|
[-]
[+]
|
Changed |
_service
|
| @@ -3,5 +3,5 @@
- <param name="protocol">http</param><param name="host">haproxy.1wt.eu</param><param name="path">/download/1.5/src/haproxy-1.5.1.tar.gz</param></service>
+ <param name="protocol">http</param><param name="host">haproxy.1wt.eu</param><param name="path">/download/1.5/src/haproxy-1.5.3.tar.gz</param></service>
</services>
\ No newline at end of file
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/CHANGELOG
^
|
| @@ -1,6 +1,42 @@
ChangeLog :
===========
+2014/07/25 : 1.5.3
+ - DOC: fix typo in Unix Socket commands
+ - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
+ - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
+ - DOC: mention that Squid correctly responds 400 to PPv2 header
+ - BUG/MINOR: http: base32+src should use the big endian version of base32
+ - BUG/MEDIUM: connection: fix proxy v2 header again!
+
+2014/07/12 : 1.5.2
+ - BUG/MEDIUM: backend: Update hash to use unsigned int throughout
+ - BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
+ - DOC: expand the docs for the provided stats.
+ - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets upon failure.
+ - MINOR: stats: fix minor typo in HTML page
+ - BUG/MEDIUM: http: fetch "base" is not compatible with set-header
+ - BUG/MINOR: counters: do not untrack counters before logging
+ - BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process()
+ - MINOR: stick-table: make stktable_fetch_key() indicate why it failed
+ - BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents
+ - BUILD: remove TODO from the spec file and add README
+ - MINOR: log: make MAX_SYSLOG_LEN overridable at build time
+ - MEDIUM: log: support a user-configurable max log line length
+ - DOC: provide an example of how to use ssl_c_sha1
+ - BUILD: http: fix isdigit & isspace warnings on Solaris
+ - BUG/MINOR: listener: set the listener's fd to -1 after deletion
+ - BUG/MEDIUM: unix: failed abstract socket binding is retryable
+ - MEDIUM: listener: implement a per-protocol pause() function
+ - MEDIUM: listener: support rebinding during resume()
+ - BUG/MEDIUM: unix: completely unbind abstract sockets during a pause()
+ - DOC: explicitly mention the limits of abstract namespace sockets
+ - DOC: minor fix on {sc,src}_kbytes_{in,out}
+ - DOC: fix alphabetical sort of converters
+ - BUG/MAJOR: http: correctly rewind the request body after start of forwarding
+ - DOC: remove references to CPU=native in the README
+ - DOC: mention that "compression offload" is ignored in defaults section
+
2014/06/24 : 1.5.1
- BUG/MINOR: config: http-request replace-header arg typo
- BUG/MINOR: ssl: rejects OCSP response without nextupdate.
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/README
^
|
| @@ -1,9 +1,9 @@
----------------------
HAProxy how-to
----------------------
- version 1.5.1
+ version 1.5.3
willy tarreau
- 2014/06/24
+ 2014/07/25
1) How to build it
@@ -53,8 +53,9 @@
- i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon
- i586 for intel Pentium, AMD K6, VIA C3.
- ultrasparc : Sun UltraSparc I/II/III/IV processor
- - native : use the build machine's specific processor optimizations
- - generic : any other processor or no specific optimization. (default)
+ - native : use the build machine's specific processor optimizations. Use with
+ extreme care, and never in virtualized environments (known to break).
+ - generic : any other processor or no CPU-specific optimization. (default)
Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options
for your platform.
@@ -132,11 +133,11 @@
And on a classic Linux with SSL and ZLIB support (eg: Red Hat 5.x) :
- $ make TARGET=linux26 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
+ $ make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
And on a recent Linux >= 2.6.28 with SSL and ZLIB support :
- $ make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
+ $ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
In order to build a 32-bit binary on an x86_64 Linux system with SSL support
without support for compression but when OpenSSL requires ZLIB anyway :
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/VERDATE
^
|
| @@ -1,2 +1,2 @@
$Format:%ci$
-2014/06/24
+2014/07/25
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/VERSION
^
|
| @@ -1 +1 @@
-1.5.1
+1.5.3
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/doc/configuration.txt
^
|
| @@ -2,9 +2,9 @@
HAProxy
Configuration Manual
----------------------
- version 1.5.1
+ version 1.5.3
willy tarreau
- 2014/06/24
+ 2014/07/25
This document covers the configuration language as implemented in the version
@@ -559,7 +559,7 @@
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".
