Ubuntu
haproxy package

Merge ~athos/ubuntu/+source/haproxy:MRE-jammy into ubuntu/+source/haproxy:ubuntu/jammy-devel

Git
lp:~athos/ubuntu/+source/haproxy
MRE-jammy
Merge into ubuntu/jammy-devel

Proposed by Athos Ribeiro on 2023-11-01

Status:

Merged

Approved by:

git-ubuntu bot on 2023-11-22

Approved revision:

not available

Merged at revision:

24ffc1bf80a0965a8d9c202af143f28eb6dc7821

Proposed branch:

~athos/ubuntu/+source/haproxy:MRE-jammy

Merge into:

ubuntu/+source/haproxy:ubuntu/jammy-devel

Diff against target:

5461 lines (+1673/-653)

92 files modified

.cirrus.yml (+1/-1)
.github/matrix.py (+3/-1)
.github/workflows/cross-zoo.yml (+1/-1)
.github/workflows/vtest.yml (+1/-0)
.gitignore (+1/-0)
CHANGELOG (+149/-0)
Makefile (+1/-1)
SUBVERS (+1/-1)
VERDATE (+2/-2)
VERSION (+1/-1)
debian/changelog (+19/-0)
debian/patches/series (+0/-2)
dev/hpack/decode.c (+1/-1)
dev/null (+0/-143)
doc/configuration.txt (+172/-95)
doc/design-thoughts/config-language.txt (+2/-2)
doc/internals/http-parsing.txt (+2/-2)
doc/management.txt (+1/-1)
include/haproxy/connection.h (+11/-1)
include/haproxy/h2.h (+1/-1)
include/haproxy/hlua.h (+1/-0)
include/haproxy/http.h (+19/-0)
include/haproxy/http_ana-t.h (+1/-1)
include/haproxy/http_rules.h (+1/-0)
include/haproxy/listener-t.h (+5/-0)
include/haproxy/listener.h (+27/-11)
include/haproxy/proxy-t.h (+1/-0)
include/haproxy/server.h (+1/-0)
include/haproxy/sink.h (+5/-3)
include/haproxy/spoe-t.h (+1/-0)
include/haproxy/stick_table.h (+1/-1)
include/haproxy/time.h (+2/-1)
include/import/ist.h (+47/-0)
reg-tests/cache/caching_rules.vtc (+96/-0)
reg-tests/http-messaging/h1_to_h1.vtc (+26/-0)
reg-tests/http-messaging/h2_to_h1.vtc (+60/-0)
reg-tests/http-rules/h1or2_to_h1c.vtc (+12/-4)
reg-tests/http-rules/normalize_uri.vtc (+13/-0)
reg-tests/log/log_uri.vtc (+1/-1)
scripts/build-ssl.sh (+1/-1)
scripts/publish-release (+3/-0)
src/backend.c (+0/-2)
src/cache.c (+10/-6)
src/cfgparse-tcp.c (+1/-0)
src/cfgparse.c (+7/-3)
src/channel.c (+1/-1)
src/check.c (+10/-1)
src/chunk.c (+7/-3)
src/debug.c (+24/-3)
src/dns.c (+24/-12)
src/filters.c (+2/-3)
src/flt_spoe.c (+21/-9)
src/h1.c (+36/-7)
src/h1_htx.c (+1/-1)
src/h2.c (+41/-8)
src/haproxy.c (+30/-1)
src/hlua.c (+166/-50)
src/http.c (+1/-1)
src/http_ana.c (+30/-5)
src/http_rules.c (+47/-11)
src/listener.c (+139/-53)
src/log.c (+20/-9)
src/mjson.c (+2/-2)
src/mux_fcgi.c (+1/-1)
src/mux_h1.c (+8/-2)
src/mux_h2.c (+10/-4)
src/mworker.c (+39/-11)
src/namespace.c (+1/-0)
src/proto_uxdg.c (+15/-7)
src/proto_uxst.c (+15/-7)
src/protocol.c (+9/-7)
src/proxy.c (+42/-19)
src/resolvers.c (+5/-2)
src/ring.c (+0/-1)
src/sample.c (+3/-3)
src/server.c (+30/-57)
src/server_state.c (+1/-1)
src/sink.c (+30/-20)
src/sock_inet.c (+18/-0)
src/sock_unix.c (+39/-2)
src/ssl_crtlist.c (+9/-0)
src/ssl_sock.c (+2/-2)
src/stick_table.c (+10/-7)
src/stream_interface.c (+16/-0)
src/task.c (+21/-5)
src/tcp_rules.c (+2/-2)
src/tcp_sample.c (+2/-2)
src/tcpcheck.c (+10/-4)
src/thread.c (+4/-2)
src/time.c (+3/-1)
src/tools.c (+13/-13)
src/trace.c (+1/-1)

Undecided

Invalid

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2023-11-22
Sergio Durigan Junior (community)	2023-11-01	Approve on 2023-11-22
Canonical Server Reporter	2023-11-01	Pending
Review via email: mp+454921@code.launchpad.net

Description of the change

HAProxy MRE introducing the newest point release version for jammy.

All relevant information is available at the MRE bug in LP: #2028418.

PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/haproxy-mre/+packages

DEP8 test results:

  - haproxy/2.4.24-0ubuntu0.22.04.1
    + ✅ haproxy on jammy for amd64 @ 31.10.23 23:06:26 Log️ 🗒️
    + ✅ haproxy on jammy for arm64 @ 31.10.23 23:28:44 Log️ 🗒️
    + ✅ haproxy on jammy for armhf @ 31.10.23 22:56:34 Log️ 🗒️
    + ✅ haproxy on jammy for ppc64el @ 31.10.23 23:00:08 Log️ 🗒️
    + ✅ haproxy on jammy for s390x @ 31.10.23 22:55:01 Log️ 🗒️

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2023-11-22:

Thanks, Athos.

This LGTM. Verified that the package builds, dep8 tests are passing, and I'm satisfied with the results from Microsoft Github's actions, including the "Spec Compliance" test:

https://github.com/athos-ribeiro/haproxy-2.4/actions/runs/6962364281

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2023-11-22:

Approvers: athos-ribeiro, sergiodj
Uploaders: athos-ribeiro, sergiodj
MP auto-approved

review: Approve

Revision history for this message

Athos Ribeiro (athos) wrote on 2023-11-22:

Thanks, Sergio!

