forked from pool/haproxy

Accepting request 343758 from server:http

- fix link to tarball

- update to 1.6.2
  - BUILD: ssl: fix build error introduced in commit 7969a3 with
    OpenSSL < 1.0.0
  - DOC: fix a typo for a "deviceatlas" keyword
  - FIX: small typo in an example using the "Referer" header
  - BUG/MEDIUM: config: count memory limits on 64 bits, not 32
  - BUG/MAJOR: dns: first DNS response packet not matching queried
    hostname may lead to a loop
  - BUG/MINOR: dns: unable to parse CNAMEs response
  - BUG/MINOR: examples/haproxy.init: missing brace in
    quiet_check()
  - DOC: deviceatlas: more example use cases.
  - BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in
    install-bin.
  - BUG/MAJOR: http: don't requeue an idle connection that is
    already queued
  - DOC: typo on capture.res.hdr and capture.req.hdr
  - BUG/MINOR: dns: check for duplicate nameserver id in a
    resolvers section was missing
  - CLEANUP: use direction names in place of numeric values
  - BUG/MEDIUM: lua: sample fetches based on response doesn't work
- drop haproxy-1.6.0-ssl-098.patch: included upstream

- update to 1.6.1
  - DOC: specify that stats socket doc (section 9.2) is in
    management
  - BUILD: install only relevant and existing documentation
  - CLEANUP: don't ignore debian/ directory if present

OBS-URL: https://build.opensuse.org/request/show/343758
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=34
This commit is contained in:
Dominique Leuenberger 2015-11-12 18:41:05 +00:00 committed by Git OBS Bridge
commit b392088efb
26 changed files with 303 additions and 1030 deletions

@ -1,64 +0,0 @@
From df0a5960987b3cb663dcfa93d29c21acc13cd3e3 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 9 Jul 2015 11:20:00 +0200
Subject: [PATCH 01/11] BUG/MINOR: log: missing some ARGC_* entries in
fmt_directives()
ARGC_CAP was not added to fmt_directives() which is used to format
error messages when failing to parse log format expressions. The
whole switch/case has been reorganized to match the declaration
order making it easier to spot missing values. The default is not
the "log" directive anymore but "undefined" asking to report the
bug.
Backport to 1.5 is not strictly needed but is desirable at least
for code sanity.
(cherry picked from commit 53e1a6d31743b1bef6063ff30b812521391ae3c3)
---
src/log.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/log.c b/src/log.c
index 1a5ad25..f0a3072 100644
--- a/src/log.c
+++ b/src/log.c
@@ -167,22 +167,26 @@ struct logformat_var_args var_args_list[] = {
static inline const char *fmt_directive(const struct proxy *curproxy)
{
switch (curproxy->conf.args.ctx) {
- case ARGC_UIF:
- return "unique-id-format";
+ case ARGC_ACL:
+ return "acl";
+ case ARGC_STK:
+ return "stick";
+ case ARGC_TRK:
+ return "track-sc";
+ case ARGC_LOG:
+ return "log-format";
case ARGC_HRQ:
return "http-request";
case ARGC_HRS:
return "http-response";
- case ARGC_STK:
- return "stick";
- case ARGC_TRK:
- return "track-sc"; break;
+ case ARGC_UIF:
+ return "unique-id-format";
case ARGC_RDR:
- return "redirect"; break;
- case ARGC_ACL:
- return "acl"; break;
+ return "redirect";
+ case ARGC_CAP:
+ return "capture";
default:
- return "log-format";
+ return "undefined(please report this bug)"; /* must never happen */
}
}
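
Review bot: In the default branch of fmt_directive(), the comment says "must never happen", but the default label is also what lets a missing ARGC_* value compile without any diagnostic. If conf.args.ctx is an enum, dropping the default label and returning the "undefined" string after the switch would let the compiler's switch-coverage warning flag the next omitted value. The subject line also names fmt_directives() while the function in this hunk is fmt_directive().
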
--
2.1.4

@ -1,27 +0,0 @@
From ea31f225c2c93a25b8bef7a9241a89cecfd9d350 Mon Sep 17 00:00:00 2001
From: Baptiste Assmann <bedis9@gmail.com>
Date: Fri, 17 Jul 2015 21:59:42 +0200
Subject: [PATCH 02/11] DOC: usesrc root privileges requirements
The "usesrc" parameter of the source statement requires root privileges.
(cherry picked from commit 91bd337d90cb347feda34b01402f3471c8a4833c)
---
doc/configuration.txt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 6714afb..64697a4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6117,6 +6117,8 @@ source <addr>[:<port>] [interface <name>]
is possible at the server level using the "source" server option. Refer to
section 5 for more information.
+ In order to work, "usesrc" requires root privileges.
+
Examples :
backend private
# Connect to the servers using our 192.168.1.200 source address
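
Review bot: The sentence added to the "source" section says "usesrc" requires root privileges but not at which point. State whether the process only has to be started as root or has to stay root, because a reader who drops privileges with "user"/"group" in the global section cannot tell from this line whether the two are compatible.
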
--
2.1.4

@ -1,52 +0,0 @@
From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <jca@wxcvbn.org>
Date: Sat, 25 Jul 2015 16:50:52 -0600
Subject: [PATCH 03/11] BUILD: ssl: Allow building against libssl without
SSLv3.
If SSLv3 is explicitely requested but not available, warn the user and
bail out.
(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
---
src/ssl_sock.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7d77d36..2ae45ec 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+#else
+ Alert("SSLv3 support requested but unavailable.\n");
+ cfgerr++;
+#endif
+ }
if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
#if SSL_OP_NO_TLSv1_1
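
Review bot: In the #else branch added to ssl_sock_prepare_ctx(), the Alert() text does not say which bind line or proxy asked for SSLv3, so on a configuration with many listeners the user has to search for it. bind_conf and the proxy argument are both in scope at this point; put the proxy name in the message.
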
@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
options |= SSL_OP_NO_TLSv1_2;
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+#else
+ Alert("SSLv3 support requested but unavailable.");
+ cfgerr++;
+#endif
+ }
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
#if SSL_OP_NO_TLSv1_1
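
Review bot: The Alert() call in the #else branch of ssl_sock_prepare_srv_ctx() lacks the trailing "\n" that the matching call in ssl_sock_prepare_ctx() has, so the next message will run onto the same line. Make it Alert("SSLv3 support requested but unavailable.\n"); and name the server in the text so the offending line can be found.
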
--
2.1.4

@ -1,26 +0,0 @@
From e4766ba031e1fea8f2ca139316dc4e8209e960c2 Mon Sep 17 00:00:00 2001
From: Daniel Jakots <vigdis@chown.me>
Date: Wed, 29 Jul 2015 08:03:08 +0200
Subject: [PATCH 04/11] DOC/MINOR: fix OpenBSD versions where haproxy works
(cherry picked from commit 17d228be14762b282e5262262c45ecee4c265552)
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index add7f06..e267730 100644
--- a/README
+++ b/README
@@ -39,7 +39,7 @@ and assign it to the TARGET variable :
- solaris for Solaris 8 or 10 (others untested)
- freebsd for FreeBSD 5 to 10 (others untested)
- osx for Mac OS/X
- - openbsd for OpenBSD 3.1 to 5.2 (others untested)
+ - openbsd for OpenBSD 3.1 and above
- aix51 for AIX 5.1
- aix52 for AIX 5.2
- cygwin for Cygwin
--
2.1.4

@ -1,33 +0,0 @@
From 955587271031d66e9b7a768e3bb18dae00b60cc6 Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@arpalert.org>
Date: Wed, 8 Jul 2015 00:15:20 +0200
Subject: [PATCH 05/11] BUG/MINOR: http/sample: gmtime/localtime can fail
The man said that gmtime() and localtime() can return a NULL value.
This is not tested. It appears that all the values of a 32 bit integer
are valid, but it is better to check the return of these functions.
However, if the integer move from 32 bits to 64 bits, some 64 values
can be unsupported.
(cherry picked from commit fac9ccfb705702f211f99e67d5f5d5129002086a)
[wt: we only have sample_conv_date() in 1.5]
---
src/proto_http.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/proto_http.c b/src/proto_http.c
index 5db64b5..02dc42b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -11249,6 +11249,8 @@ static int sample_conv_http_date(const struct arg *args, struct sample *smp)
curr_date += args[0].data.sint;
tm = gmtime(&curr_date);
+ if (!tm)
+ return 0;
temp = get_trash_chunk();
temp->len = snprintf(temp->str, temp->size - temp->len,
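
Review bot: The NULL check added after gmtime() in sample_conv_http_date() carries no comment, and the early "return 0" is silent to whoever wrote the configuration. A one-line comment saying that gmtime() can return NULL when curr_date, after args[0].data.sint has been added, is out of range would explain why the converter gives up here. The check is placed correctly, before get_trash_chunk() and the formatting that follows.
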
--
2.1.4

@ -1,27 +0,0 @@
From 6c7351bdd0778bc171a2b54faed058eadc8c9d0d Mon Sep 17 00:00:00 2001
From: Baptiste Assmann <bedis9@gmail.com>
Date: Mon, 3 Aug 2015 11:42:50 +0200
Subject: [PATCH 06/11] DOC: typo in 'redirect', 302 code meaning
302 means a temprary move, not a permanent one
(cherry picked from commit ea849c0cca63b1b56c9c36f9c3504caa5e826816)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 64697a4..e8d8b2a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5443,7 +5443,7 @@ redirect scheme <sch> [code <code>] <option> [{if | unless} <condition>]
is desired. Only codes 301, 302, 303, 307 and 308 are supported,
with 302 used by default if no code is specified. 301 means
"Moved permanently", and a browser may cache the Location. 302
- means "Moved permanently" and means that the browser should not
+ means "Moved temporarily" and means that the browser should not
cache the redirection. 303 is equivalent to 302 except that the
browser will fetch the location with a GET method. 307 is just
like 302 but makes it clear that the same method must be reused.
--
2.1.4

@ -1,27 +0,0 @@
From c3453d53f2862b22d8c8e7d2399dfc38ec966aa4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sun, 9 Aug 2015 10:56:35 +0200
Subject: [PATCH 07/11] DOC: mention that %ms is left-padded with zeroes.
That's important to emit logs.
(cherry picked from commit 812c88ec126e8fc4fc0f7853f265594d03c63956)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e8d8b2a..1d95b5b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12381,7 +12381,7 @@ Please refer to the table below for currently defined variables :
| | %hrl | captured_request_headers CLF style | string list |
| | %hs | captured_response_headers default style | string |
| | %hsl | captured_response_headers CLF style | string list |
- | | %ms | accept date milliseconds | numeric |
+ | | %ms | accept date milliseconds (left-padded with 0) | numeric |
| | %pid | PID | numeric |
| H | %r | http_request | string |
| | %rc | retries | numeric |
--
2.1.4

@ -1,50 +0,0 @@
From 1104336c0ba5f474fce8fe7c0125511b59f4dd3d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:20:45 +0200
Subject: [PATCH 08/11] CLEANUP: .gitignore: ignore more test files
Exclude from "git status" many of the files that often result from
development tests and bug reports reproducers.
(cherry picked from commit de365a320ead43168e78facfa337130759783515)
---
.gitignore | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/.gitignore b/.gitignore
index 762f5ad..f6ccd0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,30 @@ make-*
dlmalloc.c
00*.patch
*.service
+*.bak
+contrib/base64/base64rev
+contrib/halog/halog
+contrib/ip6range/ip6range
+contrib/iprange/iprange
+tests/test_hashes
+/*.cfg
+/*.conf
+/*.diff
+/*.patch
+/*.c
+/*.o
+/*.so
+/*.txt
+/*.TXT
+/*.txt.*
+/*.prof
+/*.gprof
+/*.prof.*
+/*.gprof.*
+/*.tar
+/*.tar.gz
+/*.tgz
+/*.mbox
+/*.sh
+/bug*
+/TAGS
--
2.1.4

@ -1,44 +0,0 @@
From 5e077624951a65e6aae381c7213fc54984768dd4 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:21:47 +0200
Subject: [PATCH 09/11] CLEANUP: .gitignore: finally ignore everything but what
is known.
Still too many files remain, it's easier to block everything but
what we know.
(cherry picked from commit d71f1766bdbb041f80394662b0d293f033f93005)
---
.gitignore | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/.gitignore b/.gitignore
index f6ccd0e..1953ba3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,3 +45,23 @@ tests/test_hashes
/*.sh
/bug*
/TAGS
+# Below we forbid everything and only allow what we know, that's much easier
+# than blocking about 500 different test files and bug report outputs.
+/.*
+/*
+!/.gitignore
+!/CHANGELOG
+!/LICENSE
+!/Makefile
+!/README
+!/ROADMAP
+!/SUBVERS
+!/VERDATE
+!/VERSION
+!/contrib
+!/doc
+!/ebtree
+!/examples
+!/include
+!/src
+!/tests
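
Review bot: The "/.*" and "/*" patterns turn this file into an allow-list, so a new top-level file or directory that is not given its own "!/name" entry will never show up in "git status" and can be left out of a commit unnoticed. Add a line to the leading comment telling contributors to extend the list when they add a top-level path. The root-anchored patterns just above the new block ("/*.sh", "/bug*", "/TAGS") are now redundant, since "/*" already covers them.
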
--
2.1.4

@ -1,46 +0,0 @@
From c7c1e55f09839727ba7defd37347fc500dabb202 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Aug 2015 11:36:45 +0200
Subject: [PATCH 10/11] MEDIUM: config: emit a warning on a frontend without
listener
Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind")
completely removed the test for bind lines in frontends in order to make it
easier for automated tools to generate configs (eg: replacing a bind with
another one passing via a temporary config without any bind line). The
problem is that some common mistakes are totally hidden now. For example,
this apparently valid entry is silently ignored :
listen 1.2.3.4:8000
server s1 127.0.0.1:8000
Hint: 1.2.3.4:8000 is mistakenly the proxy name here.
Thus instead we now emit a warning to indicate that a frontend was found
with no listener. This should be backported to 1.5 to help spot abnormal
configurations.
(cherry picked from commit f82d1ca2d7ec83804d6b54e61a35747ad2f85188)
---
src/cfgparse.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 2a5f178..d67edc5 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -6193,6 +6193,12 @@ int check_config_validity()
break;
}
+ if ((curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
+ Warning("config : %s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
+ proxy_type_str(curproxy), curproxy->id);
+ err_code |= ERR_WARN;
+ }
+
if ((curproxy->cap & PR_CAP_BE) && (curproxy->mode != PR_MODE_HEALTH)) {
if (curproxy->lbprm.algo & BE_LB_KIND) {
if (curproxy->options & PR_O_TRANSP) {
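
Review bot: The Warning() text only addresses the case where the missing 'bind' is deliberate ("Please declare it as a backend if this was intended"), whereas the commit message's motivating case is an address typed where the proxy name belongs. Add a hint for that case, for example asking the user to check whether the section name is a misplaced address, so the person who wrote "listen 1.2.3.4:8000" is pointed at the actual mistake.
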
--
2.1.4

@ -1,93 +0,0 @@
From ee12145d38a7dee81a20cf232c724ccb7a46ad8b Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 18 Aug 2015 17:15:20 +0200
Subject: [PATCH 11/11] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0
creates a missing entry
During 1.5-dev20 there was some code refactoring to make the src_* fetch
function use the same code as sc_*. Unfortunately this introduced a
regression where src_* doesn't create an entry anymore if it does not
exist in the table. The reason is that smp_fetch_sc_stkctr() only calls
stktable_lookup_key() while src_inc_*/src_clr_* used to make use of
stktable_update_key() which additionally create the entry if it does
not exist.
There's no point modifying the common function for these two exceptions,
so instead we now have a function dedicated to the creation of this entry
for src_* only. It is called when the entry didn't exist, so that requires
minimal modifications to existing code.
Thanks to Thierry Fournier for helping diagnose the issue.
This fix must be backported to 1.5.
(cherry picked from commit 0f4eadd4830279f5ee83aa545728fb750f5c8185)
[Note: the backport to 1.5 significantly differs from the version in 1.6
since we need to use the table's type and to retrieve the source address
directly from the connection. At least it matches the way other src_*
fetch functions work, and it's been verified to work fine]
---
src/session.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/src/session.c b/src/session.c
index 5b9e407..6d62e36 100644
--- a/src/session.c
+++ b/src/session.c
@@ -2806,6 +2806,33 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw)
return &l4->stkctr[num];
}
+/* same as smp_fetch_sc_stkctr() but dedicated to src_* and can create
+ * the entry if it doesn't exist yet. This is needed for a few fetch
+ * functions which need to create an entry, such as src_inc_gpc* and
+ * src_clr_gpc*.
+ */
+struct stkctr *
+smp_create_src_stkctr(struct session *sess, const struct arg *args, const char *kw)
+{
+ static struct stkctr stkctr;
+ struct stktable_key *key;
+ struct connection *conn = objt_conn(sess->si[0].end);
+
+ if (strncmp(kw, "src_", 4) != 0)
+ return NULL;
+
+ if (!conn)
+ return NULL;
+
+ key = addr_to_stktable_key(&conn->addr.from, args->data.prx->table.type);
+ if (!key)
+ return NULL;
+
+ stkctr.table = &args->data.prx->table;
+ stkctr_set_entry(&stkctr, stktable_update_key(stkctr.table, key));
+ return &stkctr;
+}
+
/* set return a boolean indicating if the requested session counter is
* currently being tracked or not.
* Supports being called as "sc[0-9]_tracked" only.
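
Review bot: smp_create_src_stkctr() returns the address of a function-local "static struct stkctr stkctr", so every call overwrites the result of the previous one and the pointer must not be kept across calls; the function comment should say so. In the same function, args->data.prx is dereferenced without a check and the value returned by stktable_update_key() is stored unchecked, so if that call can fail the caller receives a stkctr whose entry is still NULL.
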
@@ -2887,6 +2914,9 @@ smp_fetch_sc_inc_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
if (!stkctr)
return 0;
+ if (stkctr_entry(stkctr) == NULL)
+ stkctr = smp_create_src_stkctr(l4, args, kw);
+
smp->flags = SMP_F_VOL_TEST;
smp->type = SMP_T_UINT;
smp->data.uint = 0;
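
Review bot: stkctr can be NULL after the added assignment in smp_fetch_sc_inc_gpc0(): the "if (!stkctr) return 0;" guard runs before it, and smp_create_src_stkctr() returns NULL when the keyword does not start with "src_", when there is no connection, and when no key can be built. The code below this hunk therefore has to test stkctr itself, not only stkctr_entry(stkctr), before using it.
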
@@ -2924,6 +2954,9 @@ smp_fetch_sc_clr_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
if (!stkctr)
return 0;
+ if (stkctr_entry(stkctr) == NULL)
+ stkctr = smp_create_src_stkctr(l4, args, kw);
+
smp->flags = SMP_F_VOL_TEST;
smp->type = SMP_T_UINT;
smp->data.uint = 0;
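
Review bot: stkctr can be NULL after the added assignment in smp_fetch_sc_clr_gpc0(), because the only visible NULL check precedes the call and smp_create_src_stkctr() has three NULL return paths (keyword not "src_", no connection, no key). Re-check stkctr after the call or fold the test into the later use.
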
--
2.1.4

@ -1,27 +0,0 @@
From 2272b4ffde38c836adfd9a9b43ff5c019ef4190a Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@arpalert.org>
Date: Wed, 26 Aug 2015 08:21:26 +0200
Subject: [PATCH 12/13] DOC: ssl: missing LF
An error message miss LF
(cherry picked from commit bc965348d7ccc0a306504232ab85dc240fd31fbf)
---
src/ssl_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2ae45ec..8f698c0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1760,7 +1760,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
#ifndef OPENSSL_NO_SSL3
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
#else
- Alert("SSLv3 support requested but unavailable.");
+ Alert("SSLv3 support requested but unavailable.\n");
cfgerr++;
#endif
}
--
2.1.4

@ -1,30 +0,0 @@
From d3a93a932430bc1a4cd5d1350820c2bec706e26d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 27 Aug 2015 17:15:05 +0200
Subject: [PATCH 13/13] DOC: fix example of http-request using
ssl_fc_session_id
It was missing the ",hex" resulting in raw binary data being dumped in
the header or the logs. Now we know where these crazy logs originated
from!
(cherry picked from commit fca4261dacab51db960d30120f4bb4201f7e4a51)
---
doc/configuration.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1d95b5b..67d273b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3135,7 +3135,7 @@ http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
Example:
http-request set-header X-Haproxy-Current-Date %T
http-request set-header X-SSL %[ssl_fc]
- http-request set-header X-SSL-Session_ID %[ssl_fc_session_id]
+ http-request set-header X-SSL-Session_ID %[ssl_fc_session_id,hex]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
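
Review bot: The corrected X-SSL-Session_ID line gives no reason for the ",hex" converter, so the next person copying the example may drop it again. Add a short remark beside the example that ssl_fc_session_id is binary and has to be converted before it is placed in a header or a log line.
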
--
2.1.4

@ -1,78 +0,0 @@
From bcd033699c5a4904967652de4980e4f35f17ee34 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 3 Sep 2015 17:15:21 +0200
Subject: [PATCH 14/15] BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
When converting the "method" fetch to a string, we used to get an empty
string if the first character was not an upper case. This was caused by
the lookup function which returns HTTP_METH_NONE when a lookup is not
possible, and this method being mapped to an empty string in the array.
This is a totally stupid mechanism, there's no reason for having the
result depend on the first char. In fact the message parser already
checks that the syntax matches an HTTP token so we can only land there
with a valid token, hence only HTTP_METH_OTHER should be returned.
This fix should be backported to all actively supported branches.
(cherry picked from commit b7ce424be2bc9df73a3b971fa9dd6daea0332bf1)
---
include/types/proto_http.h | 1 -
src/proto_http.c | 11 ++++-------
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/include/types/proto_http.h b/include/types/proto_http.h
index a5a5d31..dbce972 100644
--- a/include/types/proto_http.h
+++ b/include/types/proto_http.h
@@ -219,7 +219,6 @@ enum {
/* Known HTTP methods */
enum http_meth_t {
- HTTP_METH_NONE = 0,
HTTP_METH_OPTIONS,
HTTP_METH_GET,
HTTP_METH_HEAD,
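
Review bot: Removing "HTTP_METH_NONE = 0" makes HTTP_METH_OPTIONS the first enumerator, so it now has the value 0. Any http_meth_t field that is zero-initialised and read before the request line has been parsed will compare equal to HTTP_METH_OPTIONS instead of a "no method" value. Check the places that zero a transaction and later test the method, or keep an explicit first value that is not a real method.
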
diff --git a/src/proto_http.c b/src/proto_http.c
index 02dc42b..46694cb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -361,12 +361,11 @@ const struct http_method_desc http_methods[26][3] = {
[0] = { .meth = HTTP_METH_TRACE , .len=5, .text="TRACE" },
},
/* rest is empty like this :
- * [1] = { .meth = HTTP_METH_NONE , .len=0, .text="" },
+ * [0] = { .meth = HTTP_METH_OTHER , .len=0, .text="" },
*/
};
const struct http_method_name http_known_methods[HTTP_METH_OTHER] = {
- [HTTP_METH_NONE] = { "", 0 },
[HTTP_METH_OPTIONS] = { "OPTIONS", 7 },
[HTTP_METH_GET] = { "GET", 3 },
[HTTP_METH_HEAD] = { "HEAD", 4 },
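
Review bot: The updated comment in http_methods[][] says the unused slots look like "{ .meth = HTTP_METH_OTHER, .len=0, .text="" }", but slots without an initialiser are zero-filled, and with HTTP_METH_NONE removed the zero value of the enum is HTTP_METH_OPTIONS. The index in the comment also changed from [1] to [0], which is the slot the rows above fill explicitly. Reword the comment so it does not promise a .meth value for empty slots.
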
@@ -793,8 +792,8 @@ struct chunk *http_error_message(struct session *s, int msgnum)
}
/*
- * returns HTTP_METH_NONE if there is nothing valid to read (empty or non-text
- * string), HTTP_METH_OTHER for unknown methods, or the identified method.
+ * returns a known method among HTTP_METH_* or HTTP_METH_OTHER for all unknown
+ * ones.
*/
enum http_meth_t find_http_meth(const char *str, const int len)
{
@@ -810,10 +809,8 @@ enum http_meth_t find_http_meth(const char *str, const int len)
if (likely(memcmp(str, h->text, h->len) == 0))
return h->meth;
};
- return HTTP_METH_OTHER;
}
- return HTTP_METH_NONE;
-
+ return HTTP_METH_OTHER;
}
/* Parse the URI from the given transaction (which is assumed to be in request
--
2.1.4

@ -1,49 +0,0 @@
From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 7 Sep 2015 19:32:33 +0200
Subject: [PATCH 15/15] BUG/MAJOR: http: don't call http_send_name_header()
after an error
A crash was reported when using the "famous" http-send-name-header
directive. This time it's a bit tricky, it requires a certain number of
conditions to be met including maxconn on a server, queuing, timeout in
the queue and cookie-based persistence.
The problem is that in stream.c, before calling http_send_name_header(),
we check a number of conditions to know if we have to replace the header
name. But prior to reaching this place, it's possible for
sess_update_stream_int() to fail and change the stream-int's state to
SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
http_send_name_header() can only be called with valid buffer contents
matching the http_msg's description. So when it rewinds the stream to
modify the header, buf->o becomes negative by the size of the incoming
request and is used as the argument to memmove() which basically
displaces 4GB of memory off a few bytes to write the new name, resulting
in a core and a core file that's really not fun to play with.
The solution obviously consists in refraining from calling this nasty
function when the stream interface is already closed.
This bug also affects 1.5 and possibly 1.4, so the fix must be backported
there.
(cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
---
src/session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/session.c b/src/session.c
index 6d62e36..7520a85 100644
--- a/src/session.c
+++ b/src/session.c
@@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)
/* Now we can add the server name to a header (if requested) */
/* check for HTTP mode and proxy server_name_hdr_name != NULL */
- if ((s->si[1].state >= SI_ST_CON) &&
+ if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&
(s->be->server_id_hdr_name != NULL) &&
(s->be->mode == PR_MODE_HTTP) &&
objt_server(s->target)) {
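
Review bot: The added "(s->si[1].state < SI_ST_CLO)" test relies on the numeric order of the SI_ST_* states, and the two comment lines above the condition still describe only the HTTP-mode and header-name checks. Add a comment that http_send_name_header() must not run once the stream interface is closed because the buffers have been flushed, so the range check is not simplified away in a later cleanup.
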
--
2.1.4

@ -1,32 +0,0 @@
Index: examples/examples.cfg
===================================================================
--- examples/examples.cfg.orig
+++ examples/examples.cfg
@@ -3,8 +3,8 @@
# log 127.0.0.1 local1
maxconn 4000
ulimit-n 8000
- uid 0
- gid 0
+ user haproxy
+ group haproxy
# chroot /tmp
# nbproc 2
# daemon
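
Review bot: This hunk replaces "uid 0"/"gid 0" with "user haproxy"/"group haproxy" but leaves "# chroot /tmp" commented out, so the example drops privileges without confining the process, unlike the examples/haproxy.cfg hunk below, which sets a chroot. Enable a chroot here as well or add a comment saying why it is left out. The named account also has to exist when the example is started, which the package must guarantee.
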
Index: examples/haproxy.cfg
===================================================================
--- examples/haproxy.cfg.orig
+++ examples/haproxy.cfg
@@ -5,9 +5,9 @@
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
- chroot /usr/share/haproxy
- uid 99
- gid 99
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
daemon
#debug
#quiet

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9565dd38649064d0350a2883fa81ccfe92eb17dcda457ebdc01535e1ab0c8f99
size 1345345

@ -1,76 +0,0 @@
diff -Ndur haproxy-1.5.8/examples/build.cfg haproxy-1.5.8-fix-bashisms/examples/build.cfg
--- haproxy-1.5.8/examples/build.cfg 2014-10-31 11:06:53.000000000 +0200
+++ haproxy-1.5.8-fix-bashisms/examples/build.cfg 2014-11-17 04:09:42.408078486 +0200
@@ -5,12 +5,12 @@
PATCH_LIST=
FILE_LIST=
-function do_compile_only {
+do_compile_only() {
$FLXMAKE CPU_OPTS="-march=$arch -mcpu=$cpu -Os -mpreferred-stack-boundary=2 -momit-leaf-frame-pointer -malign-jumps=0" \
TARGET=linux24
}
-function do_prepack {
+do_prepack() {
mkdir -p $ROOTDIR/sbin/init.d ; cp examples/init.haproxy.flx0 $ROOTDIR/sbin/init.d/haproxy
mkdir -p $ROOTDIR/usr/sbin ; cp haproxy $ROOTDIR/usr/sbin
mkdir -p $ROOTDIR/usr/share/examples/$PKGRADIX/$PKGRADIX-$PKGVER/etc/haproxy/
diff -Ndur haproxy-1.5.8/examples/haproxy-1.1.21-flx.1.pkg haproxy-1.5.8-fix-bashisms/examples/haproxy-1.1.21-flx.1.pkg
--- haproxy-1.5.8/examples/haproxy-1.1.21-flx.1.pkg 2014-10-31 11:06:53.000000000 +0200
+++ haproxy-1.5.8-fix-bashisms/examples/haproxy-1.1.21-flx.1.pkg 2014-11-17 04:09:28.396079434 +0200
@@ -1,10 +1,10 @@
#!/bin/sh
-function do_compile {
+do_compile() {
$FLXMAKE COPTS="-march=$arch -mcpu=$cpu -Os -mpreferred-stack-boundary=2 -momit-leaf-frame-pointer -malign-jumps=0 -DNETFILTER -DTRANSPARENT"
}
-function do_prepack {
+do_prepack() {
mkdir -p $ROOTDIR/sbin/init.d ; cp init.d/haproxy $ROOTDIR/sbin/init.d
mkdir -p $ROOTDIR/usr/sbin ; cp haproxy $ROOTDIR/usr/sbin
mkdir -p $ROOTDIR/usr/share/examples/$PKGRADIX/$PKGRADIX-$PKGVER/etc
diff -Ndur haproxy-1.5.8/examples/haproxy.init haproxy-1.5.8-fix-bashisms/examples/haproxy.init
--- haproxy-1.5.8/examples/haproxy.init 2014-10-31 11:06:53.000000000 +0200
+++ haproxy-1.5.8-fix-bashisms/examples/haproxy.init 2014-11-17 04:10:05.127076949 +0200
@@ -116,7 +116,7 @@
check
;;
*)
- echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
+ echo "Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
exit 1
esac
diff -Ndur haproxy-1.5.8/examples/init.haproxy haproxy-1.5.8-fix-bashisms/examples/init.haproxy
--- haproxy-1.5.8/examples/init.haproxy 2014-10-31 11:06:53.000000000 +0200
+++ haproxy-1.5.8-fix-bashisms/examples/init.haproxy 2014-11-17 04:10:58.897073312 +0200
@@ -19,7 +19,7 @@
maintfd=0
fi
-maxfd=$[$maxconn*2 + $maintfd]
+maxfd=$(($maxconn * 2 + $maintfd))
if [ $maxfd -lt 100 ]; then
maxfd=100;
fi
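
Review bot: In "maxfd=$(($maxconn * 2 + $maintfd))" the "$" expansions are substituted before the arithmetic is parsed, so an empty or unset maxconn produces "$(( * 2 + 0))" and a shell syntax error instead of a usable value. Give the variables defaults, for example "${maxconn:-0}" and "${maintfd:-0}", inside the expression. The unquoted "[ $maxfd -lt 100 ]" on the following line has the same weakness.
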
@@ -31,7 +31,7 @@
# ulimit -c unlimited
# soft stop
-function do_stop {
+do_stop() {
pids=`pidof -o $$ -- $PNAME`
if [ ! -z "$pids" ]; then
echo "Asking $PNAME to terminate gracefully..."
@@ -41,7 +41,7 @@
}
# dump status
-function do_status {
+do_status() {
pids=`pidof -o $$ -- $PNAME`
if [ ! -z "$pids" ]; then
echo "Dumping $PNAME status in logs."

@ -2,7 +2,7 @@ Index: Makefile
===================================================================
--- Makefile.orig
+++ Makefile
@@ -567,7 +567,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
@@ -644,7 +644,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
PCREDIR := $(shell pcre-config --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCREDIR),)
PCRE_INC := $(PCREDIR)/include

@ -1,8 +1,8 @@
Index: Makefile
===================================================================
--- Makefile.orig 2014-06-05 19:23:53.559663353 +0200
+++ Makefile 2014-06-05 19:29:01.679662808 +0200
@@ -594,6 +594,35 @@ OPTIONS_CFLAGS += -DUSE_TFO
--- Makefile.orig
+++ Makefile
@@ -671,6 +671,35 @@ OPTIONS_CFLAGS += -DUSE_TFO
BUILD_OPTIONS += $(call ignore_implicit,USE_TFO)
endif

@ -0,0 +1,95 @@
Index: haproxy-1.6.0/examples/acl-content-sw.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/acl-content-sw.cfg
+++ haproxy-1.6.0/examples/acl-content-sw.cfg
@@ -5,9 +5,9 @@ global
log loghost local0
log localhost local0 err
maxconn 250
- uid 71
- gid 71
- chroot /var/empty
+ user haproxy
+ group haproxy
+ chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
daemon
quiet
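
Review bot: The chroot moves from "/var/empty" to "/var/lib/haproxy" in this hunk, and the packaged haproxy.cfg in the same commit places the stats socket at /var/lib/haproxy/stats with "user haproxy group haproxy". A chroot directory is meant to be empty and not writable by the confined user; confirm that /var/lib/haproxy is root-owned and holds nothing else, or keep a dedicated empty directory for the chroot.
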
Index: haproxy-1.6.0/examples/auth.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/auth.cfg
+++ haproxy-1.6.0/examples/auth.cfg
@@ -1,7 +1,7 @@
global
-# chroot /var/empty/
-# uid 451
-# gid 451
+ user haproxy
+ group haproxy
+ chroot /var/lib/haproxy
log 192.168.131.214:8514 local4 debug
maxconn 8192
Index: haproxy-1.6.0/examples/content-sw-sample.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/content-sw-sample.cfg
+++ haproxy-1.6.0/examples/content-sw-sample.cfg
@@ -11,9 +11,9 @@ global
maxconn 10000
stats socket /var/run/haproxy.stat mode 600 level admin
log 127.0.0.1 local0
- uid 200
- gid 200
- chroot /var/empty
+ user haproxy
+ group haproxy
+ chroot /var/lib/haproxy
daemon
# The public 'www' address in the DMZ
Index: haproxy-1.6.0/examples/option-http_proxy.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/option-http_proxy.cfg
+++ haproxy-1.6.0/examples/option-http_proxy.cfg
@@ -6,9 +6,9 @@ global
maxconn 20000
ulimit-n 16384
log 127.0.0.1 local0
- uid 200
- gid 200
- chroot /var/empty
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
nbproc 4
daemon
Index: haproxy-1.6.0/examples/ssl.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/ssl.cfg
+++ haproxy-1.6.0/examples/ssl.cfg
@@ -4,6 +4,9 @@
global
maxconn 100
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
defaults
mode http
Index: haproxy-1.6.0/examples/transparent_proxy.cfg
===================================================================
--- haproxy-1.6.0.orig/examples/transparent_proxy.cfg
+++ haproxy-1.6.0/examples/transparent_proxy.cfg
@@ -6,6 +6,10 @@
#
global
+ chroot /var/lib/haproxy
+ user haproxy
+ group haproxy
+
defaults
timeout client 30s
timeout server 30s
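
Review bot: The transparent-proxy example now drops to "user haproxy", while the configuration.txt patch shown earlier on this page states that "usesrc" requires root privileges. Verify that the rest of examples/transparent_proxy.cfg still works as an unprivileged user, and if it does not, leave a comment in the global section saying what the example needs.
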

haproxy-1.6.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bd4a7eee79e1bfd25af59d956bb60e82acbb6f146f3fb3b30636036f4c9548d3
size 1538976

haproxy.cfg Normal file

@ -0,0 +1,35 @@
global
log /dev/log daemon
maxconn 32768
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats user haproxy group haproxy mode 0640 level operator
tune.bufsize 32768
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
defaults
log global
mode http
option log-health-checks
option log-separate-errors
option dontlog-normal
option dontlognull
option httplog
option socket-stats
retries 3
option redispatch
maxconn 10000
timeout connect 5s
timeout client 50s
timeout server 450s
listen stats
bind 0.0.0.0:80
bind :::80 v6only
stats enable
stats uri /
stats refresh 5s
rspadd Server:\ haproxy/1.6
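
Review bot: The "listen stats" section binds 0.0.0.0:80 and :::80 and serves the statistics page at "/" with no "stats auth" line and no ACL, so a default install shows backend names and state to anyone who can reach port 80. Bind it to loopback or add authentication in the shipped default. Two smaller points: "ssl-default-bind-ciphers" starts from ALL and subtracts, which admits whatever the linked OpenSSL adds later, and "rspadd Server:\ haproxy/1.6" advertises the version in responses.
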

@ -1,3 +1,123 @@
-------------------------------------------------------------------
Tue Nov 10 14:50:26 UTC 2015 - mrueckert@suse.de
- fix link to tarball
-------------------------------------------------------------------
Tue Nov 3 12:02:19 UTC 2015 - mrueckert@suse.de
- update to 1.6.2
- BUILD: ssl: fix build error introduced in commit 7969a3 with
OpenSSL < 1.0.0
- DOC: fix a typo for a "deviceatlas" keyword
- FIX: small typo in an example using the "Referer" header
- BUG/MEDIUM: config: count memory limits on 64 bits, not 32
- BUG/MAJOR: dns: first DNS response packet not matching queried
hostname may lead to a loop
- BUG/MINOR: dns: unable to parse CNAMEs response
- BUG/MINOR: examples/haproxy.init: missing brace in
quiet_check()
- DOC: deviceatlas: more example use cases.
- BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in
install-bin.
- BUG/MAJOR: http: don't requeue an idle connection that is
already queued
- DOC: typo on capture.res.hdr and capture.req.hdr
- BUG/MINOR: dns: check for duplicate nameserver id in a
resolvers section was missing
- CLEANUP: use direction names in place of numeric values
- BUG/MEDIUM: lua: sample fetches based on response doesn't work
- drop haproxy-1.6.0-ssl-098.patch: included upstream
-------------------------------------------------------------------
Thu Oct 22 10:21:00 UTC 2015 - mrueckert@suse.de
- update to 1.6.1
- DOC: specify that stats socket doc (section 9.2) is in
management
- BUILD: install only relevant and existing documentation
- CLEANUP: don't ignore debian/ directory if present
- BUG/MINOR: dns: parsing error of some DNS response
- BUG/MEDIUM: namespaces: don't fail if no namespace is used
- BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is
disabled
- MEDIUM: dns: Don't use the ANY query type
- drop haproxy-1.6.0-ssl.crash.patch included in update
-------------------------------------------------------------------
Mon Oct 19 16:15:57 UTC 2015 - mrueckert@suse.de
- add haproxy-1.6.0-ssl-098.patch:
fix building on openssl 0.9.8
-------------------------------------------------------------------
Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de
- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash
-------------------------------------------------------------------
Thu Oct 15 23:19:33 UTC 2015 - mrueckert@suse.de
- only use network namespace support on distros newer than 13.2
-------------------------------------------------------------------
Tue Oct 13 19:39:12 UTC 2015 - mrueckert@suse.de
- update to 1.6.0
The most user-visible changes, we can cite the simpler handling
of multiple configuration files, the support for quotes and
environment variables in the configuration, a significant
reduction of the memory usage thanks to a new dynamic buffer
allocator, notifications over e-mail, server state keeping across
reloads, dynamic DNS-based server address resolution, new
scripting capabilities thanks to the embedded Lua interpreter,
use of variables in the configuration to manipulate samples,
request body buffering and analysis, support for two third-party
device identification products (DeviceAtlas and 51Degrees), a lot
of new sample converters including arithmetic operators and table
lookups, TLS ticket secret sharing between nodes, TLS SNI to the
server, full tables replication between peers, ability to
instruct the kernel to quickly kill dead connections, support for
Linux namespaces, and a number of other less visible goodies. The
performance has also been improved a lot with support for server
connection multiplexing, much faster and cheaper HTTP compression
via libslz, and the addition of a pattern cache to speed up
certain expensive ACLs. The great flexibility offered by this
version will allow many users to significantly simplify their
configurations. Some users will notice a huge performance boost
after they enable the features designed for them.
for all the details see /usr/share/doc/packages/haproxy/CHANGELOG
- drop patches we pulled from upstream git:
0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
0002-DOC-usesrc-root-privileges-requirements.patch
0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
0006-DOC-typo-in-redirect-302-code-meaning.patch
0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
0008-CLEANUP-.gitignore-ignore-more-test-files.patch
0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
0012-DOC-ssl-missing-LF.patch
0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
- refresh/redo patches to apply cleanly again:
old: haproxy-1.2.16_config_haproxy_user.patch
new: haproxy-1.6.0_config_haproxy_user.patch
old: haproxy-makefile_lib.patch
new: haproxy-1.6.0-makefile_lib.patch
old: sec-options.patch
new: haproxy-1.6.0-sec-options.patch
- added new haproxy.cfg to have a minimal config we can actually
launch!
- drop patch haproxy-1.5.8-fix-bashisms.patch: patched files no
longer exist
- drop haproxy.vim: we will use the copy which ships with the
upstream tarball now.
-------------------------------------------------------------------
Wed Sep 23 19:26:54 UTC 2015 - dmueller@suse.com
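Review bot: the 1.6.0 entry (Tue Oct 13) says a new haproxy.cfg was added but does not mention that the spec now installs the config directory 0750 and the config 0640 with group haproxy, nor that the new default config opens a stats listener on port 80. Both change what an administrator sees after install, so a line for each in this entry would help.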


@ -19,6 +19,14 @@
%bcond_with tcp_fast_open
%endif
%if 0%{?suse_version} > 1320
%bcond_without lua
%bcond_without network_namespace
%else
%bcond_with lua
%bcond_with network_namespace
%endif
%if 0%{?suse_version} >= 1310
%bcond_without systemd
%else
@ -33,12 +41,15 @@
%bcond_without apparmor
Name: haproxy
Version: 1.5.14
Version: 1.6.2
Release: 0
#
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libgcrypt-devel
%if %{with lua}
BuildRequires: lua-devel >= 5.3
%endif
BuildRequires: pcre-devel
BuildRequires: zlib-devel
BuildRequires: openssl-devel
@ -52,46 +63,14 @@ BuildRequires: vim
%define pkg_home /var/lib/%{pkg_name}
#
Url: http://www.haproxy.org/
Source: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
Source: http://www.haproxy.org/download/1.6/src/haproxy-%{version}.tar.gz
Source1: %{pkg_name}.init
Source2: http://www.haproxy.org/download/contrib/haproxy.vim
Source3: usr.sbin.haproxy.apparmor
Source4: local.usr.sbin.haproxy.apparmor
Patch1: haproxy-1.2.16_config_haproxy_user.patch
Patch2: haproxy-makefile_lib.patch
Patch3: sec-options.patch
Patch4: haproxy-1.5.8-fix-bashisms.patch
# BUG/MINOR: log: missing some ARGC_* entries in fmt_directives()
Patch5: 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
# DOC: usesrc root privileges requirements
Patch6: 0002-DOC-usesrc-root-privileges-requirements.patch
# BUILD: ssl: Allow building against libssl without SSLv3.
Patch7: 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
# DOC/MINOR: fix OpenBSD versions where haproxy works
Patch8: 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
# BUG/MINOR: http/sample: gmtime/localtime can fail
Patch9: 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
# DOC: typo in 'redirect', 302 code meaning
Patch10: 0006-DOC-typo-in-redirect-302-code-meaning.patch
# DOC: mention that %ms is left-padded with zeroes.
Patch11: 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
# CLEANUP: .gitignore: ignore more test files
Patch12: 0008-CLEANUP-.gitignore-ignore-more-test-files.patch
# CLEANUP: .gitignore: finally ignore everything but what is known.
Patch13: 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
# MEDIUM: config: emit a warning on a frontend without listener
Patch14: 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
# BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry
Patch15: 0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
# DOC: ssl: missing LF
Patch16: 0012-DOC-ssl-missing-LF.patch
# DOC: fix example of http-request using ssl_fc_session_id
Patch17: 0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
# BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
Patch18: 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
# BUG/MAJOR: http: don't call http_send_name_header() after an error
Patch19: 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
Source2: usr.sbin.haproxy.apparmor
Source3: local.usr.sbin.haproxy.apparmor
Source4: haproxy.cfg
Patch1: haproxy-1.6.0_config_haproxy_user.patch
Patch2: haproxy-1.6.0-makefile_lib.patch
Patch3: haproxy-1.6.0-sec-options.patch
#
Source99: haproxy-rpmlintrc
#
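Review bot: the new `Source:` line still fetches `http://www.haproxy.org/download/1.6/src/haproxy-%{version}.tar.gz` over plain HTTP, and no checksum or signature file is listed among the sources. That leaves the sha256 in the LFS pointer as the only integrity anchor for the tarball. If upstream serves the download over HTTPS, switch the URL, and if upstream publishes a checksum or signature, add it as an extra Source so the tarball can be verified against it.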
@ -122,25 +101,9 @@ the most work done from every CPU cycle.
%prep
%setup -q
%patch1
%patch1 -p1
%patch2
%patch3
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%build
%{__make} \
@ -157,6 +120,10 @@ the most work done from every CPU cycle.
%ifarch %ix86
USE_REGPARM=1 \
%endif
USE_PTHREAD_PSHARED=1 \
%if %{with lua}
USE_LUA=1 \
%endif
USE_TPROXY=1 \
USE_LINUX_TPROXY=1 \
USE_LINUX_SPLICE=1 \
@ -167,9 +134,12 @@ the most work done from every CPU cycle.
USE_PIE=1 \
USE_STACKPROTECTOR=1 \
USE_RELRO_NOW=1 \
%if %{with tcp_fast_open}
%if %{with tcp_fast_open}
USE_TFO=1 \
%endif
%endif
%if %{with network_namespace}
USE_NS=1 \
%endif
LIB="%{_lib}" \
PREFIX="%{_prefix}" \
DEBUG_CFLAGS="%{optflags}"
@ -178,28 +148,30 @@ make -C contrib/halog PREFIX="%{_prefix}" \
DEFINE="%{optflags} -pie -fpie -fstack-protector -Wl,-z,relro,-z,now"
%install
%{__install} -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name}
%{__install} -D -m 0644 examples/%{pkg_name}.cfg %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
install -D -m 0755 %{pkg_name} %{buildroot}%{_sbindir}/%{pkg_name}
install -d -m 0750 %{buildroot}%{_sysconfdir}/%{pkg_name}/
install -m 0640 %{S:4} %{buildroot}%{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
install -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog
%{__install} -D -m 0755 contrib/halog/halog %{buildroot}%{_sbindir}/haproxy-halog
%if %{with systemd}
%{__install} -D -m 0755 haproxy-systemd-wrapper %{buildroot}%{_sbindir}/haproxy-systemd-wrapper
%{__install} -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service
install -D -m 0755 haproxy-systemd-wrapper %{buildroot}%{_sbindir}/haproxy-systemd-wrapper
install -D -m 0644 contrib/systemd/%{pkg_name}.service %{buildroot}%{_unitdir}/%{pkg_name}.service
ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
%else
%{__install} -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
%{__ln_s} -f %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
install -D -m 0755 %{S:1} %{buildroot}%{_sysconfdir}/init.d/%{pkg_name}
%{__ln_s} -f %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name}
%endif
%{__install} -d -m 0755 %{buildroot}%{pkg_home}
%{__install} -D -m 0644 %{S:2} %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim
%{__install} -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1
install -d -m 0755 %{buildroot}%{pkg_home}
install -D -m 0644 examples/haproxy.vim %{buildroot}%{vim_data_dir}/syntax/%{pkg_name}.vim
install -D -m 0644 doc/%{pkg_name}.1 %{buildroot}%{_mandir}/man1/%{pkg_name}.1
%if %{with apparmor}
%{__install} -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
%{__install} -D -m 0644 %{S:4} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
install -D -m 0644 %{S:2} %{buildroot}/etc/apparmor.d/usr.sbin.haproxy
install -D -m 0644 %{S:3} %{buildroot}/etc/apparmor.d/local/usr.sbin.haproxy
%endif
%{__rm} examples/haproxy.spec
rm examples/haproxy.spec examples/*init* examples/haproxy.vim
%if 0%{?suse_version} < 1230
%clean
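Review bot: `install -d -m 0755 %{buildroot}%{pkg_home}` now creates the directory that the new haproxy.cfg uses both as `chroot` and as the location of the stats socket, yet nothing in this hunk sets its ownership. Please make sure the matching %files entry keeps it owned by root and not writable by the haproxy user or group, and add a short comment here noting that the directory doubles as the chroot.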
@ -241,18 +213,14 @@ ln -sf /sbin/service %{buildroot}%{_sbindir}/rc%{pkg_name}
%doc CHANGELOG README LICENSE
%doc ROADMAP doc/* examples/
%doc contrib/netsnmp-perl/ contrib/selinux/
%dir %{_sysconfdir}/%{pkg_name}
%config(noreplace) %{_sysconfdir}/%{pkg_name}/%{pkg_name}.cfg
%dir %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}
%config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/*
%if %{with systemd}
%{_unitdir}/%{pkg_name}.service
%{_sbindir}/haproxy-systemd-wrapper
%else
%config(noreplace) %{_sysconfdir}/init.d/%{pkg_name}
%endif
%{_sbindir}/haproxy
%{_sbindir}/haproxy-halog
%{_sbindir}/rchaproxy
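Review bot: `%config(noreplace) %attr(-,root,haproxy) %{_sysconfdir}/%{pkg_name}/*` uses a glob, so anything that lands in that directory at build time is packaged as a noreplace config file. Only haproxy.cfg is installed there in this change, so list it explicitly. The `%attr(-,root,haproxy)` on both lines also depends on the haproxy group existing before the files are unpacked; please confirm the %pre scriptlet creates it.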


@ -1,164 +0,0 @@
" Vim syntax file
" Language: HAproxy
" Maintainer: Bruno Michel <brmichel@free.fr>
" Last Change: Mar 30, 2007
" Version: 0.3
" URL: http://haproxy.1wt.eu/
" URL: http://vim.sourceforge.net/scripts/script.php?script_id=1845
" It is suggested to add the following line to $HOME/.vimrc :
" au BufRead,BufNewFile haproxy* set ft=haproxy
" For version 5.x: Clear all syntax items
" For version 6.x: Quit when a syntax file was already loaded
if version < 600
syntax clear
elseif exists("b:current_syntax")
finish
endif
if version >= 600
setlocal iskeyword=_,-,a-z,A-Z,48-57
else
set iskeyword=_,-,a-z,A-Z,48-57
endif
" Escaped chars
syn match hapEscape +\\\(\\\| \|n\|r\|t\|#\|x\x\x\)+
" Comments
syn match hapComment /#.*$/ contains=hapTodo
syn keyword hapTodo contained TODO FIXME XXX
syn case ignore
" Sections
syn match hapSection /^\s*\(global\|defaults\)/
syn match hapSection /^\s*\(listen\|frontend\|backend\|ruleset\)/ skipwhite nextgroup=hapSectLabel
syn match hapSectLabel /\S\+/ skipwhite nextgroup=hapIp1 contained
syn match hapIp1 /\(\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\)\?:\d\{1,5}/ nextgroup=hapIp2 contained
syn match hapIp2 /,\(\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\)\?:\d\{1,5}/hs=s+1 nextgroup=hapIp2 contained
" Parameters
syn keyword hapParam chroot cliexp clitimeout contimeout
syn keyword hapParam daemon debug disabled
syn keyword hapParam enabled
syn keyword hapParam fullconn
syn keyword hapParam gid grace
syn keyword hapParam maxconn monitor-uri
syn keyword hapParam nbproc noepoll nopoll
syn keyword hapParam pidfile
syn keyword hapParam quiet
syn keyword hapParam redispatch retries
syn keyword hapParam reqallow reqdel reqdeny reqpass reqtarpit skipwhite nextgroup=hapRegexp
syn keyword hapParam reqiallow reqidel reqideny reqipass reqitarpit skipwhite nextgroup=hapRegexp
syn keyword hapParam rspdel rspdeny skipwhite nextgroup=hapRegexp
syn keyword hapParam rspidel rspideny skipwhite nextgroup=hapRegexp
syn keyword hapParam reqsetbe reqisetbe skipwhite nextgroup=hapRegexp2
syn keyword hapParam reqadd reqiadd rspadd rspiadd
syn keyword hapParam server source srvexp srvtimeout
syn keyword hapParam uid ulimit-n
syn keyword hapParam reqrep reqirep rsprep rspirep skipwhite nextgroup=hapRegexp
syn keyword hapParam errorloc errorloc302 errorloc303 skipwhite nextgroup=hapStatus
syn keyword hapParam default_backend skipwhite nextgroup=hapSectLabel
syn keyword hapParam appsession skipwhite nextgroup=hapAppSess
syn keyword hapParam bind skipwhite nextgroup=hapIp1
syn keyword hapParam balance skipwhite nextgroup=hapBalance
syn keyword hapParam cookie skipwhite nextgroup=hapCookieNam
syn keyword hapParam capture skipwhite nextgroup=hapCapture
syn keyword hapParam dispatch skipwhite nextgroup=hapIpPort
syn keyword hapParam source skipwhite nextgroup=hapIpPort
syn keyword hapParam mode skipwhite nextgroup=hapMode
syn keyword hapParam monitor-net skipwhite nextgroup=hapIPv4Mask
syn keyword hapParam option skipwhite nextgroup=hapOption
syn keyword hapParam stats skipwhite nextgroup=hapStats
syn keyword hapParam server skipwhite nextgroup=hapServerN
syn keyword hapParam source skipwhite nextgroup=hapServerEOL
syn keyword hapParam log skipwhite nextgroup=hapGLog,hapLogIp
" Options and additional parameters
syn keyword hapAppSess contained len timeout
syn keyword hapBalance contained roundrobin source
syn keyword hapLen contained len
syn keyword hapGLog contained global
syn keyword hapMode contained http tcp health
syn keyword hapOption contained abortonclose allbackups checkcache clitcpka dontlognull forceclose forwardfor
syn keyword hapOption contained httpchk httpclose httplog keepalive logasap persist srvtcpka ssl-hello-chk
syn keyword hapOption contained tcplog tcpka tcpsplice
syn keyword hapOption contained except skipwhite nextgroup=hapIPv4Mask
syn keyword hapStats contained uri realm auth scope enable
syn keyword hapLogFac contained kern user mail daemon auth syslog lpr news nextgroup=hapLogLvl skipwhite
syn keyword hapLogFac contained uucp cron auth2 ftp ntp audit alert cron2 nextgroup=hapLogLvl skipwhite
syn keyword hapLogFac contained local0 local1 local2 local3 local4 local5 local6 local7 nextgroup=hapLogLvl skipwhite
syn keyword hapLogLvl contained emerg alert crit err warning notice info debug
syn keyword hapCookieKey contained rewrite insert nocache postonly indirect prefix nextgroup=hapCookieKey skipwhite
syn keyword hapCapture contained cookie nextgroup=hapNameLen skipwhite
syn keyword hapCapture contained request response nextgroup=hapHeader skipwhite
syn keyword hapHeader contained header nextgroup=hapNameLen skipwhite
syn keyword hapSrvKey contained backup cookie check inter rise fall port source minconn maxconn weight usesrc
syn match hapStatus contained /\d\{3}/
syn match hapIPv4Mask contained /\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\(\/\d\{1,2}\)\?/
syn match hapLogIp contained /\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}/ nextgroup=hapLogFac skipwhite
syn match hapIpPort contained /\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}:\d\{1,5}/
syn match hapServerAd contained /\d\{1,3}\.\d\{1,3}\.\d\{1,3}\.\d\{1,3}\(:[+-]\?\d\{1,5}\)\?/ nextgroup=hapSrvEOL skipwhite
syn match hapNameLen contained /\S\+/ nextgroup=hapLen skipwhite
syn match hapCookieNam contained /\S\+/ nextgroup=hapCookieKey skipwhite
syn match hapServerN contained /\S\+/ nextgroup=hapServerAd skipwhite
syn region hapSrvEOL contained start=/\S/ end=/$/ contains=hapSrvKey
syn region hapRegexp contained start=/\S/ end=/\(\s\|$\)/ skip=/\\ / nextgroup=hapRegRepl skipwhite
syn region hapRegRepl contained start=/\S/ end=/$/ contains=hapComment,hapEscape,hapBackRef
syn region hapRegexp2 contained start=/\S/ end=/\(\s\|$\)/ skip=/\\ / nextgroup=hapSectLabel skipwhite
syn match hapBackref contained /\\\d/
" Transparent is a Vim keyword, so we need a regexp to match it
syn match hapParam +transparent+
syn match hapOption +transparent+ contained
" Define the default highlighting.
" For version 5.7 and earlier: only when not done already
" For version 5.8 and later: only when an item doesn't have highlighting yet
if version < 508
command -nargs=+ HiLink hi link <args>
else
command -nargs=+ HiLink hi def link <args>
endif
HiLink hapEscape SpecialChar
HiLink hapBackRef Special
HiLink hapComment Comment
HiLink hapTodo Todo
HiLink hapSection Constant
HiLink hapSectLabel Identifier
HiLink hapParam Keyword
HiLink hapRegexp String
HiLink hapRegexp2 hapRegexp
HiLink hapIp1 Number
HiLink hapIp2 hapIp1
HiLink hapLogIp hapIp1
HiLink hapIpPort hapIp1
HiLink hapIPv4Mask hapIp1
HiLink hapServerAd hapIp1
HiLink hapStatus Number
HiLink hapOption Operator
HiLink hapAppSess hapOption
HiLink hapBalance hapOption
HiLink hapCapture hapOption
HiLink hapCookieKey hapOption
HiLink hapHeader hapOption
HiLink hapGLog hapOption
HiLink hapLogFac hapOption
HiLink hapLogLvl hapOption
HiLink hapMode hapOption
HiLink hapStats hapOption
HiLink hapLen hapOption
HiLink hapSrvKey hapOption
delcommand HiLink
let b:current_syntax = "haproxy"
" vim: ts=8