-log <address> <facility> [max level [min level]]
+log <address> [len <length>] <facility> [max level [min level]]
Adds a global syslog server. Up to two global servers can be defined. They
will receive logs for startups and exits, as well as all logs from proxies
configured with "log global".
@@ -584,6 +584,18 @@
optionally enclosing them with braces ('{}'), similarly to what is done
in Bourne shell.
+ <length> is an optional maximum line length. Log lines larger than this value
+ will be truncated before being sent. The reason is that syslog
+ servers act differently on log line length. All servers support the
+ default value of 1024, but some servers simply drop larger lines
+ while others do log them. If a server supports long lines, it may
+ make sense to set this value here in order to avoid truncating long
+ lines. Similarly, if a server drops long lines, it is preferable to
+ truncate them before sending them. Accepted values are 80 to 65535
+ inclusive. The default value of 1024 is generally fine for all
+ standard usages. Some specific cases of long captures or
+ JSON-formated logs may require larger values.
+
<facility> must be one of the 24 standard syslog facilities :
kern user mail daemon auth syslog lpr news
@@ -1779,7 +1791,13 @@
- 'ipv4@' -> address is always IPv4
- 'ipv6@' -> address is always IPv6
- 'unix@' -> address is a path to a local unix socket
- - 'abns@' -> address is in abstract namespace (Linux only)
+ - 'abns@' -> address is in abstract namespace (Linux only).
+ Note: since abstract sockets are not "rebindable", they
+ do not cope well with multi-process mode during
+ soft-restart, so it is better to avoid them if
+ nbproc is greater than 1. The effect is that if the
+ new process fails to start, only one of the old ones
+ will be able to rebind to the socket.
- 'fd@<n>' -> use file descriptor <n> inherited from the
parent. The fd must be bound and may or may not already
be listening.
@@ -2131,7 +2149,8 @@
invalid payloads. In this case, simply removing the header in the
configuration does not work because it applies before the header is parsed,
so that prevents haproxy from compressing. The "offload" setting should
- then be used for such scenarios.
+ then be used for such scenarios. Note: for now, the "offload" setting is
+ ignored when set in a defaults section.
Compression is disabled when:
* the request does not advertise a supported compression algorithm in the
@@ -3349,7 +3368,7 @@
log global
-log <address> <facility> [<level> [<minlevel>]]
+log <address> [len <length>] <facility> [<level> [<minlevel>]]
no log
Enable per-instance logging of events and traffic.
May be used in sections : defaults | frontend | listen | backend
@@ -3389,6 +3408,18 @@
sign ('$') and optionally enclosing them with braces ('{}'),
similarly to what is done in Bourne shell.
+ <length> is an optional maximum line length. Log lines larger than this
+ value will be truncated before being sent. The reason is that
+ syslog servers act differently on log line length. All servers
+ support the default value of 1024, but some servers simply drop
+ larger lines while others do log them. If a server supports long
+ lines, it may make sense to set this value here in order to avoid
+ truncating long lines. Similarly, if a server drops long lines,
+ it is preferable to truncate them before sending them. Accepted
+ values are 80 to 65535 inclusive. The default value of 1024 is
+ generally fine for all standard usages. Some specific cases of
+ long captures or JSON-formated logs may require larger values.
+
<facility> must be one of the 24 standard syslog facilities :
kern user mail daemon auth syslog lpr news
@@ -9857,28 +9888,12 @@
transfer binary content in a way that can be reliably transferred (eg:
an SSL ID can be copied in a header).
-lower
- Convert a string sample to lower case. This can only be placed after a string
- sample fetch function or after a transformation keyword returning a string
- type. The result is of type string.
-
-upper
- Convert a string sample to upper case. This can only be placed after a string
- sample fetch function or after a transformation keyword returning a string
- type. The result is of type string.
-
hex
Converts a binary input sample to an hex string containing two hex digits per
input byte. It is used to log or transfer hex dumps of some binary input data
in a way that can be reliably transferred (eg: an SSL ID can be copied in a
header).
-ipmask(<mask>)
- Apply a mask to an IPv4 address, and use the result for lookups and storage.
