From 107b83e1defb65e2cf481edbace920f33bfd706b Mon Sep 17 00:00:00 2001
From: heil <heil@terminal-consulting.de>
Date: Wed, 2 Dec 2015 12:06:32 +0100
Subject: [PATCH] haproxy: bump to version 1.5.15  - integrate pending patches

Signed-off-by: heil <heil@terminal-consulting.de>
---
 net/haproxy/Makefile                          |   6 +-
 ...e-haproxy-systemd-wrapper-with-EXTRA.patch |  34 ++++++
 ...ssing-some-ARGC_-entries-in-fmt_dire.patch |  64 ----------
 ...on-t-use-record-layer-in-req_ssl_ver.patch |  69 +++++++++++
 ...-usesrc-root-privileges-requirements.patch |  27 -----
 ...abort-keep-alive-connections-on-serv.patch |  37 ++++++
 ...building-against-libssl-without-SSLv.patch |  51 --------
 ...switch-the-request-channel-to-no-del.patch | 112 ++++++++++++++++++
 ...OpenBSD-versions-where-haproxy-works.patch |  26 ----
 ...ttp-sample-gmtime-localtime-can-fail.patch |  33 ------
 ...end-the-default-max-hostname-length-.patch |  52 ++++++++
 ...don-t-enable-auto-close-on-the-respo.patch |  49 ++++++++
 ...OC-typo-in-redirect-302-code-meaning.patch |  27 -----
 ...eam-fix-half-closed-timeout-handling.patch |  88 ++++++++++++++
 ...n-that-ms-is-left-padded-with-zeroes.patch |  27 -----
 ...hanging-compression-rate-limiting-mu.patch |  36 ++++++
 ...UP-.gitignore-ignore-more-test-files.patch |  50 --------
 ...009-BUILD-freebsd-double-declaration.patch |  31 +++++
 ...re-finally-ignore-everything-but-wha.patch |  44 -------
 ...mple-urlp-can-t-match-an-empty-value.patch |  53 +++++++++
 ...it-a-warning-on-a-frontend-without-l.patch |  46 -------
 ...ers-ensure-that-src_-inc-clr-_gpc0-c.patch |  93 ---------------
 .../patches/0012-DOC-ssl-missing-LF.patch     |  27 -----
 ...of-http-request-using-ssl_fc_session.patch |  30 -----
 ...p-remove-stupid-HTTP_METH_NONE-entry.patch |  78 ------------
 ...on-t-call-http_send_name_header-afte.patch |  49 --------
 ...make-str2sa_range-report-unresolvabl.patch |  36 ------
 27 files changed, 564 insertions(+), 711 deletions(-)
 create mode 100644 net/haproxy/patches/0001-BUG-BUILD-replace-haproxy-systemd-wrapper-with-EXTRA.patch
 delete mode 100644 net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
 create mode 100644 net/haproxy/patches/0002-BUG-MINOR-acl-don-t-use-record-layer-in-req_ssl_ver.patch
 delete mode 100644 net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch
 create mode 100644 net/haproxy/patches/0003-BUG-http-do-not-abort-keep-alive-connections-on-serv.patch
 delete mode 100644 net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
 create mode 100644 net/haproxy/patches/0004-BUG-MEDIUM-http-switch-the-request-channel-to-no-del.patch
 delete mode 100644 net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
 delete mode 100644 net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
 create mode 100644 net/haproxy/patches/0005-MINOR-config-extend-the-default-max-hostname-length-.patch
 create mode 100644 net/haproxy/patches/0006-BUG-MEDIUM-http-don-t-enable-auto-close-on-the-respo.patch
 delete mode 100644 net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch
 create mode 100644 net/haproxy/patches/0007-BUG-MEDIUM-stream-fix-half-closed-timeout-handling.patch
 delete mode 100644 net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
 create mode 100644 net/haproxy/patches/0008-BUG-MEDIUM-cli-changing-compression-rate-limiting-mu.patch
 delete mode 100644 net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch
 create mode 100644 net/haproxy/patches/0009-BUILD-freebsd-double-declaration.patch
 delete mode 100644 net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
 create mode 100644 net/haproxy/patches/0010-BUG-MEDIUM-sample-urlp-can-t-match-an-empty-value.patch
 delete mode 100644 net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
 delete mode 100644 net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
 delete mode 100644 net/haproxy/patches/0012-DOC-ssl-missing-LF.patch
 delete mode 100644 net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
 delete mode 100644 net/haproxy/patches/0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
 delete mode 100644 net/haproxy/patches/0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
 delete mode 100644 net/haproxy/patches/0016-BUG-MINOR-tools-make-str2sa_range-report-unresolvabl.patch

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c5e1948df3..5138e7c3da 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
-PKG_VERSION:=1.5.14
-PKG_RELEASE:=16
+PKG_VERSION:=1.5.15
+PKG_RELEASE:=10
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_MD5SUM:=ad9d7262b96ba85a0f8c6acc6cb9edde
+PKG_MD5SUM:=eeaa35744f84c92184cd735ee56dd0a3
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
 PKG_LICENSE:=GPL-2.0
 
diff --git a/net/haproxy/patches/0001-BUG-BUILD-replace-haproxy-systemd-wrapper-with-EXTRA.patch b/net/haproxy/patches/0001-BUG-BUILD-replace-haproxy-systemd-wrapper-with-EXTRA.patch
new file mode 100644
index 0000000000..0a294674e6
--- /dev/null
+++ b/net/haproxy/patches/0001-BUG-BUILD-replace-haproxy-systemd-wrapper-with-EXTRA.patch
@@ -0,0 +1,34 @@
+From 4818bc3035bccc00d8c3fc9b14ec37366cac3059 Mon Sep 17 00:00:00 2001
+From: Jerome Duval <jerome.duval@gmail.com>
+Date: Mon, 2 Nov 2015 17:47:43 +0000
+Subject: [PATCH 01/10] BUG/BUILD: replace haproxy-systemd-wrapper with
+ $(EXTRA) in install-bin.
+
+[wt: this should be backported to 1.6 and 1.5 as well since some platforms
+ don't build the systemd-wrapper]
+(cherry picked from commit 796d2fc136359c31c5c35f00c0751890ab42a016)
+(cherry picked from commit 9d0b47d96825b0584ea81c826a96ed8babcc016b)
+---
+ Makefile | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9556069..e3199b2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -719,10 +719,9 @@ install-doc:
+ 		install -m 644 doc/$$x.txt "$(DESTDIR)$(DOCDIR)" ; \
+ 	done
+ 
+-install-bin: haproxy haproxy-systemd-wrapper
++install-bin: haproxy $(EXTRA)
+ 	install -d "$(DESTDIR)$(SBINDIR)"
+-	install haproxy "$(DESTDIR)$(SBINDIR)"
+-	install haproxy-systemd-wrapper "$(DESTDIR)$(SBINDIR)"
++	install haproxy $(EXTRA) "$(DESTDIR)$(SBINDIR)"
+ 
+ install: install-bin install-man install-doc
+ 
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch b/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
deleted file mode 100644
index 72db4528b8..0000000000
--- a/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From df0a5960987b3cb663dcfa93d29c21acc13cd3e3 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Thu, 9 Jul 2015 11:20:00 +0200
-Subject: [PATCH 1/4] BUG/MINOR: log: missing some ARGC_* entries in
- fmt_directives()
-
-ARGC_CAP was not added to fmt_directives() which is used to format
-error messages when failing to parse log format expressions. The
-whole switch/case has been reorganized to match the declaration
-order making it easier to spot missing values. The default is not
-the "log" directive anymore but "undefined" asking to report the
-bug.
