include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.5.2
-PKG_RELEASE:=06
+PKG_VERSION:=1.5.3
+PKG_RELEASE:=03
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
-PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a
+PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=GPL-2.0
--- /dev/null
+From ad65af7dab9b8d8033fd09d8031cc774a6fbf768 Mon Sep 17 00:00:00 2001
+From: Godbach <nylzhaowei@gmail.com>
+Date: Mon, 28 Jul 2014 17:31:57 +0800
+Subject: [PATCH 1/3] BUG/MINOR: server: move the directive #endif to the end
+ of file
+
+If a source file includes proto/server.h twice or more, redefinition errors will
+be triggered for such inline functions as server_throttle_rate(),
+server_is_draining(), srv_adm_set_maint() and so on. Just move #endif directive
+to the end of file to solve this issue.
+
+Signed-off-by: Godbach <nylzhaowei@gmail.com>
+(cherry picked from commit e468d55998e134dac1b18d5d9d075ffd5691c827)
+---
+ include/proto/server.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/proto/server.h b/include/proto/server.h
+index 9893266..71c8b13 100644
+--- a/include/proto/server.h
++++ b/include/proto/server.h
+@@ -54,8 +54,6 @@ static void inline srv_set_sess_last(struct server *s)
+ s->counters.last_sess = now.tv_sec;
+ }
+
+-#endif /* _PROTO_SERVER_H */
+-
+ /*
+ * Registers the server keyword list <kwl> as a list of valid keywords for next
+ * parsing sessions.
+@@ -200,6 +198,8 @@ static inline void srv_adm_set_ready(struct server *s)
+ srv_clr_admin_flag(s, SRV_ADMF_FMAINT);
+ }
+
++#endif /* _PROTO_SERVER_H */
++
+ /*
+ * Local variables:
+ * c-indent-level: 8
+--
+1.8.5.5
+
+++ /dev/null
-From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sat, 12 Jul 2014 17:31:07 +0200
-Subject: [PATCH 1/2] DOC: mention that Squid correctly responds 400 to PPv2
- header
-
-Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630
-were confirmed to respond correctly here and that any version will do
-the same.
-(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad)
----
- doc/proxy-protocol.txt | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
-index a2dbcea..a3925a4 100644
---- a/doc/proxy-protocol.txt
-+++ b/doc/proxy-protocol.txt
-@@ -692,6 +692,7 @@ presented, even with minimal implementations :
- - thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
-+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- - SSL :
- - stud 0.3.47 : connection abort => pass/optimal
- - stunnel 4.45 : connection abort => pass/optimal
---
-1.8.5.5
-
--- /dev/null
+From 715e9b892f564e58489f86c125aed2a8994f16e9 Mon Sep 17 00:00:00 2001
+From: Conrad Hoffmann <conrad@soundcloud.com>
+Date: Mon, 28 Jul 2014 23:22:43 +0200
+Subject: [PATCH 2/3] BUG/MINOR: Fix search for -p argument in systemd wrapper.
+
+Searching for the pid file in the list of arguments did not
+take flags without parameters into account, like e.g. -de. Because
+of this, the wrapper would use a different pid file than haproxy
+if such an argument was specified before -p.
+
+The new version can still yield a false positive for some crazy
+situations, like your config file name starting with "-p", but
+I think this is as good as it gets without using getopt or some
+library.
+
+Signed-off-by: Conrad Hoffmann <conrad@soundcloud.com>
+(cherry picked from commit eb2cf45b72a7e14c581276247381dc1ac76be2c0)
+---
+ src/haproxy-systemd-wrapper.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
+index ba07ebe..529b213 100644
+--- a/src/haproxy-systemd-wrapper.c
++++ b/src/haproxy-systemd-wrapper.c
+@@ -130,11 +130,8 @@ static void sigint_handler(int signum __attribute__((unused)))
+ static void init(int argc, char **argv)
+ {
+ while (argc > 1) {
+- if (**argv == '-') {
+- char *flag = *argv + 1;
+- --argc; ++argv;
+- if (*flag == 'p')
+- pid_file = *argv;
++ if ((*argv)[0] == '-' && (*argv)[1] == 'p') {
++ pid_file = *(argv + 1);
+ }
+ --argc; ++argv;
+ }
+--
+1.8.5.5
+
+++ /dev/null
-From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
-Date: Sat, 12 Jul 2014 18:22:42 +0200
-Subject: [PATCH 2/2] DOC: fix typo in Unix Socket commands
-
-Konstantin Romanenko reported a typo in the HTML documentation. The typo is
-already present in the raw text version : the "shutdown sessions" command
-should be "shutdown sessions server".
-(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e)
----
- doc/configuration.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index ca21f7d..2d71555 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -13869,7 +13869,7 @@ shutdown session <id>
- endless transfer is ongoing. Such terminated sessions are reported with a 'K'
- flag in the logs.
