PKG_NAME:=haproxy
PKG_VERSION:=1.5.8
-PKG_RELEASE:=00
+PKG_RELEASE:=06
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
--- /dev/null
+From 184422d39df1aa27e6ef4c1ae75177489147ec99 Mon Sep 17 00:00:00 2001
+From: Arcadiy Ivanov <arcadiy.ivanov@servicemesh.com>
+Date: Tue, 4 Nov 2014 07:06:13 -0500
+Subject: [PATCH 1/6] BUILD: fix "make install" to support spaces in the
+ install dirs
+
+Makefile is unable to install into directories containing spaces.
+(cherry picked from commit 3785311e64792787de78370fa126fd806734f7fe)
+---
+ Makefile | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 707037b..9556069 100644
+--- a/Makefile
++++ b/Makefile
+@@ -710,19 +710,19 @@ src/dlmalloc.o: $(DLMALLOC_SRC)
+ $(CC) $(COPTS) -DDEFAULT_MMAP_THRESHOLD=$(DLMALLOC_THRES) -c -o $@ $<
+
+ install-man:
+- install -d $(DESTDIR)$(MANDIR)/man1
+- install -m 644 doc/haproxy.1 $(DESTDIR)$(MANDIR)/man1
++ install -d "$(DESTDIR)$(MANDIR)"/man1
++ install -m 644 doc/haproxy.1 "$(DESTDIR)$(MANDIR)"/man1
+
+ install-doc:
+- install -d $(DESTDIR)$(DOCDIR)
++ install -d "$(DESTDIR)$(DOCDIR)"
+ for x in configuration architecture haproxy-en haproxy-fr; do \
+- install -m 644 doc/$$x.txt $(DESTDIR)$(DOCDIR) ; \
++ install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
+ done
+
+ install-bin: haproxy haproxy-systemd-wrapper
+- install -d $(DESTDIR)$(SBINDIR)
+- install haproxy $(DESTDIR)$(SBINDIR)
+- install haproxy-systemd-wrapper $(DESTDIR)$(SBINDIR)
++ install -d "$(DESTDIR)$(SBINDIR)"
++ install haproxy "$(DESTDIR)$(SBINDIR)"
++ install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)"
+
+ install: install-bin install-man install-doc
+
+--
+2.0.4
+
--- /dev/null
+From 90951497008967f10ba8f9927b53c6e6bc138540 Mon Sep 17 00:00:00 2001
+From: Emeric Brun <ebrun@haproxy.comw>
+Date: Wed, 12 Nov 2014 17:35:37 +0100
+Subject: [PATCH 2/6] BUG/MEDIUM: ssl: fix bad ssl context init can cause
+ segfault in case of OOM.
+
+Some SSL context's init functions errors were not handled and
+can cause a segfault due to an incomplete SSL context
+initialization.
+
+This fix must be backported to 1.5.
+(cherry picked from commit 5547615cdac377797ae351a2e024376dbf6d6963)
+---
+ src/ssl_sock.c | 44 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index f8bfbe7..620609f 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2040,15 +2040,29 @@ static int ssl_sock_init(struct connection *conn)
+ return -1;
+ }
+
+- SSL_set_connect_state(conn->xprt_ctx);
+- if (objt_server(conn->target)->ssl_ctx.reused_sess)
+- SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess);
+-
+ /* set fd on SSL session context */
+- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
++ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
++ SSL_free(conn->xprt_ctx);
++ conn->xprt_ctx = NULL;
++ conn->err_code = CO_ER_SSL_NO_MEM;
++ return -1;
++ }
+
+ /* set connection pointer */
+- SSL_set_app_data(conn->xprt_ctx, conn);
++ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
++ SSL_free(conn->xprt_ctx);
++ conn->xprt_ctx = NULL;
++ conn->err_code = CO_ER_SSL_NO_MEM;
++ return -1;
++ }
++
++ SSL_set_connect_state(conn->xprt_ctx);
++ if (objt_server(conn->target)->ssl_ctx.reused_sess) {
++ if(!SSL_set_session(conn->xprt_ctx, objt_server(conn->target)->ssl_ctx.reused_sess)) {
++ SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
++ objt_server(conn->target)->ssl_ctx.reused_sess = NULL;
++ }
++ }
+
+ /* leave init state and start handshake */
+ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+@@ -2065,13 +2079,23 @@ static int ssl_sock_init(struct connection *conn)
+ return -1;
+ }
+
+- SSL_set_accept_state(conn->xprt_ctx);
+-
+ /* set fd on SSL session context */
+- SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd);
++ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
