-------------------------------------------------------------------
Mon Oct 28 14:32:00 UTC 2013 - p.drouand@gmail.com

- Add systemd support
  Target distributions all support systemd; keep alive sysvinit
  support is useless

-------------------------------------------------------------------
Thu Oct 10 15:16:32 UTC 2013 - cdenicolo@suse.com

- license update: GPL-2.0+ and LGPL-2.1+
  only header files are LGPL, the rest is still GPL

-------------------------------------------------------------------
Tue Jun 18 09:14:13 UTC 2013 - mrueckert@suse.de

- update to 1.4.24 (bnc#825412)
  - BUG/MAJOR: backend: consistent hash can loop forever in certain circumstances
  - BUG/MEDIUM: checks: disable TCP quickack when pure TCP checks are used
  - MEDIUM: protocol: implement a "drain" function in protocol layers
  - BUG/CRITICAL: fix a possible crash when using negative header occurrences
    CVE-2013-2175

-------------------------------------------------------------------
Wed Apr 3 14:47:43 UTC 2013 - mrueckert@suse.de

- update to 1.4.23 CVE-2013-1912
  - CONTRIB: halog: sort URLs by avg bytes_read or total bytes_read
  - BUG: fix garbage data when http-send-name-header replaces an existing header
  - BUG/MEDIUM: remove supplementary groups when changing gid
  - BUG/MINOR: Correct logic in cut_crlf()
  - BUG/MINOR: config: use a copy of the file name in proxy configurations
  - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
  - MINOR: halog: sort output by cookie code
  - BUG/MINOR: halog: -ad/-ac report the correct number of output lines
  - BUG/MINOR: halog: fix help message for -ut/-uto
  - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode
  - BUG/MEDIUM: command-line option -D must have precedence over "debug"
  - OPTIM: halog: keep a fast path for the lines-count only
  - MINOR: halog: add a parameter to limit output line count
  - BUG: halog: fix broken output limitation
  - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
  - MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts
  - BUG/MAJOR: cli: show sess may randomly corrupt the back-ref list
  - BUG/MINOR: http: don't report client aborts as server errors
  - BUG/MINOR: http: don't log a 503 on client errors while waiting for requests
  - BUG/MEDIUM: tcp: process could theoretically crash on lack of source ports
  - BUG/MINOR: http: don't abort client connection on premature responses
  - BUILD: no need to clean up when making git-tar
  - MINOR: http: always report PR-- flags for redirect rules
  - BUG/MINOR: time: frequency counters are not totally accurate
  - BUG/MINOR: http: don't process abortonclose when request was sent
  - BUG/MINOR: epoll: use a fix maxevents argument in epoll_wait()
  - BUG/MINOR: config: fix improper check for failed memory alloc in ACL parser
  - BUG/MEDIUM: checks: ensure the health_status is always within bounds
  - CLEANUP: http: remove a useless null check
  - BUG/MEDIUM: signal: signal handler does not properly check for signal bounds
  - BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage
  - CLEANUP: config: slowstart is never negative
  - BUILD: improve the makefile's support for libpcre
  - BUG/MINOR: checks: fix a warning introduced by commit 2f61455a
  - MEDIUM: halog: add support for counting per source address (-ic)
  - DOC: mention the new HTTP 307 and 308 redirect statuses
    (cherry picked from commit b67fdc4cd8bde202f2805d98683ddab929469a05)
  - MEDIUM: poll: do not use FD_* macros anymore
  - BUG/MAJOR: ev_select: disable the select() poller if maxsock > FD_SETSIZE
  - BUILD: enable poll() by default in the makefile
  - BUILD: add explicit support for Mac OS/X
  - BUG/CRITICAL: using HTTP information in tcp-request content may crash the process
    CVE-2013-1912
  - MEDIUM: http: implement redirect 307 and 308
  - MINOR: http: status 301 should not be marked non-cacheable
- adapt haproxy-makefile_lib.patch to the rewritten Makefile

-------------------------------------------------------------------
Mon Nov 12 14:10:33 UTC 2012 - mrueckert@suse.de

- switch license tag to spdx format.

