forked from pool/haproxy
Accepting request 329654 from network:ha-clustering:Factory
- Backport patches from upstream: - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry - BUG/MAJOR: http: don't call http_send_name_header() after an error - Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch - Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch - Backport patches from upstream: - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives() - DOC: usesrc root privileges requirements - BUILD: ssl: Allow building against libssl without SSLv3. - DOC/MINOR: fix OpenBSD versions where haproxy works - BUG/MINOR: http/sample: gmtime/localtime can fail - DOC: typo in 'redirect', 302 code meaning - DOC: mention that %ms is left-padded with zeroes. - CLEANUP: .gitignore: ignore more test files - CLEANUP: .gitignore: finally ignore everything but what is known. - MEDIUM: config: emit a warning on a frontend without listener - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry - DOC: ssl: missing LF - DOC: fix example of http-request using ssl_fc_session_id - Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch - Add 0002-DOC-usesrc-root-privileges-requirements.patch - Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch - Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch - Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch - Add 0006-DOC-typo-in-redirect-302-code-meaning.patch - Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch - Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch - Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch - Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch (forwarded request 329653 from KGronlund) OBS-URL: https://build.opensuse.org/request/show/329654 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=32
This commit is contained in:
parent
bc4e2e452d
commit
26c4149063
@ -0,0 +1,64 @@
|
||||
From df0a5960987b3cb663dcfa93d29c21acc13cd3e3 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Thu, 9 Jul 2015 11:20:00 +0200
|
||||
Subject: [PATCH 01/11] BUG/MINOR: log: missing some ARGC_* entries in
|
||||
fmt_directives()
|
||||
|
||||
ARGC_CAP was not added to fmt_directives() which is used to format
|
||||
error messages when failing to parse log format expressions. The
|
||||
whole switch/case has been reorganized to match the declaration
|
||||
order making it easier to spot missing values. The default is not
|
||||
the "log" directive anymore but "undefined" asking to report the
|
||||
bug.
|
||||
|
||||
Backport to 1.5 is not strictly needed but is desirable at least
|
||||
for code sanity.
|
||||
(cherry picked from commit 53e1a6d31743b1bef6063ff30b812521391ae3c3)
|
||||
---
|
||||
src/log.c | 24 ++++++++++++++----------
|
||||
1 file changed, 14 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/log.c b/src/log.c
|
||||
index 1a5ad25..f0a3072 100644
|
||||
--- a/src/log.c
|
||||
+++ b/src/log.c
|
||||
@@ -167,22 +167,26 @@ struct logformat_var_args var_args_list[] = {
|
||||
static inline const char *fmt_directive(const struct proxy *curproxy)
|
||||
{
|
||||
switch (curproxy->conf.args.ctx) {
|
||||
- case ARGC_UIF:
|
||||
- return "unique-id-format";
|
||||
+ case ARGC_ACL:
|
||||
+ return "acl";
|
||||
+ case ARGC_STK:
|
||||
+ return "stick";
|
||||
+ case ARGC_TRK:
|
||||
+ return "track-sc";
|
||||
+ case ARGC_LOG:
|
||||
+ return "log-format";
|
||||
case ARGC_HRQ:
|
||||
return "http-request";
|
||||
case ARGC_HRS:
|
||||
return "http-response";
|
||||
- case ARGC_STK:
|
||||
- return "stick";
|
||||
- case ARGC_TRK:
|
||||
- return "track-sc"; break;
|
||||
+ case ARGC_UIF:
|
||||
+ return "unique-id-format";
|
||||
case ARGC_RDR:
|
||||
- return "redirect"; break;
|
||||
- case ARGC_ACL:
|
||||
- return "acl"; break;
|
||||
+ return "redirect";
|
||||
+ case ARGC_CAP:
|
||||
+ return "capture";
|
||||
default:
|
||||
- return "log-format";
|
||||
+ return "undefined(please report this bug)"; /* must never happen */
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.1.4
|
||||
|
27
0002-DOC-usesrc-root-privileges-requirements.patch
Normal file
27
0002-DOC-usesrc-root-privileges-requirements.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From ea31f225c2c93a25b8bef7a9241a89cecfd9d350 Mon Sep 17 00:00:00 2001
|
||||
From: Baptiste Assmann <bedis9@gmail.com>
|
||||
Date: Fri, 17 Jul 2015 21:59:42 +0200
|
||||
Subject: [PATCH 02/11] DOC: usesrc root privileges requirements
|
||||
|
||||
The "usesrc" parameter of the source statement requires root privileges.