++ SSL_free(conn->xprt_ctx);
++ conn->xprt_ctx = NULL;
++ conn->err_code = CO_ER_SSL_NO_MEM;
++ return -1;
++ }
+
+ /* set connection pointer */
+- SSL_set_app_data(conn->xprt_ctx, conn);
++ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
++ SSL_free(conn->xprt_ctx);
++ conn->xprt_ctx = NULL;
++ conn->err_code = CO_ER_SSL_NO_MEM;
++ return -1;
++ }
++
++ SSL_set_accept_state(conn->xprt_ctx);
+
+ /* leave init state and start handshake */
+ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+--
+2.0.4
+
--- /dev/null
+From 9bcc01ae25985dd540080f43b160beab1f1a2bc6 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 13 Nov 2014 13:48:58 +0100
+Subject: [PATCH 3/6] BUG/MEDIUM: ssl: force a full GC in case of memory
+ shortage
+
+When memory becomes scarce and openssl refuses to allocate a new SSL
+session, it is worth freeing the pools and trying again instead of
+rejecting all incoming SSL connection. This can happen when some
+memory usage limits have been assigned to the haproxy process using
+-m or with ulimit -m/-v.
+
+This is mostly an enhancement of previous fix and is worth backporting
+to 1.5.
+(cherry picked from commit fba03cdc5ac6e3ca318b34915596cbc0a0dacc55)
+---
+ src/ssl_sock.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 620609f..f50efe5 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2033,9 +2033,16 @@ static int ssl_sock_init(struct connection *conn)
+ /* If it is in client mode initiate SSL session
+ in connect state otherwise accept state */
+ if (objt_server(conn->target)) {
++ int may_retry = 1;
++
++ retry_connect:
+ /* Alloc a new SSL session ctx */
+ conn->xprt_ctx = SSL_new(objt_server(conn->target)->ssl_ctx.ctx);
+ if (!conn->xprt_ctx) {
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_connect;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+@@ -2044,6 +2051,10 @@ static int ssl_sock_init(struct connection *conn)
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_connect;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+@@ -2052,6 +2063,10 @@ static int ssl_sock_init(struct connection *conn)
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_connect;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+@@ -2072,9 +2087,16 @@ static int ssl_sock_init(struct connection *conn)
+ return 0;
+ }
+ else if (objt_listener(conn->target)) {
++ int may_retry = 1;
++
++ retry_accept:
+ /* Alloc a new SSL session ctx */
+ conn->xprt_ctx = SSL_new(objt_listener(conn->target)->bind_conf->default_ctx);
+ if (!conn->xprt_ctx) {
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_accept;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+@@ -2083,6 +2105,10 @@ static int ssl_sock_init(struct connection *conn)
+ if (!SSL_set_fd(conn->xprt_ctx, conn->t.sock.fd)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_accept;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+@@ -2091,6 +2117,10 @@ static int ssl_sock_init(struct connection *conn)
+ if (!SSL_set_app_data(conn->xprt_ctx, conn)) {
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
++ if (may_retry--) {
++ pool_gc2();
++ goto retry_accept;
++ }
+ conn->err_code = CO_ER_SSL_NO_MEM;
+ return -1;
+ }
+--
+2.0.4
+
--- /dev/null
+From 1f96a87c4e1412ccdc6cfe81bfd6f20a1782886a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
+Date: Sat, 15 Nov 2014 22:41:27 +0100
+Subject: [PATCH 4/6] BUG/MEDIUM: checks: fix conflicts between agent checks
+ and ssl healthchecks
+
+Lasse Birnbaum Jensen reported an issue when agent checks are used at the same
+time as standard healthchecks when SSL is enabled on the server side.
+
+The symptom is that agent checks try to communicate in SSL while it should
+manage raw data. This happens because the transport layer is shared between all
+kind of checks.
