haproxy: fixes from upstream

- [PATCH 05/13] BUG/MINOR: http/sample: gmtime/localtime can fail - [PATCH 06/13] DOC: typo in 'redirect', 302 code meaning - [PATCH 07/13] DOC: mention that %ms is left-padded with zeroes. - [PATCH 08/13] CLEANUP: .gitignore: ignore more test files - [PATCH 09/13] CLEANUP: .gitignore: finally ignore everything but what - [PATCH 10/13] MEDIUM: config: emit a warning on a frontend without - [PATCH 11/13] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 - [PATCH 12/13] DOC: ssl: missing LF - [PATCH 13/13] DOC: fix example of http-request using Signed-off-by: heil <heil@terminal-consulting.de>
2015-09-07 00:00:45 +02:00 · 2015-09-07 00:00:45 +02:00 · e51b71ad78
commit e51b71ad78
parent cad6bb8ee0
10 changed files with 378 additions and 1 deletions
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=haproxy
 PKG_VERSION:=1.5.14
-PKG_RELEASE:=04
+PKG_RELEASE:=13
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
--- a/net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
+++ b/net/haproxy/patches/0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch
@ -0,0 +1,33 @@
+From 955587271031d66e9b7a768e3bb18dae00b60cc6 Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER <tfournier@arpalert.org>
+Date: Wed, 8 Jul 2015 00:15:20 +0200
+Subject: [PATCH 05/13] BUG/MINOR: http/sample: gmtime/localtime can fail
+
+The man said that gmtime() and localtime() can return a NULL value.
+This is not tested. It appears that all the values of a 32 bit integer
+are valid, but it is better to check the return of these functions.
+
+However, if the integer move from 32 bits to 64 bits, some 64 values
+can be unsupported.
+(cherry picked from commit fac9ccfb705702f211f99e67d5f5d5129002086a)
+[wt: we only have sample_conv_date() in 1.5]
+---
+ src/proto_http.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 5db64b5..02dc42b 100644
+--- a/src/proto_http.c
+++ b/src/proto_http.c
+@@ -11249,6 +11249,8 @@ static int sample_conv_http_date(const struct arg *args, struct sample *smp)
+ 		curr_date += args[0].data.sint;
+ 
+ 	tm = gmtime(&curr_date);
+	if (!tm)
+		return 0;
+ 
+ 	temp = get_trash_chunk();
+ 	temp->len = snprintf(temp->str, temp->size - temp->len,
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch
+++ b/net/haproxy/patches/0006-DOC-typo-in-redirect-302-code-meaning.patch
@ -0,0 +1,27 @@
+From 6c7351bdd0778bc171a2b54faed058eadc8c9d0d Mon Sep 17 00:00:00 2001
+From: Baptiste Assmann <bedis9@gmail.com>
+Date: Mon, 3 Aug 2015 11:42:50 +0200
+Subject: [PATCH 06/13] DOC: typo in 'redirect', 302 code meaning
+
+302 means a temprary move, not a permanent one
+(cherry picked from commit ea849c0cca63b1b56c9c36f9c3504caa5e826816)
+---
+ doc/configuration.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index 64697a4..e8d8b2a 100644
+--- a/doc/configuration.txt
+++ b/doc/configuration.txt
+@@ -5443,7 +5443,7 @@ redirect scheme   <sch> [code <code>] <option> [{if | unless} <condition>]
+               is desired. Only codes 301, 302, 303, 307 and 308 are supported,
+               with 302 used by default if no code is specified. 301 means
+               "Moved permanently", and a browser may cache the Location. 302
+-              means "Moved permanently" and means that the browser should not
+              means "Moved temporarily" and means that the browser should not
+               cache the redirection. 303 is equivalent to 302 except that the
+               browser will fetch the location with a GET method. 307 is just
+               like 302 but makes it clear that the same method must be reused.