-
-Backport to 1.5 is not strictly needed but is desirable at least
-for code sanity.
-(cherry picked from commit 53e1a6d31743b1bef6063ff30b812521391ae3c3)
----
- src/log.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/src/log.c b/src/log.c
-index 1a5ad25..f0a3072 100644
---- a/src/log.c
-+++ b/src/log.c
-@@ -167,22 +167,26 @@ struct logformat_var_args var_args_list[] = {
- static inline const char *fmt_directive(const struct proxy *curproxy)
- {
- 	switch (curproxy->conf.args.ctx) {
--	case ARGC_UIF:
--		return "unique-id-format";
-+	case ARGC_ACL:
-+		return "acl";
-+	case ARGC_STK:
-+		return "stick";
-+	case ARGC_TRK:
-+		return "track-sc";
-+	case ARGC_LOG:
-+		return "log-format";
- 	case ARGC_HRQ:
- 		return "http-request";
- 	case ARGC_HRS:
- 		return "http-response";
--	case ARGC_STK:
--		return "stick";
--	case ARGC_TRK:
--		return "track-sc"; break;
-+	case ARGC_UIF:
-+		return "unique-id-format";
- 	case ARGC_RDR:
--		return "redirect"; break;
--	case ARGC_ACL:
--		return "acl"; break;
-+		return "redirect";
-+	case ARGC_CAP:
-+		return "capture";
- 	default:
--		return "log-format";
-+		return "undefined(please report this bug)"; /* must never happen */
- 	}
- }
- 
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0002-BUG-MINOR-acl-don-t-use-record-layer-in-req_ssl_ver.patch b/net/haproxy/patches/0002-BUG-MINOR-acl-don-t-use-record-layer-in-req_ssl_ver.patch
new file mode 100644
index 0000000000..daac5d4b96
--- /dev/null
+++ b/net/haproxy/patches/0002-BUG-MINOR-acl-don-t-use-record-layer-in-req_ssl_ver.patch
@@ -0,0 +1,69 @@
+From 1af6a324c3206902f69bd2c9838e94ffb4cee3ae Mon Sep 17 00:00:00 2001
+From: Lukas Tribus <luky-37@hotmail.com>
+Date: Thu, 5 Nov 2015 13:59:30 +0100
+Subject: [PATCH 02/10] BUG/MINOR: acl: don't use record layer in req_ssl_ver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The initial record layer version in a SSL handshake may be set to TLSv1.0
+or similar for compatibility reasons, this is allowed as per RFC5246
+Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].
+
+A related issue has been fixed some time ago in commit 57d229747
+("BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version").
+
+Fix this by using the real client hello version instead of the record
+layer version.
+
+This was reported by Julien Vehent and analyzed by Cyril Bonté.
+The initial patch is from Julien Vehent as well.
+
+This should be backported to stable series, the req_ssl_ver keyword was
+first introduced in 1.3.16.
+
+[1] https://tools.ietf.org/html/rfc5246#appendix-E.1
+[2] https://github.com/openssl/openssl/commit/4a1cf50187659e60c5867ecbbc36e37b2605d2c3
+[3] https://bugzilla.mozilla.org/show_bug.cgi?id=774547
+(cherry picked from commit c93242cab986087f06a4655d14fec18eecb7f5f4)
+(cherry picked from commit b048a6eb3d9cb518e4a378e20ba2a801afec553c)
+---
+ src/payload.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/payload.c b/src/payload.c
+index f62163c..b8f1ca3 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -148,21 +148,24 @@ smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned in
+ 	data = (const unsigned char *)s->req->buf->p;
+ 	if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
+ 		/* SSLv3 header format */
+-		if (bleft < 5)
++		if (bleft < 11)
+ 			goto too_short;
+ 
+-		version = (data[1] << 16) + data[2]; /* version: major, minor */
++		version = (data[1] << 16) + data[2]; /* record layer version: major, minor */
+ 		msg_len = (data[3] <<  8) + data[4]; /* record length */
+ 
+ 		/* format introduced with SSLv3 */
+ 		if (version < 0x00030000)
+ 			goto not_ssl;
+ 
+-		/* message length between 1 and 2^14 + 2048 */
+-		if (msg_len < 1 || msg_len > ((1<<14) + 2048))
++		/* message length between 6 and 2^14 + 2048 */
++		if (msg_len < 6 || msg_len > ((1<<14) + 2048))
+ 			goto not_ssl;
+ 
+ 		bleft -= 5; data += 5;
++
++		/* return the client hello client version, not the record layer version */
++		version = (data[4] << 16) + data[5]; /* client hello version: major, minor */
+ 	} else {
+ 		/* SSLv2 header format, only supported for hello (msg type 1) */
+ 		int rlen, plen, cilen, silen, chlen;
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch b/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch
deleted file mode 100644
index 0af6565800..0000000000
--- a/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From ea31f225c2c93a25b8bef7a9241a89cecfd9d350 Mon Sep 17 00:00:00 2001
-From: Baptiste Assmann <bedis9@gmail.com>
-Date: Fri, 17 Jul 2015 21:59:42 +0200
-Subject: [PATCH 2/4] DOC: usesrc root privileges requirements
-
-The "usesrc" parameter of the source statement requires root privileges.
-(cherry picked from commit 91bd337d90cb347feda34b01402f3471c8a4833c)
----
- doc/configuration.txt | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 6714afb..64697a4 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -6117,6 +6117,8 @@ source <addr>[:<port>] [interface <name>]
-   is possible at the server level using the "source" server option. Refer to
-   section 5 for more information.
- 
-+  In order to work, "usesrc" requires root privileges.
-+
-   Examples :
-         backend private
-             # Connect to the servers using our 192.168.1.200 source address
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0003-BUG-http-do-not-abort-keep-alive-connections-on-serv.patch b/net/haproxy/patches/0003-BUG-http-do-not-abort-keep-alive-connections-on-serv.patch
new file mode 100644
index 0000000000..10fcc865f6
--- /dev/null
+++ b/net/haproxy/patches/0003-BUG-http-do-not-abort-keep-alive-connections-on-serv.patch
@@ -0,0 +1,37 @@
+From ef8a113d59e89b2214adf7ab9f9b0b75905a7050 Mon Sep 17 00:00:00 2001
+From: lsenta <laurent.senta@gmail.com>
+Date: Fri, 13 Nov 2015 10:44:22 +0100
+Subject: [PATCH 03/10] BUG: http: do not abort keep-alive connections on
+ server timeout
+
+When a server timeout is detected on the second or nth request of a keep-alive
+connection, HAProxy closes the connection without writing a response.
+Some clients would fail with a remote disconnected exception and some
+others would retry potentially unsafe requests.
+
+This patch removes the special case and makes sure a 504 timeout is
+written back whenever a server timeout is handled.
+
+Signed-off-by: lsenta <laurent.senta@gmail.com>
+(cherry picked from commit 1e1f41d0f3473d86da84dc3785b7d7cbef6e9044)
+(cherry picked from commit 1f279c0b116f7fbc208793fffbd256c3c736fc52)
+---
+ src/proto_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 17742c6..e7e1785 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -5782,8 +5782,6 @@ int http_wait_for_response(struct session *s, struct channel *rep, int an_bit)
+ 		else if (rep->flags & CF_READ_TIMEOUT) {
+ 			if (msg->err_pos >= 0)
+ 				http_capture_bad_message(&s->be->invalid_rep, s, msg, msg->msg_state, s->fe);
+-			else if (txn->flags & TX_NOT_FIRST)
+-				goto abort_keep_alive;
+ 
+ 			s->be->be_counters.failed_resp++;
+ 			if (objt_server(s->target)) {
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch b/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
deleted file mode 100644
index 074cedc84f..0000000000
--- a/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <jca@wxcvbn.org>
-Date: Sat, 25 Jul 2015 16:50:52 -0600
-Subject: [PATCH 3/4] BUILD: ssl: Allow building against libssl without SSLv3.