-------------------------------------------------------------------
Mon Nov 12 13:50:46 UTC 2012 - mrueckert@suse.de

- update to 1.4.22
  - BUG/MEDIUM: option forwardfor if-none doesn't work with some configurations
  - MINOR: balance uri: added 'whole' parameter to include query string in hash calculation
  - DOC: specify the default value for maxconn in the context of a proxy
  - BUG/MINOR: checks: expire on timeout.check if smaller than timeout.connect
  - REORG/MINOR: use dedicated proxy flags for the cookie handling
  - BUG/MINOR: config: do not report twice the incompatibility between cookie and non-http
  - MINOR: http: add support for "httponly" and "secure" cookie attributes
  - MEDIUM: stats: add support for soft stop/soft start in the admin interface
  - BUILD: add support for linux kernels >= 2.6.28
  - MINOR: contrib/iprange: add a network IP range to mask converter
  - BUILD: add an AIX 5.2 (and later) target.
  - MINOR: halog: use the more recent dual-mode fgets2 implementation
  - BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches
  - CLEANUP: halog: make clean should also remove .o files
    (cherry picked from commit 8ad4193100aafa19f04929670371bf823dbe11d0)
  - OPTIM: halog: make use of memchr() on platforms which provide a fast one
  - OPTIM: halog: improve cold-cache behaviour when loading a file
  - [MINOR] config: make it possible to specify a cookie even without a server
  - MINOR: config: tolerate server "cookie" setting in non-HTTP mode
  - BUG/MINOR: tarpit: fix condition to return the HTTP 500 message

-------------------------------------------------------------------
Tue Oct 30 16:02:03 UTC 2012 - mrueckert@suse.de

- fix description in the init script

-------------------------------------------------------------------
Tue May 22 16:47:45 UTC 2012 - pascal.bleser@opensuse.org

- update to 1.4.21 (bnc#763833) CVE-2012-2391
  - MINOR: patch for minor typo (ressources/resources)
  - CLEANUP: fix typo in findserver() log message
  - DOC: cleanup indentation, alignment, columns and chapters
  - DOC: fix some keywords arguments documentation
  - MINOR: stats admin: allow unordered parameters in POST requests
  - MINOR: stats admin: use the backend id instead of its name in the form
  - BUG/MAJOR: trash must always be the size of a buffer
  - DOC: fix minor regex example issue and improve doc on stats
  - BUG/MAJOR: possible crash when using capture headers on TCP frontends
  - MINOR: config: disable header captures in TCP mode and complain
  - BUG/MEDIUM: balance source did not properly hash IPv6 addresses
  - CLEANUP: http: message parser must ignore HTTP_MSG_ERROR
  - CLEANUP: remove a few warning about unchecked return values in debug code
  - CLEANUP: http: remove unused http_msg->col
  - BUG/MINOR: http: error snapshots are wrong if buffer wraps
  - BUG/MAJOR: checks: don't call set_server_status_* when no LB algo is set
  - MINOR: proxy: make findproxy() return proxies from numeric IDs too
  - BUILD: http: stop gcc-4.1.2 from complaining about possibly uninitialized values
  - BUG/MINOR: stop connect timeout when connect succeeds

-------------------------------------------------------------------
Sun Mar 11 19:16:20 UTC 2012 - pascal.bleser@opensuse.org

- update to 1.4.20:
  - BUG/MINOR: fix typo in processing of http-send-name-header
  - BUG/MEDIUM: correctly disable servers tracking another disabled servers.
  - BUG/MEDIUM: zero-weight servers must not dequeue requests from the backend
  - MINOR: halog: add some help on the command line
    (cherry picked from commit 615674cdec067066a42f53f5d55628ab7b207e6c)
  - BUG: queue: fix dequeueing sequence on HTTP keep-alive sessions
  - BUG: http: disable TCP delayed ACKs when forwarding content-length data
  - BUG: checks: fix server maintenance exit sequence
  - BUG/MINOR: stream_sock: don't remove BF_EXPECT_MORE and BF_SEND_DONTWAIT on partial writes
  - DOC: enumerate valid status codes for "observe layer7"