- This can be used to make all hosts within a certain mask to share the same
- table entries and as such use the same server. The mask can be passed in
- dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
-
http_date([<offset>])
Converts an integer supposed to contain a date since epoch to a string
representing this date in a format suitable for use in HTTP header fields. If
@@ -9887,6 +9902,12 @@
emit Date header fields, Expires values in responses when combined with a
positive offset, or Last-Modified values when the offset is negative.
+ipmask(<mask>)
+ Apply a mask to an IPv4 address, and use the result for lookups and storage.
+ This can be used to make all hosts within a certain mask to share the same
+ table entries and as such use the same server. The mask can be passed in
+ dotted form (eg: 255.255.255.0) or in CIDR form (eg: 24).
+
language(<value>[,<default>])
Returns the value with the highest q-factor from a list as extracted from the
"accept-language" header using "req.fhdr". Values with no q-factor have a
@@ -9914,6 +9935,11 @@
use_backend english if en
default_backend choose_your_language
+lower
+ Convert a string sample to lower case. This can only be placed after a string
+ sample fetch function or after a transformation keyword returning a string
+ type. The result is of type string.
+
map(<map_file>[,<default_value>])
map_<match_type>(<map_file>[,<default_value>])
map_<match_type>_<output_type>(<map_file>[,<default_value>])
@@ -9971,6 +9997,11 @@
| `---------------------------- key
`------------------------------------ leading spaces ignored
+upper
+ Convert a string sample to upper case. This can only be placed after a string
+ sample fetch function or after a transformation keyword returning a string
+ type. The result is of type string.
+
7.3.2. Fetching samples from internal states
--------------------------------------------
@@ -10356,19 +10387,17 @@
sc0_kbytes_in([<table>]) : integer
sc1_kbytes_in([<table>]) : integer
sc2_kbytes_in([<table>]) : integer
- Returns the amount of client-to-server data from the currently tracked
- counters, measured in kilobytes over the period configured in the table. The
- test is currently performed on 32-bit integers, which limits values to 4
- terabytes. See also src_kbytes_in.
+ Returns the total amount of client-to-server data from the currently tracked
+ counters, measured in kilobytes. The test is currently performed on 32-bit
+ integers, which limits values to 4 terabytes. See also src_kbytes_in.
sc_kbytes_out(<ctr>[,<table>]) : integer
sc0_kbytes_out([<table>]) : integer
sc1_kbytes_out([<table>]) : integer
sc2_kbytes_out([<table>]) : integer
- Returns the amount of server-to-client data from the currently tracked
- counters, measured in kilobytes over the period configured in the table. The
- test is currently performed on 32-bit integers, which limits values to 4
- terabytes. See also src_kbytes_out.
+ Returns the total amount of server-to-client data from the currently tracked
+ counters, measured in kilobytes. The test is currently performed on 32-bit
+ integers, which limits values to 4 terabytes. See also src_kbytes_out.
sc_sess_cnt(<ctr>[,<table>]) : integer
sc0_sess_cnt([<table>]) : integer
@@ -10532,19 +10561,18 @@
tcp-request connection reject if abuse kill
src_kbytes_in([<table>]) : integer
- Returns the amount of data received from the incoming connection's source
- address in the current proxy's stick-table or in the designated stick-table,
- measured in kilobytes over the period configured in the table. If the address
- is not found, zero is returned. The test is currently performed on 32-bit
- integers, which limits values to 4 terabytes. See also
- sc/sc0/sc1/sc2_kbytes_in.
+ Returns the total amount of data received from the incoming connection's
+ source address in the current proxy's stick-table or in the designated
+ stick-table, measured in kilobytes. If the address is not found, zero is
+ returned. The test is currently performed on 32-bit integers, which limits
+ values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.
src_kbytes_out([<table>]) : integer
- Returns the amount of data sent to the incoming connection's source address
- in the current proxy's stick-table or in the designated stick-table, measured
- in kilobytes over the period configured in the table. If the address is not
- found, zero is returned. The test is currently performed on 32-bit integers,
- which limits values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
+ Returns the total amount of data sent to the incoming connection's source
+ address in the current proxy's stick-table or in the designated stick-table,
+ measured in kilobytes. If the address is not found, zero is returned. The
+ test is currently performed on 32-bit integers, which limits values to 4
+ terabytes. See also sc/sc0/sc1/sc2_kbytes_out.
src_port : integer
Returns an integer value corresponding to the TCP source port of the
@@ -10698,6 +10726,10 @@
Returns the SHA-1 fingerprint of the certificate presented by the client when
the incoming connection was made over an SSL/TLS transport layer. This can be
used to stick a client to a server, or to pass this information to a server.