|
||||
(cherry picked from commit 91bd337d90cb347feda34b01402f3471c8a4833c)
|
||||
---
|
||||
doc/configuration.txt | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
||||
index 6714afb..64697a4 100644
|
||||
--- a/doc/configuration.txt
|
||||
+++ b/doc/configuration.txt
|
||||
@@ -6117,6 +6117,8 @@ source <addr>[:<port>] [interface <name>]
|
||||
is possible at the server level using the "source" server option. Refer to
|
||||
section 5 for more information.
|
||||
|
||||
+ In order to work, "usesrc" requires root privileges.
|
||||
+
|
||||
Examples :
|
||||
backend private
|
||||
# Connect to the servers using our 192.168.1.200 source address
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,52 @@
|
||||
From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <jca@wxcvbn.org>
|
||||
Date: Sat, 25 Jul 2015 16:50:52 -0600
|
||||
Subject: [PATCH 03/11] BUILD: ssl: Allow building against libssl without
|
||||
SSLv3.
|
||||
|
||||
If SSLv3 is explicitely requested but not available, warn the user and
|
||||
bail out.
|
||||
(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
|
||||
---
|
||||
src/ssl_sock.c | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
||||
index 7d77d36..2ae45ec 100644
|
||||
--- a/src/ssl_sock.c
|
||||
+++ b/src/ssl_sock.c
|
||||
@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
|
||||
ssloptions |= SSL_OP_NO_TLSv1_2;
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
|
||||
ssloptions |= SSL_OP_NO_TICKET;
|
||||
- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
|
||||
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
|
||||
+#ifndef OPENSSL_NO_SSL3
|
||||
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
|
||||
+#else
|
||||
+ Alert("SSLv3 support requested but unavailable.\n");
|
||||
+ cfgerr++;
|
||||
+#endif
|
||||
+ }
|
||||
if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
|
||||
SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
|
||||
#if SSL_OP_NO_TLSv1_1
|
||||
@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
|
||||
options |= SSL_OP_NO_TLSv1_2;
|
||||
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
|
||||
options |= SSL_OP_NO_TICKET;
|
||||
- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
|
||||
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
|
||||
+#ifndef OPENSSL_NO_SSL3
|
||||
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
|
||||
+#else
|
||||
+ Alert("SSLv3 support requested but unavailable.");
|
||||
+ cfgerr++;
|
||||
+#endif
|
||||
+ }
|
||||
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
|
||||
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
|
||||
#if SSL_OP_NO_TLSv1_1
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,26 @@
|
||||
From e4766ba031e1fea8f2ca139316dc4e8209e960c2 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Jakots <vigdis@chown.me>
|
||||
Date: Wed, 29 Jul 2015 08:03:08 +0200
|
||||
Subject: [PATCH 04/11] DOC/MINOR: fix OpenBSD versions where haproxy works
|
||||
|
||||
(cherry picked from commit 17d228be14762b282e5262262c45ecee4c265552)
|
||||
---
|
||||
README | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/README b/README
|
||||
index add7f06..e267730 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -39,7 +39,7 @@ and assign it to the TARGET variable :
|
||||
- solaris for Solaris 8 or 10 (others untested)
|
||||
- freebsd for FreeBSD 5 to 10 (others untested)
|
||||
- osx for Mac OS/X
|
||||
- - openbsd for OpenBSD 3.1 to 5.2 (others untested)
|
||||
+ - openbsd for OpenBSD 3.1 and above
|
||||
- aix51 for AIX 5.1
|
||||
- aix52 for AIX 5.2
|
||||
- cygwin for Cygwin
|
||||
--
|
||||
2.1.4
|
||||
|
33
0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
Normal file
33
0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 955587271031d66e9b7a768e3bb18dae00b60cc6 Mon Sep 17 00:00:00 2001
|
||||
From: Thierry FOURNIER <tfournier@arpalert.org>
|
||||
Date: Wed, 8 Jul 2015 00:15:20 +0200
|
||||
Subject: [PATCH 05/11] BUG/MINOR: http/sample: gmtime/localtime can fail
|
||||
|
||||
The man said that gmtime() and localtime() can return a NULL value.
|
||||
This is not tested. It appears that all the values of a 32 bit integer
|
||||
are valid, but it is better to check the return of these functions.