-------------------------------------------------------------------
Wed Feb 8 15:30:58 UTC 2012 - mrueckert@suse.de

- update to 1.4.19
  - MEDIUM: http: add support for sending the server's name in the outgoing request
  - BUG/MINOR: fix options forwardfor if-none when an alternative header name is specified
  - MINOR: task: new function task_schedule() to schedule a wake up
  - BUG/MEDIUM: checks: fix slowstart behaviour when server tracking is in use
  - BUG: tcp: option nolinger does not work on backends
  - BUG: ebtree: ebst_lookup() could return the wrong entry
  - BUG: http: re-enable TCP quick-ack upon incomplete HTTP requests
  - CLEANUP: ebtree: remove a few annoying signedness warnings
  - CLEANUP: ebtree: remove 4-year old harmless typo in duplicates insertion code
  - CLEANUP: ebtree: remove another typo, a wrong initialization in insertion code
  - BUG: proto_tcp: set AF_INET on tproxy for use with recent kernels
  - MINOR: halog: add support for matching queued requests
  - BUG: http: tighten the list of allowed characters in a URI

-------------------------------------------------------------------
Wed Nov 9 12:09:33 UTC 2011 - mrueckert@suse.de

- update to 1.4.18
  - [MINOR] http: *_dom matching header functions now also split on ":"
  - [MINOR] halog: support backslash-escaped quotes
  - BUILD/MINOR: fix the source URL in the spec file
  - DOC: acl is http_first_req, not http_req_first
  - BUG/MEDIUM: don't trim last spaces from headers consisting only of spaces
  - MINOR: acl: add new matches for header/path/url length
  - [MINOR] halog: do not consider byte 0x8A as end of line
  - [OPTIM] halog: make fgets parse more bytes by blocks
  - [OPTIM] halog: add assembly version of the field lookup code
  - [CLEANUP] startup: report only the basename in the usage message
  - [DOC] update the README file to reflect new naming rules for patches

-------------------------------------------------------------------
Mon Sep 05 22:26:59 UTC 2011 - pascal.bleser@opensuse.org

- update to 1.4.17:
  - [MINOR] halog: add support for termination code matching (-tcn/-TCN)
  - [MINOR] halog: make SKIP_CHAR stop on field delimiters
  - [MINOR] halog: add support for HTTP log matching (-H)
  - [MINOR] halog: gain back performance before SKIP_CHAR fix
  - [OPTIM] halog: cache some common fields positions
  - [OPTIM] halog: check once for correct line format and reuse the pointer
  - [OPTIM] halog: remove many 'if' by using a function pointer for the filters
  - [OPTIM] halog: remove support for tab delimiters in input data
  - [MINOR] halog: add -hs/-HS to filter by HTTP status code range
  - [CLEANUP] update the year in the copyright banner
  - [BUG] check: http-check expect + regex would crash in defaults section
  - [MEDIUM] http: make x-forwarded-for addition conditional
  - [DOC] fixed a few "sensible" -> "sensitive" errors
  - [MINOR] stats: display "" instead of the frontend name when unknown
  - [BUG] http: trailing white spaces must also be trimmed after headers
  - [MINOR] http: take a capture of too large requests and responses
  - [MINOR] http: take a capture of truncated responses
  - [MINOR] http: take a capture of bad content-lengths.