+
+To fix the issue, the transport layer is now stored in each check type,
+allowing to use SSL healthchecks when required, while an agent check should
+always use the raw_sock implementation.
+
+The fix must be backported to 1.5.
+(cherry picked from commit 9ce1311ebc834e20addc7a8392c0fc4e4ad687b7)
+---
+ include/types/checks.h | 3 ++-
+ include/types/server.h | 1 -
+ src/checks.c | 2 +-
+ src/server.c | 2 +-
+ src/ssl_sock.c | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/types/checks.h b/include/types/checks.h
+index a50043b..42b7b07 100644
+--- a/include/types/checks.h
++++ b/include/types/checks.h
+@@ -125,6 +125,7 @@ enum {
+ };
+
+ struct check {
++ struct xprt_ops *xprt; /* transport layer operations for health checks */
+ struct connection *conn; /* connection state for health checks */
+ unsigned short port; /* the port to use for the health checks */
+ struct buffer *bi, *bo; /* input and output buffers to send/recv check */
+@@ -132,7 +133,7 @@ struct check {
+ struct timeval start; /* last health check start time */
+ long duration; /* time in ms took to finish last health check */
+ short status, code; /* check result, check code */
+- char desc[HCHK_DESC_LEN]; /* health check descritpion */
++ char desc[HCHK_DESC_LEN]; /* health check description */
+ int use_ssl; /* use SSL for health checks */
+ int send_proxy; /* send a PROXY protocol header with checks */
+ struct tcpcheck_rule *current_step; /* current step when using tcpcheck */
+diff --git a/include/types/server.h b/include/types/server.h
+index 313f58d..c419b40 100644
+--- a/include/types/server.h
++++ b/include/types/server.h
+@@ -194,7 +194,6 @@ struct server {
+
+ struct { /* configuration used by health-check and agent-check */
+ struct protocol *proto; /* server address protocol for health checks */
+- struct xprt_ops *xprt; /* transport layer operations for health checks */
+ struct sockaddr_storage addr; /* the address to check, if different from <addr> */
+ } check_common;
+
+diff --git a/src/checks.c b/src/checks.c
+index 5318f35..84bf0e5 100644
+--- a/src/checks.c
++++ b/src/checks.c
+@@ -1413,7 +1413,7 @@ static int connect_chk(struct task *t)
+
+ /* prepare a new connection */
+ conn_init(conn);
+- conn_prepare(conn, s->check_common.proto, s->check_common.xprt);
++ conn_prepare(conn, s->check_common.proto, check->xprt);
+ conn_attach(conn, check, &check_conn_cb);
+ conn->target = &s->obj_type;
+
+diff --git a/src/server.c b/src/server.c
+index fdb63cc..94a31b6 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -929,7 +929,7 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
+
+ newsrv->addr = *sk;
+ newsrv->proto = newsrv->check_common.proto = protocol_by_family(newsrv->addr.ss_family);
+- newsrv->xprt = newsrv->check_common.xprt = &raw_sock;
++ newsrv->xprt = newsrv->check.xprt = newsrv->agent.xprt = &raw_sock;
+
+ if (!newsrv->proto) {
+ Alert("parsing [%s:%d] : Unknown protocol family %d '%s'\n",
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index f50efe5..b73d6f9 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -1812,7 +1812,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
+ if (srv->use_ssl)
+ srv->xprt = &ssl_sock;
+ if (srv->check.use_ssl)
+- srv->check_common.xprt = &ssl_sock;
++ srv->check.xprt = &ssl_sock;
+
+ srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
+ if (!srv->ssl_ctx.ctx) {
+--
+2.0.4
+
--- /dev/null
+From cac307c020db7a938b73d4fef27a3b4ad2ecdf6a Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 18 Nov 2014 15:04:29 +0100
+Subject: [PATCH 5/6] BUG/MINOR: config: don't inherit the default balance
+ algorithm in frontends
+
+Tom Limoncelli from Stack Exchange reported a minor bug : the frontend
+inherits the LB parameters from the defaults sections. The impact is
+that if a "balance" directive uses any L7 parameter in the defaults
+sections and the frontend is in TCP mode, a warning is emitted about
+their incompatibility. The warning is harmless but a valid, sane config
+should never cause any warning to be reported.