Uploaded!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Athos Ribeiro

git-ubuntu developers

 diff --git a/.cirrus.yml b/.cirrus.yml
 index deace96..f762e0a 100644
 --- a/.cirrus.yml
 +++ b/.cirrus.yml
@@ -1,7 +1,7 @@
  FreeBSD_task:
    freebsd_instance:
      matrix:
--      image_family: freebsd-13-1
++      image_family: freebsd-13-2
    only_if: $CIRRUS_BRANCH =~ 'master|next'
    install_script:
      - pkg update -f && pkg upgrade -y && pkg install -y openssl git gmake lua53 socat pcre
 diff --git a/.github/matrix.py b/.github/matrix.py
 index abd6caf..e03358b 100644
 --- a/.github/matrix.py
 +++ b/.github/matrix.py
@@ -44,7 +44,9 @@ def determine_latest_openssl(ssl):
      return "OPENSSL_VERSION={}".format(latest_tag[8:])
  def determine_latest_libressl(ssl):
--    libressl_download_list = urllib.request.urlopen("http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/")
++    libressl_download_list = urllib.request.urlopen(
++        "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/"
++    )
      for line in libressl_download_list.readlines():
          decoded_line = line.decode("utf-8")
          if "libressl-" in decoded_line and ".tar.gz.asc" in decoded_line:
 diff --git a/.github/workflows/cross-zoo.yml b/.github/workflows/cross-zoo.yml
 index e2a5816..f2c8d7a 100644
 --- a/.github/workflows/cross-zoo.yml
 +++ b/.github/workflows/cross-zoo.yml
@@ -97,7 +97,7 @@ jobs:
          sudo apt-get -yq --force-yes install \
              gcc-${{ matrix.platform.arch }} \
              ${{ matrix.platform.libs }}
--    - uses: actions/checkout@v2
++    - uses: actions/checkout@v3
      - name: install quictls
 diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
 index 781a2b3..0fdaca8 100644
 --- a/.github/workflows/vtest.yml
 +++ b/.github/workflows/vtest.yml
@@ -166,3 +166,4 @@ jobs:
            sudo cat $asan
            echo "::endgroup::"
          done
++        exit 1
 diff --git a/.gitignore b/.gitignore
 index ec9dd62..62a92d1 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -38,6 +38,7 @@
  *.rej
  *.orig
  *.bak
++*.sw[op]
  # And reject some specific files
  /admin/halog/halog
  /admin/dyncookie/dyncookie
 diff --git a/CHANGELOG b/CHANGELOG
 index d59309f..29e701e 100644
 --- a/CHANGELOG
 +++ b/CHANGELOG
@@ -1,6 +1,155 @@
  ChangeLog :
  ===========
++2023/08/19 : 2.4.24
++    - MINOR: proto_uxst: add resume method
++    - CLEANUP: listener: function comment typo in stop_listener()
++    - BUG/MINOR: listener: null pointer dereference suspected by coverity
++    - MINOR: listener/api: add lli hint to listener functions
++    - MINOR: listener: add relax_listener() function
++    - MINOR: listener: workaround for closing a tiny race between resume_listener() and stopping
++    - MINOR: listener: make sure we don't pause/resume bypassed listeners
++    - BUG/MEDIUM: listener: fix pause_listener() suspend return value handling
++    - BUG/MINOR: listener: fix resume_listener() resume return value handling
++    - BUG/MEDIUM: resume from LI_ASSIGNED in default_resume_listener()
++    - MINOR: listener: pause_listener() becomes suspend_listener()
++    - BUG/MEDIUM: listener/proxy: fix listeners notify for proxy resume
++    - MEDIUM: proto_ux: properly suspend named UNIX listeners
++    - MINOR: proto_ux: ability to dump ABNS names in error messages
++    - MINOR: lua: Add a function to get a reference on a table in the stack
++    - CLEANUP: Remove unused function hlua_get_top_error_string
++    - MINOR: hlua: add simple hlua reference handling API
++    - BUG/MINOR: hlua: fix reference leak in core.register_task()
++    - BUG/MINOR: hlua: fix reference leak in hlua_post_init_state()
++    - MINOR: hlua: simplify lua locking
++    - BUG/MEDIUM: hlua: prevent deadlocks with main lua lock
++    - BUG/MINOR: server: inherit from netns in srv_settings_cpy()
++    - BUG/MINOR: namespace: missing free in netns_sig_stop()
++    - BUG/MEDIUM: mworker: increase maxsock with each new worker
++    - DOC: Add tune.h2.max-frame-size option to table of contents
++    - BUILD: debug: avoid a build warning related to epoll_wait() in debug code
++    - BUG/MINOR: tcp_sample: bc_{dst,src} return IP not INT
++    - BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overriden by a s-maxage
++    - BUG/MEDIUM: sink: invalid server list in sink_new_from_logsrv()
++    - BUG/MINOR: sink: missing sft free in sink_deinit()
++    - BUG/MINOR: ring: size warning incorrectly reported as fatal error
++    - BUG/MINOR: ring: maxlen warning reported as alert
++    - BUG/MINOR: log: LF upsets maxlen for UDP targets
++    - MINOR: sink/api: pass explicit maxlen parameter to sink_write()
++    - BUG/MEDIUM: log: improper use of logsrv->maxlen for buffer targets
++    - BUG/MINOR: log: fix missing name error message in cfg_parse_log_forward()
++    - BUG/MINOR: log: fix multiple error paths in cfg_parse_log_forward()
++    - BUG/MINOR: log: free errmsg on error in cfg_parse_log_forward()
++    - BUG/MINOR: sink: invalid sft free in sink_deinit()
++    - BUG/MINOR: sink: fix errors handling in cfg_post_parse_ring()
++    - BUG/MINOR: sink/log: properly deinit srv in sink_new_from_logsrv()
++    - BUG/MINOR: config: Remove final '\n' in error messages
++    - BUG/MINOR: hlua: hlua_yieldk ctx argument should support pointers
++    - BUG/MINOR: sample: Fix wrong overflow detection in add/sub conveters
++    - BUG/MINOR: http: Return the right reason for 302
++    - CI: explicitely highlight VTest result section if there's something
++    - BUG/MINOR: hlua: add check for lua_newstate
++    - BUG/MINOR: h1-htx: Return the right reason for 302 FCGI responses
++    - BUG/MEDIUM: listener: Acquire proxy's lock in relax_listener() if necessary
++    - DOC: configuration: describe Td in Timing events
++    - BUG/MINOR: chunk: fix chunk_appendf() to not write a zero if buffer is full
++    - BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value replacement
++    - BUG/MAJOR: http: reject any empty content-length header value
++    - MINOR: ist: add new function ist_find_range() to find a character range
++    - MINOR: http: add new function http_path_has_forbidden_char()
++    - MINOR: h2: pass accept-invalid-http-request down the request parser
++    - REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
++    - BUG/MINOR: h1: do not accept '#' as part of the URI component
++    - BUG/MINOR: h2: reject more chars from the :path pseudo header
++    - REGTESTS: http-rules: verify that we block '#' by default for normalize-uri
++    - DOC: clarify the handling of URL fragments in requests
++    - BUG/MINOR: http: skip leading zeroes in content-length values
++
++2023/06/09 : 2.4.23
++    - DEV: hpack: fix `trash` build regression
++    - BUG/MINOR: ssl: ssl-(min|max)-ver parameter not duplicated for bundles in crt-list
++    - BUG/MINOR: mworker: stop doing strtok directly from the env
++    - BUG/MEDIUM: mworker: don't register mworker_accept_wrapper() when master FD is wrong
++    - MINOR: startup: HAPROXY_STARTUP_VERSION contains the version used to start
++    - BUG/MINOR: sched: properly report long_rq when tasks remain in the queue
++    - BUG/MEDIUM: sched: allow a bit more TASK_HEAVY to be processed when needed
++    - BUG/MINOR: mworker: prevent incorrect values in uptime
++    - BUG/MINOR: cache: Cache response even if request has "no-cache" directive
++    - BUG/MINOR: cache: Check cache entry is complete in case of Vary
++    - BUG/MINOR: ring: do not realign ring contents on resize
++    - DOC: config: Fix description of options about HTTP connection modes
++    - DOC: config: Add the missing tune.fail-alloc option from global listing
++    - DOC: config: Clarify the meaning of 'hold' in the 'resolvers' section
++    - BUG/MINOR: http-check: Don't set HTX_SL_F_BODYLESS flag with a log-format body
++    - BUG/MINOR: http-check: Skip C-L header for empty body when it's not mandatory
++    - BUG/MINOR: http-ana: Do a L7 retry on read error if there is no response
++    - BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback
++    - BUG/MINOR: init: properly detect NUMA bindings on large systems
++    - BUG/MINOR: init: make sure to always limit the total number of threads
++    - DOC/CLEANUP: fix typos
++    - BUG/MINOR: mux-h2: make sure the h2c task exists before refreshing it
++    - BUG/MEDIUM: listener: duplicate inherited FDs if needed
++    - BUG/MEDIUM: spoe: Don't set the default traget for the SPOE agent frontend
++    - BUG/MINOR: proto_ux: report correct error when bind_listener fails
++    - BUG/MINOR: protocol: fix minor memory leak in protocol_bind_all()
++    - BUG/MINOR: sock_unix: match finalname with tempname in sock_unix_addrcmp()
++    - BUG/MEDIUM: connection: Clear flags when a conn is removed from an idle list
++    - BUG/MEDIUM: connection: Preserve flags when a conn is removed from an idle list
++    - BUG/MEDIUM: mux-h2: erase h2c->wait_event.tasklet on error path
++    - BUG/MEDIUM: mux-h1: Wakeup H1C on shutw if there is no I/O subscription
++    - BUILD: da: extends CFLAGS to support API v3 from 3.1.7 and onwards.
++    - MINOR: proxy/pool: prevent unnecessary calls to pool_gc()
++    - DOC: config: strict-sni allows to start without certificate
++    - BUG/MEDIUM: channel: Improve reports for shut in co_getblk()
++    - BUG/MEDIUM: dns: Properly handle error when a response consumed
++    - MINOR: proxy: check if p is NULL in free_proxy()
++    - BUG/MINOR: sink: free forward_px on deinit()
++    - BUG/MINOR: log: free log forward proxies on deinit()
++    - BUG/MINOR: hlua: enforce proper running context for register_x functions
++    - CLEANUP: hlua: fix conflicting comment in hlua_ctx_destroy()
++    - BUG/MEDIUM: resolvers: Force the connect timeout for DNS resolutions
++    - BUG/MINOR: stick_table: alert when type len has incorrect characters
++    - CI: bump "actions/checkout" to v3 for cross zoo matrix
++    - REGTESTS: fix the race conditions in log_uri.vtc
++    - BUG/MEDIUM: log: Properly handle client aborts in syslog applet
++    - CLEANUP: backend: Remove useless debug message in assign_server()
++    - BUG/MINOR: cfgparse: make sure to include openssl-compat
++    - BUG/MEDIUM: proxy/sktable: prevent watchdog trigger on soft-stop
++    - BUG/MEDIUM: Update read expiration date on synchronous send
++    - BUG/MINOR: mux-h2: make sure to produce a log on invalid requests
++    - MINOR: checks: make sure spread-checks is used also at boot time
++    - MINOR: clock: measure the total boot time
++    - BUG/MINOR: checks: postpone the startup of health checks by the boot time
++    - BUG/MINOR: clock: fix the boot time measurement method for 2.6 and older
++    - BUG/MINOR: tcp-rules: Don't shortened the inspect-delay when EOI is set
++    - DOC: config: Clarify conditions to shorten the inspect-delay for TCP rules
++    - DOC: add size format section to manual
++    - DOC/MINOR: config: Fix typo in description for `ssl_bc` in configuration.txt
++    - BUG/MINOR: hlua: unsafe hlua_lua2smp() usage
++    - SCRIPTS: publish-release: update the umask to keep group write access
++    - BUG/MINOR: log: fix memory error handling in parse_logsrv()
++    - BUG/MINOR: proxy: missing free in free_proxy for redirect rules
++    - MINOR: spoe: Don't stop disabled proxies
++    - BUILD: mjson: Fix warning about unused variables
++    - BUG/MINOR: debug: do not emit empty lines in thread dumps
++    - BUG/MEDIUM: spoe: Don't start new applet if there are enough idle ones
++    - CI: switch to Fastly CDN to download LibreSSL
++    - BUILD: ssl: switch LibreSSL to Fastly CDN
++    - BUG/MINOR: server: incorrect report for tracking servers leaving drain
++    - MINOR: server: explicitly commit state change in srv_update_status()
++    - BUG/MINOR: server: don't miss proxy stats update on server state transitions
++    - BUG/MINOR: server: don't miss server stats update on server state transitions
++    - BUG/MINOR: server: don't use date when restoring last_change from state file
++    - CI: cirrus-ci: bump FreeBSD image to 13-1
++    - BUG/MEDIUM: filters: Don't deinit filters for disabled proxies during startup
++    - MINOR: proxy: add http_free_redirect_rule() function
++    - BUG/MINOR: http_rules: fix errors paths in http_parse_redirect_rule()
++    - DOC: config: Fix bind/server/peer documentation in the peers section
++    - CONTRIB: Add vi file extensions to .gitignore
++    - BUG/MINOR: spoe: Only skip sending new frame after a receive attempt
++    - BUG/MINOR: cfgparse-tcp: leak when re-declaring interface from bind line
++    - BUG/MINOR: proxy: add missing interface bind free in free_proxy
++
 /02/14 : 2.4.22
      - BUG/MINOR: fcgi-app: prevent 'use-fcgi-app' in default section
      - BUG/MEDIUM: ssl: wrong eviction from the session cache tree
 diff --git a/Makefile b/Makefile
 index 40c2b10..05067bc 100644
 --- a/Makefile
 +++ b/Makefile
@@ -675,7 +675,7 @@ OPTIONS_OBJS	+= $(DEVICEATLAS_LIB)/json.o
  OPTIONS_OBJS	+= $(DEVICEATLAS_LIB)/dac.o
  endif
  OPTIONS_OBJS	+= addons/deviceatlas/da.o
--OPTIONS_CFLAGS += $(if $(DEVICEATLAS_INC),-I$(DEVICEATLAS_INC))
++OPTIONS_CFLAGS += $(if $(DEVICEATLAS_INC),-I$(DEVICEATLAS_INC)) $(if $(DEVICEATLAS_SRC),-DDATLAS_DA_NOCACHE)
  endif
  ifneq ($(USE_51DEGREES),)
 diff --git a/SUBVERS b/SUBVERS
 index f042fd0..4c00e4a 100644
 --- a/SUBVERS
 +++ b/SUBVERS
@@ -1,2 +1,2 @@
---f8e3218
++-d175670
 diff --git a/VERDATE b/VERDATE
 index d8a3372..ea4dc97 100644
 --- a/VERDATE
 +++ b/VERDATE
@@ -1,2 +1,2 @@
--2023-02-14 16:57:13 +0100
--2023/02/14
++2023-08-19 11:25:53 +0200
++2023/08/19
 diff --git a/VERSION b/VERSION
 index 76cb51e..0cb980f 100644
 --- a/VERSION
 +++ b/VERSION
@@ -1 +1 @@
--2.4.22
++2.4.24
 diff --git a/debian/changelog b/debian/changelog
 index 907c44c..68e9c7d 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,22 @@
++haproxy (2.4.24-0ubuntu0.22.04.1) jammy; urgency=medium
++
++  * New upstream release (LP: #2028418)
++    - Major and critical bug fixes according to the upstream changelog:
++      + BUG/MAJOR: http-ana: Get a fresh trash buffer for each header value
++        replacement
++      + BUG/MAJOR: http: reject any empty content-length header value
++    - For further information, refer to the upstream changelog at
++      https://www.haproxy.org/download/2.4/src/CHANGELOG and to the upstream
++      release announcements at
++      https://www.mail-archive.com/haproxy@formilux.org/msg43664.html
++      (2.4.23), and
++      https://www.mail-archive.com/haproxy@formilux.org/msg43901.html (2.4.24)
++    - Remove patches applied by upstream in debian/patches:
++      + CVE-2023-40225-1.patch
++      + CVE-2023-40225-2.patch
++
++ -- Athos Ribeiro <athos.ribeiro@canonical.com>  Tue, 31 Oct 2023 11:16:29 -0300
++
  haproxy (2.4.22-0ubuntu0.22.04.2) jammy-security; urgency=medium
    * SECURITY UPDATE: incorrect handling of empty content-length header
 diff --git a/debian/patches/CVE-2023-40225-1.patch b/debian/patches/CVE-2023-40225-1.patch
 deleted file mode 100644
 index a4b918d..0000000
 --- a/debian/patches/CVE-2023-40225-1.patch
 +++ /dev/null
@@ -1,265 +0,0 @@
--From ba9afd2774c03e434165475b537d0462801f49bb Mon Sep 17 00:00:00 2001
--From: Willy Tarreau <w@1wt.eu>
--Date: Wed, 9 Aug 2023 08:32:48 +0200
--Subject: [PATCH] BUG/MAJOR: http: reject any empty content-length header
-- value
--
--The content-length header parser has its dedicated function, in order
--to take extreme care about invalid, unparsable, or conflicting values.
--But there's a corner case in it, by which it stops comparing values
--when reaching the end of the header. This has for a side effect that
--an empty value or a value that ends with a comma does not deserve
--further analysis, and it acts as if the header was absent.
--
--While this is not necessarily a problem for the value ending with a
--comma as it will be cause a header folding and will disappear, it is a
--problem for the first isolated empty header because this one will not
--be recontructed when next ones are seen, and will be passed as-is to the
--backend server. A vulnerable HTTP/1 server hosted behind haproxy that
--would just use this first value as "0" and ignore the valid one would
--then not be protected by haproxy and could be attacked this way, taking
--the payload for an extra request.
--
--In field the risk depends on the server. Most commonly used servers
--already have safe content-length parsers, but users relying on haproxy
--to protect a known-vulnerable server might be at risk (and the risk of
--a bug even in a reputable server should never be dismissed).
--
--A configuration-based work-around consists in adding the following rule
--in the frontend, to explicitly reject requests featuring an empty
--content-length header that would have not be folded into an existing
--one:
--
--    http-request deny if { hdr_len(content-length) 0 }
--
--The real fix consists in adjusting the parser so that it always expects a
--value at the beginning of the header or after a comma. It will now reject
--requests and responses having empty values anywhere in the C-L header.
--
--This needs to be backported to all supported versions. Note that the
--modification was made to functions h1_parse_cont_len_header() and
--http_parse_cont_len_header(). Prior to 2.8 the latter was in
--h2_parse_cont_len_header(). One day the two should be refused but the
--former is also used by Lua.
--
--The HTTP messaging reg-tests were completed to test these cases.
--
--Thanks to Ben Kallus of Dartmouth College and Narf Industries for
--reporting this! (this is in GH #2237).
--
--(cherry picked from commit 6492f1f29d738457ea9f382aca54537f35f9d856)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit a32f99f6f991d123ea3e307bf8aa63220836d365)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit 65921ee12d88e9fb1fa9f6cd8198fd64b3a3f37f)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit d17c50010d591d1c070e1cb0567a06032d8869e9)
--[wt: applied to h2_parse_cont_len_header() in src/h2.c instead]
--Signed-off-by: Willy Tarreau <w@1wt.eu>
-----
-- reg-tests/http-messaging/h1_to_h1.vtc |   26 ++++++++++++++
-- reg-tests/http-messaging/h2_to_h1.vtc |   60 +++++++++++++++++++++++++++++++++
-- src/h1.c                              |   20 +++++++++--
-- src/h2.c                              |   20 +++++++++--
-- 4 files changed, 120 insertions(+), 6 deletions(-)
--
----- haproxy-2.4.22.orig/reg-tests/http-messaging/h1_to_h1.vtc
--+++ haproxy-2.4.22/reg-tests/http-messaging/h1_to_h1.vtc
--@@ -275,3 +275,29 @@ client c3h1 -connect ${h1_feh1_sock} {
-- 	# arrive here.
-- 	expect_close
-- } -run
--+
--+client c4h1 -connect ${h1_feh1_sock} {
--+	# this request is invalid and advertises an invalid C-L ending with an
--+        # empty value, which results in a stream error.
--+	txreq \
--+	  -req "GET" \
--+	  -url "/test31.html" \
--+          -hdr "content-length: 0," \
--+          -hdr "connection: close"
--+	rxresp
--+	expect resp.status == 400
--+	expect_close
--+} -run
--+
--+client c5h1 -connect ${h1_feh1_sock} {
--+	# this request is invalid and advertises an empty C-L, which results
--+	# in a stream error.
--+	txreq \
--+	  -req "GET" \
--+	  -url "/test41.html" \
--+          -hdr "content-length:" \
--+          -hdr "connection: close"
--+	rxresp
--+	expect resp.status == 400
--+	expect_close
--+} -run
----- haproxy-2.4.22.orig/reg-tests/http-messaging/h2_to_h1.vtc
--+++ haproxy-2.4.22/reg-tests/http-messaging/h2_to_h1.vtc
--@@ -10,6 +10,8 @@ barrier b1 cond 2 -cyclic
-- barrier b2 cond 2 -cyclic
-- barrier b3 cond 2 -cyclic
-- barrier b4 cond 2 -cyclic
--+barrier b5 cond 2 -cyclic
--+barrier b6 cond 2 -cyclic
--
-- server s1 {
-- 	rxreq
--@@ -31,6 +33,12 @@ server s1 {
--
-- 	barrier b4 sync
-- 	# the next request is never received
--+
--+	barrier b5 sync
--+	# the next request is never received
--+
--+	barrier b6 sync
--+	# the next request is never received
-- } -repeat 2 -start
--
-- haproxy h1 -conf {
--@@ -121,6 +129,32 @@ client c1h2 -connect ${h1_feh2_sock} {
-- 		txdata -data "this is sent and ignored"
-- 		rxrst
-- 	} -run
--+
--+	# fifth request is invalid and advertises an invalid C-L ending with an
--+        # empty value, which results in a stream error.
--+	stream 9 {
--+		barrier b5 sync
--+		txreq \
--+		  -req "GET" \
--+		  -scheme "https" \
--+		  -url "/test5.html" \
--+		  -hdr "content-length" "0," \
--+		  -nostrend
--+		rxrst
--+	} -run
--+
--+	# sixth request is invalid and advertises an empty C-L, which results
--+	# in a stream error.
--+	stream 11 {
--+		barrier b6 sync
--+		txreq \
--+		  -req "GET" \
--+		  -scheme "https" \
--+		  -url "/test6.html" \
--+		  -hdr "content-length" "" \
--+		  -nostrend
--+		rxrst
--+	} -run
-- } -run
--
-- # HEAD requests : don't work well yet
--@@ -263,4 +297,30 @@ client c3h2 -connect ${h1_feh2_sock} {
-- 		txdata -data "this is sent and ignored"
-- 		rxrst
-- 	} -run
--+
--+	# fifth request is invalid and advertises invalid C-L ending with an
--+        # empty value, which results in a stream error.
--+	stream 9 {
--+		barrier b5 sync
--+		txreq \
--+		  -req "POST" \
--+		  -scheme "https" \
--+		  -url "/test25.html" \
--+		  -hdr "content-length" "0," \
--+		  -nostrend
--+		rxrst
--+	} -run
--+
--+	# sixth request is invalid and advertises an empty C-L, which results
--+	# in a stream error.
--+	stream 11 {
--+		barrier b6 sync
--+		txreq \
--+		  -req "POST" \
--+		  -scheme "https" \
--+		  -url "/test26.html" \
--+		  -hdr "content-length" "" \
--+		  -nostrend
--+		rxrst
--+	} -run
-- } -run
----- haproxy-2.4.22.orig/src/h1.c
--+++ haproxy-2.4.22/src/h1.c
--@@ -34,13 +34,20 @@ int h1_parse_cont_len_header(struct h1m
-- 	int not_first = !!(h1m->flags & H1_MF_CLEN);
-- 	struct ist word;
--
---	word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
--+	word.ptr = value->ptr;
-- 	e = value->ptr + value->len;
--
---	while (++word.ptr < e) {
--+	while (1) {
--+		if (word.ptr >= e) {
--+			/* empty header or empty value */
--+			goto fail;
--+		}
--+
-- 		/* skip leading delimiter and blanks */
---		if (unlikely(HTTP_IS_LWS(*word.ptr)))
--+		if (unlikely(HTTP_IS_LWS(*word.ptr))) {
--+			word.ptr++;
-- 			continue;
--+		}
--
-- 		/* digits only now */
-- 		for (cl = 0, n = word.ptr; n < e; n++) {
--@@ -79,6 +86,13 @@ int h1_parse_cont_len_header(struct h1m
-- 		h1m->flags |= H1_MF_CLEN;
-- 		h1m->curr_len = h1m->body_len = cl;
-- 		*value = word;
--+
--+		/* Now either n==e and we're done, or n points to the comma,
--+		 * and we skip it and continue.
--+		 */
--+		if (n++ == e)
--+			break;
--+
-- 		word.ptr = n;
-- 	}
-- 	/* here we've reached the end with a single value or a series of
----- haproxy-2.4.22.orig/src/h2.c
--+++ haproxy-2.4.22/src/h2.c
--@@ -80,13 +80,20 @@ int h2_parse_cont_len_header(unsigned in
-- 	int not_first = !!(*msgf & H2_MSGF_BODY_CL);
-- 	struct ist word;
--
---	word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
--+	word.ptr = value->ptr;
-- 	e = value->ptr + value->len;
--
---	while (++word.ptr < e) {
--+	while (1) {
--+		if (word.ptr >= e) {
--+			/* empty header or empty value */
--+			goto fail;
--+		}
--+
-- 		/* skip leading delimiter and blanks */
---		if (unlikely(HTTP_IS_LWS(*word.ptr)))
--+		if (unlikely(HTTP_IS_LWS(*word.ptr))) {
--+			word.ptr++;
-- 			continue;
--+		}
--
-- 		/* digits only now */
-- 		for (cl = 0, n = word.ptr; n < e; n++) {
--@@ -125,6 +132,13 @@ int h2_parse_cont_len_header(unsigned in
-- 		*msgf |= H2_MSGF_BODY_CL;
-- 		*body_len = cl;
-- 		*value = word;
--+
--+		/* Now either n==e and we're done, or n points to the comma,
--+		 * and we skip it and continue.
--+		 */
--+		if (n++ == e)
--+			break;
--+
-- 		word.ptr = n;
-- 	}
-- 	/* here we've reached the end with a single value or a series of
 diff --git a/debian/patches/CVE-2023-40225-2.patch b/debian/patches/CVE-2023-40225-2.patch
 deleted file mode 100644
 index 3e92c0d..0000000
 --- a/debian/patches/CVE-2023-40225-2.patch
 +++ /dev/null
@@ -1,143 +0,0 @@
--From c48acd15011dc6c66977bc088065693f430821df Mon Sep 17 00:00:00 2001
--From: Willy Tarreau <w@1wt.eu>
--Date: Wed, 9 Aug 2023 11:02:34 +0200
--Subject: [PATCH] BUG/MINOR: http: skip leading zeroes in content-length
-- values
--
--Ben Kallus also noticed that we preserve leading zeroes on content-length
--values. While this is totally valid, it would be safer to at least trim
--them before passing the value, because a bogus server written to parse
--using "strtol(value, NULL, 0)" could inadvertently take a leading zero
--as a prefix for an octal value. While there is not much that can be done
--to protect such servers in general (e.g. lack of check for overflows etc),
--at least it's quite cheap to make sure the transmitted value is normalized
--and not taken for an octal one.
--
--This is not really a bug, rather a missed opportunity to sanitize the
--input, but is marked as a bug so that we don't forget to backport it to
--stable branches.
--
--A combined regtest was added to h1or2_to_h1c which already validates
--end-to-end syntax consistency on aggregate headers.
--
--(cherry picked from commit 22731762d9fe2c98d9e6c3942b1568266b23c69f)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit c33738c7d4ed50e1758dbedd39dfe5bd929a5076)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit 84462c9390c3efe95b748bb9fc3bd2edc3decd2f)
--Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
--(cherry picked from commit e2e464018fda41758bd42d3bcd6ac623c88a110e)
--[wt: applied the http.c to h2.c]
--Signed-off-by: Willy Tarreau <w@1wt.eu>
-----
-- reg-tests/http-rules/h1or2_to_h1c.vtc |   16 ++++++++++++----
-- src/h1.c                              |    8 ++++++++
-- src/h2.c                              |    8 ++++++++
-- 3 files changed, 28 insertions(+), 4 deletions(-)
--
----- haproxy-2.4.22.orig/reg-tests/http-rules/h1or2_to_h1c.vtc
--+++ haproxy-2.4.22/reg-tests/http-rules/h1or2_to_h1c.vtc
--@@ -27,11 +27,11 @@ server s1 {
-- 	  -body "This is a body"
--
-- 	expect req.method == "GET"
---	expect req.http.fe-sl1-crc == 992395575
---	expect req.http.fe-sl2-crc == 1270056220
--+	expect req.http.fe-sl1-crc == 1874847043
--+	expect req.http.fe-sl2-crc == 1142278307
-- 	expect req.http.fe-hdr-crc == 1719311923
---	expect req.http.be-sl1-crc == 2604236007
---	expect req.http.be-sl2-crc == 4181358964
--+	expect req.http.be-sl1-crc == 3455320059
--+	expect req.http.be-sl2-crc == 2509326257
-- 	expect req.http.be-hdr-crc == 3634102538
-- } -repeat 2 -start
--
--@@ -53,6 +53,7 @@ haproxy h1 -conf {
-- 	http-request set-var(req.path)       path
-- 	http-request set-var(req.query)      query
-- 	http-request set-var(req.param)      url_param(qs_arg)
--+	http-request set-var(req.cl)         req.fhdr(content-length)
--
-- 	http-request set-header     sl1      "sl1: "
--
--@@ -65,8 +66,10 @@ haproxy h1 -conf {
--
-- 	http-request set-header     sl1      "%[req.fhdr(sl1)] method=<%[var(req.method)]>; uri=<%[var(req.uri)]>; path=<%[var(req.path)]>;"
-- 	http-request set-header     sl1      "%[req.fhdr(sl1)] query=<%[var(req.query)]>; param=<%[var(req.param)]>"
--+	http-request set-header     sl1      "%[req.fhdr(sl1)] cl=<%[var(req.cl)]>"
-- 	http-request set-header     sl2      "%[req.fhdr(sl2)] method=<%[method]>; uri=<%[url]>; path=<%[path]>; "
-- 	http-request set-header     sl2      "%[req.fhdr(sl2)] query=<%[query]>; param=<%[url_param(qs_arg)]>"