|
||||
|
||||
However, if the integer move from 32 bits to 64 bits, some 64 values
|
||||
can be unsupported.
|
||||
(cherry picked from commit fac9ccfb705702f211f99e67d5f5d5129002086a)
|
||||
[wt: we only have sample_conv_date() in 1.5]
|
||||
---
|
||||
src/proto_http.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/proto_http.c b/src/proto_http.c
|
||||
index 5db64b5..02dc42b 100644
|
||||
--- a/src/proto_http.c
|
||||
+++ b/src/proto_http.c
|
||||
@@ -11249,6 +11249,8 @@ static int sample_conv_http_date(const struct arg *args, struct sample *smp)
|
||||
curr_date += args[0].data.sint;
|
||||
|
||||
tm = gmtime(&curr_date);
|
||||
+ if (!tm)
|
||||
+ return 0;
|
||||
|
||||
temp = get_trash_chunk();
|
||||
temp->len = snprintf(temp->str, temp->size - temp->len,
|
||||
--
|
||||
2.1.4
|
||||
|
27
0006-DOC-typo-in-redirect-302-code-meaning.patch
Normal file
27
0006-DOC-typo-in-redirect-302-code-meaning.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 6c7351bdd0778bc171a2b54faed058eadc8c9d0d Mon Sep 17 00:00:00 2001
|
||||
From: Baptiste Assmann <bedis9@gmail.com>
|
||||
Date: Mon, 3 Aug 2015 11:42:50 +0200
|
||||
Subject: [PATCH 06/11] DOC: typo in 'redirect', 302 code meaning
|
||||
|
||||
302 means a temprary move, not a permanent one
|
||||
(cherry picked from commit ea849c0cca63b1b56c9c36f9c3504caa5e826816)
|
||||
---
|
||||
doc/configuration.txt | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
||||
index 64697a4..e8d8b2a 100644
|
||||
--- a/doc/configuration.txt
|
||||
+++ b/doc/configuration.txt
|
||||
@@ -5443,7 +5443,7 @@ redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
|
||||
is desired. Only codes 301, 302, 303, 307 and 308 are supported,
|
||||
with 302 used by default if no code is specified. 301 means
|
||||
"Moved permanently", and a browser may cache the Location. 302
|
||||
- means "Moved permanently" and means that the browser should not
|
||||
+ means "Moved temporarily" and means that the browser should not
|
||||
cache the redirection. 303 is equivalent to 302 except that the
|
||||
browser will fetch the location with a GET method. 307 is just
|
||||
like 302 but makes it clear that the same method must be reused.
|
||||
--
|
||||
2.1.4
|
||||
|
27
0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
Normal file
27
0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From c3453d53f2862b22d8c8e7d2399dfc38ec966aa4 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Sun, 9 Aug 2015 10:56:35 +0200
|
||||
Subject: [PATCH 07/11] DOC: mention that %ms is left-padded with zeroes.
|
||||
|
||||
That's important to emit logs.
|
||||
(cherry picked from commit 812c88ec126e8fc4fc0f7853f265594d03c63956)
|
||||
---
|
||||
doc/configuration.txt | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
||||
index e8d8b2a..1d95b5b 100644
|
||||
--- a/doc/configuration.txt
|
||||
+++ b/doc/configuration.txt
|
||||
@@ -12381,7 +12381,7 @@ Please refer to the table below for currently defined variables :
|
||||
| | %hrl | captured_request_headers CLF style | string list |
|
||||
| | %hs | captured_response_headers default style | string |
|
||||
| | %hsl | captured_response_headers CLF style | string list |
|
||||
- | | %ms | accept date milliseconds | numeric |
|
||||
+ | | %ms | accept date milliseconds (left-padded with 0) | numeric |
|
||||
| | %pid | PID | numeric |
|
||||
| H | %r | http_request | string |
|
||||
| | %rc | retries | numeric |
|
||||
--
|
||||
2.1.4
|
||||
|
50
0008-CLEANUP-.gitignore-ignore-more-test-files.patch
Normal file
50
0008-CLEANUP-.gitignore-ignore-more-test-files.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 1104336c0ba5f474fce8fe7c0125511b59f4dd3d Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Tue, 11 Aug 2015 11:20:45 +0200
|
||||
Subject: [PATCH 08/11] CLEANUP: .gitignore: ignore more test files
|
||||
|
||||
Exclude from "git status" many of the files that often result from
|
||||
development tests and bug reports reproducers.