-
--shutdown sessions <backend>/<server>
-+shutdown sessions server <backend>/<server>
- Immediately terminate all the sessions attached to the specified server. This
- can be used to terminate long-running sessions after a server is put into
- maintenance mode, for instance. Such terminated sessions are reported with a
---
-1.8.5.5
-
--- /dev/null
+From f94735eb76e634d7531f9c903113f64820c4cec0 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 30 Jul 2014 08:56:35 +0200
+Subject: [PATCH 3/3] BUG/MAJOR: tcp: fix a possible busy spinning loop in
+ content track-sc*
+
+As a consequence of various recent changes on the sample conversion,
+a corner case has emerged where it is possible to wait forever for a
+sample in track-sc*.
+
+The issue is caused by the fact that functions relying on sample_process()
+don't all exactly work the same regarding the SMP_F_MAY_CHANGE flag and
+the output result. Here it was possible to wait forever for an output
+sample from stktable_fetch_key() without checking the SMP_OPT_FINAL flag.
+As a result, if the client connects and closes without sending the data
+and haproxy expects a sample which is capable of coming, it will ignore
+this impossible case and will continue to wait.
+
+This change adds control for SMP_OPT_FINAL before waiting for extra data.
+The various relevant functions have been better documented regarding their
+output values.
+
+This fix must be backported to 1.5 since it appeared there.
+(cherry picked from commit 6bcb0a84e7256f00793fa8ec8a0d6c19c3b22935)
+---
+ src/proto_tcp.c | 4 ++--
+ src/sample.c | 23 ++++++++++++++++++++++-
+ src/stick_table.c | 11 ++++++++++-
+ 3 files changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/proto_tcp.c b/src/proto_tcp.c
+index 9778856..72dc92b 100644
+--- a/src/proto_tcp.c
++++ b/src/proto_tcp.c
+@@ -1048,8 +1048,8 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
+ t = rule->act_prm.trk_ctr.table.t;
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
+
+- if (smp.flags & SMP_F_MAY_CHANGE)
+- goto missing_data;
++ if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL))
++ goto missing_data; /* key might appear later */
+
+ if (key && (ts = stktable_get_entry(t, key))) {
+ session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
+diff --git a/src/sample.c b/src/sample.c
+index 3a0f3fb..8e62640 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -896,6 +896,18 @@ out_error:
+ * Note: the fetch functions are required to properly set the return type. The
+ * conversion functions must do so too. However the cast functions do not need
+ * to since they're made to cast mutiple types according to what is required.
++ *
++ * The caller may indicate in <opt> if it considers the result final or not.
++ * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify
++ * if the result is stable or not, according to the following table :
++ *
++ * return MAY_CHANGE FINAL Meaning for the sample
++ * NULL 0 * Not present and will never be (eg: header)
++ * NULL 1 0 Not present yet, could change (eg: POST param)
++ * NULL 1 1 Not present yet, will not change anymore
++ * smp 0 * Present and will not change (eg: header)
++ * smp 1 0 Present, may change (eg: request length)
++ * smp 1 1 Present, last known value (eg: request length)
+ */
+ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7,
+ unsigned int opt,
+@@ -1153,7 +1165,16 @@ int smp_resolve_args(struct proxy *p)
+ * and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is
+ * with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to
+ * take actions (eg: wait longer). If a sample could not be found or could not
+- * be converted, NULL is returned.
++ * be converted, NULL is returned. The caller MUST NOT use the sample if the
++ * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is
++ * still hope to get it after waiting longer, and is not converted to string.
++ * The possible output combinations are the following :
++ *
++ * return MAY_CHANGE FINAL Meaning for the sample
++ * NULL * * Not present and will never be (eg: header)
++ * smp 0 * Final value converted (eg: header)
++ * smp 1 0 Not present yet, may appear later (eg: header)
++ * smp 1 1 never happens (either flag is cleared on output)
+ */
+ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7,
+ unsigned int opt, struct sample_expr *expr)
+diff --git a/src/stick_table.c b/src/stick_table.c
+index a708d3c..d39b4ff 100644
+--- a/src/stick_table.c
++++ b/src/stick_table.c
+@@ -603,7 +603,16 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = {
+ * no key could be extracted, or a pointer to the converted result stored in
+ * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset
+ * and its flags will be initialized so that the caller gets a copy of the input
+- * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
++ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present
++ * without SMP_OPT_FINAL). The output will be usable like this :
++ *
++ * return MAY_CHANGE FINAL Meaning for the sample
++ * NULL 0 * Not present and will never be (eg: header)
++ * NULL 1 0 Not present or unstable, could change (eg: req_len)
++ * NULL 1 1 Not present, will not change anymore
++ * smp 0 * Present and will not change (eg: header)
++ * smp 1 0 not possible
++ * smp 1 1 Present, last known value (eg: request length)
+ */
+ struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
+ unsigned int opt, struct sample_expr *expr, struct sample *smp)
+--
+1.8.5.5
+
+++ /dev/null
-From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
-Date: Tue, 15 Jul 2014 11:36:40 +0200
-Subject: [PATCH 3/3] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
-
-OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(),
-leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange.
-This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time.
-
-Note: this fix must be backported to 1.5.