+ Note that the output is binary, so if you want to pass that signature to the
+ server, you need to encode it in hex or base64, such as in the example below:
+
+ http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
ssl_c_sig_alg : string
Returns the name of the algorithm used to sign the certificate presented by
@@ -13041,44 +13073,76 @@
do not insert any column before these ones in order not to break tools which
use hard-coded column positions.
- 0. pxname: proxy name
- 1. svname: service name (FRONTEND for frontend, BACKEND for backend, any name
- for server)
- 2. qcur: current queued requests
- 3. qmax: max queued requests
- 4. scur: current sessions
- 5. smax: max sessions
- 6. slim: sessions limit
- 7. stot: total sessions
- 8. bin: bytes in
- 9. bout: bytes out
- 10. dreq: denied requests
- 11. dresp: denied responses
- 12. ereq: request errors
- 13. econ: connection errors
- 14. eresp: response errors (among which srv_abrt)
- 15. wretr: retries (warning)
- 16. wredis: redispatches (warning)
- 17. status: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
- 18. weight: server weight (server), total weight (backend)
- 19. act: server is active (server), number of active servers (backend)
- 20. bck: server is backup (server), number of backup servers (backend)
- 21. chkfail: number of failed checks
- 22. chkdown: number of UP->DOWN transitions
- 23. lastchg: last status change (in seconds)
- 24. downtime: total downtime (in seconds)
- 25. qlimit: queue limit
- 26. pid: process id (0 for first instance, 1 for second, ...)
- 27. iid: unique proxy id
- 28. sid: service id (unique inside a proxy)
- 29. throttle: warm up status
- 30. lbtot: total number of times a server was selected
- 31. tracked: id of proxy/server if tracking is enabled
- 32. type (0=frontend, 1=backend, 2=server, 3=socket)
- 33. rate: number of sessions per second over last elapsed second
- 34. rate_lim: limit on new sessions per second
- 35. rate_max: max number of new sessions per second
- 36. check_status: status of last health check, one of:
+In brackets after each field name are the types which may have a value for
+that field. The types are L (Listeners), F (Frontends), B (Backends), and
+S (Servers).
+
+ 0. pxname [LFBS]: proxy name
+ 1. svname [LFBS]: service name (FRONTEND for frontend, BACKEND for backend,
+ any name for server/listener)
+ 2. qcur [..BS]: current queued requests. For the backend this reports the
+ number queued without a server assigned.
+ 3. qmax [..BS]: max value of qcur
+ 4. scur [LFBS]: current sessions
+ 5. smax [LFBS]: max sessions
+ 6. slim [LFBS]: configured session limit
+ 7. stot [LFBS]: cumulative number of connections
+ 8. bin [LFBS]: bytes in
+ 9. bout [LFBS]: bytes out
+ 10. dreq [LFB.]: requests denied because of security concerns.
+ - For tcp this is because of a matched tcp-request content rule.
+ - For http this is because of a matched http-request or tarpit rule.
+ 11. dresp [LFBS]: responses denied because of security concerns.
+ - For http this is because of a matched http-request rule, or
+ "option checkcache".
+ 12. ereq [LF..]: request errors. Some of the possible causes are:
+ - early termination from the client, before the request has been sent.
+ - read error from the client
+ - client timeout
+ - client closed connection
+ - various bad requests from the client.
+ - request was tarpitted.
+ 13. econ [..BS]: number of requests that encountered an error trying to
+ connect to a backend server. The backend stat is the sum of the stat
+ for all servers of that backend, plus any connection errors not
+ associated with a particular server (such as the backend having no
+ active servers).
+ 14. eresp [..BS]: response errors. srv_abrt will be counted here also.
+ Some other errors are:
+ - write error on the client socket (won't be counted for the server stat)
+ - failure applying filters to the response.
+ 15. wretr [..BS]: number of times a connection to a server was retried.
+ 16. wredis [..BS]: number of times a request was redispatched to another
+ server. The server value counts the number of times that server was
+ switched away from.