|
||||
(cherry picked from commit de365a320ead43168e78facfa337130759783515)
|
||||
---
|
||||
.gitignore | 27 +++++++++++++++++++++++++++
|
||||
1 file changed, 27 insertions(+)
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index 762f5ad..f6ccd0e 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -18,3 +18,30 @@ make-*
|
||||
dlmalloc.c
|
||||
00*.patch
|
||||
*.service
|
||||
+*.bak
|
||||
+contrib/base64/base64rev
|
||||
+contrib/halog/halog
|
||||
+contrib/ip6range/ip6range
|
||||
+contrib/iprange/iprange
|
||||
+tests/test_hashes
|
||||
+/*.cfg
|
||||
+/*.conf
|
||||
+/*.diff
|
||||
+/*.patch
|
||||
+/*.c
|
||||
+/*.o
|
||||
+/*.so
|
||||
+/*.txt
|
||||
+/*.TXT
|
||||
+/*.txt.*
|
||||
+/*.prof
|
||||
+/*.gprof
|
||||
+/*.prof.*
|
||||
+/*.gprof.*
|
||||
+/*.tar
|
||||
+/*.tar.gz
|
||||
+/*.tgz
|
||||
+/*.mbox
|
||||
+/*.sh
|
||||
+/bug*
|
||||
+/TAGS
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 5e077624951a65e6aae381c7213fc54984768dd4 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Tue, 11 Aug 2015 11:21:47 +0200
|
||||
Subject: [PATCH 09/11] CLEANUP: .gitignore: finally ignore everything but what
|
||||
is known.
|
||||
|
||||
Still too many files remain, it's easier to block everything but
|
||||
what we know.
|
||||
(cherry picked from commit d71f1766bdbb041f80394662b0d293f033f93005)
|
||||
---
|
||||
.gitignore | 20 ++++++++++++++++++++
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/.gitignore b/.gitignore
|
||||
index f6ccd0e..1953ba3 100644
|
||||
--- a/.gitignore
|
||||
+++ b/.gitignore
|
||||
@@ -45,3 +45,23 @@ tests/test_hashes
|
||||
/*.sh
|
||||
/bug*
|
||||
/TAGS
|
||||
+# Below we forbid everything and only allow what we know, that's much easier
|
||||
+# than blocking about 500 different test files and bug report outputs.
|
||||
+/.*
|
||||
+/*
|
||||
+!/.gitignore
|
||||
+!/CHANGELOG
|
||||
+!/LICENSE
|
||||
+!/Makefile
|
||||
+!/README
|
||||
+!/ROADMAP
|
||||
+!/SUBVERS
|
||||
+!/VERDATE
|
||||
+!/VERSION
|
||||
+!/contrib
|
||||
+!/doc
|
||||
+!/ebtree
|
||||
+!/examples
|
||||
+!/include
|
||||
+!/src
|
||||
+!/tests
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,46 @@
|
||||
From c7c1e55f09839727ba7defd37347fc500dabb202 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Tue, 11 Aug 2015 11:36:45 +0200
|
||||
Subject: [PATCH 10/11] MEDIUM: config: emit a warning on a frontend without
|
||||
listener
|
||||
|
||||
Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind")
|
||||
completely removed the test for bind lines in frontends in order to make it
|
||||
easier for automated tools to generate configs (eg: replacing a bind with
|
||||
another one passing via a temporary config without any bind line). The
|
||||
problem is that some common mistakes are totally hidden now. For example,
|
||||
this apparently valid entry is silently ignored :
|
||||
|
||||
listen 1.2.3.4:8000
|
||||
server s1 127.0.0.1:8000
|
||||
|
||||
Hint: 1.2.3.4:8000 is mistakenly the proxy name here.
|
||||
|
||||
Thus instead we now emit a warning to indicate that a frontend was found
|
||||
with no listener. This should be backported to 1.5 to help spot abnormal
|
||||
configurations.