-
-If SSLv3 is explicitely requested but not available, warn the user and
-bail out.
-(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
----
- src/ssl_sock.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 7d77d36..2ae45ec 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
- 		ssloptions |= SSL_OP_NO_TLSv1_2;
- 	if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
- 		ssloptions |= SSL_OP_NO_TICKET;
--	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
-+	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
-+#ifndef OPENSSL_NO_SSL3
- 		SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
-+#else
-+		Alert("SSLv3 support requested but unavailable.\n");
-+		cfgerr++;
-+#endif
-+	}
- 	if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
- 		SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
- #if SSL_OP_NO_TLSv1_1
-@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
- 		options |= SSL_OP_NO_TLSv1_2;
- 	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
- 		options |= SSL_OP_NO_TICKET;
--	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
-+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
-+#ifndef OPENSSL_NO_SSL3
- 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
-+#else
-+		Alert("SSLv3 support requested but unavailable.");
-+		cfgerr++;
-+#endif
-+	}
- 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
- 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
- #if SSL_OP_NO_TLSv1_1
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-http-switch-the-request-channel-to-no-del.patch b/net/haproxy/patches/0004-BUG-MEDIUM-http-switch-the-request-channel-to-no-del.patch
new file mode 100644
index 0000000000..9f74e1fd0e
--- /dev/null
+++ b/net/haproxy/patches/0004-BUG-MEDIUM-http-switch-the-request-channel-to-no-del.patch
@@ -0,0 +1,112 @@
+From c0d56134320e507c82952f3d2a03f76b701945cb Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 18 Nov 2015 11:59:55 +0100
+Subject: [PATCH 04/10] BUG/MEDIUM: http: switch the request channel to
+ no-delay once done.
+
+There's an issue when sending POST data that came in a second packet,
+the CF_NEVER_WAIT flag is not always set on the request channel, while
+the server is waiting for the request. We must always set this flag in
+this case since we're not going to shut down after sending, contrary
+to the response side.
+
+Note that option http-no-delay works around this issue.
+
+Reproducer :
+
+listen  px
+        mode http
+        timeout client 10s
+        timeout server 5s
+        timeout connect 3s
+        option http-server-close
+        #option http-no-delay
+        bind :8001
+        server s1 127.0.0.1:8003
+
+$ (printf "POST / HTTP/1.1\r\nTransfer-encoding: chunked\r\n\r\n"; sleep 0.01; printf "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n") | nc6 0 8001
+
+Before this fix :
+
+12:03:31.946763 epoll_wait(3, {{EPOLLIN, {u32=5, u64=5}}}, 200, 1000) = 1
+12:03:32.634175 accept4(5, {sa_family=AF_INET, sin_port=htons(53849), sin_addr=inet_addr("127.0.0.1")}, [16], SOCK_NONBLOCK) = 6
+12:03:32.634318 setsockopt(6, SOL_TCP, TCP_NODELAY, [1], 4) = 0
+12:03:32.634434 accept4(5, 0x7ffccfbb2cf0, [128], SOCK_NONBLOCK) = -1 EAGAIN (Resource temporarily unavailable)
+12:03:32.634574 recvfrom(6, "POST / HTTP/1.1\r\nTransfer-encodi"..., 8192, 0, NULL, NULL) = 47
+12:03:32.634809 setsockopt(6, SOL_TCP, TCP_QUICKACK, [1], 4) = 0
+12:03:32.634952 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
+12:03:32.635031 fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
+12:03:32.635089 setsockopt(7, SOL_TCP, TCP_NODELAY, [1], 4) = 0
+12:03:32.635153 connect(7, {sa_family=AF_INET, sin_port=htons(8003), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
+12:03:32.635315 epoll_wait(3, {}, 200, 0) = 0
+12:03:32.635394 sendto(7, "POST / HTTP/1.1\r\nTransfer-encodi"..., 66, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 66
+12:03:32.635527 recvfrom(6, 0x7f0224e66024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
+12:03:32.635651 epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN|0x2000, {u32=6, u64=6}}) = 0
+12:03:32.635782 epoll_wait(3, {}, 200, 0) = 0
+12:03:32.635842 recvfrom(7, 0x7f0224e66024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
+12:03:32.635924 epoll_ctl(3, EPOLL_CTL_ADD, 7, {EPOLLIN|0x2000, {u32=7, u64=7}}) = 0
+12:03:32.636027 epoll_wait(3, {{EPOLLIN, {u32=6, u64=6}}}, 200, 1000) = 1
+12:03:32.644892 recvfrom(6, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 8192, 0, NULL, NULL) = 27
+12:03:32.645016 epoll_wait(3, {}, 200, 0) = 0
+12:03:32.645105 sendto(7, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 27, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE, NULL, 0) = 27
+
+After the fix :
+
+11:59:12.538617 connect(7, {sa_family=AF_INET, sin_port=htons(8003), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
+11:59:12.538787 epoll_wait(3, {}, 200, 0) = 0
+11:59:12.538867 sendto(7, "POST / HTTP/1.1\r\nTransfer-encodi"..., 66, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 66
+11:59:12.539031 recvfrom(6, 0x7f832ce45024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
+11:59:12.539161 epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN|0x2000, {u32=6, u64=6}}) = 0
+11:59:12.539259 epoll_wait(3, {}, 200, 0) = 0
+11:59:12.539337 recvfrom(7, 0x7f832ce45024, 8192, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
+11:59:12.539421 epoll_ctl(3, EPOLL_CTL_ADD, 7, {EPOLLIN|0x2000, {u32=7, u64=7}}) = 0
+11:59:12.539499 epoll_wait(3, {{EPOLLIN, {u32=6, u64=6}}}, 200, 1000) = 1
+11:59:12.548519 recvfrom(6, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 8192, 0, NULL, NULL) = 27
+11:59:12.548844 epoll_wait(3, {}, 200, 0) = 0
+11:59:12.549012 sendto(7, "10\r\nAZERTYUIOPQSDFGH\r\n0\r\n\r\n", 27, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 27
+11:59:12.549454 epoll_wait(3, {}, 200, 1000) = 0
+
+This fix must be backported to 1.6, 1.5 and 1.4.
+(cherry picked from commit 7f876a1eeb14ffae708327aad8a0b4b029da5e26)
+(cherry picked from commit 712a5339f384db62796aa4d4901e091dd7fd24dd)
+---
+ src/proto_http.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index e7e1785..b32e778 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -5001,6 +5001,13 @@ int http_sync_req_state(struct session *s)
+ 		 */
+ 		chn->cons->flags |= SI_FL_NOHALF;
+ 
++		/* In any case we've finished parsing the request so we must
++		 * disable Nagle when sending data because 1) we're not going
++		 * to shut this side, and 2) the server is waiting for us to
++		 * send pending data.