+ 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
+ 18. weight [..BS]: server weight (server), total weight (backend)
+ 19. act [..BS]: server is active (server), number of active servers (backend)
+ 20. bck [..BS]: server is backup (server), number of backup servers (backend)
+ 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
+ the server is up.)
+ 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
+ transitions to the whole backend being down, rather than the sum of the
+ counters for each server.
+ 23. lastchg [..BS]: number of seconds since the last UP<->DOWN transition
+ 24. downtime [..BS]: total downtime (in seconds). The value for the backend
+ is the downtime for the whole backend, not the sum of the server downtime.
+ 25. qlimit [...S]: configured maxqueue for the server, or nothing in the
+ value is 0 (default, meaning no limit)
+ 26. pid [LFBS]: process id (0 for first instance, 1 for second, ...)
+ 27. iid [LFBS]: unique proxy id
+ 28. sid [L..S]: server id (unique inside a proxy)
+ 29. throttle [...S]: current throttle percentage for the server, when
+ slowstart is active, or no value if not in slowstart.
+ 30. lbtot [..BS]: total number of times a server was selected, either for new
+ sessions, or when re-dispatching. The server counter is the number
+ of times that server was selected.
+ 31. tracked [...S]: id of proxy/server if tracking is enabled.
+ 32. type [LFBS]: (0=frontend, 1=backend, 2=server, 3=socket/listener)
+ 33. rate [.FBS]: number of sessions per second over last elapsed second
+ 34. rate_lim [.F..]: configured limit on new sessions per second
+ 35. rate_max [.FBS]: max number of new sessions per second
+ 36. check_status [...S]: status of last health check, one of:
UNK -> unknown
INI -> initializing
SOCKERR -> socket error
@@ -13095,31 +13159,36 @@
L7TOUT -> layer 7 (HTTP/SMTP) timeout
L7RSP -> layer 7 invalid response - protocol error
L7STS -> layer 7 response error, for example HTTP 5xx
- 37. check_code: layer5-7 code, if available
- 38. check_duration: time in ms took to finish last health check
- 39. hrsp_1xx: http responses with 1xx code
- 40. hrsp_2xx: http responses with 2xx code
- 41. hrsp_3xx: http responses with 3xx code
- 42. hrsp_4xx: http responses with 4xx code
- 43. hrsp_5xx: http responses with 5xx code
- 44. hrsp_other: http responses with other codes (protocol error)
- 45. hanafail: failed health checks details
- 46. req_rate: HTTP requests per second over last elapsed second
- 47. req_rate_max: max number of HTTP requests per second observed
- 48. req_tot: total number of HTTP requests received
- 49. cli_abrt: number of data transfers aborted by the client
- 50. srv_abrt: number of data transfers aborted by the server (inc. in eresp)
- 51. comp_in: number of HTTP response bytes fed to the compressor
- 52. comp_out: number of HTTP response bytes emitted by the compressor
- 53. comp_byp: number of bytes that bypassed the HTTP compressor (CPU/BW limit)
- 54. comp_rsp: number of HTTP responses that were compressed
- 55. lastsess: number of seconds since last session assigned to server/backend
- 56. last_chk: last health check contents or textual error
- 57. last_agt: last agent check contents or textual error
- 58. qtime: the average queue time in ms over the 1024 last requests
- 59. ctime: the average connect time in ms over the 1024 last requests
- 60. rtime: the average response time in ms over the 1024 last requests (0 for TCP)
- 61. ttime: the average total session time in ms over the 1024 last requests
+ 37. check_code [...S]: layer5-7 code, if available
+ 38. check_duration [...S]: time in ms took to finish last health check
+ 39. hrsp_1xx [.FBS]: http responses with 1xx code
+ 40. hrsp_2xx [.FBS]: http responses with 2xx code
+ 41. hrsp_3xx [.FBS]: http responses with 3xx code
+ 42. hrsp_4xx [.FBS]: http responses with 4xx code
+ 43. hrsp_5xx [.FBS]: http responses with 5xx code
+ 44. hrsp_other [.FBS]: http responses with other codes (protocol error)
+ 45. hanafail [...S]: failed health checks details
+ 46. req_rate [.F..]: HTTP requests per second over last elapsed second
+ 47. req_rate_max [.F..]: max number of HTTP requests per second observed
+ 48. req_tot [.F..]: total number of HTTP requests received
+ 49. cli_abrt [..BS]: number of data transfers aborted by the client
