include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=2.0.1
+PKG_VERSION:=2.0.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/2.0/src
-PKG_HASH:=9975c475ba6f19aac4b665d8705f7b9f7911df7fc316ba7b9efd6fe263181eb1
+PKG_HASH:=aac1ff3e5079997985b6560f46bf265447d0cd841f11c4d77f15942c9fe4b770
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>, \
#!/bin/bash
CLONEURL=http://git.haproxy.org/git/haproxy-2.0.git
-BASE_TAG=v2.0.1
+BASE_TAG=v2.0.3
TMP_REPODIR=tmprepo
PATCHESDIR=patches
+++ /dev/null
-commit 1bd140ea3fab97ccd37adf9d0c106d52af9e53fa
-Author: William Lallemand <wlallemand@haproxy.com>
-Date: Mon Jul 1 10:56:15 2019 +0200
-
- BUG/MINOR: mworker/cli: don't output a \n before the response
-
- When using a level lower than admin on the master CLI, a \n is output
- before the response, this is caused by the response of the "operator" or
- "user" that are sent before the actual command.
-
- To fix this problem we introduce the flag APPCTX_CLI_ST1_NOLF which ask
- a command response to not be followed by the final \n.
- This patch made a special case with the command operator and user
- followed by a - so they are not followed by \n.
-
- This patch must be backported to 2.0 and 1.9.
-
- (cherry picked from commit ad03288e6b28d816abb443cf8c6d984a72bb91a6)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/include/types/applet.h b/include/types/applet.h
-index c9e02d17..1f3a4983 100644
---- a/include/types/applet.h
-+++ b/include/types/applet.h
-@@ -50,6 +50,7 @@ struct applet {
-
- #define APPCTX_CLI_ST1_PROMPT (1 << 0)
- #define APPCTX_CLI_ST1_PAYLOAD (1 << 1)
-+#define APPCTX_CLI_ST1_NOLF (1 << 2)
-
- /* Context of a running applet. */
- struct appctx {
-diff --git a/src/cli.c b/src/cli.c
-index 44ddc7bf..9a9f80f9 100644
---- a/src/cli.c
-+++ b/src/cli.c
-@@ -821,7 +821,7 @@ static void cli_io_handler(struct appctx *appctx)
- prompt = "\n> ";
- }
- else {
-- if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD))
-+ if (!(appctx->st1 & (APPCTX_CLI_ST1_PAYLOAD|APPCTX_CLI_ST1_NOLF)))
- prompt = "\n";
- }
-
-@@ -848,6 +848,8 @@ static void cli_io_handler(struct appctx *appctx)
-
- /* switch state back to GETREQ to read next requests */
- appctx->st0 = CLI_ST_GETREQ;
-+ /* reactivate the \n at the end of the response for the next command */
-+ appctx->st1 &= ~APPCTX_CLI_ST1_NOLF;
- }
- }
-
-@@ -1442,6 +1444,10 @@ static int cli_parse_show_lvl(char **args, char *payload, struct appctx *appctx,
- /* parse and set the CLI level dynamically */
- static int cli_parse_set_lvl(char **args, char *payload, struct appctx *appctx, void *private)
- {
-+ /* this will ask the applet to not output a \n after the command */
-+ if (!strcmp(args[1], "-"))
-+ appctx->st1 |= APPCTX_CLI_ST1_NOLF;
-+
- if (!strcmp(args[0], "operator")) {
- if (!cli_has_level(appctx, ACCESS_LVL_OPER)) {
- return 1;
-@@ -2097,11 +2103,11 @@ int pcli_parse_request(struct stream *s, struct channel *req, char **errmsg, int
- if (pcli_has_level(s, ACCESS_LVL_ADMIN)) {
- goto end;
- } else if (pcli_has_level(s, ACCESS_LVL_OPER)) {
-- ci_insert_line2(req, 0, "operator", strlen("operator"));
-- ret += strlen("operator") + 2;
-+ ci_insert_line2(req, 0, "operator -", strlen("operator -"));
-+ ret += strlen("operator -") + 2;
- } else if (pcli_has_level(s, ACCESS_LVL_USER)) {
-- ci_insert_line2(req, 0, "user", strlen("user"));
-- ret += strlen("user") + 2;
-+ ci_insert_line2(req, 0, "user -", strlen("user -"));
-+ ret += strlen("user -") + 2;
- }
- }
- end:
--- /dev/null
+--- a/Makefile
++++ b/Makefile
+@@ -327,6 +327,15 @@ ifeq ($(TARGET),linux-glibc)
+ USE_GETADDRINFO)
+ endif
+
++# For linux >= 2.6.28 and uclibc
++ifeq ($(TARGET),linux-uclibc)
++ set_target_defaults = $(call default_opts, \
++ USE_POLL USE_TPROXY USE_DL USE_RT USE_NETFILTER \
++ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY \
++ USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \
++ USE_GETADDRINFO)
++endif
++
+ # Solaris 8 and above
+ ifeq ($(TARGET),solaris)
+ # We also enable getaddrinfo() which works since solaris 8.