++		 */
++		chn->flags |= CF_NEVER_WAIT;
++
+ 		if (txn->rsp.msg_state == HTTP_MSG_ERROR)
+ 			goto wait_other_side;
+ 
+@@ -5015,7 +5022,6 @@ int http_sync_req_state(struct session *s)
+ 			/* if any side switches to tunnel mode, the other one does too */
+ 			channel_auto_read(chn);
+ 			txn->req.msg_state = HTTP_MSG_TUNNEL;
+-			chn->flags |= CF_NEVER_WAIT;
+ 			goto wait_other_side;
+ 		}
+ 
+@@ -5048,7 +5054,6 @@ int http_sync_req_state(struct session *s)
+ 			if ((txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_TUN) {
+ 				channel_auto_read(chn);
+ 				txn->req.msg_state = HTTP_MSG_TUNNEL;
+-				chn->flags |= CF_NEVER_WAIT;
+ 			}
+ 		}
+ 
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch b/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
deleted file mode 100644
index c769228fa5..0000000000
--- a/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From e4766ba031e1fea8f2ca139316dc4e8209e960c2 Mon Sep 17 00:00:00 2001
-From: Daniel Jakots <vigdis@chown.me>
-Date: Wed, 29 Jul 2015 08:03:08 +0200
-Subject: [PATCH 4/4] DOC/MINOR: fix OpenBSD versions where haproxy works
-
-(cherry picked from commit 17d228be14762b282e5262262c45ecee4c265552)
----
- README | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/README b/README
-index add7f06..e267730 100644
---- a/README
-+++ b/README
-@@ -39,7 +39,7 @@ and assign it to the TARGET variable :
-   - solaris     for Solaris 8 or 10 (others untested)
-   - freebsd     for FreeBSD 5 to 10 (others untested)
-   - osx         for Mac OS/X
--  - openbsd     for OpenBSD 3.1 to 5.2 (others untested)
-+  - openbsd     for OpenBSD 3.1 and above
-   - aix51       for AIX 5.1
-   - aix52       for AIX 5.2
-   - cygwin      for Cygwin
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch b/net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
deleted file mode 100644
index 23012ba0c6..0000000000
--- a/net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 955587271031d66e9b7a768e3bb18dae00b60cc6 Mon Sep 17 00:00:00 2001
-From: Thierry FOURNIER <tfournier@arpalert.org>
-Date: Wed, 8 Jul 2015 00:15:20 +0200
-Subject: [PATCH 05/13] BUG/MINOR: http/sample: gmtime/localtime can fail
-
-The man said that gmtime() and localtime() can return a NULL value.
-This is not tested. It appears that all the values of a 32 bit integer
-are valid, but it is better to check the return of these functions.
-
-However, if the integer move from 32 bits to 64 bits, some 64 values
-can be unsupported.
-(cherry picked from commit fac9ccfb705702f211f99e67d5f5d5129002086a)
-[wt: we only have sample_conv_date() in 1.5]
----
- src/proto_http.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 5db64b5..02dc42b 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -11249,6 +11249,8 @@ static int sample_conv_http_date(const struct arg *args, struct sample *smp)
- 		curr_date += args[0].data.sint;
- 
- 	tm = gmtime(&curr_date);
-+	if (!tm)
-+		return 0;
- 
- 	temp = get_trash_chunk();
- 	temp->len = snprintf(temp->str, temp->size - temp->len,
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0005-MINOR-config-extend-the-default-max-hostname-length-.patch b/net/haproxy/patches/0005-MINOR-config-extend-the-default-max-hostname-length-.patch
new file mode 100644
index 0000000000..69e8f4f7b7
--- /dev/null
+++ b/net/haproxy/patches/0005-MINOR-config-extend-the-default-max-hostname-length-.patch
@@ -0,0 +1,52 @@
+From e77015cdc18ab74aba61cdf57de56d06be5c2a4d Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 14 Jan 2015 11:48:58 +0100
+Subject: [PATCH 05/10] MINOR: config: extend the default max hostname length
+ to 64 and beyond
+
+Some users reported that the default max hostname length of 32 is too
+short in some environments. This patch does two things :
+
+  - it relies on the system's max hostname length as found in MAXHOSTNAMELEN
+    if it is set. This is the most logical thing to do as the system libs
+    generally present the appropriate value supported by the system. This
+    value is 64 on Linux and 256 on Solaris, to give a few examples.
+
+  - otherwise it defaults to 64
+
+It is still possible to override this value by defining MAX_HOSTNAME_LEN at
+build time. After some observation time, this patch may be backported to
+1.5 if it does not cause any build issue, as it is harmless and may help
+some users.
+(cherry picked from commit 75abcb3106e2c27ef983df885558cf94e01f717a)
+
+Cc: Lukas Tribus <luky-37@hotmail.com>
+Cc: jose.castro.leon@cern.ch
+
+[wt: no issue reported so far and Jose rightfully asked for it in 1.5]
+---
+ include/common/defaults.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/common/defaults.h b/include/common/defaults.h
+index 0075509..a191b8a 100644
+--- a/include/common/defaults.h
++++ b/include/common/defaults.h
+@@ -190,8 +190,12 @@
+ 
+ /* Maximum host name length */
+ #ifndef MAX_HOSTNAME_LEN
+-#define MAX_HOSTNAME_LEN	32
+-#endif
++#if MAXHOSTNAMELEN
++#define MAX_HOSTNAME_LEN	MAXHOSTNAMELEN
++#else
++#define MAX_HOSTNAME_LEN	64
++#endif // MAXHOSTNAMELEN
++#endif // MAX_HOSTNAME_LEN
+ 
+ /* Maximum health check description length */
+ #ifndef HCHK_DESC_LEN
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0006-BUG-MEDIUM-http-don-t-enable-auto-close-on-the-respo.patch b/net/haproxy/patches/0006-BUG-MEDIUM-http-don-t-enable-auto-close-on-the-respo.patch
new file mode 100644
index 0000000000..58d44f0437
--- /dev/null
+++ b/net/haproxy/patches/0006-BUG-MEDIUM-http-don-t-enable-auto-close-on-the-respo.patch
@@ -0,0 +1,49 @@
+From 3de8e7ab8d9125402cc1a8fb48ee475ee21d7d4c Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 25 Nov 2015 20:11:11 +0100
+Subject: [PATCH 06/10] BUG/MEDIUM: http: don't enable auto-close on the
+ response side
+
+There is a bug where "option http-keep-alive" doesn't force a response
+to stay in keep-alive if the server sends the FIN along with the response
+on the second or subsequent response. The reason is that the auto-close
+was forced enabled when recycling the HTTP transaction and it's never
+disabled along the response processing chain before the SHUTR gets a
+chance to be forwarded to the client side. The MSG_DONE state of the
+HTTP response properly disables it but too late.
+
+There's no more reason for enabling auto-close here, because either it
+doesn't matter in non-keep-alive modes because the connection is closed,
+or it is automatically enabled by process_stream() when it sees there's
+no analyser on the stream.
+
+This bug also affects 1.5 so a backport is desired.
+(cherry picked from commit 714ea78c9a09fe6a35a1f2d86af8f7fc9abb64d1)
+(cherry picked from commit a15091be17f27fcf4e3a84338df1a8b732e396a1)
+---
+ src/proto_http.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index b32e778..5facfbb 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -4946,11 +4946,13 @@ void http_end_txn_clean_session(struct session *s)
+ 			s->rep->flags |= CF_EXPECT_MORE;
+ 	}
+ 
+-	/* we're removing the analysers, we MUST re-enable events detection */
++	/* we're removing the analysers, we MUST re-enable events detection.
++	 * We don't enable close on the response channel since it's either
++	 * already closed, or in keep-alive with an idle connection handler.