--+	http-request set-header     sl2      "%[req.fhdr(sl2)] cl=<%[req.fhdr(content-length)]>"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr1=<%[req.hdr(hdr1)]>; fhdr1=<%[req.fhdr(hdr1)]>;"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr2=<%[req.hdr(hdr2)]>; fhdr2=<%[req.fhdr(hdr2)]>;"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr3=<%[req.hdr(hdr3)]>; fhdr3=<%[req.fhdr(hdr3)]>;"
--@@ -120,6 +123,7 @@ haproxy h1 -conf {
-- 	http-request set-var(req.path)       path
-- 	http-request set-var(req.query)      query
-- 	http-request set-var(req.param)      url_param(qs_arg)
--+	http-request set-var(req.cl)         req.fhdr(content-length)
--
-- 	http-request set-header     sl1      "sl1: "
--
--@@ -132,8 +136,10 @@ haproxy h1 -conf {
--
-- 	http-request set-header     sl1      "%[req.fhdr(sl1)] method=<%[var(req.method)]>; uri=<%[var(req.uri)]>; path=<%[var(req.path)]>;"
-- 	http-request set-header     sl1      "%[req.fhdr(sl1)] query=<%[var(req.query)]>; param=<%[var(req.param)]>"
--+	http-request set-header     sl1      "%[req.fhdr(sl1)] cl=<%[var(req.cl)]>"
-- 	http-request set-header     sl2      "%[req.fhdr(sl2)] method=<%[method]>; uri=<%[url]>; path=<%[path]>; "
-- 	http-request set-header     sl2      "%[req.fhdr(sl2)] query=<%[query]>; param=<%[url_param(qs_arg)]>"
--+	http-request set-header     sl2      "%[req.fhdr(sl2)] cl=<%[req.fhdr(content-length)]>"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr1=<%[req.hdr(hdr1)]>; fhdr1=<%[req.fhdr(hdr1)]>;"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr2=<%[req.hdr(hdr2)]>; fhdr2=<%[req.fhdr(hdr2)]>;"
-- 	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr3=<%[req.hdr(hdr3)]>; fhdr3=<%[req.fhdr(hdr3)]>;"
--@@ -171,6 +177,7 @@ client c1h1 -connect ${h1_feh1_sock} {
-- 	txreq \
-- 	  -req GET \
-- 	  -url /path/to/file.extension?qs_arg=qs_value \
--+	  -hdr "content-length: 000, 00" \
-- 	  -hdr "hdr1: val1" \
-- 	  -hdr "hdr2:  val2a" \
-- 	  -hdr "hdr2:    val2b" \
--@@ -205,6 +212,7 @@ client c1h2 -connect ${h1_feh2_sock} {
-- 		  -req GET \
-- 		  -scheme "https" \
-- 		  -url /path/to/file.extension?qs_arg=qs_value \
--+		  -hdr "content-length" "000, 00" \
-- 		  -hdr "hdr1" "val1" \
-- 		  -hdr "hdr2" " val2a" \
-- 		  -hdr "hdr2" "   val2b" \
----- haproxy-2.4.22.orig/src/h1.c
--+++ haproxy-2.4.22/src/h1.c
--@@ -58,6 +58,14 @@ int h1_parse_cont_len_header(struct h1m
-- 					goto fail;
-- 				break;
-- 			}
--+
--+			if (unlikely(!cl && n > word.ptr)) {
--+				/* There was a leading zero before this digit,
--+				 * let's trim it.
--+				 */
--+				word.ptr = n;
--+			}
--+
-- 			if (unlikely(cl > ULLONG_MAX / 10ULL))
-- 				goto fail; /* multiply overflow */
-- 			cl = cl * 10ULL;
----- haproxy-2.4.22.orig/src/h2.c
--+++ haproxy-2.4.22/src/h2.c
--@@ -104,6 +104,14 @@ int h2_parse_cont_len_header(unsigned in
-- 					goto fail;
-- 				break;
-- 			}
--+
--+			if (unlikely(!cl && n > word.ptr)) {
--+				/* There was a leading zero before this digit,
--+				 * let's trim it.
--+				 */
--+				word.ptr = n;
--+			}
--+
-- 			if (unlikely(cl > ULLONG_MAX / 10ULL))
-- 				goto fail; /* multiply overflow */
-- 			cl = cl * 10ULL;
 diff --git a/debian/patches/series b/debian/patches/series
 index c488f2c..276b0d5 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -4,5 +4,3 @@ haproxy.service-add-documentation.patch
  # applied during the build process:
  # debianize-dconv.patch
  reproducible.patch
--CVE-2023-40225-1.patch
--CVE-2023-40225-2.patch
 diff --git a/dev/hpack/decode.c b/dev/hpack/decode.c
 index ae82512..13c95c7 100644
 --- a/dev/hpack/decode.c
 +++ b/dev/hpack/decode.c
@@ -30,7 +30,7 @@ uint8_t buf[MAX_RQ_SIZE];
  char trash_buf[MAX_RQ_SIZE];
  char tmp_buf[MAX_RQ_SIZE];
--struct buffer trash = { .area = trash_buf, .data = 0, .size = sizeof(trash_buf) };
++THREAD_LOCAL struct buffer trash = { .area = trash_buf, .data = 0, .size = sizeof(trash_buf) };
  struct buffer tmp   = { .area = tmp_buf,   .data = 0, .size = sizeof(tmp_buf)   };
  /* displays a <len> long memory block at <buf>, assuming first byte of <buf>
 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index 0c23dd1..7b5ee65 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -3,7 +3,7 @@
                            Configuration Manual
                           ----------------------
                                version 2.4
--                              2023/02/14
++                              2023/08/19
  This document covers the configuration language as implemented in the version
@@ -42,7 +42,8 @@ Summary
 .3.      Environment variables
 .4.      Conditional blocks
 .5.      Time format
--2.6.      Examples
++2.6.      Size format
++2.7.      Examples
 .    Global parameters
 .1.      Process management and security
@@ -753,6 +754,10 @@ file, or could be inherited by a program (See 3.7. Programs):
  * HAPROXY_MASTER_CLI: In master-worker mode, listeners addresses of the master
    CLI, separated by semicolons.
++* HAPROXY_STARTUP_VERSION: contains the version used to start, in master-worker
++  mode this is the version which was used to start the master, even after
++  updating the binary and reloading.
++
  In addition, some pseudo-variables are internally resolved and may be used as
  regular variables. Pseudo-variables always start with a dot ('.'), and are the
  only ones where the dot is permitted. The current list of pseudo-variables is:
@@ -909,7 +914,23 @@ for every keyword. Supported units are :
    - d  : days.    1d = 24h = 1440m = 86400s = 86400000ms
--2.6. Examples
++2.6. Size format
++----------------
++
++Some parameters involve values representing size, such as bandwidth limits.
++These values are generally expressed in bytes (unless explicitly stated
++otherwise) but may be expressed in any other unit by suffixing the unit to the
++numeric value. It is important to consider this because it will not be repeated
++for every keyword. Supported units are case insensitive :
++
++  - k : kilobytes. 1 kilobyte = 1024 bytes
++  - m : megabytes. 1 megabyte = 1048576 bytes
++  - g : gigabytes. 1 gigabyte = 1073741824 bytes
++
++Both time and size formats require integers, decimal notation is not allowed.
++
++
++2.7. Examples
  -------------
      # Simple configuration for an HTTP proxy listening on port 80 on all
@@ -1063,10 +1084,12 @@ The following keywords are supported in the "global" section :
     - tune.bufsize
     - tune.chksize
     - tune.comp.maxlevel
++   - tune.fail-alloc
     - tune.fd.edge-triggered
     - tune.h2.header-table-size
     - tune.h2.initial-window-size
     - tune.h2.max-concurrent-streams
++   - tune.h2.max-frame-size
     - tune.http.cookielen
     - tune.http.logurilen
     - tune.http.maxhdr
@@ -2975,7 +2998,8 @@ peers <peersect>
    Creates a new peer list with name <peersect>. It is an independent section,
    which is referenced by one or more stick-tables.
--bind [<address>]:<port_range> [, ...] [param*]
++bind [<address>]:port [param*]
++bind /<path> [param*]
    Defines the binding parameters of the local peer of this "peers" section.
    Such lines are not supported with "peer" line in the same "peers" section.
@@ -3010,16 +3034,17 @@ log <address> [len <length>] [format <format>] [sample <ranges>:<sample_size>]
    log information about the "peers" listener. See "log" option for proxies for
    more details.
--peer <peername> <ip>:<port> [param*]
++peer <peername> [<address>]:port [param*]
++peer <peername> /<path> [param*]
    Defines a peer inside a peers section.
    If <peername> is set to the local peer name (by default hostname, or forced
    using "-L" command line option or "localpeer" global configuration setting),
--  HAProxy will listen for incoming remote peer connection on <ip>:<port>.
--  Otherwise, <ip>:<port> defines where to connect to in order to join the
--  remote peer, and <peername> is used at the protocol level to identify and
++  HAProxy will listen for incoming remote peer connection on the provided
++  address.  Otherwise, the address defines where to connect to in order to join
++  the remote peer, and <peername> is used at the protocol level to identify and
    validate the remote peer on the server side.
--  During a soft restart, local peer <ip>:<port> is used by the old instance to
++  During a soft restart, local peer address is used by the old instance to
    connect the new one and initiate a complete replication (teaching process).
    It is strongly recommended to have the exact same peers declaration on all
@@ -3033,12 +3058,13 @@ peer <peername> <ip>:<port> [param*]
    Note: "peer" keyword may transparently be replaced by "server" keyword (see
    "server" keyword explanation below).
--server <peername> [<ip>:<port>] [param*]
++server <peername> [<address>:<port>] [param*]
++server <peername> [/<path>] [param*]
    As previously mentioned, "peer" keyword may be replaced by "server" keyword
    with a support for all "server" parameters found in 5.2 paragraph that are
--  related to transport settings. If the underlying peer is local, <ip>:<port>
--  parameters must not be present; these parameters must be provided on a "bind"
--  line (see "bind" keyword of this "peers" section).
++  related to transport settings. If the underlying peer is local, the address
++  parameter must not be present; it must be provided on a "bind" line (see
++  "bind" keyword of this "peers" section).
    A number of "server" parameters are irrelevant for "peers" sections. Peers by
    nature do not support dynamic host name resolution nor health checks, hence
@@ -8189,7 +8215,8 @@ no option accept-invalid-http-request
    remaining ones are blocked by default unless this option is enabled. This
    option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
    to pass through (no version specified) and multiple digits for both the major
--  and the minor version.
++  and the minor version. Finally, this option also allows incoming URLs to
++  contain fragment references ('#' after the path).
    This option should never be enabled by default as it hides application bugs
    and open security breaches. It should only be deployed after a problem has
@@ -8632,18 +8659,18 @@ no option http-ignore-probes
  option http-keep-alive
  no option http-keep-alive
--  Enable or disable HTTP keep-alive from client to server
++  Enable or disable HTTP keep-alive from client to server for HTTP/1.x
++  connections
    May be used in sections :   defaults | frontend | listen | backend
                                   yes   |    yes   |   yes  |   yes
    Arguments : none
    By default HAProxy operates in keep-alive mode with regards to persistent
--  connections: for each connection it processes each request and response, and
--  leaves the connection idle on both sides between the end of a response and
--  the start of a new request. This mode may be changed by several options such
--  as "option http-server-close" or "option httpclose". This option allows to
--  set back the keep-alive mode, which can be useful when another mode was used
--  in a defaults section.
++  HTTP/1.x connections: for each connection it processes each request and
++  response, and leaves the connection idle on both sides. This mode may be
++  changed by several options such as "option http-server-close" or "option
++  httpclose". This option allows to set back the keep-alive mode, which can be
++  useful when another mode was used in a defaults section.
    Setting "option http-keep-alive" enables HTTP keep-alive mode on the client-
    and server- sides. This provides the lowest latency on the client side (slow
@@ -8660,15 +8687,6 @@ no option http-keep-alive
        compared to the cost of retrieving the associated object from the server.
    This last case can happen when the server is a fast static server of cache.
--  In this case, the server will need to be properly tuned to support high enough
--  connection counts because connections will last until the client sends another
--  request.
--
--  If the client request has to go to another backend or another server due to
--  content switching or the load balancing algorithm, the idle connection will
--  immediately be closed and a new one re-opened. Option "prefer-last-server" is
--  available to try optimize server selection so that if the server currently
--  attached to an idle connection is usable, it will be used.
    At the moment, logs will not indicate whether requests came from the same
    session or not. The accept date reported in the logs corresponds to the end
@@ -8678,12 +8696,10 @@ no option http-keep-alive
    not set.
    This option disables and replaces any previous "option httpclose" or "option
--  http-server-close". When backend and frontend options differ, all of these 4
--  options have precedence over "option http-keep-alive".
++  http-server-close".
    See also : "option httpclose",, "option http-server-close",
--             "option prefer-last-server", "option http-pretend-keepalive",
--             and "1.1. The HTTP transaction model".
++             "option prefer-last-server" and "option http-pretend-keepalive".
  option http-no-delay
@@ -8722,19 +8738,19 @@ no option http-no-delay
  option http-pretend-keepalive
  no option http-pretend-keepalive
--  Define whether HAProxy will announce keepalive to the server or not
++  Define whether HAProxy will announce keepalive for HTTP/1.x connection to the
++  server or not
    May be used in sections :   defaults | frontend | listen | backend
                                   yes   |    no   |   yes  |   yes
    Arguments : none
    When running with "option http-server-close" or "option httpclose", HAProxy
--  adds a "Connection: close" header to the request forwarded to the server.
--  Unfortunately, when some servers see this header, they automatically refrain
--  from using the chunked encoding for responses of unknown length, while this
--  is totally unrelated. The immediate effect is that this prevents HAProxy from
--  maintaining the client connection alive. A second effect is that a client or
--  a cache could receive an incomplete response without being aware of it, and
--  consider the response complete.
++  adds a "Connection: close" header to the HTTP/1.x request forwarded to the
++  server. Unfortunately, when some servers see this header, they automatically
++  refrain from using the chunked encoding for responses of unknown length,
++  while this is totally unrelated. The effect is that a client or a cache could
++  receive an incomplete response without being aware of it, and consider the
++  response complete.
    By setting "option http-pretend-keepalive", HAProxy will make the server
    believe it will keep the connection alive. The server will then not fall back
@@ -8754,9 +8770,7 @@ no option http-pretend-keepalive
    This option may be set in backend and listen sections. Using it in a frontend
    section will be ignored and a warning will be reported during startup. It is
    a backend related option, so there is no real reason to set it on a
--  frontend. This option may be combined with "option httpclose", which will
--  cause keepalive to be announced to the server and close to be announced to
--  the client. This practice is discouraged though.
++  frontend.
    If this option has been enabled in a "defaults" section, it can be disabled
    in a specific instance by prepending the "no" keyword before it.
@@ -8794,26 +8808,25 @@ option http-restrict-req-hdr-names { preserve | delete | reject }
  option http-server-close
  no option http-server-close
--  Enable or disable HTTP connection closing on the server side
++  Enable or disable HTTP/1.x connection closing on the server side
    May be used in sections :   defaults | frontend | listen | backend
                                   yes   |    yes   |   yes  |   yes
    Arguments : none
    By default HAProxy operates in keep-alive mode with regards to persistent
--  connections: for each connection it processes each request and response, and
--  leaves the connection idle on both sides between the end of a response and
--  the start of a new request. This mode may be changed by several options such
--  as "option http-server-close" or "option httpclose". Setting "option
--  http-server-close" enables HTTP connection-close mode on the server side
--  while keeping the ability to support HTTP keep-alive and pipelining on the
--  client side. This provides the lowest latency on the client side (slow
--  network) and the fastest session reuse on the server side to save server
--  resources, similarly to "option httpclose".  It also permits non-keepalive
--  capable servers to be served in keep-alive mode to the clients if they
--  conform to the requirements of RFC7230. Please note that some servers do not
--  always conform to those requirements when they see "Connection: close" in the
--  request. The effect will be that keep-alive will never be used. A workaround
--  consists in enabling "option http-pretend-keepalive".
++  HTTP/1.x connections: for each connection it processes each request and
++  response, and leaves the connection idle on both sides. This mode may be
++  changed by several options such as "option http-server-close" or "option
++  httpclose". Setting "option http-server-close" enables HTTP connection-close
++  mode on the server side while keeping the ability to support HTTP keep-alive
++  and pipelining on the client side. This provides the lowest latency on the
++  client side (slow network) and the fastest session reuse on the server side
++  to save server resources, similarly to "option httpclose".  It also permits
++  non-keepalive capable servers to be served in keep-alive mode to the clients
++  if they conform to the requirements of RFC7230. Please note that some servers
++  do not always conform to those requirements when they see "Connection: close"
++  in the request. The effect will be that keep-alive will never be used. A
++  workaround consists in enabling "option http-pretend-keepalive".
    At the moment, logs will not indicate whether requests came from the same
    session or not. The accept date reported in the logs corresponds to the end
@@ -8831,8 +8844,8 @@ no option http-server-close
    If this option has been enabled in a "defaults" section, it can be disabled
    in a specific instance by prepending the "no" keyword before it.
--  See also : "option httpclose", "option http-pretend-keepalive",
--             "option http-keep-alive", and "1.1. The HTTP transaction model".
++  See also : "option httpclose", "option http-pretend-keepalive" and
++             "option http-keep-alive".
  option http-use-proxy-header
  no option http-use-proxy-header
@@ -8929,37 +8942,37 @@ option httpchk <method> <uri> <version>
  option httpclose
  no option httpclose
--  Enable or disable HTTP connection closing
++  Enable or disable HTTP/1.x connection closing
    May be used in sections :   defaults | frontend | listen | backend
                                   yes   |    yes   |   yes  |   yes
    Arguments : none
    By default HAProxy operates in keep-alive mode with regards to persistent
--  connections: for each connection it processes each request and response, and
--  leaves the connection idle on both sides between the end of a response and
--  the start of a new request. This mode may be changed by several options such
--  as "option http-server-close" or "option httpclose".
--
--  If "option httpclose" is set, HAProxy will close connections with the server
--  and the client as soon as the request and the response are received. It will
--  also check if a "Connection: close" header is already set in each direction,
--  and will add one if missing. Any "Connection" header different from "close"
--  will also be removed.
++  HTTP/1.x connections: for each connection it processes each request and
++  response, and leaves the connection idle on both sides. This mode may be
++  changed by several options such as "option http-server-close" or "option
++  httpclose".
++
++  If "option httpclose" is set, HAProxy will close the client or the server
++  connection, depending where the option is set. Only the frontend is
++  considered for client connections while the frontend and the backend are
++  considered for server ones. In this case the option is enabled if at least
++  one of the frontend or backend holding the connection has it enabled. If the
++  option is set on a listener, it is applied both on client and server
++  connections. It will check if a "Connection: close" header is already set in
++  each direction, and will add one if missing.
    This option may also be combined with "option http-pretend-keepalive", which
--  will disable sending of the "Connection: close" header, but will still cause
--  the connection to be closed once the whole response is received.
++  will disable sending of the "Connection: close" request header, but will
++  still cause the connection to be closed once the whole response is received.
--  This option may be set both in a frontend and in a backend. It is enabled if
--  at least one of the frontend or backend holding a connection has it enabled.
    It disables and replaces any previous "option http-server-close" or "option
--  http-keep-alive". Please check section 4 ("Proxies") to see how this option
--  combines with others when frontend and backend options differ.
++  http-keep-alive".
    If this option has been enabled in a "defaults" section, it can be disabled
    in a specific instance by prepending the "no" keyword before it.
--  See also : "option http-server-close" and "1.1. The HTTP transaction model".
++  See also : "option http-server-close".
  option httplog [ clf ]
@@ -12558,6 +12571,9 @@ tcp-request inspect-delay <timeout>
    Obviously this is unlikely to be very useful and might even be racy, so such
    setups are not recommended.
++  Note the inspection delay is shortened if an connection error or shutdown is
++  experienced or if the request buffer appears as full.
++
    As soon as a rule matches, the request is released and continues as usual. If
    the timeout is reached and no rule matches, the default policy will be to let
    it pass through unaffected.
@@ -13551,7 +13567,8 @@ crt <cert>
    who provide a valid TLS Server Name Indication field matching one of their
    CN or alt subjects. Wildcards are supported, where a wildcard character '*'
    is used instead of the first hostname component (e.g. *.example.org matches
--  www.example.org but not www.sub.example.org).
++  www.example.org but not www.sub.example.org). If an empty directory is used,
++  HAProxy will not start unless the "strict-sni" keyword is used.
    If no SNI is provided by the client or if the SSL library does not support
    TLS extensions, or if the client provides an SNI hostname which does not
@@ -13972,8 +13989,11 @@ ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
  strict-sni
    This setting is only available when support for OpenSSL was built in. The
    SSL/TLS negotiation is allow only if the client provided an SNI which match
--  a certificate. The default certificate is not used.
--  See the "crt" option for more information.
++  a certificate. The default certificate is not used. This option also allows
++  to start without any certificate on a bind line, so an empty directory could
++  be used and filled later from the stats socket.
++  See the "crt" option for more information. See "add ssl crt-list" command in
++  the management guide.
  tcp-ut <delay>
    Sets the TCP User Timeout for all incoming connections instantiated from this
@@ -15315,15 +15335,53 @@ parse-resolv-conf
    placed in the resolvers section in place of this directive.
  hold <status> <period>
--  Defines <period> during which the last name resolution should be kept based
--  on last resolution <status>
--    <status> : last name resolution status. Acceptable values are "nx",
--               "other", "refused", "timeout", "valid", "obsolete".
--    <period> : interval between two successive name resolution when the last
--               answer was in <status>. It follows the HAProxy time format.
--               <period> is in milliseconds by default.
++  Upon receiving the DNS response <status>, determines whether a server's state
++  should change from UP to DOWN. To make that determination, it checks whether
++  any valid status has been received during the past <period> in order to
++  counteract the just received invalid status.
++
++    <status> : last name resolution status.
++           nx        After receiving an NXDOMAIN status, check for any valid
++                     status during the concluding period.
++
++           refused   After receiving a REFUSED status, check for any valid
++                     status during the concluding period.
++
++           timeout   After the "timeout retry" has struck, check for any
++                     valid status during the concluding period.
++
++           other     After receiving any other invalid status, check for any
++                     valid status during the concluding period.
++
++           valid     Applies only to "http-request do-resolve" and
++                     "tcp-request content do-resolve" actions. It defines the
++                     period for which the server will maintain a valid response
++                     before triggering another resolution. It does not affect
++                     dynamic resolution of servers.
--  Default value is 10s for "valid", 0s for "obsolete" and 30s for others.
++           obsolete  Defines how long to wait before removing obsolete DNS
++                     records after an updated answer record is received. It
++                     applies to SRV records.
++
++    <period> : Amount of time into the past during which a valid response must
++               have been received. It follows the HAProxy time format and is in
++               milliseconds by default.
++
++  For a server that relies on dynamic DNS resolution to determine its IP
++  address, receiving an invalid DNS response, such as NXDOMAIN, will lead to
++  changing the server's state from UP to DOWN. The hold directives define how
++  far into the past to look for a valid response. If a valid response has been
++  received within <period>, the just received invalid status will be ignored.
++
++  Unless a valid response has been receiving during the concluding period, the
++  server will be marked as DOWN. For example, if "hold nx 30s" is set and the
++  last received DNS response was NXDOMAIN, the server will be marked DOWN
++  unless a valid response has been received during the last 30 seconds.
++
++  A server in the DOWN state will be marked UP immediately upon receiving a
++  valid status from the DNS server.
++
++  A separate behavior exists for "hold valid" and "hold obsolete".
  resolve_retries <nb>
    Defines the number <nb> of queries to send to resolve a server name before
@@ -18450,7 +18508,7 @@ future information. Those generally include the results of SSL negotiations.
  ssl_bc : boolean
    Returns true when the back connection was made via an SSL/TLS transport
    layer and is locally deciphered. This means the outgoing connection was made
--  other a server with the "ssl" option. It can be used in a tcp-check or an