-------------------------------------------------------------------
Sat Aug 13 22:49:36 UTC 2011 - mrueckert@suse.de

- update to version 1.4.16
  - [BUG] checks: fix support of Mysqld >= 5.5 for mysql-check
  - [DOC] Minor spelling fixes and grammatical enhancements
  - [CLEANUP] Remove assigned but unused variables
  - [BUG] checks: http-check expect could fail a check on multi-packet responses
  - [DOC] fix minor typo in the "dispatch" doc
  - [MINOR] http: make the "HTTP 200" status code configurable.
  - [MINOR] http: partially revert the chunking optimization for now
  - [MINOR] stream_sock: always clear BF_EXPECT_MORE upon complete transfer
  - [CLEANUP] stream_sock: remove unneeded FL_TCP and factor out test
  - [MEDIUM] http: add support for "http-no-delay"
  - [OPTIM] http: optimize chunking again in non-interactive mode
  - [OPTIM] stream_sock: avoid fast-forwarding of partial data
  - [OPTIM] stream_sock: don't use splice on too small payloads
  - [BUG] stats: support url-encoded forms
  - [BUG] halog: correctly handle truncated last line
  - [DOC] fix typos, "#" is a sharp, not a dash

-------------------------------------------------------------------
Fri Apr 15 22:14:24 UTC 2011 - pascal.bleser@opensuse.org

- revert splitting out the documentation

-------------------------------------------------------------------
Thu Apr 14 19:18:45 UTC 2011 - pascal.bleser@opensuse.org

- split out documentation and examples into haproxy-doc
- add rpmlintrc to suppress false positive warnings about script
  examples in documentation files (without exec flag)
- fix license

-------------------------------------------------------------------
Tue Apr 12 15:31:38 UTC 2011 - mrueckert@suse.de

- update to version 1.4.15
  - [CRITICAL] fix risk of crash when dealing with space in response cookies
- additional changes from 1.4.14
  - [MINOR] config: fix endianness of server check port
  - [BUG] http: fix possible incorrect forwarded wrapping chunk size (take 2)
  - [MINOR] tools: add two macros MID_RANGE and MAX_RANGE
  - [BUG] http: fix content-length handling on 32-bit platforms
  - [OPTIM] buffers: uninline buffer_forward()

-------------------------------------------------------------------
Wed Mar 9 12:00:23 UTC 2011 - mrueckert@suse.de

- update to 1.4.13
  - config: don't crash on empty pattern files.
- additional changes from 1.4.12
  - stats: add support for several packets in stats admin
  - stats: admin commands must check the proxy state
  - stats: admin web interface must check the proxy state
  - http: update the header list's tail when removing the last header
  - fix typos (http-request instead of http-check)
    (cherry picked from commit 8f2a1e72bebea700f37add40997b716fdfd86b9c)
  - http: use correct ACL pointer when evaluating authentication
  - cfgparse: correctly count one socket per port in ranges
  - startup: set the rlimits before binding ports, not after.
  - acl: srv_id must return no match when the server is NULL
  - acl: fd leak when reading patterns from file
  - fix minor typo in "usesrc"
  - http: fix possible incorrect forwarded wrapping chunk size
  - http: fix computation of message body length after forwarding has started
  - http: balance url_param did not work with first parameters on POST
  - update the url_param regression test to test check_post too

-------------------------------------------------------------------
Tue Feb 15 14:30:53 UTC 2011 - mrueckert@suse.de

- update to 1.4.11
  - cfgparse: Check whether the path given for the stats socket
    actually fits into the sockaddr_un structure to avoid truncation.
  - fix a minor typo
  - fix ignore-persist documentation
  - http: fix http-pretend-keepalive and httpclose/tunnel mode
  - add warnings on features not compatible with multi-process mode
  - acl: add be_id/srv_id to match backend's and server's id
  - log: add support for passing the forwarded hostname
  - log: ability to override the syslog tag
  - fix minor typos in the doc
  - fix another typo in the doc
  - http chunking: don't report a parsing error on connection errors
  - stream_interface: truncate buffers when sending error messages
  - http: fix incorrect error reporting during data transfers
  - session: correctly leave turn-around and queue states on abort
  - session: release slot before processing pending connections
  - stats: report HTTP message state and buffer flags in error dumps
  - http: support wrapping messages in error captures
  - http: capture incorrectly chunked message bodies
  - stats: add global event ID and count
  - http: don't send each chunk in a separate packet
  - acl: fix handling of empty lines in pattern files
  - ebtree: fix ebmb_lookup() with len smaller than the tree's keys
  - ebtree: ebmb_lookup: reduce stack usage by moving the return code out of the loop