++	 */
+ 	channel_auto_read(s->req);
+ 	channel_auto_close(s->req);
+ 	channel_auto_read(s->rep);
+-	channel_auto_close(s->rep);
+ 
+ 	/* we're in keep-alive with an idle connection, monitor it */
+ 	si_idle_conn(s->req->cons);
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch b/net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch
deleted file mode 100644
index 9b962807c8..0000000000
--- a/net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 6c7351bdd0778bc171a2b54faed058eadc8c9d0d Mon Sep 17 00:00:00 2001
-From: Baptiste Assmann <bedis9@gmail.com>
-Date: Mon, 3 Aug 2015 11:42:50 +0200
-Subject: [PATCH 06/13] DOC: typo in 'redirect', 302 code meaning
-
-302 means a temprary move, not a permanent one
-(cherry picked from commit ea849c0cca63b1b56c9c36f9c3504caa5e826816)
----
- doc/configuration.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 64697a4..e8d8b2a 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -5443,7 +5443,7 @@ redirect scheme   <sch> [code <code>] <option> [{if | unless} <condition>]
-               is desired. Only codes 301, 302, 303, 307 and 308 are supported,
-               with 302 used by default if no code is specified. 301 means
-               "Moved permanently", and a browser may cache the Location. 302
--              means "Moved permanently" and means that the browser should not
-+              means "Moved temporarily" and means that the browser should not
-               cache the redirection. 303 is equivalent to 302 except that the
-               browser will fetch the location with a GET method. 307 is just
-               like 302 but makes it clear that the same method must be reused.
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0007-BUG-MEDIUM-stream-fix-half-closed-timeout-handling.patch b/net/haproxy/patches/0007-BUG-MEDIUM-stream-fix-half-closed-timeout-handling.patch
new file mode 100644
index 0000000000..f80f1b5db7
--- /dev/null
+++ b/net/haproxy/patches/0007-BUG-MEDIUM-stream-fix-half-closed-timeout-handling.patch
@@ -0,0 +1,88 @@
+From 9154bc92ed11c6de75573dec341b6a0ce68bd0eb Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 25 Nov 2015 20:17:27 +0100
+Subject: [PATCH 07/10] BUG/MEDIUM: stream: fix half-closed timeout handling
+
+client-fin and server-fin are bogus. They are applied on the write
+side after a SHUTR was seen. The immediate effect is that sometimes
+if a SHUTR was seen after a SHUTW on the same side, the timeout is
+enabled again regardless of the fact that the output is already
+closed. This results in the timeout event not to be processed and
+a busy poll loop to happen until another timeout on the stream gets
+rid of it. Note that haproxy continues its job during this, it's just
+that it eats all the CPU trying to handle an event that it ignores.
+
+An reproducible case consists in having a client stop reading data from
+a server to ensure data remain in the response buffer, then the client
+sends a shutdown(write). If abortonclose is enabled on haproxy, the
+shutdown is passed to the server side and the server responds with a
+SHUTR that cannot immediately be forwarded to the client since the
+buffer is full. During this time the event is ignored and the task is
+woken again in loops.
+
+It is worth noting that the timeout handling since 1.5 is a bit fragile
+and that it might be possible that other similar conditions still exist,
+so the timeout handling should be audited regarding this issue.
+
+Many thanks to BaiYang for providing detailed information showing the
+problem in action.
+
+This bug also affects 1.5 thus the fix must be backported.
+(cherry picked from commit f25b3573d65fd2411c7537b7b0a4817b478df909)
+[Note for 1.5, it's in session.c here]
+(cherry picked from commit 44e86286159474a52dc74f80d3271504cc6f1550)
+---
+ src/session.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/src/session.c b/src/session.c
+index 7520a85..2b2ad78 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -2213,10 +2213,6 @@ struct task *process_session(struct task *t)
+ 	if (unlikely((s->req->flags & (CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CLOSE|CF_SHUTR)) ==
+ 		     (CF_AUTO_CLOSE|CF_SHUTR))) {
+ 		channel_shutw_now(s->req);
+-		if (tick_isset(s->fe->timeout.clientfin)) {
+-			s->rep->wto = s->fe->timeout.clientfin;
+-			s->rep->wex = tick_add(now_ms, s->rep->wto);
+-		}
+ 	}
+ 
+ 	/* shutdown(write) pending */
+@@ -2241,10 +2237,6 @@ struct task *process_session(struct task *t)
+ 		if (s->req->prod->flags & SI_FL_NOHALF)
+ 			s->req->prod->flags |= SI_FL_NOLINGER;
+ 		si_shutr(s->req->prod);
+-		if (tick_isset(s->fe->timeout.clientfin)) {
+-			s->rep->wto = s->fe->timeout.clientfin;
+-			s->rep->wex = tick_add(now_ms, s->rep->wto);
+-		}
+ 	}
+ 
+ 	/* it's possible that an upper layer has requested a connection setup or abort.
+@@ -2391,10 +2383,6 @@ struct task *process_session(struct task *t)
+ 	if (unlikely((s->rep->flags & (CF_SHUTW|CF_SHUTW_NOW|CF_AUTO_CLOSE|CF_SHUTR)) ==
+ 		     (CF_AUTO_CLOSE|CF_SHUTR))) {
+ 		channel_shutw_now(s->rep);
+-		if (tick_isset(s->be->timeout.serverfin)) {
+-			s->req->wto = s->be->timeout.serverfin;
+-			s->req->wex = tick_add(now_ms, s->req->wto);
+-		}
+ 	}
+ 
+ 	/* shutdown(write) pending */
+@@ -2417,10 +2405,6 @@ struct task *process_session(struct task *t)
+ 		if (s->rep->prod->flags & SI_FL_NOHALF)
+ 			s->rep->prod->flags |= SI_FL_NOLINGER;
+ 		si_shutr(s->rep->prod);
+-		if (tick_isset(s->be->timeout.serverfin)) {
+-			s->req->wto = s->be->timeout.serverfin;
+-			s->req->wex = tick_add(now_ms, s->req->wto);
+-		}
+ 	}
+ 
+ 	if (s->req->prod->state == SI_ST_DIS || s->req->cons->state == SI_ST_DIS)
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch b/net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
deleted file mode 100644
index 1cad791508..0000000000
--- a/net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c3453d53f2862b22d8c8e7d2399dfc38ec966aa4 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 9 Aug 2015 10:56:35 +0200
-Subject: [PATCH 07/13] DOC: mention that %ms is left-padded with zeroes.
-
-That's important to emit logs.
-(cherry picked from commit 812c88ec126e8fc4fc0f7853f265594d03c63956)
----
- doc/configuration.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index e8d8b2a..1d95b5b 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -12381,7 +12381,7 @@ Please refer to the table below for currently defined variables :
-   |   | %hrl | captured_request_headers CLF style            | string list |
-   |   | %hs  | captured_response_headers default style       | string      |
-   |   | %hsl | captured_response_headers CLF style           | string list |
--  |   | %ms  | accept date milliseconds                      | numeric     |
-+  |   | %ms  | accept date milliseconds (left-padded with 0) | numeric     |
-   |   | %pid | PID                                           | numeric     |
-   | H | %r   | http_request                                  | string      |
-   |   | %rc  | retries                                       | numeric     |
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-cli-changing-compression-rate-limiting-mu.patch b/net/haproxy/patches/0008-BUG-MEDIUM-cli-changing-compression-rate-limiting-mu.patch
new file mode 100644
index 0000000000..c42e6569a0
--- /dev/null
+++ b/net/haproxy/patches/0008-BUG-MEDIUM-cli-changing-compression-rate-limiting-mu.patch
@@ -0,0 +1,36 @@
+From 07ccb48add8c8cb0dd8a0f7d3f4994866d0ef32e Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 26 Nov 2015 18:32:39 +0100
+Subject: [PATCH 08/10] BUG/MEDIUM: cli: changing compression rate-limiting
+ must require admin level
+
+Right now it's possible to change the global compression rate limiting
+without the CLI being at the admin level.