++  to a server with the "ssl" option. It can be used in a tcp-check or an
    http-check ruleset.
  ssl_bc_alg_keysize : integer
@@ -19623,7 +19681,11 @@ path : string
    information from databases and keep them in caches. Note that with outgoing
    caches, it would be wiser to use "url" instead. With ACLs, it's typically
    used to match exact file names (e.g. "/login.php"), or directory parts using
--  the derivative forms. See also the "url" and "base" fetch methods.
++  the derivative forms. See also the "url" and "base" fetch methods. Please
++  note that any fragment reference in the URI ('#' after the path) is strictly
++  forbidden by the HTTP standard and will be rejected. However, if the frontend
++  receiving the request has "option accept-invalid-http-request", then this
++  fragment part will be accepted and will also appear in the path.
    ACL derivatives :
      path     : exact string match
@@ -19641,7 +19703,11 @@ pathq : string
    relative URI, excluding the scheme and the authority part, if any. Indeed,
    while it is the common representation for an HTTP/1.1 request target, in
    HTTP/2, an absolute URI is often used. This sample fetch will return the same
--  result in both cases.
++  result in both cases. Please note that any fragment reference in the URI ('#'
++  after the path) is strictly forbidden by the HTTP standard and will be
++  rejected. However, if the frontend receiving the request has "option
++  accept-invalid-http-request", then this fragment part will be accepted and
++  will also appear in the path.
  query : string
    This extracts the request's query string, which starts after the first
@@ -19874,7 +19940,11 @@ url : string
    "path" is preferred over using "url", because clients may send a full URL as
    is normally done with proxies. The only real use is to match "*" which does
    not match in "path", and for which there is already a predefined ACL. See
--  also "path" and "base".
++  also "path" and "base". Please note that any fragment reference in the URI
++  ('#' after the path) is strictly forbidden by the HTTP standard and will be
++  rejected. However, if the frontend receiving the request has "option
++  accept-invalid-http-request", then this fragment part will be accepted and
++  will also appear in the url.
    ACL derivatives :
      url     : exact string match
@@ -20971,6 +21041,13 @@ Timings events in TCP mode:
      header (empty line) was never seen, most likely because the server timeout
      stroke before the server managed to process the request.
++  - Td: this is the total transfer time of the response payload till the last
++    byte sent to the client. In HTTP it starts after the last response header
++    (after Tr).
++
++    The data sent are not guaranteed to be received by the client, they can be
++    stuck in either the kernel or the network.
++
    - Ta: total active time for the HTTP request, between the moment the proxy
      received the first byte of the request header and the emission of the last
      byte of the response body. The exception is when the "logasap" option is
 diff --git a/doc/design-thoughts/config-language.txt b/doc/design-thoughts/config-language.txt
 index 510ada6..20c4fbd 100644
 --- a/doc/design-thoughts/config-language.txt
 +++ b/doc/design-thoughts/config-language.txt
@@ -24,9 +24,9 @@ Pour les filtres :
      <operator>  = [ == | =~ | =* | =^ | =/ | != | !~ | !* | !^ | !/ ]
      <pattern>   = "<string>"
      <action>    = [ allow | permit | deny | delete | replace | switch | add | set | redir ]
--    <args>      = optionnal action args
++    <args>      = optional action args
--    exemples:
++    examples:
          req in URI     =^ "/images" switch images
          req in h(host) =* ".mydomain.com" switch mydomain
 diff --git a/doc/internals/http-parsing.txt b/doc/internals/http-parsing.txt
 index 494558b..8b3f239 100644
 --- a/doc/internals/http-parsing.txt
 +++ b/doc/internals/http-parsing.txt
@@ -325,11 +325,11 @@ Unfortunately, some products such as Apache allow such characters :-/
  - each http_txn has 1 request message (http_req), and 0 or 1 response message
    (http_rtr). Each of them has 1 and only one http_txn. An http_txn holds
--  informations such as the HTTP method, the URI, the HTTP version, the
++  information such as the HTTP method, the URI, the HTTP version, the
    transfer-encoding, the HTTP status, the authorization, the req and rtr
    content-length, the timers, logs, etc... The backend and server which process
    the request are also known from the http_txn.
--- both request and response messages hold header and parsing informations, such
++- both request and response messages hold header and parsing information, such
    as the parsing state, start of headers, start of message, captures, etc...
 diff --git a/doc/management.txt b/doc/management.txt
 index 56f119e..1177aa2 100644
 --- a/doc/management.txt
 +++ b/doc/management.txt
@@ -2563,7 +2563,7 @@ show resolvers [<resolvers section id>]
      other: any other DNS errors
      invalid: invalid DNS response (from a protocol point of view)
      too_big: too big response
--    outdated: number of response arrived too late (after an other name server)
++    outdated: number of response arrived too late (after another name server)
  show servers conn [<backend>]
    Dump the current and idle connections state of the servers belonging to the
 diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h
 index 4b8b098..157387b 100644
 --- a/include/haproxy/connection.h
 +++ b/include/haproxy/connection.h
@@ -218,6 +218,16 @@ static inline void conn_xprt_shutw_hard(struct connection *c)
  		c->xprt->shutw(c, c->xprt_ctx, 0);
+ }
++/* Used to know if a connection is in an idle list. It returns connection flag
++ * corresponding to the idle list if the connection is idle (CO_FL_SAFE_LIST or
++ * CO_FL_IDLE_LIST) or 0 otherwise. Note that if the connection is scheduled to
++ * be removed, 0 is returned, regardless the connection flags.
++ */
++static inline unsigned int conn_get_idle_flag(const struct connection *conn)
++{
++	return (!MT_LIST_INLIST(&conn->toremove_list) ? conn->flags & CO_FL_LIST_MASK : 0);
++}
++
  /* This is used at the end of the socket IOCB to possibly create the mux if it
   * was not done yet, or wake it up if flags changed compared to old_flags or if
   * need_wake insists on this. It returns <0 if the connection was destroyed and
@@ -266,7 +276,7 @@ static inline int conn_notify_mux(struct connection *conn, int old_flags, int fo
  	     ((conn->flags ^ old_flags) & CO_FL_NOTIFY_DONE) ||
  	     ((old_flags & CO_FL_WAIT_XPRT) && !(conn->flags & CO_FL_WAIT_XPRT))) &&
  	    conn->mux && conn->mux->wake) {
--		uint conn_in_list = conn->flags & CO_FL_LIST_MASK;
++		uint conn_in_list = conn_get_idle_flag(conn);
  		struct server *srv = objt_server(conn->target);
  		if (conn_in_list) {
 diff --git a/include/haproxy/h2.h b/include/haproxy/h2.h
 index 8d2aa95..4f872b9 100644
 --- a/include/haproxy/h2.h
 +++ b/include/haproxy/h2.h
@@ -207,7 +207,7 @@ extern struct h2_frame_definition h2_frame_definition[H2_FT_ENTRIES];
  /* various protocol processing functions */
  int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned long long *body_len);
--int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len);
++int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, int relaxed);
  int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, char *upgrade_protocol);
  int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx);
 diff --git a/include/haproxy/hlua.h b/include/haproxy/hlua.h
 index 21e4534..d77f92e 100644
 --- a/include/haproxy/hlua.h
 +++ b/include/haproxy/hlua.h
@@ -54,6 +54,7 @@ int hlua_post_init();
  void hlua_applet_tcp_fct(struct appctx *ctx);
  void hlua_applet_http_fct(struct appctx *ctx);
  struct task *hlua_process_task(struct task *task, void *context, unsigned int state);
++void hlua_yieldk(lua_State *L, int nresults, lua_KContext ctx, lua_KFunction k, int timeout, unsigned int flags);
  #else /* USE_LUA */
 diff --git a/include/haproxy/http.h b/include/haproxy/http.h
 index 8a86cb6..e8c5b85 100644
 --- a/include/haproxy/http.h
 +++ b/include/haproxy/http.h
@@ -134,6 +134,25 @@ static inline enum http_etag_type http_get_etag_type(const struct ist etag)
  	return ETAG_INVALID;
+ }
++/* Looks into <ist> for forbidden characters for :path values (0x00..0x1F,
++ * 0x20, 0x23), starting at pointer <start> which must be within <ist>.
++ * Returns non-zero if such a character is found, 0 otherwise. When run on
++ * unlikely header match, it's recommended to first check for the presence
++ * of control chars using ist_find_ctl().
++ */
++static inline int http_path_has_forbidden_char(const struct ist ist, const char *start)
++{
++	do {
++		if ((uint8_t)*start <= 0x23) {
++			if ((uint8_t)*start < 0x20)
++				return 1;
++			if ((1U << ((uint8_t)*start & 0x1F)) & ((1<<3) | (1<<0)))
++				return 1;
++		}
++		start++;
++	} while (start < istend(ist));
++	return 0;
++}
  #endif /* _HAPROXY_HTTP_H */
 diff --git a/include/haproxy/http_ana-t.h b/include/haproxy/http_ana-t.h
 index 89d41dd..508721d 100644
 --- a/include/haproxy/http_ana-t.h
 +++ b/include/haproxy/http_ana-t.h
@@ -59,7 +59,7 @@
  /* cacheability management, bits values 0x1000 to 0x3000 (0-3 shift 12) */
  #define TX_CACHEABLE	0x00001000	/* at least part of the response is cacheable */
  #define TX_CACHE_COOK	0x00002000	/* a cookie in the response is cacheable */
--#define TX_CACHE_IGNORE 0x00004000	/* do not retrieve object from cache, or avoid caching response */
++#define TX_CACHE_IGNORE 0x00004000	/* do not retrieve object from cache */
  #define TX_CACHE_SHIFT	12		/* bit shift */
  #define TX_CON_WANT_TUN 0x00008000	/* Will be a tunnel (CONNECT or 101-Switching-Protocol) */
 diff --git a/include/haproxy/http_rules.h b/include/haproxy/http_rules.h
 index 060e3e8..e048064 100644
 --- a/include/haproxy/http_rules.h
 +++ b/include/haproxy/http_rules.h
@@ -34,6 +34,7 @@ extern struct action_kw_list http_after_res_keywords;
  struct act_rule *parse_http_req_cond(const char **args, const char *file, int linenum, struct proxy *proxy);
  struct act_rule *parse_http_res_cond(const char **args, const char *file, int linenum, struct proxy *proxy);
  struct act_rule *parse_http_after_res_cond(const char **args, const char *file, int linenum, struct proxy *proxy);
++void  http_free_redirect_rule(struct redirect_rule *rdr);
  struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, struct proxy *curproxy,
                                                 const char **args, char **errmsg, int use_fmt, int dir);
 diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
 index 476e65a..dac71ec 100644
 --- a/include/haproxy/listener-t.h
 +++ b/include/haproxy/listener-t.h
@@ -205,6 +205,9 @@ struct bind_conf {
  	struct rx_settings settings; /* all the settings needed for the listening socket */
  };
++#define LI_F_FINALIZED           0x00000002  /* listener made it to the READY||LIMITED||FULL state at least once, may be suspended/resumed safely */
++#define LI_F_SUSPENDED           0x00000004  /* listener has been suspended using suspend_listener(), it is either is LI_PAUSED or LI_ASSIGNED state */
++
  /* The listener will be directly referenced by the fdtab[] which holds its
   * socket. The listener provides the protocol-specific accept() function to
   * the fdtab.
@@ -215,6 +218,8 @@ struct listener {
  	short int nice;                 /* nice value to assign to the instantiated tasks */
  	int luid;			/* listener universally unique ID, used for SNMP */
  	int options;			/* socket options : LI_O_* */
++	uint16_t flags;                 /* listener flags: LI_F_* */
++	/* 2-bytes hole here */
  	__decl_thread(HA_RWLOCK_T lock);
  	struct fe_counters *counters;	/* statistics counters */
 diff --git a/include/haproxy/listener.h b/include/haproxy/listener.h
 index bb502c6..44af4bc 100644
 --- a/include/haproxy/listener.h
 +++ b/include/haproxy/listener.h
@@ -39,29 +39,45 @@ void listener_set_state(struct listener *l, enum li_state st);
   * closes upon SHUT_WR and refuses to rebind. So a common validation path
   * involves SHUT_WR && listen && SHUT_RD. In case of success, the FD's polling
   * is disabled. It normally returns non-zero, unless an error is reported.
-- * It will need to operate under the proxy's lock. The caller is
-- * responsible for indicating in lpx whether the proxy locks is
-- * already held (non-zero) or not (zero) so that the function picks it.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * suspend() may totally stop a listener if it doesn't support the PAUSED
++ * state, in which case state will be set to ASSIGNED.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
   */
--int pause_listener(struct listener *l, int lpx);
++int suspend_listener(struct listener *l, int lpx, int lli);
  /* This function tries to resume a temporarily disabled listener.
   * The resulting state will either be LI_READY or LI_FULL. 0 is returned
   * in case of failure to resume (eg: dead socket).
-- * It will need to operate under the proxy's lock. The caller is
-- * responsible for indicating in lpx whether the proxy locks is
-- * already held (non-zero) or not (zero) so that the function picks it.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
   */
--int resume_listener(struct listener *l, int lpx);
++int resume_listener(struct listener *l, int lpx, int lli);
++
++/* Same as resume_listener(), but will only work to resume from
++ * LI_FULL or LI_LIMITED states because we try to relax listeners that
++ * were temporarily restricted and not to resume inactive listeners that
++ * may have been paused or completely stopped in the meantime.
++ * Returns positive value for success and 0 for failure.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
++ */
++int relax_listener(struct listener *l, int lpx, int lli);
  /*
   * This function completely stops a listener. It will need to operate under the
-- * proxy's lock and the protocol's lock. The caller is
-- * responsible for indicating in lpx, lpr whether the respective locks are
++ * proxy's lock, the protocol's and the listener's lock. The caller is
++ * responsible for indicating in lpx, lpr, lli whether the respective locks are
   * already held (non-zero) or not (zero) so that the function picks the missing
   * ones, in this order.
   */
--void stop_listener(struct listener *l, int lpx, int lpr);
++void stop_listener(struct listener *l, int lpx, int lpr, int lli);
  /* This function adds the specified listener's file descriptor to the polling
   * lists if it is in the LI_LISTEN state. The listener enters LI_READY or
 diff --git a/include/haproxy/proxy-t.h b/include/haproxy/proxy-t.h
 index a5a129a..5aa1ad3 100644
 --- a/include/haproxy/proxy-t.h
 +++ b/include/haproxy/proxy-t.h
@@ -402,6 +402,7 @@ struct proxy {
  	unsigned int li_paused;                 /* total number of listeners paused (LI_PAUSED) */
  	unsigned int li_bound;                  /* total number of listeners ready (LI_LISTEN)  */
  	unsigned int li_ready;                  /* total number of listeners ready (>=LI_READY) */
++	unsigned int li_suspended;		/* total number of listeners suspended (could be paused or unbound) */
  	/* warning: these structs are huge, keep them at the bottom */
  	struct sockaddr_storage dispatch_addr;	/* the default address to connect to */
 diff --git a/include/haproxy/server.h b/include/haproxy/server.h
 index fdb285c..66dcaf9 100644
 --- a/include/haproxy/server.h
 +++ b/include/haproxy/server.h
@@ -299,6 +299,7 @@ static inline void srv_release_conn(struct server *srv, struct connection *conn)
  	/* Remove the connection from any tree (safe, idle or available) */
  	HA_SPIN_LOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
  	conn_delete_from_tree(&conn->hash_node->node);
++	conn->flags &= ~CO_FL_LIST_MASK;
  	HA_SPIN_UNLOCK(IDLE_CONNS_LOCK, &idle_conns[tid].idle_conns_lock);
+ }
 diff --git a/include/haproxy/sink.h b/include/haproxy/sink.h
 index a9f8099..71cad0f 100644
 --- a/include/haproxy/sink.h
 +++ b/include/haproxy/sink.h
@@ -32,7 +32,8 @@ extern struct proxy *sink_proxies_list;
  struct sink *sink_find(const char *name);
  struct sink *sink_new_fd(const char *name, const char *desc, enum log_fmt, int fd);
--ssize_t __sink_write(struct sink *sink, const struct ist msg[], size_t nmsg,
++ssize_t __sink_write(struct sink *sink, size_t maxlen,
++                     const struct ist msg[], size_t nmsg,
                       int level, int facility, struct ist * metadata);
  int sink_announce_dropped(struct sink *sink, int facility);
@@ -44,7 +45,8 @@ int sink_announce_dropped(struct sink *sink, int facility);
   * The function returns the number of Bytes effectively sent or announced.
   * or <= 0 in other cases.
   */
--static inline ssize_t sink_write(struct sink *sink, const struct ist msg[], size_t nmsg,
++static inline ssize_t sink_write(struct sink *sink, size_t maxlen,
++                                 const struct ist msg[], size_t nmsg,
                                   int level, int facility, struct ist *metadata)
+ {
  	ssize_t sent;
@@ -69,7 +71,7 @@ static inline ssize_t sink_write(struct sink *sink, const struct ist msg[], size
+ 	}
  	HA_RWLOCK_RDLOCK(LOGSRV_LOCK, &sink->ctx.lock);
--	sent = __sink_write(sink, msg, nmsg, level, facility, metadata);
++	sent = __sink_write(sink, maxlen, msg, nmsg, level, facility, metadata);
  	HA_RWLOCK_RDUNLOCK(LOGSRV_LOCK, &sink->ctx.lock);
   fail:
 diff --git a/include/haproxy/spoe-t.h b/include/haproxy/spoe-t.h
 index 197f47b..38e3272 100644
 --- a/include/haproxy/spoe-t.h
 +++ b/include/haproxy/spoe-t.h
@@ -308,6 +308,7 @@ struct spoe_agent {
  		struct freq_ctr conn_per_sec;   /* connections per second */
  		struct freq_ctr err_per_sec;    /* connection errors per second */
++		unsigned int    idles;          /* # of idle applets */
  		struct eb_root  idle_applets;   /* idle SPOE applets available to process data */
  		struct list     applets;        /* all SPOE applets for this agent */
  		struct list     sending_queue;  /* Queue of streams waiting to send data */
 diff --git a/include/haproxy/stick_table.h b/include/haproxy/stick_table.h
 index c9fb85e..5fd8d1e 100644
 --- a/include/haproxy/stick_table.h
 +++ b/include/haproxy/stick_table.h
@@ -46,7 +46,7 @@ void stksess_free(struct stktable *t, struct stksess *ts);
  int stksess_kill(struct stktable *t, struct stksess *ts, int decrefcount);
  int stktable_init(struct stktable *t);
--int stktable_parse_type(char **args, int *idx, unsigned long *type, size_t *key_size);
++int stktable_parse_type(char **args, int *idx, unsigned long *type, size_t *key_size, const char *file, int linenum);
  int parse_stick_table(const char *file, int linenum, char **args,
                        struct stktable *t, char *id, char *nid, struct peers *peers);
  struct stksess *stktable_get_entry(struct stktable *table, struct stktable_key *key);
 diff --git a/include/haproxy/time.h b/include/haproxy/time.h
 index c8358e0..e3bb74e 100644
 --- a/include/haproxy/time.h
 +++ b/include/haproxy/time.h
@@ -54,7 +54,8 @@ extern THREAD_LOCAL unsigned int   samp_time;        /* total elapsed time over
  extern THREAD_LOCAL unsigned int   idle_time;        /* total idle time over current sample */
  extern THREAD_LOCAL struct timeval now;              /* internal date is a monotonic function of real clock */
  extern THREAD_LOCAL struct timeval date;             /* the real current date */
--extern struct timeval start_date;       /* the process's start date */
++extern struct timeval start_date;                    /* the process's start date */
++extern struct timeval ready_date;                    /* date when the process was considered ready */
  extern THREAD_LOCAL struct timeval before_poll;      /* system date before calling poll() */
  extern THREAD_LOCAL struct timeval after_poll;       /* system date after leaving poll() */
  extern volatile unsigned long long global_now;
 diff --git a/include/import/ist.h b/include/import/ist.h
 index 539a27d..31566b1 100644
 --- a/include/import/ist.h
 +++ b/include/import/ist.h
@@ -746,6 +746,53 @@ static inline const char *ist_find_ctl(const struct ist ist)
  	return NULL;
+ }
++/* Returns a pointer to the first character found <ist> that belongs to the
++ * range [min:max] inclusive, or NULL if none is present. The function is
++ * optimized for strings having no such chars by processing up to sizeof(long)
++ * bytes at once on architectures supporting efficient unaligned accesses.
++ * Despite this it is not very fast (~0.43 byte/cycle) and should mostly be
++ * used on low match probability when it can save a call to a much slower
++ * function. Will not work for characters 0x80 and above. It's optimized for
++ * min and max to be known at build time.
++ */
++static inline const char *ist_find_range(const struct ist ist, unsigned char min, unsigned char max)
++{
++	const union { unsigned long v; } __attribute__((packed)) *u;
++	const char *curr = (void *)ist.ptr - sizeof(long);
++	const char *last = curr + ist.len;
++	unsigned long l1, l2;
++
++	/* easier with an exclusive boundary */
++	max++;
++
++	do {
++		curr += sizeof(long);
++		if (curr > last)
++			break;
++		u = (void *)curr;
++		/* add 0x<min><min><min><min>..<min> then subtract
++		 * 0x<max><max><max><max>..<max> to the value to generate a
++		 * carry in the lower byte if the byte contains a lower value.
++		 * If we generate a bit 7 that was not there, it means the byte
++		 * was min..max.
++		 */
++		l2  = u->v;
++		l1  = ~l2 & ((~0UL / 255) * 0x80); /* 0x808080...80 */
++		l2 += (~0UL / 255) * min;          /* 0x<min><min>..<min> */
++		l2 -= (~0UL / 255) * max;          /* 0x<max><max>..<max> */
++	} while ((l1 & l2) == 0);
++
++	last += sizeof(long);
++	if (__builtin_expect(curr < last, 0)) {
++		do {
++			if ((unsigned char)(*curr - min) < (unsigned char)(max - min))
++				return curr;
++			curr++;
++		} while (curr < last);
++	}
++	return NULL;
++}
++
  /* looks for first occurrence of character <chr> in string <ist> and returns
   * the tail of the string starting with this character, or (ist.end,0) if not
   * found.
 diff --git a/reg-tests/cache/caching_rules.vtc b/reg-tests/cache/caching_rules.vtc
 index 114b2fd..10840e1 100644
 --- a/reg-tests/cache/caching_rules.vtc
 +++ b/reg-tests/cache/caching_rules.vtc
@@ -67,6 +67,42 @@ server s1 {
      txresp -hdr "Cache-Control: max-age=500" \
          -hdr "Age: 100" -bodylen 140
++
++    # "Control-Cache: no-cache" on client request but still stored in cache
++    rxreq
++    expect req.url == "/nocache"
++    txresp -hdr "Cache-Control: max-age=500" \
++        -hdr "Age: 100" -bodylen 140
++
++    rxreq
++    expect req.url == "/nocache"
++    txresp -hdr "Cache-Control: max-age=500" \
++        -hdr "Age: 100" -bodylen 140
++
++
++    # max-age=0
++    rxreq
++    expect req.url == "/maxage_zero"
++    txresp -hdr "Cache-Control: max-age=0" \
++        -bodylen 150
++
++    rxreq
++    expect req.url == "/maxage_zero"
++    txresp -hdr "Cache-Control: max-age=0" \
++        -bodylen 150
++
++    # Overridden null max-age
++    rxreq
++    expect req.url == "/overridden"
++    txresp -hdr "Cache-Control: max-age=1, s-maxage=5" \
++        -bodylen 160
++
++    rxreq
++    expect req.url == "/overridden_null_maxage"
++    txresp -hdr "Cache-Control: max-age=0, s-maxage=5" \
++        -bodylen 190
++
++
  } -start
  server s2 {
@@ -222,4 +258,64 @@ client c1 -connect ${h1_fe_sock} {
          expect resp.bodylen == 140
          expect resp.http.X-Cache-Hit == 1
++        # Cache-Control: no-cache
++        txreq -url "/nocache" -hdr "Cache-Control: no-cache"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 140
++        expect resp.http.X-Cache-Hit == 0
++
++        txreq -url "/nocache" -hdr "Cache-Control: no-cache"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 140
++        expect resp.http.X-Cache-Hit == 0
++
++        txreq -url "/nocache"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 140
++        expect resp.http.X-Cache-Hit == 1
++
++        # max-age=0 (control test for the overridden null max-age test below)
++        txreq -url "/maxage_zero"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 150
++        expect resp.http.X-Cache-Hit == 0
++
++        txreq -url "/maxage_zero"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 150
++        expect resp.http.X-Cache-Hit == 0
++
++        # Overridden max-age directive
++        txreq -url "/overridden"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 160
++        expect resp.http.X-Cache-Hit == 0
++
++        txreq -url "/overridden"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 160
++        expect resp.http.X-Cache-Hit == 1
++
++        txreq -url "/overridden_null_maxage"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 190
++        expect resp.http.X-Cache-Hit == 0
++
++        # The previous response should have been cached even if it had
++        # a max-age=0 since it also had a positive s-maxage
++        txreq -url "/overridden_null_maxage"
++        rxresp
++        expect resp.status == 200
++        expect resp.bodylen == 190
++        expect resp.http.X-Cache-Hit == 1
++
++
  } -run
 diff --git a/reg-tests/http-messaging/h1_to_h1.vtc b/reg-tests/http-messaging/h1_to_h1.vtc
 index c7d0085..603c032 100644
 --- a/reg-tests/http-messaging/h1_to_h1.vtc
 +++ b/reg-tests/http-messaging/h1_to_h1.vtc
@@ -275,3 +275,29 @@ client c3h1 -connect ${h1_feh1_sock} {
  	# arrive here.
  	expect_close
  } -run
++
++client c4h1 -connect ${h1_feh1_sock} {
++	# this request is invalid and advertises an invalid C-L ending with an
++        # empty value, which results in a stream error.
++	txreq \
++	  -req "GET" \
++	  -url "/test31.html" \
++          -hdr "content-length: 0," \
++          -hdr "connection: close"
++	rxresp
++	expect resp.status == 400
++	expect_close
++} -run
++
++client c5h1 -connect ${h1_feh1_sock} {
++	# this request is invalid and advertises an empty C-L, which results
++	# in a stream error.
++	txreq \
++	  -req "GET" \
++	  -url "/test41.html" \
++          -hdr "content-length:" \
++          -hdr "connection: close"
++	rxresp
++	expect resp.status == 400
++	expect_close
++} -run
 diff --git a/reg-tests/http-messaging/h2_to_h1.vtc b/reg-tests/http-messaging/h2_to_h1.vtc
 index 0d2b1e5..ec7a7c1 100644
 --- a/reg-tests/http-messaging/h2_to_h1.vtc
 +++ b/reg-tests/http-messaging/h2_to_h1.vtc
@@ -10,6 +10,8 @@ barrier b1 cond 2 -cyclic
  barrier b2 cond 2 -cyclic
  barrier b3 cond 2 -cyclic
  barrier b4 cond 2 -cyclic
++barrier b5 cond 2 -cyclic
++barrier b6 cond 2 -cyclic
  server s1 {
  	rxreq
@@ -31,6 +33,12 @@ server s1 {
  	barrier b4 sync
  	# the next request is never received
++
++	barrier b5 sync
++	# the next request is never received
++
++	barrier b6 sync
++	# the next request is never received
  } -repeat 2 -start
  haproxy h1 -conf {
@@ -121,6 +129,32 @@ client c1h2 -connect ${h1_feh2_sock} {
  		txdata -data "this is sent and ignored"
  		rxrst
  	} -run
++
++	# fifth request is invalid and advertises an invalid C-L ending with an
++        # empty value, which results in a stream error.
++	stream 9 {
++		barrier b5 sync
++		txreq \