+++ /dev/null
-commit aa2ecea6f711f50192476b26a5b1d767108bd761
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Fri Jun 28 14:10:33 2019 +0200
-
- BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.
-
- Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however
- check-alpn failed to check if the connection was indeed using SSL, and thus,
- would crash if check-alpn was used on a non-SSL connection. Fix this by
- making sure the connection uses SSL before attempting to set the ALPN.
-
- This should be backported to 2.0 and 1.9.
-
- (cherry picked from commit e488ea865a433d93efcb14c0c602918070c6b208)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 05240063..c9fffbec 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l
- #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
- struct ssl_sock_ctx *ctx = conn->xprt_ctx;
-
-+ if (!ssl_sock_is_ssl(conn))
-+ return;
-+
- SSL_set_alpn_protos(ctx->ssl, alpn, len);
- #endif
- }
--- /dev/null
+--- a/include/common/openssl-compat.h
++++ b/include/common/openssl-compat.h
+@@ -217,7 +217,8 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey)
+ #define TLSEXT_signature_ecdsa 3
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
++ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
+ #define X509_getm_notBefore X509_get_notBefore
+ #define X509_getm_notAfter X509_get_notAfter
+ #endif
+++ /dev/null
-commit 9fa93f6220a374f724491fd781d44d31f307671f
-Author: Christopher Faulet <cfaulet@haproxy.com>
-Date: Fri Jun 28 17:41:42 2019 +0200
-
- BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported
-
- We must take care of this when the stream is detached from the
- connection. Otherwise, on the server side, the connexion is inserted in the list
- of idle connections of the session. But when reused, because the shutdown for
- writes was already catched, nothing is sent to the server and the session is
- blocked with a freezed connection.
-
- This patch must be backported to 2.0 and 1.9. It is related to the issue #136
- reported on Github.
-
- (cherry picked from commit 3ac0f43020e1cd77198020201e4e482a1c2ef8ac)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/mux_h1.c b/src/mux_h1.c
-index 3d2bd8b8..e497e6f6 100644
---- a/src/mux_h1.c
-+++ b/src/mux_h1.c
-@@ -2192,9 +2192,9 @@ static void h1_detach(struct conn_stream *cs)
- }
- }
-
-- /* We don't want to close right now unless the connection is in error */
-- if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) ||
-- (h1c->conn->flags & CO_FL_ERROR) || !h1c->conn->owner)
-+ /* We don't want to close right now unless the connection is in error or shut down for writes */
-+ if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTW_NOW|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) ||
-+ (h1c->conn->flags & (CO_FL_ERROR|CO_FL_SOCK_WR_SH)) || !h1c->conn->owner)
- h1_release(h1c);
- else {
- tasklet_wakeup(h1c->wait_event.tasklet);
+++ /dev/null
-commit afc313e6cd4be32f3c3d212e875d4dbcef8a0c70
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Jul 1 07:51:29 2019 +0200
-
- BUG/MEDIUM: checks: unblock signals in external checks
-
- As discussed in issue #140, processes are forked with signals blocked
- resulting in haproxy's kill being ignored. This happens when the command
- takes more time to complete than the configured check timeout or interval.
- Just calling "sleep 30" every second makes the problem obvious.
-
- The fix simply consists in unblocking the signals in the child after the
- fork. It needs to be backported to all stable branches containing external
- checks and where signals are blocked on startup. It's unclear when it
- started, but the following config exhibits the issue :
-
- global
- external-check
-
- listen www
- bind :8001
- timeout client 5s
- timeout server 5s
- timeout connect 5s
- option external-check
- external-check command "$PWD/sleep10.sh"
- server local 127.0.0.1:80 check inter 200
-
- $ cat sleep10.sh
- #!/bin/sh
- exec /bin/sleep 10
-
- The "sleep" processes keep accumulating for 10 seconds and stabilize
- around 25 when the bug is present. Just issuing "killall sleep" has no
- effect on them, and stopping haproxy leaves these processes behind.