+
+This fix must be backported to 1.6 and 1.5.
+(cherry picked from commit a1c2b2c4f3e65d198a0a4b25a4f655f7b307a855)
+(cherry picked from commit 9e5f1489c9f2d6926729890f249f7ebb9d3bfd43)
+---
+ src/dumpstats.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/dumpstats.c b/src/dumpstats.c
+index b4be2cd..b1bbf31 100644
+--- a/src/dumpstats.c
++++ b/src/dumpstats.c
+@@ -1695,6 +1695,12 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
+ 				if (strcmp(args[3], "global") == 0) {
+ 					int v;
+ 
++					if (s->listener->bind_conf->level < ACCESS_LVL_ADMIN) {
++						appctx->ctx.cli.msg = stats_permission_denied_msg;
++						appctx->st0 = STAT_CLI_PRINT;
++						return 1;
++					}
++
+ 					if (!*args[4]) {
+ 						appctx->ctx.cli.msg = "Expects a maximum input byte rate in kB/s.\n";
+ 						appctx->st0 = STAT_CLI_PRINT;
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch b/net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch
deleted file mode 100644
index d8d51bc48f..0000000000
--- a/net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 1104336c0ba5f474fce8fe7c0125511b59f4dd3d Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 11 Aug 2015 11:20:45 +0200
-Subject: [PATCH 08/13] CLEANUP: .gitignore: ignore more test files
-
-Exclude from "git status" many of the files that often result from
-development tests and bug reports reproducers.
-(cherry picked from commit de365a320ead43168e78facfa337130759783515)
----
- .gitignore | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/.gitignore b/.gitignore
-index 762f5ad..f6ccd0e 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -18,3 +18,30 @@ make-*
- dlmalloc.c
- 00*.patch
- *.service
-+*.bak
-+contrib/base64/base64rev
-+contrib/halog/halog
-+contrib/ip6range/ip6range
-+contrib/iprange/iprange
-+tests/test_hashes
-+/*.cfg
-+/*.conf
-+/*.diff
-+/*.patch
-+/*.c
-+/*.o
-+/*.so
-+/*.txt
-+/*.TXT
-+/*.txt.*
-+/*.prof
-+/*.gprof
-+/*.prof.*
-+/*.gprof.*
-+/*.tar
-+/*.tar.gz
-+/*.tgz
-+/*.mbox
-+/*.sh
-+/bug*
-+/TAGS
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0009-BUILD-freebsd-double-declaration.patch b/net/haproxy/patches/0009-BUILD-freebsd-double-declaration.patch
new file mode 100644
index 0000000000..bc2072c807
--- /dev/null
+++ b/net/haproxy/patches/0009-BUILD-freebsd-double-declaration.patch
@@ -0,0 +1,31 @@
+From 97ef6f99b8426ffdc97864fc8bb2d85c87cfdad0 Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER <tfournier@arpalert.org>
+Date: Tue, 3 Nov 2015 19:17:37 +0100
+Subject: [PATCH 09/10] BUILD: freebsd: double declaration
+
+On freebsd, the macro LIST_PREV already exists in the header file
+<sys/queue.h>, and this makes a build error.
+
+This patch removes the macros before declaring it. This ensure
+that the error doesn't occurs.
+(cherry picked from commit 1db96672c4cd264ebca8197bec93a5ce1b23aaa9)
+(cherry picked from commit 6cf9c6b270e57f05abf72cd61f4facb5b6980d57)
+---
+ include/common/mini-clist.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/common/mini-clist.h b/include/common/mini-clist.h
+index 3c3f001..404b6fa 100644
+--- a/include/common/mini-clist.h
++++ b/include/common/mini-clist.h
+@@ -144,6 +144,7 @@ struct cond_wordlist {
+  * which contains list head <lh>, which is known as element <el> in
+  * struct pt.
+  */
++#undef LIST_PREV
+ #define LIST_PREV(lh, pt, el) (LIST_ELEM((lh)->p, pt, el))
+ 
+ /*
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch b/net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
deleted file mode 100644
index fe43df9aaf..0000000000
--- a/net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 5e077624951a65e6aae381c7213fc54984768dd4 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 11 Aug 2015 11:21:47 +0200
-Subject: [PATCH 09/13] CLEANUP: .gitignore: finally ignore everything but what
- is known.
-
-Still too many files remain, it's easier to block everything but
-what we know.
-(cherry picked from commit d71f1766bdbb041f80394662b0d293f033f93005)
----
- .gitignore | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/.gitignore b/.gitignore
-index f6ccd0e..1953ba3 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -45,3 +45,23 @@ tests/test_hashes
- /*.sh
- /bug*
- /TAGS
-+# Below we forbid everything and only allow what we know, that's much easier
-+# than blocking about 500 different test files and bug report outputs.
-+/.*
-+/*
-+!/.gitignore
-+!/CHANGELOG
-+!/LICENSE
-+!/Makefile
-+!/README
-+!/ROADMAP
-+!/SUBVERS
-+!/VERDATE
-+!/VERSION
-+!/contrib
-+!/doc
-+!/ebtree
-+!/examples
-+!/include
-+!/src
-+!/tests
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0010-BUG-MEDIUM-sample-urlp-can-t-match-an-empty-value.patch b/net/haproxy/patches/0010-BUG-MEDIUM-sample-urlp-can-t-match-an-empty-value.patch
new file mode 100644
index 0000000000..6dbab2bdd9
--- /dev/null
+++ b/net/haproxy/patches/0010-BUG-MEDIUM-sample-urlp-can-t-match-an-empty-value.patch
@@ -0,0 +1,53 @@
+From 0f836e1361933721c5689c7943143fd6cd260148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
+Date: Thu, 26 Nov 2015 21:39:56 +0100
+Subject: [PATCH 10/10] BUG/MEDIUM: sample: urlp can't match an empty value
+
+Currently urlp fetching samples were able to find parameters with an empty
+value, but the return code depended on the value length. The final result was
+that acls using urlp couldn't match empty values.
+
+Example of acl which always returned "false":
+  acl MATCH_EMPTY urlp(foo) -m len 0
+
+The fix consists in unconditionally return 1 when the parameter is found.
+
+This fix must be backported to 1.6 and 1.5.
+(cherry picked from commit ce1ef4df0135f9dc1cb6691395eacb487015fe3e)
+(cherry picked from commit 6bd426cf35c95985712369ed528c10a5f80ad8fd)
+[ note: in 1.5 we have value+value_l instead of vstart+vend ]
+---
+ src/proto_http.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 5facfbb..3af7880 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -11050,9 +11050,11 @@ find_url_param_pos(char* query_string, size_t query_string_l,
+ }
+ 
+ /*
+- * Given a url parameter name, returns its value and size into *value and
+- * *value_l respectively, and returns non-zero. If the parameter is not found,
+- * zero is returned and value/value_l are not touched.
++ * Given a url parameter name and a query string, find the next value.
++ * An empty url_param_name matches the first available parameter.
++ * If the parameter is found, 1 is returned and *value / *value_l are updated
++ * to respectively provide a pointer to the value and its length.