+ 50. srv_abrt [..BS]: number of data transfers aborted by the server
+ (inc. in eresp)
+ 51. comp_in [.FB.]: number of HTTP response bytes fed to the compressor
+ 52. comp_out [.FB.]: number of HTTP response bytes emitted by the compressor
+ 53. comp_byp [.FB.]: number of bytes that bypassed the HTTP compressor
+ (CPU/BW limit)
+ 54. comp_rsp [.FB.]: number of HTTP responses that were compressed
+ 55. lastsess [..BS]: number of seconds since last session assigned to
+ server/backend
+ 56. last_chk [...S]: last health check contents or textual error
+ 57. last_agt [...S]: last agent check contents or textual error
+ 58. qtime [..BS]: the average queue time in ms over the 1024 last requests
+ 59. ctime [..BS]: the average connect time in ms over the 1024 last requests
+ 60. rtime [..BS]: the average response time in ms over the 1024 last requests
+ (0 for TCP)
+ 61. ttime [..BS]: the average total session time in ms over the 1024 last
+ requests
9.2. Unix Socket commands
@@ -13800,7 +13869,7 @@
endless transfer is ongoing. Such terminated sessions are reported with a 'K'
flag in the logs.
-shutdown sessions <backend>/<server>
+shutdown sessions server <backend>/<server>
Immediately terminate all the sessions attached to the specified server. This
can be used to terminate long-running sessions after a server is put into
maintenance mode, for instance. Such terminated sessions are reported with a
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/doc/internals/body-parsing.txt
^
|
| @@ -67,12 +67,17 @@
automatically adjusted to the number of bytes already inspected.
msg.sov : start of value. First character of the header's value in the header
- states, start of the body in the data states until headers are
- forwarded. This offset is automatically adjusted when inserting or
- removing some headers. In data states, it always constains the size
- of the whole HTTP headers (including the trailing CRLF) that needs
- to be forwarded before the first byte of body. Once the headers are
- forwarded, this value drops to zero.
+ states, start of the body in the data states. Strictly positive
+ values indicate that headers were not forwarded yet (<buf.p> is
+ before the start of the body), and null or positive values are seen
+ after headers are forwarded (<buf.p> is at or past the start of the
+ body). The value stops changing when data start to leave the buffer
+ (in order to avoid integer overflows). So the maximum possible range
+ is -<buf.size> to +<buf.size>. This offset is automatically adjusted
+ when inserting or removing some headers. It is useful to rewind the
+ request buffer to the beginning of the body at any phase. The
+ response buffer does not really use it since it is immediately
+ forwarded to the client.
msg.sol : start of line. Points to the beginning of the current header line
while parsing headers. It is cleared to zero in the BODY state,
@@ -97,7 +102,8 @@
states nor by forwarding.
The beginning of the message headers can always be found this way even after
-headers have been forwarded :
+headers or data have been forwarded, provided that everything is still present
+in the buffer :
headers = buf.p + msg->sov - msg->eoh - msg->eol
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/doc/proxy-protocol.txt
^
|
| @@ -1,4 +1,4 @@
-2014/06/14 Willy Tarreau
+2014/07/25 Willy Tarreau
HAProxy Technologies
The PROXY protocol
Versions 1 & 2
@@ -21,6 +21,7 @@
2014/05/18 - modify and extend PROXY protocol version 2
2014/06/11 - fix example code to consider ver+cmd merge
2014/06/14 - fix v2 header check in example code, and update Forwarded spec
+ 2014/07/12 - update list of implementations (add Squid)
1. Background
@@ -692,6 +693,7 @@
- thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- SSL :
- stud 0.3.47 : connection abort => pass/optimal
- stunnel 4.45 : connection abort => pass/optimal
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/examples/haproxy.spec
^
|
| @@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.5.1
+Version: 1.5.3
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -67,7 +67,7 @@
%files
%defattr(-,root,root)
-%doc CHANGELOG TODO examples/*.cfg doc/haproxy-en.txt doc/haproxy-fr.txt doc/architecture.txt doc/configuration.txt
+%doc CHANGELOG README examples/*.cfg doc/haproxy-en.txt doc/haproxy-fr.txt doc/architecture.txt doc/configuration.txt doc/proxy-protocol.txt