-
- (cherry picked from commit 2df8cad0fea2d1a4ca8dd58f384df3c3c3f5d7ee)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/checks.c b/src/checks.c
-index c175a752..e31eb173 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1997,6 +1997,7 @@ static int connect_proc_chk(struct task *t)
-
- environ = check->envp;
- extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf)));
-+ haproxy_unblock_signals();
- execvp(px->check_command, check->argv);
- ha_alert("Failed to exec process for external health check: %s. Aborting.\n",
- strerror(errno));
+++ /dev/null
-commit 52131680c42ddbfa6f2b5d109ffc79c28f44e42a
-Author: Christopher Faulet <cfaulet@haproxy.com>
-Date: Thu Jun 27 17:40:14 2019 +0200
-
- BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages
-
- Unlike H1, H2 messages may contains trailers while the header "Content-Length"
- is set. Indeed, because of the framed structure of HTTP/2, it is no longer
- necessary to use the chunked transfer encoding. So Trailing HEADERS frames,
- after all DATA frames, may be added on messages with an explicit content length.
-
- But in H1, it is impossible to have trailers on non-chunked messages. So when
- outgoing messages are formatted by the H1 multiplexer, if the message is not
- chunked, all trailers must be dropped.
-
- This patch must be backported to 2.0 and 1.9. However, the patch will have to be
- adapted for the 1.9.
-
- (cherry picked from commit 5433a0b0215c791b4165bddd360a254fa141c6e9)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
-diff --git a/src/mux_h1.c b/src/mux_h1.c
-index e497e6f6..e7d769b4 100644
---- a/src/mux_h1.c
-+++ b/src/mux_h1.c
-@@ -1696,7 +1696,9 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
- goto done;
- }
- else if (type == HTX_BLK_EOT || type == HTX_BLK_TLR) {
-- if (!chunk_memcat(&tmp, "0\r\n", 3))
-+ /* If the message is not chunked, never
-+ * add the last chunk. */
-+ if ((h1m->flags & H1_MF_CHNK) && !chunk_memcat(&tmp, "0\r\n", 3))
- goto copy;
- goto trailers;
- }
-@@ -1715,6 +1717,11 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
- goto error;
- trailers:
- h1m->state = H1_MSG_TRAILERS;
-+ /* If the message is not chunked, ignore
-+ * trailers. It may happen with H2 messages. */
-+ if (!(h1m->flags & H1_MF_CHNK))
-+ break;
-+
- if (type == HTX_BLK_EOT) {
- if (!chunk_memcat(&tmp, "\r\n", 2))
- goto copy;
+++ /dev/null
-commit 33d58b51e0f1bf68603aa86c9125ae75d6964454
-Author: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon Jul 1 16:17:30 2019 +0200
-
- BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses
-
- HEAD responses must not have any body payload. But, because of a bug, for chunk
- reponses, the empty chunk was always added.
-
- This patch fixes the Github issue #146. It must be backported to 2.0 and 1.9.
-
- (cherry picked from commit b8fc304e8f996f0d9835e4d6524ef8961d3be076)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
-diff --git a/src/mux_h1.c b/src/mux_h1.c
-index e7d769b4..37cc8252 100644
---- a/src/mux_h1.c
-+++ b/src/mux_h1.c
-@@ -1682,6 +1682,8 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
- h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR);
- h1s->flags &= ~H1S_F_HAVE_O_CONN;
- }
-+ else if ((h1m->flags & H1_MF_RESP) && h1s->meth == HTTP_METH_HEAD)
-+ h1m->state = H1_MSG_DONE;
- else
- h1m->state = H1_MSG_DATA;
- break;
+++ /dev/null
---- a/Makefile
-+++ b/Makefile
-@@ -327,6 +327,15 @@ ifeq ($(TARGET),linux-glibc)
- USE_GETADDRINFO)
- endif
-
-+# For linux >= 2.6.28 and uclibc
-+ifeq ($(TARGET),linux-uclibc)
-+ set_target_defaults = $(call default_opts, \
-+ USE_POLL USE_TPROXY USE_DL USE_RT USE_NETFILTER \
-+ USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY \
-+ USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \
-+ USE_GETADDRINFO)
-+endif
-+
- # Solaris 8 and above
- ifeq ($(TARGET),solaris)
- # We also enable getaddrinfo() which works since solaris 8.
+++ /dev/null
---- a/include/common/openssl-compat.h
-+++ b/include/common/openssl-compat.h
-@@ -217,7 +217,8 @@ static inline int EVP_PKEY_base_id(EVP_PKEY *pkey)
- #define TLSEXT_signature_ecdsa 3
- #endif
-
--#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L)
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
- #define X509_getm_notBefore X509_get_notBefore
- #define X509_getm_notAfter X509_get_notAfter
- #endif
projects / feed / packages.git / commitdiff