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
+++ b/net/haproxy/patches/0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch
@ -0,0 +1,27 @@
+From c3453d53f2862b22d8c8e7d2399dfc38ec966aa4 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 9 Aug 2015 10:56:35 +0200
+Subject: [PATCH 07/13] DOC: mention that %ms is left-padded with zeroes.
+
+That's important to emit logs.
+(cherry picked from commit 812c88ec126e8fc4fc0f7853f265594d03c63956)
+---
+ doc/configuration.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index e8d8b2a..1d95b5b 100644
+--- a/doc/configuration.txt
+++ b/doc/configuration.txt
+@@ -12381,7 +12381,7 @@ Please refer to the table below for currently defined variables :
+   |   | %hrl | captured_request_headers CLF style            | string list |
+   |   | %hs  | captured_response_headers default style       | string      |
+   |   | %hsl | captured_response_headers CLF style           | string list |
+-  |   | %ms  | accept date milliseconds                      | numeric     |
+  |   | %ms  | accept date milliseconds (left-padded with 0) | numeric     |
+   |   | %pid | PID                                           | numeric     |
+   | H | %r   | http_request                                  | string      |
+   |   | %rc  | retries                                       | numeric     |
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch
+++ b/net/haproxy/patches/0008-CLEANUP-.gitignore-ignore-more-test-files.patch
@ -0,0 +1,50 @@
+From 1104336c0ba5f474fce8fe7c0125511b59f4dd3d Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 11 Aug 2015 11:20:45 +0200
+Subject: [PATCH 08/13] CLEANUP: .gitignore: ignore more test files
+
+Exclude from "git status" many of the files that often result from
+development tests and bug reports reproducers.
+(cherry picked from commit de365a320ead43168e78facfa337130759783515)
+---
+ .gitignore | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index 762f5ad..f6ccd0e 100644
+--- a/.gitignore
+++ b/.gitignore
+@@ -18,3 +18,30 @@ make-*
+ dlmalloc.c
+ 00*.patch
+ *.service
+*.bak
+contrib/base64/base64rev
+contrib/halog/halog
+contrib/ip6range/ip6range
+contrib/iprange/iprange
+tests/test_hashes
+/*.cfg
+/*.conf
+/*.diff
+/*.patch
+/*.c
+/*.o
+/*.so
+/*.txt
+/*.TXT
+/*.txt.*
+/*.prof
+/*.gprof
+/*.prof.*
+/*.gprof.*
+/*.tar
+/*.tar.gz
+/*.tgz
+/*.mbox
+/*.sh
+/bug*
+/TAGS
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
+++ b/net/haproxy/patches/0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch
@ -0,0 +1,44 @@
+From 5e077624951a65e6aae381c7213fc54984768dd4 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 11 Aug 2015 11:21:47 +0200
+Subject: [PATCH 09/13] CLEANUP: .gitignore: finally ignore everything but what
+ is known.
+
+Still too many files remain, it's easier to block everything but
+what we know.
+(cherry picked from commit d71f1766bdbb041f80394662b0d293f033f93005)
+---
+ .gitignore | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index f6ccd0e..1953ba3 100644
+--- a/.gitignore
+++ b/.gitignore
+@@ -45,3 +45,23 @@ tests/test_hashes
+ /*.sh
+ /bug*
+ /TAGS
+# Below we forbid everything and only allow what we know, that's much easier
+# than blocking about 500 different test files and bug report outputs.