|
||||
(cherry picked from commit f82d1ca2d7ec83804d6b54e61a35747ad2f85188)
|
||||
---
|
||||
src/cfgparse.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/src/cfgparse.c b/src/cfgparse.c
|
||||
index 2a5f178..d67edc5 100644
|
||||
--- a/src/cfgparse.c
|
||||
+++ b/src/cfgparse.c
|
||||
@@ -6193,6 +6193,12 @@ int check_config_validity()
|
||||
break;
|
||||
}
|
||||
|
||||
+ if ((curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
|
||||
+ Warning("config : %s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
|
||||
+ proxy_type_str(curproxy), curproxy->id);
|
||||
+ err_code |= ERR_WARN;
|
||||
+ }
|
||||
+
|
||||
if ((curproxy->cap & PR_CAP_BE) && (curproxy->mode != PR_MODE_HEALTH)) {
|
||||
if (curproxy->lbprm.algo & BE_LB_KIND) {
|
||||
if (curproxy->options & PR_O_TRANSP) {
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,93 @@
|
||||
From ee12145d38a7dee81a20cf232c724ccb7a46ad8b Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Tue, 18 Aug 2015 17:15:20 +0200
|
||||
Subject: [PATCH 11/11] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0
|
||||
creates a missing entry
|
||||
|
||||
During 1.5-dev20 there was some code refactoring to make the src_* fetch
|
||||
function use the same code as sc_*. Unfortunately this introduced a
|
||||
regression where src_* doesn't create an entry anymore if it does not
|
||||
exist in the table. The reason is that smp_fetch_sc_stkctr() only calls
|
||||
stktable_lookup_key() while src_inc_*/src_clr_* used to make use of
|
||||
stktable_update_key() which additionally create the entry if it does
|
||||
not exist.
|
||||
|
||||
There's no point modifying the common function for these two exceptions,
|
||||
so instead we now have a function dedicated to the creation of this entry
|
||||
for src_* only. It is called when the entry didn't exist, so that requires
|
||||
minimal modifications to existing code.
|
||||
|
||||
Thanks to Thierry Fournier for helping diagnose the issue.
|
||||
|
||||
This fix must be backported to 1.5.
|
||||
(cherry picked from commit 0f4eadd4830279f5ee83aa545728fb750f5c8185)
|
||||
|
||||
[Note: the backport to 1.5 significantly differs from the version in 1.6
|
||||
since we need to use the table's type and to retrieve the source address
|
||||
directly from the connection. At least it matches the way other src_*
|
||||
fetch functions work, and it's been verified to work fine]
|
||||
---
|
||||
src/session.c | 33 +++++++++++++++++++++++++++++++++
|
||||
1 file changed, 33 insertions(+)
|
||||
|
||||
diff --git a/src/session.c b/src/session.c
|
||||
index 5b9e407..6d62e36 100644
|
||||
--- a/src/session.c
|
||||
+++ b/src/session.c
|
||||
@@ -2806,6 +2806,33 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw)
|
||||
return &l4->stkctr[num];
|
||||
}
|
||||
|
||||
+/* same as smp_fetch_sc_stkctr() but dedicated to src_* and can create
|
||||
+ * the entry if it doesn't exist yet. This is needed for a few fetch
|
||||
+ * functions which need to create an entry, such as src_inc_gpc* and
|
||||
+ * src_clr_gpc*.
|
||||
+ */
|
||||
+struct stkctr *
|
||||
+smp_create_src_stkctr(struct session *sess, const struct arg *args, const char *kw)
|
||||
+{
|
||||
+ static struct stkctr stkctr;
|
||||
+ struct stktable_key *key;
|
||||
+ struct connection *conn = objt_conn(sess->si[0].end);
|
||||
+
|
||||
+ if (strncmp(kw, "src_", 4) != 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (!conn)
|
||||
+ return NULL;
|
||||
+
|
||||
+ key = addr_to_stktable_key(&conn->addr.from, args->data.prx->table.type);
|
||||
+ if (!key)
|
||||
+ return NULL;
|
||||
+
|
||||
+ stkctr.table = &args->data.prx->table;
|
||||
+ stkctr_set_entry(&stkctr, stktable_update_key(stkctr.table, key));
|
||||
+ return &stkctr;
|
||||
+}
|
||||
+
|
||||
/* set return a boolean indicating if the requested session counter is
|
||||
* currently being tracked or not.
|
||||
* Supports being called as "sc[0-9]_tracked" only.