%doc %{_mandir}/man1/%{name}.1*
%attr(0755,root,root) %{_sbindir}/%{name}
@@ -76,6 +76,12 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Fri Jul 25 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.3
+
+* Sat Jul 12 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.2
+
* Tue Jun 24 2014 Willy Tarreau <w@1wt.eu>
- updated to 1.5.1
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/common/defaults.h
^
|
| @@ -48,6 +48,10 @@
#define CAPTURE_LEN 64
#endif
+#ifndef MAX_SYSLOG_LEN
+#define MAX_SYSLOG_LEN 1024
+#endif
+
// maximum line size when parsing config
#ifndef LINESIZE
#define LINESIZE 2048
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/common/hash.h
^
|
| @@ -22,8 +22,8 @@
#ifndef _COMMON_HASH_H_
#define _COMMON_HASH_H_
-unsigned long hash_djb2(const char *key, int len);
-unsigned long hash_wt6(const char *key, int len);
-unsigned long hash_sdbm(const char *key, int len);
+unsigned int hash_djb2(const char *key, int len);
+unsigned int hash_wt6(const char *key, int len);
+unsigned int hash_sdbm(const char *key, int len);
#endif /* _COMMON_HASH_H_ */
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/proto/log.h
^
|
| @@ -39,6 +39,7 @@
extern char default_tcp_log_format[];
extern char default_http_log_format[];
extern char clf_http_log_format[];
+extern char *logline;
int build_logline(struct session *s, char *dst, size_t maxsize, struct list *list_format);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/proto/proto_tcp.h
^
|
| @@ -30,6 +30,7 @@
int tcp_bind_socket(int fd, int flags, struct sockaddr_storage *local, struct sockaddr_storage *remote);
void tcpv4_add_listener(struct listener *listener);
void tcpv6_add_listener(struct listener *listener);
+int tcp_pause_listener(struct listener *l);
int tcp_connect_server(struct connection *conn, int data, int delack);
int tcp_connect_probe(struct connection *conn);
int tcp_get_src(int fd, struct sockaddr *sa, socklen_t salen, int dir);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/proto/proto_uxst.h
^
|
| @@ -27,6 +27,7 @@
#include <types/task.h>
void uxst_add_listener(struct listener *listener);
+int uxst_pause_listener(struct listener *l);
int uxst_get_src(int fd, struct sockaddr *sa, socklen_t salen, int dir);
int uxst_get_dst(int fd, struct sockaddr *sa, socklen_t salen, int dir);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/proto/ssl_sock.h
^
|
| @@ -52,7 +52,7 @@
const char *ssl_sock_get_proto_version(struct connection *conn);
char *ssl_sock_get_version(struct connection *conn);
int ssl_sock_get_cert_used(struct connection *conn);
-char *ssl_sock_get_common_name(struct connection *conn);
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn);
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/proto/stick_table.h
^
|
| @@ -48,7 +48,7 @@
struct stksess *stktable_update_key(struct stktable *table, struct stktable_key *key);
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px,
struct session *l4, void *l7, unsigned int opt,
- struct sample_expr *expr);
+ struct sample_expr *expr, struct sample *smp);
int stktable_compatible_sample(struct sample_expr *expr, unsigned long table_type);
int stktable_get_data_type(char *name);
struct proxy *find_stktable(const char *name);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/types/global.h
^
|
| @@ -110,6 +110,7 @@
int last_checks;
int spread_checks;
int max_spread_checks;
+ int max_syslog_len;
char *chroot;
char *pidfile;
char *node, *desc; /* node name & description */
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/types/log.h
^
|
| @@ -28,7 +28,6 @@
#include <common/config.h>
#include <common/mini-clist.h>
-#define MAX_SYSLOG_LEN 1024
#define NB_LOG_FACILITIES 24
#define NB_LOG_LEVELS 8
#define SYSLOG_PORT 514
@@ -153,6 +152,7 @@
int facility;
int level;
int minlvl;
+ int maxlen;
};
#endif /* _TYPES_LOG_H */
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/types/proto_http.h
^
|
| @@ -329,7 +329,8 @@
* message or a response message.
*
* The values there are a little bit obscure, because their meaning can change
- * during the parsing :
+ * during the parsing. Please read carefully doc/internal/body-parsing.txt if
+ * you need to manipulate them. Quick reminder :
*
* - eoh (End of Headers) : relative offset in the buffer of first byte that
* is not part of a completely processed header.