++		  -req "GET" \
++		  -scheme "https" \
++		  -url "/test5.html" \
++		  -hdr "content-length" "0," \
++		  -nostrend
++		rxrst
++	} -run
++
++	# sixth request is invalid and advertises an empty C-L, which results
++	# in a stream error.
++	stream 11 {
++		barrier b6 sync
++		txreq \
++		  -req "GET" \
++		  -scheme "https" \
++		  -url "/test6.html" \
++		  -hdr "content-length" "" \
++		  -nostrend
++		rxrst
++	} -run
  } -run
  # HEAD requests : don't work well yet
@@ -263,4 +297,30 @@ client c3h2 -connect ${h1_feh2_sock} {
  		txdata -data "this is sent and ignored"
  		rxrst
  	} -run
++
++	# fifth request is invalid and advertises invalid C-L ending with an
++        # empty value, which results in a stream error.
++	stream 9 {
++		barrier b5 sync
++		txreq \
++		  -req "POST" \
++		  -scheme "https" \
++		  -url "/test25.html" \
++		  -hdr "content-length" "0," \
++		  -nostrend
++		rxrst
++	} -run
++
++	# sixth request is invalid and advertises an empty C-L, which results
++	# in a stream error.
++	stream 11 {
++		barrier b6 sync
++		txreq \
++		  -req "POST" \
++		  -scheme "https" \
++		  -url "/test26.html" \
++		  -hdr "content-length" "" \
++		  -nostrend
++		rxrst
++	} -run
  } -run
 diff --git a/reg-tests/http-rules/h1or2_to_h1c.vtc b/reg-tests/http-rules/h1or2_to_h1c.vtc
 index 81b53e7..7490172 100644
 --- a/reg-tests/http-rules/h1or2_to_h1c.vtc
 +++ b/reg-tests/http-rules/h1or2_to_h1c.vtc
@@ -27,11 +27,11 @@ server s1 {
  	  -body "This is a body"
  	expect req.method == "GET"
--	expect req.http.fe-sl1-crc == 992395575
--	expect req.http.fe-sl2-crc == 1270056220
++	expect req.http.fe-sl1-crc == 1874847043
++	expect req.http.fe-sl2-crc == 1142278307
  	expect req.http.fe-hdr-crc == 1719311923
--	expect req.http.be-sl1-crc == 2604236007
--	expect req.http.be-sl2-crc == 4181358964
++	expect req.http.be-sl1-crc == 3455320059
++	expect req.http.be-sl2-crc == 2509326257
  	expect req.http.be-hdr-crc == 3634102538
  } -repeat 2 -start
@@ -53,6 +53,7 @@ haproxy h1 -conf {
  	http-request set-var(req.path)       path
  	http-request set-var(req.query)      query
  	http-request set-var(req.param)      url_param(qs_arg)
++	http-request set-var(req.cl)         req.fhdr(content-length)
  	http-request set-header     sl1      "sl1: "
@@ -65,8 +66,10 @@ haproxy h1 -conf {
  	http-request set-header     sl1      "%[req.fhdr(sl1)] method=<%[var(req.method)]>; uri=<%[var(req.uri)]>; path=<%[var(req.path)]>;"
  	http-request set-header     sl1      "%[req.fhdr(sl1)] query=<%[var(req.query)]>; param=<%[var(req.param)]>"
++	http-request set-header     sl1      "%[req.fhdr(sl1)] cl=<%[var(req.cl)]>"
  	http-request set-header     sl2      "%[req.fhdr(sl2)] method=<%[method]>; uri=<%[url]>; path=<%[path]>; "
  	http-request set-header     sl2      "%[req.fhdr(sl2)] query=<%[query]>; param=<%[url_param(qs_arg)]>"
++	http-request set-header     sl2      "%[req.fhdr(sl2)] cl=<%[req.fhdr(content-length)]>"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr1=<%[req.hdr(hdr1)]>; fhdr1=<%[req.fhdr(hdr1)]>;"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr2=<%[req.hdr(hdr2)]>; fhdr2=<%[req.fhdr(hdr2)]>;"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr3=<%[req.hdr(hdr3)]>; fhdr3=<%[req.fhdr(hdr3)]>;"
@@ -120,6 +123,7 @@ haproxy h1 -conf {
  	http-request set-var(req.path)       path
  	http-request set-var(req.query)      query
  	http-request set-var(req.param)      url_param(qs_arg)
++	http-request set-var(req.cl)         req.fhdr(content-length)
  	http-request set-header     sl1      "sl1: "
@@ -132,8 +136,10 @@ haproxy h1 -conf {
  	http-request set-header     sl1      "%[req.fhdr(sl1)] method=<%[var(req.method)]>; uri=<%[var(req.uri)]>; path=<%[var(req.path)]>;"
  	http-request set-header     sl1      "%[req.fhdr(sl1)] query=<%[var(req.query)]>; param=<%[var(req.param)]>"
++	http-request set-header     sl1      "%[req.fhdr(sl1)] cl=<%[var(req.cl)]>"
  	http-request set-header     sl2      "%[req.fhdr(sl2)] method=<%[method]>; uri=<%[url]>; path=<%[path]>; "
  	http-request set-header     sl2      "%[req.fhdr(sl2)] query=<%[query]>; param=<%[url_param(qs_arg)]>"
++	http-request set-header     sl2      "%[req.fhdr(sl2)] cl=<%[req.fhdr(content-length)]>"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr1=<%[req.hdr(hdr1)]>; fhdr1=<%[req.fhdr(hdr1)]>;"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr2=<%[req.hdr(hdr2)]>; fhdr2=<%[req.fhdr(hdr2)]>;"
  	http-request set-header     hdr      "%[req.fhdr(hdr)] hdr3=<%[req.hdr(hdr3)]>; fhdr3=<%[req.fhdr(hdr3)]>;"
@@ -171,6 +177,7 @@ client c1h1 -connect ${h1_feh1_sock} {
  	txreq \
  	  -req GET \
  	  -url /path/to/file.extension?qs_arg=qs_value \
++	  -hdr "content-length: 000, 00" \
  	  -hdr "hdr1: val1" \
  	  -hdr "hdr2:  val2a" \
  	  -hdr "hdr2:    val2b" \
@@ -205,6 +212,7 @@ client c1h2 -connect ${h1_feh2_sock} {
  		  -req GET \
  		  -scheme "https" \
  		  -url /path/to/file.extension?qs_arg=qs_value \
++		  -hdr "content-length" "000, 00" \
  		  -hdr "hdr1" "val1" \
  		  -hdr "hdr2" " val2a" \
  		  -hdr "hdr2" "   val2b" \
 diff --git a/reg-tests/http-rules/normalize_uri.vtc b/reg-tests/http-rules/normalize_uri.vtc
 index 6a1dc31..a144075 100644
 --- a/reg-tests/http-rules/normalize_uri.vtc
 +++ b/reg-tests/http-rules/normalize_uri.vtc
@@ -127,6 +127,7 @@ haproxy h1 -conf {
      frontend fe_fragment_strip
          bind "fd@${fe_fragment_strip}"
++        option accept-invalid-http-request
          http-request set-var(txn.before) url
          http-request normalize-uri fragment-strip
@@ -139,6 +140,7 @@ haproxy h1 -conf {
      frontend fe_fragment_encode
          bind "fd@${fe_fragment_encode}"
++        option accept-invalid-http-request
          http-request set-var(txn.before) url
          http-request normalize-uri fragment-encode
@@ -149,6 +151,11 @@ haproxy h1 -conf {
          default_backend be
++    frontend fe_fragment_block
++        bind "fd@${fe_fragment_block}"
++        http-request normalize-uri fragment-strip
++        default_backend be
++
      backend be
          server s1 ${s1_addr}:${s1_port}
@@ -534,3 +541,9 @@ client c10 -connect ${h1_fe_fragment_encode_sock} {
      expect resp.http.before == "*"
      expect resp.http.after == "*"
  } -run
++
++client c11 -connect ${h1_fe_fragment_block_sock} {
++    txreq -url "/#foo"
++    rxresp
++    expect resp.status == 400
++} -run
 diff --git a/reg-tests/log/log_uri.vtc b/reg-tests/log/log_uri.vtc
 index b5a5753..60b0bdb 100644
 --- a/reg-tests/log/log_uri.vtc
 +++ b/reg-tests/log/log_uri.vtc
@@ -5,7 +5,7 @@ feature ignore_unknown_macro
  server s1 {
      rxreq
--    txresp
++    txresp  -hdr "Connection: close"
  } -repeat 4 -start
  syslog Slg_1 -level info {
 diff --git a/scripts/build-ssl.sh b/scripts/build-ssl.sh
 index e1d89a0..4934a4e 100755
 --- a/scripts/build-ssl.sh
 +++ b/scripts/build-ssl.sh
@@ -59,7 +59,7 @@ build_openssl () {
  download_libressl () {
      if [ ! -f "download-cache/libressl-${LIBRESSL_VERSION}.tar.gz" ]; then
          wget -P download-cache/ \
--	    "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz"
++	    "https://cdn.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${LIBRESSL_VERSION}.tar.gz"
      fi
+ }
 diff --git a/scripts/publish-release b/scripts/publish-release
 index 3cf32d8..9066d4a 100755
 --- a/scripts/publish-release
 +++ b/scripts/publish-release
@@ -22,6 +22,9 @@ NEW=
  DIR=
  DOC=( )
++# need to have group write on emitted files for others to update
++umask 002
++
  die() {
  	[ "$#" -eq 0 ] || echo "$*" >&2
  	exit 1
 diff --git a/src/backend.c b/src/backend.c
 index 64780e4..c6b5f23 100644
 --- a/src/backend.c
 +++ b/src/backend.c
@@ -590,8 +590,6 @@ int assign_server(struct stream *s)
  	struct server *srv = NULL, *prev_srv;
  	int err;
--	DPRINTF(stderr,"assign_server : s=%p\n",s);
--
  	err = SRV_STATUS_INTERNAL;
  	if (unlikely(s->pend_pos || s->flags & SF_ASSIGNED))
  		goto out_err;
 diff --git a/src/cache.c b/src/cache.c
 index ecf62fb..30e0b7d 100644
 --- a/src/cache.c
 +++ b/src/cache.c
@@ -1083,7 +1083,7 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
  	http_check_response_for_cacheability(s, &s->res);
--	if (!(txn->flags & TX_CACHEABLE) || !(txn->flags & TX_CACHE_COOK) || (txn->flags & TX_CACHE_IGNORE))
++	if (!(txn->flags & TX_CACHEABLE) || !(txn->flags & TX_CACHE_COOK))
  		goto out;
  	shctx_lock(shctx);
@@ -1776,8 +1776,10 @@ enum act_return http_action_req_cache_use(struct act_rule *rule, struct proxy *p
  	shctx_lock(shctx_ptr(cache));
  	res = entry_exist(cache, s->txn->cache_hash);
--	/* We must not use an entry that is not complete. */
--	if (res && res->complete) {
++	/* We must not use an entry that is not complete but the check will be
++	 * performed after we look for a potential secondary entry (in case of
++	 * Vary). */
++	if (res) {
  		struct appctx *appctx;
  		entry_block = block_ptr(res);
  		shctx_row_inc_hot(shctx_ptr(cache), entry_block);
@@ -1804,9 +1806,11 @@ enum act_return http_action_req_cache_use(struct act_rule *rule, struct proxy *p
  				res = NULL;
+ 		}
--		/* We looked for a valid secondary entry and could not find one,
--		 * the request must be forwarded to the server. */
--		if (!res) {
++		/* We either looked for a valid secondary entry and could not
++		 * find one, or the entry we want to use is not complete. We
++		 * can't use the cache's entry and must forward the request to
++		 * the server. */
++		if (!res || !res->complete) {
  			shctx_lock(shctx_ptr(cache));
  			shctx_row_dec_hot(shctx_ptr(cache), entry_block);
  			shctx_unlock(shctx_ptr(cache));
 diff --git a/src/cfgparse-tcp.c b/src/cfgparse-tcp.c
 index a15a110..e91e7a3 100644
 --- a/src/cfgparse-tcp.c
 +++ b/src/cfgparse-tcp.c
@@ -165,6 +165,7 @@ static int bind_parse_interface(char **args, int cur_arg, struct proxy *px, stru
  		return ERR_ALERT | ERR_FATAL;
+ 	}
++	ha_free(&conf->settings.interface);
  	conf->settings.interface = strdup(args[cur_arg + 1]);
  	return 0;
+ }
 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index 27bab1d..01014c0 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -69,6 +69,7 @@
  #include <haproxy/mailers.h>
  #include <haproxy/namespace.h>
  #include <haproxy/obj_type-t.h>
++#include <haproxy/openssl-compat.h>
  #include <haproxy/peers-t.h>
  #include <haproxy/peers.h>
  #include <haproxy/pool.h>
@@ -2650,9 +2651,6 @@ int check_config_validity()
  	 * Now, check for the integrity of all that we have collected.
  	 */
--	/* will be needed further to delay some tasks */
--	tv_update_date(0,1);
--
  	if (!global.tune.max_http_hdr)
  		global.tune.max_http_hdr = MAX_HTTP_HDR;
@@ -2679,6 +2677,12 @@ int check_config_validity()
  #endif
  			global.nbthread = numa_cores ? numa_cores :
  			                               thread_cpus_enabled_at_boot;
++
++			if (global.nbthread > MAX_THREADS) {
++				ha_diag_warning("nbthread not set, found %d CPUs, limiting to %d threads. Please set nbthreads in the global section to silence this warning.\n",
++					   global.nbthread, MAX_THREADS);
++				global.nbthread = MAX_THREADS;
++			}
+ 		}
  		all_threads_mask = nbits(global.nbthread);
  #endif
 diff --git a/src/channel.c b/src/channel.c
 index 524d104..94dfbcf 100644
 --- a/src/channel.c
 +++ b/src/channel.c
@@ -398,7 +398,7 @@ int co_getblk(const struct channel *chn, char *blk, int len, int offset)
  	if (chn->flags & CF_SHUTW)
  		return -1;
--	if (len + offset > co_data(chn)) {
++	if (len + offset > co_data(chn) || co_data(chn) == 0) {
  		if (chn->flags & (CF_SHUTW|CF_SHUTW_NOW))
  			return -1;
  		return 0;
 diff --git a/src/check.c b/src/check.c
 index 2205063..54704bd 100644
 --- a/src/check.c
 +++ b/src/check.c
@@ -1356,6 +1356,7 @@ static int start_check_task(struct check *check, int mininter,
+ {
  	struct task *t;
  	unsigned long thread_mask = MAX_THREADS_MASK;
++	ulong boottime = tv_ms_remain(&start_date, &ready_date);
  	if (check->type == PR_O2_EXT_CHK)
  		thread_mask = 1;
@@ -1374,11 +1375,19 @@ static int start_check_task(struct check *check, int mininter,
  	if (mininter < srv_getinter(check))
  		mininter = srv_getinter(check);
++	if (global.spread_checks > 0) {
++		int rnd;
++
++		rnd  = srv_getinter(check) * global.spread_checks / 100;
++		rnd -= (int) (2 * rnd * (ha_random32() / 4294967295.0));
++		mininter += rnd;
++	}
++
  	if (global.max_spread_checks && mininter > global.max_spread_checks)
  		mininter = global.max_spread_checks;
  	/* check this every ms */
--	t->expire = tick_add(now_ms, MS_TO_TICKS(mininter * srvpos / nbcheck));
++	t->expire = tick_add(now_ms, MS_TO_TICKS(boottime + mininter * srvpos / nbcheck));
  	check->start = now;
  	task_queue(t);
 diff --git a/src/chunk.c b/src/chunk.c
 index 5c720c1..abc039d 100644
 --- a/src/chunk.c
 +++ b/src/chunk.c
@@ -152,15 +152,19 @@ int chunk_printf(struct buffer *chk, const char *fmt, ...)
  int chunk_appendf(struct buffer *chk, const char *fmt, ...)
+ {
  	va_list argp;
++	size_t room;
  	int ret;
  	if (!chk->area || !chk->size)
  		return 0;
++	room = chk->size - chk->data;
++	if (!room)
++		return chk->data;
++
  	va_start(argp, fmt);
--	ret = vsnprintf(chk->area + chk->data, chk->size - chk->data, fmt,
--			argp);
--	if (ret >= chk->size - chk->data)
++	ret = vsnprintf(chk->area + chk->data, room, fmt, argp);
++	if (ret >= room)
  		/* do not copy anything in case of truncation */
  		chk->area[chk->data] = 0;
  	else
 diff --git a/src/debug.c b/src/debug.c
 index f9eccad..6582381 100644
 --- a/src/debug.c
 +++ b/src/debug.c
@@ -272,9 +272,10 @@ void ha_task_dump(struct buffer *buf, const struct task *task, const char *pfx)
  	if (hlua && hlua->T) {
  		chunk_appendf(buf, "stack traceback:\n    ");
  		append_prefixed_str(buf, hlua_traceback(hlua->T, "\n    "), pfx, '\n', 0);
--		b_putchr(buf, '\n');
+ 	}
--	else
++
++	/* we may need to terminate the current line */
++	if (*b_peek(buf, b_data(buf)-1) != '\n')
  		b_putchr(buf, '\n');
  #endif
+ }
@@ -1037,7 +1038,27 @@ static int debug_iohandler_fd(struct appctx *appctx)
  				      S_ISLNK(statbuf.st_mode)  ? "link":
  				      S_ISSOCK(statbuf.st_mode) ? "sock":
  #ifdef USE_EPOLL
--				      epoll_wait(fd, NULL, 0, 0) != -1 || errno != EBADF ? "epol":
++				      /* trick: epoll_ctl() will return -ENOENT when trying
++				       * to remove from a valid epoll FD an FD that was not
++				       * registered against it. But we don't want to risk
++				       * disabling a random FD. Instead we'll create a new
++				       * one by duplicating 0 (it should be valid since
++				       * pointing to a terminal or /dev/null), and try to
++				       * remove it.
++				       */
++				      ({
++					      int fd2 = dup(0);
++					      int ret = fd2;
++					      if (ret >= 0) {
++						      ret = epoll_ctl(fd, EPOLL_CTL_DEL, fd2, NULL);
++						      if (ret == -1 && errno == ENOENT)
++							      ret = 0; // that's a real epoll
++						      else
++							      ret = -1; // it's something else
++						      close(fd2);
++					      }
++					      ret;
++				      }) == 0 ? "epol" :
  #endif
  				      "????",
  				      (uint)statbuf.st_mode & 07777,
 diff --git a/src/dns.c b/src/dns.c
 index c4b2af0..3277f40 100644
 --- a/src/dns.c
 +++ b/src/dns.c
@@ -656,30 +656,35 @@ read:
  			struct dns_query *query;
  			if (!ds->rx_msg.len) {
--				/* next message len is not fully available into the channel */
--				if (co_data(si_oc(si)) < 2)
--					break;
--
  				/* retrieve message len */
--				co_getblk(si_oc(si), (char *)&msg_len, 2, 0);
++				ret = co_getblk(si_oc(si), (char *)&msg_len, 2, 0);
++				if (ret <= 0) {
++					if (ret == -1)
++						goto close;
++					si_cant_get(si);
++					break;
++				}
  				/* mark as consumed */
  				co_skip(si_oc(si), 2);
  				/* store message len */
  				ds->rx_msg.len = ntohs(msg_len);
--			}
--
--			if (!co_data(si_oc(si))) {
--				/* we need more data but nothing is available */
--				break;
++				if (!ds->rx_msg.len)
++					continue;
+ 			}
  			if (co_data(si_oc(si)) + ds->rx_msg.offset < ds->rx_msg.len) {
  				/* message only partially available */
  				/* read available data */
--				co_getblk(si_oc(si), ds->rx_msg.area + ds->rx_msg.offset, co_data(si_oc(si)), 0);
++				ret = co_getblk(si_oc(si), ds->rx_msg.area + ds->rx_msg.offset, co_data(si_oc(si)), 0);
++				if (ret <= 0) {
++					if (ret == -1)
++						goto close;
++					si_cant_get(si);
++					break;
++				}
  				/* update message offset */
  				ds->rx_msg.offset += co_data(si_oc(si));
@@ -688,13 +693,20 @@ read:
  				co_skip(si_oc(si), co_data(si_oc(si)));
  				/* we need to wait for more data */
++				si_cant_get(si);
  				break;
+ 			}
  			/* enough data is available into the channel to read the message until the end */
  			/* read from the channel until the end of the message */
--			co_getblk(si_oc(si), ds->rx_msg.area + ds->rx_msg.offset, ds->rx_msg.len - ds->rx_msg.offset, 0);
++			ret = co_getblk(si_oc(si), ds->rx_msg.area + ds->rx_msg.offset, ds->rx_msg.len - ds->rx_msg.offset, 0);
++			if (ret <= 0) {
++				if (ret == -1)
++					goto close;
++				si_cant_get(si);
++				break;
++			}
  			/* consume all data until the end of the message from the channel */
  			co_skip(si_oc(si), ds->rx_msg.len - ds->rx_msg.offset);
 diff --git a/src/filters.c b/src/filters.c
 index f64c192..be2b380 100644
 --- a/src/filters.c
 +++ b/src/filters.c
@@ -292,10 +292,9 @@ flt_init_all()
  	int err_code = ERR_NONE;
  	for (px = proxies_list; px; px = px->next) {
--		if (px->disabled) {
--			flt_deinit(px);
++		if (px->disabled)
  			continue;
--		}
++
  		err_code |= flt_init(px);
  		if (err_code & (ERR_ABORT|ERR_FATAL)) {
  			ha_alert("Failed to initialize filters for proxy '%s'.\n",
 diff --git a/src/flt_spoe.c b/src/flt_spoe.c
 index 4826aa0..ff90043 100644
 --- a/src/flt_spoe.c
 +++ b/src/flt_spoe.c
@@ -1245,6 +1245,7 @@ spoe_release_appctx(struct appctx *appctx)
  		if (appctx->st0 == SPOE_APPCTX_ST_IDLE) {
  			eb32_delete(&spoe_appctx->node);
  			_HA_ATOMIC_DEC(&agent->counters.idles);
++			agent->rt[tid].idles--;
+ 		}
  		appctx->st0 = SPOE_APPCTX_ST_END;
@@ -1458,6 +1459,7 @@ spoe_handle_connecting_appctx(struct appctx *appctx)
  		default:
  			_HA_ATOMIC_INC(&agent->counters.idles);
++			agent->rt[tid].idles++;
  			appctx->st0 = SPOE_APPCTX_ST_IDLE;
  			SPOE_APPCTX(appctx)->node.key = 0;
  			eb32_insert(&agent->rt[tid].idle_applets, &SPOE_APPCTX(appctx)->node);
@@ -1700,12 +1702,6 @@ spoe_handle_processing_appctx(struct appctx *appctx)
  		      (agent->b.be->nbpend ||
  		       (srv && (srv->nbpend || (srv->maxconn && srv->served >= srv_dynamic_maxconn(srv))))));
--	/* Don"t try to send new frame we are waiting for at lease a ack, in
--	 * sync mode or if applet must be closed ASAP
--	 */
--	if (appctx->st0 == SPOE_APPCTX_ST_WAITING_SYNC_ACK || (close_asap && SPOE_APPCTX(appctx)->cur_fpa))
--		skip_sending = 1;
--
  	/* receiving_frame loop */
  	while (!skip_receiving) {
  		ret = spoe_handle_receiving_frame_appctx(appctx, &skip_receiving);
@@ -1726,6 +1722,12 @@ spoe_handle_processing_appctx(struct appctx *appctx)
+ 		}
+ 	}
++	/* Don"t try to send new frame we are waiting for at lease a ack, in
++	 * sync mode or if applet must be closed ASAP
++	 */
++	if (appctx->st0 == SPOE_APPCTX_ST_WAITING_SYNC_ACK || (close_asap && SPOE_APPCTX(appctx)->cur_fpa))
++		skip_sending = 1;
++
  	/* send_frame loop */
  	while (!skip_sending && SPOE_APPCTX(appctx)->cur_fpa < agent->max_fpa) {
  		ret = spoe_handle_sending_frame_appctx(appctx, &skip_sending);
@@ -1772,6 +1774,7 @@ spoe_handle_processing_appctx(struct appctx *appctx)
  			goto next;
+ 		}
  		_HA_ATOMIC_INC(&agent->counters.idles);
++		agent->rt[tid].idles++;
  		appctx->st0 = SPOE_APPCTX_ST_IDLE;
  		eb32_insert(&agent->rt[tid].idle_applets, &SPOE_APPCTX(appctx)->node);
+ 	}
@@ -1937,6 +1940,7 @@ spoe_handle_appctx(struct appctx *appctx)
  		case SPOE_APPCTX_ST_IDLE:
  			_HA_ATOMIC_DEC(&agent->counters.idles);
++			agent->rt[tid].idles--;
  			eb32_delete(&SPOE_APPCTX(appctx)->node);
  			if (stopping &&
  			    LIST_ISEMPTY(&agent->rt[tid].sending_queue) &&
@@ -2078,8 +2082,8 @@ spoe_queue_context(struct spoe_context *ctx)
  	struct spoe_appctx *spoe_appctx;
  	/* Check if we need to create a new SPOE applet or not. */
--	if (!eb_is_empty(&agent->rt[tid].idle_applets) &&
--	    (agent->rt[tid].processing == 1 || agent->rt[tid].processing < read_freq_ctr(&agent->rt[tid].processing_per_sec)))
++	if (agent->rt[tid].processing < agent->rt[tid].idles  ||
++	    agent->rt[tid].processing < read_freq_ctr(&agent->rt[tid].processing_per_sec))
  		goto end;
  	SPOE_PRINTF(stderr, "%d.%06d [SPOE/%-15s] %s: stream=%p"
@@ -2995,6 +2999,14 @@ spoe_sig_stop(struct sig_handler *sh)
  	while (p) {
  		struct flt_conf *fconf;
++		/* SPOE filter are not initialized for disabled proxoes. Move to
++		 * the next one
++		 */
++		if (p->disabled) {
++			p = p->next;
++			continue;
++		}
++
  		list_for_each_entry(fconf, &p->filter_configs, list) {
  			struct spoe_config *conf;
  			struct spoe_agent  *agent;
@@ -3036,7 +3048,6 @@ spoe_init(struct proxy *px, struct flt_conf *fconf)
          conf->agent_fe.accept = frontend_accept;
          conf->agent_fe.srv = NULL;
          conf->agent_fe.timeout.client = TICK_ETERNITY;
--	conf->agent_fe.default_target = &spoe_applet.obj_type;
  	conf->agent_fe.fe_req_ana = AN_REQ_SWITCHING_RULES;
  	if (!sighandler_registered) {
@@ -3128,6 +3139,7 @@ spoe_check(struct proxy *px, struct flt_conf *fconf)
  		conf->agent->rt[i].engine_id    = NULL;
  		conf->agent->rt[i].frame_size   = conf->agent->max_frame_size;
  		conf->agent->rt[i].processing   = 0;
++		conf->agent->rt[i].idles        = 0;
  		LIST_INIT(&conf->agent->rt[i].applets);
  		LIST_INIT(&conf->agent->rt[i].sending_queue);
  		LIST_INIT(&conf->agent->rt[i].waiting_queue);
 diff --git a/src/h1.c b/src/h1.c
 index 73de48b..42fe670 100644
 --- a/src/h1.c
 +++ b/src/h1.c
@@ -34,13 +34,20 @@ int h1_parse_cont_len_header(struct h1m *h1m, struct ist *value)
  	int not_first = !!(h1m->flags & H1_MF_CLEN);
  	struct ist word;
--	word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
++	word.ptr = value->ptr;
  	e = value->ptr + value->len;
--	while (++word.ptr < e) {
++	while (1) {
++		if (word.ptr >= e) {
++			/* empty header or empty value */
++			goto fail;
++		}
++
  		/* skip leading delimiter and blanks */
--		if (unlikely(HTTP_IS_LWS(*word.ptr)))
++		if (unlikely(HTTP_IS_LWS(*word.ptr))) {
++			word.ptr++;
  			continue;
++		}
  		/* digits only now */
  		for (cl = 0, n = word.ptr; n < e; n++) {
@@ -51,6 +58,14 @@ int h1_parse_cont_len_header(struct h1m *h1m, struct ist *value)
  					goto fail;
  				break;
+ 			}
++
++			if (unlikely(!cl && n > word.ptr)) {
++				/* There was a leading zero before this digit,
++				 * let's trim it.
++				 */
++				word.ptr = n;
++			}
++
  			if (unlikely(cl > ULLONG_MAX / 10ULL))
  				goto fail; /* multiply overflow */
  			cl = cl * 10ULL;
@@ -79,6 +94,13 @@ int h1_parse_cont_len_header(struct h1m *h1m, struct ist *value)
  		h1m->flags |= H1_MF_CLEN;
  		h1m->curr_len = h1m->body_len = cl;
  		*value = word;
++
++		/* Now either n==e and we're done, or n points to the comma,
++		 * and we skip it and continue.
++		 */
++		if (n++ == e)
++			break;
++
  		word.ptr = n;
+ 	}
  	/* here we've reached the end with a single value or a series of
@@ -466,13 +488,13 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
  	case H1_MSG_RQURI:
  	http_msg_rquri:
  #ifdef HA_UNALIGNED_LE
--		/* speedup: skip bytes not between 0x21 and 0x7e inclusive */
++		/* speedup: skip bytes not between 0x24 and 0x7e inclusive */
  		while (ptr <= end - sizeof(int)) {
--			int x = *(int *)ptr - 0x21212121;
++			int x = *(int *)ptr - 0x24242424;
  			if (x & 0x80808080)
  				break;
--			x -= 0x5e5e5e5e;
++			x -= 0x5b5b5b5b;
  			if (!(x & 0x80808080))
  				break;
@@ -484,8 +506,15 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
  			goto http_msg_ood;
+ 		}
  	http_msg_rquri2:
--		if (likely((unsigned char)(*ptr - 33) <= 93)) /* 33 to 126 included */
++		if (likely((unsigned char)(*ptr - 33) <= 93)) { /* 33 to 126 included */
++			if (*ptr == '#') {
++				if (h1m->err_pos < -1) /* PR_O2_REQBUG_OK not set */
++					goto invalid_char;
++				if (h1m->err_pos == -1) /* PR_O2_REQBUG_OK set: just log */
++					h1m->err_pos = ptr - start + skip;
++			}
  			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rquri2, http_msg_ood, state, H1_MSG_RQURI);
++		}
  		if (likely(HTTP_IS_SPHT(*ptr))) {
  			sl.rq.u.len = ptr - sl.rq.u.ptr;
 diff --git a/src/h1_htx.c b/src/h1_htx.c
 index 650acba..24769f0 100644
 --- a/src/h1_htx.c
 +++ b/src/h1_htx.c
@@ -259,7 +259,7 @@ static int h1_postparse_res_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx
  			else if (isteqi(hdrs[hdr].n, ist("location"))) {
  				code = 302;
  				status = ist("302");
--				reason = ist("Moved Temporarily");
++				reason = ist("Found");
+ 			}
+ 		}
  		if (!code) {
 diff --git a/src/h2.c b/src/h2.c
 index dd1f7d9..4da78c8 100644
 --- a/src/h2.c
 +++ b/src/h2.c
@@ -80,13 +80,20 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
  	int not_first = !!(*msgf & H2_MSGF_BODY_CL);
  	struct ist word;
--	word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
++	word.ptr = value->ptr;
  	e = value->ptr + value->len;
--	while (++word.ptr < e) {
++	while (1) {
++		if (word.ptr >= e) {
++			/* empty header or empty value */
++			goto fail;
++		}
++
  		/* skip leading delimiter and blanks */
--		if (unlikely(HTTP_IS_LWS(*word.ptr)))
++		if (unlikely(HTTP_IS_LWS(*word.ptr))) {
++			word.ptr++;
  			continue;
++		}
  		/* digits only now */
  		for (cl = 0, n = word.ptr; n < e; n++) {
@@ -97,6 +104,14 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
  					goto fail;
  				break;
+ 			}
++
++			if (unlikely(!cl && n > word.ptr)) {
++				/* There was a leading zero before this digit,
++				 * let's trim it.
++				 */
++				word.ptr = n;
++			}
++
  			if (unlikely(cl > ULLONG_MAX / 10ULL))
  				goto fail; /* multiply overflow */
  			cl = cl * 10ULL;
@@ -125,6 +140,13 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
  		*msgf |= H2_MSGF_BODY_CL;
  		*body_len = cl;
  		*value = word;
++
++		/* Now either n==e and we're done, or n points to the comma,
++		 * and we skip it and continue.
++		 */
++		if (n++ == e)
++			break;
++
  		word.ptr = n;
+ 	}
  	/* here we've reached the end with a single value or a series of
@@ -385,8 +407,12 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
+  *
   * The Cookie header will be reassembled at the end, and for this, the <list>
   * will be used to create a linked list, so its contents may be destroyed.
++ *
++ * When <relaxed> is non-nul, some non-dangerous checks will be ignored. This
++ * is in order to satisfy "option accept-invalid-http-request" for
++ * interoperability purposes.
   */
--int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len)
++int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, int relaxed)
+ {
  	struct ist phdr_val[H2_PHDR_NUM_ENTRIES];
  	uint32_t fields; /* bit mask of H2_PHDR_FND_* */
@@ -422,11 +448,18 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
+ 		}
  		/* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of
--		 * rejecting NUL, CR and LF characters.
++		 * rejecting NUL, CR and LF characters. For :path we reject all CTL
++		 * chars, spaces, and '#'.