|
||||
@@ -2887,6 +2914,9 @@ smp_fetch_sc_inc_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
|
||||
if (!stkctr)
|
||||
return 0;
|
||||
|
||||
+ if (stkctr_entry(stkctr) == NULL)
|
||||
+ stkctr = smp_create_src_stkctr(l4, args, kw);
|
||||
+
|
||||
smp->flags = SMP_F_VOL_TEST;
|
||||
smp->type = SMP_T_UINT;
|
||||
smp->data.uint = 0;
|
||||
@@ -2924,6 +2954,9 @@ smp_fetch_sc_clr_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
|
||||
if (!stkctr)
|
||||
return 0;
|
||||
|
||||
+ if (stkctr_entry(stkctr) == NULL)
|
||||
+ stkctr = smp_create_src_stkctr(l4, args, kw);
|
||||
+
|
||||
smp->flags = SMP_F_VOL_TEST;
|
||||
smp->type = SMP_T_UINT;
|
||||
smp->data.uint = 0;
|
||||
--
|
||||
2.1.4
|
||||
|
27
0012-DOC-ssl-missing-LF.patch
Normal file
27
0012-DOC-ssl-missing-LF.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 2272b4ffde38c836adfd9a9b43ff5c019ef4190a Mon Sep 17 00:00:00 2001
|
||||
From: Thierry FOURNIER <tfournier@arpalert.org>
|
||||
Date: Wed, 26 Aug 2015 08:21:26 +0200
|
||||
Subject: [PATCH 12/13] DOC: ssl: missing LF
|
||||
|
||||
An error message miss LF
|
||||
(cherry picked from commit bc965348d7ccc0a306504232ab85dc240fd31fbf)
|
||||
---
|
||||
src/ssl_sock.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
||||
index 2ae45ec..8f698c0 100644
|
||||
--- a/src/ssl_sock.c
|
||||
+++ b/src/ssl_sock.c
|
||||
@@ -1760,7 +1760,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
|
||||
#else
|
||||
- Alert("SSLv3 support requested but unavailable.");
|
||||
+ Alert("SSLv3 support requested but unavailable.\n");
|
||||
cfgerr++;
|
||||
#endif
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,30 @@
|
||||
From d3a93a932430bc1a4cd5d1350820c2bec706e26d Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Thu, 27 Aug 2015 17:15:05 +0200
|
||||
Subject: [PATCH 13/13] DOC: fix example of http-request using
|
||||
ssl_fc_session_id
|
||||
|
||||
It was missing the ",hex" resulting in raw binary data being dumped in
|
||||
the header or the logs. Now we know where these crazy logs originated
|
||||
from!
|
||||
(cherry picked from commit fca4261dacab51db960d30120f4bb4201f7e4a51)
|
||||
---
|
||||
doc/configuration.txt | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
||||
index 1d95b5b..67d273b 100644
|
||||
--- a/doc/configuration.txt
|
||||
+++ b/doc/configuration.txt
|
||||
@@ -3135,7 +3135,7 @@ http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
|
||||
Example:
|
||||
http-request set-header X-Haproxy-Current-Date %T
|
||||
http-request set-header X-SSL %[ssl_fc]
|
||||
- http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
|
||||
+ http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
|
||||
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
|
||||
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
|
||||
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
|
||||
--
|
||||
2.1.4
|
||||
|
78
0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
Normal file
78
0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From bcd033699c5a4904967652de4980e4f35f17ee34 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Thu, 3 Sep 2015 17:15:21 +0200
|
||||
Subject: [PATCH 14/15] BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
|
||||
|
||||
When converting the "method" fetch to a string, we used to get an empty
|
||||
string if the first character was not an upper case. This was caused by
|
||||
the lookup function which returns HTTP_METH_NONE when a lookup is not
|
||||
possible, and this method being mapped to an empty string in the array.
|
||||
|
||||
This is a totally stupid mechanism, there's no reason for having the
|
||||
result depend on the first char. In fact the message parser already
|
||||
checks that the syntax matches an HTTP token so we can only land there
|
||||
with a valid token, hence only HTTP_METH_OTHER should be returned.
|
||||
|
||||
This fix should be backported to all actively supported branches.