-(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570)
----
- src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 36 insertions(+), 7 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 375225d..cf8adc7 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -105,6 +105,13 @@ enum {
- int sslconns = 0;
- int totalsslconns = 0;
-
-+#ifndef OPENSSL_NO_DH
-+static DH *local_dh_1024 = NULL;
-+static DH *local_dh_2048 = NULL;
-+static DH *local_dh_4096 = NULL;
-+static DH *local_dh_8192 = NULL;
-+#endif /* OPENSSL_NO_DH */
-+
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
- struct certificate_ocsp {
- struct ebmb_node key;
-@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
- }
-
- if (keylen >= 8192) {
-- dh = ssl_get_dh_8192();
-+ dh = local_dh_8192;
- }
- else if (keylen >= 4096) {
-- dh = ssl_get_dh_4096();
-+ dh = local_dh_4096;
- }
- else if (keylen >= 2048) {
-- dh = ssl_get_dh_2048();
-+ dh = local_dh_2048;
- }
- else {
-- dh = ssl_get_dh_1024();
-+ dh = local_dh_1024;
- }
-
- return dh;
-@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
-
- if (global.tune.ssl_default_dh_param <= 1024) {
- /* we are limited to DH parameter of 1024 bits anyway */
-- dh = ssl_get_dh_1024();
-- if (dh == NULL)
-+ local_dh_1024 = ssl_get_dh_1024();
-+ if (local_dh_1024 == NULL)
- goto end;
-
-- SSL_CTX_set_tmp_dh(ctx, dh);
-+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
- }
- else {
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
-@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
- global.tune.ssl_default_dh_param = 1024;
- }
-
-+#ifndef OPENSSL_NO_DH
-+ if (global.tune.ssl_default_dh_param >= 1024) {
-+ if (local_dh_1024 == NULL) {
-+ local_dh_1024 = ssl_get_dh_1024();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 2048) {
-+ if (local_dh_2048 == NULL) {
-+ local_dh_2048 = ssl_get_dh_2048();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 4096) {
-+ if (local_dh_4096 == NULL) {
-+ local_dh_4096 = ssl_get_dh_4096();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 8192 &&
-+ local_dh_8192 == NULL) {
-+ local_dh_8192 = ssl_get_dh_8192();
-+ }
-+ }
-+ }
-+ }
-+#endif /* OPENSSL_NO_DH */
-+
- SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
---
-1.8.5.5
-
+++ /dev/null
-From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 15 Jul 2014 21:34:06 +0200
-Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
- version of base32
-
-We're using the internal memory representation of base32 here, which is
-wrong since these data might be exported to headers for logs or be used
-to stick to a server and replicated to other peers. Let's convert base32
-to big endian (network representation) when building the binary block.
-
-This mistake is also present in 1.5, it would be better to backport it.
-(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
----
- src/proto_http.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 94afed7..b7ed85d 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
- return 0;
-
- temp = get_trash_chunk();
-- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
-- temp->len += sizeof(smp->data.uint);
-+ *(unsigned int *)temp->str = htonl(smp->data.uint);
-+ temp->len += sizeof(unsigned int);
-
- switch (cli_conn->addr.from.ss_family) {
- case AF_INET:
---
-1.8.5.5
-
+++ /dev/null
-From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
-From: Dave McCowan <11235david@gmail.com>
-Date: Thu, 17 Jul 2014 14:34:01 -0400
-Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
- building a proxy v2 header
-
-Use temporary trash chunk, instead of global trash chunk in
-make_proxy_line_v2() to avoid memory overwrite.
-
-This fix must also be backported to 1.5.
-(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
----
- src/connection.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/connection.c b/src/connection.c
-index 20a911b..3435b1a 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- char *value = NULL;
- struct tlv_ssl *tlv;
- int ssl_tlv_len = 0;
-+ struct chunk *cn_trash;
- #endif
-
- if (buf_len < PP2_HEADER_LEN)
-@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- tlv->verify = htonl(ssl_sock_get_verify_result(remote));
- }
- if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
-- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
-- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
-+ cn_trash = get_trash_chunk();
-+ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
-+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
- ssl_tlv_len += tlv_len;
- }
- }
---
-1.8.5.5
-
+++ /dev/null
-From 04b80cd29b23d02f373c095569e871275d128b43 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sat, 19 Jul 2014 06:37:33 +0200
-Subject: [PATCH 6/6] BUG/MEDIUM: connection: fix proxy v2 header again!
-
-Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption
-when building a proxy v2 header") was wrong, using &cn_trash instead
-of cn_trash resulting in a warning and the client's SSL cert CN not
-being stored at the proper location.
-
-Thanks to Lukas Tribus for spotting this quickly.
-
-This should be backported to 1.5 after the patch above is backported.
-(cherry picked from commit 3b9a0c9d4d083d749846d66f9bd4caabafe4ee78)
----
- src/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/connection.c b/src/connection.c
-index 3435b1a..2dd2c02 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -684,7 +684,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- }
- if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- cn_trash = get_trash_chunk();
-- if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
-+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
- ssl_tlv_len += tlv_len;
- }
---
-1.8.5.5
-
projects / feed / packages.git / commitdiff