  		 */
--		ctl = ist_find_ctl(list[idx].v);
--		if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl))
--			goto fail;
++		if (phdr == H2_PHDR_IDX_PATH && !relaxed) {
++			ctl = ist_find_range(list[idx].v, 0, '#');
++			if (unlikely(ctl) && http_path_has_forbidden_char(list[idx].v, ctl))
++				goto fail;
++		} else {
++			ctl = ist_find_ctl(list[idx].v);
++			if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl))
++				goto fail;
++		}
  		if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) {
  			/* insert a pseudo header by its index (in phdr) and value (in value) */
 diff --git a/src/haproxy.c b/src/haproxy.c
 index 2f85293..dd1130d 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -1479,6 +1479,7 @@ static void init(int argc, char **argv)
  	struct post_check_fct *pcf;
  	int ideal_maxconn;
++	setenv("HAPROXY_STARTUP_VERSION", HAPROXY_VERSION, 0);
  	global.mode = MODE_STARTING;
  	old_argv = copy_argv(argc, argv);
  	if (!old_argv) {
@@ -1958,7 +1959,19 @@ static void init(int argc, char **argv)
  	/* defaults sections are not needed anymore */
  	proxy_destroy_all_defaults();
++	/* update the ready date that will be used to count the startup time
++	 * during config checks (e.g. to schedule certain tasks if needed)
++	 */
++	gettimeofday(&date, NULL);
++	ready_date = date;
++
++	/* Note: global.nbthread will be initialized as part of this call */
  	err_code |= check_config_validity();
++
++	/* update the ready date to also account for the check time */
++	gettimeofday(&date, NULL);
++	ready_date = date;
++
  	for (px = proxies_list; px; px = px->next) {
  		struct server *srv;
  		struct post_proxy_check_fct *ppcf;
@@ -2481,6 +2494,18 @@ void deinit(void)
  		free_proxy(p0);
  	}/* end while(p) */
++
++	/* we don't need to free sink_proxies_list proxies since it is
++	 * already handled in sink_deinit()
++	 */
++	p = cfg_log_forward;
++	/* we need to manually clean cfg_log_forward proxy list */
++	while (p) {
++		p0 = p;
++		p = p->next;
++		free_proxy(p0);
++	}
++
  	while (ua) {
  		struct stat_scope *scope, *scopep;
@@ -3153,6 +3178,10 @@ int main(int argc, char **argv)
  				 global.maxsock);
+ 	}
++	/* update the ready date a last time to also account for final setup time */
++	gettimeofday(&date, NULL);
++	ready_date = date;
++
  	if (global.mode & (MODE_DAEMON | MODE_MWORKER | MODE_MWORKER_WAIT)) {
  		struct proxy *px;
  		struct peers *curpeers;
@@ -3219,7 +3248,7 @@ int main(int argc, char **argv)
  						if (child->relative_pid == relative_pid &&
  						    child->reloads == 0 && child->options & PROC_O_TYPE_WORKER &&
  						    child->pid == -1) {
--							child->timestamp = now.tv_sec;
++							child->timestamp = date.tv_sec;
  							child->pid = ret;
  							child->version = strdup(haproxy_version);
  							break;
 diff --git a/src/hlua.c b/src/hlua.c
 index aea338f..2716f84 100644
 --- a/src/hlua.c
 +++ b/src/hlua.c
@@ -146,7 +146,7 @@ lua_State *hlua_init_state(int thread_id);
  /* This function takes the Lua global lock. Keep this function's visibility
   * global so that it can appear in stack dumps and performance profiles!
   */
--void lua_take_global_lock()
++static inline void lua_take_global_lock()
+ {
  	HA_SPIN_LOCK(LUA_LOCK, &hlua_global_lock);
+ }
@@ -156,16 +156,44 @@ static inline void lua_drop_global_lock()
  	HA_SPIN_UNLOCK(LUA_LOCK, &hlua_global_lock);
+ }
++/* lua lock helpers: only lock when required
++ *
++ * state_id == 0: we're operating on the main lua stack (shared between
++ * os threads), so we need to acquire the main lock
++ *
++ * If the thread already owns the lock (_hlua_locked != 0), skip the lock
++ * attempt. This could happen if we run under protected lua environment.
++ * Not doing this could result in deadlocks because of nested locking
++ * attempts from the same thread
++ */
++static THREAD_LOCAL int _hlua_locked = 0;
++static inline void hlua_lock(struct hlua *hlua)
++{
++	if (hlua->state_id != 0)
++		return;
++	if (!_hlua_locked)
++		lua_take_global_lock();
++	_hlua_locked += 1;
++}
++static inline void hlua_unlock(struct hlua *hlua)
++{
++	if (hlua->state_id != 0)
++		return;
++	BUG_ON(_hlua_locked <= 0);
++	_hlua_locked--;
++	/* drop the lock once the lock count reaches 0 */
++	if (!_hlua_locked)
++		lua_drop_global_lock();
++}
++
  #define SET_SAFE_LJMP_L(__L, __HLUA) \
  	({ \
  		int ret; \
--		if ((__HLUA)->state_id == 0) \
--			lua_take_global_lock(); \
++		hlua_lock(__HLUA); \
  		if (setjmp(safe_ljmp_env) != 0) { \
  			lua_atpanic(__L, hlua_panic_safe); \
  			ret = 0; \
--			if ((__HLUA)->state_id == 0) \
--				lua_drop_global_lock(); \
++			hlua_unlock(__HLUA); \
  		} else { \
  			lua_atpanic(__L, hlua_panic_ljmp); \
  			ret = 1; \
@@ -179,8 +207,7 @@ static inline void lua_drop_global_lock()
  #define RESET_SAFE_LJMP_L(__L, __HLUA) \
  	do { \
  		lua_atpanic(__L, hlua_panic_safe); \
--		if ((__HLUA)->state_id == 0) \
--			lua_drop_global_lock(); \
++		hlua_unlock(__HLUA); \
  	} while(0)
  #define SET_SAFE_LJMP(__HLUA) \
@@ -351,7 +378,8 @@ static inline int fcn_ref_to_stack_id(struct hlua_function *fcn)
  /* Used to check an Lua function type in the stack. It creates and
   * returns a reference of the function. This function throws an
-- * error if the rgument is not a "function".
++ * error if the argument is not a "function".
++ * When no longer used, the ref must be released with hlua_unref()
   */
  __LJMP unsigned int hlua_checkfunction(lua_State *L, int argno)
+ {
@@ -363,14 +391,59 @@ __LJMP unsigned int hlua_checkfunction(lua_State *L, int argno)
  	return luaL_ref(L, LUA_REGISTRYINDEX);
+ }
--/* Return the string that is of the top of the stack. */
--const char *hlua_get_top_error_string(lua_State *L)
++/* Used to check an Lua table type in the stack. It creates and
++ * returns a reference of the table. This function throws an
++ * error if the argument is not a "table".
++ * When no longer used, the ref must be released with hlua_unref()
++ */
++__LJMP unsigned int hlua_checktable(lua_State *L, int argno)
++{
++	if (!lua_istable(L, argno)) {
++		const char *msg = lua_pushfstring(L, "table expected, got %s", luaL_typename(L, argno));
++		WILL_LJMP(luaL_argerror(L, argno, msg));
++	}
++	lua_pushvalue(L, argno);
++	return luaL_ref(L, LUA_REGISTRYINDEX);
++}
++
++/* Get a reference to the object that is at the top of the stack
++ * The referenced object will be popped from the stack
++ *
++ * The function returns the reference to the object which must
++ * be cleared using hlua_unref() when no longer used
++ */
++__LJMP int hlua_ref(lua_State *L)
++{
++	return MAY_LJMP(luaL_ref(L, LUA_REGISTRYINDEX));
++}
++
++/* Pushes a reference previously created using luaL_ref(L, LUA_REGISTRYINDEX)
++ * on <L> stack
++ * (ie: hlua_checkfunction(), hlua_checktable() or hlua_ref())
++ *
++ * When the reference is no longer used, it should be released by calling
++ * hlua_unref()
++ *
++ * <L> can be from any co-routine as long as it belongs to the same lua
++ * parent state that the one used to get the reference.
++ */
++void hlua_pushref(lua_State *L, int ref)
++{
++	lua_rawgeti(L, LUA_REGISTRYINDEX, ref);
++}
++
++/* Releases a reference previously created using luaL_ref(L, LUA_REGISTRYINDEX)
++ * (ie: hlua_checkfunction(), hlua_checktable() or hlua_ref())
++ *
++ * This will allow the reference to be reused and the referred object
++ * to be garbage collected.
++ *
++ * <L> can be from any co-routine as long as it belongs to the same lua
++ * parent state that the one used to get the reference.
++ */
++void hlua_unref(lua_State *L, int ref)
+ {
--	if (lua_gettop(L) < 1)
--		return "unknown error";
--	if (lua_type(L, -1) != LUA_TSTRING)
--		return "unknown error";
--	return lua_tostring(L, -1);
++	luaL_unref(L, LUA_REGISTRYINDEX, ref);
+ }
  __LJMP const char *hlua_traceback(lua_State *L, const char* sep)
@@ -1054,7 +1127,7 @@ static inline void hlua_sendlog(struct proxy *px, int level, const char *msg)
  /* This function just ensure that the yield will be always
   * returned with a timeout and permit to set some flags
   */
--__LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx,
++__LJMP void hlua_yieldk(lua_State *L, int nresults, lua_KContext ctx,
                          lua_KFunction k, int timeout, unsigned int flags)
+ {
  	struct hlua *hlua;
@@ -1084,21 +1157,12 @@ __LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx,
   * initialisation fails (example: out of memory error), the lua function
   * throws an error (longjmp).
+  *
-- * In some case (at least one), this function can be called from safe
-- * environment, so we must not initialise it. While the support of
-- * threads appear, the safe environment set a lock to ensure only one
-- * Lua execution at a time. If we initialize safe environment in another
-- * safe environment, we have a dead lock.
-- *
-- * set "already_safe" true if the context is initialized form safe
-- * Lua function.
-- *
   * This function manipulates two Lua stacks: the main and the thread. Only
   * the main stack can fail. The thread is not manipulated. This function
   * MUST NOT manipulate the created thread stack state, because it is not
   * protected against errors thrown by the thread stack.
   */
--int hlua_ctx_init(struct hlua *lua, int state_id, struct task *task, int already_safe)
++int hlua_ctx_init(struct hlua *lua, int state_id, struct task *task)
+ {
  	lua->Mref = LUA_REFNIL;
  	lua->flags = 0;
@@ -1106,30 +1170,26 @@ int hlua_ctx_init(struct hlua *lua, int state_id, struct task *task, int already
  	lua->wake_time = TICK_ETERNITY;
  	lua->state_id = state_id;
  	LIST_INIT(&lua->com);
--	if (!already_safe) {
--		if (!SET_SAFE_LJMP_PARENT(lua)) {
--			lua->Tref = LUA_REFNIL;
--			return 0;
--		}
++	if (!SET_SAFE_LJMP_PARENT(lua)) {
++		lua->Tref = LUA_REFNIL;
++		return 0;
+ 	}
  	lua->T = lua_newthread(hlua_states[state_id]);
  	if (!lua->T) {
  		lua->Tref = LUA_REFNIL;
--		if (!already_safe)
--			RESET_SAFE_LJMP_PARENT(lua);
++		RESET_SAFE_LJMP_PARENT(lua);
  		return 0;
+ 	}
  	hlua_sethlua(lua);
  	lua->Tref = luaL_ref(hlua_states[state_id], LUA_REGISTRYINDEX);
  	lua->task = task;
--	if (!already_safe)
--		RESET_SAFE_LJMP_PARENT(lua);
++	RESET_SAFE_LJMP_PARENT(lua);
  	return 1;
+ }
  /* Used to destroy the Lua coroutine when the attached stream or task
   * is destroyed. The destroy also the memory context. The struct "lua"
-- * is not freed.
++ * will be freed.
   */
  void hlua_ctx_destroy(struct hlua *lua)
+ {
@@ -1291,8 +1351,7 @@ static enum hlua_exec hlua_ctx_resume(struct hlua *lua, int yield_allowed)
  	/* Lock the whole Lua execution. This lock must be before the
  	 * label "resume_execution".
  	 */
--	if (lua->state_id == 0)
--		lua_take_global_lock();
++	hlua_lock(lua);
  resume_execution:
@@ -1439,8 +1498,7 @@ resume_execution:
+ 	}
  	/* This is the main exit point, remove the Lua lock. */
--	if (lua->state_id == 0)
--		lua_drop_global_lock();
++	hlua_unlock(lua);
  	return ret;
+ }
@@ -3770,7 +3828,9 @@ __LJMP static int hlua_applet_tcp_set_var(lua_State *L)
  	memset(&smp, 0, sizeof(smp));
  	hlua_lua2smp(L, 3, &smp);
--	/* Store the sample in a variable. */
++	/* Store the sample in a variable. We don't need to dup the smp, vars API
++	 * already takes care of duplicating dynamic var data.
++	 */
  	smp_set_owner(&smp, s->be, s->sess, s, 0);
  	if (lua_gettop(L) == 4 && lua_toboolean(L, 4))
@@ -4255,7 +4315,9 @@ __LJMP static int hlua_applet_http_set_var(lua_State *L)
  	memset(&smp, 0, sizeof(smp));
  	hlua_lua2smp(L, 3, &smp);
--	/* Store the sample in a variable. */
++	/* Store the sample in a variable. We don't need to dup the smp, vars API
++	 * already takes care of duplicating dynamic var data.
++	 */
  	smp_set_owner(&smp, s->be, s->sess, s, 0);
  	if (lua_gettop(L) == 4 && lua_toboolean(L, 4))
@@ -5350,7 +5412,9 @@ __LJMP static int hlua_set_var(lua_State *L)
  	memset(&smp, 0, sizeof(smp));
  	hlua_lua2smp(L, 3, &smp);
--	/* Store the sample in a variable. */
++	/* Store the sample in a variable. We don't need to dup the smp, vars API
++	 * already takes care of duplicating dynamic var data.
++	 */
  	smp_set_owner(&smp, htxn->p, htxn->s->sess, htxn->s, htxn->dir & SMP_OPT_DIR);
  	if (lua_gettop(L) == 4 && lua_toboolean(L, 4))
@@ -6373,6 +6437,11 @@ __LJMP static int hlua_register_init(lua_State *L)
  	MAY_LJMP(check_args(L, 1, "register_init"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_init: not available outside of body context"));
++	}
++
  	ref = MAY_LJMP(hlua_checkfunction(L, 1));
  	init = calloc(1, sizeof(*init));
@@ -6433,11 +6502,14 @@ static int hlua_register_task(lua_State *L)
  	task->context = hlua;
  	task->process = hlua_process_task;
--	if (!hlua_ctx_init(hlua, state_id, task, 1))
++	if (!hlua_ctx_init(hlua, state_id, task))
  		goto alloc_error;
  	/* Restore the function in the stack. */
  	lua_rawgeti(hlua->T, LUA_REGISTRYINDEX, ref);
++	/* function ref not needed anymore since it was pushed to the substack */
++	hlua_unref(L, ref);
++
  	hlua->nargs = 0;
  	/* Schedule task. */
@@ -6480,7 +6552,7 @@ static int hlua_sample_conv_wrapper(const struct arg *arg_p, struct sample *smp,
+ 		}
  		HLUA_INIT(hlua);
  		stream->hlua = hlua;
--		if (!hlua_ctx_init(stream->hlua, fcn_ref_to_stack_id(fcn), stream->task, 0)) {
++		if (!hlua_ctx_init(stream->hlua, fcn_ref_to_stack_id(fcn), stream->task)) {
  			SEND_ERR(stream->be, "Lua converter '%s': can't initialize Lua context.\n", fcn->name);
  			return 0;
+ 		}
@@ -6548,6 +6620,10 @@ static int hlua_sample_conv_wrapper(const struct arg *arg_p, struct sample *smp,
  		/* Convert the returned value in sample. */
  		hlua_lua2smp(stream->hlua->T, -1, smp);
++		/* dup the smp before popping the related lua value and
++		 * returning it to haproxy
++		 */
++		smp_dup(smp);
  		lua_pop(stream->hlua->T, 1);
  		return 1;
@@ -6617,7 +6693,7 @@ static int hlua_sample_fetch_wrapper(const struct arg *arg_p, struct sample *smp
+ 		}
  		hlua->T = NULL;
  		stream->hlua = hlua;
--		if (!hlua_ctx_init(stream->hlua, fcn_ref_to_stack_id(fcn), stream->task, 0)) {
++		if (!hlua_ctx_init(stream->hlua, fcn_ref_to_stack_id(fcn), stream->task)) {
  			SEND_ERR(stream->be, "Lua sample-fetch '%s': can't initialize Lua context.\n", fcn->name);
  			return 0;
+ 		}
@@ -6683,6 +6759,10 @@ static int hlua_sample_fetch_wrapper(const struct arg *arg_p, struct sample *smp
  		/* Convert the returned value in sample. */
  		hlua_lua2smp(stream->hlua->T, -1, smp);
++		/* dup the smp before popping the related lua value and
++		 * returning it to haproxy
++		 */
++		smp_dup(smp);
  		lua_pop(stream->hlua->T, 1);
  		/* Set the end of execution flag. */
@@ -6740,6 +6820,11 @@ __LJMP static int hlua_register_converters(lua_State *L)
  	MAY_LJMP(check_args(L, 2, "register_converters"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_converters: not available outside of body context"));
++	}
++
  	/* First argument : converter name. */
  	name = MAY_LJMP(luaL_checkstring(L, 1));
@@ -6819,6 +6904,11 @@ __LJMP static int hlua_register_fetches(lua_State *L)
  	MAY_LJMP(check_args(L, 2, "register_fetches"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_fetches: not available outside of body context"));
++	}
++
  	/* First argument : sample-fetch name. */
  	name = MAY_LJMP(luaL_checkstring(L, 1));
@@ -6945,7 +7035,7 @@ static enum act_return hlua_action(struct act_rule *rule, struct proxy *px,
+ 		}
  		HLUA_INIT(hlua);
  		s->hlua = hlua;
--		if (!hlua_ctx_init(s->hlua, fcn_ref_to_stack_id(rule->arg.hlua_rule->fcn), s->task, 0)) {
++		if (!hlua_ctx_init(s->hlua, fcn_ref_to_stack_id(rule->arg.hlua_rule->fcn), s->task)) {
  			SEND_ERR(px, "Lua action '%s': can't initialize Lua context.\n",
  			         rule->arg.hlua_rule->fcn->name);
  			goto end;
@@ -7130,7 +7220,7 @@ static int hlua_applet_tcp_init(struct appctx *ctx, struct proxy *px, struct str
  	 * permits to save performances because a systematic
  	 * Lua initialization cause 5% performances loss.
  	 */
--	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(ctx->rule->arg.hlua_rule->fcn), task, 0)) {
++	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(ctx->rule->arg.hlua_rule->fcn), task)) {
  		SEND_ERR(px, "Lua applet tcp '%s': can't initialize Lua context.\n",
  		         ctx->rule->arg.hlua_rule->fcn->name);
  		return 0;
@@ -7323,7 +7413,7 @@ static int hlua_applet_http_init(struct appctx *ctx, struct proxy *px, struct st
  	 * permits to save performances because a systematic
  	 * Lua initialization cause 5% performances loss.
  	 */
--	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(ctx->rule->arg.hlua_rule->fcn), task, 0)) {
++	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(ctx->rule->arg.hlua_rule->fcn), task)) {
  		SEND_ERR(px, "Lua applet http '%s': can't initialize Lua context.\n",
  		         ctx->rule->arg.hlua_rule->fcn->name);
  		return 0;
@@ -7666,6 +7756,11 @@ __LJMP static int hlua_register_action(lua_State *L)
  	if (lua_gettop(L) < 3 || lua_gettop(L) > 4)
  		WILL_LJMP(luaL_error(L, "'register_action' needs between 3 and 4 arguments"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_action: not available outside of body context"));
++	}
++
  	/* First argument : converter name. */
  	name = MAY_LJMP(luaL_checkstring(L, 1));
@@ -7832,6 +7927,11 @@ __LJMP static int hlua_register_service(lua_State *L)
  	MAY_LJMP(check_args(L, 3, "register_service"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_service: not available outside of body context"));
++	}
++
  	/* First argument : converter name. */
  	name = MAY_LJMP(luaL_checkstring(L, 1));
@@ -7949,7 +8049,7 @@ static int hlua_cli_parse_fct(char **args, char *payload, struct appctx *appctx,
  	appctx->ctx.hlua_cli.task->process = hlua_applet_wakeup;
  	/* Initialises the Lua context */
--	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(fcn), appctx->ctx.hlua_cli.task, 0)) {
++	if (!hlua_ctx_init(hlua, fcn_ref_to_stack_id(fcn), appctx->ctx.hlua_cli.task)) {
  		SEND_ERR(NULL, "Lua cli '%s': can't initialize Lua context.\n", fcn->name);
  		goto error;
+ 	}
@@ -8105,6 +8205,11 @@ __LJMP static int hlua_register_cli(lua_State *L)
  	MAY_LJMP(check_args(L, 3, "register_cli"));
++	if (hlua_gethlua(L)) {
++		/* runtime processing */
++		WILL_LJMP(luaL_error(L, "register_cli: not available outside of body context"));
++	}
++
  	/* First argument : an array of maximum 5 keywords. */
  	if (!lua_istable(L, 1))
  		WILL_LJMP(luaL_argerror(L, 1, "1st argument must be a table"));
@@ -8546,6 +8651,10 @@ int hlua_post_init_state(lua_State *L)
  	list_for_each_entry(init, &hlua_init_functions[hlua_state_id], l) {
  		lua_rawgeti(L, LUA_REGISTRYINDEX, init->function_ref);
++		/* function ref should be released right away since it was pushed
++		 * on the stack and will not be used anymore
++		 */
++		hlua_unref(L, init->function_ref);
  #if defined(LUA_VERSION_NUM) && LUA_VERSION_NUM >= 504
  		ret = lua_resume(L, L, 0, &nres);
@@ -8784,6 +8893,13 @@ lua_State *hlua_init_state(int thread_num)
  	/* Init main lua stack. */
  	L = lua_newstate(hlua_alloc, &hlua_global_allocator);
++	if (!L) {
++		fprintf(stderr,
++		        "Lua init: critical error: lua_newstate() returned NULL."
++		        " This may possibly be caused by a memory allocation error.\n");
++		exit(1);
++	}
++
  	/* Initialise Lua context to NULL */
  	context = lua_getextraspace(L);
  	*context = NULL;
 diff --git a/src/http.c b/src/http.c
 index c10b433..647f433 100644
 --- a/src/http.c
 +++ b/src/http.c
@@ -403,7 +403,7 @@ const char *http_get_reason(unsigned int status)
  	case 226: return "IM Used";
  	case 300: return "Multiple Choices";
  	case 301: return "Moved Permanently";
--	case 302: return "Moved Temporarily";
++	case 302: return "Found";
  	case 303: return "See Other";
  	case 304: return "Not Modified";
  	case 305: return "Use Proxy";
 diff --git a/src/http_ana.c b/src/http_ana.c
 index 2e2095b..b557da8 100644
 --- a/src/http_ana.c
 +++ b/src/http_ana.c
@@ -1390,6 +1390,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
  			if (objt_cs(s->si[1].end))
  				conn = __objt_cs(s->si[1].end)->conn;
++			if ((si_b->flags & SI_FL_L7_RETRY) &&
++			    (s->be->retry_type & PR_RE_DISCONNECTED) &&
++			    (!conn || conn->err_code != CO_ER_SSL_EARLY_FAILED)) {
++				if (co_data(rep) || do_l7_retry(s, si_b) == 0)
++					return 0;
++			}
++
  			/* Perform a L7 retry because server refuses the early data. */
  			if ((si_b->flags & SI_FL_L7_RETRY) &&
  			    (s->be->retry_type & PR_RE_EARLY_ERROR) &&
@@ -2693,10 +2700,11 @@ int http_replace_hdrs(struct stream* s, struct htx *htx, struct ist name,
  		     const char *str, struct my_regex *re, int full)
+ {
  	struct http_hdr_ctx ctx;
--	struct buffer *output = get_trash_chunk();
  	ctx.blk = NULL;
  	while (http_find_header(htx, name, &ctx, full)) {
++		struct buffer *output = get_trash_chunk();
++
  		if (!regex_exec_match2(re, ctx.value.ptr, ctx.value.len, MAX_MATCH, pmatch, 0))
  			continue;
@@ -3862,6 +3870,7 @@ void http_check_response_for_cacheability(struct stream *s, struct channel *res)
  	struct htx *htx;
  	int has_freshness_info = 0;
  	int has_validator = 0;
++	int has_null_maxage = 0;
  	if (txn->status < 200) {
  		/* do not try to cache interim responses! */
@@ -3886,10 +3895,16 @@ void http_check_response_for_cacheability(struct stream *s, struct channel *res)
  			txn->flags |= TX_CACHEABLE | TX_CACHE_COOK;
  			continue;
+ 		}
++		/* This max-age might be overridden by a s-maxage directive, do
++		 * not unset the TX_CACHEABLE yet. */
++		if (isteqi(ctx.value, ist("max-age=0"))) {
++			has_null_maxage = 1;
++			continue;
++		}
++
  		if (isteqi(ctx.value, ist("private")) ||
  		    isteqi(ctx.value, ist("no-cache")) ||
  		    isteqi(ctx.value, ist("no-store")) ||
--		    isteqi(ctx.value, ist("max-age=0")) ||
  		    isteqi(ctx.value, ist("s-maxage=0"))) {
  			txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;
  			continue;
@@ -3900,13 +3915,23 @@ void http_check_response_for_cacheability(struct stream *s, struct channel *res)
  			continue;
+ 		}
--		if (istmatchi(ctx.value, ist("s-maxage")) ||
--		    istmatchi(ctx.value, ist("max-age"))) {
++		if (istmatchi(ctx.value, ist("s-maxage"))) {
++			has_freshness_info = 1;
++			has_null_maxage = 0;	/* The null max-age is overridden, ignore it */
++			continue;
++		}
++		if (istmatchi(ctx.value, ist("max-age"))) {
  			has_freshness_info = 1;
  			continue;
+ 		}
+ 	}
++	/* We had a 'max-age=0' directive but no extra s-maxage, do not cache
++	 * the response. */
++	if (has_null_maxage) {
++		txn->flags &= ~TX_CACHEABLE & ~TX_CACHE_COOK;
++	}
++
  	/* If no freshness information could be found in Cache-Control values,
  	 * look for an Expires header. */
  	if (!has_freshness_info) {
@@ -3929,7 +3954,7 @@ void http_check_response_for_cacheability(struct stream *s, struct channel *res)
  	/* We won't store an entry that has neither a cache validator nor an
  	 * explicit expiration time, as suggested in RFC 7234#3. */
  	if (!has_freshness_info && !has_validator)
--		txn->flags |= TX_CACHE_IGNORE;
++		txn->flags &= ~TX_CACHEABLE;
+ }
  /*
 diff --git a/src/http_rules.c b/src/http_rules.c
 index 1b21133..52b77c6 100644
 --- a/src/http_rules.c
 +++ b/src/http_rules.c
@@ -301,6 +301,26 @@ struct act_rule *parse_http_after_res_cond(const char **args, const char *file,
  	return NULL;
+ }
++/* completely free redirect rule */
++void http_free_redirect_rule(struct redirect_rule *rdr)
++{
++	struct logformat_node *lf, *lfb;
++
++	if (rdr->cond) {
++		prune_acl_cond(rdr->cond);
++		free(rdr->cond);
++	}
++	free(rdr->rdr_str);
++	free(rdr->cookie_str);
++	list_for_each_entry_safe(lf, lfb, &rdr->rdr_fmt, list) {
++		LIST_DELETE(&lf->list);
++		release_sample_expr(lf->expr);
++		free(lf->arg);
++		free(lf);
++	}
++	free(rdr);
++}
++
  /* Parses a redirect rule. Returns the redirect rule on success or NULL on error,
   * with <err> filled with the error message. If <use_fmt> is not null, builds a
   * dynamic log-format rule instead of a static string. Parameter <dir> indicates
@@ -309,7 +329,7 @@ struct act_rule *parse_http_after_res_cond(const char **args, const char *file,
  struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, struct proxy *curproxy,
                                                 const char **args, char **errmsg, int use_fmt, int dir)
+ {
--	struct redirect_rule *rule;
++	struct redirect_rule *rule = NULL;
  	int cur_arg;
  	int type = REDIRECT_TYPE_NONE;
  	int code = 302;
@@ -370,7 +390,7 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
  				memprintf(errmsg,
  				          "'%s': unsupported HTTP code '%s' (must be one of 301, 302, 303, 307 or 308)",
  				          args[cur_arg - 1], args[cur_arg]);
--				return NULL;
++				goto err;
+ 			}
+ 		}
  		else if (strcmp(args[cur_arg], "drop-query") == 0) {
@@ -384,7 +404,7 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
  			cond = build_acl_cond(file, linenum, &curproxy->acl, curproxy, (const char **)args + cur_arg, errmsg);
  			if (!cond) {
  				memprintf(errmsg, "error in condition: %s", *errmsg);
--				return NULL;
++				goto err;
+ 			}
  			break;
+ 		}
@@ -392,32 +412,32 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
  			memprintf(errmsg,
  			          "expects 'code', 'prefix', 'location', 'scheme', 'set-cookie', 'clear-cookie', 'drop-query' or 'append-slash' (was '%s')",
  			          args[cur_arg]);
--			return NULL;
++			goto err;
+ 		}
  		cur_arg++;
+ 	}
  	if (type == REDIRECT_TYPE_NONE) {
  		memprintf(errmsg, "redirection type expected ('prefix', 'location', or 'scheme')");
--		return NULL;
++		goto err;
+ 	}
  	if (dir && type != REDIRECT_TYPE_LOCATION) {
  		memprintf(errmsg, "response only supports redirect type 'location'");
--		return NULL;
++		goto err;
+ 	}
  	rule = calloc(1, sizeof(*rule));
--	if (!rule) {
--		memprintf(errmsg, "parsing [%s:%d]: out of memory.", file, linenum);
--		return NULL;
--	}
++	if (!rule)
++		goto out_of_memory;
  	rule->cond = cond;
  	LIST_INIT(&rule->rdr_fmt);
  	if (!use_fmt) {
  		/* old-style static redirect rule */
  		rule->rdr_str = strdup(destination);
++		if (!rule->rdr_str)
++			goto out_of_memory;
  		rule->rdr_len = strlen(destination);
+ 	}
  	else {
@@ -435,7 +455,7 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
  			cap |= (dir ? SMP_VAL_BE_HRS_HDR : SMP_VAL_BE_HRQ_HDR);
  		if (!(type == REDIRECT_TYPE_PREFIX && destination[0] == '/' && destination[1] == '\0')) {
  			if (!parse_logformat_string(destination, curproxy, &rule->rdr_fmt, LOG_OPT_HTTP, cap, errmsg)) {
--				return  NULL;
++				goto err;
+ 			}
  			free(curproxy->conf.lfs_file);
  			curproxy->conf.lfs_file = strdup(curproxy->conf.args.file);
@@ -450,11 +470,15 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
  		rule->cookie_len = strlen(cookie);
  		if (cookie_set) {
  			rule->cookie_str = malloc(rule->cookie_len + 10);
++			if (!rule->cookie_str)
++				goto out_of_memory;
  			memcpy(rule->cookie_str, cookie, rule->cookie_len);
  			memcpy(rule->cookie_str + rule->cookie_len, "; path=/;", 10);
  			rule->cookie_len += 9;
  		} else {
  			rule->cookie_str = malloc(rule->cookie_len + 21);
++			if (!rule->cookie_str)
++				goto out_of_memory;
  			memcpy(rule->cookie_str, cookie, rule->cookie_len);
  			memcpy(rule->cookie_str + rule->cookie_len, "; path=/; Max-Age=0;", 21);