|
||||
(cherry picked from commit b7ce424be2bc9df73a3b971fa9dd6daea0332bf1)
|
||||
---
|
||||
include/types/proto_http.h | 1 -
|
||||
src/proto_http.c | 11 ++++-------
|
||||
2 files changed, 4 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
|
||||
index a5a5d31..dbce972 100644
|
||||
--- a/include/types/proto_http.h
|
||||
+++ b/include/types/proto_http.h
|
||||
@@ -219,7 +219,6 @@ enum {
|
||||
|
||||
/* Known HTTP methods */
|
||||
enum http_meth_t {
|
||||
- HTTP_METH_NONE = 0,
|
||||
HTTP_METH_OPTIONS,
|
||||
HTTP_METH_GET,
|
||||
HTTP_METH_HEAD,
|
||||
diff --git a/src/proto_http.c b/src/proto_http.c
|
||||
index 02dc42b..46694cb 100644
|
||||
--- a/src/proto_http.c
|
||||
+++ b/src/proto_http.c
|
||||
@@ -361,12 +361,11 @@ const struct http_method_desc http_methods[26][3] = {
|
||||
[0] = { .meth = HTTP_METH_TRACE , .len=5, .text="TRACE" },
|
||||
},
|
||||
/* rest is empty like this :
|
||||
- * [1] = { .meth = HTTP_METH_NONE , .len=0, .text="" },
|
||||
+ * [0] = { .meth = HTTP_METH_OTHER , .len=0, .text="" },
|
||||
*/
|
||||
};
|
||||
|
||||
const struct http_method_name http_known_methods[HTTP_METH_OTHER] = {
|
||||
- [HTTP_METH_NONE] = { "", 0 },
|
||||
[HTTP_METH_OPTIONS] = { "OPTIONS", 7 },
|
||||
[HTTP_METH_GET] = { "GET", 3 },
|
||||
[HTTP_METH_HEAD] = { "HEAD", 4 },
|
||||
@@ -793,8 +792,8 @@ struct chunk *http_error_message(struct session *s, int msgnum)
|
||||
}
|
||||
|
||||
/*
|
||||
- * returns HTTP_METH_NONE if there is nothing valid to read (empty or non-text
|
||||
- * string), HTTP_METH_OTHER for unknown methods, or the identified method.
|
||||
+ * returns a known method among HTTP_METH_* or HTTP_METH_OTHER for all unknown
|
||||
+ * ones.
|
||||
*/
|
||||
enum http_meth_t find_http_meth(const char *str, const int len)
|
||||
{
|
||||
@@ -810,10 +809,8 @@ enum http_meth_t find_http_meth(const char *str, const int len)
|
||||
if (likely(memcmp(str, h->text, h->len) == 0))
|
||||
return h->meth;
|
||||
};
|
||||
- return HTTP_METH_OTHER;
|
||||
}
|
||||
- return HTTP_METH_NONE;
|
||||
-
|
||||
+ return HTTP_METH_OTHER;
|
||||
}
|
||||
|
||||
/* Parse the URI from the given transaction (which is assumed to be in request
|
||||
--
|
||||
2.1.4
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Mon, 7 Sep 2015 19:32:33 +0200
|
||||
Subject: [PATCH 15/15] BUG/MAJOR: http: don't call http_send_name_header()
|
||||
after an error
|
||||
|
||||
A crash was reported when using the "famous" http-send-name-header
|
||||
directive. This time it's a bit tricky, it requires a certain number of
|
||||
conditions to be met including maxconn on a server, queuing, timeout in
|
||||
the queue and cookie-based persistence.
|
||||
|
||||
The problem is that in stream.c, before calling http_send_name_header(),
|
||||
we check a number of conditions to know if we have to replace the header
|
||||
name. But prior to reaching this place, it's possible for
|
||||
sess_update_stream_int() to fail and change the stream-int's state to
|
||||
SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
|
||||
http_send_name_header() can only be called with valid buffer contents
|
||||
matching the http_msg's description. So when it rewinds the stream to
|
||||
modify the header, buf->o becomes negative by the size of the incoming
|
||||
request and is used as the argument to memmove() which basically
|
||||
displaces 4GB of memory off a few bytes to write the new name, resulting
|
||||
in a core and a core file that's really not fun to play with.
|
||||
|
||||
The solution obviously consists in refraining from calling this nasty
|
||||
function when the stream interface is already closed.
|
||||
|
||||
This bug also affects 1.5 and possibly 1.4, so the fix must be backported
|
||||
there.