-------------------------------------------------------------------
Mon Nov 29 13:57:37 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.10:
  * a possible crash when using Cookie-based persistence with
    appsessions was fixed
  * header processing could become wrong after a single reqidel rule
    removed exactly two headers
  * some out-of-memory conditions were not correctly handled in
    appsession or cookie captures
  * users of appsessions are strongly encouraged to upgrade

-------------------------------------------------------------------
Tue Nov 2 13:11:15 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.9:
  * the Web interface now allows you to enable or disable servers
  * the ECV and LDAPv3 checks were merged
  * the MySQL check was improved to support a real login sequence
  * persistence cookies can now be timestamped to support a maximum
    idle time and a maximum life time, and can be removed by the
    server if needed (e.g. logout)
  * the SNMP plugin was improved to report socket stats
  * some Cacti templates were merged
  * the halog tool can now instantly report per-URL response times

-------------------------------------------------------------------
Tue Aug 17 15:46:13 UTC 2010 - mrueckert@suse.de

- implement graceful restart in the init script

-------------------------------------------------------------------
Tue Jun 22 14:49:12 UTC 2010 - mrueckert@suse.de

- update to 1.4.8:
  * mention 'option http-server-close' effect in Tq section
  * summarize and highlight persistent connections behaviour
  * add configuration samples
  * stick_table: the fix for the memory leak caused a regression
  * client: don't add a new session to the list too early

-------------------------------------------------------------------
Thu Jun 10 09:03:34 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.7:
  * fixes problems where consistent hashing was broken when no server
    ID was specified in the configuration
  * some errors were incorrectly reported as failed instead of denied
    in the statistics
  * the dispatch and http_proxy modes were fixed
  * a few termination flags in the logs used for troubleshooting were
    corrected
  * a few other minor issues were fixed
  * upgrading is recommended

-------------------------------------------------------------------
Mon May 17 20:29:02 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.6:
  * a minor precision about RDP cookies was added to the
    documentation
  * a new ACL keyword was added
  * those who had no problem building and running 1.4.5 don't need to
    upgrade
- drop haproxy-fix_dprintf.patch, merged upstream

-------------------------------------------------------------------
Fri May 14 07:18:03 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.5:
  * Haproxy can now read huge ACL pattern lists from files and match
    inputs against them without any noticeable performance impact,
    making geolocation possible
  * adds a new "ignore-persist" directive, allowing it to ignore the
    persistence cookie if an ACL-based condition is matched (which is
    useful for static objects in stateful farms)
  * a few other minor improvements
  * a nice performance boost of the log analyzer, which can now
    process more than 1 GB of logs per second and report request
    counts by status codes

-------------------------------------------------------------------
Thu Apr 8 09:41:51 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.4:
  * brings a new option to work around optimization issues with
    Tomcat and Jetty in server close mode, and for a bug in Jetty's
    handling of Expect: 100-continue
  * a very old appsession unexpected match of shorter cookie names
    was also fixed
  * a new feature to make it possible to connect to a server from an
    IP found in a header was merged: it allows you to run
    stunnel+haproxy in transparent mode together

-------------------------------------------------------------------
Fri Apr 2 23:42:44 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.3:
  * fixes a regression introduced in 1.4.2 which could cause a
    connection to still be attempted on the server side in case of an
    error on the client side; this issue could even lead to a crash
    if a Layer7 hash algorithm was used, so this code was
    strengthened
  * the configuration parser now detects many more inappropriate
    options in TCP mode and emits related warnings
  * it is now possible to indicate in the configuration that a server
    will start in the "disabled" state
  * other very minor issues were fixed