++ * Otherwise, 0 is returned and value/value_l are not modified.
+  */
+ static int
+ find_url_param_value(char* path, size_t path_l,
+@@ -11082,7 +11084,7 @@ find_url_param_value(char* path, size_t path_l,
+ 
+ 	*value = value_start;
+ 	*value_l = value_end - value_start;
+-	return value_end != value_start;
++	return 1;
+ }
+ 
+ static int
+-- 
+2.4.10
+
diff --git a/net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch b/net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
deleted file mode 100644
index 2a622f5d6e..0000000000
--- a/net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From c7c1e55f09839727ba7defd37347fc500dabb202 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 11 Aug 2015 11:36:45 +0200
-Subject: [PATCH 10/13] MEDIUM: config: emit a warning on a frontend without
- listener
-
-Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind")
-completely removed the test for bind lines in frontends in order to make it
-easier for automated tools to generate configs (eg: replacing a bind with
-another one passing via a temporary config without any bind line). The
-problem is that some common mistakes are totally hidden now. For example,
-this apparently valid entry is silently ignored :
-
-       listen 1.2.3.4:8000
-           server s1 127.0.0.1:8000
-
-Hint: 1.2.3.4:8000 is mistakenly the proxy name here.
-
-Thus instead we now emit a warning to indicate that a frontend was found
-with no listener. This should be backported to 1.5 to help spot abnormal
-configurations.
-(cherry picked from commit f82d1ca2d7ec83804d6b54e61a35747ad2f85188)
----
- src/cfgparse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 2a5f178..d67edc5 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -6193,6 +6193,12 @@ int check_config_validity()
- 			break;
- 		}
- 
-+		if ((curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
-+			Warning("config : %s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
-+			        proxy_type_str(curproxy), curproxy->id);
-+			err_code |= ERR_WARN;
-+		}
-+
- 		if ((curproxy->cap & PR_CAP_BE) && (curproxy->mode != PR_MODE_HEALTH)) {
- 			if (curproxy->lbprm.algo & BE_LB_KIND) {
- 				if (curproxy->options & PR_O_TRANSP) {
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch b/net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
deleted file mode 100644
index 25734dceac..0000000000
--- a/net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From ee12145d38a7dee81a20cf232c724ccb7a46ad8b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 18 Aug 2015 17:15:20 +0200
-Subject: [PATCH 11/13] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0
- creates a missing entry
-
-During 1.5-dev20 there was some code refactoring to make the src_* fetch
-function use the same code as sc_*. Unfortunately this introduced a
-regression where src_* doesn't create an entry anymore if it does not
-exist in the table. The reason is that smp_fetch_sc_stkctr() only calls
-stktable_lookup_key() while src_inc_*/src_clr_* used to make use of
-stktable_update_key() which additionally create the entry if it does
-not exist.
-
-There's no point modifying the common function for these two exceptions,
-so instead we now have a function dedicated to the creation of this entry
-for src_* only. It is called when the entry didn't exist, so that requires
-minimal modifications to existing code.
-
-Thanks to Thierry Fournier for helping diagnose the issue.
-
-This fix must be backported to 1.5.
-(cherry picked from commit 0f4eadd4830279f5ee83aa545728fb750f5c8185)
-
-[Note: the backport to 1.5 significantly differs from the version in 1.6
- since we need to use the table's type and to retrieve the source address
- directly from the connection. At least it matches the way other src_*
- fetch functions work, and it's been verified to work fine]
----
- src/session.c | 33 +++++++++++++++++++++++++++++++++
- 1 file changed, 33 insertions(+)
-
-diff --git a/src/session.c b/src/session.c
-index 5b9e407..6d62e36 100644
---- a/src/session.c
-+++ b/src/session.c
-@@ -2806,6 +2806,33 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw)
- 	return &l4->stkctr[num];
- }
- 
-+/* same as smp_fetch_sc_stkctr() but dedicated to src_* and can create
-+ * the entry if it doesn't exist yet. This is needed for a few fetch
-+ * functions which need to create an entry, such as src_inc_gpc* and
-+ * src_clr_gpc*.
-+ */
-+struct stkctr *
-+smp_create_src_stkctr(struct session *sess, const struct arg *args, const char *kw)
-+{
-+	static struct stkctr stkctr;
-+	struct stktable_key *key;
-+	struct connection *conn = objt_conn(sess->si[0].end);
-+
-+	if (strncmp(kw, "src_", 4) != 0)
-+		return NULL;
-+
-+	if (!conn)
-+		return NULL;
-+
-+	key = addr_to_stktable_key(&conn->addr.from, args->data.prx->table.type);
-+	if (!key)
-+		return NULL;
-+
-+	stkctr.table = &args->data.prx->table;
-+	stkctr_set_entry(&stkctr, stktable_update_key(stkctr.table, key));
-+	return &stkctr;
-+}
-+
- /* set return a boolean indicating if the requested session counter is
-  * currently being tracked or not.
-  * Supports being called as "sc[0-9]_tracked" only.
-@@ -2887,6 +2914,9 @@ smp_fetch_sc_inc_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
- 	if (!stkctr)
- 		return 0;
- 
-+	if (stkctr_entry(stkctr) == NULL)
-+		stkctr = smp_create_src_stkctr(l4, args, kw);
-+
- 	smp->flags = SMP_F_VOL_TEST;
- 	smp->type = SMP_T_UINT;
- 	smp->data.uint = 0;
-@@ -2924,6 +2954,9 @@ smp_fetch_sc_clr_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
- 	if (!stkctr)
- 		return 0;
- 
-+	if (stkctr_entry(stkctr) == NULL)
-+		stkctr = smp_create_src_stkctr(l4, args, kw);
-+
- 	smp->flags = SMP_F_VOL_TEST;
- 	smp->type = SMP_T_UINT;
- 	smp->data.uint = 0;
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0012-DOC-ssl-missing-LF.patch b/net/haproxy/patches/0012-DOC-ssl-missing-LF.patch
deleted file mode 100644
index bfa2207830..0000000000
--- a/net/haproxy/patches/0012-DOC-ssl-missing-LF.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 2272b4ffde38c836adfd9a9b43ff5c019ef4190a Mon Sep 17 00:00:00 2001
-From: Thierry FOURNIER <tfournier@arpalert.org>
-Date: Wed, 26 Aug 2015 08:21:26 +0200
-Subject: [PATCH 12/13] DOC: ssl: missing LF
-
-An error message miss LF
-(cherry picked from commit bc965348d7ccc0a306504232ab85dc240fd31fbf)
----
- src/ssl_sock.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 2ae45ec..8f698c0 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -1760,7 +1760,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
- #ifndef OPENSSL_NO_SSL3
- 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
- #else
--		Alert("SSLv3 support requested but unavailable.");
-+		Alert("SSLv3 support requested but unavailable.\n");
- 		cfgerr++;
- #endif
- 	}
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch b/net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
deleted file mode 100644
index f63de1325c..0000000000
--- a/net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d3a93a932430bc1a4cd5d1350820c2bec706e26d Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Thu, 27 Aug 2015 17:15:05 +0200
-Subject: [PATCH 13/13] DOC: fix example of http-request using
- ssl_fc_session_id
-
-It was missing the ",hex" resulting in raw binary data being dumped in
-the header or the logs. Now we know where these crazy logs originated
-from!