|
||||
(cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
|
||||
---
|
||||
src/session.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/session.c b/src/session.c
|
||||
index 6d62e36..7520a85 100644
|
||||
--- a/src/session.c
|
||||
+++ b/src/session.c
|
||||
@@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)
|
||||
|
||||
/* Now we can add the server name to a header (if requested) */
|
||||
/* check for HTTP mode and proxy server_name_hdr_name != NULL */
|
||||
- if ((s->si[1].state >= SI_ST_CON) &&
|
||||
+ if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&
|
||||
(s->be->server_id_hdr_name != NULL) &&
|
||||
(s->be->mode == PR_MODE_HTTP) &&
|
||||
objt_server(s->target)) {
|
||||
--
|
||||
2.1.4
|
||||
|
@ -1,3 +1,44 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 8 09:10:02 UTC 2015 - kgronlund@suse.com
|
||||
|
||||
- Backport patches from upstream:
|
||||
- BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
|
||||
- BUG/MAJOR: http: don't call http_send_name_header() after an error
|
||||
- Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
|
||||
- Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 26 22:47:34 UTC 2015 - kgronlund@suse.com
|
||||
|
||||
- Backport patches from upstream:
|
||||
- BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
|
||||
- DOC: usesrc root privileges requirements
|
||||
- BUILD: ssl: Allow building against libssl without SSLv3.
|
||||
- DOC/MINOR: fix OpenBSD versions where haproxy works
|
||||
- BUG/MINOR: http/sample: gmtime/localtime can fail
|
||||
- DOC: typo in 'redirect', 302 code meaning
|
||||
- DOC: mention that %ms is left-padded with zeroes.
|
||||
- CLEANUP: .gitignore: ignore more test files
|
||||
- CLEANUP: .gitignore: finally ignore everything but what is known.
|
||||
- MEDIUM: config: emit a warning on a frontend without listener
|
||||
- BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
|
||||
- DOC: ssl: missing LF
|
||||
- DOC: fix example of http-request using ssl_fc_session_id
|
||||
|
||||
- Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
|
||||
- Add 0002-DOC-usesrc-root-privileges-requirements.patch
|
||||
- Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
|
||||
- Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
|
||||
- Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
|
||||
- Add 0006-DOC-typo-in-redirect-302-code-meaning.patch
|
||||
- Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
|
||||
- Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
|
||||
- Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
|
||||
- Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
|
||||
- Add 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
|
||||
- Add 0012-DOC-ssl-missing-LF.patch
|
||||
- Add 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 3 16:37:55 UTC 2015 - kgronlund@suse.com
|
||||
|
||||
|
46
haproxy.spec
46
haproxy.spec
@ -61,6 +61,36 @@ Patch1: haproxy-1.2.16_config_haproxy_user.patch
|
||||
Patch2: haproxy-makefile_lib.patch
|
||||
Patch3: sec-options.patch
|
||||
Patch4: haproxy-1.5.8-fix-bashisms.patch
|
||||
# BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
|
||||
Patch5: 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
|
||||
# DOC: usesrc root privileges requirements
|
||||
Patch6: 0002-DOC-usesrc-root-privileges-requirements.patch
|
||||
# BUILD: ssl: Allow building against libssl without SSLv3.
|
||||
Patch7: 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
|
||||
# DOC/MINOR: fix OpenBSD versions where haproxy works
|
||||
Patch8: 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
|
||||
# BUG/MINOR: http/sample: gmtime/localtime can fail
|
||||
Patch9: 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
|
||||
# DOC: typo in 'redirect', 302 code meaning
|
||||
Patch10: 0006-DOC-typo-in-redirect-302-code-meaning.patch
|
||||
# DOC: mention that %ms is left-padded with zeroes.
|
||||
Patch11: 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
|
||||
# CLEANUP: .gitignore: ignore more test files
|
||||
Patch12: 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
|
||||
# CLEANUP: .gitignore: finally ignore everything but what is known.
|
||||
Patch13: 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
|
||||
# MEDIUM: config: emit a warning on a frontend without listener
|
||||
Patch14: 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
|
||||
# BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
|
||||
Patch15: 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
|
||||
# DOC: ssl: missing LF
|
||||
Patch16: 0012-DOC-ssl-missing-LF.patch
|
||||
# DOC: fix example of http-request using ssl_fc_session_id
|
||||
Patch17: 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
|
||||
# BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
|
||||
Patch18: 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
|
||||
# BUG/MAJOR: http: don't call http_send_name_header() after an error
|
||||
Patch19: 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
|
||||
|
||||
#
|
||||
Source99: haproxy-rpmlintrc
|
||||
@ -96,7 +126,21 @@ the most work done from every CPU cycle.
|
||||
%patch2
|
||||
%patch3
|
||||
%patch4 -p1
|
||||
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
|
||||
%build
|
||||
%{__make} \
|
||||
|
Loading…
Reference in New Issue
Block a user