  			rule->cookie_len += 20;
@@ -468,6 +492,18 @@ struct redirect_rule *http_parse_redirect_rule(const char *file, int linenum, st
   missing_arg:
  	memprintf(errmsg, "missing argument for '%s'", args[cur_arg]);
++	goto err;
++ out_of_memory:
++	memprintf(errmsg, "parsing [%s:%d]: out of memory.", file, linenum);
++ err:
++	if (rule)
++		http_free_redirect_rule(rule);
++	else if (cond) {
++		/* rule not yet allocated, but cond already is */
++		prune_acl_cond(cond);
++		free(cond);
++	}
++
  	return NULL;
+ }
 diff --git a/src/listener.c b/src/listener.c
 index 67616f5..cd295e9 100644
 --- a/src/listener.c
 +++ b/src/listener.c
@@ -251,6 +251,7 @@ void listener_set_state(struct listener *l, enum li_state st)
  		case LI_LIMITED:
  			BUG_ON(l->rx.fd == -1);
  			_HA_ATOMIC_INC(&px->li_ready);
++			l->flags |= LI_F_FINALIZED;
  			break;
+ 		}
+ 	}
@@ -297,15 +298,15 @@ void enable_listener(struct listener *listener)
+ }
  /*
-- * This function completely stops a listener. It will need to operate under the
-- * It will need to operate under the proxy's lock and the protocol's lock.
-- * The caller is responsible for indicating in lpx, lpr whether the
-- * respective locks are already held (non-zero) or not (zero) so that the
-- * function picks the missing ones, in this order.
++ * This function completely stops a listener.
   * The proxy's listeners count is updated and the proxy is
   * disabled and woken up after the last one is gone.
++ * It will need to operate under the proxy's lock, the protocol's lock and
++ * the listener's lock. The caller is responsible for indicating in lpx,
++ * lpr, lli whether the respective locks are already held (non-zero) or
++ * not (zero) so that the function picks the missing ones, in this order.
   */
--void stop_listener(struct listener *l, int lpx, int lpr)
++void stop_listener(struct listener *l, int lpx, int lpr, int lli)
+ {
  	struct proxy *px = l->bind_conf->frontend;
@@ -316,13 +317,14 @@ void stop_listener(struct listener *l, int lpx, int lpr)
  		return;
+ 	}
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
  	if (!lpr)
  		HA_SPIN_LOCK(PROTO_LOCK, &proto_lock);
--	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
  	if (l->state > LI_INIT) {
  		do_unbind_listener(l);
@@ -330,15 +332,17 @@ void stop_listener(struct listener *l, int lpx, int lpr)
  		if (l->state >= LI_ASSIGNED)
  			__delete_listener(l);
--		proxy_cond_disable(px);
++		if (px)
++			proxy_cond_disable(px);
+ 	}
--	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
  	if (!lpr)
  		HA_SPIN_UNLOCK(PROTO_LOCK, &proto_lock);
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
+ }
@@ -359,19 +363,17 @@ void default_add_listener(struct protocol *proto, struct listener *listener)
  /* default function called to suspend a listener: it simply passes the call to
   * the underlying receiver. This is find for most socket-based protocols. This
-- * must be called under the listener's lock. It will return non-zero on success,
-- * 0 on failure. If no receiver-level suspend is provided, the operation is
-- * assumed to succeed.
++ * must be called under the listener's lock. It will return < 0 in case of
++ * failure, 0 if the listener was totally stopped, or > 0 if correctly paused..
++ * If no receiver-level suspend is provided, the operation is assumed
++ * to succeed.
   */
  int default_suspend_listener(struct listener *l)
+ {
--	int ret = 1;
--
  	if (!l->rx.proto->rx_suspend)
  		return 1;
--	ret = l->rx.proto->rx_suspend(&l->rx);
--	return ret > 0 ? ret : 0;
++	return l->rx.proto->rx_suspend(&l->rx);
+ }
@@ -389,8 +391,28 @@ int default_resume_listener(struct listener *l)
  	if (l->state == LI_ASSIGNED) {
  		char msg[100];
++		char *errmsg;
  		int err;
++		/* first, try to bind the receiver */
++		err = l->rx.proto->fam->bind(&l->rx, &errmsg);
++		if (err != ERR_NONE) {
++			if (err & ERR_WARN)
++				ha_warning("Resuming listener: %s\n", errmsg);
++			else if (err & ERR_ALERT)
++				ha_alert("Resuming listener: %s\n", errmsg);
++			ha_free(&errmsg);
++			if (err & (ERR_FATAL | ERR_ABORT)) {
++				ret = 0;
++				goto end;
++			}
++		}
++
++		/* then, try to listen:
++		 * for now there's still always a listening function
++		 * (same check performed in protocol_bind_all()
++		 */
++		BUG_ON(!l->rx.proto->listen);
  		err = l->rx.proto->listen(l, msg, sizeof(msg));
  		if (err & ERR_ALERT)
  			ha_alert("Resuming listener: %s\n", msg);
@@ -422,42 +444,66 @@ int default_resume_listener(struct listener *l)
   * closes upon SHUT_WR and refuses to rebind. So a common validation path
   * involves SHUT_WR && listen && SHUT_RD. In case of success, the FD's polling
   * is disabled. It normally returns non-zero, unless an error is reported.
-- * It will need to operate under the proxy's lock. The caller is
-- * responsible for indicating in lpx whether the proxy locks is
-- * already held (non-zero) or not (zero) so that the function picks it.
++ * suspend() may totally stop a listener if it doesn't support the PAUSED
++ * state, in which case state will be set to ASSIGNED.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
   */
--int pause_listener(struct listener *l, int lpx)
++int suspend_listener(struct listener *l, int lpx, int lli)
+ {
  	struct proxy *px = l->bind_conf->frontend;
  	int ret = 1;
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
--	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
  	if ((global.mode & (MODE_DAEMON | MODE_MWORKER)) &&
  	    !(proc_mask(l->rx.settings->bind_proc) & pid_bit))
  		goto end;
--	if (l->state <= LI_PAUSED)
++	if (!(l->flags & LI_F_FINALIZED) || l->state <= LI_PAUSED)
  		goto end;
--	if (l->rx.proto->suspend)
++	if (l->rx.proto->suspend) {
  		ret = l->rx.proto->suspend(l);
++		/* if the suspend() fails, we don't want to change the
++		 * current listener state
++		 */
++		if (ret < 0)
++			goto end;
++	}
  	MT_LIST_DELETE(&l->wait_queue);
--	listener_set_state(l, LI_PAUSED);
++	/* ret == 0 means that the suspend() has been turned into
++	 * an unbind(), meaning the listener is now stopped (ie: ABNS), we need
++	 * to report this state change properly
++	 */
++	listener_set_state(l, ((ret) ? LI_PAUSED : LI_ASSIGNED));
++
++	if (px && !(l->flags & LI_F_SUSPENDED))
++		px->li_suspended++;
++	l->flags |= LI_F_SUSPENDED;
++
++	/* at this point, everything is under control, no error should be
++	 * returned to calling function
++	 */
++	ret = 1;
  	if (px && !px->li_ready) {
  		ha_warning("Paused %s %s.\n", proxy_cap_str(px->cap), px->id);
  		send_log(px, LOG_WARNING, "Paused %s %s.\n", proxy_cap_str(px->cap), px->id);
+ 	}
    end:
--	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
  	return ret;
@@ -469,23 +515,24 @@ int pause_listener(struct listener *l, int lpx)
   * or LI_FULL. 0 is returned in case of failure to resume (eg: dead socket).
   * Listeners bound to a different process are not woken up unless we're in
   * foreground mode, and are ignored. If the listener was only in the assigned
-- * state, it's totally rebound. This can happen if a pause() has completely
++ * state, it's totally rebound. This can happen if a suspend() has completely
   * stopped it. If the resume fails, 0 is returned and an error might be
   * displayed.
-- * It will need to operate under the proxy's lock. The caller is
-- * responsible for indicating in lpx whether the proxy locks is
-- * already held (non-zero) or not (zero) so that the function picks it.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
   */
--int resume_listener(struct listener *l, int lpx)
++int resume_listener(struct listener *l, int lpx, int lli)
+ {
  	struct proxy *px = l->bind_conf->frontend;
--	int was_paused = px && px->li_paused;
  	int ret = 1;
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
--	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
  	/* check that another thread didn't to the job in parallel (e.g. at the
  	 * end of listen_accept() while we'd come from dequeue_all_listeners().
@@ -497,15 +544,14 @@ int resume_listener(struct listener *l, int lpx)
  	    !(proc_mask(l->rx.settings->bind_proc) & pid_bit))
  		goto end;
--	if (l->state == LI_READY)
--		goto end;
--
--	/* the listener might have been stopped in parallel */
--	if (l->state < LI_PAUSED)
++	if (!(l->flags & LI_F_FINALIZED) || l->state == LI_READY)
  		goto end;
--	if (l->rx.proto->resume)
++	if (l->rx.proto->resume) {
  		ret = l->rx.proto->resume(l);
++		if (!ret)
++			goto end; /* failure to resume */
++	}
  	if (l->maxconn && l->nbconn >= l->maxconn) {
  		l->rx.proto->disable(l);
@@ -517,21 +563,61 @@ int resume_listener(struct listener *l, int lpx)
  	listener_set_state(l, LI_READY);
    done:
--	if (was_paused && !px->li_paused) {
++	if (px && (l->flags & LI_F_SUSPENDED))
++		px->li_suspended--;
++	l->flags &= ~LI_F_SUSPENDED;
++
++	if (px && !px->li_suspended) {
  		ha_warning("Resumed %s %s.\n", proxy_cap_str(px->cap), px->id);
  		send_log(px, LOG_WARNING, "Resumed %s %s.\n", proxy_cap_str(px->cap), px->id);
+ 	}
    end:
--	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
++	if (!lli)
++		HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
++
++	if (!lpx && px)
++		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
++
++	return ret;
++}
++
++/* Same as resume_listener(), but will only work to resume from
++ * LI_FULL or LI_LIMITED states because we try to relax listeners that
++ * were temporarily restricted and not to resume inactive listeners that
++ * may have been paused or completely stopped in the meantime.
++ * Returns positive value for success and 0 for failure.
++ * It will need to operate under the proxy's lock and the listener's lock.
++ * The caller is responsible for indicating in lpx, lli whether the respective
++ * locks are already held (non-zero) or not (zero) so that the function pick
++ * the missing ones, in this order.
++ */
++int relax_listener(struct listener *l, int lpx, int lli)
++{
++	struct proxy *px = l->bind_conf->frontend;
++	int ret = 1;
++
++	if (!lpx && px)
++		HA_RWLOCK_WRLOCK(PROXY_LOCK, &px->lock);
++
++	if (!lli)
++		HA_RWLOCK_WRLOCK(LISTENER_LOCK, &l->lock);
++
++	if (l->state != LI_FULL && l->state != LI_LIMITED)
++		goto end; /* listener may be suspended or even stopped */
++	ret = resume_listener(l, 1, 1);
++
++ end:
++	if (!lli)
++		HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &l->lock);
--	if (!lpx)
++	if (!lpx && px)
  		HA_RWLOCK_WRUNLOCK(PROXY_LOCK, &px->lock);
  	return ret;
+ }
  /* Marks a ready listener as full so that the stream code tries to re-enable
-- * it upon next close() using resume_listener().
++ * it upon next close() using relax_listener().
   */
  static void listener_full(struct listener *l)
+ {
@@ -569,7 +655,7 @@ void dequeue_all_listeners()
  		/* This cannot fail because the listeners are by definition in
  		 * the LI_LIMITED state.
  		 */
--		resume_listener(listener, 0);
++		relax_listener(listener, 0, 0);
+ 	}
+ }
@@ -582,7 +668,7 @@ void dequeue_proxy_listeners(struct proxy *px)
  		/* This cannot fail because the listeners are by definition in
  		 * the LI_LIMITED state.
  		 */
--		resume_listener(listener, 0);
++		relax_listener(listener, 0, 0);
+ 	}
+ }
@@ -1108,7 +1194,7 @@ void listener_accept(struct listener *l)
  	      (!tick_isset(global_listener_queue_task->expire) ||
  	       tick_is_expired(global_listener_queue_task->expire, now_ms))))) {
  		/* at least one thread has to this when quitting */
--		resume_listener(l, 0);
++		relax_listener(l, 0, 0);
  		/* Dequeues all of the listeners waiting for a resource */
  		dequeue_all_listeners();
@@ -1127,7 +1213,7 @@ void listener_accept(struct listener *l)
  	 * Let's put it to pause in this case.
  	 */
  	if (l->rx.proto && l->rx.proto->rx_listening(&l->rx) == 0) {
--		pause_listener(l, 0);
++		suspend_listener(l, 0, 0);
  		goto end;
+ 	}
@@ -1167,12 +1253,12 @@ void listener_release(struct listener *l)
  	_HA_ATOMIC_DEC(&l->thr_conn[tid]);
  	if (l->state == LI_FULL || l->state == LI_LIMITED)
--		resume_listener(l, 0);
++		relax_listener(l, 0, 0);
  	/* Dequeues all of the listeners waiting for a resource */
  	dequeue_all_listeners();
--	if (!MT_LIST_ISEMPTY(&fe->listener_queue) &&
++	if (fe && !MT_LIST_ISEMPTY(&fe->listener_queue) &&
  	    (!fe->fe_sps_lim || freq_ctr_remain(&fe->fe_sess_per_sec, fe->fe_sps_lim, 0) > 0))
  		dequeue_proxy_listeners(fe);
+ }
 diff --git a/src/log.c b/src/log.c
 index fbc8a2f..c112a49 100644
 --- a/src/log.c
 +++ b/src/log.c
@@ -856,6 +856,10 @@ int parse_logsrv(char **args, struct list *logsrvs, int do_del, const char *file
+ 			}
  			node = malloc(sizeof(*node));
++			if (!node) {
++				memprintf(err, "out of memory error");
++				goto error;
++			}
  			memcpy(node, logsrv, sizeof(struct logsrv));
  			node->ref = logsrv;
  			LIST_INIT(&node->list);
@@ -1877,12 +1881,18 @@ static inline void __do_send_log(struct logsrv *logsrv, int nblogger, int level,
   send:
  	if (logsrv->type == LOG_TARGET_BUFFER) {
  		struct ist msg;
++		size_t maxlen = logsrv->maxlen;
  		msg = ist2(message, size);
  		if (msg.len > logsrv->maxlen)
  			msg.len = logsrv->maxlen;
--		sent = sink_write(logsrv->sink, &msg, 1, level, facility, metadata);
++		/* make room for the final '\n' which may be forcefully inserted
++		 * by tcp forwarder applet (sink_forward_io_handler)
++		 */
++		maxlen -= 1;
++
++		sent = sink_write(logsrv->sink, maxlen, &msg, 1, level, facility, metadata);
+ 	}
  	else if (logsrv->addr.ss_family == AF_CUST_EXISTING_FD) {
  		struct ist msg;
@@ -1895,7 +1905,7 @@ static inline void __do_send_log(struct logsrv *logsrv, int nblogger, int level,
+ 	}
  	else {
  		int i = 0;
--		int totlen = logsrv->maxlen;
++		int totlen = logsrv->maxlen - 1; /* save space for the final '\n' */
  		for (i = 0 ; i < nbelem ; i++ ) {
  			iovec[i].iov_base = msg_header[i].ptr;
@@ -3767,7 +3777,7 @@ static void syslog_io_handler(struct appctx *appctx)
  	size_t size;
  	max_accept = l->maxaccept ? l->maxaccept : 1;
--	while (co_data(si_oc(si))) {
++	while (1) {
  		char c;
  		if (max_accept <= 0)
@@ -3898,14 +3908,14 @@ static struct applet syslog_applet = {
   */
  int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
+ {
--	int err_code = 0;
++	int err_code = ERR_NONE;
  	struct proxy *px;
  	char *errmsg = NULL;
  	const char *err = NULL;
  	if (strcmp(args[0], "log-forward") == 0) {
  		if (!*args[1]) {
--			ha_alert("parsing [%s:%d] : missing name for ip-forward section.\n", file, linenum);
++			ha_alert("parsing [%s:%d] : missing name for log-forward section.\n", file, linenum);
  			err_code |= ERR_ALERT | ERR_ABORT;
  			goto out;
+ 		}
@@ -3926,6 +3936,7 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
  			ha_alert("Parsing [%s:%d]: log-forward section '%s' has the same name as another log-forward section declared at %s:%d.\n",
  				 file, linenum, args[1], px->conf.file, px->conf.line);
  			err_code |= ERR_ALERT | ERR_FATAL;
++			goto out;
+ 		}
  		px = proxy_find_by_name(args[1], 0, 0);
@@ -3934,6 +3945,7 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
  			         file, linenum, args[1], proxy_type_str(px),
  			         px->id, px->conf.file, px->conf.line);
  			err_code |= ERR_ALERT | ERR_FATAL;
++			goto out;
+ 		}
  		px = calloc(1, sizeof *px);
@@ -3955,7 +3967,6 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
  		px->accept = frontend_accept;
  		px->default_target = &syslog_applet.obj_type;
  		px->id = strdup(args[1]);
--
+ 	}
  	else if (strcmp(args[0], "maxconn") == 0) {  /* maxconn */
  		if (warnifnotcap(cfg_log_forward, PR_CAP_FE, file, linenum, args[0], " Maybe you want 'fullconn' instead ?"))
@@ -4007,9 +4018,9 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
  			else {
  				ha_alert("parsing [%s:%d] : '%s %s' : error encountered while parsing listening address %s.\n",
  				         file, linenum, args[0], args[1], args[2]);
--				err_code |= ERR_ALERT | ERR_FATAL;
--				goto out;
+ 			}
++			err_code |= ERR_ALERT | ERR_FATAL;
++			goto out;
+ 		}
  		list_for_each_entry(l, &bind_conf->listeners, by_bind) {
  			l->maxaccept = global.tune.maxaccept ? global.tune.maxaccept : MAX_ACCEPT;
@@ -4147,7 +4158,6 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
+ 		}
  		else if (res) {
  			memprintf(&errmsg, "unexpected character '%c' in 'timeout client'", *res);
--			return -1;
+ 		}
  		if (res) {
@@ -4163,6 +4173,7 @@ int cfg_parse_log_forward(const char *file, int linenum, char **args, int kwm)
  		goto out;
+ 	}
  out:
++	ha_free(&errmsg);
  	return err_code;
+ }
 diff --git a/src/mjson.c b/src/mjson.c
 index 549b0d5..73b7a57 100644
 --- a/src/mjson.c
 +++ b/src/mjson.c
@@ -192,7 +192,7 @@ static int plen1(const char *s) {
+ }
  static int plen2(const char *s) {
--  int i = 0, n = 0;
++  int i = 0, __attribute__((unused)) n = 0;
    while (s[i] != '\0' && s[i] != '.' && s[i] != '[')
      n++, i += s[i] == '\\' ? 2 : 1;
    // printf("PLEN: s: [%s], [%.*s] => %d\n", s, i, s, n);
@@ -724,7 +724,7 @@ static int is_digit(int c) {
  /* NOTE: strtod() implementation by Yasuhiro Matsumoto. */
  static double mystrtod(const char *str, char **end) {
    double d = 0.0;
--  int sign = 1, n = 0;
++  int sign = 1, __attribute__((unused)) n = 0;
    const char *p = str, *a = str;
    /* decimal part */
 diff --git a/src/mux_fcgi.c b/src/mux_fcgi.c
 index 7334b56..5025163 100644
 --- a/src/mux_fcgi.c
 +++ b/src/mux_fcgi.c
@@ -3031,7 +3031,7 @@ struct task *fcgi_io_cb(struct task *t, void *ctx, unsigned int state)
  		conn = fconn->conn;
  		TRACE_POINT(FCGI_EV_FCONN_WAKE, conn);
--		conn_in_list = conn->flags & CO_FL_LIST_MASK;
++		conn_in_list = conn_get_idle_flag(conn);
  		if (conn_in_list)
  			conn_delete_from_tree(&conn->hash_node->node);
 diff --git a/src/mux_h1.c b/src/mux_h1.c
 index c29c4ed..1324c20 100644
 --- a/src/mux_h1.c
 +++ b/src/mux_h1.c
@@ -935,8 +935,10 @@ static void h1_release(struct h1c *h1c)
  			h1c->task = NULL;
+ 		}
--		if (h1c->wait_event.tasklet)
++		if (h1c->wait_event.tasklet) {
  			tasklet_free(h1c->wait_event.tasklet);
++			h1c->wait_event.tasklet = NULL;
++		}
  		h1s_destroy(h1c->h1s);
  		if (conn) {
@@ -2912,7 +2914,7 @@ struct task *h1_io_cb(struct task *t, void *ctx, unsigned int state)
  		/* Remove the connection from the list, to be sure nobody attempts
  		 * to use it while we handle the I/O events
  		 */
--		conn_in_list = conn->flags & CO_FL_LIST_MASK;
++		conn_in_list = conn_get_idle_flag(conn);
  		if (conn_in_list)
  			conn_delete_from_tree(&conn->hash_node->node);
@@ -3340,6 +3342,10 @@ static void h1_shutw_conn(struct connection *conn)
  	TRACE_ENTER(H1_EV_H1C_END, conn);
  	conn_xprt_shutw(conn);
  	conn_sock_shutw(conn, (h1c && !(h1c->flags & H1C_F_ST_SILENT_SHUT)));
++
++	if (h1c->wait_event.tasklet && !h1c->wait_event.events)
++		tasklet_wakeup(h1c->wait_event.tasklet);
++
  	TRACE_LEAVE(H1_EV_H1C_END, conn);
+ }
 diff --git a/src/mux_h2.c b/src/mux_h2.c
 index c880c37..61fd1a4 100644
 --- a/src/mux_h2.c
 +++ b/src/mux_h2.c
@@ -987,6 +987,7 @@ static int h2_init(struct connection *conn, struct proxy *prx, struct session *s
  	h2c->proxy = prx;
  	h2c->task = NULL;
++	h2c->wait_event.tasklet = NULL;
  	h2c->idle_start = now_ms;
  	if (tick_isset(h2c->timeout)) {
  		t = task_new(tid_bit);
@@ -2759,6 +2760,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s)
  			/* unrecoverable error ? */
  			if (h2c->st0 >= H2_CS_ERROR) {
  				TRACE_USER("Unrecoverable error decoding H2 trailers", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, 0, &rxbuf);
++				sess_log(h2c->conn->owner);
  				goto out;
+ 			}
@@ -2773,6 +2775,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s)
  				/* Failed to decode this frame (e.g. too large request)
  				 * but the HPACK decompressor is still synchronized.
  				 */
++				sess_log(h2c->conn->owner);
  				h2s_error(h2s, H2_ERR_INTERNAL_ERROR);
  				TRACE_USER("Stream error decoding H2 trailers", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, 0, &rxbuf);
  				h2c->st0 = H2_CS_FRAME_E;
@@ -2784,6 +2787,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s)
  		 * the data and send another RST.
  		 */
  		error = h2c_decode_headers(h2c, &rxbuf, &flags, &body_len, NULL);
++		sess_log(h2c->conn->owner);
  		h2s = (struct h2s*)h2_error_stream;
  		goto send_rst;
+ 	}
@@ -2803,6 +2807,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s)
  	/* unrecoverable error ? */
  	if (h2c->st0 >= H2_CS_ERROR) {
  		TRACE_USER("Unrecoverable error decoding H2 request", H2_EV_RX_FRAME|H2_EV_RX_HDR|H2_EV_STRM_NEW|H2_EV_STRM_END, h2c->conn, 0, &rxbuf);
++		sess_log(h2c->conn->owner);
  		goto out;
+ 	}
@@ -2817,6 +2822,7 @@ static struct h2s *h2c_frt_handle_headers(struct h2c *h2c, struct h2s *h2s)
  		/* Failed to decode this stream (e.g. too large request)
  		 * but the HPACK decompressor is still synchronized.
  		 */
++		sess_log(h2c->conn->owner);
  		h2s = (struct h2s*)h2_error_stream;
  		goto send_rst;
+ 	}
@@ -3977,11 +3983,10 @@ struct task *h2_io_cb(struct task *t, void *ctx, unsigned int state)
  		conn = h2c->conn;
  		TRACE_ENTER(H2_EV_H2C_WAKE, conn);
--		conn_in_list = conn->flags & CO_FL_LIST_MASK;
--
  		/* Remove the connection from the list, to be sure nobody attempts
  		 * to use it while we handle the I/O events
  		 */
++		conn_in_list = conn_get_idle_flag(conn);
  		if (conn_in_list)
  			conn_delete_from_tree(&conn->hash_node->node);
@@ -4386,7 +4391,7 @@ static void h2_detach(struct conn_stream *cs)
  		/* refresh the timeout if none was active, so that the last
  		 * leaving stream may arm it.
  		 */
--		if (!tick_isset(h2c->task->expire))
++		if (h2c->task && !tick_isset(h2c->task->expire))
  			h2c_update_timeout(h2c);
  		return;
+ 	}
@@ -4912,7 +4917,8 @@ next_frame:
  	if (h2c->flags & H2_CF_IS_BACK)
  		outlen = h2_make_htx_response(list, htx, &msgf, body_len, upgrade_protocol);
  	else
--		outlen = h2_make_htx_request(list, htx, &msgf, body_len);
++		outlen = h2_make_htx_request(list, htx, &msgf, body_len,
++					     !!(((const struct session *)h2c->conn->owner)->fe->options2 & PR_O2_REQBUG_OK));
  	if (outlen < 0 || htx_free_space(htx) < global.tune.maxrewrite) {
  		/* too large headers? this is a stream error only */
 diff --git a/src/mworker.c b/src/mworker.c
 index d78f4ce..6415fd4 100644
 --- a/src/mworker.c
 +++ b/src/mworker.c
@@ -130,15 +130,24 @@ void mworker_proc_list_to_env()
  /*
   * unserialize the proc list from the environment
++ * Return < 0 upon error.
   */
  int mworker_env_to_proc_list()
+ {
--	char *msg, *token = NULL, *s1;
++	char *env, *msg, *omsg = NULL, *token = NULL, *s1;
++	int err = 0;
--	msg = getenv("HAPROXY_PROCESSES");
--	if (!msg)
++	env = getenv("HAPROXY_PROCESSES");
++	if (!env)
  		return 0;
++	omsg = msg = strdup(env);
++	if (!msg) {
++		ha_alert("Out of memory while trying to allocate a worker process structure.");
++		err = -1;
++		goto out;
++	}
++
  	while ((token = strtok_r(msg, "|", &s1))) {
  		struct mworker_proc *child;
  		char *subtoken = NULL;
@@ -148,8 +157,9 @@ int mworker_env_to_proc_list()
  		child = calloc(1, sizeof(*child));
  		if (!child) {
--			ha_alert("Out of memory while trying to allocate a worker process structure.");
--			return -1;
++			ha_alert("out of memory while trying to allocate a worker process structure.");
++			err = -1;
++			goto out;
+ 		}
  		while ((subtoken = strtok_r(token, ";", &s2))) {
@@ -171,6 +181,8 @@ int mworker_env_to_proc_list()
  			} else if (strncmp(subtoken, "fd=", 3) == 0) {
  				child->ipc_fd[0] = atoi(subtoken+3);
++				if (child->ipc_fd[0] > -1)
++					global.maxsock++;
  			} else if (strncmp(subtoken, "pid=", 4) == 0) {
  				child->pid = atoi(subtoken+4);
  			} else if (strncmp(subtoken, "rpid=", 5) == 0) {
@@ -198,7 +210,9 @@ int mworker_env_to_proc_list()
  	unsetenv("HAPROXY_PROCESSES");
--	return 0;
++out:
++	free(omsg);
++	return err;
+ }
  /* Signal blocking and unblocking */
@@ -394,6 +408,9 @@ static int mworker_pipe_register_per_thread()
  	if (tid != 0)
  		return 1;
++	if (proc_self->ipc_fd[1] < 0) /* proc_self was incomplete and we can't find the socketpair */
++		return 1;
++
  	fcntl(proc_self->ipc_fd[1], F_SETFL, O_NONBLOCK);
  	/* In multi-tread, we need only one thread to process
  	 * events on the pipe with master
@@ -487,12 +504,15 @@ static int cli_io_handler_show_proc(struct appctx *appctx)
  	struct stream_interface *si = appctx->owner;
  	struct mworker_proc *child;
  	int old = 0;
--	int up = now.tv_sec - proc_self->timestamp;
++	int up = date.tv_sec - proc_self->timestamp;
  	char *uptime = NULL;
  	if (unlikely(si_ic(si)->flags & (CF_WRITE_ERROR|CF_SHUTW)))
  		return 1;
++	if (up < 0) /* must never be negative because of clock drift */
++		up = 0;
++
  	chunk_reset(&trash);
  	chunk_printf(&trash, "#%-14s %-15s %-15s %-15s %-15s %-15s\n", "<PID>", "<type>", "<relative PID>", "<reloads>", "<uptime>", "<version>");
@@ -504,7 +524,9 @@ static int cli_io_handler_show_proc(struct appctx *appctx)
  	chunk_appendf(&trash, "# workers\n");
  	list_for_each_entry(child, &proc_list, list) {
--		up = now.tv_sec - child->timestamp;
++		up = date.tv_sec - child->timestamp;
++		if (up < 0) /* must never be negative because of clock drift */
++			up = 0;
  		if (!(child->options & PROC_O_TYPE_WORKER))
  			continue;
@@ -525,7 +547,9 @@ static int cli_io_handler_show_proc(struct appctx *appctx)
  		chunk_appendf(&trash, "# old workers\n");
  		list_for_each_entry(child, &proc_list, list) {
--			up = now.tv_sec - child->timestamp;
++			up = date.tv_sec - child->timestamp;
++			if (up <= 0) /* must never be negative because of clock drift */
++				up = 0;
  			if (!(child->options & PROC_O_TYPE_WORKER))
  				continue;
@@ -544,7 +568,9 @@ static int cli_io_handler_show_proc(struct appctx *appctx)
  	chunk_appendf(&trash, "# programs\n");
  	old = 0;
  	list_for_each_entry(child, &proc_list, list) {
--		up = now.tv_sec - child->timestamp;
++		up = date.tv_sec - child->timestamp;
++		if (up < 0) /* must never be negative because of clock drift */
++			up = 0;
  		if (!(child->options & PROC_O_TYPE_PROG))
  			continue;
@@ -561,7 +587,9 @@ static int cli_io_handler_show_proc(struct appctx *appctx)
  	if (old) {
  		chunk_appendf(&trash, "# old programs\n");
  		list_for_each_entry(child, &proc_list, list) {
--			up = now.tv_sec - child->timestamp;
++			up = date.tv_sec - child->timestamp;
++			if (up < 0) /* must never be negative because of clock drift */
++				up = 0;
  			if (!(child->options & PROC_O_TYPE_PROG))
  				continue;
 diff --git a/src/namespace.c b/src/namespace.c
 index 1fc8439..9cc85a3 100644
 --- a/src/namespace.c
 +++ b/src/namespace.c
@@ -54,6 +54,7 @@ static void netns_sig_stop(struct sig_handler *sh)
  		entry = container_of(node, struct netns_entry, node);
  		free(entry->node.key);
  		close(entry->fd);
++		free(entry);
  		node = next;
+ 	}
+ }
 diff --git a/src/proto_uxdg.c b/src/proto_uxdg.c
 index 7eb5a62..b4583c5 100644
 --- a/src/proto_uxdg.c
 +++ b/src/proto_uxdg.c
@@ -30,6 +30,7 @@
  #include <haproxy/protocol.h>
  #include <haproxy/sock.h>
  #include <haproxy/sock_unix.h>
++#include <haproxy/tools.h>
  static int uxdg_bind_listener(struct listener *listener, char *errmsg, int errlen);
  static void uxdg_enable_listener(struct listener *listener);
@@ -95,6 +96,7 @@ int uxdg_bind_listener(struct listener *listener, char *errmsg, int errlen)