-(cherry picked from commit fca4261dacab51db960d30120f4bb4201f7e4a51)
----
- doc/configuration.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 1d95b5b..67d273b 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -3135,7 +3135,7 @@ http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
-   Example:
-         http-request set-header X-Haproxy-Current-Date %T
-         http-request set-header X-SSL                  %[ssl_fc]
--        http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id]
-+        http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id,hex]
-         http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
-         http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
-         http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch b/net/haproxy/patches/0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
deleted file mode 100644
index 6b5154310d..0000000000
--- a/net/haproxy/patches/0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From bcd033699c5a4904967652de4980e4f35f17ee34 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Thu, 3 Sep 2015 17:15:21 +0200
-Subject: [PATCH 14/16] BUG/MINOR: http: remove stupid HTTP_METH_NONE entry
-
-When converting the "method" fetch to a string, we used to get an empty
-string if the first character was not an upper case. This was caused by
-the lookup function which returns HTTP_METH_NONE when a lookup is not
-possible, and this method being mapped to an empty string in the array.
-
-This is a totally stupid mechanism, there's no reason for having the
-result depend on the first char. In fact the message parser already
-checks that the syntax matches an HTTP token so we can only land there
-with a valid token, hence only HTTP_METH_OTHER should be returned.
-
-This fix should be backported to all actively supported branches.
-(cherry picked from commit b7ce424be2bc9df73a3b971fa9dd6daea0332bf1)
----
- include/types/proto_http.h |  1 -
- src/proto_http.c           | 11 ++++-------
- 2 files changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/include/types/proto_http.h b/include/types/proto_http.h
-index a5a5d31..dbce972 100644
---- a/include/types/proto_http.h
-+++ b/include/types/proto_http.h
-@@ -219,7 +219,6 @@ enum {
- 
- /* Known HTTP methods */
- enum http_meth_t {
--	HTTP_METH_NONE = 0,
- 	HTTP_METH_OPTIONS,
- 	HTTP_METH_GET,
- 	HTTP_METH_HEAD,
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 02dc42b..46694cb 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -361,12 +361,11 @@ const struct http_method_desc http_methods[26][3] = {
- 		[0] = {	.meth = HTTP_METH_TRACE   , .len=5, .text="TRACE"   },
- 	},
- 	/* rest is empty like this :
--	 *      [1] = {	.meth = HTTP_METH_NONE    , .len=0, .text=""        },
-+	 *      [0] = {	.meth = HTTP_METH_OTHER   , .len=0, .text=""        },
- 	 */
- };
- 
- const struct http_method_name http_known_methods[HTTP_METH_OTHER] = {
--	[HTTP_METH_NONE]    = { "",         0 },
- 	[HTTP_METH_OPTIONS] = { "OPTIONS",  7 },
- 	[HTTP_METH_GET]     = { "GET",      3 },
- 	[HTTP_METH_HEAD]    = { "HEAD",     4 },
-@@ -793,8 +792,8 @@ struct chunk *http_error_message(struct session *s, int msgnum)
- }
- 
- /*
-- * returns HTTP_METH_NONE if there is nothing valid to read (empty or non-text
-- * string), HTTP_METH_OTHER for unknown methods, or the identified method.
-+ * returns a known method among HTTP_METH_* or HTTP_METH_OTHER for all unknown
-+ * ones.
-  */
- enum http_meth_t find_http_meth(const char *str, const int len)
- {
-@@ -810,10 +809,8 @@ enum http_meth_t find_http_meth(const char *str, const int len)
- 			if (likely(memcmp(str, h->text, h->len) == 0))
- 				return h->meth;
- 		};
--		return HTTP_METH_OTHER;
- 	}
--	return HTTP_METH_NONE;
--
-+	return HTTP_METH_OTHER;
- }
- 
- /* Parse the URI from the given transaction (which is assumed to be in request
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch b/net/haproxy/patches/0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
deleted file mode 100644
index 97ac07bb1e..0000000000
--- a/net/haproxy/patches/0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3f34b5539e7ba31e44055d853b9ba496e73e0bae Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 7 Sep 2015 19:32:33 +0200
-Subject: [PATCH 15/16] BUG/MAJOR: http: don't call http_send_name_header()
- after an error
-
-A crash was reported when using the "famous" http-send-name-header
-directive. This time it's a bit tricky, it requires a certain number of
-conditions to be met including maxconn on a server, queuing, timeout in
-the queue and cookie-based persistence.
-
-The problem is that in stream.c, before calling http_send_name_header(),
-we check a number of conditions to know if we have to replace the header
-name. But prior to reaching this place, it's possible for
-sess_update_stream_int() to fail and change the stream-int's state to
-SI_ST_CLO, send an error 503 to the client, and flush all buffers. But
-http_send_name_header() can only be called with valid buffer contents
-matching the http_msg's description. So when it rewinds the stream to
-modify the header, buf->o becomes negative by the size of the incoming
-request and is used as the argument to memmove() which basically
-displaces 4GB of memory off a few bytes to write the new name, resulting
-in a core and a core file that's really not fun to play with.
-
-The solution obviously consists in refraining from calling this nasty
-function when the stream interface is already closed.
-
-This bug also affects 1.5 and possibly 1.4, so the fix must be backported
-there.
-(cherry picked from commit 9c03b33329cb4924716edc1c851913a18b0670dc)
----
- src/session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/session.c b/src/session.c
-index 6d62e36..7520a85 100644
---- a/src/session.c
-+++ b/src/session.c
-@@ -2293,7 +2293,7 @@ struct task *process_session(struct task *t)
- 
- 			/* Now we can add the server name to a header (if requested) */
- 			/* check for HTTP mode and proxy server_name_hdr_name != NULL */
--			if ((s->si[1].state >= SI_ST_CON) &&
-+			if ((s->si[1].state >= SI_ST_CON) && (s->si[1].state < SI_ST_CLO) &&
- 			    (s->be->server_id_hdr_name != NULL) &&
- 			    (s->be->mode == PR_MODE_HTTP) &&
- 			    objt_server(s->target)) {
--- 
-2.4.6
-
diff --git a/net/haproxy/patches/0016-BUG-MINOR-tools-make-str2sa_range-report-unresolvabl.patch b/net/haproxy/patches/0016-BUG-MINOR-tools-make-str2sa_range-report-unresolvabl.patch
deleted file mode 100644
index c2b6a0f743..0000000000
--- a/net/haproxy/patches/0016-BUG-MINOR-tools-make-str2sa_range-report-unresolvabl.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 36456071ea34546d98d3b66a696cd4c4c4643de5 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 8 Sep 2015 16:01:25 +0200
-Subject: [PATCH 16/16] BUG/MINOR: tools: make str2sa_range() report
- unresolvable addresses
-
-If an environment variable is used in an address, and is not set, it's
-silently considered as ":" or "0.0.0.0:0" which is not correct as it
-can hide environment issues and lead to unexpected behaviours. Let's
-report this case when it happens.
-
-This fix should be backported to 1.5.
-(cherry picked from commit 9f69f46d1f1b1d116c00b4b0483c519747f977b7)
----
- src/standard.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/standard.c b/src/standard.c
-index f57724c..9299882 100644
---- a/src/standard.c
-+++ b/src/standard.c
-@@ -709,6 +709,11 @@ struct sockaddr_storage *str2sa_range(const char *str, int *low, int *high, char
- 		goto out;
- 	}
- 
-+	if (!*str2) {
-+		memprintf(err, "'%s' resolves to an empty address (environment variable missing?)\n", str);
-+		goto out;
-+	}
-+
- 	memset(&ss, 0, sizeof(ss));
- 
- 	if (strncmp(str2, "unix@", 5) == 0) {
--- 
-2.4.6
-
-- 
2.30.2