDIUM: config: emit a warning on a frontend without listener
Patch14: 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
# BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
Patch15: 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
# DOC: ssl: missing LF
Patch16: 0012-DOC-ssl-missing-LF.patch
# DOC: fix example of http-request using ssl_fc_session_id
Patch17: 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
# BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
Patch18: 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
# BUG/MAJOR: http: don't call http_send_name_header() after an error
Patch19: 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
#
Source99: haproxy-rpmlintrc
@ -96,7 +126,21 @@ the most work done from every CPU cycle.
%patch2
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%build
%{__make} \