+
+This fix should be backported into 1.5 and possibly 1.4.
+(cherry picked from commit 743c128580ee29c8f073b4a29771a5ce715f3721)
+---
+ src/cfgparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index 392a692..40d20ab 100644
+--- a/src/cfgparse.c
++++ b/src/cfgparse.c
+@@ -2003,7 +2003,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
+ curproxy->no_options = defproxy.no_options;
+ curproxy->no_options2 = defproxy.no_options2;
+ curproxy->bind_proc = defproxy.bind_proc;
+- curproxy->lbprm.algo = defproxy.lbprm.algo;
+ curproxy->except_net = defproxy.except_net;
+ curproxy->except_mask = defproxy.except_mask;
+ curproxy->except_to = defproxy.except_to;
+@@ -2037,6 +2036,7 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
+ }
+
+ if (curproxy->cap & PR_CAP_BE) {
++ curproxy->lbprm.algo = defproxy.lbprm.algo;
+ curproxy->fullconn = defproxy.fullconn;
+ curproxy->conn_retries = defproxy.conn_retries;
+ curproxy->max_ka_queue = defproxy.max_ka_queue;
+--
+2.0.4
+
--- /dev/null
+From 8ba50128832bb31e95f06fe4cb2bd172f2b945fe Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 18 Nov 2014 18:49:19 +0100
+Subject: [PATCH 6/6] BUG/MAJOR: frontend: initialize capture pointers earlier
+
+Denys Fedoryshchenko reported and diagnosed a nasty bug caused by TCP
+captures, introduced in late 1.5-dev by commit 18bf01e ("MEDIUM: tcp:
+add a new tcp-request capture directive"). The problem is that we're
+using the array of capture pointers initially designed for HTTP usage
+only, and that this array was only reset when starting to process an
+HTTP request. In a tcp-only frontend, the pointers are not reset, and
+if the capture pool is shared, we can very well point to whatever other
+memory location, resulting in random crashes when tcp-request content
+captures are processed.
+
+The fix simply consists in initializing these pointers when the pools
+are prepared.
+
+A workaround for existing versions consists in either disabling TCP
+captures in tcp-only frontends, or in forcing the frontends to work in
+HTTP mode.
+
+Thanks to Denys for the amount of testing and detailed reports.
+
+This fix must be backported to 1.5.
+(cherry picked from commit 9654e57fac86c773091b892f42015ba2ba56be5a)
+---
+ src/frontend.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/frontend.c b/src/frontend.c
+index 3f80774..2928047 100644
+--- a/src/frontend.c
++++ b/src/frontend.c
+@@ -106,11 +106,17 @@ int frontend_accept(struct session *s)
+ if (global.tune.client_rcvbuf)
+ setsockopt(cfd, SOL_SOCKET, SO_RCVBUF, &global.tune.client_rcvbuf, sizeof(global.tune.client_rcvbuf));
+
+- if (unlikely(s->fe->nb_req_cap > 0 && (s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL))
+- goto out_return; /* no memory */
++ if (unlikely(s->fe->nb_req_cap > 0)) {
++ if ((s->txn.req.cap = pool_alloc2(s->fe->req_cap_pool)) == NULL)
++ goto out_return; /* no memory */
++ memset(s->txn.req.cap, 0, s->fe->nb_req_cap * sizeof(void *));
++ }
+
+- if (unlikely(s->fe->nb_rsp_cap > 0 && (s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL))
+- goto out_free_reqcap; /* no memory */
++ if (unlikely(s->fe->nb_rsp_cap > 0)) {
++ if ((s->txn.rsp.cap = pool_alloc2(s->fe->rsp_cap_pool)) == NULL)
++ goto out_free_reqcap; /* no memory */
++ memset(s->txn.rsp.cap, 0, s->fe->nb_rsp_cap * sizeof(void *));
++ }
+
+ if (s->fe->http_needed) {
+ /* we have to allocate header indexes only if we know
+--
+2.0.4
+
projects / feed / packages.git / commitdiff