+/.*
+/*
+!/.gitignore
+!/CHANGELOG
+!/LICENSE
+!/Makefile
+!/README
+!/ROADMAP
+!/SUBVERS
+!/VERDATE
+!/VERSION
+!/contrib
+!/doc
+!/ebtree
+!/examples
+!/include
+!/src
+!/tests
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
+++ b/net/haproxy/patches/0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch
@ -0,0 +1,46 @@
+From c7c1e55f09839727ba7defd37347fc500dabb202 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 11 Aug 2015 11:36:45 +0200
+Subject: [PATCH 10/13] MEDIUM: config: emit a warning on a frontend without
+ listener
+
+Commit c6678e2 ("MEDIUM: config: authorize frontend and listen without bind")
+completely removed the test for bind lines in frontends in order to make it
+easier for automated tools to generate configs (eg: replacing a bind with
+another one passing via a temporary config without any bind line). The
+problem is that some common mistakes are totally hidden now. For example,
+this apparently valid entry is silently ignored :
+
+       listen 1.2.3.4:8000
+           server s1 127.0.0.1:8000
+
+Hint: 1.2.3.4:8000 is mistakenly the proxy name here.
+
+Thus instead we now emit a warning to indicate that a frontend was found
+with no listener. This should be backported to 1.5 to help spot abnormal
+configurations.
+(cherry picked from commit f82d1ca2d7ec83804d6b54e61a35747ad2f85188)
+---
+ src/cfgparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index 2a5f178..d67edc5 100644
+--- a/src/cfgparse.c
+++ b/src/cfgparse.c
+@@ -6193,6 +6193,12 @@ int check_config_validity()
+ 			break;
+ 		}
+ 
+		if ((curproxy->cap & PR_CAP_FE) && LIST_ISEMPTY(&curproxy->conf.listeners)) {
+			Warning("config : %s '%s' has no 'bind' directive. Please declare it as a backend if this was intended.\n",
+			        proxy_type_str(curproxy), curproxy->id);
+			err_code |= ERR_WARN;
+		}
+
+ 		if ((curproxy->cap & PR_CAP_BE) && (curproxy->mode != PR_MODE_HEALTH)) {
+ 			if (curproxy->lbprm.algo & BE_LB_KIND) {
+ 				if (curproxy->options & PR_O_TRANSP) {
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
+++ b/net/haproxy/patches/0011-BUG-MEDIUM-counters-ensure-that-src_-inc-clr-_gpc0-c.patch
@ -0,0 +1,93 @@
+From ee12145d38a7dee81a20cf232c724ccb7a46ad8b Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 18 Aug 2015 17:15:20 +0200
+Subject: [PATCH 11/13] BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0
+ creates a missing entry
+
+During 1.5-dev20 there was some code refactoring to make the src_* fetch
+function use the same code as sc_*. Unfortunately this introduced a
+regression where src_* doesn't create an entry anymore if it does not
+exist in the table. The reason is that smp_fetch_sc_stkctr() only calls
+stktable_lookup_key() while src_inc_*/src_clr_* used to make use of
+stktable_update_key() which additionally create the entry if it does
+not exist.
+
+There's no point modifying the common function for these two exceptions,
+so instead we now have a function dedicated to the creation of this entry
+for src_* only. It is called when the entry didn't exist, so that requires
+minimal modifications to existing code.
+
+Thanks to Thierry Fournier for helping diagnose the issue.
+
+This fix must be backported to 1.5.
+(cherry picked from commit 0f4eadd4830279f5ee83aa545728fb750f5c8185)
+
+[Note: the backport to 1.5 significantly differs from the version in 1.6
+ since we need to use the table's type and to retrieve the source address
+ directly from the connection. At least it matches the way other src_*
+ fetch functions work, and it's been verified to work fine]
+---
+ src/session.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/src/session.c b/src/session.c
+index 5b9e407..6d62e36 100644
+--- a/src/session.c
+++ b/src/session.c
+@@ -2806,6 +2806,33 @@ smp_fetch_sc_stkctr(struct session *l4, const struct arg *args, const char *kw)
+ 	return &l4->stkctr[num];
+ }
+ 
+/* same as smp_fetch_sc_stkctr() but dedicated to src_* and can create
+ * the entry if it doesn't exist yet. This is needed for a few fetch
+ * functions which need to create an entry, such as src_inc_gpc* and
+ * src_clr_gpc*.