  	if (!(listener->rx.flags & RX_F_BOUND)) {
  		msg = "receiving socket not bound";
++		err |= ERR_FATAL | ERR_ALERT;
  		goto uxdg_return;
+ 	}
@@ -102,8 +104,11 @@ int uxdg_bind_listener(struct listener *listener, char *errmsg, int errlen)
   uxdg_return:
  	if (msg && errlen) {
--		const char *path = ((struct sockaddr_un *)&listener->rx.addr)->sun_path;
--                snprintf(errmsg, errlen, "%s [%s]", msg, path);
++		char *path_str;
++
++		path_str = sa2str((struct sockaddr_storage *)&listener->rx.addr, 0, 0);
++		snprintf(errmsg, errlen, "%s for [%s]", msg, ((path_str) ? path_str : ""));
++		ha_free(&path_str);
+ 	}
  	return err;
+ }
@@ -125,17 +130,20 @@ static void uxdg_disable_listener(struct listener *l)
+ }
  /* Suspend a receiver. Returns < 0 in case of failure, 0 if the receiver
-- * was totally stopped, or > 0 if correctly suspended. Nothing is done for
-- * plain unix sockets since currently it's the new process which handles
-- * the renaming. Abstract sockets are completely unbound and closed so
-- * there's no need to stop the poller.
++ * was totally stopped, or > 0 if correctly suspended. For plain unix sockets
++ * we only disable the listener to prevent data from being handled but nothing
++ * more is done since currently it's the new process which handles the renaming.
++ * Abstract sockets are completely unbound and closed so there's no need to stop
++ * the poller.
   */
  static int uxdg_suspend_receiver(struct receiver *rx)
+ {
          struct listener *l = LIST_ELEM(rx, struct listener *, rx);
--        if (((struct sockaddr_un *)&rx->addr)->sun_path[0])
++        if (((struct sockaddr_un *)&rx->addr)->sun_path[0]) {
++		uxdg_disable_listener(l);
                  return 1;
++	}
          /* Listener's lock already held. Call lockless version of
           * unbind_listener. */
 diff --git a/src/proto_uxst.c b/src/proto_uxst.c
 index 621eb39..121450b 100644
 --- a/src/proto_uxst.c
 +++ b/src/proto_uxst.c
@@ -59,6 +59,7 @@ struct protocol proto_uxst = {
  	.add            = default_add_listener,
  	.unbind         = default_unbind_listener,
  	.suspend        = default_suspend_listener,
++	.resume         = default_resume_listener,
  	.accept_conn    = sock_accept_conn,
  	.ctrl_init      = sock_conn_ctrl_init,
  	.ctrl_close     = sock_conn_ctrl_close,
@@ -120,6 +121,7 @@ static int uxst_bind_listener(struct listener *listener, char *errmsg, int errle
  	if (!(listener->rx.flags & RX_F_BOUND)) {
  		msg = "receiving socket not bound";
++		err |= ERR_FATAL | ERR_ALERT;
  		goto uxst_return;
+ 	}
@@ -141,8 +143,11 @@ static int uxst_bind_listener(struct listener *listener, char *errmsg, int errle
  	close(fd);
   uxst_return:
  	if (msg && errlen) {
--		const char *path = ((struct sockaddr_un *)&listener->rx.addr)->sun_path;
--		snprintf(errmsg, errlen, "%s [%s]", msg, path);
++		char *path_str;
++
++		path_str = sa2str((struct sockaddr_storage *)&listener->rx.addr, 0, 0);
++		snprintf(errmsg, errlen, "%s for [%s]", msg, ((path_str) ? path_str : ""));
++		ha_free(&path_str);
+ 	}
  	return err;
+ }
@@ -164,17 +169,20 @@ static void uxst_disable_listener(struct listener *l)
+ }
  /* Suspend a receiver. Returns < 0 in case of failure, 0 if the receiver
-- * was totally stopped, or > 0 if correctly suspended. Nothing is done for
-- * plain unix sockets since currently it's the new process which handles
-- * the renaming. Abstract sockets are completely unbound and closed so
-- * there's no need to stop the poller.
++ * was totally stopped, or > 0 if correctly suspended. For plain unix sockets
++ * we only disable the listener to prevent data from being handled but nothing
++ * more is done since currently it's the new process which handles the renaming.
++ * Abstract sockets are completely unbound and closed so there's no need to stop
++ * the poller.
   */
  static int uxst_suspend_receiver(struct receiver *rx)
+ {
  	struct listener *l = LIST_ELEM(rx, struct listener *, rx);
--	if (((struct sockaddr_un *)&rx->addr)->sun_path[0])
++	if (((struct sockaddr_un *)&rx->addr)->sun_path[0]) {
++		uxst_disable_listener(l);
  		return 1;
++	}
  	/* Listener's lock already held. Call lockless version of
  	 * unbind_listener. */
 diff --git a/src/protocol.c b/src/protocol.c
 index 1806bed..7e56b9a 100644
 --- a/src/protocol.c
 +++ b/src/protocol.c
@@ -86,8 +86,10 @@ int protocol_bind_all(int verbose)
  				else if (lerr & ERR_WARN)
  					ha_warning("Starting %s %s: %s\n",
  						   proxy_type_str(px), px->id, errmsg);
--				ha_free(&errmsg);
+ 			}
++			if (lerr != ERR_NONE)
++				ha_free(&errmsg);
++
  			if (lerr & ERR_ABORT)
  				break;
@@ -155,15 +157,15 @@ void protocol_stop_now(void)
  	list_for_each_entry(proto, &protocols, list) {
  		list_for_each_entry_safe(listener, lback, &proto->receivers, rx.proto_list)
  			if (!listener->bind_conf->frontend->grace)
--				stop_listener(listener, 0, 1);
++				stop_listener(listener, 0, 1, 0);
+ 	}
  	HA_SPIN_UNLOCK(PROTO_LOCK, &proto_lock);
+ }
--/* pauses all listeners of all registered protocols. This is typically
++/* suspends all listeners of all registered protocols. This is typically
   * used on SIG_TTOU to release all listening sockets for the time needed to
-- * try to bind a new process. The listeners enter LI_PAUSED. It returns
-- * ERR_NONE, with ERR_FATAL on failure.
++ * try to bind a new process. The listeners enter LI_PAUSED or LI_ASSIGNED.
++ * It returns ERR_NONE, with ERR_FATAL on failure.
   */
  int protocol_pause_all(void)
+ {
@@ -175,7 +177,7 @@ int protocol_pause_all(void)
  	HA_SPIN_LOCK(PROTO_LOCK, &proto_lock);
  	list_for_each_entry(proto, &protocols, list) {
  		list_for_each_entry(listener, &proto->receivers, rx.proto_list)
--			if (!pause_listener(listener, 0))
++			if (!suspend_listener(listener, 0, 0))
  				err |= ERR_FATAL;
+ 	}
  	HA_SPIN_UNLOCK(PROTO_LOCK, &proto_lock);
@@ -197,7 +199,7 @@ int protocol_resume_all(void)
  	HA_SPIN_LOCK(PROTO_LOCK, &proto_lock);
  	list_for_each_entry(proto, &protocols, list) {
  		list_for_each_entry(listener, &proto->receivers, rx.proto_list)
--			if (!resume_listener(listener, 0))
++			if (!resume_listener(listener, 0, 0))
  				err |= ERR_FATAL;
+ 	}
  	HA_SPIN_UNLOCK(PROTO_LOCK, &proto_lock);
 diff --git a/src/proxy.c b/src/proxy.c
 index 0e204e7..21966c0 100644
 --- a/src/proxy.c
 +++ b/src/proxy.c
@@ -32,6 +32,7 @@
  #include <haproxy/global.h>
  #include <haproxy/http_ana.h>
  #include <haproxy/http_htx.h>
++#include <haproxy/http_rules.h>
  #include <haproxy/listener.h>
  #include <haproxy/log.h>
  #include <haproxy/obj_type-t.h>
@@ -146,6 +147,9 @@ void free_proxy(struct proxy *p)
  	struct proxy_deinit_fct *pxdf;
  	struct server_deinit_fct *srvdf;
++	if (!p)
++		return;
++
  	free(p->conf.file);
  	free(p->id);
  	free(p->cookie_name);
@@ -218,18 +222,7 @@ void free_proxy(struct proxy *p)
  	list_for_each_entry_safe(rdr, rdrb, &p->redirect_rules, list) {
  		LIST_DELETE(&rdr->list);
--		if (rdr->cond) {
--			prune_acl_cond(rdr->cond);
--			free(rdr->cond);
--		}
--		free(rdr->rdr_str);
--		list_for_each_entry_safe(lf, lfb, &rdr->rdr_fmt, list) {
--			LIST_DELETE(&lf->list);
--			release_sample_expr(lf->expr);
--			free(lf->arg);
--			free(lf);
--		}
--		free(rdr);
++		http_free_redirect_rule(rdr);
+ 	}
  	list_for_each_entry_safe(log, logb, &p->logsrvs, list) {
@@ -310,6 +303,7 @@ void free_proxy(struct proxy *p)
  			bind_conf->xprt->destroy_bind_conf(bind_conf);
  		free(bind_conf->file);
  		free(bind_conf->arg);
++		free(bind_conf->settings.interface);
  		LIST_DELETE(&bind_conf->by_fe);
  		free(bind_conf);
+ 	}
@@ -1872,11 +1866,40 @@ struct task *manage_proxy(struct task *t, void *context, unsigned int state)
  			 * to push to a new process and
  			 * we are free to flush the table.
  			 */
--			stktable_trash_oldest(p->table, p->table->current);
--			pool_gc(NULL);
++			int budget;
++			int cleaned_up;
++
++			/* We purposely enforce a budget limitation since we don't want
++			 * to spend too much time purging old entries
++			 *
++			 * This is known to cause the watchdog to occasionnaly trigger if
++			 * the table is huge and all entries become available for purge
++			 * at the same time
++			 *
++			 * Moreover, we must also anticipate the pool_gc() call which
++			 * will also be much slower if there is too much work at once
++			 */
++			budget = MIN(p->table->current, (1 << 15)); /* max: 32K */
++			cleaned_up = stktable_trash_oldest(p->table, budget);
++			if (cleaned_up) {
++				/* immediately release freed memory since we are stopping */
++				pool_gc(NULL);
++				if (cleaned_up > (budget / 2)) {
++					/* most of the budget was used to purge entries,
++					 * it is very likely that there are still trashable
++					 * entries in the table, reschedule a new cleanup
++					 * attempt ASAP
++					 */
++					t->expire = TICK_ETERNITY;
++					task_wakeup(t, TASK_WOKEN_RES);
++					return t;
++				}
++			}
+ 		}
  		if (p->table->current) {
--			/* some entries still remain, let's recheck in one second */
++			/* some entries still remain but are not yet available
++			 * for cleanup, let's recheck in one second
++			 */
  			next = tick_first(next, tick_add(now_ms, 1000));
+ 		}
+ 	}
@@ -2052,7 +2075,7 @@ int pause_proxy(struct proxy *p)
  		goto end;
  	list_for_each_entry(l, &p->conf.listeners, by_fe)
--		pause_listener(l, 1);
++		suspend_listener(l, 1, 0);
  	if (p->li_ready) {
  		ha_warning("%s %s failed to enter pause mode.\n", proxy_cap_str(p->cap), p->id);
@@ -2081,7 +2104,7 @@ void stop_proxy(struct proxy *p)
  	HA_RWLOCK_WRLOCK(PROXY_LOCK, &p->lock);
  	list_for_each_entry(l, &p->conf.listeners, by_fe)
--		stop_listener(l, 1, 0);
++		stop_listener(l, 1, 0, 0);
  	if (!p->disabled && !p->li_ready) {
  		/* might be just a backend */
@@ -2110,7 +2133,7 @@ int resume_proxy(struct proxy *p)
  	fail = 0;
  	list_for_each_entry(l, &p->conf.listeners, by_fe) {
--		if (!resume_listener(l, 1)) {
++		if (!resume_listener(l, 1, 0)) {
  			int port;
  			port = get_host_port(&l->rx.addr);
@@ -2813,7 +2836,7 @@ static int cli_parse_set_maxconn_frontend(char **args, char *payload, struct app
  	px->maxconn = v;
  	list_for_each_entry(l, &px->conf.listeners, by_fe) {
  		if (l->state == LI_FULL)
--			resume_listener(l, 1);
++			relax_listener(l, 1, 0);
+ 	}
  	if (px->maxconn > px->feconn)
 diff --git a/src/resolvers.c b/src/resolvers.c
 index 7a37b33..b0bc6de 100644
 --- a/src/resolvers.c
 +++ b/src/resolvers.c
@@ -3206,7 +3206,7 @@ void resolvers_setup_proxy(struct proxy *px)
  	px->conn_retries = 1;
  	px->timeout.server = TICK_ETERNITY;
  	px->timeout.client = TICK_ETERNITY;
--	px->timeout.connect = TICK_ETERNITY;
++	px->timeout.connect = 1000; // by default same than timeout.resolve
  	px->accept = NULL;
  	px->options2 |= PR_O2_INDEPSTR | PR_O2_SMARTCON;
  	px->bind_proc = 0; /* will be filled by users */
@@ -3627,8 +3627,11 @@ resolv_out:
+ 			}
  			if (args[1][2] == 't')
  				curr_resolvers->timeout.retry = tout;
--			else
++			else {
  				curr_resolvers->timeout.resolve = tout;
++				curr_resolvers->px->timeout.connect = tout;
++			}
++
+ 		}
  		else {
  			ha_alert("parsing [%s:%d] : '%s' expects 'retry' or 'resolve' and <time> as arguments got '%s'.\n",
 diff --git a/src/ring.c b/src/ring.c
 index ba1da1b..977b58e 100644
 --- a/src/ring.c
 +++ b/src/ring.c
@@ -91,7 +91,6 @@ struct ring *ring_resize(struct ring *ring, size_t size)
  		b_getblk(&ring->buf, area, ring->buf.data, 0);
  		area = HA_ATOMIC_XCHG(&ring->buf.area, area);
  		ring->buf.size = size;
--		ring->buf.head = 0;
+ 	}
  	HA_RWLOCK_WRUNLOCK(LOGSRV_LOCK, &ring->lock);
 diff --git a/src/sample.c b/src/sample.c
 index d9ae4c1..a294f80 100644
 --- a/src/sample.c
 +++ b/src/sample.c
@@ -1528,7 +1528,7 @@ static int sample_conv_debug(const struct arg *arg_p, struct sample *smp, void *
   done:
  	line = ist2(buf->area, buf->data);
--	sink_write(sink, &line, 1, 0, 0, NULL);
++	sink_write(sink, 0, &line, 1, 0, 0, NULL);
   end:
  	free_trash_chunk(buf);
  	return 1;
@@ -2964,12 +2964,12 @@ static inline long long int arith_add(long long int a, long long int b)
  	 * +------+----------+----------+
  	 */
  	if ((a ^ b) >= 0) {
--		/* signs are different. */
++		/* signs are same. */
  		if (a < 0) {
  			if (LLONG_MIN - a > b)
  				return LLONG_MIN;
+ 		}
--		if (LLONG_MAX - a < b)
++		else if (LLONG_MAX - a < b)
  			return LLONG_MAX;
+ 	}
  	return a + b;
 diff --git a/src/server.c b/src/server.c
 index df67e1d..fe82679 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -2279,6 +2279,7 @@ void srv_settings_cpy(struct server *srv, const struct server *src, int srv_tmpl
  	if (srv_tmpl)
  		srv->srvrq = src->srvrq;
++	srv->netns                    = src->netns;
  	srv->check.via_socks4         = src->check.via_socks4;
  	srv->socks4_addr              = src->socks4_addr;
+ }
@@ -4901,6 +4902,7 @@ static void srv_update_status(struct server *s)
  	struct proxy *px = s->proxy;
  	int prev_srv_count = s->proxy->srv_bck + s->proxy->srv_act;
  	int srv_was_stopping = (s->cur_state == SRV_ST_STOPPING) || (s->cur_admin & SRV_ADMF_DRAIN);
++	enum srv_state srv_prev_state = s->cur_state;
  	int log_level;
  	struct buffer *tmptrash = NULL;
@@ -4915,7 +4917,6 @@ static void srv_update_status(struct server *s)
  		s->next_admin = s->cur_admin;
  		if ((s->cur_state != SRV_ST_STOPPED) && (s->next_state == SRV_ST_STOPPED)) {
--			s->last_change = now.tv_sec;
  			if (s->proxy->lbprm.set_server_status_down)
  				s->proxy->lbprm.set_server_status_down(s);
@@ -4946,13 +4947,9 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
--
  			s->counters.down_trans++;
+ 		}
  		else if ((s->cur_state != SRV_ST_STOPPING) && (s->next_state == SRV_ST_STOPPING)) {
--			s->last_change = now.tv_sec;
  			if (s->proxy->lbprm.set_server_status_down)
  				s->proxy->lbprm.set_server_status_down(s);
@@ -4976,22 +4973,10 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
+ 		}
  		else if (((s->cur_state != SRV_ST_RUNNING) && (s->next_state == SRV_ST_RUNNING))
  			 || ((s->cur_state != SRV_ST_STARTING) && (s->next_state == SRV_ST_STARTING))) {
--			if (s->proxy->srv_bck == 0 && s->proxy->srv_act == 0) {
--				if (s->proxy->last_change < now.tv_sec)		// ignore negative times
--					s->proxy->down_time += now.tv_sec - s->proxy->last_change;
--				s->proxy->last_change = now.tv_sec;
--			}
--
--			if (s->cur_state == SRV_ST_STOPPED && s->last_change < now.tv_sec)	// ignore negative times
--				s->down_time += now.tv_sec - s->last_change;
--			s->last_change = now.tv_sec;
  			if (s->next_state == SRV_ST_STARTING && s->warmup)
  				task_schedule(s->warmup, tick_add(now_ms, MS_TO_TICKS(MAX(1000, s->slowstart / 20))));
@@ -5037,9 +5022,6 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
+ 		}
  		else if (s->cur_eweight != s->next_eweight) {
  			/* now propagate the status change to any LB algorithms */
@@ -5053,9 +5035,6 @@ static void srv_update_status(struct server *s)
  				if (px->lbprm.set_server_status_down)
  					px->lbprm.set_server_status_down(s);
+ 			}
--
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
+ 		}
  		s->next_admin = next_admin;
@@ -5093,13 +5072,9 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--			/* commit new admin status */
--
--			s->cur_admin = s->next_admin;
+ 		}
  		else {	/* server was still running */
  			check->health = 0; /* failure */
--			s->last_change = now.tv_sec;
  			s->next_state = SRV_ST_STOPPED;
  			if (s->proxy->lbprm.set_server_status_down)
@@ -5134,9 +5109,6 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
--
  			s->counters.down_trans++;
+ 		}
+ 	}
@@ -5156,7 +5128,6 @@ static void srv_update_status(struct server *s)
  		 * that the server might still be in drain mode, which is naturally dealt
  		 * with by the lower level functions.
  		 */
--
  		if (s->check.state & CHK_ST_ENABLED) {
  			s->check.state &= ~CHK_ST_PAUSED;
  			check->health = check->rise; /* start OK but check immediately */
@@ -5169,7 +5140,6 @@ static void srv_update_status(struct server *s)
  				s->next_state = SRV_ST_STOPPING;
+ 			}
  			else {
--				s->last_change = now.tv_sec;
  				s->next_state = SRV_ST_STARTING;
  				if (s->slowstart > 0) {
  					if (s->warmup)
@@ -5227,11 +5197,6 @@ static void srv_update_status(struct server *s)
  				px->lbprm.set_server_status_down(s);
+ 		}
--		if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--			set_backend_down(s->proxy);
--		else if (!prev_srv_count && (s->proxy->srv_bck || s->proxy->srv_act))
--			s->proxy->last_change = now.tv_sec;
--
  		/* If the server is set with "on-marked-up shutdown-backup-sessions",
  		 * and it's not a backup server and its effective weight is > 0,
  		 * then it can accept new connections, so we shut down all streams
@@ -5301,15 +5266,12 @@ static void srv_update_status(struct server *s)
+ 			}
+ 		}
  		/* don't report anything when leaving drain mode and remaining in maintenance */
--
--		s->cur_admin = s->next_admin;
+ 	}
  	if (!(s->next_admin & SRV_ADMF_MAINT)) {
  		if (!(s->cur_admin & SRV_ADMF_DRAIN) && (s->next_admin & SRV_ADMF_DRAIN)) {
  			/* drain state is applied only if not yet in maint */
--			s->last_change = now.tv_sec;
  			if (px->lbprm.set_server_status_down)
  				px->lbprm.set_server_status_down(s);
@@ -5337,26 +5299,14 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--
--			if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
--				set_backend_down(s->proxy);
+ 		}
  		else if ((s->cur_admin & SRV_ADMF_DRAIN) && !(s->next_admin & SRV_ADMF_DRAIN)) {
  			/* OK completely leaving drain mode */
--			if (s->proxy->srv_bck == 0 && s->proxy->srv_act == 0) {
--				if (s->proxy->last_change < now.tv_sec)         // ignore negative times
--					s->proxy->down_time += now.tv_sec - s->proxy->last_change;
--				s->proxy->last_change = now.tv_sec;
--			}
--
--			if (s->last_change < now.tv_sec)                        // ignore negative times
--				s->down_time += now.tv_sec - s->last_change;
--			s->last_change = now.tv_sec;
  			server_recalc_eweight(s, 0);
  			tmptrash = alloc_trash_chunk();
  			if (tmptrash) {
--				if (!(s->next_admin & SRV_ADMF_FDRAIN)) {
++				if (s->cur_admin & SRV_ADMF_FDRAIN) {
  					chunk_printf(tmptrash,
  						     "%sServer %s/%s is %s (leaving forced drain)",
  						     s->flags & SRV_F_BACKUP ? "Backup " : "",
@@ -5420,15 +5370,38 @@ static void srv_update_status(struct server *s)
  				free_trash_chunk(tmptrash);
  				tmptrash = NULL;
+ 			}
--
--			/* commit new admin status */
--
--			s->cur_admin = s->next_admin;
+ 		}
+ 	}
  	/* Re-set log strings to empty */
  	*s->adm_st_chg_cause = 0;
++
++	/* explicitly commit state changes (even if it was already applied implicitly
++	 * by some lb state change function), so we don't miss anything
++	 */
++	srv_lb_commit_status(s);
++
++	/* check if server stats must be updated due the the server state change */
++	if (srv_prev_state != s->cur_state) {
++		if (srv_prev_state == SRV_ST_STOPPED) {
++			/* server was down and no longer is */
++			if (s->last_change < now.tv_sec)                        // ignore negative times
++				s->down_time += now.tv_sec - s->last_change;
++		}
++		s->last_change = now.tv_sec;
++	}
++
++	/* check if backend stats must be updated due to the server state change */
++	if (prev_srv_count && s->proxy->srv_bck == 0 && s->proxy->srv_act == 0)
++		set_backend_down(s->proxy); /* backend going down */
++	else if (!prev_srv_count && (s->proxy->srv_bck || s->proxy->srv_act)) {
++		/* backend was down and is back up again:
++		 * no helper function, updating last_change and backend downtime stats
++		 */
++		if (s->proxy->last_change < now.tv_sec)         // ignore negative times
++			s->proxy->down_time += now.tv_sec - s->proxy->last_change;
++		s->proxy->last_change = now.tv_sec;
++	}
+ }
  struct task *srv_cleanup_toremove_conns(struct task *task, void *context, unsigned int state)
 diff --git a/src/server_state.c b/src/server_state.c
 index 18d9cd6..4ef5167 100644
 --- a/src/server_state.c
 +++ b/src/server_state.c
@@ -322,7 +322,7 @@ static void srv_state_srv_update(struct server *srv, int version, char **params)
  			srv_adm_set_drain(srv);
+ 	}
--	srv->last_change = date.tv_sec - srv_last_time_change;
++	srv->last_change = now.tv_sec - srv_last_time_change;
  	srv->check.status = srv_check_status;
  	srv->check.result = srv_check_result;
 diff --git a/src/sink.c b/src/sink.c
 index b7f111c..4d811eb 100644
 --- a/src/sink.c
 +++ b/src/sink.c
@@ -162,10 +162,13 @@ struct sink *sink_new_buf(const char *name, const char *desc, enum log_fmt fmt,
   * array <msg> to sink <sink>. Formatting according to the sink's preference is
   * done here. Lost messages are NOT accounted for. It is preferable to call
   * sink_write() instead which will also try to emit the number of dropped
-- * messages when there are any. It returns >0 if it could write anything,
-- * <=0 otherwise.
++ * messages when there are any. It will stop writing at <maxlen> instead of
++ * sink->maxlen if <maxlen> is positive and inferior to sink->maxlen.
++ *
++ * It returns >0 if it could write anything, <=0 otherwise.
   */
-- ssize_t __sink_write(struct sink *sink, const struct ist msg[], size_t nmsg,
++ ssize_t __sink_write(struct sink *sink, size_t maxlen,
++	             const struct ist msg[], size_t nmsg,
  	             int level, int facility, struct ist *metadata)
+  {
  	struct ist *pfx = NULL;
@@ -177,11 +180,13 @@ struct sink *sink_new_buf(const char *name, const char *desc, enum log_fmt fmt,
  	pfx = build_log_header(sink->fmt, level, facility, metadata, &npfx);
  send:
++	if (!maxlen)
++		maxlen = ~0;
  	if (sink->type == SINK_TYPE_FD) {
--		return fd_write_frag_line(sink->ctx.fd, sink->maxlen, pfx, npfx, msg, nmsg, 1);
++		return fd_write_frag_line(sink->ctx.fd, MIN(maxlen, sink->maxlen), pfx, npfx, msg, nmsg, 1);
+ 	}
  	else if (sink->type == SINK_TYPE_BUFFER) {
--		return ring_write(sink->ctx.ring, sink->maxlen, pfx, npfx, msg, nmsg);
++		return ring_write(sink->ctx.ring, MIN(maxlen, sink->maxlen), pfx, npfx, msg, nmsg);
+ 	}
  	return 0;
+ }
@@ -223,7 +228,7 @@ int sink_announce_dropped(struct sink *sink, int facility)
  			metadata[LOG_META_PID] = ist2(pidstr, strlen(pidstr));
+ 		}
--		if (__sink_write(sink, msgvec, 1, LOG_NOTICE, facility, metadata) <= 0)
++		if (__sink_write(sink, 0, msgvec, 1, LOG_NOTICE, facility, metadata) <= 0)
  			return 0;
  		/* success! */
  		HA_ATOMIC_SUB(&sink->ctx.dropped, dropped);
@@ -829,7 +834,7 @@ int cfg_parse_ring(const char *file, int linenum, char **args, int kwm)
  		if (size < cfg_sink->ctx.ring->buf.size) {
  			ha_warning("parsing [%s:%d] : ignoring new size '%llu' that is smaller than current size '%llu' for ring '%s'.\n",
  				   file, linenum, (ullong)size, (ullong)cfg_sink->ctx.ring->buf.size, cfg_sink->name);
--			err_code |= ERR_ALERT | ERR_FATAL;
++			err_code |= ERR_WARN;
  			goto err;
+ 		}
@@ -1023,8 +1028,8 @@ struct sink *sink_new_from_logsrv(struct logsrv *logsrv)
  	/* the servers are linked backwards
  	 * first into proxy
  	 */
--	p->srv = srv;
  	srv->next = p->srv;
++	p->srv = srv;
  	/* allocate sink_forward_target descriptor */
  	sft = calloc(1, sizeof(*sft));
@@ -1074,6 +1079,9 @@ struct sink *sink_new_from_logsrv(struct logsrv *logsrv)
  	return sink;
  error:
++	if (srv)
++		free_server(srv);
++
  	if (p) {
  		if (p->id)
  			free(p->id);
@@ -1083,16 +1091,6 @@ error:
  		free(p);
+ 	}
--	if (srv) {
--		if (srv->id)
--			free(srv->id);
--		if (srv->conf.file)
--			free((void *)srv->conf.file);
--		if (srv->per_thr)
--		       free(srv->per_thr);
--		free(srv);
--	}
--
  	if (sft)
  		free(sft);
@@ -1125,7 +1123,7 @@ int cfg_post_parse_ring()
  			ha_warning("ring '%s' event max length '%u' exceeds size, forced to size '%lu'.\n",
  			           cfg_sink->name, cfg_sink->maxlen, (unsigned long)b_size(&cfg_sink->ctx.ring->buf));
  			cfg_sink->maxlen = b_size(&cfg_sink->ctx.ring->buf);
--			err_code |= ERR_ALERT;
++			err_code |= ERR_WARN;
+ 		}
  		/* prepare forward server descriptors */
@@ -1151,11 +1149,16 @@ int cfg_post_parse_ring()
  				if (!ring_attach(cfg_sink->ctx.ring)) {
  					ha_alert("server '%s' sets too many watchers > 255 on ring '%s'.\n", srv->id, cfg_sink->name);
  					err_code |= ERR_ALERT | ERR_FATAL;
++					ha_free(&sft);
++					break;
+ 				}
  				cfg_sink->sft = sft;
  				srv = srv->next;
+ 			}
--			sink_init_forward(cfg_sink);
++			if (sink_init_forward(cfg_sink) == 0) {
++				ha_alert("error when trying to initialize sink buffer forwarding.\n");
++				err_code |= ERR_ALERT | ERR_FATAL;
++			}
+ 		}
+ 	}
  	cfg_sink = NULL;
@@ -1284,14 +1287,21 @@ static void sink_init()
  static void sink_deinit()
+ {
  	struct sink *sink, *sb;
++	struct sink_forward_target *sft_next;
  	list_for_each_entry_safe(sink, sb, &sink_list, sink_list) {
  		if (sink->type == SINK_TYPE_BUFFER)
  			ring_free(sink->ctx.ring);
  		LIST_DELETE(&sink->sink_list);
  		task_destroy(sink->forward_task);
++		free_proxy(sink->forward_px);
  		free(sink->name);
  		free(sink->desc);
++		while (sink->sft) {
++			sft_next = sink->sft->next;
++			free(sink->sft);
++			sink->sft = sft_next;
++		}
  		free(sink);
+ 	}
+ }
 diff --git a/src/sock_inet.c b/src/sock_inet.c
 index fb69981..7523617 100644
 --- a/src/sock_inet.c
 +++ b/src/sock_inet.c
@@ -313,6 +313,24 @@ int sock_inet_bind_receiver(struct receiver *rx, char **errmsg)
+ 		}
+ 	}
++	if (ext && fd < global.maxsock && fdtab[fd].owner) {
++		/* This FD was already bound so this means that it was already
++		 * known and registered before parsing, hence it's an inherited
++		 * FD. The only reason why it's already known here is that it
++		 * has been registered multiple times (multiple listeners on the
++		 * same, or a "shards" directive on the line). There cannot be
++		 * multiple listeners on one FD but at least we can create a
++		 * new one from the original one. We won't reconfigure it,
++		 * however, as this was already done for the first one.
++		 */
++		fd = dup(fd);
++		if (fd == -1) {
++			err |= ERR_RETRYABLE | ERR_ALERT;
++			memprintf(errmsg, "cannot dup() receiving socket (%s)", strerror(errno));
++			goto bind_return;
++		}
++	}
++
  	if (fd >= global.maxsock) {
  		err |= ERR_FATAL | ERR_ABORT | ERR_ALERT;
  		memprintf(errmsg, "not enough free sockets (raise '-n' parameter)");
 diff --git a/src/sock_unix.c b/src/sock_unix.c
 index 9913f4f..d62c164 100644
 --- a/src/sock_unix.c
 +++ b/src/sock_unix.c
@@ -94,7 +94,21 @@ int sock_unix_addrcmp(const struct sockaddr_storage *a, const struct sockaddr_st
  	/* Now we have a difference. It's OK if they are within or after a
  	 * sequence of digits following a dot, and are followed by ".tmp".
++	 *
++	 * make sure to perform the check against tempname if the compared
++	 * string is in "final" format (does not end with ".XXXX.tmp").
++	 *
++	 * Examples:
++	 *     /tmp/test matches with /tmp/test.1822.tmp
++	 *     /tmp/test.1822.tmp matches with /tmp/test.XXXX.tmp
  	 */
++	if (au->sun_path[idx] == 0 || bu->sun_path[idx] == 0) {
++		if (au->sun_path[idx] == '.' || bu->sun_path[idx] == '.')
++			dot = idx; /* try to match against temp path */
++		else
++			return -1; /* invalid temp path */
++	}
++

Ubuntuhaproxy package

Merge ~athos/ubuntu/+source/haproxy:MRE-jammy into ubuntu/+source/haproxy:ubuntu/jammy-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
haproxy package