-------------------------------------------------------------------
Thu Mar 18 12:00:49 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.2:
  * fixes a very rare case of stuck client sessions when using
    keep-alive
  * fixes a url_param hash bug which could result in a dead server in
    very rare situations
  * fixes status codes 501 and 505 which could cause a server to be
    marked down if on-error was used
  * fixes a risk of getting truncated HTTP responses when
    chunk-encoding was used
  * fixes an issue with anonymous ACLs
  * improvements on health checks

-------------------------------------------------------------------
Fri Mar 5 00:45:12 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.1:
  * some errors were incorrectly reported as 502 with the flags "SL"
    in the logs; this is now fixed
  * other minor issues were fixed
  * documentation was updated

-------------------------------------------------------------------
Fri Feb 26 20:44:34 UTC 2010 - pascal.bleser@opensuse.org

- update to 1.4.0:
  * new features:
    + keep-alive
    + IP-based stickiness
    + consistent hashing
    + support for the RDP protocol
    + a much nicer stats interface
    + a much-improved performance level
  * add -fno-strict-aliasing
- changes from 1.4rc1:
  * new features:
    + server maintenance mode
    + HTTP authentication (server and proxy)
    + secure passwords
    + conditional request/response header rewriting using ACLs
    + anonymous ACLs that can be declared inline
    + support for HTTP/1.1 101+Upgrade status code to support
      non-HTTP protocols such as WebSocket

-------------------------------------------------------------------
Thu Feb 11 15:20:01 UTC 2010 - mrueckert@suse.de

- update to 1.3.23

-------------------------------------------------------------------
Tue Sep 15 14:09:34 CEST 2009 - mrueckert@suse.de

- update to 1.3.20

-------------------------------------------------------------------
Fri Apr 3 13:54:40 CEST 2009 - mrueckert@suse.de

- update to 1.3.17

-------------------------------------------------------------------
Mon Mar 9 16:40:38 CET 2009 - mrueckert@suse.de

- update to 1.3.15.8

-------------------------------------------------------------------
Wed Feb 4 15:13:15 CET 2009 - mrueckert@suse.de

- update to 1.3.15.7

-------------------------------------------------------------------
Mon Sep 15 15:52:45 CEST 2008 - mrueckert@suse.de

- update to 1.3.15.4

-------------------------------------------------------------------
Sun Nov 4 21:21:35 CET 2007 - mrueckert@suse.de

- update to 1.3.13.1:
  too many changes see changelog file

-------------------------------------------------------------------
Mon Apr 2 00:53:38 CEST 2007 - mrueckert@suse.de

- prepared spec for easy split out of -snapshot packages.
- added vim syntax file

-------------------------------------------------------------------
Mon Mar 19 17:50:33 CET 2007 - mrueckert@suse.de

- update to 1.2.17:
  - replaced the linked-list with a faster rbtree in the scheduler
  - add user/group support (Marcus Rueckert)
  - add the "except" keyword to the "forwardfor" option (Bryan Germann)
  - re-implemented support for multi-line headers (was incidentally reverted)
  - fixed possible crash when no cookie was set on a server
  - fixed various length checks in appsession
  - fixed unlikely memory leak in appsession in case of memory shortage
  - updates to the architecture guide
- remove haproxy-1.2.16_username_groupname_support.patch:
  patch included upstream

-------------------------------------------------------------------
Mon Jan 8 00:27:17 CET 2007 - mrueckert@suse.de

- initial package of 1.2.16
- added 2 patches:
  haproxy-1.2.16_config_haproxy_user.patch
  haproxy-1.2.16_username_groupname_support.patch
  the patches allow to specify username and groupname instead of
  uid/gid. The patches are needed as we do not have a static uid/gid
  for the haproxy user/group.