+ */
+struct stkctr *
+smp_create_src_stkctr(struct session *sess, const struct arg *args, const char *kw)
+{
+	static struct stkctr stkctr;
+	struct stktable_key *key;
+	struct connection *conn = objt_conn(sess->si[0].end);
+
+	if (strncmp(kw, "src_", 4) != 0)
+		return NULL;
+
+	if (!conn)
+		return NULL;
+
+	key = addr_to_stktable_key(&conn->addr.from, args->data.prx->table.type);
+	if (!key)
+		return NULL;
+
+	stkctr.table = &args->data.prx->table;
+	stkctr_set_entry(&stkctr, stktable_update_key(stkctr.table, key));
+	return &stkctr;
+}
+
+ /* set return a boolean indicating if the requested session counter is
+  * currently being tracked or not.
+  * Supports being called as "sc[0-9]_tracked" only.
+@@ -2887,6 +2914,9 @@ smp_fetch_sc_inc_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
+ 	if (!stkctr)
+ 		return 0;
+ 
+	if (stkctr_entry(stkctr) == NULL)
+		stkctr = smp_create_src_stkctr(l4, args, kw);
+
+ 	smp->flags = SMP_F_VOL_TEST;
+ 	smp->type = SMP_T_UINT;
+ 	smp->data.uint = 0;
+@@ -2924,6 +2954,9 @@ smp_fetch_sc_clr_gpc0(struct proxy *px, struct session *l4, void *l7, unsigned i
+ 	if (!stkctr)
+ 		return 0;
+ 
+	if (stkctr_entry(stkctr) == NULL)
+		stkctr = smp_create_src_stkctr(l4, args, kw);
+
+ 	smp->flags = SMP_F_VOL_TEST;
+ 	smp->type = SMP_T_UINT;
+ 	smp->data.uint = 0;
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0012-DOC-ssl-missing-LF.patch
+++ b/net/haproxy/patches/0012-DOC-ssl-missing-LF.patch
@ -0,0 +1,27 @@
+From 2272b4ffde38c836adfd9a9b43ff5c019ef4190a Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER <tfournier@arpalert.org>
+Date: Wed, 26 Aug 2015 08:21:26 +0200
+Subject: [PATCH 12/13] DOC: ssl: missing LF
+
+An error message miss LF
+(cherry picked from commit bc965348d7ccc0a306504232ab85dc240fd31fbf)
+---
+ src/ssl_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 2ae45ec..8f698c0 100644
+--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
+@@ -1760,7 +1760,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
+ #ifndef OPENSSL_NO_SSL3
+ 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+ #else
+-		Alert("SSLv3 support requested but unavailable.");
+		Alert("SSLv3 support requested but unavailable.\n");
+ 		cfgerr++;
+ #endif
+ 	}
+-- 
+2.4.6
+
--- a/net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
+++ b/net/haproxy/patches/0013-DOC-fix-example-of-http-request-using-ssl_fc_session.patch
@ -0,0 +1,30 @@
+From d3a93a932430bc1a4cd5d1350820c2bec706e26d Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 27 Aug 2015 17:15:05 +0200
+Subject: [PATCH 13/13] DOC: fix example of http-request using
+ ssl_fc_session_id
+
+It was missing the ",hex" resulting in raw binary data being dumped in
+the header or the logs. Now we know where these crazy logs originated
+from!
+(cherry picked from commit fca4261dacab51db960d30120f4bb4201f7e4a51)
+---
+ doc/configuration.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index 1d95b5b..67d273b 100644
+--- a/doc/configuration.txt
+++ b/doc/configuration.txt
+@@ -3135,7 +3135,7 @@ http-request { allow | deny | tarpit | auth [realm <realm>] | redirect <rule> |
+   Example:
+         http-request set-header X-Haproxy-Current-Date %T
+         http-request set-header X-SSL                  %[ssl_fc]
+-        http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id]
+        http-request set-header X-SSL-Session_ID       %[ssl_fc_session_id,hex]
+         http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
+         http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
+         http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
+-- 
+2.4.6
+