Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel
Proposed by
Lucas Kanashiro
Status: | Superseded |
---|---|
Proposed branch: | ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre |
Merge into: | ubuntu/+source/haproxy:ubuntu/focal-devel |
Diff against target: |
26087 lines (+9825/-2857) 237 files modified
BRANCHES (+1/-1) CHANGELOG (+811/-0) CONTRIBUTING (+3/-3) INSTALL (+3/-3) MAINTAINERS (+10/-1) Makefile (+24/-8) SUBVERS (+1/-1) VERDATE (+2/-2) VERSION (+1/-1) contrib/deviceatlas/dac.c (+3/-2) contrib/halog/fgets2.c (+3/-3) contrib/halog/halog.c (+8/-8) contrib/modsecurity/README (+4/-4) contrib/prometheus-exporter/README (+35/-5) contrib/prometheus-exporter/service-prometheus.c (+50/-20) contrib/spoa_example/include/mini-clist.h (+1/-1) contrib/spoa_server/README (+2/-2) contrib/spoa_server/ps_python.c (+79/-32) contrib/systemd/haproxy.service.in (+4/-3) debian/changelog (+13/-0) debian/patches/haproxy.service-add-documentation.patch (+3/-5) debian/patches/haproxy.service-start-after-syslog.patch (+4/-6) debian/patches/series (+0/-13) dev/null (+0/-51) doc/SPOE.txt (+7/-2) doc/architecture.txt (+2/-2) doc/coding-style.txt (+2/-2) doc/configuration.txt (+306/-212) doc/internals/acl.txt (+3/-3) doc/internals/buffer-api.txt (+1/-1) doc/internals/filters.txt (+9/-9) doc/internals/hashing.txt (+2/-2) doc/internals/htx-api.txt (+498/-0) doc/lua-api/index.rst (+27/-17) doc/lua.txt (+2/-2) doc/management.txt (+39/-24) doc/peers-v2.0.txt (+7/-7) doc/proxy-protocol.txt (+16/-4) doc/regression-testing.txt (+1/-1) ebtree/eb32sctree.h (+6/-1) ebtree/eb32tree.h (+2/-1) ebtree/eb64tree.h (+32/-19) ebtree/ebimtree.h (+2/-2) ebtree/ebmbtree.h (+8/-3) ebtree/ebpttree.h (+4/-1) ebtree/ebtree.c (+19/-0) ebtree/ebtree.h (+10/-3) include/common/compat.h (+10/-0) include/common/compiler.h (+90/-0) include/common/config.h (+0/-8) include/common/h2.h (+2/-0) include/common/hathreads.h (+105/-31) include/common/hpack-tbl.h (+11/-0) include/common/http.h (+3/-0) include/common/htx.h (+27/-1) include/common/ist.h (+12/-0) include/common/memory.h (+41/-37) include/common/mini-clist.h (+1/-1) include/common/openssl-compat.h (+5/-2) include/common/standard.h (+42/-3) include/common/time.h (+2/-0) include/import/atomic-ops.h (+11/-0) include/import/plock.h (+0/-2) include/proto/action.h 
(+5/-0) include/proto/channel.h (+37/-33) include/proto/checks.h (+3/-1) include/proto/cli.h (+1/-0) include/proto/connection.h (+9/-2) include/proto/dns.h (+1/-1) include/proto/filters.h (+4/-6) include/proto/freq_ctr.h (+15/-11) include/proto/hlua.h (+1/-0) include/proto/http_htx.h (+2/-1) include/proto/http_rules.h (+3/-0) include/proto/lb_chash.h (+1/-1) include/proto/mworker.h (+2/-1) include/proto/obj_type.h (+1/-0) include/proto/pattern.h (+2/-2) include/proto/peers.h (+1/-1) include/proto/port_range.h (+2/-0) include/proto/protocol_buffers.h (+4/-4) include/proto/proxy.h (+2/-2) include/proto/queue.h (+2/-2) include/proto/sample.h (+5/-2) include/proto/server.h (+3/-1) include/proto/shctx.h (+9/-4) include/proto/signal.h (+5/-0) include/proto/stream.h (+2/-1) include/proto/stream_interface.h (+9/-0) include/proto/task.h (+38/-0) include/proto/tcp_rules.h (+5/-0) include/types/channel.h (+1/-1) include/types/checks.h (+6/-4) include/types/cli.h (+3/-1) include/types/connection.h (+6/-5) include/types/counters.h (+1/-1) include/types/dns.h (+8/-3) include/types/filters.h (+1/-0) include/types/global.h (+2/-0) include/types/proto_http.h (+1/-0) include/types/proxy.h (+5/-2) include/types/server.h (+4/-3) include/types/shctx.h (+4/-0) include/types/signal.h (+20/-0) include/types/spoe.h (+1/-0) include/types/stats.h (+1/-0) include/types/stick_table.h (+2/-1) include/types/stream.h (+2/-1) reg-tests/balance/balance-rr.vtc (+73/-0) reg-tests/balance/balance-uri-path-only.vtc (+97/-0) reg-tests/balance/balance-uri.vtc (+74/-0) reg-tests/checks/http-check-send.vtc (+150/-0) reg-tests/checks/ldap-check.vtc (+104/-0) reg-tests/checks/tls_health_checks.vtc (+31/-6) reg-tests/compression/lua_validation.vtc (+2/-2) reg-tests/connection/proxy_protocol_tlv_validation.vtc (+140/-0) reg-tests/converter/field.vtc (+1/-1) reg-tests/http-errorfiles/errorfiles.vtc (+51/-0) reg-tests/http-errorfiles/errors/400-1.http (+9/-0) reg-tests/http-errorfiles/errors/400-2.http (+9/-0) 
reg-tests/http-errorfiles/errors/400-3.http (+9/-0) reg-tests/http-errorfiles/errors/400.http (+9/-0) reg-tests/http-errorfiles/errors/403-1.http (+9/-0) reg-tests/http-errorfiles/errors/403-2.http (+9/-0) reg-tests/http-errorfiles/errors/403.http (+9/-0) reg-tests/http-errorfiles/errors/404-1.http (+9/-0) reg-tests/http-errorfiles/errors/404-2.http (+9/-0) reg-tests/http-errorfiles/errors/404-3.http (+9/-0) reg-tests/http-errorfiles/errors/404.http (+9/-0) reg-tests/http-errorfiles/errors/500-1.http (+9/-0) reg-tests/http-errorfiles/errors/500.http (+9/-0) reg-tests/http-errorfiles/http_deny_errors.vtc (+57/-0) reg-tests/http-errorfiles/http_errors.vtc (+134/-0) reg-tests/http-messaging/h2_desync_attacks.vtc (+142/-0) reg-tests/http-messaging/http_abortonclose.vtc (+115/-0) reg-tests/http-messaging/http_request_buffer.vtc (+35/-1) reg-tests/http-rules/acl_cli_spaces.vtc (+80/-0) reg-tests/http-rules/agents.acl (+1/-0) reg-tests/http-rules/h1or2_to_h1c.vtc (+2/-0) reg-tests/http-rules/map_regm_with_backref.vtc (+1/-1) reg-tests/lua/txn_get_priv.vtc (+1/-1) reg-tests/sample_fetches/so_name.vtc (+22/-0) reg-tests/seamless-reload/abns_socket.vtc (+5/-4) reg-tests/server/cli_set_fdqn.vtc (+1/-1) reg-tests/ssl/ca-auth.crt (+33/-0) reg-tests/ssl/client1.pem (+81/-0) reg-tests/ssl/client2_expired.pem (+81/-0) reg-tests/ssl/client3_revoked.pem (+81/-0) reg-tests/ssl/crl-auth.pem (+18/-0) reg-tests/ssl/ssl_client_auth.vtc (+85/-0) reg-tests/ssl/ssl_client_samples.vtc (+72/-0) reg-tests/ssl/ssl_frontend_samples.vtc (+72/-0) scripts/announce-release (+94/-40) scripts/build-ssl.sh (+17/-7) scripts/git-show-backports (+10/-4) scripts/publish-release (+3/-2) scripts/run-regtests.sh (+8/-2) src/51d.c (+1/-1) src/action.c (+29/-0) src/applet.c (+10/-0) src/arg.c (+7/-0) src/auth.c (+4/-1) src/backend.c (+42/-20) src/base64.c (+6/-3) src/buffer.c (+1/-1) src/cache.c (+36/-26) src/cfgparse-global.c (+26/-7) src/cfgparse-listen.c (+138/-23) src/cfgparse.c (+92/-104) src/channel.c 
(+89/-4) src/checks.c (+269/-59) src/chunk.c (+2/-2) src/cli.c (+185/-89) src/compression.c (+7/-0) src/connection.c (+54/-31) src/debug.c (+18/-12) src/dns.c (+221/-112) src/ev_poll.c (+0/-1) src/ev_select.c (+1/-5) src/fd.c (+9/-3) src/filters.c (+78/-10) src/flt_http_comp.c (+34/-12) src/flt_spoe.c (+122/-67) src/flt_trace.c (+6/-6) src/freq_ctr.c (+6/-6) src/h2.c (+8/-0) src/haproxy.c (+379/-86) src/hathreads.c (+28/-3) src/hlua.c (+218/-60) src/hlua_fcn.c (+14/-4) src/hpack-tbl.c (+2/-2) src/http.c (+36/-2) src/http_act.c (+15/-4) src/http_conv.c (+22/-11) src/http_fetch.c (+145/-72) src/http_htx.c (+102/-23) src/http_rules.c (+7/-3) src/htx.c (+106/-52) src/lb_chash.c (+8/-1) src/lb_fwlc.c (+13/-7) src/listener.c (+19/-1) src/log.c (+35/-9) src/map.c (+34/-23) src/memory.c (+75/-71) src/mux_h1.c (+160/-57) src/mux_h2.c (+243/-95) src/mux_pt.c (+29/-10) src/mworker-prog.c (+7/-0) src/mworker.c (+36/-2) src/namespace.c (+2/-1) src/pattern.c (+135/-50) src/peers.c (+229/-108) src/proto_http.c (+69/-52) src/proto_htx.c (+103/-74) src/proto_sockpair.c (+0/-4) src/proto_tcp.c (+18/-6) src/proto_uxst.c (+0/-4) src/proxy.c (+22/-5) src/queue.c (+15/-7) src/raw_sock.c (+2/-3) src/sample.c (+98/-39) src/server.c (+306/-259) src/session.c (+1/-1) src/shctx.c (+10/-11) src/signal.c (+9/-1) src/ssl_sock.c (+285/-129) src/standard.c (+168/-21) src/stats.c (+21/-15) src/stick_table.c (+21/-10) src/stream.c (+108/-51) src/stream_interface.c (+67/-12) src/task.c (+47/-11) src/tcp_rules.c (+25/-8) src/time.c (+13/-1) src/vars.c (+30/-11) src/wdt.c (+8/-10) src/xxhash.c (+14/-2) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu import | Pending | ||
This proposal has been superseded by a proposal from 2022-08-29.
Commit message
Description of the change
Unmerged commits
- f25caf3... by Lucas Kanashiro
-
Update changelog
- b3ef0b3... by Lucas Kanashiro
-
Remove all patches applied by upstream
- 708b55d... by Lucas Kanashiro
-
Refresh haproxy.service-*.patch
- eb9b4f1... by Lucas Kanashiro
-
Import upstream version 2.0.29
Preview Diff
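--- a/BRANCHES
+++ b/BRANCHES
@@ -134,7 +134,7 @@ to make a safe guess about what to pick.
 Branches up to 1.8 are all designated as "long-term supported" ("LTS" for
 short), which means that they are maintained for several years after the
 release. These branches were emitted at a pace of one per year since 1.5 in
-2014. As of 2019, 1.5 is still supported and widely used, eventhough it very
+2014. As of 2019, 1.5 is still supported and widely used, even though it very
 rarely receives updates. After a few years these LTS branches enter a
 "critical fixes only" status, which means that they will rarely receive a fix
 but if that a critital issue affects them, a release will be made, with or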
14 | diff --git a/CHANGELOG b/CHANGELOG |
15 | index 3e39a96..6ae4bed 100644 |
16 | --- a/CHANGELOG |
17 | +++ b/CHANGELOG |
18 | @@ -1,6 +1,817 @@ |
19 | ChangeLog : |
20 | =========== |
21 | |
22 | +2022/05/13 : 2.0.29 |
23 | + - BUG/MINOR: tools: fix url2sa return value with IPv4 |
24 | + - Revert "BUG/MAJOR: mux-pt: Always destroy the backend connection on detach" |
25 | + - BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket |
26 | + - BUILD: dns: fix backport of previous dns fix |
27 | + - CI: github actions: switch to LibreSSL-3.5.1 |
28 | + - BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf |
29 | + - BUG/MINOR: tools: url2sa reads too far when no port nor path |
30 | + - BUG/MEDIUM: stream-int: do not rely on the connection error once established |
31 | + - MEDIUM: mux-h2: slightly relax timeout management rules |
32 | + - BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts |
33 | + - DOC: reflect H2 timeout changes |
34 | + - BUG/MAJOR: mux_pt: always report the connection error to the conn_stream |
35 | + - BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid |
36 | + - CI: Update to actions/checkout@v3 |
37 | + - CI: Update to actions/cache@v3 |
38 | + - BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent |
39 | + - BUG/MINOR: cache: do not display expired entries in "show cache" |
40 | + - BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side |
41 | + - BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive |
42 | + - BUG/MEDIUM: mux-h1: Don't request more room on partial trailers |
43 | + - BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags |
44 | + - SCRIPTS: announce-release: update the doc's URL |
45 | + - DOC: lua: update a few doc URLs |
46 | + - SCRIPTS: announce-release: add shortened links to pending issues |
47 | + - BUG/MINOR: cache: Disable cache if applet creation fails |
48 | + - DOC: remove my name from the config doc |
49 | + - REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc |
50 | + - BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all() |
51 | + - BUILD: proto_uxst: do not set unused flag |
52 | + - BUILD: sockpair: do not set unused flag |
53 | + - CI: github actions: update LibreSSL to 3.5.2 |
54 | + - SCRIPTS: announce-release: add URL of dev packages |
55 | + - BUG/MINOR: mux-h2: mark the stream as open before processing it not after |
56 | + - BUG/MEDIUM: cli: make "show cli sockets" really yield |
57 | + - BUG/MINOR: map/cli: protect the backref list during "show map" errors |
58 | + - BUG/MINOR: map/cli: make sure patterns don't vanish under "show map"'s init |
59 | + - DOC: fix typo "ant" for "and" in INSTALL |
60 | + - BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes). |
61 | + - BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized |
62 | + - CLEANUP: mux-h1: Fix comments and error messages for global options |
63 | + - BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x |
64 | + |
65 | +2022/03/14 : 2.0.28 |
66 | + - MEDIUM: cli: yield between each pipelined command |
67 | + - MINOR: channel: add new function co_getdelim() to support multiple delimiters |
68 | + - BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands |
69 | + - BUG/MEDIUM: mcli: do not try to parse empty buffers |
70 | + - BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them |
71 | + - BUG/MEDIUM: mworker: don't lose the stats socket on failed reload |
72 | + - BUG/MINOR: mworker: does not erase the pidfile upon reload |
73 | + - BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies |
74 | + - BUG/MAJOR: spoe: properly detach all agents when releasing the applet |
75 | + - MINOR: sock: move the unused socket cleaning code into its own function |
76 | + - BUG/MEDIUM: mworker: close unused transferred FDs on load failure |
77 | + - BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload |
78 | + - BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names |
79 | + - CI: ssl: enable parallel builds for OpenSSL on Linux |
80 | + - CI: ssl: do not needlessly build the OpenSSL docs |
81 | + - CI: ssl: keep the old method for ancient OpenSSL versions |
82 | + - BUG/MINOR: mailers: negotiate SMTP, not ESMTP |
83 | + - BUG/MINOR: tools: url2sa reads ipv4 too far |
84 | + - BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer |
85 | + - BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer |
86 | + - BUG/MEDIUM: stream: Abort processing if response buffer allocation fails |
87 | + - CI: github actions: add the output of $CC -dM -E- |
88 | + - CI: github actions: use cache for SSL libs |
89 | + - CLEANUP: atomic: add a fetch-and-xxx variant for common operations |
90 | + - BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks |
91 | + - BUG/MINOR: cli: shows correct mode in "show sess" |
92 | + - BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request |
93 | + - BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request |
94 | + - BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request |
95 | + - BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request |
96 | + - DEBUG: cache: Update underlying buffer when loading HTX message in cache applet |
97 | + - BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing |
98 | + - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach |
99 | + - DOC: ssl: req_ssl_sni needs implicit TLS |
100 | + - DOC: use the req.ssl_sni in examples |
101 | + - BUG/MINOR: stream: make the call_rate only count the no-progress calls |
102 | + - DOC: Fix usage/examples of deprecated ACLs |
103 | + |
104 | +2022/01/26 : 2.0.27 |
105 | + - CI: Expand use of GitHub Actions for CI |
106 | + - CI: Stop hijacking the hosts file |
107 | + - CI: Github Actions: enable prometheus exporter |
108 | + - CI: Github Actions: remove LibreSSL-3.0.2 builds |
109 | + - CI: Github Actions: enable BoringSSL builds |
110 | + - CI: Github Action: run "apt-get update" before packages restore |
111 | + - CI: Pass the github.event_name to matrix.py |
112 | + - CI: Clean up Windows CI |
113 | + - CI: github actions: update LibreSSL to 3.3.0 |
114 | + - CI: github actions: enable 51degrees feature |
115 | + - CI: GitHub Actions: enable daily Coverity scan |
116 | + - CI: github actions: build several popular "contrib" tools |
117 | + - CI: Pin VTest to a known good commit |
118 | + - CI: Fix DEBUG_STRICT definition for Coverity |
119 | + - CI: Fix the coverity builds |
120 | + - CI: github actions: switch to stable LibreSSL release |
121 | + - Revert "CI: Pin VTest to a known good commit" |
122 | + - CI: github actions: update LibreSSL to 3.2.5 |
123 | + - CI: Github Actions: switch to LibreSSL-3.3.3 |
124 | + - CI: Github Actions: temporarily disable BoringSSL builds |
125 | + - BUILD: makefile: add entries to build common debugging tools |
126 | + - BUILD: scripts/build-ssl.sh: use "uname" instead of ${TRAVIS_OS_NAME} |
127 | + - REGTESTS: mark the abns test as broken again |
128 | + - CLEANUP: peers: Remove unused static function `free_dcache` |
129 | + - CLEANUP: peers: Remove unused static function `free_dcache_tx` |
130 | + - BUILD: general: always pass unsigned chars to is* functions |
131 | + - MINOR: cli: "show version" displays the current process version |
132 | + - BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time |
133 | + - CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next() |
134 | + - CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next() |
135 | + - MINOR: ssl: make tlskeys_list_get_next() take a list element |
136 | + - DOC: spoe: Clarify use of the event directive in spoe-message section |
137 | + - DOC: config: Specify %Ta is only available in HTTP mode |
138 | + - BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode |
139 | + - BUG/MINOR: backend: do not set sni on connection reuse |
140 | + - BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose |
141 | + - Revert "BUG/MEDIUM: resolvers: always check a valid item in query_list" |
142 | + - BUG/MINOR: http: fix recent regression on authorization in legacy mode |
143 | + - BUILD: cli: clear a maybe-unused warning on some older compilers |
144 | + - BUILD: ssl: unbreak the build with newer libressl |
145 | + - DOC: fix misspelled keyword "resolve_retries" in resolvers |
146 | + - BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning |
147 | + - CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free |
148 | + - BUG/MINOR: cli: fix _getsocks with musl libc |
149 | + - BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry |
150 | + - BUG/MEDIUM: mworker: don't use _getsocks in wait mode |
151 | + - BUILD/MINOR: fix solaris build with clang. |
152 | + - BUG/MEDIUM: cli: Never wait for more data on client shutdown |
153 | + - BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer |
154 | + |
155 | +2021/12/03 : 2.0.26 |
156 | + - BUG/MINOR: systemd: ExecStartPre must use -Ws |
157 | + - BUG/MINOR: compat: make sure __WORDSIZE is always defined |
158 | + - BUG/MINOR: cli/payload: do not search for args inside payload |
159 | + - BUG/MEDIUM: http: check for a channel pending data before waiting |
160 | + - BUG/MINOR: stats: fix the POST requests processing in legacy mode |
161 | + - MEDIUM: actions: Fix block ACL. |
162 | + - BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached |
163 | + - Revert "REGTESTS: mark http_abortonclose as broken" |
164 | + - BUG/MINOR: server: allow 'enable health' only if check configured |
165 | + - BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer |
166 | + - BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data |
167 | + - BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM |
168 | + - BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send "trailers" |
169 | + - DOC: peers: fix doc "enable" statement on "peers" sections |
170 | + - BUG/MEDIUM: lua: fix wakeup condition from sleep() |
171 | + - BUG/MAJOR: lua: use task_wakeup() to properly run a task once |
172 | + - BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input |
173 | + - BUG/MINOR: stream: Don't release a stream if FLT_END is still registered |
174 | + - BUG/MEDIUM: http-ana: Reset channels analysers when returning an error |
175 | + - BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set |
176 | + - BUG/MINOR: filters: Set right FLT_END analyser depending on channel |
177 | + - BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release |
178 | + - BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule |
179 | + - BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames |
180 | + - BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error |
181 | + - CLEANUP: sample: rename sample_conv_var2smp() to *_sint |
182 | + - CLEANUP: sample: uninline sample_conv_var2smp_str() |
183 | + - MINOR: sample: provide a generic var-to-sample conversion function |
184 | + - BUG/MEDIUM: sample: properly verify that variables cast to sample |
185 | + - MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero |
186 | + - BUG/MEDIUM: resolver: make sure to always use the correct hostname length |
187 | + - BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records |
188 | + - MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero |
189 | + - BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix |
190 | + - BUG/MEDIUM: resolvers: use correct storage for the target address |
191 | + - MINOR: resolvers: merge address and target into a union "data" |
192 | + - BUILD: resolvers: avoid a possible warning on null-deref |
193 | + - BUG/MEDIUM: resolvers: always check a valid item in query_list |
194 | + - BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame |
195 | + - BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed |
196 | + - BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released |
197 | + - CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records() |
198 | + - CLEANUP: always initialize the answer_list |
199 | + - CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT |
200 | + - BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration |
201 | + - BUG/MINOR: http: Authorization value can have multiple spaces after the scheme |
202 | + - DOC: config: Fix alphabetical order of fc_* samples |
203 | + - MINOR: stream: Improve dump of bogus streams |
204 | + - BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check |
205 | + - MINOR: htx: Add an HTX flag to know when a message is fragmented |
206 | + - MINOR: htx: Add a function to know if the free space wraps |
207 | + - BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary |
208 | + - BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value |
209 | + - DOC: config: Fix typo in ssl_fc_unique_id description |
210 | + - BUG/MINOR: http-ana: Apply stop to the current section for http-response rules |
211 | + - BUG/MEDIUM: conn-stream: Don't reset CS flags on close |
212 | + - BUG/MINOR: mworker: doesn't launch the program postparser |
213 | + - BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value |
214 | + - BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent |
215 | + - BUG/MINOR: stick-table/cli: Check for invalid ipv6 key |
216 | + - MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close |
217 | + - MINOR: mux-h2: perform a full cycle shutdown+drain on close |
218 | + - CLEANUP: ssl: Release cached SSL sessions on deinit |
219 | + - BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3 |
220 | + - BUG/MEDIUM: mux-h2: always process a pending shut read |
221 | + - BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found |
222 | + - BUG/MINOR: shctx: do not look for available blocks when the first one is enough |
223 | + - BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found |
224 | + |
225 | +2021/09/07 : 2.0.25 |
226 | + - BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3- |
227 | + - REGTESTS: abortonclose: after retries, 503 is expected, not close |
228 | + - BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec} |
229 | + - MINOR: compiler: implement an ONLY_ONCE() macro |
230 | + - BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords |
231 | + - BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long |
232 | + - BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time |
233 | + - BUG/MINOR: tools: Fix loop condition in dump_text() |
234 | + - CLEANUP: Add missing include guard to signal.h |
235 | + - DOC: configuration: remove wrong tcp-request examples in tcp-response |
236 | + - BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB |
237 | + - CLEANUP: htx: remove comments about "must be < 256 MB" |
238 | + - BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer |
239 | + - Revert "BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive" |
240 | + - MINOR: action: Use a generic function to check validity of an action rule list |
241 | + - REGTESTS: mark http_abortonclose as broken |
242 | + |
243 | +2021/08/17 : 2.0.24 |
244 | + - BUG/MEDIUM: tcp-check: Do not dereference inexisting connection |
245 | + - BUILD: add detection of missing important CFLAGS |
246 | + - BUG/MEDIUM: mworker: do not register an exit handler if exit is expected |
247 | + - BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs |
248 | + - BUG/MINOR: systemd: must check the configuration using -Ws |
249 | + - BUG/MINOR: mux-h2: Obey dontlognull option during the preface |
250 | + - BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames |
251 | + - BUG/MINOR: connection: Add missing error labels to conn_err_code_str |
252 | + - BUG/MINOR: server: update last_change on maint->ready transitions too |
253 | + - MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure |
254 | + - BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released |
255 | + - BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued |
256 | + - DOC: Improve the lua documentation |
257 | + - DOC: config: Fix 'http-response send-spoe-group' documentation |
258 | + - MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade |
259 | + - DOC/MINOR: fix typo in management document |
260 | + - BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header |
261 | + - REGTESTS: add a test to prevent h2 desync attacks |
262 | + |
263 | +2021/07/16 : 2.0.23 |
264 | + - DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options |
265 | + - BUG/MINOR: tools: fix parsing "us" unit for timers |
266 | + - DOC: clarify that compression works for HTTP/2 |
267 | + - BUG/MEDIUM: sample: Fix adjusting size in field converter |
268 | + - BUG/MEDIUM: threads: Ignore current thread to end its harmless period |
269 | + - BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded |
270 | + - BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function |
271 | + - BUG/MINOR: logs: Report the true number of retries if there was no connection |
272 | + - BUG/MINOR: mux-h1: Release idle server H1 connection if data are received |
273 | + - BUG/MINOR: server: free srv.lb_nodes in free_server |
274 | + - BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers |
275 | + - BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames |
276 | + - BUG/MEDIUM: config: fix cpu-map notation with both process and threads |
277 | + - BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases |
278 | + - BUG/MINOR: mworker: don't use oldpids[] anymore for reload |
279 | + - BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data |
280 | + - BUG/MINOR: peers: remove useless table check if initial resync is finished |
281 | + - BUG/MEDIUM: peers: re-work connection to new process during reload. |
282 | + - BUG/MEDIUM: peers: re-work refcnt on table to protect against flush |
283 | + - BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message |
284 | + - BUG/MINOR: applet: Notify the other side if data were consumed by an applet |
285 | + - BUG/MEDIUM: peers: initialize resync timer to get an initial full resync |
286 | + - BUG/MEDIUM: peers: register last acked value as origin receiving a resync req |
287 | + - BUG/MEDIUM: peers: stop considering ack messages teaching a full resync |
288 | + - BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected |
289 | + - BUG/MEDIUM: peers: reset commitupdate value in new conns |
290 | + - BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly |
291 | + - BUG/MEDIUM: peers: reset tables stage flags stages on new conns |
292 | + - MINOR: peers: add informative flags about resync process for debugging |
293 | + - MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode |
294 | + - BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers |
295 | + - BUG/MEDIUM: cli: prevent memory leak on write errors |
296 | + - BUG/MINOR: stream: Decrement server current session counter on L7 retry |
297 | + - BUG/MINOR: stream: properly clear the previous error mask on L7 retries |
298 | + - BUG/MINOR: stream: Reset stream final state and si error type on L7 retry |
299 | + - BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port |
300 | + - MINOR: channel: Rely on HTX version if appropriate in channel_may_recv() |
301 | + - BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive |
302 | + - MEDIUM: mux-h1: Don't block reads when waiting for the other side |
303 | + - REGTESTS: Add script to test abortonclose option |
304 | + - BUG/MEDIUM: ebtree: Invalid read when looking for dup entry |
305 | + - BUG/MAJOR: server: prevent deadlock when using 'set maxconn server' |
306 | + - BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter |
307 | + - BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response |
308 | + - BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts |
309 | + - BUG/MINOR: server: Missing calloc return value check in srv_parse_source |
310 | + - BUG/MINOR: peers: Missing calloc return value check in peers_register_table |
311 | + - BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine |
312 | + - BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture |
313 | + - BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare |
314 | + - BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy |
315 | + - BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response |
316 | + - BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule |
317 | + - BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo |
318 | + - BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list |
319 | + - BUG/MINOR: http: Missing calloc return value check while parsing redirect rule |
320 | + - BUG/MINOR: http: Missing calloc return value check in make_arg_list |
321 | + - BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree |
322 | + - BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future |
323 | + - BUG/MEDIUM: compression: Add a flag to know the filter is still processing data |
324 | + - BUG/MEDIUM: dns: reset file descriptor if send returns an error |
325 | + - BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded |
326 | + - DOC: lua: Add a warning about buffers modification in HTTP |
327 | + - BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id |
328 | + - BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE |
329 | + - BUG/MINOR: ssl: use atomic ops to update global shctx stats |
330 | + - BUG/MINOR: mworker: fix typo in chroot error message |
331 | + - BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue |
332 | + - MINOR: mux-h2: obey http-ignore-probes during the preface |
333 | + - BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken |
334 | + - BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function |
335 | + - BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check |
336 | + - MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules |
337 | + - DOC: config: Add missing actions in "tcp-request session" documentation |
338 | + - BUG/MINOR: resolvers: answser item list was randomly purged or errors |
339 | + - BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI |
340 | + - BUG/MINOR: server/cli: Fix locking in function processing "set server" command |
341 | + - BUG/MEDIUM: sock: make sure to never miss early connection failures |
342 | + - BUG/MINOR: cli: fix server name output in "show fd" |
343 | + - BUG/MINOR: stick-table: fix several printf sign errors dumping tables |
344 | + - DOC: stick-table: add missing documentation about gpt0 stored type |
345 | + - DOC: peers: fix the protocol tag name in the doc |
346 | + - DOC: config: use CREATE USER for mysql-check |
347 | + - BUG/MINOR: resolvers: Reset server IP when no ip is found in the response |
348 | + - MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response() |
349 | + - BUG/MINOR: peers: fix data_type bit computation more than 32 data_types |
350 | + - Revert "MINOR: tcp-act: Add set-src/set-src-port for "tcp-request content" rules" |
351 | + - MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS |
352 | + - BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush() |
353 | + - MINOR: pools: do not maintain the lock during pool_flush() |
354 | + - BUG/MEDIUM: pools: Always update free_list in pool_gc(). |
355 | + - MEDIUM: memory: make pool_gc() run under thread isolation |
356 | + - MEDIUM: pools: use a single pool_gc() function for locked and lockless |
357 | + - BUG/MAJOR: pools: fix possible race with free() in the lockless variant |
358 | + - CLEANUP: pools: remove now unused seq and pool_free_list |
359 | + - BUG/MINOR: server-state: load SRV resolution only if params match the config |
360 | + - BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled |
361 | + |
362 | +2021/04/12 : 2.0.22 |
363 | + - MINOR: time: also provide a global, monotonic global_now_ms timer |
364 | + - BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable |
365 | + - MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket |
366 | + - MINOR: lua: Slightly improve function dumping the lua traceback |
367 | + - BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback |
368 | + - BUG/MEDIUM: lua: Always init the lua stack before referencing the context |
369 | + - BUG/MEDIUM: time: make sure to always initialize the global tick |
370 | + - BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless |
371 | + - MINOR: tools: make url2ipv4 return the exact number of bytes parsed |
372 | + - BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters |
373 | + - BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent |
374 | + - BUG/MINOR: stats: Apply proper styles in HTML status page. |
375 | + - BUG/MINOR: tcp: fix silent-drop workaround for IPv6 |
376 | + - BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS |
377 | + - BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields |
378 | + - BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status |
379 | + - BUG/MAJOR: dns: disabled servers through SRV records never recover |
380 | + - BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution |
381 | + - MINOR: resolvers: Use a function to remove answers attached to a resolution |
382 | + - MINOR: resolvers: Purge answer items when a SRV resolution triggers an error |
383 | + - MINOR: resolvers: Add function to change the srv status based on SRV resolution |
384 | + - MINOR: resolvers: Directly call srvrq_update_srv_state() when possible |
385 | + - BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks |
386 | + |
387 | +2021/03/18 : 2.0.21 |
388 | + - BUG/MINOR: sample: check alloc_trash_chunk return value in concat() |
389 | + - BUG/MINOR: sample: Memory leak of sample_expr structure in case of error |
390 | + - BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable |
391 | + - BUG/MINOR: peers: Wrong "new_conn" value for "show peers" CLI command. |
392 | + - BUG/MINOR: mworker: define _GNU_SOURCE for strsignal() |
393 | + - BUG/MEDIUM: mux-h2: fix read0 handling on partial frames |
394 | + - BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX |
395 | + - BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition |
396 | + - BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown |
397 | + - BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name |
398 | + - DOC: management: fix "show resolvers" alphabetical ordering |
399 | + - BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list |
400 | + - BUG/MEDIUM: ssl: check a connection's status before computing a handshake |
401 | + - BUG/MINOR: xxhash: make sure armv6 uses memcpy() |
402 | + - BUILD: Makefile: move REGTESTST_TYPE default setting |
403 | + - BUG/MEDIUM: mux-h2: handle remaining read0 cases |
404 | + - BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED |
405 | + - BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty |
406 | + - BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state |
407 | + - BUG/MINOR: server: re-align state file fields number |
408 | + - BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints() |
409 | + - BUG/MINOR: backend: hold correctly lock when killing idle conn |
410 | + - BUG/MINOR: server: Fix server-state-file-name directive |
411 | + - CLEANUP: deinit: release global and per-proxy server-state variables on deinit |
412 | + - BUG/MEDIUM: config: don't pick unset values from last defaults section |
413 | + - BUG/MINOR: cfgparse: do not mention "addr:port" as supported on proxy lines |
414 | + - BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL |
415 | + - CLEANUP: channel: fix comment in ci_putblk. |
416 | + - BUG/MINOR: server: Remove RMAINT from admin state when loading server state |
417 | + - BUG/MINOR: session: atomically increment the tracked sessions counter |
418 | + - BUG/MINOR: checks: properly handle wrapping time in __health_adjust() |
419 | + - BUG/MINOR: sample: Always consider zero size string samples as unsafe |
420 | + - BUG/MINOR: server: Init params before parsing a new server-state line |
421 | + - BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line |
422 | + - BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok |
423 | + - BUG/MINOR: sample: secure convs that accept base64 string and var name as args |
424 | + - BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe |
425 | + - BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop |
426 | + - BUG/MEDIUM: cli/shutdown sessions: make it thread-safe |
427 | + - BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal |
428 | + - BUG/MINOR: resolvers: new callback to properly handle SRV record errors |
429 | + - BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records |
430 | + - BUG/MEDIUM: resolvers: Reset address for unresolved servers |
431 | + - BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf() |
432 | + - BUG/MINOR: http-ana: Only consider dst address to process originalto option |
433 | + - BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule |
434 | + - BUG/MINOR: connection: Use the client's dst family for adressless servers |
435 | + - BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1 |
436 | + - DOC: spoe: Add a note about fragmentation support in HAProxy |
437 | + - BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout |
438 | + - BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive |
439 | + - BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring() |
440 | + - BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode |
441 | + - BUG/MEDIUM: session: NULL dereference possible when accessing the listener |
442 | + - BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached |
443 | + - BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters |
444 | + - BUG/MINOR: session: Add some forgotten tests on session's listener |
445 | + - CLEANUP: tcp-rules: add missing actions in the tcp-request error message |
446 | + - BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error |
447 | + - BUG/MINOR: resolvers: Reset server address on DNS error only on status change |
448 | + - BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames |
449 | + - MINOR: time: export the global_now variable |
450 | + - BUG/MINOR: freq_ctr/threads: make use of the last updated global time |
451 | + |
452 | +2021/01/08 : 2.0.20 |
453 | + - BUG/MINOR: pattern: a sample marked as const could be written |
454 | + - BUG/MINOR: lua: set buffer size during map lookups |
455 | + - BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries. |
456 | + - BUG/MINOR: peers: Missing TX cache entries reset. |
457 | + - BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages |
458 | + - BUG/MINOR: http-fetch: Extract cookie value even when no cookie name |
459 | + - BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches |
460 | + - BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet |
461 | + - MINOR: spoe: Don't close connection in sync mode on processing timeout |
462 | + - MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error. |
463 | + - BUILD: http-htx: fix build warning regarding long type in printf |
464 | + - BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering |
465 | + - BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests |
466 | + - BUG/MAJOR: filters: Always keep all offsets up to date during data filtering |
467 | + - BUG/MAJOR: peers: fix partial message decoding |
468 | + - DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section |
469 | + - MINOR: plock: use an ARMv8 instruction barrier for the pause instruction |
470 | + - BUG/MINOR: lua: lua-load doesn't check its parameters |
471 | + - BUG/MINOR: lua: Post init register function are not executed beyond the first one |
472 | + - BUG/MINOR: lua: Some lua init operation are processed unsafe |
473 | + - MINOR: actions: Export actions lookup functions |
474 | + - MINOR: actions: add a function returning a service pointer from its name |
475 | + - MINOR: cli: add a function to look up a CLI service description |
476 | + - BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times |
477 | + - DOC/MINOR: Fix formatting in Management Guide |
478 | + - BUG/MAJOR: spoa/python: Fixing return None |
479 | + - DOC: spoa/python: Fixing typo in IP related error messages |
480 | + - DOC: spoa/python: Rephrasing memory related error messages |
481 | + - DOC: spoa/python: Fixing typos in comments |
482 | + - BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations |
483 | + - BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails |
484 | + - BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments |
485 | + - BUG/MEDIUM: spoa/python: Fixing references to None |
486 | + - DOC: email change of the DeviceAtlas maintainer |
487 | + - BUG/MINOR: tools: make parse_time_err() more strict on the timer validity |
488 | + - BUG/MINOR: tools: Reject size format not starting by a digit |
489 | + - BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight |
490 | + - CLEANUP: lua: Remove declaration of an inexistant function |
491 | + - CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric |
492 | + - REGTESTS: make use of HAPROXY_ARGS and pass -dM by default |
493 | + - BUILD: Makefile: have "make clean" destroy .o/.a/.s in contrib subdirs as well |
494 | + - BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests |
495 | + - BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode |
496 | + - CONTRIB: halog: fix build issue caused by %L printf format |
497 | + - CONTRIB: halog: mark the has_zero* functions unused |
498 | + - CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps |
499 | + - BUILD: plock: remove dead code that causes a warning in gcc 11 |
500 | + - BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h |
501 | + - MINOR: atomic: don't use ; to separate instruction on aarch64. |
502 | + - BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails |
503 | + - SCRIPTS: improve announce-release to support different tag and versions |
504 | + - SCRIPTS: make announce release support preparing announces before tag exists |
505 | + - BUG/MINOR: srv: do not init address if backend is disabled |
506 | + - BUILD: Makefile: exclude broken tests by default |
507 | + - MINOR: contrib/prometheus-exporter: export build_info |
508 | + - DOC: fix some spelling issues over multiple files |
509 | + - SCRIPTS: announce-release: fix typo in help message |
510 | + - DOC: Add maintainers for the Prometheus exporter |
511 | + - BUG/MINOR: sample: fix concat() converter's corruption with non-string variables |
512 | + |
513 | +2020/11/06 : 2.0.19 |
514 | + - DOC: ssl: crt-list negative filters are only a hint |
515 | + - BUILD: makefile: Fix building with closefrom() support enabled |
516 | + - BUG/MINOR: Fix several leaks of 'log_tag' in init(). |
517 | + - BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe |
518 | + - MINOR: counters: fix a typo in comment |
519 | + - BUG/MINOR: stats: fix validity of the json schema |
520 | + - MINOR: hlua: Display debug messages on stderr only in debug mode |
521 | + - BUG/MINOR: peers: Inconsistency when dumping peer status codes. |
522 | + - BUG/MINOR: mux-h1: Always set the session on frontend h1 stream |
523 | + - BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams |
524 | + - BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses |
525 | + - BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf(). |
526 | + - BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited |
527 | + - BUG/MINOR: mux-h2: do not stop outgoing connections on stopping |
528 | + - MINOR: fd: report an error message when failing initial allocations |
529 | + - BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once |
530 | + - BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided |
531 | + - BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages |
532 | + - BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn |
533 | + - BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions. |
534 | + - BUG/MINOR: queue: properly report redistributed connections |
535 | + - BUG/MEDIUM: server: support changing the slowstart value from state-file |
536 | + - BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests |
537 | + - BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible |
538 | + - BUG/MINOR: extcheck: add missing checks on extchk_setenv() |
539 | + - BUG/MINOR: log: fix memory leak on logsrv parse error |
540 | + - BUG/MINOR: server: fix srv downtime calcul on starting |
541 | + - BUG/MINOR: server: fix down_time report for stats |
542 | + - BUG/MINOR: lua: initialize sample before using it |
543 | + - BUG/MINOR: cache: Inverted variables in http_calc_maxage function |
544 | + - BUG/MEDIUM: filters: Don't try to init filters for disabled proxies |
545 | + - BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup |
546 | + - MINOR: server: Copy configuration file and line for server templates |
547 | + - BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade |
548 | + - BUG/MINOR: filters: Skip disabled proxies during startup only |
549 | + - BUG/MEDIUM: stick-table: limit the time spent purging old entries |
550 | + - MINOR: http-htx: Add understandable errors for the errorfiles parsing |
551 | + - BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L |
552 | + |
553 | +2020/09/30 : 2.0.18 |
554 | + - SCRIPTS: git-show-backports: make -m most only show the left branch |
555 | + - SCRIPTS: git-show-backports: emit the shell command to backport a commit |
556 | + - BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response |
557 | + - BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send |
558 | + - BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime |
559 | + - BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation |
560 | + - BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation |
561 | + - BUG/MINOR: snapshots: leak of snapshots on deinit() |
562 | + - BUG/MINOR: stats: use strncmp() instead of memcmp() on health states |
563 | + - BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction |
564 | + - BUG/MINOR: reload: do not fail when no socket is sent |
565 | + - DOC: cache: Use '<name>' instead of '<id>' in error message |
566 | + - BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak |
567 | + - BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed |
568 | + - BUG/MINOR: contrib/spoa-server: Do not free reference to NULL |
569 | + - BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure |
570 | + - BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address |
571 | + - BUG/MINOR: startup: haproxy -s cause 100% cpu |
572 | + - BUG/MEDIUM: doc: Fix replace-path action description |
573 | + - BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp() |
574 | + - BUG/MINOR: threads: work around a libgcc_s issue with chrooting |
575 | + - BUILD: thread: limit the libgcc_s workaround to glibc only |
576 | + - MINOR: Commit .gitattributes |
577 | + - CLEANUP: Update .gitignore |
578 | + - BUG/MINOR: auth: report valid crypto(3) support depending on build options |
579 | + - BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections |
580 | + - BUILD: threads: better workaround for late loading of libgcc_s |
581 | + - BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned |
582 | + - BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers |
583 | + - BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate |
584 | + - BUG/MINOR: ssl: verifyhost is case sensitive |
585 | + - BUG/MINOR: server: report correct error message for invalid port on "socks4" |
586 | + - BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch |
587 | + - BUG/MEDIUM: h2: report frame bits only for handled types |
588 | + - BUG/MINOR: Fix memory leaks cfg_parse_peers |
589 | + - BUG/MINOR: config: Fix memory leak on config parse listen |
590 | + - BUG/MEDIUM: listeners: do not pause foreign listeners |
591 | + - DOC: spoa-server: fix false friends `actually` |
592 | + - DOC: agent-check: fix typo in "fail" word expected reply |
593 | + - REGTESTS: add a few load balancing tests |
594 | + - REGTEST: fix host part in balance-uri-path-only.vtc |
595 | + - REGTEST: make abns_socket.vtc require 1.8 |
596 | + - REGTEST: make map_regm_with_backref require 1.7 |
597 | + |
598 | +2020/07/31 : 2.0.17 |
599 | + - BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp() |
600 | + - REGEST: Add reg tests about error files |
601 | + - BUG/MINOR: threads: Don't forget to init each thread toremove_lock. |
602 | + - MINOR: pools: increase MAX_BASE_POOLS to 64 |
603 | + - BUILD: thread: add parenthesis around values of locking macros |
604 | + - BUG/MINOR: cfgparse: don't increment linenum on incomplete lines |
605 | + - BUG/MEDIUM: resolve: fix init resolving for ring and peers section. |
606 | + - BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete |
607 | + - BUG/MAJOR: dns: Make the do-resolve action thread-safe |
608 | + - BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed |
609 | + - BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected |
610 | + - BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received |
611 | + - BUG/MINOR: debug: Don't dump the lua stack if it is not initialized |
612 | + - MEDIUM: lua: Add support for the Lua 5.4 |
613 | + - BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation |
614 | + - BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields |
615 | + - MINOR: connection: Preinstall the mux for non-ssl connect |
616 | + - MINOR: stream-int: Be sure to have a mux to do sends and receives |
617 | + - SCRIPTS: announce-release: add the link to the wiki in the announce messages |
618 | + |
619 | +2020/07/17 : 2.0.16 |
620 | + - MINOR: http: Add 410 to http-request deny |
621 | + - MINOR: http: Add 404 to http-request deny |
622 | + - BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness |
623 | + - BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks |
624 | + - BUG/MINOR: spoe: add missing key length check before checking key names |
625 | + - BUG/MINOR: cli: allow space escaping on the CLI |
626 | + - BUG/MINOR: mworker/cli: fix the escaping in the master CLI |
627 | + - BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI |
628 | + - REGTEST: http-rules: test spaces in ACLs |
629 | + - REGTEST: http-rules: test spaces in ACLs with master CLI |
630 | + - MEDIUM: map: make the "clear map" operation yield |
631 | + - BUG/MINOR: systemd: Wait for network to be online |
632 | + - REGTEST: Add a simple script to tests errorfile directives in proxy sections |
633 | + - BUG/MINOR: spoe: correction of setting bits for analyzer |
634 | + - BUG/MINOR: http_ana: clarify connection pointer check on L7 retry |
635 | + - MINOR: spoe: Don't systematically create new applets if processing rate is low |
636 | + - REGTEST: ssl: tests the ssl_f_* sample fetches |
637 | + - REGTEST: ssl: add some ssl_c_* sample fetches test |
638 | + - BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL |
639 | + - MINOR: cli: make "show sess" stop at the last known session |
640 | + - DOC: ssl: add "allow-0rtt" and "ciphersuites" in crt-list |
641 | + - BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible |
642 | + - BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash |
643 | + - BUG/MINOR: proxy: always initialize the trash in show servers state |
644 | + - DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio |
645 | + - DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio |
646 | + - BUG/MINOR: http_act: don't check capture id in backend (2) |
647 | + - BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode |
648 | + - BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive |
649 | + - BUG/MINOR: mux-h1: Disable splicing only if input data was processed |
650 | + - BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received |
651 | + - BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf() |
652 | + - MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only |
653 | + - BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready |
654 | + - BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server |
655 | + - MINOR: http: Add support for http 413 status |
656 | + - BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection |
657 | + - BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode |
658 | + - DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x |
659 | + - BUG/MINOR: sample: Free str.area in smp_check_const_bool |
660 | + - BUG/MINOR: sample: Free str.area in smp_check_const_meth |
661 | + - CONTRIB: da: fix memory leak in dummy function da_atlas_open() |
662 | + - BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode |
663 | + - BUG/MEDIUM: log: issue mixing sampled to not sampled log servers. |
664 | + - BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked |
665 | + |
666 | +2020/06/12 : 2.0.15 |
667 | + - BUG/MINOR: protocol_buffer: Wrong maximum shifting. |
668 | + - BUG/MINOR: peers: Incomplete peers sections should be validated. |
669 | + - DOC: hashing: update link to hashing functions |
670 | + - DOC: Improve documentation on http-request set-src |
671 | + - BUG/MINOR: ssl: default settings for ssl server options are not used |
672 | + - BUG/MEDIUM: http-ana: Handle NTLM messages correctly. |
673 | + - BUG/MINOR: tools: fix the i386 version of the div64_32 function |
674 | + - BUG/MINOR: http: make url_decode() optionally convert '+' to SP |
675 | + - DOC: option logasap does not depend on mode |
676 | + - BUG/MINOR: check: Update server address and port to execute an external check |
677 | + - MINOR: checks: Add a way to send custom headers and payload during http chekcs |
678 | + - BUG/MINOR: checks: Respect the no-check-ssl option |
679 | + - BUG/MINOR: checks: chained expect will not properly wait for enough data |
680 | + - BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function |
681 | + - BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream |
682 | + - BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream |
683 | + - BUG/MEDIUM: http: the "http_first_req" sample fetch could crash without a steeam |
684 | + - BUG/MEDIUM: http: the "unique-id" sample fetch could crash without a steeam |
685 | + - BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream |
686 | + - BUG/MEDIUM: listener: mark the thread as not stuck inside the loop |
687 | + - MINOR: threads: export the POSIX thread ID in panic dumps |
688 | + - BUG/MINOR: debug: properly use long long instead of long for the thread ID |
689 | + - BUG/MEDIUM: shctx: really check the lock's value while waiting |
690 | + - BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock |
691 | + - MINOR: stream: report the list of active filters on stream crashes |
692 | + - REGTEST: ssl: test the client certificate authentication |
693 | + - BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection |
694 | + - Revert "BUG/MINOR: connection: make sure to correctly tag local PROXY connections" |
695 | + - BUG/MEDIUM: server/checks: Init server check during config validity check |
696 | + - BUG/MINOR: checks/server: use_ssl member must be signed |
697 | + - BUG/MEDIUM: checks: Always initialize checks before starting them |
698 | + - BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks |
699 | + - BUG/MINOR: checks: Remove a warning about http health checks |
700 | + - BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry. |
701 | + - BUG/MEDIUM: stream: Only allow L7 retries when using HTTP. |
702 | + - BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure |
703 | + - BUG/MEDIUM: connections: force connections cleanup on server changes |
704 | + - BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id() |
705 | + - CLEANUP: connections: align function declaration |
706 | + - BUG/MINOR: sample: Set the correct type when a binary is converted to a string |
707 | + - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS() |
708 | + - BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}() |
709 | + - BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT |
710 | + - BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur |
711 | + - BUG/MINOR: http-ana: fix NTLM response parsing again |
712 | + - BUG/MEDIUM: http_ana: make the detection of NTLM variants safer |
713 | + - BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered |
714 | + - BUG/MINOR: pools: use %u not %d to report pool stats in "show pools" |
715 | + - BUG/MINOR: pollers: remove uneeded free in global init |
716 | + - BUG/MINOR: soft-stop: always wake up waiting threads on stopping |
717 | + - BUILD: select: only declare existing local labels to appease clang |
718 | + - BUG/MINOR: cache: Don't needlessly test "cache" keyword in parse_cache_flt() |
719 | + - BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified |
720 | + - BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable |
721 | + - BUG/MINOR: lua: Add missing string length for lua sticktable lookup |
722 | + - BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf |
723 | + - Revert "BUG/MEDIUM: connections: force connections cleanup on server changes" |
724 | + - SCRIPTS: publish-release: pass -n to gzip to remove timestamp |
725 | + - BUG/MINOR: peers: fix internal/network key type mapping. |
726 | + - BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action |
727 | + - BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations |
728 | + - BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics |
729 | + - BUG/MINOR: logs: prevent double line returns in some events. |
730 | + - BUG/MEDIUM: logs: fix trailing zeros on log message. |
731 | + - BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version |
732 | + - BUILD: makefile: adjust the sed expression of "make help" for solaris |
733 | + - BUG/MEDIUM: mworker: fix the copy of options in copy_argv() |
734 | + - BUG/MINOR: init: -x can have a parameter starting with a dash |
735 | + - BUG/MINOR: init: -S can have a parameter starting with a dash |
736 | + - BUG/MEDIUM: mworker: fix the reload with an -- option |
737 | + - BUG/MINOR: mworker: fix a memleak when execvp() failed |
738 | + - BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor |
739 | + - BUG/MEDIUM: pattern: fix thread safety of pattern matching |
740 | + - REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv |
741 | + - REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation |
742 | + - BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0 |
743 | + - REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used |
744 | + |
745 | +2020/04/02 : 2.0.14 |
746 | + - BUG/MINOR: namespace: avoid closing fd when socket failed in my_socketat |
747 | + - BUG/MEDIUM: muxes: Use the right argument when calling the destroy method. |
748 | + - SCRIPTS: announce-release: use mutt -H instead of -i to include the draft |
749 | + - MINOR: http-htx: Add a function to retrieve the headers size of an HTX message |
750 | + - MINOR: filters: Forward data only if the last filter forwards something |
751 | + - BUG/MINOR: filters: Count HTTP headers as filtered data but don't forward them |
752 | + - BUG/MINOR: http-ana: Matching on monitor-uri should be case-sensitive |
753 | + - BUG/MAJOR: http-ana: Always abort the request when a tarpit is triggered |
754 | + - MINOR: ist: add an iststop() function |
755 | + - BUG/MINOR: http: http-request replace-path duplicates the query string |
756 | + - BUG/MEDIUM: shctx: make sure to keep all blocks aligned |
757 | + - MINOR: compiler: move CPU capabilities definition from config.h and complete them |
758 | + - BUG/MEDIUM: ebtree: don't set attribute packed without unaligned access support |
759 | + - BUILD: fix recent build failure on unaligned archs |
760 | + - CLEANUP: cfgparse: Fix type of second calloc() parameter |
761 | + - BUG/MINOR: sample: fix the json converter's endian-sensitivity |
762 | + - BUG/MEDIUM: ssl: fix several bad pointer aliases in a few sample fetch functions |
763 | + - BUG/MINOR: connection: make sure to correctly tag local PROXY connections |
764 | + - MINOR: compiler: add new alignment macros |
765 | + - BUILD: ebtree: improve architecture-specific alignment |
766 | + - BUG/MINOR: sample: Make sure to return stable IDs in the unique-id fetch |
767 | + - BUG/MINOR: dns: ignore trailing dot |
768 | + - MINOR: contrib/prometheus-exporter: Add heathcheck status/code in server metrics |
769 | + - MINOR: contrib/prometheus-exporter: Add the last heathcheck duration metric |
770 | + - BUG/MEDIUM: random: initialize the random pool a bit better |
771 | + - MINOR: tools: add 64-bit rotate operators |
772 | + - BUG/MEDIUM: random: implement a thread-safe and process-safe PRNG |
773 | + - MINOR: backend: use a single call to ha_random32() for the random LB algo |
774 | + - BUG/MINOR: checks/threads: use ha_random() and not rand() |
775 | + - BUG/MAJOR: list: fix invalid element address calculation |
776 | + - MINOR: debug: report the task handler's pointer relative to main |
777 | + - BUG/MEDIUM: debug: make the debug_handler check for the thread in threads_to_dump |
778 | + - MINOR: haproxy: export main to ease access from debugger |
779 | + - BUG/MINOR: wdt: do not return an error when the watchdog couldn't be enabled |
780 | + - DOC: fix incorrect indentation of http_auth_* |
781 | + - OPTIM: startup: fast unique_id allocation for acl. |
782 | + - BUG/MINOR: pattern: Do not pass len = 0 to calloc() |
783 | + - DOC: configuration.txt: fix various typos |
784 | + - DOC: assorted typo fixes in the documentation and Makefile |
785 | + - BUG/MINOR: init: make the automatic maxconn consider the max of soft/hard limits |
786 | + - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths |
787 | + - REGTEST: make the PROXY TLV validation depend on version 2.2 |
788 | + - MINOR: htx: Add a function to return a block at a specific offset |
789 | + - BUG/MEDIUM: cache/filters: Fix loop on HTX blocks caching the response payload |
790 | + - BUG/MEDIUM: compression/filters: Fix loop on HTX blocks compressing the payload |
791 | + - BUG/MINOR: http-ana: Reset request analysers on a response side error |
792 | + - BUG/MINOR: lua: Ignore the reserve to know if a channel is full or not |
793 | + - BUG/MINOR: http-rules: Preserve FLT_END analyzers on reject action |
794 | + - BUG/MINOR: http-rules: Fix a typo in the reject action function |
795 | + - BUG/MINOR: rules: Preserve FLT_END analyzers on silent-drop action |
796 | + - BUG/MINOR: rules: Increment be_counters if backend is assigned for a silent-drop |
797 | + - DOC: fix typo about no-tls-tickets |
798 | + - DOC: improve description of no-tls-tickets |
799 | + - DOC: ssl: clarify security implications of TLS tickets |
800 | + - BUILD: wdt: only test for SI_TKILL when compiled with thread support |
801 | + - BUG/MEDIUM: random: align the state on 2*64 bits for ARM64 |
802 | + - BUG/MINOR: haproxy: always initialize sleeping_thread_mask |
803 | + - BUG/MINOR: listener/mq: do not dispatch connections to remote threads when stopping |
804 | + - BUG/MINOR: haproxy/threads: try to make all threads leave together |
805 | + - DOC: proxy_protocol: Reserve TLV type 0x05 as PP2_TYPE_UNIQUE_ID |
806 | + - BUILD: on ARM, must be linked to libatomic. |
807 | + - BUILD: makefile: fix regex syntax in ARM platform detection |
808 | + - BUILD: makefile: fix expression again to detect ARM platform |
809 | + - BUG/MEDIUM: peers: resync ended with RESYNC_PARTIAL in wrong cases. |
810 | + - DOC: assorted typo fixes in the documentation |
811 | + - MINOR: wdt: Move the definitions of WDTSIG and DEBUGSIG into types/signal.h. |
812 | + - BUG/MEDIUM: wdt: Don't ignore WDTSIG and DEBUGSIG in __signal_process_queue(). |
813 | + - MINOR: memory: Change the flush_lock to a spinlock, and don't get it in alloc. |
814 | + - BUG/MINOR: connections: Make sure we free the connection on failure. |
815 | + - REGTESTS: use "command -v" instead of "which" |
816 | + - REGTEST: increase timeouts on the seamless-reload test |
817 | + - BUG/MINOR: haproxy/threads: close a possible race in soft-stop detection |
818 | + - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized |
819 | + - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL |
820 | + - BUG/MINOR: peers: Use after free of "peers" section. |
821 | + - MINOR: listener: add so_name sample fetch |
822 | + - BUILD: ssl: only pass unsigned chars to isspace() |
823 | + - BUG/MINOR: stats: Fix color of draining servers on stats page |
824 | + - DOC: internals: Fix spelling errors in filters.txt |
825 | + - MINOR: http-rules: Add a flag on redirect rules to know the rule direction |
826 | + - BUG/MINOR: http_ana: make sure redirect flags don't have overlapping bits |
827 | + - MINOR: http-rules: Handle the rule direction when a redirect is evaluated |
828 | + - BUG/MINOR: filters: Use filter offset to decude the amount of forwarded data |
829 | + - BUG/MINOR: filters: Forward everything if no data filters are called |
830 | + - BUG/MINOR: http-ana: Reset request analysers on error when waiting for response |
831 | + - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping |
832 | + |
833 | 2020/02/13 : 2.0.13 |
834 | - BUG/MINOR: checks: refine which errno values are really errors. |
835 | - BUG/MEDIUM: checks: Only attempt to do handshakes if the connection is ready. |
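diff --git a/CONTRIBUTING b/CONTRIBUTING
index 201e122..c222458 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -154,7 +154,7 @@ features are disabled. Similarly, when modifying the SSL stack, please always
 ensure that supported OpenSSL versions continue to build and to work, especially
 if you modify support for alternate libraries. Clean support for the legacy
 OpenSSL libraries is mandatory, support for its derivatives is a bonus and may
-occasionally break eventhough a great care is taken. In other words, if you
+occasionally break even though a great care is taken. In other words, if you
 provide a patch for OpenSSL you don't need to test its derivatives, but if you
 provide a patch for a derivative you also need to test with OpenSSL.
 
@@ -234,7 +234,7 @@ do not think about them anymore after a few patches.
 indented code, which only proves that the person has no consideration for
 quality and/or has done it in a hurry (probably worse). Please note that most
 bugs were found in low-quality code. Reviewers know this and tend to be much
- more reluctant to accept poorly formated code because by experience they
+ more reluctant to accept poorly formatted code because by experience they
 won't trust their author's ability to write correct code. It is also worth
 noting that poor quality code is painful to read and may result in nobody
 willing to waste their time even reviewing your work.
@@ -990,7 +990,7 @@ How to be sure to irritate everyone
 Among the best ways to quickly lose everyone's respect, there is this small
 selection, which should help you improve the way you work with others, if
 you notice you're already practising some of them:
- - repeatedly send improperly formated commit messages, with no type or
+ - repeatedly send improperly formatted commit messages, with no type or
 severity, or with no commit message body. These ones require manual
 edition, maintainers will quickly learn to recognize your name.
 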
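diff --git a/INSTALL b/INSTALL
index 84548df..313173d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -130,7 +130,7 @@ options involved.
 HAProxy in its basic form does not depend on anything beyond a working libc.
 However a number of options are enabled by default, or are highly recommended,
 and these options will typically involve some external components or libraries,
-depending on the targetted platform.
+depending on the targeted platform.
 
 Optional dependencies may be split into several categories :
 
@@ -210,7 +210,7 @@ to forcefully enable it using "USE_LIBCRYPT=1".
 4.5) Cryptography
 -----------------
 For SSL/TLS, it is necessary to use a cryptography library. HAProxy currently
-supports the OpenSSL library, and is known to build ant work with branches
+supports the OpenSSL library, and is known to build and work with branches
 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 and 1.1.1. OpenSSL follows a long-term
 support cycle similar to HAProxy's, and each of the branches above receives its
 own fixes, without forcing you to upgrade to another branch. There is no excuse
@@ -288,7 +288,7 @@ can be downloaded http://libslz.org/ and is even easier to build.
 
 4.7) Lua
 --------
-Lua is an embedded programming langage supported by HAProxy to provide more
+Lua is an embedded programming language supported by HAProxy to provide more
 advanced scripting capabilities. Only versions 5.3 and above are supported.
 In order to enable Lua support, please specify "USE_LUA=1" on the command line.
 Some systems provide this library under various names to avoid conflicts with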
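diff --git a/MAINTAINERS b/MAINTAINERS
index 9a46d74..3a36525 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -55,7 +55,7 @@ Maintainer: Simon Horman <horms@verge.net.au>
 Files: src/mailers.c, include/*/mailers.h
 
 DeviceAtlas device identification
-Maintainer: David Carlier <dcarlier@afilias.info>
+Maintainer: David Carlier <dcarlier@deviceatlas.com>
 Files: src/da.c, include/*/da.h
 
 51Degrees device identification
@@ -86,3 +86,12 @@ Note: every change around the locking or synchronization point will require
 ScientiaMobile WURFL Device Detection
 Maintainer: Paul Borile, Massimiliano Bellomi <wurfl-haproxy-support@scientiamobile.com>
 Files: src/wurfl.c
+
+Prometheus Exporter
+Maintainer: Christopher Faulet <cfaulet@haproxy.com>
+Maintainer: William Dauchy <wdauchy@gmail.com>
+Files: contrib/prometheus-exporter
+Note: William is the referent regarding Prometheus. He should be consulted for
+ all additions and modifications of features. Christopher is the referent
+ for the code itself. He should be consulted for questions regarding the
+ exporter integration into HAProxy, as well as for the bugs.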
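diff --git a/Makefile b/Makefile
index 53d7d4d..7eddac0 100644
--- a/Makefile
+++ b/Makefile
@@ -41,7 +41,8 @@
 # USE_LUA : enable Lua support.
 # USE_FUTEX : enable use of futex on kernel 2.6. Automatic.
 # USE_ACCEPT4 : enable use of accept4() on linux. Automatic.
-# USE_MY_ACCEPT4 : use own implemention of accept4() if glibc < 2.10.
+# USE_MY_ACCEPT4 : use own implementation of accept4() if glibc < 2.10.
+# USE_CLOSEFROM : enable use of closefrom() on *bsd, solaris. Automatic.
 # USE_PRCTL : enable use of prctl(). Automatic.
 # USE_ZLIB : enable zlib library support.
 # USE_SLZ : enable slz library instead of zlib (pick at most one).
@@ -139,7 +140,7 @@ MANDIR = $(PREFIX)/share/man
 DOCDIR = $(PREFIX)/doc/haproxy
 
 #### TARGET system
-# Use TARGET=<target_name> to optimize for a specifc target OS among the
+# Use TARGET=<target_name> to optimize for a specific target OS among the
 # following list (use the default "generic" if uncertain) :
 # linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd,
 # cygwin, haiku, aix51, aix52, osx, generic, custom
@@ -193,6 +194,7 @@ SPEC_CFLAGS += $(call cc-nowarn,missing-field-initializers)
 SPEC_CFLAGS += $(call cc-nowarn,implicit-fallthrough)
 SPEC_CFLAGS += $(call cc-nowarn,stringop-overflow)
 SPEC_CFLAGS += $(call cc-nowarn,cast-function-type)
+SPEC_CFLAGS += $(call cc-nowarn,atomic-alignment)
 SPEC_CFLAGS += $(call cc-opt,-Wtype-limits)
 SPEC_CFLAGS += $(call cc-opt,-Wshift-negative-value)
 SPEC_CFLAGS += $(call cc-opt,-Wshift-overflow=2)
@@ -244,7 +246,7 @@ SILENT_DEFINE =
 # It's automatically appended depending on the targets.
 EXTRA =
 
-#### CPU dependant optimizations
+#### CPU dependent optimizations
 # Some CFLAGS are set by default depending on the target CPU. Those flags only
 # feed CPU_CFLAGS, which in turn feed CFLAGS, so it is not mandatory to use
 # them. You should not have to change these options. Better use CPU_CFLAGS or
@@ -256,7 +258,7 @@ CPU_CFLAGS.i686 = -O2 -march=i686
 CPU_CFLAGS.ultrasparc = -O6 -mcpu=v9 -mtune=ultrasparc
 CPU_CFLAGS = $(CPU_CFLAGS.$(CPU))
 
-#### ARCH dependant flags, may be overridden by CPU flags
+#### ARCH dependent flags, may be overridden by CPU flags
 ARCH_FLAGS.32 = -m32
 ARCH_FLAGS.64 = -m64
 ARCH_FLAGS.i386 = -m32 -march=i386
@@ -287,7 +289,7 @@ use_opts = USE_EPOLL USE_KQUEUE USE_MY_EPOLL USE_MY_SPLICE USE_NETFILTER \
 USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY \
 USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_VSYSCALL \
 USE_GETADDRINFO USE_OPENSSL USE_LUA USE_FUTEX USE_ACCEPT4 \
- USE_MY_ACCEPT4 USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
+ USE_CLOSEFROM USE_MY_ACCEPT4 USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
 USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD \
 USE_OBSOLETE_LINKER USE_PRCTL USE_THREAD_DUMP USE_EVPORTS
 
@@ -324,6 +326,9 @@ ifeq ($(TARGET),linux-glibc)
 USE_CPU_AFFINITY USE_THREAD USE_EPOLL USE_FUTEX USE_LINUX_TPROXY \
 USE_ACCEPT4 USE_LINUX_SPLICE USE_PRCTL USE_THREAD_DUMP USE_NS USE_TFO \
 USE_GETADDRINFO)
+ifneq ($(shell echo __arm__/__aarch64__ | $(CC) -E -xc - | grep '^[^\#]'),__arm__/__aarch64__)
+ TARGET_LDFLAGS=-latomic
+endif
 endif
 
 # For linux >= 2.6.28, glibc without new features
@@ -340,7 +345,7 @@ ifeq ($(TARGET),solaris)
 set_target_defaults = $(call default_opts, \
 USE_POLL USE_TPROXY USE_LIBCRYPT USE_CRYPT_H USE_GETADDRINFO USE_THREAD \
 USE_RT USE_OBSOLETE_LINKER USE_EVPORTS)
- TARGET_CFLAGS = -DFD_SETSIZE=65536 -D_REENTRANT -D_XOPEN_SOURCE=500 -D__EXTENSIONS__
+ TARGET_CFLAGS = -DFD_SETSIZE=65536 -D_REENTRANT -D_XOPEN_SOURCE=600 -D__EXTENSIONS__
 TARGET_LDFLAGS = -lnsl -lsocket
 endif
 
@@ -807,7 +812,7 @@ INCLUDES = $(wildcard include/*/*.h ebtree/*.h)
 DEP = $(INCLUDES) .build_opts
 
 help:
- $(Q)sed -ne "/^[^#]*$$/q;s/^# \?\(.*\)/\1/p" Makefile
+ $(Q)sed -ne "/^[^#]*$$/q;s/^# \{0,1\}\(.*\)/\1/;p" Makefile
 $(Q)echo; \
 if [ -n "$(TARGET)" ]; then \
 if [ -n "$(set_target_defaults)" ]; then \
@@ -841,6 +846,15 @@ objsize: haproxy
 %.o: %.c $(DEP)
 $(cmd_CC) $(COPTS) -c -o $@ $<
 
+contrib/halog/halog:
+ $(Q)$(MAKE) -C contrib/halog halog CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
+
+contrib/debug/flags:
+ $(Q)$(MAKE) -C contrib/debug flags CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
+
+contrib/tcploop/tcploop:
+ $(Q)$(MAKE) -C contrib/tcploop tcploop CC='$(cmd_CC)' OPTIMIZE='$(COPTS)'
+
 # rebuild it every time
 .PHONY: src/version.c
 
@@ -896,6 +910,8 @@ clean:
 $(Q)for dir in . src include/* doc ebtree; do rm -f $$dir/*~ $$dir/*.rej $$dir/core; done
 $(Q)rm -f haproxy-$(VERSION).tar.gz haproxy-$(VERSION)$(SUBVERS).tar.gz
 $(Q)rm -f haproxy-$(VERSION) haproxy-$(VERSION)$(SUBVERS) nohup.out gmon.out
+ $(Q)rm -f contrib/*/*.[oas] contrib/*/*/*.[oas] contrib/*/*/*/*.[oas]
+ $(Q)rm -f contrib/halog/halog contrib/debug/flags contrib/debug/poll contrib/tcploop/tcploop
 
 tags:
 $(Q)find src include \( -name '*.c' -o -name '*.h' \) -print0 | \
@@ -980,7 +996,7 @@ reg-tests-help:
 @echo "To run tests with specific types:"
 @echo " $$ REGTESTS_TYPES=slow,default make reg-tests"
 @echo
- @echo "with 'any' as default value for REGTESTS_TYPES variable."
+ @echo "with 'default,bug,devel,slow' as default value for REGTESTS_TYPES variable."
 @echo
 @echo "About the reg test types:"
 @echo " any : all the tests without distinction (this is the default"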
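Review bot: `TARGET_LDFLAGS=-latomic` inside the new ARM probe (the `ifneq ($(shell echo __arm__/__aarch64__ | $(CC) -E -xc - ...` block under linux-glibc) is a plain assignment, so it replaces any TARGET_LDFLAGS value set earlier for that target instead of extending it; nothing in the visible hunks sets one for linux-glibc, but `TARGET_LDFLAGS += -latomic` is the robust form and matches how SPEC_CFLAGS is accumulated above. The probe runs `$(CC)` through `$(shell ...)` at parse time, so it executes on every invocation including `make clean`, and the Makefile gives no reason for it; a comment such as `# ARM/AArch64 builds need libatomic for the atomic builtins (see CHANGELOG 2.0.14: "BUILD: on ARM, must be linked to libatomic.")` above the `ifneq` would explain both the probe and the flag. The extended `clean` rule also removes `contrib/debug/poll`, for which no top-level target is added next to halog, flags and tcploop; presumably contrib/debug's own Makefile builds it, worth confirming so `clean` and the build targets stay in step.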
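diff --git a/SUBVERS b/SUBVERS
index 26d9d35..50af805 100644
--- a/SUBVERS
+++ b/SUBVERS
@@ -1,2 +1,2 @@
--$Format:%h$
+-5e15b0f
 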
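diff --git a/VERDATE b/VERDATE
index 59c3bdf..cba5e36 100644
--- a/VERDATE
+++ b/VERDATE
@@ -1,2 +1,2 @@
-$Format:%ci$
-2020/02/13
+2022-05-13 17:43:21 +0200
+2022/05/13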
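diff --git a/VERSION b/VERSION
index 82bd22f..3df5a46 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.13
+2.0.29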
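diff --git a/contrib/deviceatlas/dac.c b/contrib/deviceatlas/dac.c
index f94fe8d..720dc6a 100644
--- a/contrib/deviceatlas/dac.c
+++ b/contrib/deviceatlas/dac.c
@@ -63,8 +63,9 @@ da_atlas_compile(void *ctx, da_read_fn readfn, da_setpos_fn rewind, void **ptr,
 da_status_t
 da_atlas_open(da_atlas_t *atlas, da_property_decl_t *extraprops, const void *ptr, size_t len)
 {
- ptr = malloc(len);
- return ptr ? DA_OK : DA_NOMEM;
+ void *ptr2 = malloc(len);
+ free(ptr2);
+ return ptr2 ? DA_OK : DA_NOMEM;
 }
 
 void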
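Review bot: In `da_atlas_open` the new `malloc(len)`/`free(ptr2)` pair is the function's only work, so its sole observable effect is the DA_OK/DA_NOMEM return, and an optimizing compiler may drop an allocation whose pointer never escapes, which would make the DA_NOMEM branch unreachable in practice; the `atlas`, `extraprops` and `ptr` parameters are also now unused, so -Wunused-parameter builds will warn. The body never reads `ptr`, so this looks like a stub that accepts any input; if that is the intent, say so and make the result unconditional: `/* stub: nothing is parsed here, any atlas image is accepted */ (void)atlas; (void)extraprops; (void)ptr; (void)len; return DA_OK;`. The removed version's assignment into the `const void *ptr` parameter and the leaked allocation are the real defect, and that part of the change is correct.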
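diff --git a/contrib/halog/fgets2.c b/contrib/halog/fgets2.c
index 3db762c..776a915 100644
--- a/contrib/halog/fgets2.c
+++ b/contrib/halog/fgets2.c
@@ -35,7 +35,7 @@
 #endif
 
 /* return non-zero if the integer contains at least one zero byte */
-static inline unsigned int has_zero32(unsigned int x)
+static inline __attribute__((unused)) unsigned int has_zero32(unsigned int x)
 {
 unsigned int y;
 
@@ -72,7 +72,7 @@ static inline unsigned int has_zero32(unsigned int x)
 }
 
 /* return non-zero if the argument contains at least one zero byte. See principle above. */
-static inline unsigned long long has_zero64(unsigned long long x)
+static inline __attribute__((unused)) unsigned long long has_zero64(unsigned long long x)
 {
 unsigned long long y;
 
@@ -81,7 +81,7 @@ static inline unsigned long long has_zero64(unsigned long long x)
 return y & 0x8080808080808080ULL;
 }
 
-static inline unsigned long has_zero(unsigned long x)
+static inline __attribute__((unused)) unsigned long has_zero(unsigned long x)
 {
 return (sizeof(x) == 8) ? has_zero64(x) : has_zero32(x);
 }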
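diff --git a/contrib/halog/halog.c b/contrib/halog/halog.c
index 91e2af3..28afb0c 100644
--- a/contrib/halog/halog.c
+++ b/contrib/halog/halog.c
@@ -650,11 +650,11 @@ int convert_date_to_timestamp(const char *field)
 }
 
 if (likely(timeinfo)) {
- if (timeinfo->tm_min == m &&
- timeinfo->tm_hour == h &&
- timeinfo->tm_mday == d &&
- timeinfo->tm_mon == mo - 1 &&
- timeinfo->tm_year == y - 1900)
+ if ((unsigned)timeinfo->tm_min == m &&
+ (unsigned)timeinfo->tm_hour == h &&
+ (unsigned)timeinfo->tm_mday == d &&
+ (unsigned)timeinfo->tm_mon == mo - 1 &&
+ (unsigned)timeinfo->tm_year == y - 1900)
 return last_res + s;
 }
 else {
@@ -692,10 +692,10 @@ int main(int argc, char **argv)
 struct url_stat *ustat = NULL;
 int val, test;
 unsigned int uval;
- int filter_acc_delay = 0, filter_acc_count = 0;
+ unsigned int filter_acc_delay = 0, filter_acc_count = 0;
 int filter_time_resp = 0;
 int filt_http_status_low = 0, filt_http_status_high = 0;
- int filt2_timestamp_low = 0, filt2_timestamp_high = 0;
+ unsigned int filt2_timestamp_low = 0, filt2_timestamp_high = 0;
 int skip_fields = 1;
 
 void (*line_filter)(const char *accept_field, const char *time_field, struct timer **tptr) = NULL;
@@ -1287,7 +1287,7 @@ int main(int argc, char **argv)
 node = eb_last(&timers[0]);
 while (node) {
 ustat = container_of(node, struct url_stat, node.url.node);
- printf("%d %d %Ld %Ld %Ld %Ld %Ld %Ld %s\n",
+ printf("%d %d %llu %llu %llu %llu %llu %llu %s\n",
 ustat->nb_req,
 ustat->nb_err,
 ustat->total_time,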
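Review bot: The `(unsigned)` casts on the `tm_*` fields in `convert_date_to_timestamp` silence the sign-compare warning but leave `mo - 1` and `y - 1900` computed in unsigned arithmetic, where `mo == 0` or `y < 1900` wraps to a huge value; the match then simply fails, which is the right outcome, but a comment at the `if` such as `/* m/h/d/mo/y are unsigned: a wrapped mo - 1 or y - 1900 just fails the match */` would keep the next reader from re-adding a signed range check (m, h, d, mo and y are declared above the hunk, so their types are inferred here). Changing `filter_acc_delay`, `filter_acc_count`, `filt2_timestamp_low` and `filt2_timestamp_high` to `unsigned int` alters the signedness of every comparison they take part in later in `main()`, which lies outside the hunk; where these are filled from command-line numbers, a negative value that a signed compare used to reject would now be accepted as a large positive bound, so the parsing sites are worth re-checking. The `%llu` conversions in the `printf` at the end presume the `ustat` counters are `unsigned long long`; `struct url_stat` is not visible here, so that should be confirmed against its definition.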
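diff --git a/contrib/modsecurity/README b/contrib/modsecurity/README
index 8031389..8e74016 100644
--- a/contrib/modsecurity/README
+++ b/contrib/modsecurity/README
@@ -1,7 +1,7 @@
 ModSecurity for HAProxy
 -----------------------
 
-This is a third party deamon which speaks SPOE. It gives requests send by HAProxy
+This is a third party daemon which speaks SPOE. It gives requests send by HAProxy
 to ModSecurity and returns the verdict.
 
 Compilation
@@ -24,8 +24,8 @@ the Apache dependencies are installed on the system.
 cp standalone/*.h $PWD/INSTALL/include
 cp apache2/*.h $PWD/INSTALL/include
 
-Note that this compilation method works, but is a litle bit rustic. I can't
-deal with Lua, I supposed that is a dependecies problem on my computer.
+Note that this compilation method works, but is a little bit rustic. I can't
+deal with Lua, I supposed that is a dependencies problem on my computer.
 
 Start the service
 ---------------------
@@ -113,7 +113,7 @@ Modsecurity bugs:
 - rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
 + rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);
 
-* Configuration file loaded with wilcard (eg. Include rules/*.conf), are loaded
+* Configuration file loaded with wildcard (eg. Include rules/*.conf), are loaded
 in reverse alphabetical order. You can found a patch below. The ModSecurity
 team ignored this patch.
 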
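diff --git a/contrib/prometheus-exporter/README b/contrib/prometheus-exporter/README
index b19acc1..a688f10 100644
--- a/contrib/prometheus-exporter/README
+++ b/contrib/prometheus-exporter/README
@@ -4,14 +4,14 @@ PROMEX: A Prometheus exporter for HAProxy
 Prometheus is a monitoring and alerting system. More and more people use it to
 monitor their environment (this is written February 2019). It collects metrics
 from monitored targets by scraping metrics HTTP endpoints on these targets. For
-HAProxy, The Prometheus team offically supports an exporter written in Go
+HAProxy, The Prometheus team officially supports an exporter written in Go
 (https://github.com/prometheus/haproxy_exporter). But it requires an extra
 software to deploy and monitor. PROMEX, on its side, is a built-in Prometheus
 exporter for HAProxy. It was developed as a service and is directly available in
 HAProxy, like the stats applet.
 
 However, PROMEX is not built by default with HAProxy. It is provided as an extra
-component for everyone want to use it. So you need to explicity build HAProxy
+component for everyone want to use it. So you need to explicitly build HAProxy
 with the PROMEX service, using the Makefile variable "EXTRA_OBJS". For instance:
 
 > make TARGET=linux-glibc EXTRA_OBJS="contrib/prometheus-exporter/service-prometheus.o"
@@ -46,7 +46,7 @@ applet, all metrics are not grouped by service (proxy, listener or server). With
 PROMEX, all lines for a given metric are provided as one single group. So
 instead of collecting all metrics for a proxy before moving to the next one, we
 must loop on all proxies for each metric. Same for the servers. Thus, it will
-spend much more ressources to produce the Prometheus metrics than the CSV export
+spend much more resources to produce the Prometheus metrics than the CSV export
 through the stats page. To give a comparison order, quick benchmarks shown that
 a PROMEX dump is 5x slower and 20x more verbose than a CSV export.
 
@@ -99,7 +99,7 @@ Exported metrics
 | haproxy_process_pool_used_bytes | Total amount of memory used in pools (in bytes). |
 | haproxy_process_pool_failures_total | Total number of failed pool allocations. |
 | haproxy_process_max_fds | Maximum number of open file descriptors; 0=unset. |
-| haproxy_process_max_sockets | Maximum numer of open sockets. |
+| haproxy_process_max_sockets | Maximum number of open sockets. |
 | haproxy_process_max_connections | Maximum number of concurrent connections. |
 | haproxy_process_hard_max_connections | Initial Maximum number of concurrent connections. |
 | haproxy_process_current_connections | Number of active sessions. |
@@ -122,7 +122,7 @@ Exported metrics
 | haproxy_process_max_ssl_rate | Maximum observed number of SSL sessions per second. |
 | haproxy_process_current_frontend_ssl_key_rate | Current frontend SSL Key computation per second over last elapsed second. |
 | haproxy_process_max_frontend_ssl_key_rate | Maximum observed frontend SSL Key computation per second. |
-| haproxy_process_frontent_ssl_reuse | SSL session reuse ratio (percent). |
+| haproxy_process_frontend_ssl_reuse | SSL session reuse ratio (percent). |
 | haproxy_process_current_backend_ssl_key_rate | Current backend SSL Key computation per second over last elapsed second. |
 | haproxy_process_max_backend_ssl_key_rate | Maximum observed backend SSL Key computation per second. |
 | haproxy_process_ssl_cache_lookups_total | Total number of SSL session cache lookups. |
@@ -268,6 +268,9 @@ Exported metrics
 | haproxy_server_client_aborts_total | Total number of data transfers aborted by the client. |
 | haproxy_server_server_aborts_total | Total number of data transfers aborted by the server. |
 | haproxy_server_weight | Service weight. |
+| haproxy_server_check_status | Status of last health check, if enabled. (see below for the mapping) |
+| haproxy_server_check_code | layer5-7 code, if available of the last health check. |
+| haproxy_server_check_duration_seconds | Total duration of the latest server health check, in seconds. |
 | haproxy_server_check_failures_total | Total number of failed check (Only when the server is up). |
 | haproxy_server_check_up_down_total | Total number of UP->DOWN transitions. |
 | haproxy_server_downtime_seconds_total | Total downtime (in seconds) for the service. |
@@ -278,3 +281,30 @@ Exported metrics
 | haproxy_server_idle_connections_current | Current number of idle connections available for reuse. |
 | haproxy_server_idle_connections_limit | Limit on the number of available idle connections. |
 +----------------------------------------------------+---------------------------------------------------------------------------+
+
+Mapping of health check status :
+
+ 0 : HCHK_STATUS_UNKNOWN (Unknown)
+ 1 : HCHK_STATUS_INI (Initializing)
+
+ 4 : HCHK_STATUS_HANA (Health analyze detected enough consecutive errors)
+
+ 5 : HCHK_STATUS_SOCKERR (Socket error)
+
+ 6 : HCHK_STATUS_L4OK (L4 check passed, for example tcp connect)
+ 7 : HCHK_STATUS_L4TOUT (L4 timeout)
+ 8 : HCHK_STATUS_L4CON (L4 connection problem)
+
+ 9 : HCHK_STATUS_L6OK (L6 check passed)
+ 10 : HCHK_STATUS_L6TOUT (L6 (SSL) timeout)
+ 11 : HCHK_STATUS_L6RSP (L6 invalid response - protocol error)
+
+ 12 : HCHK_STATUS_L7TOUT (L7 (HTTP/SMTP) timeout)
+ 13 : HCHK_STATUS_L7RSP (L7 invalid response - protocol error)
+ 15 : HCHK_STATUS_L7OKD (L7 check passed)
+ 16 : HCHK_STATUS_L7OKCD (L7 check conditionally passed)
+ 17 : HCHK_STATUS_L7STS (L7 response error, for example HTTP 5xx)
+
+ 18 : HCHK_STATUS_PROCERR (External process check failure)
+ 19 : HCHK_STATUS_PROCTOUT (External process check timeout)
+ 20 : HCHK_STATUS_PROCOK (External process check passed)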
1280 | diff --git a/contrib/prometheus-exporter/service-prometheus.c b/contrib/prometheus-exporter/service-prometheus.c |
1281 | index c34ee0e..d420cbc 100644 |
1282 | --- a/contrib/prometheus-exporter/service-prometheus.c |
1283 | +++ b/contrib/prometheus-exporter/service-prometheus.c |
1284 | @@ -20,6 +20,7 @@ |
1285 | #include <common/initcall.h> |
1286 | #include <common/memory.h> |
1287 | #include <common/mini-clist.h> |
1288 | +#include <common/version.h> |
1289 | |
1290 | #include <types/global.h> |
1291 | |
1292 | @@ -83,12 +84,17 @@ enum { |
1293 | */ |
1294 | #define PROMEX_MAX_METRIC_LENGTH 512 |
1295 | |
1296 | +/* Some labels for build_info */ |
1297 | +#define PROMEX_VERSION_LABEL "version=\"" HAPROXY_VERSION "\"" |
1298 | +#define PROMEX_BUILDINFO_LABEL PROMEX_VERSION_LABEL |
1299 | + |
1300 | /* Matrix used to dump global metrics. Each metric points to the next one to be |
1301 | * processed or 0 to stop the dump. */ |
1302 | const int promex_global_metrics[INF_TOTAL_FIELDS] = { |
1303 | - [INF_NAME] = INF_NBTHREAD, |
1304 | + [INF_NAME] = INF_BUILD_INFO, |
1305 | [INF_VERSION] = 0, |
1306 | [INF_RELEASE_DATE] = 0, |
1307 | + [INF_BUILD_INFO] = INF_NBTHREAD, |
1308 | [INF_NBTHREAD] = INF_NBPROC, |
1309 | [INF_NBPROC] = INF_PROCESS_NUM, |
1310 | [INF_PROCESS_NUM] = INF_UPTIME_SEC, |
1311 | @@ -367,7 +373,7 @@ const int promex_srv_metrics[ST_F_TOTAL_FIELDS] = { |
1312 | [ST_F_WRETR] = ST_F_WREDIS, |
1313 | [ST_F_WREDIS] = ST_F_WREW, |
1314 | [ST_F_STATUS] = ST_F_SCUR, |
1315 | - [ST_F_WEIGHT] = ST_F_CHKFAIL, |
1316 | + [ST_F_WEIGHT] = ST_F_CHECK_STATUS, |
1317 | [ST_F_ACT] = 0, |
1318 | [ST_F_BCK] = 0, |
1319 | [ST_F_CHKFAIL] = ST_F_CHKDOWN, |
1320 | @@ -385,9 +391,9 @@ const int promex_srv_metrics[ST_F_TOTAL_FIELDS] = { |
1321 | [ST_F_RATE] = 0, |
1322 | [ST_F_RATE_LIM] = 0, |
1323 | [ST_F_RATE_MAX] = ST_F_LASTSESS, |
1324 | - [ST_F_CHECK_STATUS] = 0, |
1325 | - [ST_F_CHECK_CODE] = 0, |
1326 | - [ST_F_CHECK_DURATION] = 0, |
1327 | + [ST_F_CHECK_STATUS] = ST_F_CHECK_CODE, |
1328 | + [ST_F_CHECK_CODE] = ST_F_CHECK_DURATION, |
1329 | + [ST_F_CHECK_DURATION] = ST_F_CHKFAIL, |
1330 | [ST_F_HRSP_1XX] = ST_F_HRSP_2XX, |
1331 | [ST_F_HRSP_2XX] = ST_F_HRSP_3XX, |
1332 | [ST_F_HRSP_3XX] = ST_F_HRSP_4XX, |
1333 | @@ -450,6 +456,7 @@ const struct ist promex_inf_metric_names[INF_TOTAL_FIELDS] = { |
1334 | [INF_NAME] = IST("name"), |
1335 | [INF_VERSION] = IST("version"), |
1336 | [INF_RELEASE_DATE] = IST("release_date"), |
1337 | + [INF_BUILD_INFO] = IST("build_info"), |
1338 | [INF_NBTHREAD] = IST("nbthread"), |
1339 | [INF_NBPROC] = IST("nbproc"), |
1340 | [INF_PROCESS_NUM] = IST("relative_process_id"), |
1341 | @@ -484,7 +491,7 @@ const struct ist promex_inf_metric_names[INF_TOTAL_FIELDS] = { |
1342 | [INF_MAX_SSL_RATE] = IST("max_ssl_rate"), |
1343 | [INF_SSL_FRONTEND_KEY_RATE] = IST("current_frontend_ssl_key_rate"), |
1344 | [INF_SSL_FRONTEND_MAX_KEY_RATE] = IST("max_frontend_ssl_key_rate"), |
1345 | - [INF_SSL_FRONTEND_SESSION_REUSE_PCT] = IST("frontent_ssl_reuse"), |
1346 | + [INF_SSL_FRONTEND_SESSION_REUSE_PCT] = IST("frontend_ssl_reuse"), |
1347 | [INF_SSL_BACKEND_KEY_RATE] = IST("current_backend_ssl_key_rate"), |
1348 | [INF_SSL_BACKEND_MAX_KEY_RATE] = IST("max_backend_ssl_key_rate"), |
1349 | [INF_SSL_CACHE_LOOKUPS] = IST("ssl_cache_lookups_total"), |
1350 | @@ -549,7 +556,7 @@ const struct ist promex_st_metric_names[ST_F_TOTAL_FIELDS] = { |
1351 | [ST_F_RATE_MAX] = IST("max_session_rate"), |
1352 | [ST_F_CHECK_STATUS] = IST("check_status"), |
1353 | [ST_F_CHECK_CODE] = IST("check_code"), |
1354 | - [ST_F_CHECK_DURATION] = IST("check_duration_milliseconds"), |
1355 | + [ST_F_CHECK_DURATION] = IST("check_duration_seconds"), |
1356 | [ST_F_HRSP_1XX] = IST("http_responses_total"), |
1357 | [ST_F_HRSP_2XX] = IST("http_responses_total"), |
1358 | [ST_F_HRSP_3XX] = IST("http_responses_total"), |
1359 | @@ -611,7 +618,8 @@ const struct ist promex_st_metric_names[ST_F_TOTAL_FIELDS] = { |
1360 | const struct ist promex_inf_metric_desc[INF_TOTAL_FIELDS] = { |
1361 | [INF_NAME] = IST("Product name."), |
1362 | [INF_VERSION] = IST("HAProxy version."), |
1363 | - [INF_RELEASE_DATE] = IST("HAProxy realease date."), |
1364 | + [INF_RELEASE_DATE] = IST("HAProxy release date."), |
1365 | + [INF_BUILD_INFO] = IST("HAProxy build info."), |
1366 | [INF_NBTHREAD] = IST("Configured number of threads."), |
1367 | [INF_NBPROC] = IST("Configured number of processes."), |
1368 | [INF_PROCESS_NUM] = IST("Relative process id, starting at 1."), |
1369 | @@ -709,9 +717,9 @@ const struct ist promex_st_metric_desc[ST_F_TOTAL_FIELDS] = { |
1370 | [ST_F_RATE] = IST("Current number of sessions per second over last elapsed second."), |
1371 | [ST_F_RATE_LIM] = IST("Configured limit on new sessions per second."), |
1372 | [ST_F_RATE_MAX] = IST("Maximum observed number of sessions per second."), |
1373 | - [ST_F_CHECK_STATUS] = IST("Status of last health check (If a check is running, the status will be reported, prefixed with '* ')."), |
1374 | + [ST_F_CHECK_STATUS] = IST("Status of last health check (HCHK_STATUS_* values)."), |
1375 | [ST_F_CHECK_CODE] = IST("layer5-7 code, if available of the last health check."), |
1376 | - [ST_F_CHECK_DURATION] = IST("Time in ms took to finish last health check."), |
1377 | + [ST_F_CHECK_DURATION] = IST("Total duration of the latest server health check, in seconds."), |
1378 | [ST_F_HRSP_1XX] = IST("Total number of HTTP responses."), |
1379 | [ST_F_HRSP_2XX] = IST("Total number of HTTP responses."), |
1380 | [ST_F_HRSP_3XX] = IST("Total number of HTTP responses."), |
1381 | @@ -774,6 +782,7 @@ const struct ist promex_inf_metric_labels[INF_TOTAL_FIELDS] = { |
1382 | [INF_NAME] = IST(""), |
1383 | [INF_VERSION] = IST(""), |
1384 | [INF_RELEASE_DATE] = IST(""), |
1385 | + [INF_BUILD_INFO] = IST(PROMEX_BUILDINFO_LABEL), |
1386 | [INF_NBTHREAD] = IST(""), |
1387 | [INF_NBPROC] = IST(""), |
1388 | [INF_PROCESS_NUM] = IST(""), |
1389 | @@ -930,6 +939,7 @@ const struct ist promex_inf_metric_types[INF_TOTAL_FIELDS] = { |
1390 | [INF_NAME] = IST("untyped"), |
1391 | [INF_VERSION] = IST("untyped"), |
1392 | [INF_RELEASE_DATE] = IST("untyped"), |
1393 | + [INF_BUILD_INFO] = IST("gauge"), |
1394 | [INF_NBTHREAD] = IST("gauge"), |
1395 | [INF_NBPROC] = IST("gauge"), |
1396 | [INF_PROCESS_NUM] = IST("gauge"), |
1397 | @@ -1027,8 +1037,8 @@ const struct ist promex_st_metric_types[ST_F_TOTAL_FIELDS] = { |
1398 | [ST_F_RATE] = IST("untyped"), |
1399 | [ST_F_RATE_LIM] = IST("gauge"), |
1400 | [ST_F_RATE_MAX] = IST("gauge"), |
1401 | - [ST_F_CHECK_STATUS] = IST("untyped"), |
1402 | - [ST_F_CHECK_CODE] = IST("untyped"), |
1403 | + [ST_F_CHECK_STATUS] = IST("gauge"), |
1404 | + [ST_F_CHECK_CODE] = IST("gauge"), |
1405 | [ST_F_CHECK_DURATION] = IST("gauge"), |
1406 | [ST_F_HRSP_1XX] = IST("counter"), |
1407 | [ST_F_HRSP_2XX] = IST("counter"), |
1408 | @@ -1269,6 +1279,9 @@ static int promex_dump_global_metrics(struct appctx *appctx, struct htx *htx) |
1409 | #endif |
1410 | while (appctx->st2 && appctx->st2 < INF_TOTAL_FIELDS) { |
1411 | switch (appctx->st2) { |
1412 | + case INF_BUILD_INFO: |
1413 | + metric = mkf_u32(FN_GAUGE, 1); |
1414 | + break; |
1415 | case INF_NBTHREAD: |
1416 | metric = mkf_u32(FO_CONFIG|FS_SERVICE, global.nbthread); |
1417 | break; |
1418 | @@ -2012,6 +2025,22 @@ static int promex_dump_srv_metrics(struct appctx *appctx, struct htx *htx) |
1419 | weight = (sv->cur_eweight * px->lbprm.wmult + px->lbprm.wdiv - 1) / px->lbprm.wdiv; |
1420 | metric = mkf_u32(FN_AVG, weight); |
1421 | break; |
1422 | + case ST_F_CHECK_STATUS: |
1423 | + if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) != CHK_ST_ENABLED) |
1424 | + goto next_sv; |
1425 | + metric = mkf_u32(FN_OUTPUT, sv->check.status); |
1426 | + break; |
1427 | + case ST_F_CHECK_CODE: |
1428 | + if ((sv->check.state & (CHK_ST_ENABLED|CHK_ST_PAUSED)) != CHK_ST_ENABLED) |
1429 | + goto next_sv; |
1430 | + metric = mkf_u32(FN_OUTPUT, (sv->check.status < HCHK_STATUS_L57DATA) ? 0 : sv->check.code); |
1431 | + break; |
1432 | + case ST_F_CHECK_DURATION: |
1433 | + if (sv->check.status < HCHK_STATUS_CHECKED) |
1434 | + goto next_sv; |
1435 | + secs = (double)sv->check.duration / 1000.0; |
1436 | + metric = mkf_flt(FN_DURATION, secs); |
1437 | + break; |
1438 | case ST_F_CHKFAIL: |
1439 | metric = mkf_u64(FN_COUNTER, sv->counters.failed_checks); |
1440 | break; |
1441 | @@ -2113,13 +2142,12 @@ static int promex_dump_srv_metrics(struct appctx *appctx, struct htx *htx) |
1442 | static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *si, struct htx *htx) |
1443 | { |
1444 | int ret; |
1445 | - int flags = appctx->ctx.stats.flags; |
1446 | |
1447 | switch (appctx->st1) { |
1448 | case PROMEX_DUMPER_INIT: |
1449 | appctx->ctx.stats.px = NULL; |
1450 | appctx->ctx.stats.sv = NULL; |
1451 | - appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC); |
1452 | + appctx->ctx.stats.flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC); |
1453 | appctx->st2 = promex_global_metrics[INF_NAME]; |
1454 | appctx->st1 = PROMEX_DUMPER_GLOBAL; |
1455 | /* fall through */ |
1456 | @@ -2136,7 +2164,8 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s |
1457 | |
1458 | appctx->ctx.stats.px = proxies_list; |
1459 | appctx->ctx.stats.sv = NULL; |
1460 | - appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC); |
1461 | + appctx->ctx.stats.flags &= ~PROMEX_FL_INFO_METRIC; |
1462 | + appctx->ctx.stats.flags |= (PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC); |
1463 | appctx->st2 = promex_front_metrics[ST_F_PXNAME]; |
1464 | appctx->st1 = PROMEX_DUMPER_FRONT; |
1465 | /* fall through */ |
1466 | @@ -2153,7 +2182,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s |
1467 | |
1468 | appctx->ctx.stats.px = proxies_list; |
1469 | appctx->ctx.stats.sv = NULL; |
1470 | - appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC); |
1471 | + appctx->ctx.stats.flags |= PROMEX_FL_METRIC_HDR; |
1472 | appctx->st2 = promex_back_metrics[ST_F_PXNAME]; |
1473 | appctx->st1 = PROMEX_DUMPER_BACK; |
1474 | /* fall through */ |
1475 | @@ -2170,7 +2199,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s |
1476 | |
1477 | appctx->ctx.stats.px = proxies_list; |
1478 | appctx->ctx.stats.sv = (appctx->ctx.stats.px ? appctx->ctx.stats.px->srv : NULL); |
1479 | - appctx->ctx.stats.flags = (flags|PROMEX_FL_METRIC_HDR|PROMEX_FL_STATS_METRIC); |
1480 | + appctx->ctx.stats.flags |= PROMEX_FL_METRIC_HDR; |
1481 | appctx->st2 = promex_srv_metrics[ST_F_PXNAME]; |
1482 | appctx->st1 = PROMEX_DUMPER_SRV; |
1483 | /* fall through */ |
1484 | @@ -2187,7 +2216,7 @@ static int promex_dump_metrics(struct appctx *appctx, struct stream_interface *s |
1485 | |
1486 | appctx->ctx.stats.px = NULL; |
1487 | appctx->ctx.stats.sv = NULL; |
1488 | - appctx->ctx.stats.flags = flags; |
1489 | + appctx->ctx.stats.flags &= ~(PROMEX_FL_METRIC_HDR|PROMEX_FL_INFO_METRIC|PROMEX_FL_STATS_METRIC); |
1490 | appctx->st2 = 0; |
1491 | appctx->st1 = PROMEX_DUMPER_DONE; |
1492 | /* fall through */ |
1493 | @@ -2261,7 +2290,7 @@ static int promex_parse_uri(struct appctx *appctx, struct stream_interface *si) |
1494 | *(p++) = 0; |
1495 | else if (*p == '#') |
1496 | *p = 0; |
1497 | - len = url_decode(key); |
1498 | + len = url_decode(key, 1); |
1499 | if (len == -1) |
1500 | goto error; |
1501 | |
1502 | @@ -2275,7 +2304,7 @@ static int promex_parse_uri(struct appctx *appctx, struct stream_interface *si) |
1503 | *(p++) = 0; |
1504 | else if (*p == '#') |
1505 | *p = 0; |
1506 | - len = url_decode(value); |
1507 | + len = url_decode(value, 1); |
1508 | if (len == -1) |
1509 | goto error; |
1510 | } |
1511 | @@ -2411,6 +2440,7 @@ static void promex_appctx_handle_io(struct appctx *appctx) |
1512 | goto out; |
1513 | } |
1514 | channel_add_input(res, 1); |
1515 | + res->flags |= CF_EOI; |
1516 | appctx->st0 = PROMEX_ST_END; |
1517 | /* fall through */ |
1518 | |
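--- a/contrib/spoa_example/include/mini-clist.h
+++ b/contrib/spoa_example/include/mini-clist.h
@@ -44,7 +44,7 @@ struct list {
 * since it's used only once.
 * Example: LIST_ELEM(cur_node->args.next, struct node *, args)
 */
-#define LIST_ELEM(lh, pt, el) ((pt)(((void *)(lh)) - ((void *)&((pt)NULL)->el)))
+#define LIST_ELEM(lh, pt, el) ((pt)(((const char *)(lh)) - ((size_t)&((pt)NULL)->el)))
 
 /* checks if the list head <lh> is empty or not */
 #define LIST_ISEMPTY(lh) ((lh)->n == (lh))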
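Review bot: The rewritten `LIST_ELEM` casts `lh` to `const char *` and then converts the result to the non-const `pt`, which silently discards the qualifier it just added and trips `-Wcast-qual` even when `lh` is not const; since the macro yields a writable pointer in any case, `(char *)` is the honest cast: `#define LIST_ELEM(lh, pt, el) ((pt)(((char *)(lh)) - ((size_t)&((pt)NULL)->el)))`. The `(size_t)&((pt)NULL)->el` term is the classic pre-`offsetof` trick and cannot be swapped for `offsetof` here because the macro receives a pointer type rather than the struct tag, so a one-line comment saying so would save the next reader from "fixing" it: `/* &((pt)NULL)->el is the member offset; offsetof() needs the struct type, which this macro does not get */`.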
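--- a/contrib/spoa_server/README
+++ b/contrib/spoa_server/README
@@ -11,7 +11,7 @@ is done.
 Compilation
 ---------------
 
-Actually, the server support Lua and Python. Type "make" with the options:
+The server currently supports Lua and Python. Type "make" with the options:
 USE_LUA=1 and/or USE_PYTHON=1.
 
 
@@ -66,7 +66,7 @@ Main process:
 
 Python:
 
- * Improve repporting: Catch python error message and repport it in the right
+ * Improve reporting: Catch python error message and report it in the right
 place. Today the error are dumped on stdout. How using syslog for logging
 stack traces ?
 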
1554 | diff --git a/contrib/spoa_server/ps_python.c b/contrib/spoa_server/ps_python.c |
1555 | index 0a9fbff..7eadef6 100644 |
1556 | --- a/contrib/spoa_server/ps_python.c |
1557 | +++ b/contrib/spoa_server/ps_python.c |
1558 | @@ -29,7 +29,7 @@ static PyObject *module_ipaddress; |
1559 | static PyObject *ipv4_address; |
1560 | static PyObject *ipv6_address; |
1561 | static PyObject *spoa_error; |
1562 | -static PyObject *empty_array; |
1563 | +static PyObject *empty_tuple; |
1564 | static struct worker *worker; |
1565 | |
1566 | static int ps_python_start_worker(struct worker *w); |
1567 | @@ -54,7 +54,7 @@ static PyObject *ps_python_register_message(PyObject *self, PyObject *args) |
1568 | |
1569 | ps_register_message(&ps_python_bindings, name, (void *)ref); |
1570 | |
1571 | - return Py_None; |
1572 | + Py_RETURN_NONE; |
1573 | } |
1574 | |
1575 | static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args) |
1576 | @@ -66,10 +66,10 @@ static PyObject *ps_python_set_var_null(PyObject *self, PyObject *args) |
1577 | if (!PyArg_ParseTuple(args, "s#i", &name, &name_len, &scope)) |
1578 | return NULL; |
1579 | if (!set_var_null(worker, name, name_len, scope)) { |
1580 | - PyErr_SetString(spoa_error, "No space left available"); |
1581 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1582 | return NULL; |
1583 | } |
1584 | - return Py_None; |
1585 | + Py_RETURN_NONE; |
1586 | } |
1587 | |
1588 | static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args) |
1589 | @@ -82,10 +82,10 @@ static PyObject *ps_python_set_var_boolean(PyObject *self, PyObject *args) |
1590 | if (!PyArg_ParseTuple(args, "s#ii", &name, &name_len, &scope, &value)) |
1591 | return NULL; |
1592 | if (!set_var_bool(worker, name, name_len, scope, value)) { |
1593 | - PyErr_SetString(spoa_error, "No space left available"); |
1594 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1595 | return NULL; |
1596 | } |
1597 | - return Py_None; |
1598 | + Py_RETURN_NONE; |
1599 | } |
1600 | |
1601 | static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args) |
1602 | @@ -98,10 +98,10 @@ static PyObject *ps_python_set_var_int32(PyObject *self, PyObject *args) |
1603 | if (!PyArg_ParseTuple(args, "s#ii", &name, &name_len, &scope, &value)) |
1604 | return NULL; |
1605 | if (!set_var_int32(worker, name, name_len, scope, value)) { |
1606 | - PyErr_SetString(spoa_error, "No space left available"); |
1607 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1608 | return NULL; |
1609 | } |
1610 | - return Py_None; |
1611 | + Py_RETURN_NONE; |
1612 | } |
1613 | |
1614 | static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args) |
1615 | @@ -114,10 +114,10 @@ static PyObject *ps_python_set_var_uint32(PyObject *self, PyObject *args) |
1616 | if (!PyArg_ParseTuple(args, "s#iI", &name, &name_len, &scope, &value)) |
1617 | return NULL; |
1618 | if (!set_var_uint32(worker, name, name_len, scope, value)) { |
1619 | - PyErr_SetString(spoa_error, "No space left available"); |
1620 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1621 | return NULL; |
1622 | } |
1623 | - return Py_None; |
1624 | + Py_RETURN_NONE; |
1625 | } |
1626 | |
1627 | static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args) |
1628 | @@ -130,10 +130,10 @@ static PyObject *ps_python_set_var_int64(PyObject *self, PyObject *args) |
1629 | if (!PyArg_ParseTuple(args, "s#il", &name, &name_len, &scope, &value)) |
1630 | return NULL; |
1631 | if (!set_var_int64(worker, name, name_len, scope, value)) { |
1632 | - PyErr_SetString(spoa_error, "No space left available"); |
1633 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1634 | return NULL; |
1635 | } |
1636 | - return Py_None; |
1637 | + Py_RETURN_NONE; |
1638 | } |
1639 | |
1640 | static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args) |
1641 | @@ -146,10 +146,10 @@ static PyObject *ps_python_set_var_uint64(PyObject *self, PyObject *args) |
1642 | if (!PyArg_ParseTuple(args, "s#ik", &name, &name_len, &scope, &value)) |
1643 | return NULL; |
1644 | if (!set_var_uint64(worker, name, name_len, scope, value)) { |
1645 | - PyErr_SetString(spoa_error, "No space left available"); |
1646 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1647 | return NULL; |
1648 | } |
1649 | - return Py_None; |
1650 | + Py_RETURN_NONE; |
1651 | } |
1652 | |
1653 | static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) |
1654 | @@ -172,15 +172,17 @@ static PyObject *ps_python_set_var_ipv4(PyObject *self, PyObject *args) |
1655 | if (value == NULL) |
1656 | return NULL; |
1657 | if (PyString_GET_SIZE(value) != sizeof(ip)) { |
1658 | - PyErr_Format(spoa_error, "UPv6 manipulation internal error"); |
1659 | + PyErr_Format(spoa_error, "IPv4 manipulation internal error"); |
1660 | return NULL; |
1661 | } |
1662 | memcpy(&ip, PyString_AS_STRING(value), PyString_GET_SIZE(value)); |
1663 | if (!set_var_ipv4(worker, name, name_len, scope, &ip)) { |
1664 | - PyErr_SetString(spoa_error, "No space left available"); |
1665 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1666 | return NULL; |
1667 | } |
1668 | - return Py_None; |
1669 | + /* Once we set the IP value in the worker, we don't need it anymore... */ |
1670 | + Py_XDECREF(value); |
1671 | + Py_RETURN_NONE; |
1672 | } |
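Review bot: The added `Py_XDECREF(value)` releases `value` only on the success path; the two error returns just above it (the `PyString_GET_SIZE(value) != sizeof(ip)` check and the `set_var_ipv4()` failure) still `return NULL` without dropping it, so if `value` is a new reference, as the added decref implies, both paths leak it. Add `Py_DECREF(value);` before each of those `return NULL;`, and on the success path plain `Py_DECREF(value);` is enough since `value` was already NULL-checked at the top of the hunk. The ipv6 hunk below has exactly the same shape and needs the same two releases. The body of `ps_python_set_var_ipv4` starts outside the hunk, so the origin of `value` is not visible here.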
1673 | |
1674 | static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) |
1675 | @@ -203,15 +205,17 @@ static PyObject *ps_python_set_var_ipv6(PyObject *self, PyObject *args) |
1676 | if (value == NULL) |
1677 | return NULL; |
1678 | if (PyString_GET_SIZE(value) != sizeof(ip)) { |
1679 | - PyErr_Format(spoa_error, "UPv6 manipulation internal error"); |
1680 | + PyErr_Format(spoa_error, "IPv6 manipulation internal error"); |
1681 | return NULL; |
1682 | } |
1683 | memcpy(&ip, PyString_AS_STRING(value), PyString_GET_SIZE(value)); |
1684 | if (!set_var_ipv6(worker, name, name_len, scope, &ip)) { |
1685 | - PyErr_SetString(spoa_error, "No space left available"); |
1686 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1687 | return NULL; |
1688 | } |
1689 | - return Py_None; |
1690 | + /* Once we set the IP value in the worker, we don't need it anymore... */ |
1691 | + Py_XDECREF(value); |
1692 | + Py_RETURN_NONE; |
1693 | } |
1694 | |
1695 | static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args) |
1696 | @@ -225,10 +229,10 @@ static PyObject *ps_python_set_var_str(PyObject *self, PyObject *args) |
1697 | if (!PyArg_ParseTuple(args, "s#is#", &name, &name_len, &scope, &value, &value_len)) |
1698 | return NULL; |
1699 | if (!set_var_string(worker, name, name_len, scope, value, value_len)) { |
1700 | - PyErr_SetString(spoa_error, "No space left available"); |
1701 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1702 | return NULL; |
1703 | } |
1704 | - return Py_None; |
1705 | + Py_RETURN_NONE; |
1706 | } |
1707 | |
1708 | static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args) |
1709 | @@ -242,10 +246,10 @@ static PyObject *ps_python_set_var_bin(PyObject *self, PyObject *args) |
1710 | if (!PyArg_ParseTuple(args, "s#is#", &name, &name_len, &scope, &value, &value_len)) |
1711 | return NULL; |
1712 | if (!set_var_bin(worker, name, name_len, scope, value, value_len)) { |
1713 | - PyErr_SetString(spoa_error, "No space left available"); |
1714 | + PyErr_SetString(spoa_error, "No more memory space available"); |
1715 | return NULL; |
1716 | } |
1717 | - return Py_None; |
1718 | + Py_RETURN_NONE; |
1719 | } |
1720 | |
1721 | |
1722 | @@ -300,25 +304,42 @@ static int ps_python_start_worker(struct worker *w) |
1723 | |
1724 | ipv4_address = PyObject_GetAttrString(module_ipaddress, "IPv4Address"); |
1725 | if (ipv4_address == NULL) { |
1726 | + Py_DECREF(module_ipaddress); |
1727 | PyErr_Print(); |
1728 | return 0; |
1729 | } |
1730 | |
1731 | ipv6_address = PyObject_GetAttrString(module_ipaddress, "IPv6Address"); |
1732 | - if (ipv4_address == NULL) { |
1733 | + if (ipv6_address == NULL) { |
1734 | + Py_DECREF(ipv4_address); |
1735 | + Py_DECREF(module_ipaddress); |
1736 | PyErr_Print(); |
1737 | return 0; |
1738 | } |
1739 | |
1740 | m = Py_InitModule("spoa", spoa_methods); |
1741 | if (m == NULL) { |
1742 | + Py_DECREF(ipv4_address); |
1743 | + Py_DECREF(ipv6_address); |
1744 | + Py_DECREF(module_ipaddress); |
1745 | PyErr_Print(); |
1746 | return 0; |
1747 | } |
1748 | |
1749 | spoa_error = PyErr_NewException("spoa.error", NULL, NULL); |
1750 | + /* PyModule_AddObject will steal the reference to spoa_error |
1751 | + * in case of success only |
1752 | + * We need to increment the counters to continue using it |
1753 | + * but cleanup in case of failure |
1754 | + */ |
1755 | Py_INCREF(spoa_error); |
1756 | - PyModule_AddObject(m, "error", spoa_error); |
1757 | + ret = PyModule_AddObject(m, "error", spoa_error); |
1758 | + if (ret == -1) { |
1759 | + Py_DECREF(m); |
1760 | + Py_DECREF(spoa_error); |
1761 | + PyErr_Print(); |
1762 | + return 0; |
1763 | + } |
1764 | |
1765 | |
1766 | value = PyLong_FromLong(SPOE_SCOPE_PROC); |
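Review bot: The new error path after `PyModule_AddObject(m, "error", spoa_error)` calls `Py_DECREF(m)`, but `m` comes from `Py_InitModule()` a few lines above, and under the Python 2 API this file targets (`Py_InitModule`, `PyString_*`) that function returns a borrowed reference owned by the interpreter, so dropping it over-releases the module; the same `Py_DECREF(m)` is repeated in every failure branch of the next hunk. The worker aborts right after, which bounds the damage, but those decrefs on `m` should go, or the module should be created through an API that hands back a new reference. Separately, `spoa_error` from `PyErr_NewException()` is still passed to `Py_INCREF` without a NULL check, and on the failure path the extra `Py_INCREF` means the single `Py_DECREF(spoa_error)` leaves one reference behind. `ps_python_start_worker` continues outside the hunk.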
1767 | @@ -329,60 +350,74 @@ static int ps_python_start_worker(struct worker *w) |
1768 | |
1769 | ret = PyModule_AddObject(m, "scope_proc", value); |
1770 | if (ret == -1) { |
1771 | + Py_DECREF(m); |
1772 | + Py_DECREF(value); |
1773 | PyErr_Print(); |
1774 | return 0; |
1775 | } |
1776 | |
1777 | value = PyLong_FromLong(SPOE_SCOPE_SESS); |
1778 | if (value == NULL) { |
1779 | + Py_DECREF(m); |
1780 | PyErr_Print(); |
1781 | return 0; |
1782 | } |
1783 | |
1784 | ret = PyModule_AddObject(m, "scope_sess", value); |
1785 | if (ret == -1) { |
1786 | + Py_DECREF(m); |
1787 | + Py_DECREF(value); |
1788 | PyErr_Print(); |
1789 | return 0; |
1790 | } |
1791 | |
1792 | value = PyLong_FromLong(SPOE_SCOPE_TXN); |
1793 | if (value == NULL) { |
1794 | + Py_DECREF(m); |
1795 | PyErr_Print(); |
1796 | return 0; |
1797 | } |
1798 | |
1799 | ret = PyModule_AddObject(m, "scope_txn", value); |
1800 | if (ret == -1) { |
1801 | + Py_DECREF(m); |
1802 | + Py_DECREF(value); |
1803 | PyErr_Print(); |
1804 | return 0; |
1805 | } |
1806 | |
1807 | value = PyLong_FromLong(SPOE_SCOPE_REQ); |
1808 | if (value == NULL) { |
1809 | + Py_DECREF(m); |
1810 | PyErr_Print(); |
1811 | return 0; |
1812 | } |
1813 | |
1814 | ret = PyModule_AddObject(m, "scope_req", value); |
1815 | if (ret == -1) { |
1816 | + Py_DECREF(m); |
1817 | + Py_DECREF(value); |
1818 | PyErr_Print(); |
1819 | return 0; |
1820 | } |
1821 | |
1822 | value = PyLong_FromLong(SPOE_SCOPE_RES); |
1823 | if (value == NULL) { |
1824 | + Py_DECREF(m); |
1825 | PyErr_Print(); |
1826 | return 0; |
1827 | } |
1828 | |
1829 | ret = PyModule_AddObject(m, "scope_res", value); |
1830 | if (ret == -1) { |
1831 | + Py_DECREF(m); |
1832 | + Py_DECREF(value); |
1833 | PyErr_Print(); |
1834 | return 0; |
1835 | } |
1836 | |
1837 | - empty_array = PyDict_New(); |
1838 | - if (empty_array == NULL) { |
1839 | + empty_tuple = PyTuple_New(0); |
1840 | + if (empty_tuple == NULL) { |
1841 | PyErr_Print(); |
1842 | return 0; |
1843 | } |
1844 | @@ -445,7 +480,6 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1845 | ent = PyDict_New(); |
1846 | if (ent == NULL) { |
1847 | Py_DECREF(kw_args); |
1848 | - Py_DECREF(ent); |
1849 | PyErr_Print(); |
1850 | return 0; |
1851 | } |
1852 | @@ -455,6 +489,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1853 | key = PyString_FromString("name"); |
1854 | if (key == NULL) { |
1855 | Py_DECREF(kw_args); |
1856 | + Py_DECREF(ent); |
1857 | PyErr_Print(); |
1858 | return 0; |
1859 | } |
1860 | @@ -478,7 +513,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1861 | return 0; |
1862 | } |
1863 | |
1864 | - /* Create th value entry */ |
1865 | + /* Create the value entry */ |
1866 | |
1867 | key = PyString_FromString("value"); |
1868 | if (key == NULL) { |
1869 | @@ -490,6 +525,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1870 | |
1871 | switch (args[i].value.type) { |
1872 | case SPOE_DATA_T_NULL: |
1873 | + Py_INCREF(Py_None); |
1874 | value = Py_None; |
1875 | break; |
1876 | case SPOE_DATA_T_BOOL: |
1877 | @@ -520,6 +556,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1878 | if (func == NULL) { |
1879 | Py_DECREF(kw_args); |
1880 | Py_DECREF(ent); |
1881 | + Py_DECREF(key); |
1882 | PyErr_Print(); |
1883 | return 0; |
1884 | } |
1885 | @@ -527,6 +564,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1886 | if (ip_dict == NULL) { |
1887 | Py_DECREF(kw_args); |
1888 | Py_DECREF(ent); |
1889 | + Py_DECREF(key); |
1890 | Py_DECREF(func); |
1891 | PyErr_Print(); |
1892 | return 0; |
1893 | @@ -535,6 +573,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1894 | if (ip_name == NULL) { |
1895 | Py_DECREF(kw_args); |
1896 | Py_DECREF(ent); |
1897 | + Py_DECREF(key); |
1898 | Py_DECREF(func); |
1899 | Py_DECREF(ip_dict); |
1900 | PyErr_Print(); |
1901 | @@ -544,6 +583,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1902 | if (ip_value == NULL) { |
1903 | Py_DECREF(kw_args); |
1904 | Py_DECREF(ent); |
1905 | + Py_DECREF(key); |
1906 | Py_DECREF(func); |
1907 | Py_DECREF(ip_dict); |
1908 | Py_DECREF(ip_name); |
1909 | @@ -554,11 +594,15 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1910 | Py_DECREF(ip_name); |
1911 | Py_DECREF(ip_value); |
1912 | if (ret == -1) { |
1913 | + Py_DECREF(kw_args); |
1914 | + Py_DECREF(ent); |
1915 | + Py_DECREF(key); |
1916 | + Py_DECREF(func); |
1917 | Py_DECREF(ip_dict); |
1918 | PyErr_Print(); |
1919 | return 0; |
1920 | } |
1921 | - value = PyObject_Call(func, empty_array, ip_dict); |
1922 | + value = PyObject_Call(func, empty_tuple, ip_dict); |
1923 | Py_DECREF(func); |
1924 | Py_DECREF(ip_dict); |
1925 | break; |
1926 | @@ -570,6 +614,7 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1927 | value = PyString_FromStringAndSize(args[i].value.u.buffer.str, args[i].value.u.buffer.len); |
1928 | break; |
1929 | default: |
1930 | + Py_INCREF(Py_None); |
1931 | value = Py_None; |
1932 | break; |
1933 | } |
1934 | @@ -628,11 +673,13 @@ static int ps_python_exec_message(struct worker *w, void *ref, int nargs, struct |
1935 | return 0; |
1936 | } |
1937 | |
1938 | - result = PyObject_Call(python_ref, empty_array, fkw); |
1939 | + result = PyObject_Call(python_ref, empty_tuple, fkw); |
1940 | + Py_DECREF(fkw); |
1941 | if (result == NULL) { |
1942 | PyErr_Print(); |
1943 | return 0; |
1944 | } |
1945 | + Py_DECREF(result); |
1946 | |
1947 | return 1; |
1948 | } |
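--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -1,14 +1,15 @@
 [Unit]
 Description=HAProxy Load Balancer
-After=network.target
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 EnvironmentFile=-/etc/default/haproxy
 EnvironmentFile=-/etc/sysconfig/haproxy
 Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
-ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q $EXTRAOPTS
+ExecStartPre=@SBINDIR@/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
 ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
-ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q $EXTRAOPTS
+ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
 ExecReload=/bin/kill -USR2 $MAINPID
 KillMode=mixed
 Restart=always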
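--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+haproxy (2.0.29-0ubuntu1) focal; urgency=medium
+
+ * New upstream release (LP: #1987914).
+ - Refresh haproxy.service-*.patch.
+ - Remove patches applied by upstream in debian/patches:
+ + 0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
+ + 0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
+ + 2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
+ + CVE-2022-0711.patch
+ + lp1894879-BUG-MEDIUM-dns-*.patch
+
+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 26 Aug 2022 17:07:24 -0300
+
 haproxy (2.0.13-2ubuntu0.5) focal-security; urgency=medium
 
 * SECURITY UPDATE: infinite loop via Set-Cookie2 header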
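--- a/debian/patches/0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 86f4f281efb933900ebcc4fdaef95f566382d907 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Thu, 26 Aug 2021 16:23:37 +0200
-Subject: BUG/MAJOR: htx: fix missing header name length check in
- htx_add_header/trailer
-
-Shachar Menashe for JFrog Security reported that htx_add_header() and
-htx_add_trailer() were missing a length check on the header name. While
-this does not allow to overwrite any memory area, it results in bits of
-the header name length to slip into the header value length and may
-result in forging certain header names on the input. The sad thing here
-is that a FIXME comment was present suggesting to add the required length
-checks :-(
-
-The injected headers are visible to the HTTP internals and to the config
-rules, so haproxy will generally stay synchronized with the server. But
-there is one exception which is the content-length header field, because
-it is already deduplicated on the input, but before being indexed. As
-such, injecting a content-length header after the deduplication stage
-may be abused to present a different, shorter one on the other side and
-help build a request smuggling attack, or even maybe a response splitting
-attack.
-
-As a mitigation measure, it is sufficient to verify that no more than
-one such header is present in any message, which is normally the case
-thanks to the duplicate checks:
-
- http-request deny if { req.hdr_cnt(content-length) gt 1 }
- http-response deny if { res.hdr_cnt(content-length) gt 1 }
-
-This must be backported to all HTX-enabled versions, hence as far as 2.0.
-In 2.3 and earlier, the functions are in src/htx.c instead.
-
-Many thanks to Shachar for his work and his responsible report!
-
-[wt: code is in src/htx.c in 2.3 and older]
-Signed-off-by: Willy Tarreau <w@1wt.eu>
---
- src/htx.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/src/htx.c
-+++ b/src/htx.c
-@@ -846,7 +846,9 @@ struct htx_blk *htx_add_header(struct ht
- {
- struct htx_blk *blk;
-
-- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
-+ if (name.len > 255 || value.len > 1048575)
-+ return NULL;
-+
- blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len);
- if (!blk)
- return NULL;
-@@ -865,7 +867,9 @@ struct htx_blk *htx_add_trailer(struct h
- {
- struct htx_blk *blk;
-
-- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
-+ if (name.len > 255 || value.len > 1048575)
-+ return NULL;
-+
- blk = htx_add_blk(htx, HTX_BLK_TLR, name.len + value.len);
- if (!blk)
- return NULL;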
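--- a/debian/patches/0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 29 Mar 2020 08:53:31 +0200
-Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
- wrapping
-
-The HPACK header table is implemented as a wrapping list inside a contigous
-area. Headers names and values are stored from right to left while indexes
-are stored from left to right. When there's no more room to store a new one,
-we wrap to the right again, or possibly defragment it if needed. The condition
-do use the right part (called tailroom) or the left part (called headroom)
-depends on the location of the last inserted header. After wrapping happens,
-the code forces to stick to tailroom by pretending there's no more headroom,
-so that the size fit test always fails. The problem is that nothing prevents
-from storing a header with an empty name and empty value, resulting in a
-total size of zero bytes, which satisfies the condition to use the headroom.
-Doing this in a wrapped buffer results in changing the "front" header index
-and causing miscalculations on the available size and the addresses of the
-next headers. This may even allow to overwrite some parts of the index,
-opening the possibility to perform arbitrary writes into a 32-bit relative
-address space.
-
-This patch fixes the issue by making sure the headroom is considered only
-when the buffer does not wrap, instead of relying on the zero size. This
-must be backported to all versions supporting H2, which is as far as 1.8.
-
-Many thanks to Felix Wilhelm of Google Project Zero for responsibly
-reporting this problem with a reproducer and a detailed analysis.
----
- src/hpack-tbl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
-index 70d7f35834..727ff7a17b 100644
---- a/src/hpack-tbl.c
-+++ b/src/hpack-tbl.c
-@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
- * room left in the tail to suit the protocol, but tests show that in
- * practice it almost never happens in other situations so the extra
- * test is useless and we simply fill the headroom as long as it's
-- * available.
-+ * available and we don't wrap.
- */
-- if (headroom >= name.len + value.len) {
-+ if (prev == dht->front && headroom >= name.len + value.len) {
- /* install upfront and update ->front */
- dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
- dht->front = head;
---
-2.20.1
-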
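--- a/debian/patches/2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 08f7092fa046b115285bfb0df276a5d1b6d52d37 Mon Sep 17 00:00:00 2001
-Date: Wed, 11 Aug 2021 11:12:46 +0200
-Subject: BUG/MAJOR: h2: enforce checks on the method syntax before translating
- to HTX
-MIME-Version: 1.0
-Content-Type: text/plain; charset=latin1
-Content-Transfer-Encoding: 8bit
-
-The situation with message components in H2 is always troubling. They're
-produced by the HPACK layer which contains a dictionary of well-known
-hardcoded values, yet wants to remain binary transparent and protocol-
-agnostic with HTTP just being one user, yet at the H2 layer we're
-supposed to enforce some checks on some selected pseudo-headers that
-come from internal constants... The :method pseudo-header is no exception
-and is not tested when coming from the HPACK layer. This makes it possible
-to pass random chars into methods, that can be serialized on another H2
-connection (where they would not harm), or worse, on an H1 connection
-where they can be used to transform the forwareded request. This is
-similar to the request line injection described here:
-
- https://portswigger.net/research/http2
-
-A workaround here is to reject malformed methods by placing this rule
-in the frontend or backend, at least before leaving haproxy in H1:
-
- http-request reject if { method -m reg [^A-Z0-9] }
-
-Alternately H2 may be globally disabled by commenting out the "alpn"
-directive on "bind" lines, and by rejecting H2 streams creation by
-adding the following statement to the global section:
-
- tune.h2.max-concurrent-streams 0
-
-This patch adds a check for each character of the method to be part of
-the ones permitted in a token, as mentioned in RFC7231#4.1. This should
-be backported to versions 2.0 and above, maybe even 1.8. For older
-versions not having HTX_FL_PARSING_ERROR, a "goto fail" works as well
-as it results in a protocol error at the stream level. Non-HTX versions
-were initially thought to be safe but must be carefully rechecked since
-they transcode the request into H1 before processing it.
-
-Thanks to Tim D�sterhus for reporting that one.
-
-(cherry picked from commit b4be735a0a7c4a00bf3d774334763536774d7eea)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit 6b827f661374704e91322a82197bbfbfbf910f70)
-[wt: adapted since no meth_sl in 2.3]
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit fbeb053d1a83faedbf3edbe04bde39bc7304cddd)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit c91c37a122784de872b79ec6832fe8a9cfe675e0)
-[wt: context adjustment; non-htx is safe since nul/cr/lf forbidden
- in any header, and other invalid chars blocked by H1 parser]
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/h2.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/h2.c b/src/h2.c
-index 719b1743b..bfc0bdafe 100644
---- a/src/h2.c
-+++ b/src/h2.c
-@@ -571,6 +571,14 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
- }
- }
-
-+ /* The method is a non-empty token (RFC7231#4.1) */
-+ if (!phdr[H2_PHDR_IDX_METH].len)
-+ goto fail;
-+ for (i = 0; i < phdr[H2_PHDR_IDX_METH].len; i++) {
-+ if (!HTTP_IS_TOKEN(phdr[H2_PHDR_IDX_METH].ptr[i]))
-+ htx->flags |= HTX_FL_PARSING_ERROR;
-+ }
-+
- /* 7540#8.1.2.3: :path must not be empty */
- if (!phdr[uri_idx].len)
- goto fail;
---
-2.28.0
-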
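--- a/debian/patches/CVE-2022-0711.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Backport of:
-
-From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
-From: Andrew McDermott <aim@frobware.com>
-Date: Fri, 11 Feb 2022 18:26:49 +0000
-Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
- http_manage_server_side_cookies
-
-Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
-header is found then the while(1) loop in
-http_manage_server_side_cookies() will never terminate, resulting in
-the watchdog firing and the process terminating via SIGABRT.
-
-The while(1) loop becomes unbounded because an unmatched call to
-http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
-calls to check for "Set-Cookie2" will now enumerate from the beginning
-of all the blocks and will once again match on subsequent
-passes (assuming a match first time around), hence the loop becoming
-unbounded.
-
-This issue was introduced with HTX and this fix should be backported
-to all versions supporting HTX.
-
-Many thanks to Grant Spence (gspence@redhat.com) for working through
-this issue with me.
----
- src/http_ana.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/proto_htx.c
-+++ b/src/proto_htx.c
-@@ -4389,7 +4389,7 @@ static void htx_manage_server_side_cooki
- while (1) {
- int is_first = 1;
-
-- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
-+ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
- if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
- break;
- is_cookie2 = 1;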
2253 | diff --git a/debian/patches/haproxy.service-add-documentation.patch b/debian/patches/haproxy.service-add-documentation.patch |
2254 | index 380b39c..1ebd2f1 100644 |
2255 | --- a/debian/patches/haproxy.service-add-documentation.patch |
2256 | +++ b/debian/patches/haproxy.service-add-documentation.patch |
2257 | @@ -4,13 +4,11 @@ Date: Sun, 25 Mar 2018 11:31:50 +0200 |
2258 | Subject: Add documentation field to the systemd unit |
2259 | |
2260 | Forwarded: no |
2261 | -Last-Update: 2014-01-03 |
2262 | +Last-Update: 2022-08-26 |
2263 | --- |
2264 | contrib/systemd/haproxy.service.in | 2 ++ |
2265 | 1 file changed, 2 insertions(+) |
2266 | |
2267 | -diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in |
2268 | -index 243acf2..ac88c37 100644 |
2269 | --- a/contrib/systemd/haproxy.service.in |
2270 | +++ b/contrib/systemd/haproxy.service.in |
2271 | @@ -1,5 +1,7 @@ |
2272 | @@ -18,6 +16,6 @@ index 243acf2..ac88c37 100644 |
2273 | Description=HAProxy Load Balancer |
2274 | +Documentation=man:haproxy(1) |
2275 | +Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz |
2276 | - After=network.target rsyslog.service |
2277 | + After=network-online.target rsyslog.service |
2278 | + Wants=network-online.target |
2279 | |
2280 | - [Service] |
2281 | diff --git a/debian/patches/haproxy.service-start-after-syslog.patch b/debian/patches/haproxy.service-start-after-syslog.patch |
2282 | index 1e8e1e4..c81cc30 100644 |
2283 | --- a/debian/patches/haproxy.service-start-after-syslog.patch |
2284 | +++ b/debian/patches/haproxy.service-start-after-syslog.patch |
2285 | @@ -8,20 +8,18 @@ trigger syslog activation, we explicitly order HAProxy after rsyslog.service. |
2286 | Note that we are not using syslog.service here, since the additional socket is |
2287 | rsyslog-specific. |
2288 | Forwarded: no |
2289 | -Last-Update: 2017-12-01 |
2290 | +Last-Update: 2022-08-26 |
2291 | --- |
2292 | contrib/systemd/haproxy.service.in | 2 +- |
2293 | 1 file changed, 1 insertion(+), 1 deletion(-) |
2294 | |
2295 | -diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in |
2296 | -index 74e66e3..243acf2 100644 |
2297 | --- a/contrib/systemd/haproxy.service.in |
2298 | +++ b/contrib/systemd/haproxy.service.in |
2299 | @@ -1,6 +1,6 @@ |
2300 | [Unit] |
2301 | Description=HAProxy Load Balancer |
2302 | --After=network.target |
2303 | -+After=network.target rsyslog.service |
2304 | +-After=network-online.target |
2305 | ++After=network-online.target rsyslog.service |
2306 | + Wants=network-online.target |
2307 | |
2308 | [Service] |
2309 | - EnvironmentFile=-/etc/default/haproxy |
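--- a/debian/patches/lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From ef131aee357478c45d547abcb0ab21c2a191f578 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Wed, 22 Jul 2020 11:46:32 +0200
-Subject: [PATCH] BUG/MAJOR: dns: Make the do-resolve action thread-safe
-
-The do-resolve HTTP action, performing a DNS resolution of a sample expression
-output, is not thread-safe at all. The resolver object used to do the resolution
-must be locked when the action is executed or when the stream is released
-because its curr or wait resolution lists and the requester list inside a
-resolution are updated. It is also important to not wake up a released stream
-(with a destroyed task).
-
-Of course, because of this bug, various kind of crashes may be observed.
-
-This patch should fix the issue #236. It must be backported as far as 2.0.
-
-(cherry picked from commit 5098a08c2fafb0d9513996729d2a30c9785378f3)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit 99f4623952cbbad2bcae451abdd0f3133bcbe75c)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-(cherry picked from commit 6e5861d72fe1e3c9d34b591d6f77ffd28ddde197)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
----
- src/dns.c | 36 +++++++++++++++++++++---------
- src/stream.c | 4 ++++
- 2 files changed, 31 insertions(+), 9 deletions(-)
-
-diff --git a/src/dns.c b/src/dns.c
-index 282fa92..40e29ad 100644
---- a/src/dns.c
-+++ b/src/dns.c
-@@ -2162,14 +2162,23 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
- struct dns_requester *req;
- struct dns_resolvers *resolvers;
- struct dns_resolution *res;
-- int exp;
-+ int exp, locked = 0;
-+ enum act_return ret = ACT_RET_CONT;
-+
-+ resolvers = rule->arg.dns.resolvers;
-
- /* we have a response to our DNS resolution */
- use_cache:
- if (s->dns_ctx.dns_requester && s->dns_ctx.dns_requester->resolution != NULL) {
- resolution = s->dns_ctx.dns_requester->resolution;
-+ if (!locked) {
-+ HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
-+ locked = 1;
-+ }
-+
- if (resolution->step == RSLV_STEP_RUNNING) {
-- return ACT_RET_YIELD;
-+ ret = ACT_RET_YIELD;
-+ goto end;
- }
- if (resolution->step == RSLV_STEP_NONE) {
- /* We update the variable only if we have a valid response. */
-@@ -2211,29 +2220,33 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
- pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
- s->dns_ctx.dns_requester = NULL;
-
-- return ACT_RET_CONT;
-+ goto end;
- }
-
- /* need to configure and start a new DNS resolution */
- smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.dns.expr, SMP_T_STR);
- if (smp == NULL)
-- return ACT_RET_CONT;
-+ goto end;
-
- fqdn = smp->data.u.str.area;
- if (action_prepare_for_resolution(s, fqdn) == -1)
-- return ACT_RET_ERR;
-+ goto end; /* on error, ignore the action */
-
- s->dns_ctx.parent = rule;
-+
-+ HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
-+ locked = 1;
-+
- dns_link_resolution(s, OBJ_TYPE_STREAM, 0);
-
- /* Check if there is a fresh enough response in the cache of our associated resolution */
- req = s->dns_ctx.dns_requester;
- if (!req || !req->resolution) {
- dns_trigger_resolution(s->dns_ctx.dns_requester);
-- return ACT_RET_YIELD;
-+ ret = ACT_RET_YIELD;
-+ goto end;
- }
-- res = req->resolution;
-- resolvers = res->resolvers;
-+ res = req->resolution;
-
- exp = tick_add(res->last_resolution, resolvers->hold.valid);
- if (resolvers->t && res->status == RSLV_STATUS_VALID && tick_isset(res->last_resolution)
-@@ -2242,7 +2255,12 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
- }
-
- dns_trigger_resolution(s->dns_ctx.dns_requester);
-- return ACT_RET_YIELD;
-+ ret = ACT_RET_YIELD;
-+
-+ end:
-+ if (locked)
-+ HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
-+ return ret;
- }
-
-
-diff --git a/src/stream.c b/src/stream.c
-index 080189e..2eb7cfa 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -435,9 +435,13 @@ static void stream_free(struct stream *s)
- }
-
- if (s->dns_ctx.dns_requester) {
-+ __decl_hathreads(struct dns_resolvers *resolvers = s->dns_ctx.parent->arg.dns.resolvers);
-+
-+ HA_SPIN_LOCK(DNS_LOCK, &resolvers->lock);
- free(s->dns_ctx.hostname_dn); s->dns_ctx.hostname_dn = NULL;
- s->dns_ctx.hostname_dn_len = 0;
- dns_unlink_resolution(s->dns_ctx.dns_requester);
-+ HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
-
- pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
- s->dns_ctx.dns_requester = NULL;
---
-1.7.10.4
-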
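--- a/debian/patches/lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 74d704f2f36945d60f1ff7ea75dbfe3f40508861 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Tue, 28 Jul 2020 10:21:54 +0200
-Subject: [PATCH] BUG/MEDIUM: dns: Don't yield in do-resolve action on a final
- evaluation
-
-When an action is evaluated, flags are passed to know if it is the first call
-(ACT_OPT_FIRST) and if it must be the last one (ACT_OPT_FINAL). For the
-do-resolve DNS action, the ACT_OPT_FINAL flag must be handled because the
-action may yield. It must never yield when this flag is set. Otherwise, it may
-lead to a wakeup loop of the stream because the inspected-delay of a tcp-request
-content ruleset was reached without stopping the rules evaluation.
-
-This patch is related to the issue #222. It must be backported as far as 2.0.
-
-(cherry picked from commit 385101e53816dc1b7bc1fc957adc512ce8a07cb4)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-(cherry picked from commit 5c038f759959adf95b4b347aba9d97e60ab87e93)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-(cherry picked from commit af018c4865400dda4553a732df4c43751a4ff88c)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
----
- src/dns.c | 39 +++++++++++++++++++++------------------
- 1 file changed, 21 insertions(+), 18 deletions(-)
-
-diff --git a/src/dns.c b/src/dns.c
-index 18e64d9..095040e 100644
---- a/src/dns.c
-+++ b/src/dns.c
-@@ -2182,10 +2182,8 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
- locked = 1;
- }
-
-- if (resolution->step == RSLV_STEP_RUNNING) {
-- ret = ACT_RET_YIELD;
-- goto end;
-- }
-+ if (resolution->step == RSLV_STEP_RUNNING)
-+ goto yield;
- if (resolution->step == RSLV_STEP_NONE) {
- /* We update the variable only if we have a valid response. */
- if (resolution->status == RSLV_STATUS_VALID) {
-@@ -2219,14 +2217,7 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
- }
- }
-
-- free(s->dns_ctx.hostname_dn); s->dns_ctx.hostname_dn = NULL;
-- s->dns_ctx.hostname_dn_len = 0;
-- dns_unlink_resolution(s->dns_ctx.dns_requester);
--
-- pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
-- s->dns_ctx.dns_requester = NULL;
--
-- goto end;
-+ goto release_requester;
- }
-
- /* need to configure and start a new DNS resolution */
-@@ -2247,26 +2238,38 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
-
- /* Check if there is a fresh enough response in the cache of our associated resolution */
- req = s->dns_ctx.dns_requester;
-- if (!req || !req->resolution) {
-- dns_trigger_resolution(s->dns_ctx.dns_requester);
-- ret = ACT_RET_YIELD;
-- goto end;
-- }
-+ if (!req || !req->resolution)
-+ goto release_requester; /* on error, ignore the action */
- res = req->resolution;
-
- exp = tick_add(res->last_resolution, resolvers->hold.valid);
- if (resolvers->t && res->status == RSLV_STATUS_VALID && tick_isset(res->last_resolution)
-- && !tick_is_expired(exp, now_ms)) {
-+ && !tick_is_expired(exp, now_ms)) {
- goto use_cache;
- }
-
- dns_trigger_resolution(s->dns_ctx.dns_requester);
-+
-+ yield:
-+ if (flags & ACT_FLAG_FINAL)
-+ goto release_requester;
- ret = ACT_RET_YIELD;
-
- end:
- if (locked)
- HA_SPIN_UNLOCK(DNS_LOCK, &resolvers->lock);
- return ret;
-+
-+ release_requester:
-+ free(s->dns_ctx.hostname_dn);
-+ s->dns_ctx.hostname_dn = NULL;
-+ s->dns_ctx.hostname_dn_len = 0;
-+ if (s->dns_ctx.dns_requester) {
-+ dns_unlink_resolution(s->dns_ctx.dns_requester);
-+ pool_free(dns_requester_pool, s->dns_ctx.dns_requester);
-+ s->dns_ctx.dns_requester = NULL;
-+ }
-+ goto end;
- }
-
-
---
-1.7.10.4
-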
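--- a/debian/patches/lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 39eb766825d8aad09946dfc284d4a73f610ebd64 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Wed, 22 Jul 2020 15:55:49 +0200
-Subject: [PATCH] BUG/MEDIUM: dns: Release answer items when a DNS resolution
- is freed
-
-When a DNS resolution is freed, the remaining items in .ar_list and .answer_list
-are also released. It must be done to avoid a memory leak. And it is the last
-chance to release these objects. I've honestly no idea if there is a better
-place to release them earlier. But at least, there is no more leak.
-
-This patch should solve the issue #222. It must be backported, at least, as far
-as 2.0, and probably, with caution, as far as 1.8 or 1.7.
-
-(cherry picked from commit 010ab35a9118daf17a670fb2b42e40447f967f7c)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-(cherry picked from commit c58ac80d00284886b108b209a5bf993de5ab38ed)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-(cherry picked from commit 81120e6ea286ae3f2566959167fb56a7d1f0de19)
-Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
----
- src/dns.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/dns.c b/src/dns.c
-index 40e29ad..18e64d9 100644
---- a/src/dns.c
-+++ b/src/dns.c
-@@ -1336,6 +1336,7 @@ static struct dns_resolution *dns_pick_resolution(struct dns_resolvers *resolver
- static void dns_free_resolution(struct dns_resolution *resolution)
- {
- struct dns_requester *req, *reqback;
-+ struct dns_answer_item *item, *itemback;
-
- /* clean up configuration */
- dns_reset_resolution(resolution);
-@@ -1347,6 +1348,11 @@ static void dns_free_resolution(struct dns_resolution *resolution)
- req->resolution = NULL;
- }
-
-+ list_for_each_entry_safe(item, itemback, &resolution->response.answer_list, list) {
-+ LIST_DEL(&item->list);
-+ pool_free(dns_answer_item_pool, item);
-+ }
-+
- LIST_DEL(&resolution->list);
- pool_free(dns_resolution_pool, resolution);
- }
---
-1.7.10.4
-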
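--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,16 +1,3 @@
 0002-Use-dpkg-buildflags-to-build-halog.patch
 haproxy.service-start-after-syslog.patch
 haproxy.service-add-documentation.patch
-
-# 20200402 security issue (CVE-2020-11100) about HTTP/2 HPACK header table
-0001-BUG-CRITICAL-hpack-never-index-a-header-into-the-hea.patch
-
-# applied during the build process:
-# debianize-dconv.patch
-
-lp1894879-BUG-CRITICAL-dns-Make-the-do-resolve-action-thread-safe.patch
-lp1894879-BUG-MEDIUM-dns-Release-answer-items-when-a-DNS-resolution-is-freed.patch
-lp1894879-BUG-MEDIUM-dns-Dont-yield-in-do-resolve-action-on-a-final.patch
-2.0-0001-BUG-MAJOR-h2-enforce-checks-on-the-method-syntax-bef.patch
-0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch
-CVE-2022-0711.patch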
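Review bot: Seven entries leave series here, six of them security backports (the CVE-2020-11100 HPACK fix, the three lp1894879 DNS fixes, the H2 method-syntax check, the HTX header-name length check and CVE-2022-0711), and the new side keeps no record of where each fix now comes from. Each dropped patch should be traced to the new upstream release before this lands, for instance by matching the upstream commit ids carried in the deleted patch headers (4e372dc3, 08f7092f, bfb15ab3, ef131aee, 74d704f2, 39eb7668) against the imported upstream changelog, with the result stated in the package changelog rather than left implicit in the deletions. The comment `# applied during the build process:` / `# debianize-dconv.patch` goes away with them; if that patch is still applied at build time, keeping those two lines in series avoids a misleading file.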
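--- a/doc/SPOE.txt
+++ b/doc/SPOE.txt
@@ -115,7 +115,7 @@ If you specify an engine name on the SPOE filter line, then you need to define
 scope in the SPOE configuration with the same name. You can have several SPOE
 scope in the same file. In each scope, you must define one and only one
 "spoe-agent" section to configure the SPOA linked to your SPOE and several
-"spoe-message" and "spoe-group" sections to describe, respecively, messages and
+"spoe-message" and "spoe-group" sections to describe, respectively, messages and
 group of messages sent to servers mananged by your SPOA.
 
 A SPOE scope starts with this kind of line :
@@ -510,7 +510,8 @@ args [name=]<sample> ...
 event <name> [ { if | unless } <condition> ]
 Set the event that triggers sending of the message. It may optionally be
 followed by an ACL-based condition, in which case it will only be evaluated
- if the condition is true.
+ if the condition is true. A SPOE message can only be sent on one event. If
+ several events are defined, only the last one is considered.
 
 ACL-based conditions are executed in the context of the stream that handle
 the client and the server connections.
@@ -762,6 +763,10 @@ Here are the list of official capabilities that HAProxy and agents can support:
 
 Unsupported or unknown capabilities are silently ignored, when possible.
 
+NOTE: HAProxy does not support the fragmentation for now. This means it is not
+ able to handle fragmented frames. However, if an agent announces the
+ fragmentation support, HAProxy may choose to send fragemented frames.
+
 3.2.2. Frame types overview
 ----------------------------
 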
2672 | diff --git a/doc/architecture.txt b/doc/architecture.txt |
2673 | index 85d5219..8174b5d 100644 |
2674 | --- a/doc/architecture.txt |
2675 | +++ b/doc/architecture.txt |
2676 | @@ -257,7 +257,7 @@ Description : |
2677 | - if a request does not contain a cookie, it will be forwarded to a valid |
2678 | server |
2679 | - in return, if a JESSIONID cookie is seen, the server name will be prefixed |
2680 | - into it, followed by a delimitor ('~') |
2681 | + into it, followed by a delimiter ('~') |
2682 | - when the client comes again with the cookie "JSESSIONID=A~xxx", LB1 will |
2683 | know that it must be forwarded to server A. The server name will then be |
2684 | extracted from cookie before it is sent to the server. |
2685 | @@ -1265,7 +1265,7 @@ S2L2. So only initial users will load the inter-site link, not the new ones. |
2686 | =================== |
2687 | |
2688 | Sometimes it may reveal useful to access servers from a pool of IP addresses |
2689 | -instead of only one or two. Some equipments (NAT firewalls, load-balancers) |
2690 | +instead of only one or two. Some equipment (NAT firewalls, load-balancers) |
2691 | are sensible to source address, and often need many sources to distribute the |
2692 | load evenly amongst their internal hash buckets. |
2693 | |
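--- a/doc/coding-style.txt
+++ b/doc/coding-style.txt
@@ -111,7 +111,7 @@ with "#", we get this :
 | [-Tabs-][-Tabs-]ctx->del = len;
 | [-Tabs-]}
 
-It is worth noting that some editors tend to confuse indentations and aligment.
+It is worth noting that some editors tend to confuse indentations and alignment.
 Emacs is notoriously known for this brokenness, and is responsible for almost
 all of the alignment mess. The reason is that Emacs only counts spaces, tries
 to fill as many as possible with tabs and completes with spaces. Once you know
@@ -1218,7 +1218,7 @@ Wrong use of comments :
 
 Right use of comments :
 
- | /* This function returns the positoin of the highest bit set in the lowest
+ | /* This function returns the position of the highest bit set in the lowest
 | * byte of <x>, between 0 and 7. It only works if <x> is non-null. It uses
 | * a 32-bit value as a lookup table to return one of 4 values for the
 | * highest 16 possible 4-bit values.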
2716 | diff --git a/doc/configuration.txt b/doc/configuration.txt |
2717 | index b2ee835..4394d07 100644 |
2718 | --- a/doc/configuration.txt |
2719 | +++ b/doc/configuration.txt |
2720 | @@ -3,8 +3,7 @@ |
2721 | Configuration Manual |
2722 | ---------------------- |
2723 | version 2.0 |
2724 | - willy tarreau |
2725 | - 2020/02/13 |
2726 | + 2022/05/13 |
2727 | |
2728 | |
2729 | This document covers the configuration language as implemented in the version |
2730 | @@ -190,11 +189,6 @@ HAProxy supports 4 connection modes : |
2731 | - server close : the server-facing connection is closed after the response. |
2732 | - close : the connection is actively closed after end of response. |
2733 | |
2734 | -For HTTP/2, the connection mode resembles more the "server close" mode : given |
2735 | -the independence of all streams, there is currently no place to hook the idle |
2736 | -server connection after a response, so it is closed after the response. HTTP/2 |
2737 | -is only supported for incoming connections, not on connections going to |
2738 | -servers. |
2739 | |
2740 | |
2741 | 1.2. HTTP request |
2742 | @@ -263,10 +257,6 @@ specific to the language, framework or application in use. |
2743 | |
2744 | HTTP/2 doesn't convey a version information with the request, so the version is |
2745 | assumed to be the same as the one of the underlying protocol (i.e. "HTTP/2"). |
2746 | -However, haproxy natively processes HTTP/1.x requests and headers, so requests |
2747 | -received over an HTTP/2 connection are transcoded to HTTP/1.1 before being |
2748 | -processed. This explains why they still appear as "HTTP/1.1" in haproxy's logs |
2749 | -as well as in server logs. |
2750 | |
2751 | |
2752 | 1.2.2. The request headers |
2753 | @@ -284,7 +274,10 @@ define a total of 3 values for the "Accept:" header. |
2754 | Contrary to a common misconception, header names are not case-sensitive, and |
2755 | their values are not either if they refer to other header names (such as the |
2756 | "Connection:" header). In HTTP/2, header names are always sent in lower case, |
2757 | -as can be seen when running in debug mode. |
2758 | +as can be seen when running in debug mode. Internally, all header names are |
2759 | +normalized to lower case so that HTTP/1.x and HTTP/2 use the exact same |
2760 | +representation, and they are sent as-is on the other side. This explains why an |
2761 | +HTTP/1.x request typed with camel case is delivered in lower case. |
2762 | |
2763 | The end of the headers is indicated by the first empty line. People often say |
2764 | that it's a double line feed, which is not exact, even if a double line feed |
2765 | @@ -365,7 +358,10 @@ HAProxy may emit the following status codes by itself : |
2766 | 401 when an authentication is required to perform the action (when |
2767 | accessing the stats page) |
2768 | 403 when a request is forbidden by a "block" ACL or "reqdeny" filter |
2769 | + 404 when the requested resource could not be found |
2770 | 408 when the request timeout strikes before the request is complete |
2771 | + 410 when the requested resource is no longer available and will not |
2772 | + be available again |
2773 | 500 when haproxy encounters an unrecoverable internal error, such as a |
2774 | memory allocation failure, which should never happen |
2775 | 502 when the server returns an empty, invalid or incomplete response, or |
2776 | @@ -668,6 +664,8 @@ The following keywords are supported in the "global" section : |
2777 | - tune.maxrewrite |
2778 | - tune.pattern.cache-size |
2779 | - tune.pipesize |
2780 | + - tune.pool-high-fd-ratio |
2781 | + - tune.pool-low-fd-ratio |
2782 | - tune.rcvbuf.client |
2783 | - tune.rcvbuf.server |
2784 | - tune.recv_enough |
2785 | @@ -817,7 +815,7 @@ external-check |
2786 | See "option external-check". |
2787 | |
2788 | gid <number> |
2789 | - Changes the process' group ID to <number>. It is recommended that the group |
2790 | + Changes the process's group ID to <number>. It is recommended that the group |
2791 | ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
2792 | be started with a user belonging to this group, or with superuser privileges. |
2793 | Note that if haproxy is started from a user having supplementary groups, it |
2794 | @@ -849,7 +847,7 @@ h1-case-adjust <from> <to> |
2795 | <from>, to change it to <to> before sending it to HTTP/1 clients or |
2796 | servers. <from> must be in lower case, and <from> and <to> must not differ |
2797 | except for their case. It may be repeated if several header names need to be |
2798 | - ajusted. Duplicate entries are not allowed. If a lot of header names have to |
2799 | + adjusted. Duplicate entries are not allowed. If a lot of header names have to |
2800 | be adjusted, it might be more convenient to use "h1-case-adjust-file". |
2801 | Please note that no transformation will be applied unless "option |
2802 | h1-case-adjust-bogus-client" or "option h1-case-adjust-bogus-server" is |
2803 | @@ -1244,7 +1242,7 @@ stats maxconn <connections> |
2804 | possible to change this value with "stats maxconn". |
2805 | |
2806 | uid <number> |
2807 | - Changes the process' user ID to <number>. It is recommended that the user ID |
2808 | + Changes the process's user ID to <number>. It is recommended that the user ID |
2809 | is dedicated to HAProxy or to a small set of similar daemons. HAProxy must |
2810 | be started with superuser privileges in order to be able to switch to another |
2811 | one. See also "gid" and "user". |
2812 | @@ -1853,12 +1851,6 @@ tune.pipesize <number> |
2813 | performed. This has an impact on the kernel's memory footprint, so this must |
2814 | not be changed if impacts are not understood. |
2815 | |
2816 | -tune.pool-low-fd-ratio <number> |
2817 | - This setting sets the max number of file descriptors (in percentage) used by |
2818 | - haproxy globally against the maximum number of file descriptors haproxy can |
2819 | - use before we stop putting connection into the idle pool for reuse. The |
2820 | - default is 20. |
2821 | - |
2822 | tune.pool-high-fd-ratio <number> |
2823 | This setting sets the max number of file descriptors (in percentage) used by |
2824 | haproxy globally against the maximum number of file descriptors haproxy can |
2825 | @@ -1868,6 +1860,12 @@ tune.pool-high-fd-ratio <number> |
2826 | keep an idle connection behind, anything beyond this probably doesn't make |
2827 | much sense in the general case when targeting connection reuse). |
2828 | |
2829 | +tune.pool-low-fd-ratio <number> |
2830 | + This setting sets the max number of file descriptors (in percentage) used by |
2831 | + haproxy globally against the maximum number of file descriptors haproxy can |
2832 | + use before we stop putting connection into the idle pool for reuse. The |
2833 | + default is 20. |
2834 | + |
2835 | tune.rcvbuf.client <number> |
2836 | tune.rcvbuf.server <number> |
2837 | Forces the kernel socket receive buffer size on the client or the server side |
2838 | @@ -2114,8 +2112,9 @@ default-server [param*] |
2839 | |
2840 | See also: "server" and section 5 about server options |
2841 | |
2842 | -enable |
2843 | - This re-enables a disabled peers section which was previously disabled. |
2844 | +enabled |
2845 | + This re-enables a peers section which was previously disabled via the |
2846 | + "disabled" keyword. |
2847 | |
2848 | peer <peername> <ip>:<port> [param*] |
2849 | Defines a peer inside a peers section. |
2850 | @@ -2455,6 +2454,7 @@ option allbackups (*) X - X X |
2851 | option checkcache (*) X - X X |
2852 | option clitcpka (*) X X X - |
2853 | option contstats (*) X X X - |
2854 | +option disable-h2-upgrade (*) X X X - |
2855 | option dontlog-normal (*) X X X - |
2856 | option dontlognull (*) X X X - |
2857 | -- keyword -------------------------- defaults - frontend - listen -- backend - |
2858 | @@ -2807,7 +2807,7 @@ balance url_param <param> [check_post] |
2859 | rdp-cookie(<name>) |
2860 | The RDP cookie <name> (or "mstshash" if omitted) will be |
2861 | looked up and hashed for each incoming TCP request. Just as |
2862 | - with the equivalent ACL 'req_rdp_cookie()' function, the name |
2863 | + with the equivalent ACL 'req.rdp_cookie()' function, the name |
2864 | is not case-sensitive. This mechanism is useful as a degraded |
2865 | persistence mode, as it makes it possible to always send the |
2866 | same user (or the same session ID) to the same server. If the |
2867 | @@ -2817,14 +2817,12 @@ balance url_param <param> [check_post] |
2868 | Note that for this to work, the frontend must ensure that an |
2869 | RDP cookie is already present in the request buffer. For this |
2870 | you must use 'tcp-request content accept' rule combined with |
2871 | - a 'req_rdp_cookie_cnt' ACL. |
2872 | + a 'req.rdp_cookie_cnt' ACL. |
2873 | |
2874 | This algorithm is static by default, which means that |
2875 | changing a server's weight on the fly will have no effect, |
2876 | but this can be changed using "hash-type". |
2877 | |
2878 | - See also the rdp_cookie pattern fetch function. |
2879 | - |
2880 | <arguments> is an optional list of arguments which may be needed by some |
2881 | algorithms. Right now, only "url_param" and "uri" support an |
2882 | optional argument. |
2883 | @@ -3295,7 +3293,7 @@ compression offload |
2884 | Compression is disabled when: |
2885 | * the request does not advertise a supported compression algorithm in the |
2886 | "Accept-Encoding" header |
2887 | - * the response message is not HTTP/1.1 |
2888 | + * the response message is not HTTP/1.1 or above |
2889 | * HTTP status code is not one of 200, 201, 202, or 203 |
2890 | * response contain neither a "Content-Length" header nor a |
2891 | "Transfer-Encoding" whose last value is "chunked" |
2892 | @@ -3666,8 +3664,8 @@ errorfile <code> <file> |
2893 | yes | yes | yes | yes |
2894 | Arguments : |
2895 | <code> is the HTTP status code. Currently, HAProxy is capable of |
2896 | - generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502, |
2897 | - 503, and 504. |
2898 | + generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429, |
2899 | + 500, 502, 503, and 504. |
2900 | |
2901 | <file> designates a file containing the full HTTP response. It is |
2902 | recommended to follow the common practice of appending ".http" to |
2903 | @@ -3715,8 +3713,8 @@ errorloc302 <code> <url> |
2904 | yes | yes | yes | yes |
2905 | Arguments : |
2906 | <code> is the HTTP status code. Currently, HAProxy is capable of |
2907 | - generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502, |
2908 | - 503, and 504. |
2909 | + generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429, |
2910 | + 500, 502, 503, and 504. |
2911 | |
2912 | <url> it is the exact contents of the "Location" header. It may contain |
2913 | either a relative URI to an error page hosted on the same site, |
2914 | @@ -3747,8 +3745,8 @@ errorloc303 <code> <url> |
2915 | yes | yes | yes | yes |
2916 | Arguments : |
2917 | <code> is the HTTP status code. Currently, HAProxy is capable of |
2918 | - generating codes 200, 400, 403, 405, 408, 425, 429, 500, 502, |
2919 | - 503, and 504. |
2920 | + generating codes 200, 400, 403, 404, 405, 408, 410, 413, 425, 429, |
2921 | + 500, 502, 503, and 504. |
2922 | |
2923 | <url> it is the exact contents of the "Location" header. It may contain |
2924 | either a relative URI to an error page hosted on the same site, |
2925 | @@ -4213,6 +4211,33 @@ http-check expect [!] <match> <pattern> |
2926 | See also : "option httpchk", "http-check disable-on-404" |
2927 | |
2928 | |
2929 | +http-check send [hdr <name> <value>]* [body <string>] |
2930 | + Add a possible list of headers and/or a body to the request sent during HTTP |
2931 | + health checks. |
2932 | + May be used in sections : defaults | frontend | listen | backend |
2933 | + yes | no | yes | yes |
2934 | + Arguments : |
2935 | + hdr <name> <value> adds the HTTP header field whose name is specified in |
2936 | + <name> and whose value is defined by <value> to the |
2937 | + request sent during HTTP health checks. |
2938 | + |
2939 | + body <string> add the body defined by <string> to the request sent |
2940 | + sent during HTTP health checks. If defined, the |
2941 | + "Content-Length" header is thus automatically added |
2942 | + to the request. |
2943 | + |
2944 | + In addition to the request line defined by the "option httpchk" directive, |
2945 | + this one is the valid way to add some headers and optionally a body to the |
2946 | + request sent during HTTP health checks. If a body is defined, the associate |
2947 | + "Content-Length" header is automatically added. The old trick consisting to |
2948 | + add headers after the version string on the "option httpchk" line is now |
2949 | + deprecated. Note also the "Connection: close" header is still added if a |
2950 | + "http-check expect" direcive is defined independently of this directive, just |
2951 | + like the state header if the directive "http-check send-state" is defined. |
2952 | + |
2953 | + See also : "option httpchk", "http-check send-state" and "http-check expect" |
2954 | + |
2955 | + |
2956 | http-check send-state |
2957 | Enable emission of a state header with HTTP health checks |
2958 | May be used in sections : defaults | frontend | listen | backend |
2959 | @@ -4509,7 +4534,7 @@ http-request reject [ { if | unless } <condition> ] |
2960 | http-request replace-header <name> <match-regex> <replace-fmt> |
2961 | [ { if | unless } <condition> ] |
2962 | |
2963 | - This matches the value of all occurences of header field <name> against |
2964 | + This matches the value of all occurrences of header field <name> against |
2965 | <match-regex>. Matching is performed case-sensitively. Matching values are |
2966 | completely replaced by <replace-fmt>. Format characters are allowed in |
2967 | <replace-fmt> and work like <fmt> arguments in "http-request add-header". |
2968 | @@ -4546,8 +4571,9 @@ http-request replace-path <match-regex> <replace-fmt> |
2969 | |
2970 | This works like "replace-header" except that it works on the request's path |
2971 | component instead of a header. The path component starts at the first '/' |
2972 | - after an optional scheme+authority. It does contain the query string if any |
2973 | - is present. The replacement does not modify the scheme nor authority. |
2974 | + after an optional scheme+authority and ends before the question mark. Thus, |
2975 | + the replacement does not modify the scheme, the authority and the |
2976 | + query-string. |
2977 | |
2978 | It is worth noting that regular expressions may be more expensive to evaluate |
2979 | than certain ACLs, so rare replacements may benefit from a condition to avoid |
2980 | @@ -4557,9 +4583,6 @@ http-request replace-path <match-regex> <replace-fmt> |
2981 | # prefix /foo : turn /bar?q=1 into /foo/bar?q=1 : |
2982 | http-request replace-path (.*) /foo\1 |
2983 | |
2984 | - # suffix /foo : turn /bar?q=1 into /bar/foo?q=1 : |
2985 | - http-request replace-path ([^?]*)(\?(.*))? \1/foo\2 |
2986 | - |
2987 | # strip /foo : turn /foo/bar?q=1 into /bar?q=1 |
2988 | http-request replace-path /foo/(.*) /\1 |
2989 | # or more efficient if only some requests match : |
2990 | @@ -4785,16 +4808,23 @@ http-request set-src <expr> [ { if | unless } <condition> ] |
2991 | This is used to set the source IP address to the value of specified |
2992 | expression. Useful when a proxy in front of HAProxy rewrites source IP, but |
2993 | provides the correct IP in a HTTP header; or you want to mask source IP for |
2994 | - privacy. |
2995 | + privacy. All subsequent calls to "src" fetch will return this value |
2996 | + (see example). |
2997 | |
2998 | Arguments : |
2999 | <expr> Is a standard HAProxy expression formed by a sample-fetch followed |
3000 | by some converters. |
3001 | |
3002 | + See also "option forwardfor". |
3003 | + |
3004 | Example: |
3005 | http-request set-src hdr(x-forwarded-for) |
3006 | http-request set-src src,ipmask(24) |
3007 | |
3008 | + # After the masking this will track connections |
3009 | + # based on the IP address with the last byte zeroed out. |
3010 | + http-request track-sc0 src |
3011 | + |
3012 | When possible, set-src preserves the original source port as long as the |
3013 | address family allows it, otherwise the source port is set to 0. |
3014 | |
3015 | @@ -5163,7 +5193,8 @@ http-response sc-set-gpt0(<sc-id>) <int> [ { if | unless } <condition> ] |
3016 | <sc-id> and the value of <int>. The expected result is a boolean. If an error |
3017 | occurs, this action silently fails and the actions evaluation continues. |
3018 | |
3019 | -http-response send-spoe-group [ { if | unless } <condition> ] |
3020 | +http-response send-spoe-group <engine-name> <group-name> |
3021 | + [ { if | unless } <condition> ] |
3022 | |
3023 | This action is used to trigger sending of a group of SPOE messages. To do so, |
3024 | the SPOE engine used to send messages must be defined, as well as the SPOE |
3025 | @@ -6204,6 +6235,25 @@ option contstats |
3026 | not enabled by default, as it can cause a lot of wakeups for very large |
3027 | session counts and cause a small performance drop. |
3028 | |
3029 | +option disable-h2-upgrade |
3030 | +no option disable-h2-upgrade |
3031 | + Enable or disable the implicit HTTP/2 upgrade from an HTTP/1.x client |
3032 | + connection. |
3033 | + May be used in sections : defaults | frontend | listen | backend |
3034 | + yes | yes | yes | no |
3035 | + Arguments : none |
3036 | + |
3037 | + By default, HAProxy is able to implicitly upgrade an HTTP/1.x client |
3038 | + connection to an HTTP/2 connection if the first request it receives from a |
3039 | + given HTTP connection matches the HTTP/2 connection preface (i.e. the string |
3040 | + "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"). This way, it is possible to support |
3041 | + HTTP/1.x and HTTP/2 clients on a non-SSL connections. This option must be used to |
3042 | + disable the implicit upgrade. Note this implicit upgrade is only supported |
3043 | + for HTTP proxies, thus this option too. Note also it is possible to force the |
3044 | + HTTP/2 on clear connections by specifying "proto h2" on the bind line. |
3045 | + |
3046 | + If this option has been enabled in a "defaults" section, it can be disabled |
3047 | + in a specific instance by prepending the "no" keyword before it. |
3048 | |
3049 | option dontlog-normal |
3050 | no option dontlog-normal |
3051 | @@ -6297,6 +6347,9 @@ option forwardfor [ except <network> ] [ header <name> ] [ if-none ] |
3052 | environment, as this might cause a security issue if headers reaching haproxy |
3053 | are under the control of the end-user. |
3054 | |
3055 | + Only IPv4 addresses are supported. "http-request add-header" or "http-request |
3056 | + set-header" rules may be used to work around this limitation. |
3057 | + |
3058 | This option may be specified either in the frontend or in the backend. If at |
3059 | least one of them uses it, the header will be added. Note that the backend's |
3060 | setting of the header subargument takes precedence over the frontend's if |
3061 | @@ -6747,8 +6800,7 @@ option httpchk <method> <uri> <version> |
3062 | <version> is the optional HTTP version string. It defaults to "HTTP/1.0" |
3063 | but some servers might behave incorrectly in HTTP 1.0, so turning |
3064 | it to HTTP/1.1 may sometimes help. Note that the Host field is |
3065 | - mandatory in HTTP/1.1, and as a trick, it is possible to pass it |
3066 | - after "\r\n" following the version string. |
3067 | + mandatory in HTTP/1.1, use "http-check send" directive to add it. |
3068 | |
3069 | By default, server health checks only consist in trying to establish a TCP |
3070 | connection. When "option httpchk" is specified, a complete HTTP request is |
3071 | @@ -6762,12 +6814,18 @@ option httpchk <method> <uri> <version> |
3072 | plain TCP backends. This is particularly useful to check simple scripts bound |
3073 | to some dedicated ports using the inetd daemon. |
3074 | |
3075 | + Note : For a while, there was no way to add headers or body in the request |
3076 | + used for HTTP health checks. So a workaround was to hide it at the end |
3077 | + of the version string with a "\r\n" after the version. It is now |
3078 | + deprecated. The directive "http-check send" must be used instead. |
3079 | + |
3080 | Examples : |
3081 | # Relay HTTPS traffic to Apache instance and check service availability |
3082 | # using HTTP request "OPTIONS * HTTP/1.1" on port 80. |
3083 | backend https_relay |
3084 | mode tcp |
3085 | - option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www |
3086 | + option httpchk OPTIONS * HTTP/1.1 |
3087 | + http-check send hdr Host www |
3088 | server apache1 192.168.1.1:443 check port 80 |
3089 | |
3090 | See also : "option ssl-hello-chk", "option smtpchk", "option mysql-check", |
3091 | @@ -6992,21 +7050,27 @@ no option log-separate-errors |
3092 | |
3093 | option logasap |
3094 | no option logasap |
3095 | - Enable or disable early logging of HTTP requests |
3096 | + Enable or disable early logging. |
3097 | May be used in sections : defaults | frontend | listen | backend |
3098 | yes | yes | yes | no |
3099 | Arguments : none |
3100 | |
3101 | - By default, HTTP requests are logged upon termination so that the total |
3102 | - transfer time and the number of bytes appear in the logs. When large objects |
3103 | - are being transferred, it may take a while before the request appears in the |
3104 | - logs. Using "option logasap", the request gets logged as soon as the server |
3105 | - sends the complete headers. The only missing information in the logs will be |
3106 | - the total number of bytes which will indicate everything except the amount |
3107 | - of data transferred, and the total time which will not take the transfer |
3108 | - time into account. In such a situation, it's a good practice to capture the |
3109 | - "Content-Length" response header so that the logs at least indicate how many |
3110 | - bytes are expected to be transferred. |
3111 | + By default, logs are emitted when all the log format variables and sample |
3112 | + fetches used in the definition of the log-format string return a value, or |
3113 | + when the session is terminated. This allows the built in log-format strings |
3114 | + to account for the transfer time, or the number of bytes in log messages. |
3115 | + |
3116 | + When handling long lived connections such as large file transfers or RDP, |
3117 | + it may take a while for the request or connection to appear in the logs. |
3118 | + Using "option logasap", the log message is created as soon as the server |
3119 | + connection is established in mode tcp, or as soon as the server sends the |
3120 | + complete headers in mode http. Missing information in the logs will be the |
3121 | + total number of bytes which will only indicate the amount of data transfered |
3122 | + before the message was created and the total time which will not take the |
3123 | + remainder of the connection life or transfer time into account. For the case |
3124 | + of HTTP, it is good practice to capture the Content-Length response header |
3125 | + so that the logs at least indicate how many bytes are expected to be |
3126 | + transfered. |
3127 | |
3128 | Examples : |
3129 | listen http_proxy 0.0.0.0:80 |
3130 | @@ -7037,12 +7101,13 @@ option mysql-check [ user <username> [ post-41 ] ] |
3131 | one Client Authentication packet, and one QUIT packet, to correctly close |
3132 | MySQL session. We then parse the MySQL Handshake Initialization packet and/or |
3133 | Error packet. It is a basic but useful test which does not produce error nor |
3134 | - aborted connect on the server. However, it requires adding an authorization |
3135 | - in the MySQL table, like this : |
3136 | + aborted connect on the server. However, it requires an unlocked authorised |
3137 | + user without a password. To create a basic limited user in MySQL with |
3138 | + optional resource limits: |
3139 | |
3140 | - USE mysql; |
3141 | - INSERT INTO user (Host,User) values ('<ip_of_haproxy>','<username>'); |
3142 | - FLUSH PRIVILEGES; |
3143 | + CREATE USER '<username>'@'<ip_of_haproxy|network_of_haproxy/netmask>' |
3144 | + /*!50701 WITH MAX_QUERIES_PER_HOUR 1 MAX_UPDATES_PER_HOUR 0 */ |
3145 | + /*M!100201 MAX_STATEMENT_TIME 0.0001 */; |
3146 | |
3147 | If you don't specify a username (it is deprecated and not recommended), the |
3148 | check only consists in parsing the Mysql Handshake Initialization packet or |
3149 | @@ -7136,6 +7201,9 @@ option originalto [ except <network> ] [ header <name> ] |
3150 | network will not cause an addition of this header. Most common uses are with |
3151 | private networks or 127.0.0.1. |
3152 | |
3153 | + Only IPv4 addresses are supported. "http-request add-header" or "http-request |
3154 | + set-header" rules may be used to work around this limitation. |
3155 | + |
3156 | This option may be specified either in the frontend or in the backend. If at |
3157 | least one of them uses it, the header will be added. Note that the backend's |
3158 | setting of the header subargument takes precedence over the frontend's if |
3159 | @@ -7838,8 +7906,7 @@ persist rdp-cookie(<name>) |
3160 | server srv1 1.1.1.1:3389 |
3161 | server srv2 1.1.1.2:3389 |
3162 | |
3163 | - See also : "balance rdp-cookie", "tcp-request", the "req_rdp_cookie" ACL and |
3164 | - the rdp_cookie pattern fetch function. |
3165 | + See also : "balance rdp-cookie", "tcp-request" and the "req.rdp_cookie" ACL. |
3166 | |
3167 | |
3168 | rate-limit sessions <rate> |
3169 | @@ -8570,13 +8637,17 @@ server <name> <address>[:[port]] [param*] |
3170 | See also: "default-server", "http-send-name-header" and section 5 about |
3171 | server options |
3172 | |
3173 | -server-state-file-name [<file>] |
3174 | +server-state-file-name [ { use-backend-name | <file> } ] |
3175 | Set the server state file to read, load and apply to servers available in |
3176 | - this backend. It only applies when the directive "load-server-state-from-file" |
3177 | - is set to "local". When <file> is not provided or if this directive is not |
3178 | - set, then backend name is used. If <file> starts with a slash '/', then it is |
3179 | - considered as an absolute path. Otherwise, <file> is concatenated to the |
3180 | - global directive "server-state-file-base". |
3181 | + this backend. |
3182 | + May be used in sections: defaults | frontend | listen | backend |
3183 | + no | no | yes | yes |
3184 | + |
3185 | + It only applies when the directive "load-server-state-from-file" is set to |
3186 | + "local". When <file> is not provided, if "use-backend-name" is used or if |
3187 | + this directive is not set, then backend name is used. If <file> starts with a |
3188 | + slash '/', then it is considered as an absolute path. Otherwise, <file> is |
3189 | + concatenated to the global directive "server-state-base". |
3190 | |
3191 | Example: the minimal configuration below would make HAProxy look for the |
3192 | state server file '/etc/haproxy/states/bk': |
3193 | @@ -8584,10 +8655,10 @@ server-state-file-name [<file>] |
3194 | global |
3195 | server-state-file-base /etc/haproxy/states |
3196 | |
3197 | - backend bk |
3198 | + backend bk |
3199 | load-server-state-from-file |
3200 | |
3201 | - See also: "server-state-file-base", "load-server-state-from-file", and |
3202 | + See also: "server-state-base", "load-server-state-from-file", and |
3203 | "show servers state" |
3204 | |
3205 | server-template <prefix> <num | range> <fqdn>[:<port>] [params*] |
3206 | @@ -9589,6 +9660,11 @@ stick-table type {ip | integer | string [len <length>] | binary [len <length>]} |
3207 | incremented. Most of the time it will be used to measure the frequency of |
3208 | occurrence of certain events (e.g. requests to a specific URL). |
3209 | |
3210 | + - gpt0 : first General Purpose Tag. It is a positive 32-bit integer |
3211 | + integer which may be used for anything. Most of the time it will be used |
3212 | + to put a special tag on some entries, for instance to note that a |
3213 | + specific behavior was detected and must be known for future matches |
3214 | + |
3215 | - conn_cnt : Connection Count. It is a positive 32-bit integer which counts |
3216 | the absolute number of connections received from clients which matched |
3217 | this entry. It does not mean the connections were accepted, just that |
3218 | @@ -9772,8 +9848,8 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>] |
3219 | # maximum SSL session ID length is 32 bytes. |
3220 | stick-table type binary len 32 size 30k expire 30m |
3221 | |
3222 | - acl clienthello req_ssl_hello_type 1 |
3223 | - acl serverhello rep_ssl_hello_type 2 |
3224 | + acl clienthello req.ssl_hello_type 1 |
3225 | + acl serverhello rep.ssl_hello_type 2 |
3226 | |
3227 | # use tcp content accepts to detects ssl client and server hello. |
3228 | tcp-request inspect-delay 5s |
3229 | @@ -9787,10 +9863,10 @@ stick store-response <pattern> [table <table>] [{if | unless} <condition>] |
3230 | # at offset 44. |
3231 | |
3232 | # Match and learn on request if client hello. |
3233 | - stick on payload_lv(43,1) if clienthello |
3234 | + stick on req.payload_lv(43,1) if clienthello |
3235 | |
3236 | # Learn on response if server hello. |
3237 | - stick store-response payload_lv(43,1) if serverhello |
3238 | + stick store-response resp.payload_lv(43,1) if serverhello |
3239 | |
3240 | server s1 192.168.1.1:443 |
3241 | server s2 192.168.1.1:443 |
3242 | @@ -10390,12 +10466,12 @@ tcp-request content <action> [{if | unless} <condition>] |
3243 | Example: |
3244 | # reject SMTP connection if client speaks first |
3245 | tcp-request inspect-delay 30s |
3246 | - acl content_present req_len gt 0 |
3247 | + acl content_present req.len gt 0 |
3248 | tcp-request content reject if content_present |
3249 | |
3250 | # Forward HTTPS connection only if client speaks |
3251 | tcp-request inspect-delay 30s |
3252 | - acl content_present req_len gt 0 |
3253 | + acl content_present req.len gt 0 |
3254 | tcp-request content accept if content_present |
3255 | tcp-request content reject |
3256 | |
3257 | @@ -10530,7 +10606,7 @@ tcp-response content <action> [{if | unless} <condition>] |
3258 | the rules evaluation. Rejected session are immediately closed. |
3259 | |
3260 | - set-var(<var-name>) <expr> |
3261 | - Sets a variable. |
3262 | + Sets a variable from an expression. |
3263 | |
3264 | - unset-var(<var-name>) |
3265 | Unsets a variable. |
3266 | @@ -10602,17 +10678,9 @@ tcp-response content <action> [{if | unless} <condition>] |
3267 | <expr> Is a standard HAProxy expression formed by a sample-fetch |
3268 | followed by some converters. |
3269 | |
3270 | - Example: |
3271 | - |
3272 | - tcp-request content set-var(sess.my_var) src |
3273 | - |
3274 | The "unset-var" is used to unset a variable. See above for details about |
3275 | <var-name>. |
3276 | |
3277 | - Example: |
3278 | - |
3279 | - tcp-request content unset-var(sess.my_var) |
3280 | - |
3281 | The "send-spoe-group" is used to trigger sending of a group of SPOE |
3282 | messages. To do so, the SPOE engine used to send messages must be defined, as |
3283 | well as the SPOE group to send. Of course, the SPOE engine must refer to an |
3284 | @@ -10671,6 +10739,10 @@ tcp-request session <action> [{if | unless} <condition>] |
3285 | - sc-inc-gpc0(<sc-id>) |
3286 | - sc-inc-gpc1(<sc-id>) |
3287 | - sc-set-gpt0(<sc-id>) <int> |
3288 | + - set-dst <expr> |
3289 | + - set-dst-port <expr> |
3290 | + - set-src <expr> |
3291 | + - set-src-port <expr> |
3292 | - set-var(<var-name>) <expr> |
3293 | - unset-var(<var-name>) |
3294 | - silent-drop |
3295 | @@ -10793,8 +10865,6 @@ timeout clitimeout <timeout> (deprecated) |
3296 | during startup because it may result in accumulation of expired sessions in |
3297 | the system if the system's timeouts are not configured either. |
3298 | |
3299 | - This also applies to HTTP/2 connections, which will be closed with GOAWAY. |
3300 | - |
3301 | This parameter replaces the old, deprecated "clitimeout". It is recommended |
3302 | to use it to write new configurations. The form "timeout clitimeout" is |
3303 | provided only by backwards compatibility but its use is strongly discouraged. |
3304 | @@ -10900,10 +10970,6 @@ timeout http-keep-alive <timeout> |
3305 | set in the frontend to take effect, unless the frontend is in TCP mode, in |
3306 | which case the HTTP backend's timeout will be used. |
3307 | |
3308 | - When using HTTP/2 "timeout client" is applied instead. This is so we can keep |
3309 | - using short keep-alive timeouts in HTTP/1.1 while using longer ones in HTTP/2 |
3310 | - (where we only have one connection per client and a connection setup). |
3311 | - |
3312 | See also : "timeout http-request", "timeout client". |
3313 | |
3314 | |
3315 | @@ -11286,16 +11352,17 @@ use-server <server> unless <condition> |
3316 | |
3317 | The "use-server" statement works both in HTTP and TCP mode. This makes it |
3318 | suitable for use with content-based inspection. For instance, a server could |
3319 | - be selected in a farm according to the TLS SNI field. And if these servers |
3320 | - have their weight set to zero, they will not be used for other traffic. |
3321 | + be selected in a farm according to the TLS SNI field when using protocols with |
3322 | + implicit TLS (also see "req.ssl_sni"). And if these servers have their weight |
3323 | + set to zero, they will not be used for other traffic. |
3324 | |
3325 | Example : |
3326 | # intercept incoming TLS requests based on the SNI field |
3327 | - use-server www if { req_ssl_sni -i www.example.com } |
3328 | + use-server www if { req.ssl_sni -i www.example.com } |
3329 | server www 192.168.0.1:443 weight 0 |
3330 | - use-server mail if { req_ssl_sni -i mail.example.com } |
3331 | - server mail 192.168.0.1:587 weight 0 |
3332 | - use-server imap if { req_ssl_sni -i imap.example.com } |
3333 | + use-server mail if { req.ssl_sni -i mail.example.com } |
3334 | + server mail 192.168.0.1:465 weight 0 |
3335 | + use-server imap if { req.ssl_sni -i imap.example.com } |
3336 | server imap 192.168.0.1:993 weight 0 |
3337 | # all the rest is forwarded to this server |
3338 | server default 192.168.0.2:443 check |
3339 | @@ -11561,13 +11628,17 @@ crt-list <file> |
3340 | |
3341 | <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...] |
3342 | |
3343 | - sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names", |
3344 | - crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL |
3345 | - and Openssl >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported. |
3346 | - It override the configuration set in bind line for the certificate. |
3347 | - |
3348 | - Wildcards are supported in the SNI filter. Negative filter are also supported, |
3349 | - only useful in combination with a wildcard filter to exclude a particular SNI. |
3350 | + sslbindconf supports "allow-0rtt", "alpn", "ca-file", "ciphers", |
3351 | + "ciphersuites", "crl-file", "curves", "ecdhe", "no-ca-names", "npn", |
3352 | + "verify" configuration. With BoringSSL and Openssl >= 1.1.1 |
3353 | + "ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the |
3354 | + configuration set in bind line for the certificate. |
3355 | + |
3356 | + Wildcards are supported in the SNI filter. Negative filters can be specified |
3357 | + in the configuration, but they are only used as a hint, they don't do |
3358 | + anything. (this changes in newer haproxy versions) If you want to exclude a |
3359 | + SNI from a wildcard, use this positive SNI on another line. (like in the |
3360 | + example). |
3361 | The certificates will be presented to clients who provide a valid TLS Server |
3362 | Name Indication field matching one of the SNI filters. If no SNI filter is |
3363 | specified, the CN and alt subjects are used. This directive may be specified |
3364 | @@ -11779,6 +11850,9 @@ no-tls-tickets |
3365 | extension) and force to use stateful session resumption. Stateless |
3366 | session resumption is more expensive in CPU usage. This option is also |
3367 | available on global statement "ssl-default-bind-options". |
3368 | + The TLS ticket mechanism is only used up to TLS 1.2. |
3369 | + Forward Secrecy is compromised with TLS tickets, unless ticket keys |
3370 | + are periodically rotated (via reload or by using "tls-ticket-keys"). |
3371 | |
3372 | no-tlsv10 |
3373 | This setting is only available when support for OpenSSL was built in. It |
3374 | @@ -12041,7 +12115,7 @@ agent-check |
3375 | MAINT mode, thus it will not accept any new connections at all, and health |
3376 | checks will be stopped. |
3377 | |
3378 | - - The words "down", "failed", or "stopped", optionally followed by a |
3379 | + - The words "down", "fail", or "stopped", optionally followed by a |
3380 | description string after a sharp ('#'). All of these mark the server's |
3381 | operating state as DOWN, but since the word itself is reported on the stats |
3382 | page, the difference allows an administrator to know if the situation was |
3383 | @@ -12478,6 +12552,9 @@ no-tls-tickets |
3384 | extension) and force to use stateful session resumption. Stateless |
3385 | session resumption is more expensive in CPU usage for servers. This option |
3386 | is also available on global statement "ssl-default-server-options". |
3387 | + The TLS ticket mechanism is only used up to TLS 1.2. |
3388 | + Forward Secrecy is compromised with TLS tickets, unless ticket keys |
3389 | + are periodically rotated (via reload or by using "tls-ticket-keys"). |
3390 | See also "tls-tickets". |
3391 | |
3392 | no-tlsv10 |
3393 | @@ -12902,8 +12979,11 @@ tls-tickets |
3394 | This option may be used as "server" setting to reset any "no-tls-tickets" |
3395 | setting which would have been inherited from "default-server" directive as |
3396 | default value. |
3397 | + The TLS ticket mechanism is only used up to TLS 1.2. |
3398 | + Forward Secrecy is compromised with TLS tickets, unless ticket keys |
3399 | + are periodically rotated (via reload or by using "tls-ticket-keys"). |
3400 | It may also be used as "default-server" setting to reset any previous |
3401 | - "default-server" "no-tlsv-tickets" setting. |
3402 | + "default-server" "no-tls-tickets" setting. |
3403 | |
3404 | verify [none|required] |
3405 | This setting is only available when support for OpenSSL was built in. If set |
3406 | @@ -12948,7 +13028,7 @@ weight <weight> |
3407 | |
3408 | HAProxy allows using a host name on the server line to retrieve its IP address |
3409 | using name servers. By default, HAProxy resolves the name when parsing the |
3410 | -configuration file, at startup and cache the result for the process' life. |
3411 | +configuration file, at startup and cache the result for the process's life. |
3412 | This is not sufficient in some cases, such as in Amazon where a server's IP |
3413 | can change after a reboot or an ELB Virtual IP can change based on current |
3414 | workload. |
3415 | @@ -13013,7 +13093,7 @@ used by HAProxy. The following processing is applied on this error: |
3416 | 2. When the fallback on the query type was done (or not applicable), HAProxy |
3417 | retries the original DNS query, with the preferred query type. |
3418 | |
3419 | - 3. HAProxy retries previous steps <resolve_retires> times. If no valid |
3420 | + 3. HAProxy retries previous steps <resolve_retries> times. If no valid |
3421 | response is received after that, it stops the DNS resolution and reports |
3422 | the error. |
3423 | |
3424 | @@ -13425,17 +13505,17 @@ be placed first. The pattern matching method must be one of the following : |
3425 | For example, to quickly detect the presence of cookie "JSESSIONID" in an HTTP |
3426 | request, it is possible to do : |
3427 | |
3428 | - acl jsess_present cook(JSESSIONID) -m found |
3429 | + acl jsess_present req.cook(JSESSIONID) -m found |
3430 | |
3431 | In order to apply a regular expression on the 500 first bytes of data in the |
3432 | buffer, one would use the following acl : |
3433 | |
3434 | - acl script_tag payload(0,500) -m reg -i <script> |
3435 | + acl script_tag req.payload(0,500) -m reg -i <script> |
3436 | |
3437 | On systems where the regex library is much slower when using "-i", it is |
3438 | possible to convert the sample to lowercase before matching, like this : |
3439 | |
3440 | - acl script_tag payload(0,500),lower -m reg <script> |
3441 | + acl script_tag req.payload(0,500),lower -m reg <script> |
3442 | |
3443 | All ACL-specific criteria imply a default matching method. Most often, these |
3444 | criteria are composed by concatenating the name of the original sample fetch |
3445 | @@ -13541,11 +13621,11 @@ Available operators for integer matching are : |
3446 | |
3447 | For instance, the following ACL matches any negative Content-Length header : |
3448 | |
3449 | - acl negative-length hdr_val(content-length) lt 0 |
3450 | + acl negative-length req.hdr_val(content-length) lt 0 |
3451 | |
3452 | This one matches SSL versions between 3.0 and 3.1 (inclusive) : |
3453 | |
3454 | - acl sslv3 req_ssl_ver 3:3.1 |
3455 | + acl sslv3 req.ssl_ver 3:3.1 |
3456 | |
3457 | |
3458 | 7.1.3. Matching strings |
3459 | @@ -13613,7 +13693,7 @@ digits may be used upper or lower case. |
3460 | |
3461 | Example : |
3462 | # match "Hello\n" in the input stream (\x48 \x65 \x6c \x6c \x6f \x0a) |
3463 | - acl hello payload(0,6) -m bin 48656c6c6f0a |
3464 | + acl hello req.payload(0,6) -m bin 48656c6c6f0a |
3465 | |
3466 | |
3467 | 7.1.6. Matching IPv4 and IPv6 addresses |
3468 | @@ -13684,7 +13764,7 @@ For instance, to block HTTP requests to the "*" URL with methods other than |
3469 | requests with a content-length greater than 0, and finally every request which |
3470 | is not either GET/HEAD/POST/OPTIONS ! |
3471 | |
3472 | - acl missing_cl hdr_cnt(Content-length) eq 0 |
3473 | + acl missing_cl req.hdr_cnt(Content-length) eq 0 |
3474 | http-request deny if HTTP_URL_STAR !METH_OPTIONS || METH_POST missing_cl |
3475 | http-request deny if METH_GET HTTP_CONTENT |
3476 | http-request deny unless METH_GET or METH_POST or METH_OPTIONS |
3477 | @@ -13709,12 +13789,12 @@ the braces must be seen as independent words). Example : |
3478 | |
3479 | The following rule : |
3480 | |
3481 | - acl missing_cl hdr_cnt(Content-length) eq 0 |
3482 | + acl missing_cl req.hdr_cnt(Content-length) eq 0 |
3483 | http-request deny if METH_POST missing_cl |
3484 | |
3485 | Can also be written that way : |
3486 | |
3487 | - http-request deny if METH_POST { hdr_cnt(Content-length) eq 0 } |
3488 | + http-request deny if METH_POST { req.hdr_cnt(Content-length) eq 0 } |
3489 | |
3490 | It is generally not recommended to use this construct because it's a lot easier |
3491 | to leave errors in the configuration when written that way. However, for very |
3492 | @@ -14511,9 +14591,13 @@ upper |
3493 | sample fetch function or after a transformation keyword returning a string |
3494 | type. The result is of type string. |
3495 | |
3496 | -url_dec |
3497 | - Takes an url-encoded string provided as input and returns the decoded |
3498 | - version as output. The input and the output are of type string. |
3499 | +url_dec([<in_form>]) |
3500 | + Takes an url-encoded string provided as input and returns the decoded version |
3501 | + as output. The input and the output are of type string. If the <in_form> |
3502 | + argument is set to a non-zero integer value, the input string is assumed to |
3503 | + be part of a form or query string and the '+' character will be turned into a |
3504 | + space (' '). Otherwise this will only happen after a question mark indicating |
3505 | + a query string ('?'). |
3506 | |
3507 | ungrpc(<field_number>,[<field_type>]) |
3508 | This extracts the protocol buffers message field in raw mode of an input binary |
3509 | @@ -14852,7 +14936,7 @@ env(<name>) : string |
3510 | http-request add-header Via 1.1\ %[env(HOSTNAME)] |
3511 | |
3512 | # reject cookie-less requests when the STOP environment variable is set |
3513 | - http-request deny if !{ cook(SESSIONID) -m found } { env(STOP) -m found } |
3514 | + http-request deny if !{ req.cook(SESSIONID) -m found } { env(STOP) -m found } |
3515 | |
3516 | fe_conn([<frontend>]) : integer |
3517 | Returns the number of currently established connections on the frontend, |
3518 | @@ -15155,15 +15239,39 @@ dst_port : integer |
3519 | a same server, or to pass the destination port information to a server using |
3520 | an HTTP header. |
3521 | |
3522 | +fc_fackets : integer |
3523 | + Returns the fack counter measured by the kernel for the client |
3524 | + connection. If the server connection is not established, if the connection is |
3525 | + not TCP or if the operating system does not support TCP_INFO, for example |
3526 | + Linux kernels before 2.4, the sample fetch fails. |
3527 | + |
3528 | fc_http_major : integer |
3529 | Reports the front connection's HTTP major version encoding, which may be 1 |
3530 | for HTTP/0.9 to HTTP/1.1 or 2 for HTTP/2. Note, this is based on the on-wire |
3531 | encoding and not on the version present in the request header. |
3532 | |
3533 | +fc_lost : integer |
3534 | + Returns the lost counter measured by the kernel for the client |
3535 | + connection. If the server connection is not established, if the connection is |
3536 | + not TCP or if the operating system does not support TCP_INFO, for example |
3537 | + Linux kernels before 2.4, the sample fetch fails. |
3538 | + |
3539 | fc_rcvd_proxy : boolean |
3540 | Returns true if the client initiated the connection with a PROXY protocol |
3541 | header. |
3542 | |
3543 | +fc_reordering : integer |
3544 | + Returns the reordering counter measured by the kernel for the client |
3545 | + connection. If the server connection is not established, if the connection is |
3546 | + not TCP or if the operating system does not support TCP_INFO, for example |
3547 | + Linux kernels before 2.4, the sample fetch fails. |
3548 | + |
3549 | +fc_retrans : integer |
3550 | + Returns the retransmits counter measured by the kernel for the client |
3551 | + connection. If the server connection is not established, if the connection is |
3552 | + not TCP or if the operating system does not support TCP_INFO, for example |
3553 | + Linux kernels before 2.4, the sample fetch fails. |
3554 | + |
3555 | fc_rtt(<unit>) : integer |
3556 | Returns the Round Trip Time (RTT) measured by the kernel for the client |
3557 | connection. <unit> is facultative, by default the unit is milliseconds. <unit> |
3558 | @@ -15180,41 +15288,18 @@ fc_rttvar(<unit>) : integer |
3559 | operating system does not support TCP_INFO, for example Linux kernels before |
3560 | 2.4, the sample fetch fails. |
3561 | |
3562 | -fc_unacked : integer |
3563 | - Returns the unacked counter measured by the kernel for the client connection. |
3564 | - If the server connection is not established, if the connection is not TCP or |
3565 | - if the operating system does not support TCP_INFO, for example Linux kernels |
3566 | - before 2.4, the sample fetch fails. |
3567 | - |
3568 | fc_sacked : integer |
3569 | Returns the sacked counter measured by the kernel for the client connection. |
3570 | If the server connection is not established, if the connection is not TCP or |
3571 | if the operating system does not support TCP_INFO, for example Linux kernels |
3572 | before 2.4, the sample fetch fails. |
3573 | |
3574 | -fc_retrans : integer |
3575 | - Returns the retransmits counter measured by the kernel for the client |
3576 | - connection. If the server connection is not established, if the connection is |
3577 | - not TCP or if the operating system does not support TCP_INFO, for example |
3578 | - Linux kernels before 2.4, the sample fetch fails. |
3579 | - |
3580 | -fc_fackets : integer |
3581 | - Returns the fack counter measured by the kernel for the client |
3582 | - connection. If the server connection is not established, if the connection is |
3583 | - not TCP or if the operating system does not support TCP_INFO, for example |
3584 | - Linux kernels before 2.4, the sample fetch fails. |
3585 | - |
3586 | -fc_lost : integer |
3587 | - Returns the lost counter measured by the kernel for the client |
3588 | - connection. If the server connection is not established, if the connection is |
3589 | - not TCP or if the operating system does not support TCP_INFO, for example |
3590 | - Linux kernels before 2.4, the sample fetch fails. |
3591 | |
3592 | -fc_reordering : integer |
3593 | - Returns the reordering counter measured by the kernel for the client |
3594 | - connection. If the server connection is not established, if the connection is |
3595 | - not TCP or if the operating system does not support TCP_INFO, for example |
3596 | - Linux kernels before 2.4, the sample fetch fails. |
3597 | +fc_unacked : integer |
3598 | + Returns the unacked counter measured by the kernel for the client connection. |
3599 | + If the server connection is not established, if the connection is not TCP or |
3600 | + if the operating system does not support TCP_INFO, for example Linux kernels |
3601 | + before 2.4, the sample fetch fails. |
3602 | |
3603 | fe_defbe : string |
3604 | Returns a string containing the frontend's default backend name. It can be |
3605 | @@ -15464,6 +15549,11 @@ so_id : integer |
3606 | in frontends involving many "bind" lines, or to stick all users coming via a |
3607 | same socket to the same server. |
3608 | |
3609 | +so_name : string |
3610 | + Returns a string containing the current listening socket's name, as defined |
3611 | + with name on a "bind" line. It can serve the same purposes as so_id but with |
3612 | + strings instead of integers. |
3613 | + |
3614 | src : ip |
3615 | This is the source IPv4 address of the client of the session. It is of type |
3616 | IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are |
3617 | @@ -16045,7 +16135,7 @@ ssl_fc_protocol : string |
3618 | ssl_fc_unique_id : binary |
3619 | When the incoming connection was made over an SSL/TLS transport layer, |
3620 | returns the TLS unique ID as defined in RFC5929 section 3. The unique id |
3621 | - can be encoded to base64 using the converter: "ssl_bc_unique_id,base64". |
3622 | + can be encoded to base64 using the converter: "ssl_fc_unique_id,base64". |
3623 | |
3624 | ssl_fc_server_random : binary |
3625 | Returns the server random of the front connection when the incoming connection |
3626 | @@ -16072,7 +16162,7 @@ ssl_fc_sni : string |
3627 | matching the HTTPS host name (253 chars or less). The SSL library must have |
3628 | been built with support for TLS extensions enabled (check haproxy -vv). |
3629 | |
3630 | - This fetch is different from "req_ssl_sni" above in that it applies to the |
3631 | + This fetch is different from "req.ssl_sni" above in that it applies to the |
3632 | connection being deciphered by haproxy and not to SSL contents being blindly |
3633 | forwarded. See also "ssl_fc_sni_end" and "ssl_fc_sni_reg" below. This |
3634 | requires that the SSL library is built with support for TLS extensions |
3635 | @@ -16110,25 +16200,6 @@ payload_lv(<offset1>,<length>[,<offset2>]) : binary (deprecated) |
3636 | (e.g. "stick on", "stick match"), and for "res.payload_lv" when used in the |
3637 | context of a response such as in "stick store response". |
3638 | |
3639 | -req.hdrs : string |
3640 | - Returns the current request headers as string including the last empty line |
3641 | - separating headers from the request body. The last empty line can be used to |
3642 | - detect a truncated header block. This sample fetch is useful for some SPOE |
3643 | - headers analyzers and for advanced logging. |
3644 | - |
3645 | -req.hdrs_bin : binary |
3646 | - Returns the current request headers contained in preparsed binary form. This |
3647 | - is useful for offloading some processing with SPOE. Each string is described |
3648 | - by a length followed by the number of bytes indicated in the length. The |
3649 | - length is represented using the variable integer encoding detailed in the |
3650 | - SPOE documentation. The end of the list is marked by a couple of empty header |
3651 | - names and values (length of 0 for both). |
3652 | - |
3653 | - *(<str:header-name><str:header-value>)<empty string><empty string> |
3654 | - |
3655 | - int: refer to the SPOE documentation for the encoding |
3656 | - str: <int:length><bytes> |
3657 | - |
3658 | req.len : integer |
3659 | req_len : integer (deprecated) |
3660 | Returns an integer value corresponding to the number of bytes present in the |
3661 | @@ -16147,8 +16218,8 @@ req.payload(<offset>,<length>) : binary |
3662 | with ACLs in order to check for the presence of some content in a buffer at |
3663 | any location. |
3664 | |
3665 | - ACL alternatives : |
3666 | - payload(<offset>,<length>) : hex binary match |
3667 | + ACL derivatives : |
3668 | + req.payload(<offset>,<length>) : hex binary match |
3669 | |
3670 | req.payload_lv(<offset1>,<length>[,<offset2>]) : binary |
3671 | This extracts a binary block whose size is specified at <offset1> for <length> |
3672 | @@ -16156,8 +16227,8 @@ req.payload_lv(<offset1>,<length>[,<offset2>]) : binary |
3673 | the request buffer. The <offset2> parameter also supports relative offsets if |
3674 | prepended with a '+' or '-' sign. |
3675 | |
3676 | - ACL alternatives : |
3677 | - payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match |
3678 | + ACL derivatives : |
3679 | + req.payload_lv(<offset1>,<length>[,<offset2>]) : hex binary match |
3680 | |
3681 | Example : please consult the example from the "stick store-response" keyword. |
3682 | |
3683 | @@ -16195,7 +16266,7 @@ rdp_cookie([<name>]) : string (deprecated) |
3684 | rdp-cookie". |
3685 | |
3686 | ACL derivatives : |
3687 | - req_rdp_cookie([<name>]) : exact string match |
3688 | + req.rdp_cookie([<name>]) : exact string match |
3689 | |
3690 | Example : |
3691 | listen tse-farm |
3692 | @@ -16214,7 +16285,7 @@ rdp_cookie([<name>]) : string (deprecated) |
3693 | server srv1 1.1.1.2:3389 |
3694 | |
3695 | See also : "balance rdp-cookie", "persist rdp-cookie", "tcp-request" and the |
3696 | - "req_rdp_cookie" ACL. |
3697 | + "req.rdp_cookie" ACL. |
3698 | |
3699 | req.rdp_cookie_cnt([name]) : integer |
3700 | rdp_cookie_cnt([name]) : integer (deprecated) |
3701 | @@ -16224,7 +16295,7 @@ rdp_cookie_cnt([name]) : integer (deprecated) |
3702 | used in ACL. |
3703 | |
3704 | ACL derivatives : |
3705 | - req_rdp_cookie_cnt([<name>]) : integer match |
3706 | + req.rdp_cookie_cnt([<name>]) : integer match |
3707 | |
3708 | req.ssl_alpn : string |
3709 | Returns a string containing the values of the Application-Layer Protocol |
3710 | @@ -16238,7 +16309,7 @@ req.ssl_alpn : string |
3711 | Examples : |
3712 | # Wait for a client hello for at most 5 seconds |
3713 | tcp-request inspect-delay 5s |
3714 | - tcp-request content accept if { req_ssl_hello_type 1 } |
3715 | + tcp-request content accept if { req.ssl_hello_type 1 } |
3716 | use_backend bk_acme if { req.ssl_alpn acme-tls/1 } |
3717 | default_backend bk_default |
3718 | |
3719 | @@ -16268,22 +16339,24 @@ req_ssl_sni : string (deprecated) |
3720 | contains data that parse as a complete SSL (v3 or superior) client hello |
3721 | message. Note that this only applies to raw contents found in the request |
3722 | buffer and not to contents deciphered via an SSL data layer, so this will not |
3723 | - work with "bind" lines having the "ssl" option. SNI normally contains the |
3724 | - name of the host the client tries to connect to (for recent browsers). SNI is |
3725 | - useful for allowing or denying access to certain hosts when SSL/TLS is used |
3726 | - by the client. This test was designed to be used with TCP request content |
3727 | - inspection. If content switching is needed, it is recommended to first wait |
3728 | - for a complete client hello (type 1), like in the example below. See also |
3729 | - "ssl_fc_sni". |
3730 | + work with "bind" lines having the "ssl" option. This will only work for actual |
3731 | + implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465), |
3732 | + however it will not work for explicit TLS based protocols, like SMTP (25/587) |
3733 | + or IMAP (143). SNI normally contains the name of the host the client tries to |
3734 | + connect to (for recent browsers). SNI is useful for allowing or denying access |
3735 | + to certain hosts when SSL/TLS is used by the client. This test was designed to |
3736 | + be used with TCP request content inspection. If content switching is needed, |
3737 | + it is recommended to first wait for a complete client hello (type 1), like in |
3738 | + the example below. See also "ssl_fc_sni". |
3739 | |
3740 | ACL derivatives : |
3741 | - req_ssl_sni : exact string match |
3742 | + req.ssl_sni : exact string match |
3743 | |
3744 | Examples : |
3745 | # Wait for a client hello for at most 5 seconds |
3746 | tcp-request inspect-delay 5s |
3747 | - tcp-request content accept if { req_ssl_hello_type 1 } |
3748 | - use_backend bk_allow if { req_ssl_sni -f allowed_sites } |
3749 | + tcp-request content accept if { req.ssl_hello_type 1 } |
3750 | + use_backend bk_allow if { req.ssl_sni -f allowed_sites } |
3751 | default_backend bk_sorry_page |
3752 | |
3753 | req.ssl_st_ext : integer |
3754 | @@ -16310,7 +16383,7 @@ req_ssl_ver : integer (deprecated) |
3755 | fetch is mostly used in ACL. |
3756 | |
3757 | ACL derivatives : |
3758 | - req_ssl_ver : decimal match |
3759 | + req.ssl_ver : decimal match |
3760 | |
3761 | res.len : integer |
3762 | Returns an integer value corresponding to the number of bytes present in the |
3763 | @@ -16493,14 +16566,14 @@ cook([<name>]) : string (deprecated) |
3764 | presence. Use the res.cook() variant for response cookies sent by the server. |
3765 | |
3766 | ACL derivatives : |
3767 | - cook([<name>]) : exact string match |
3768 | - cook_beg([<name>]) : prefix match |
3769 | - cook_dir([<name>]) : subdir match |
3770 | - cook_dom([<name>]) : domain match |
3771 | - cook_end([<name>]) : suffix match |
3772 | - cook_len([<name>]) : length match |
3773 | - cook_reg([<name>]) : regex match |
3774 | - cook_sub([<name>]) : substring match |
3775 | + req.cook([<name>]) : exact string match |
3776 | + req.cook_beg([<name>]) : prefix match |
3777 | + req.cook_dir([<name>]) : subdir match |
3778 | + req.cook_dom([<name>]) : domain match |
3779 | + req.cook_end([<name>]) : suffix match |
3780 | + req.cook_len([<name>]) : length match |
3781 | + req.cook_reg([<name>]) : regex match |
3782 | + req.cook_sub([<name>]) : substring match |
3783 | |
3784 | req.cook_cnt([<name>]) : integer |
3785 | cook_cnt([<name>]) : integer (deprecated) |
3786 | @@ -16588,7 +16661,11 @@ hdr_ip([<name>[,<occ>]]) : ip (deprecated) |
3787 | This extracts the last occurrence of header <name> in an HTTP request, |
3788 | converts it to an IPv4 or IPv6 address and returns this address. When used |
3789 | with ACLs, all occurrences are checked, and if <name> is omitted, every value |
3790 | - of every header is checked. Optionally, a specific occurrence might be |
3791 | + of every header is checked. The parser strictly adheres to the format |
3792 | + described in RFC7239, with the extension that IPv4 addresses may optionally |
3793 | + be followed by a colon (':') and a valid decimal port number (0 to 65535), |
3794 | + which will be silently dropped. All other forms will not match and will |
3795 | + cause the address to be ignored. Optionally, a specific occurrence might be |
3796 | specified as a position number. Positive values indicate a position from the |
3797 | first occurrence, with 1 being the first one. Negative values indicate |
3798 | positions relative to the last one, with -1 being the last one. A typical use |
3799 | @@ -16604,7 +16681,24 @@ hdr_val([<name>[,<occ>]]) : integer (deprecated) |
3800 | the first one. Negative values indicate positions relative to the last one, |
3801 | with -1 being the last one. A typical use is with the X-Forwarded-For header. |
3802 | |
3803 | +req.hdrs : string |
3804 | + Returns the current request headers as string including the last empty line |
3805 | + separating headers from the request body. The last empty line can be used to |
3806 | + detect a truncated header block. This sample fetch is useful for some SPOE |
3807 | + headers analyzers and for advanced logging. |
3808 | + |
3809 | +req.hdrs_bin : binary |
3810 | + Returns the current request headers contained in preparsed binary form. This |
3811 | + is useful for offloading some processing with SPOE. Each string is described |
3812 | + by a length followed by the number of bytes indicated in the length. The |
3813 | + length is represented using the variable integer encoding detailed in the |
3814 | + SPOE documentation. The end of the list is marked by a couple of empty header |
3815 | + names and values (length of 0 for both). |
3816 | + |
3817 | + *(<str:header-name><str:header-value>)<empty string><empty string> |
3818 | |
3819 | + int: refer to the SPOE documentation for the encoding |
3820 | + str: <int:length><bytes> |
3821 | |
3822 | http_auth(<userlist>) : boolean |
3823 | Returns a boolean indicating whether the authentication data received from |
3824 | @@ -16689,7 +16783,7 @@ req_ver : string (deprecated) |
3825 | check for versions 1.0 and 1.1. |
3826 | |
3827 | ACL derivatives : |
3828 | - req_ver : exact string match |
3829 | + req.ver : exact string match |
3830 | |
3831 | res.comp : boolean |
3832 | Returns the boolean "true" value if the response has been compressed by |
3833 | @@ -16708,7 +16802,7 @@ scook([<name>]) : string (deprecated) |
3834 | specified, the first cookie value is returned. |
3835 | |
3836 | ACL derivatives : |
3837 | - scook([<name>] : exact string match |
3838 | + res.scook([<name>] : exact string match |
3839 | |
3840 | res.cook_cnt([<name>]) : integer |
3841 | scook_cnt([<name>]) : integer (deprecated) |
3842 | @@ -16752,14 +16846,14 @@ shdr([<name>[,<occ>]]) : string (deprecated) |
3843 | res.fhdr() fetch should be used instead. |
3844 | |
3845 | ACL derivatives : |
3846 | - shdr([<name>[,<occ>]]) : exact string match |
3847 | - shdr_beg([<name>[,<occ>]]) : prefix match |
3848 | - shdr_dir([<name>[,<occ>]]) : subdir match |
3849 | - shdr_dom([<name>[,<occ>]]) : domain match |
3850 | - shdr_end([<name>[,<occ>]]) : suffix match |
3851 | - shdr_len([<name>[,<occ>]]) : length match |
3852 | - shdr_reg([<name>[,<occ>]]) : regex match |
3853 | - shdr_sub([<name>[,<occ>]]) : substring match |
3854 | + res.hdr([<name>[,<occ>]]) : exact string match |
3855 | + res.hdr_beg([<name>[,<occ>]]) : prefix match |
3856 | + res.hdr_dir([<name>[,<occ>]]) : subdir match |
3857 | + res.hdr_dom([<name>[,<occ>]]) : domain match |
3858 | + res.hdr_end([<name>[,<occ>]]) : suffix match |
3859 | + res.hdr_len([<name>[,<occ>]]) : length match |
3860 | + res.hdr_reg([<name>[,<occ>]]) : regex match |
3861 | + res.hdr_sub([<name>[,<occ>]]) : substring match |
3862 | |
3863 | res.hdr_cnt([<name>]) : integer |
3864 | shdr_cnt([<name>]) : integer (deprecated) |
3865 | @@ -16799,7 +16893,7 @@ resp_ver : string (deprecated) |
3866 | can be useful for logs, but is mostly there for ACL. |
3867 | |
3868 | ACL derivatives : |
3869 | - resp_ver : exact string match |
3870 | + resp.ver : exact string match |
3871 | |
3872 | set-cookie([<name>]) : string (deprecated) |
3873 | This extracts the last occurrence of the cookie name <name> on a "Set-Cookie" |
3874 | @@ -17570,7 +17664,7 @@ Please refer to the table below for currently defined variables : |
3875 | | | %ID | unique-id | string | |
3876 | | | %ST | status_code | numeric | |
3877 | | | %T | gmt_date_time | date | |
3878 | - | | %Ta | Active time of the request (from TR to end) | numeric | |
3879 | + | H | %Ta | Active time of the request (from TR to end) | numeric | |
3880 | | | %Tc | Tc | numeric | |
3881 | | | %Td | Td = Tt - (Tq + Tw + Tc + Tr) | numeric | |
3882 | | | %Tl | local_date_time | date | |
3883 | @@ -18184,7 +18278,7 @@ easier finding and understanding. |
3884 | external attacks. |
3885 | |
3886 | PC The proxy refused to establish a connection to the server because the |
3887 | - process' socket limit has been reached while attempting to connect. |
3888 | + process's socket limit has been reached while attempting to connect. |
3889 | The global "maxconn" parameter may be increased in the configuration |
3890 | so that it does not happen anymore. This status is very rare and |
3891 | might happen when the global "ulimit-n" parameter is forced by hand. |
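diff --git a/doc/internals/acl.txt b/doc/internals/acl.txt
index 320381a..0379331 100644
--- a/doc/internals/acl.txt
+++ b/doc/internals/acl.txt
@@ -25,7 +25,7 @@ reports no more value. This makes sense for instance when checking IP addresses
 found in HTTP headers, which can appear multiple times. The acl_test is kept
 intact between calls and even holds a context so that the fetch function knows
 where to start from for subsequent calls. The match function may also use the
-context eventhough it was not designed for that purpose.
+context even though it was not designed for that purpose.
 
 An ACL is defined only by its name and can be a series of ACL expressions. The
 ACL is deemed true when any of its expressions is true. They are evaluated in
@@ -35,7 +35,7 @@ So in summary :
 
 - an ACL is a series of tests to perform on a stream, any of which is enough
 to validate the result.
-
+
 - each test is defined by an expression associating a keyword and a series of
 patterns.
 
@@ -59,7 +59,7 @@ a suite. A term simply is a pointer to an ACL.
 
 We could then represent a rule by the following BNF :
 
- rule = if-cond
+ rule = if-cond
 | unless-cond
 
 if-cond (struct acl_cond with ->pol = ACL_COND_IF)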
3922 | if-cond (struct acl_cond with ->pol = ACL_COND_IF) |
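diff --git a/doc/internals/buffer-api.txt b/doc/internals/buffer-api.txt
index abb5e9f..90113a1 100644
--- a/doc/internals/buffer-api.txt
+++ b/doc/internals/buffer-api.txt
@@ -9,7 +9,7 @@ used during data transformation such as compression, header insertion or
 defragmentation, and are used to carry intermediary representations between the
 various internal layers. They support wrapping at the end, and they carry their
 own size information so that in theory it would be possible to use different
-buffer sizes in parallel eventhough this is not currently implemented.
+buffer sizes in parallel even though this is not currently implemented.
 
 The format of this structure has evolved over time, to reach a point where it
 is convenient and versatile enough to have permitted to make several internal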
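diff --git a/doc/internals/filters.txt b/doc/internals/filters.txt
index 7705ee2..d1e0c4d 100644
--- a/doc/internals/filters.txt
+++ b/doc/internals/filters.txt
@@ -54,7 +54,7 @@ places, mainly around channel analyzers. Their purpose is to allow filters to
 be involved in the data processing, from the stream creation/destruction to
 the data forwarding. Depending of what it should do, a filter can implement all
 or part of these callbacks. For now, existing callbacks are focused on
-streams. But futur improvements could enlarge filters scope. For example, it
+streams. But future improvements could enlarge filters scope. For example, it
 could be useful to handle events at the connection level.
 
 In HAProxy configuration file, a filter is declared in a proxy section, except
@@ -84,7 +84,7 @@ filters are also chained, frontend ones called first. Even if the filters
 processing is serialized, each filter will bahave as it was alone (unless it was
 developed to be aware of other filters). For all that, some constraints are
 imposed to filters, especially when data exchanged between the client and the
-server are processed. We will dicuss again these contraints when we will tackle
+server are processed. We will discuss again these constraints when we will tackle
 the subject of writing a filter.
 
 
@@ -122,11 +122,11 @@ The list of available filters is reported by 'haproxy -vv':
 Multiple filter lines can be used in a proxy section to chain filters. Filters
 will be called in the declaration order.
 
-Some filters can support implicit declarartions in certain circumstances
-(without the filter line). This is not recommanded for new features but are
+Some filters can support implicit declarations in certain circumstances
+(without the filter line). This is not recommended for new features but are
 useful for existing ones moved in a filter, for backward compatibility
-reasons. Implicit declarartions are supported when there is only one filter used
-on a proxy. When several filters are used, explicit declarartions are mandatory.
+reasons. Implicit declarations are supported when there is only one filter used
+on a proxy. When several filters are used, explicit declarations are mandatory.
 The HTTP compression filter is one of these filters. Alone, using 'compression'
 keywords is enough to use it. But when at least a second filter is used, a
 filter line must be added.
@@ -283,7 +283,7 @@ the structure 'stream', the field 'strm_flt' is the state of all filter
 instances attached to a stream:
 
 /*
- * Structure reprensenting the "global" state of filters attached to a
+ * Structure representing the "global" state of filters attached to a
 * stream.
 */
 struct strm_flt {
@@ -302,7 +302,7 @@ Filter instances attached to a stream are stored in the field
 'strm_flt.filters', each instance is of type 'struct filter *':
 
 /*
- * Structure reprensenting a filter instance attached to a stream
+ * Structure representing a filter instance attached to a stream
 *
 * 2D-Array fields are used to store info per channel. The first index
 * stands for the request channel, and the second one for the response
@@ -659,7 +659,7 @@ For example:
 The main purpose of filters is to take part in the channels analyzing. To do so,
 there is 2 callbacks, 'flt_ops.channel_pre_analyze' and
 'flt_ops.channel_post_analyze', called respectively before and after each
-analyzer attached to a channel, execpt analyzers responsible for the data
+analyzer attached to a channel, except analyzers responsible for the data
 parsing/forwarding (TCP or HTTP data). Concretely, on the request channel, these
 callbacks could be called before following analyzers:
 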
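diff --git a/doc/internals/hashing.txt b/doc/internals/hashing.txt
index 281dcf6..af66de2 100644
--- a/doc/internals/hashing.txt
+++ b/doc/internals/hashing.txt
@@ -2,7 +2,7 @@
 
 This document describes how Haproxy implements hashing both map-based and
 consistent hashing, both prior to versions 1.5 and the motivation and tests
-that were done when providing additional options starting in version 1.5.
+that were done when providing additional options starting in version 2.0
 
 A note on hashing in general, hash functions strive to have little
 correlation between input and output. The heart of a hash function is its
@@ -79,5 +79,5 @@ algorithms that are better for different inputs. Avalanche is not always
 applicable and may result in less smooth distribution.
 
 References:
-Mixing Functions/Avalanche: http://home.comcast.net/~bretm/hash/3.html
+Mixing Functions/Avalanche: https://papa.bretmulvey.com/post/124027987928/hash-functions
 Hash Functions: http://www.cse.yorku.ca/~oz/hash.html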
4021 | diff --git a/doc/internals/htx-api.txt b/doc/internals/htx-api.txt |
4022 | new file mode 100644 |
4023 | index 0000000..f1e38d1 |
4024 | --- /dev/null |
4025 | +++ b/doc/internals/htx-api.txt |
4026 | @@ -0,0 +1,498 @@ |
4027 | + ----------------------------------------------- |
4028 | + HTX API |
4029 | + Version 1.0 |
4030 | + ( Last update: 2019-06-20 ) |
4031 | + ----------------------------------------------- |
4032 | + Author : Christopher Faulet |
4033 | + Contact : cfaulet at haproxy dot com |
4034 | + |
4035 | +1. Background |
4036 | + |
4037 | +Historically, HAProxy stored HTTP messages in a raw fashion in buffers, keeping |
4038 | +parsing information separately in a "struct http_msg" owned by the stream. It was |
4039 | +optimized to the data transfer, but not so much for rewrites. It was also HTTP/1 |
4040 | +centered. While it was the only HTTP version supported, it was not a |
4041 | +problem. But with the rise of HTTP/2, it starts to be hard to still use this |
4042 | +representation. |
4043 | + |
4044 | +At the first age of the HTTP/2 in HAProxy, H2 messages were converted into |
4045 | +H1. This was terribly unefficient because it required two parsing passes, a |
4046 | +first one in H2 and a second one in H1, with a conversion in the middle. And of |
4047 | +course, the same was also true in the opposite direction. outgoing H1 messages |
4048 | +had to be converted back in H2 to be sent. Even worse, because the H2->H1 |
4049 | +conversion, only client H2 connections were supported. |
4050 | + |
4051 | +So, to address all these problems, we decided to replace the old raw |
4052 | +representation by a version-agnostic and self-structured internal HTTP |
4053 | +representation, the HTX. As an additional benefit, with this new representation, |
4054 | +the message parsing and its processing are now separated, making all the HTTP |
4055 | +analysis simpler and cleaner. The parsing of HTTP messages is now handled by |
4056 | +the multiplexers (h1 or h2). |
4057 | + |
4058 | + |
4059 | +2. The HTX message |
4060 | + |
4061 | +The HTX is a structure containing useful information about an HTTP message |
4062 | +followed by a contiguous array with some parts of the message. These parts are |
4063 | +called blocks. A block is composed of metadata (htx_blk) and an associated |
4064 | +payload. Blocks' metadata are stored starting from the end of the array while |
4065 | +their payload are stored at the beginning. Blocks' metadata are often simply |
4066 | +called blocks. it is a misuse of language that's simplify explanations. |
4067 | + |
4068 | +Internally, this structure is "hidden" in a buffer. This way, there are few |
4069 | +changes into intermediate layers (stream-interface and channels). They still |
4070 | +manipulate buffers. Only the multiplexer and the stream have to know how data |
4071 | +are really stored. From the HTX perspective, a buffer is just a memory |
4072 | +area. When an HTX message is stored in a buffer, this one appears as full. |
4073 | + |
4074 | + * General view of an HTX message : |
4075 | + |
4076 | + |
4077 | + buffer->area |
4078 | + | |
4079 | + |<------------ buffer->size == buffer->data ----------------------| |
4080 | + | | |
4081 | + | |<------------- Blocks array (htx->size) ------------------>| |
4082 | + V | | |
4083 | + +-----+-----------------+-------------------------+---------------+ |
4084 | + | HTX | PAYLOADS ==> | | <== HTX_BLKs | |
4085 | + +-----+-----------------+-------------------------+---------------+ |
4086 | + | | | | |
4087 | + |<-payloads part->|<----- free space ------>|<-blocks part->| |
4088 | + (htx->data) |
4089 | + |
4090 | + |
4091 | +The blocks part remains linear and sorted. You may think about it as an array |
4092 | +with negative indexes. But, instead of using negative indexes, we use positive |
4093 | +positions to identify a block. This position is then converted to an address |
4094 | +relatively to the beginning of the blocks array. |
4095 | + |
4096 | + tail head |
4097 | + | | |
4098 | + V V |
4099 | + .....--+----+-----------------------+------+------+ |
4100 | + | Bn | ... | B1 | B0 | |
4101 | + .....--+----+-----------------------+------+------+ |
4102 | + ^ ^ ^ |
4103 | + Addr of the block Addr of the block Addr of the block |
4104 | + at the position N at the position 1 at the position 0 |
4105 | + |
4106 | + |
4107 | +In the HTX structure, 3 "special" positions are stored: |
4108 | + |
4109 | + - tail : Position of the newest inserted block |
4110 | + - head : Position of the oldest inserted block |
4111 | + - first : Position of the first block to (re)start the analyse |
4112 | + |
4113 | +The blocks part never wrap. If we have no space to allocate a new block and if |
4114 | +there is a hole at the beginning of the blocks part (so at the end of the blocks |
4115 | +array), we move back all blocks. |
4116 | + |
4117 | + |
4118 | + tail head tail head |
4119 | + | | | | |
4120 | + V V V V |
4121 | + ...+--------------+---------+ blocks ...----------+--------------+ |
4122 | + | X== HTX_BLKS | | defrag | <== HTX_BLKS | |
4123 | + ...+--------------+---------+ =====> ...----------+--------------+ |
4124 | + |
4125 | + |
4126 | +The payloads part is a raw space that may wrap. You never access to a block's |
4127 | +payload directly. Instead you get a block to retrieve the address of its |
4128 | +payload. |
4129 | + |
4130 | + |
4131 | + +------------------------( B0.addr )--------------------------+ |
4132 | + | +-------------------( B1.addr )----------------------+ | |
4133 | + | | +-----------( B2.addr )----------------+ | | |
4134 | + V V V | | | |
4135 | + +-----+----+-------+----+--------+-------------+-------+----+----+----+ |
4136 | + | HTX | P0 | P1 | P2 | ...==> | | <=... | B2 | B1 | B0 | |
4137 | + +-----+----+-------+----+--------+-------------+-------+----+----+----+ |
4138 | + |
4139 | + |
4140 | +Because the payloads part may wrap, there are 2 usable free spaces: |
4141 | + |
4142 | + - The free space in front of the blocks part. This one is used if and only if |
4143 | + the other one was not used yet. |
4144 | + |
4145 | + - The free space at the beginning of the message. Once this one is used, the |
4146 | + other one is never used again, until a message defragmentation. |
4147 | + |
4148 | + |
4149 | + * Linear payloads part : |
4150 | + |
4151 | + |
4152 | + head_addr end_addr tail_addr |
4153 | + | | | |
4154 | + V V V |
4155 | + +-----+--------------------+-------------+--------------------+-------... |
4156 | + | HTX | | PAYLOADS | | HTX_BLKs |
4157 | + +-----+--------------------+-------------+--------------------+-------... |
4158 | + |<-- free space 2 -->| |<-- free space 1 -->| |
4159 | + (used if the other is too small) (used in priority) |
4160 | + |
4161 | + |
4162 | + * Wrapping payloads part : |
4163 | + |
4164 | + |
4165 | + head_addr end_addr tail_addr |
4166 | + | | | |
4167 | + V V V |
4168 | + +-----+----+----------------+--------+----------------+-------+-------... |
4169 | + | HTX | | PAYLOADS part2 | | PAYLOADS part1 | | HTX_BLKs |
4170 | + +-----+----+----------------+--------+----------------+-------+-------... |
4171 | + |<-->| |<------>| |<----->| |
4172 | + unusable free space unusable |
4173 | + free space free space |
4174 | + |
4175 | + |
4176 | +Finally, when the usable free space is not enough to store a new block, unsuable |
4177 | +parts may be get back with a full defragmentation. The payloads part is then |
4178 | +realigned at the beginning of the blocks array and the free space becomes |
4179 | +continuous again. |
4180 | + |
4181 | + |
4182 | +3. The HTX blocks |
4183 | + |
4184 | +An HTX block can be as well a start-line as a header, a body part or a |
4185 | +trailer. For all these types of block, a payload is attached to the block. It |
4186 | +can also be a marker, the end-of-headers, end-of-trailers or end-of-message. For |
4187 | +these blocks, there is no payload but it counts for a byte. It is important to |
4188 | +not skip it when data are forwarded. |
4189 | + |
4190 | +As already said, a block is composed of metadata and a payload. Metadata are |
4191 | +stored in the blocks part and are composed of 2 fields : |
4192 | + |
4193 | + - info : It a 32 bits field containing the block's type on 4 bits followed |
4194 | + by the payload length. See below for details. |
4195 | + |
4196 | + - addr : The payload's address, if any, relatively to the beginning the |
4197 | + array used to store part of the HTTP message itself. |
4198 | + |
4199 | + |
4200 | + * Block's info representation : |
4201 | + |
4202 | + 0b 0000 0000 0000 0000 0000 0000 0000 0000 |
4203 | + ---- ------------------------ --------- |
4204 | + type value (1 MB max) name length (header/trailer - 256B max) |
4205 | + ---------------------------------- |
4206 | + data length (256 MB max) |
4207 | + (body, method, path, version, status, reason) |
4208 | + |
4209 | + |
4210 | +Supported types are : |
4211 | + |
4212 | + - 0000 (0) : The request start-line |
4213 | + - 0001 (1) : The response start-line |
4214 | + - 0010 (2) : A header block |
4215 | + - 0011 (3) : The end-of-headers marker |
4216 | + - 0100 (4) : A data block |
4217 | + - 0101 (5) : A trailer block |
4218 | + - 0110 (6) : The end-of-trailers marker |
4219 | + - 0111 (7) : The end-of-message marker |
4220 | + - 1111 (15) : An unused block |
4221 | + |
4222 | +Other types are unused for now and reserved for futur extensions. |
4223 | + |
4224 | +An HTX message is typically composed of following blocks, in this order : |
4225 | + |
4226 | + - a start-line |
4227 | + - zero or more header blocks |
4228 | + - an end-of-headers marker |
4229 | + - zero or more data blocks |
4230 | + - zero or more trailer blocks (optional) |
4231 | + - an end-of-trailers marker (optional but always set if there is at least |
4232 | + one trailer block) |
4233 | + - an end-of-message marker. |
4234 | + |
4235 | +Only one HTTP request at a time can be stored in an HTX message. For HTTP |
4236 | +response, it is more complicated. Only one "final" response can be stored in an |
4237 | +HTX message. It is a response with status-code 101 or greater or equal to |
4238 | +200. But it may be preceded by several 1xx informational responses. Such |
4239 | +responses are part of the same HTX message, so there is no end-of-message marker |
4240 | +for them. |
4241 | + |
4242 | + |
4243 | +3.1. The start-line |
4244 | + |
4245 | +Every HTX message starts with a start-line. Its payload is a "struct htx_sl". In |
4246 | +addition to the parts of the HTTP start-line, this structure contains some |
4247 | +information about the represented HTTP message, mainly in the form of flags |
4248 | +(HTX_SL_F_*). For instance, if an HTTP message contains the header |
4249 | +"conten-length", then the flag HTX_SL_F_CLEN is set. |
4250 | + |
4251 | +Each HTTP message has its own start-line. So an HTX request has one and only one |
4252 | +start-line because it must contain only one HTTP request at a time. But an HTX |
4253 | +response may have more than one start-line if the final HTTP response is |
4254 | +precedeed by some 1xx informational responses. |
4255 | + |
4256 | +In HTTP/2, there is no start-line. So the H2 multiplexer must create one when it |
4257 | +converts an H2 message to HTX : |
4258 | + |
4259 | + - For the request, it uses the pseudo headers ":method", ":path" or |
4260 | + ":authority" depending on the method and the hardcoded version "HTTP/2.0". |
4261 | + |
4262 | + - For the response, it used the hardcoded version "HTTP/2.0", the |
4263 | + pseudo-header ":status" and an empty reason. |
4264 | + |
4265 | + |
4266 | +3.2. The headers and trailers |
4267 | + |
4268 | +HTX Headers and trailers are quite similar. Different types are used to simplify |
4269 | +headers processing. But from the HTX point of view, there is no real difference, |
4270 | +except their position in the HTX message. The header blocks always follow an HTX |
4271 | +start-line while trailer blocks come after the data. If there is no data, they |
4272 | +follow the end-of-headers marker. |
4273 | + |
4274 | +Headers and trailers are the only blocks containing a Key/Value payload. The |
4275 | +corresponding end-of marker must always be placed after each group to mark, as |
4276 | +it name suggests, the end. |
4277 | + |
4278 | +In HTTP/1, trailers are only present on chunked messages. But chunked messages |
4279 | +do not always have trailers. In this case, the end-of-trailers block may or may |
4280 | +not be present. Multiplexers must be able to handle both situations. In HTTP/2, |
4281 | +trailers are only present if a HEADERS frame is sent after DATA frames. |
4282 | + |
4283 | + |
4284 | +3.3. The data |
4285 | + |
4286 | +The payload body of an HTTP message is stored as DATA blocks in the HTX |
4287 | +message. For HTTP/1 messages, it is the message body without the chunks |
4288 | +formatting, if any. For HTTP/2, it is the payload of DATA frames. |
4289 | + |
4290 | +The DATA blocks are the only HTX blocks that may be partially processed (copied |
4291 | +or removed). All other types of block must be entierly processed. This means |
4292 | +DATA blocks can be resized. |
4293 | + |
4294 | + |
4295 | +3.4. The end-of markers |
4296 | + |
4297 | +These blocks are used to delimit parts of an HTX message. It exists three |
4298 | +markers: |
4299 | + |
4300 | + - end-of-headers (EOH) |
4301 | + - end-of-trailers (EOT) |
4302 | + - end-of-message (EOM) |
4303 | + |
4304 | +EOH and EOM are always present in an HTX message. EOT is optional. |
4305 | + |
4306 | + |
4307 | +4. The HTX API |
4308 | + |
4309 | + |
4310 | +4.1. Get/set HTX message from/to the underlying buffer |
4311 | + |
4312 | +The first thing to do to process an HTX message is to get it from the underlying |
4313 | +buffer. There are 2 functions to do so, the second one relying on the first: |
4314 | + |
4315 | + - htxbuf() returns an HTX message from a buffer. It does not modify the |
4316 | + buffer. It only initialize the HTX message if the buffer is empty. |
4317 | + |
4318 | + - htx_from_buf() uses htxbuf(). But it also updates the underlying buffer so |
4319 | + that it appears as full. |
4320 | + |
4321 | +Both functions return a "zero-sized" HTX message if the buffer is null. This |
4322 | +way, you are sure to always have a valid HTX message. The first function is the |
4323 | +default function to use. The second one is only useful when some content will be |
4324 | +added. For instance, it used by the HTX analyzers when HAproxy generates a |
4325 | +response. This way, the buffer is in a right state and you don't need to take |
4326 | +care of it anymore outside the possible error paths. |
4327 | + |
4328 | +Once the processing done, if the HTX message has been modified, the underlying |
4329 | +buffer must be also updated, except you uses htx_from_buf() and you only add |
4330 | +data. For all other cases, the function htx_to_buf() must be called. |
4331 | + |
4332 | +Finally, the function htx_reset() may be called at any time to reset an HTX |
4333 | +message. And the function buf_room_for_htx_data() may be called to know if a raw |
4334 | +buffer is full from the HTX perspective. It is used during conversion from/to |
4335 | +the HTX. |
4336 | + |
4337 | + |
4338 | +4.2. Helpers to deal with free space in an HTX message |
4339 | + |
4340 | +Once you have an HTX message, following functions may help you to process it : |
4341 | + |
4342 | + - htx_used_space() and htx_meta_space() return, respectively, the total |
4343 | + space used in an HTX message and the space used by block's metadata only. |
4344 | + |
4345 | + - htx_free_space() and htx_free_data_space() return, respectively, the total |
4346 | + free space in an HTX message and the free space available for the payload |
4347 | + if a new HTX block is stored (so it is the total free space minus the size |
4348 | + of an HTX block). |
4349 | + |
4350 | + - htx_is_empty() and htx_is_not_empty() are boolean functions to know if an |
4351 | + HTX message is empty or not. |
4352 | + |
4353 | + - htx_get_max_blksz() returns the maximum size available for the payload, |
4354 | + not exceeding a maximum, metadata included. |
4355 | + |
4356 | + - htx_almost_full() should be used to know if an HTX message uses at least |
4357 | + 3/4 of its capacity. |
4358 | + |
4359 | + |
4360 | +4.3. HTX Blocks manipulations |
4361 | + |
4362 | +Once you know how much space is available in an HTX message, the next step is to |
4363 | +add HTX blocks. First of all the function htx_nbblks() returns the number of |
4364 | +blocks allocated in an HTX message. Then, there is an add function per block's |
4365 | +type: |
4366 | + |
4367 | + - htx_add_stline() adds a start-line. The type (request or response) and the |
4368 | + flags of the start-line must be provided, as well as its three parts |
4369 | + (method,uri,version or version,status-code,reason). |
4370 | + |
4371 | + - htx_add_header() and htx_add_trailers() are similar. The name and the |
4372 | + value must be provided. The inserted HTX block is returned on success or |
4373 | + NULL if an error occurred. |
4374 | + |
4375 | + - htx_add_endof() must be used to add any end-of marker. The block's type |
4376 | + (EOH, EOT or EOM) must be specified. The inserted HTX block is returned on |
4377 | + success or NULL if an error occurred. |
4378 | + |
4379 | + - htx_add_all_headers() and htx_add_all_trailers() add, respectively, a list |
4380 | + of headers and a list of trailers, followed by the appropriate end-of |
4381 | + marker. On success, this marker is returned. Otherwise, NULL is |
4382 | + returned. Note there is no rollback on the HTX message when an error |
4383 | + occurred. Some headers or trailers may have been added. So it is the |
4384 | + caller responsibility to take care of that. |
4385 | + |
4386 | + - htx_add_data() must be used to add a DATA block. Unlike previous |
4387 | + functions, this one returns the number of bytes copied or 0 if nothing was |
4388 | + copied. If possible, the data are appended to the last DATA block, if |
4389 | + any. Only a part of the payload may be copied because this function will |
4390 | + try to limit the message defragmentation and the wrapping of blocks as far |
4391 | + as possible. If you really need to add all data or nothing, the function |
4392 | + htx_add_data_atonce() must be used instead. Because it tries to insert all |
4393 | + the payload, this function returns the inserted block on success. |
4394 | + Otherwise it returns NULL. |
4395 | + |
4396 | +When an HTX block is added, it is always the last one (the tail). But, if you |
4397 | +need to add a block at a specific place, it is not really handy. 2 functions may |
4398 | +help you (others could be added) : |
4399 | + |
4400 | + - htx_add_last_data() adds a DATA block just after all other DATA blocks and |
4401 | + before any trailers and EOT or EOM markers. It relies on |
4402 | + htx_add_data_atonce(), so a defragmentation may be performed. |
4403 | + |
4404 | + - htx_move_blk_before() moves a specific block just after another one. Both |
4405 | + blocks must already be in the HTX message and the block to move must |
4406 | + always be placed after the "pivot". |
4407 | + |
4408 | +Once added, there are three functions to update the block's payload : |
4409 | + |
4410 | + - htx_replace_stline() updates a start-line. The HTX block must be passed as |
4411 | + argument. Only string parts of the start-line are updated by this |
4412 | + function. On success, it returns the new start-line. So it is pretty easy |
4413 | + to update its flags. NULL is returned if an error occurred. |
4414 | + |
4415 | + - htx_replace_header() fully replaces a header (its name and its value) by a |
4416 | + new one. The HTX block must be passed a argument, as well as its new name |
4417 | + and its new value. The new header can be smaller or larger than the old |
4418 | + one. This function returns the new HTX block on success, or NULL is an |
4419 | + error occurred. |
4420 | + |
4421 | + - htx_replace_blk_value() replaces a part of a block's payload or its |
4422 | + totality. It works for HEADERS, TRAILERS or DATA blocks. The HTX block |
4423 | + must be provided with the part to remove and the new one. The new part can |
4424 | + be smaller or larger than the old one. This function returns the new HTX |
4425 | + block on success, or NULL is an error occurred. |
4426 | + |
4427 | +Finally, You may remove a block using the function htx_remove_blk(). This |
4428 | +function returns the block following the one removed or NULL if it is the tail |
4429 | +block. |
4430 | + |
4431 | + |
4432 | +4.4. The HTX start-line |
4433 | + |
4434 | +Unlike other HTX blocks, the start-line is a bit special because its payload is |
4435 | +a structure followed by its three parts : |
4436 | + |
4437 | + +--------+-------+-------+-------+ |
4438 | + | HTX_SL | PART1 | PART2 | PART3 | |
4439 | + +--------+-------+-------+-------+ |
4440 | + |
4441 | +Some macros and functions may help to manipulate these parts : |
4442 | + |
4443 | + - HTX_SL_P{N}_LEN() and HTX_SL_P{N}_PTR() are macros to get the length of a |
4444 | + part and a pointer on it. {N} should be 1, 2 or 3. |
4445 | + |
4446 | + - HTX_SL_REQ_MLEN(), HTX_SL_REQ_ULEN(), HTX_SL_REQ_VLEN(), |
4447 | + HTX_SL_REQ_MPTR(), HTX_SL_REQ_UPTR() and HTX_SL_REQ_VPTR() are macros to |
4448 | + get info about a request start-line. These macros only wrap HTX_SL_P* |
4449 | + ones. |
4450 | + |
4451 | + - HTX_SL_RES_VLEN(), HTX_SL_RES_CLEN(), HTX_SL_RES_RLEN(), |
4452 | + HTX_SL_RES_VPTR(), HTX_SL_RES_CPTR() and HTX_SL_RES_RPTR() are macros to |
4453 | + get info about a response start-line. These macros only wrap HTX_SL_P* |
4454 | + ones. |
4455 | + |
4456 | + - htx_sl_p1(), htx_sl_p2() and htx_sl_p2() are functions to get the ist |
4457 | + corresponding to the right part of a start-line. |
4458 | + |
4459 | + - htx_sl_req_meth(), htx_sl_req_uri() and htx_sl_req_vsn() get the ist |
4460 | + corresponding to the right part of a request start-line. |
4461 | + |
4462 | + - htx_sl_res_vsn(), htx_sl_res_code() and htx_sl_res_reason() get the ist |
4463 | + corresponding to the right part of a response start-line. |
4464 | + |
4465 | + |
4466 | +4.5. Iterate on the HTX message |
4467 | + |
4468 | +To iterate on an HTX message, the first thing to do is to get the HTX block to |
4469 | +start the loop. There are three special blocks in an HTX message that may be |
4470 | +good candidates to start a loop : |
4471 | + |
4472 | + * the head block. It is the oldest inserted block. Multiplexers always start |
4473 | + to consume an HTX message from this block. The function htx_get_head() |
4474 | + returns its position and htx_get_head_blk() returns the blocks itself. In |
4475 | + addition, the function htx_get_head_type() returns its block's type. |
4476 | + |
4477 | + * the tail block. It is the newest inserted block. The function htx_get_tail() |
4478 | + returns its position and htx_get_tail_blk() returns the blocks itself. In |
4479 | + addition, the function htx_get_tail_type() returns its block's type. |
4480 | + |
4481 | + * the first block. It is the block where to (re)start the analyse. It is used |
4482 | + as start point by HTX analyzers. The function htx_get_first() returns its |
4483 | + position and htx_get_first_blk() returns the blocks itself. In addition, the |
4484 | + function htx_get_first_type() returns its block's type. |
4485 | + |
4486 | +For all these functions, if the HTX message is empty, -1 is returned for the |
4487 | +block's position, NULL instead of a block and HTX_BLK_UNUSED for its type. |
4488 | + |
4489 | +Then to iterate on blocks, you may move foreword or backward : |
4490 | + |
4491 | + * htx_get_prev() and htx_get_next() return, respectively, the position of the |
4492 | + previous block or the next block, given a specific position. Or -1 if an edge |
4493 | + is reached. |
4494 | + |
4495 | + * htx_get_prev_blk() and htx_get_next_blk() return, respectively, the previous |
4496 | + block or the next one, given a specific block. Or NULL if an edge is |
4497 | + reached. |
4498 | + |
4499 | + |
4500 | +4.6. Advanced functions |
4501 | + |
4502 | +Some more advanced functions may be used to do complex processing on the HTX |
4503 | +message. These functions are used by HTX analyzers or by multiplexers. |
4504 | + |
4505 | + * htx_truncate() removes all blocks after the one containing a specific offset |
4506 | + relatively to the head block of the HTX message. If the offset is inside a |
4507 | + DATA block, it is truncated. For all other blocks, the removal starts to the |
4508 | + next block. |
4509 | + |
4510 | + * htx_drain() tries to remove a specific amount of bytes of payload. If the |
4511 | + last block is a DATA block, it may be truncated if necessary. All other |
4512 | + block are removed at once or kept. This function returns a mixed value, with |
4513 | + the first block not removed, or NULL if everything was removed, and the |
4514 | + amount of data drained. |
4515 | + |
4516 | + * htx_xfer_blks() transfers HTX blocks from an HTX message to another, |
4517 | + stopping on the first block of a specified type or when a specific amount of |
4518 | + bytes, including meta-data, was moved. If the last block is a DATA block, it |
4519 | + may be partially moved. All other block are transferred at once or |
4520 | + kept. This function returns a mixed value, with the last block moved, or |
4521 | + NULL if nothing was moved, and the amount of data transferred. When HEADERS |
4522 | + or TRAILERS blocks must be transferred, this function transfers all of |
4523 | + them. Otherwise, if it is not possible, it triggers an error. It is the |
4524 | + caller responsibility to transfer all headers or trailers at once. |
4525 | diff --git a/doc/lua-api/index.rst b/doc/lua-api/index.rst |
4526 | index 7085dc8..6d1b653 100644 |
4527 | --- a/doc/lua-api/index.rst |
4528 | +++ b/doc/lua-api/index.rst |
4529 | @@ -55,9 +55,10 @@ functions. Lua have 6 execution context. |
4530 | function `core.register_fetches()`. Each declared sample-fetch is prefixed by |
4531 | the string "lua.". |
4532 | |
4533 | - **NOTE**: It is possible that this function cannot found the required data |
4534 | - in the original HAProxy sample-fetches, in this case, it cannot return the |
4535 | - result. This case is not yet supported |
4536 | + .. note:: |
4537 | + It is possible that this function cannot found the required data in the |
4538 | + original HAProxy sample-fetches, in this case, it cannot return the |
4539 | + result. This case is not yet supported |
4540 | |
4541 | 6. The **converter context**. It is a Lua function that takes a string as input |
4542 | and returns another string as output. These types of function are stateless, |
4543 | @@ -173,8 +174,9 @@ Core class |
4544 | proxy give an access to his list of listeners and servers. The table is |
4545 | indexed by proxy name, and each entry is of type :ref:`proxy_class`. |
4546 | |
4547 | - Warning, if you are declared frontend and backend with the same name, only one |
4548 | - of these are listed. |
4549 | + .. Warning:: |
4550 | + if you are declared frontend and backend with the same name, only one of |
4551 | + these are listed. |
4552 | |
4553 | :see: :js:attr:`core.backends` |
4554 | :see: :js:attr:`core.frontends` |
4555 | @@ -437,8 +439,9 @@ Core class |
4556 | configuration file. The table is indexed by the proxy name, and each entry |
4557 | of the proxies table is an object of type :ref:`proxy_class`. |
4558 | |
4559 | - Warning, if you have declared a frontend and backend with the same name, only |
4560 | - one of these are listed. |
4561 | + .. warning:: |
4562 | + if you have declared a frontend and backend with the same name, only one of |
4563 | + these are listed. |
4564 | |
4565 | .. js:function:: core.register_action(name, actions, func [, nb_args]) |
4566 | |
4567 | @@ -605,10 +608,11 @@ Core class |
4568 | :ref:`applethttp_class`. If the *mode* value is 'tcp', the applet will gets |
4569 | a :ref:`applettcp_class`. |
4570 | |
4571 | - **warning**: Applets of type 'http' cannot be called from 'tcp-*' |
4572 | - rulesets. Only the 'http-*' rulesets are authorized, this means |
4573 | - that is not possible to call an HTTP applet from a proxy in tcp |
4574 | - mode. Applets of type 'tcp' can be called from anywhere. |
4575 | + .. warning:: |
4576 | + Applets of type 'http' cannot be called from 'tcp-*' rulesets. Only the |
4577 | + 'http-*' rulesets are authorized, this means that is not possible to call |
4578 | + an HTTP applet from a proxy in tcp mode. Applets of type 'tcp' can be |
4579 | + called from anywhere. |
4580 | |
4581 | Here, an example of service registration. The service just send an 'Hello world' |
4582 | as an http response. |
4583 | @@ -1199,8 +1203,9 @@ Fetches class |
4584 | HAProxy "configuration.txt" documentation for more information about her |
4585 | usage. They are the chapters 7.3.2 to 7.3.6. |
4586 | |
4587 | - **warning** some sample fetches are not available in some context. These |
4588 | - limitations are specified in this documentation when they're useful. |
4589 | + .. warning:: |
4590 | + some sample fetches are not available in some context. These limitations |
4591 | + are specified in this documentation when they're useful. |
4592 | |
4593 | :see: :js:attr:`TXN.f` |
4594 | :see: :js:attr:`TXN.sf` |
4595 | @@ -1271,6 +1276,10 @@ Channel class |
4596 | **Warning**: It is not possible to read from the response in request action, |
4597 | and it is not possible to read for the request channel in response action. |
4598 | |
4599 | + **Warning**: It is forbidden to alter the Channels buffer from HTTP contexts. |
4600 | + So only :js:func:`Channel.get_in_length`, :js:func:`Channel.get_out_length` |
4601 | + and :js:func:`Channel.is_full` can be called from an HTTP conetext. |
4602 | + |
4603 | .. image:: _static/channel.png |
4604 | |
4605 | .. js:function:: Channel.dup(channel) |
4606 | @@ -1739,10 +1748,11 @@ TXN class |
4607 | session. It can be used when a critical error is detected or to terminate |
4608 | processing after some data have been returned to the client (eg: a redirect). |
4609 | |
4610 | - *Warning*: It not make sense to call this function from sample-fetches. In |
4611 | - this case the behaviour of this one is the same than core.done(): it quit |
4612 | - the Lua execution. The transaction is really aborted only from an action |
4613 | - registered function. |
4614 | + .. warning:: |
4615 | + It not make sense to call this function from sample-fetches. In this case |
4616 | + the behaviour of this one is the same than core.done(): it quit the Lua |
4617 | + execution. The transaction is really aborted only from an action registered |
4618 | + function. |
4619 | |
4620 | :param class_txn txn: The class txn object containing the data. |
4621 | |
4622 | diff --git a/doc/lua.txt b/doc/lua.txt |
4623 | index a0a1d61..a86979d 100644 |
4624 | --- a/doc/lua.txt |
4625 | +++ b/doc/lua.txt |
4626 | @@ -83,9 +83,9 @@ Prerequisite |
4627 | Reading the following documentation links is required to understand the |
4628 | current paragraph: |
4629 | |
4630 | - HAProxy doc: http://cbonte.github.io/haproxy-dconv/ |
4631 | + HAProxy doc: http://docs.haproxy.org/ |
4632 | Lua API: http://www.lua.org/manual/5.3/ |
4633 | - HAProxy API: http://www.arpalert.org/src/haproxy-lua-api/1.9dev/index.html |
4634 | + HAProxy API: http://www.arpalert.org/src/haproxy-lua-api/2.6/index.html |
4635 | Lua guide: http://www.lua.org/pil/ |
4636 | |
4637 | more about Lua choice |
4638 | diff --git a/doc/management.txt b/doc/management.txt |
4639 | index 2ba460d..337cc14 100644 |
4640 | --- a/doc/management.txt |
4641 | +++ b/doc/management.txt |
4642 | @@ -475,7 +475,7 @@ continues to process existing connections. If the binding still fails (because |
4643 | for example a port is shared with another daemon), then the new process sends a |
4644 | SIGTTIN signal to the old processes to instruct them to resume operations just |
4645 | as if nothing happened. The old processes will then restart listening to the |
4646 | -ports and continue to accept connections. Not that this mechanism is system |
4647 | +ports and continue to accept connections. Note that this mechanism is system |
4648 | dependent and some operating systems may not support it in multi-process mode. |
4649 | |
4650 | If the new process manages to bind correctly to all ports, then it sends either |
4651 | @@ -1111,7 +1111,7 @@ S (Servers). |
4652 | 93. ttime_max [..BS]: the maximum observed total session time in ms |
4653 | |
4654 | |
4655 | -9.2) Typed output format |
4656 | +9.2. Typed output format |
4657 | ------------------------ |
4658 | |
4659 | Both "show info" and "show stat" support a mode where each output value comes |
4660 | @@ -1507,7 +1507,7 @@ disable agent <backend>/<server> |
4661 | level "admin". |
4662 | |
4663 | disable dynamic-cookie backend <backend> |
4664 | - Disable the generation of dynamic cookies fot the backend <backend> |
4665 | + Disable the generation of dynamic cookies for the backend <backend> |
4666 | |
4667 | disable frontend <frontend> |
4668 | Mark the frontend as temporarily stopped. This corresponds to the mode which |
4669 | @@ -1859,7 +1859,7 @@ show activity |
4670 | of reports of abnormal behaviours. A typical example would be a properly |
4671 | running process never sleeping and eating 100% of the CPU. The output fields |
4672 | will be made of one line per metric, and per-thread counters on the same |
4673 | - line. These counters are 32-bit and will wrap during the process' life, which |
4674 | + line. These counters are 32-bit and will wrap during the process's life, which |
4675 | is not a problem since calls to this command will typically be performed |
4676 | twice. The fields are purposely not documented so that their exact meaning is |
4677 | verified in the code where the counters are fed. These values are also reset |
4678 | @@ -2166,6 +2166,25 @@ show profiling |
4679 | Dumps the current profiling settings, one per line, as well as the command |
4680 | needed to change them. |
4681 | |
4682 | +show resolvers [<resolvers section id>] |
4683 | + Dump statistics for the given resolvers section, or all resolvers sections |
4684 | + if no section is supplied. |
4685 | + |
4686 | + For each name server, the following counters are reported: |
4687 | + sent: number of DNS requests sent to this server |
4688 | + valid: number of DNS valid responses received from this server |
4689 | + update: number of DNS responses used to update the server's IP address |
4690 | + cname: number of CNAME responses |
4691 | + cname_error: CNAME errors encountered with this server |
4692 | + any_err: number of empty response (IE: server does not support ANY type) |
4693 | + nx: non existent domain response received from this server |
4694 | + timeout: how many time this server did not answer in time |
4695 | + refused: number of requests refused by this server |
4696 | + other: any other DNS errors |
4697 | + invalid: invalid DNS response (from a protocol point of view) |
4698 | + too_big: too big response |
4699 | + outdated: number of response arrived too late (after an other name server) |
4700 | + |
4701 | show servers state [<backend>] |
4702 | Dump the state of the servers found in the running configuration. A backend |
4703 | name or identifier may be provided to limit the output to this backend only. |
4704 | @@ -2266,7 +2285,11 @@ show servers state [<backend>] |
4705 | show sess |
4706 | Dump all known sessions. Avoid doing this on slow connections as this can |
4707 | be huge. This command is restricted and can only be issued on sockets |
4708 | - configured for levels "operator" or "admin". |
4709 | + configured for levels "operator" or "admin". Note that on machines with |
4710 | + quickly recycled connections, it is possible that this output reports less |
4711 | + entries than really exist because it will dump all existing sessions up to |
4712 | + the last one that was created before the command was entered; those which |
4713 | + die in the mean time will not appear. |
4714 | |
4715 | show sess <id> |
4716 | Display a lot of internal information about the specified session identifier. |
4717 | @@ -2435,25 +2458,6 @@ show stat [{<iid>|<proxy>} <type> <sid>] [typed|json] |
4718 | $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \ |
4719 | python -m json.tool |
4720 | |
4721 | -show resolvers [<resolvers section id>] |
4722 | - Dump statistics for the given resolvers section, or all resolvers sections |
4723 | - if no section is supplied. |
4724 | - |
4725 | - For each name server, the following counters are reported: |
4726 | - sent: number of DNS requests sent to this server |
4727 | - valid: number of DNS valid responses received from this server |
4728 | - update: number of DNS responses used to update the server's IP address |
4729 | - cname: number of CNAME responses |
4730 | - cname_error: CNAME errors encountered with this server |
4731 | - any_err: number of empty response (IE: server does not support ANY type) |
4732 | - nx: non existent domain response received from this server |
4733 | - timeout: how many time this server did not answer in time |
4734 | - refused: number of requests refused by this server |
4735 | - other: any other DNS errors |
4736 | - invalid: invalid DNS response (from a protocol point of view) |
4737 | - too_big: too big response |
4738 | - outdated: number of response arrived too late (after an other name server) |
4739 | - |
4740 | show table |
4741 | Dump general information on all known stick-tables. Their name is returned |
4742 | (the name of the proxy which holds them), their type (currently zero, always |
4743 | @@ -2570,6 +2574,17 @@ show schema json |
4744 | stat json" against the schema. |
4745 | |
4746 | |
4747 | +show version |
4748 | + Show the version of the current HAProxy process. This is available from |
4749 | + master and workers CLI. |
4750 | + Example: |
4751 | + |
4752 | + $ echo "show version" | socat /var/run/haproxy.sock stdio |
4753 | + 2.4.9 |
4754 | + |
4755 | + $ echo "show version" | socat /var/run/haproxy-master.sock stdio |
4756 | + 2.5.0 |
4757 | + |
4758 | shutdown frontend <frontend> |
4759 | Completely delete the specified frontend. All the ports it was bound to will |
4760 | be released. It will not be possible to enable the frontend anymore after |
4761 | diff --git a/doc/peers-v2.0.txt b/doc/peers-v2.0.txt |
4762 | index 477e7bb..b9f82f7 100644 |
4763 | --- a/doc/peers-v2.0.txt |
4764 | +++ b/doc/peers-v2.0.txt |
4765 | @@ -1,4 +1,4 @@ |
4766 | - Haproxy's peers v2.0 protocol 08/18/2016 |
4767 | + HAProxy's peers v2.0 protocol 08/18/2016 |
4768 | |
4769 | Author: Emeric Brun ebrun@haproxy.com |
4770 | |
4771 | @@ -36,7 +36,7 @@ Hello message is composed of 3 lines: |
4772 | <remotepeerid> |
4773 | <localpeerid> <processpid> <relativepid> |
4774 | |
4775 | -protocol: current value is "HaproxyS" |
4776 | +protocol: current value is "HAProxyS" |
4777 | version: current value is "2.0" |
4778 | remotepeerid: is the name of the target peer as defined in the configuration peers section. |
4779 | localpeerid: is the name of the local peer as defined on cmdline or using hostname. |
4780 | @@ -191,11 +191,11 @@ between the "Sender Table ID" to identify it directly in case of "Table Switch M |
4781 | |
4782 | Table Type present the numeric type of key used to store stick table entries: |
4783 | integer |
4784 | - 0: signed integer |
4785 | - 1: IPv4 address |
4786 | - 2: IPv6 address |
4787 | - 3: string |
4788 | - 4: binary |
4789 | + 2: signed integer |
4790 | + 4: IPv4 address |
4791 | + 5: IPv6 address |
4792 | + 6: string |
4793 | + 7: binary |
4794 | |
4795 | Table Keylen present the key length or max length in case of strings or binary (padded with 0). |
4796 | |
4797 | diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt |
4798 | index 52d7bc7..ff64c8b 100644 |
4799 | --- a/doc/proxy-protocol.txt |
4800 | +++ b/doc/proxy-protocol.txt |
4801 | @@ -1,4 +1,4 @@ |
4802 | -2017/03/10 Willy Tarreau |
4803 | +2020/03/05 Willy Tarreau |
4804 | HAProxy Technologies |
4805 | The PROXY protocol |
4806 | Versions 1 & 2 |
4807 | @@ -27,6 +27,7 @@ Revision history |
4808 | reserved TLV type ranges, added TLV documentation, clarified |
4809 | string encoding. With contributions from Andriy Palamarchuk |
4810 | (Amazon.com). |
4811 | + 2020/03/05 - added the unique ID TLV type (Tim Düsterhus) |
4812 | |
4813 | |
4814 | 1. Background |
4815 | @@ -538,6 +539,7 @@ The following types have already been registered for the <type> field : |
4816 | #define PP2_TYPE_AUTHORITY 0x02 |
4817 | #define PP2_TYPE_CRC32C 0x03 |
4818 | #define PP2_TYPE_NOOP 0x04 |
4819 | + #define PP2_TYPE_UNIQUE_ID 0x05 |
4820 | #define PP2_TYPE_SSL 0x20 |
4821 | #define PP2_SUBTYPE_SSL_VERSION 0x21 |
4822 | #define PP2_SUBTYPE_SSL_CN 0x22 |
4823 | @@ -602,7 +604,17 @@ bytes. Can be used for data padding or alignment. Note that it can be used |
4824 | to align only by 3 or more bytes because a TLV can not be smaller than that. |
4825 | |
4826 | |
4827 | -2.2.5. The PP2_TYPE_SSL type and subtypes |
4828 | +2.2.5. PP2_TYPE_UNIQUE_ID |
4829 | + |
4830 | +The value of the type PP2_TYPE_UNIQUE_ID is an opaque byte sequence of up to |
4831 | +128 bytes generated by the upstream proxy that uniquely identifies the |
4832 | +connection. |
4833 | + |
4834 | +The unique ID can be used to easily correlate connections across multiple |
4835 | +layers of proxies, without needing to look up IP addresses and port numbers. |
4836 | + |
4837 | + |
4838 | +2.2.6. The PP2_TYPE_SSL type and subtypes |
4839 | |
4840 | For the type PP2_TYPE_SSL, the value is itself a defined like this : |
4841 | |
4842 | @@ -654,13 +666,13 @@ In all cases, the string representation (in UTF8) of the Common Name field |
4843 | using the TLV format and the type PP2_SUBTYPE_SSL_CN. E.g. "example.com". |
4844 | |
4845 | |
4846 | -2.2.6. The PP2_TYPE_NETNS type |
4847 | +2.2.7. The PP2_TYPE_NETNS type |
4848 | |
4849 | The type PP2_TYPE_NETNS defines the value as the US-ASCII string representation |
4850 | of the namespace's name. |
4851 | |
4852 | |
4853 | -2.2.7. Reserved type ranges |
4854 | +2.2.8. Reserved type ranges |
4855 | |
4856 | The following range of 16 type values is reserved for application-specific |
4857 | data and will be never used by the PROXY Protocol. If you need more values |
4858 | diff --git a/doc/regression-testing.txt b/doc/regression-testing.txt |
4859 | index 320c51c..1b6c21d 100644 |
4860 | --- a/doc/regression-testing.txt |
4861 | +++ b/doc/regression-testing.txt |
4862 | @@ -131,7 +131,7 @@ instance. |
4863 | # BUG/MINOR: spoe: Initialize variables used during conf parsing before any check |
4864 | |
4865 | # Some initializations must be done at the beginning of parse_spoe_flt to avoid |
4866 | - # segmentaion fault when first errors are caught, when the "filter spoe" line is |
4867 | + # segmentation fault when first errors are caught, when the "filter spoe" line is |
4868 | # parsed. |
4869 | |
4870 | haproxy h1 -conf-BAD {} { |
4871 | diff --git a/ebtree/eb32sctree.h b/ebtree/eb32sctree.h |
4872 | index 51a2664..0ab057b 100644 |
4873 | --- a/ebtree/eb32sctree.h |
4874 | +++ b/ebtree/eb32sctree.h |
4875 | @@ -38,13 +38,18 @@ typedef signed int s32; |
4876 | * have put some sort of transparent union here to reduce the indirection |
4877 | * level, but the fact is, the end user is not meant to manipulate internals, |
4878 | * so this is pointless. |
4879 | + * In case sizeof(void*)>=sizeof(long), we know there will be some padding after |
4880 | + * the leaf if it's unaligned. In this case we force the alignment on void* so |
4881 | + * that we prefer to have the padding before for more efficient accesses. |
4882 | */ |
4883 | struct eb32sc_node { |
4884 | struct eb_node node; /* the tree node, must be at the beginning */ |
4885 | + MAYBE_ALIGN(sizeof(u32)); |
4886 | u32 key; |
4887 | + ALWAYS_ALIGN(sizeof(void*)); |
4888 | unsigned long node_s; /* visibility of this node's branches */ |
4889 | unsigned long leaf_s; /* visibility of this node's leaf */ |
4890 | -}; |
4891 | +} ALIGNED(sizeof(void*)); |
4892 | |
4893 | /* |
4894 | * Exported functions and macros. |
4895 | diff --git a/ebtree/eb32tree.h b/ebtree/eb32tree.h |
4896 | index 08ff900..b10a5ed 100644 |
4897 | --- a/ebtree/eb32tree.h |
4898 | +++ b/ebtree/eb32tree.h |
4899 | @@ -41,8 +41,9 @@ typedef signed int s32; |
4900 | */ |
4901 | struct eb32_node { |
4902 | struct eb_node node; /* the tree node, must be at the beginning */ |
4903 | + MAYBE_ALIGN(sizeof(u32)); |
4904 | u32 key; |
4905 | -}; |
4906 | +} ALIGNED(sizeof(void*)); |
4907 | |
4908 | /* |
4909 | * Exported functions and macros. |
4910 | diff --git a/ebtree/eb64tree.h b/ebtree/eb64tree.h |
4911 | index 6d0d039..5fcf137 100644 |
4912 | --- a/ebtree/eb64tree.h |
4913 | +++ b/ebtree/eb64tree.h |
4914 | @@ -38,11 +38,16 @@ typedef signed long long s64; |
4915 | * eb_node so that it can be cast into an eb_node. We could also have put some |
4916 | * sort of transparent union here to reduce the indirection level, but the fact |
4917 | * is, the end user is not meant to manipulate internals, so this is pointless. |
4918 | + * In case sizeof(void*)>=sizeof(u64), we know there will be some padding after |
4919 | + * the key if it's unaligned. In this case we force the alignment on void* so |
4920 | + * that we prefer to have the padding before for more efficient accesses. |
4921 | */ |
4922 | struct eb64_node { |
4923 | struct eb_node node; /* the tree node, must be at the beginning */ |
4924 | + MAYBE_ALIGN(sizeof(u64)); |
4925 | + ALWAYS_ALIGN(sizeof(void*)); |
4926 | u64 key; |
4927 | -}; |
4928 | +} ALIGNED(sizeof(void*)); |
4929 | |
4930 | /* |
4931 | * Exported functions and macros. |
4932 | @@ -370,17 +375,21 @@ __eb64_insert(struct eb_root *root, struct eb64_node *new) { |
4933 | |
4934 | /* walk down */ |
4935 | root = &old->node.branches; |
4936 | -#if BITS_PER_LONG >= 64 |
4937 | - side = (newkey >> old_node_bit) & EB_NODE_BRANCH_MASK; |
4938 | -#else |
4939 | - side = newkey; |
4940 | - side >>= old_node_bit; |
4941 | - if (old_node_bit >= 32) { |
4942 | - side = newkey >> 32; |
4943 | - side >>= old_node_bit & 0x1F; |
4944 | + |
4945 | + if (sizeof(long) >= 8) { |
4946 | + side = newkey >> old_node_bit; |
4947 | + } else { |
4948 | + /* note: provides the best code on low-register count archs |
4949 | + * such as i386. |
4950 | + */ |
4951 | + side = newkey; |
4952 | + side >>= old_node_bit; |
4953 | + if (old_node_bit >= 32) { |
4954 | + side = newkey >> 32; |
4955 | + side >>= old_node_bit & 0x1F; |
4956 | + } |
4957 | } |
4958 | side &= EB_NODE_BRANCH_MASK; |
4959 | -#endif |
4960 | troot = root->b[side]; |
4961 | } |
4962 | |
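Review bot: The 32-bit branch still executes `side >>= old_node_bit;` before it tests `old_node_bit >= 32`, so if `side` is a 32-bit type (its declaration is outside the hunk, but the `side = newkey; ... side = newkey >> 32;` split strongly suggests it is) that statement is a shift by at least the operand's width, which is undefined behaviour under C11 6.5.7 even though the value is overwritten on the next line. The removed `#if BITS_PER_LONG` version had the same ordering, but now that this is a runtime `if` that is compiled on every target it is worth closing while the lines are being touched. A form that never over-shifts and keeps the low-register-count intent of the comment is `if (old_node_bit >= 32) side = (newkey >> 32) >> (old_node_bit & 0x1F); else side = newkey >> old_node_bit;` in place of the four-line sequence. __eb64_insert begins and ends outside the hunk.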
4963 | @@ -548,17 +557,21 @@ __eb64i_insert(struct eb_root *root, struct eb64_node *new) { |
4964 | |
4965 | /* walk down */ |
4966 | root = &old->node.branches; |
4967 | -#if BITS_PER_LONG >= 64 |
4968 | - side = (newkey >> old_node_bit) & EB_NODE_BRANCH_MASK; |
4969 | -#else |
4970 | - side = newkey; |
4971 | - side >>= old_node_bit; |
4972 | - if (old_node_bit >= 32) { |
4973 | - side = newkey >> 32; |
4974 | - side >>= old_node_bit & 0x1F; |
4975 | + |
4976 | + if (sizeof(long) >= 8) { |
4977 | + side = newkey >> old_node_bit; |
4978 | + } else { |
4979 | + /* note: provides the best code on low-register count archs |
4980 | + * such as i386. |
4981 | + */ |
4982 | + side = newkey; |
4983 | + side >>= old_node_bit; |
4984 | + if (old_node_bit >= 32) { |
4985 | + side = newkey >> 32; |
4986 | + side >>= old_node_bit & 0x1F; |
4987 | + } |
4988 | } |
4989 | side &= EB_NODE_BRANCH_MASK; |
4990 | -#endif |
4991 | troot = root->b[side]; |
4992 | } |
4993 | |
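Review bot: The same pre-check over-shift appears here in __eb64i_insert: `side >>= old_node_bit;` runs before `if (old_node_bit >= 32)`, which is a shift by at least the width of a 32-bit `side` (declared outside the hunk) and therefore undefined behaviour, even though the result is immediately replaced. Restructuring it as `if (old_node_bit >= 32) side = (newkey >> 32) >> (old_node_bit & 0x1F); else side = newkey >> old_node_bit;` avoids the problem without changing the computed branch index. __eb64i_insert begins and ends outside the hunk.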
4994 | diff --git a/ebtree/ebimtree.h b/ebtree/ebimtree.h |
4995 | index 4a98c96..28a9f14 100644 |
4996 | --- a/ebtree/ebimtree.h |
4997 | +++ b/ebtree/ebimtree.h |
4998 | @@ -62,7 +62,7 @@ __ebim_lookup(struct eb_root *root, const void *x, unsigned int len) |
4999 | if (eb_gettag(troot) == EB_LEAF) { |
5000 | node = container_of(eb_untag(troot, EB_LEAF), |