@@ -344,9 +345,9 @@
* - sov (start of value) : Before HTTP_MSG_BODY, points to the value of
* the header being parsed. Starting from
* HTTP_MSG_BODY, will point to the start of the
- * body (relative to buffer's origin), or to data
- * following a chunk size. Thus <sov> bytes of
- * headers will have to be sent only once.
+ * body (relative to buffer's origin). It can be
+ * negative when forwarding data. It stops growing
+ * once data start to leave the buffer.
*
* - next (parse pointer) : next relative byte to be parsed. Always points
* to a byte matching the current state.
@@ -372,7 +373,7 @@
/* 6 bytes unused here */
struct channel *chn; /* pointer to the channel transporting the message */
unsigned int next; /* pointer to next byte to parse, relative to buf->p */
- unsigned int sov; /* current header: start of value */
+ int sov; /* current header: start of value ; data: start of body */
unsigned int eoh; /* End Of Headers, relative to buffer */
unsigned int sol; /* start of current line during parsing otherwise zero */
unsigned int eol; /* end of line */
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/include/types/protocol.h
^
|
| @@ -60,6 +60,7 @@
int (*get_src)(int fd, struct sockaddr *, socklen_t, int dir); /* syscall used to retrieve src addr */
int (*get_dst)(int fd, struct sockaddr *, socklen_t, int dir); /* syscall used to retrieve dst addr */
int (*drain)(int fd); /* indicates whether we can safely close the fd */
+ int (*pause)(struct listener *l); /* temporarily pause this listener for a soft restart */
struct list listeners; /* list of listeners using this protocol */
int nb_listeners; /* number of listeners */
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/backend.c
^
|
| @@ -63,9 +63,9 @@
}
/* helper function to invoke the correct hash method */
-static unsigned long gen_hash(const struct proxy* px, const char* key, unsigned long len)
+static unsigned int gen_hash(const struct proxy* px, const char* key, unsigned long len)
{
- unsigned long hash;
+ unsigned int hash;
switch (px->lbprm.algo & BE_LB_HASH_FUNC) {
case BE_LB_HFCN_DJB2:
@@ -183,7 +183,7 @@
*/
struct server *get_server_uh(struct proxy *px, char *uri, int uri_len)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
int c;
int slashes = 0;
const char *start, *end;
@@ -232,7 +232,7 @@
*/
struct server *get_server_ph(struct proxy *px, const char *uri, int uri_len)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
const char *start, *end;
const char *p;
const char *params;
@@ -294,7 +294,7 @@
*/
struct server *get_server_ph_post(struct session *s)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
struct http_txn *txn = &s->txn;
struct channel *req = s->req;
struct http_msg *msg = &txn->req;
@@ -372,7 +372,7 @@
*/
struct server *get_server_hh(struct session *s)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
struct http_txn *txn = &s->txn;
struct proxy *px = s->be;
unsigned int plen = px->hh_len;
@@ -444,7 +444,7 @@
/* RDP Cookie HASH. */
struct server *get_server_rch(struct session *s)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
struct proxy *px = s->be;
unsigned long len;
int ret;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/cfgparse.c
^
|
| @@ -1254,6 +1254,8 @@
struct sockaddr_storage *sk;
int port1, port2;
struct logsrv *logsrv;
+ int arg = 0;
+ int len = 0;
if (*(args[1]) == 0 || *(args[2]) == 0) {
Alert("parsing [%s:%d] : '%s' expects <address> and <facility> as arguments.\n", file, linenum, args[0]);
@@ -1263,28 +1265,50 @@
logsrv = calloc(1, sizeof(struct logsrv));
- logsrv->facility = get_log_facility(args[2]);
+ /* just after the address, a length may be specified */
+ if (strcmp(args[arg+2], "len") == 0) {
+ len = atoi(args[arg+3]);
+ if (len < 80 || len > 65535) {
+ Alert("parsing [%s:%d] : invalid log length '%s', must be between 80 and 65535.\n",
+ file, linenum, args[arg+3]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ logsrv->maxlen = len;
+
+ /* skip these two args */
+ arg += 2;
+ }
+ else
+ logsrv->maxlen = MAX_SYSLOG_LEN;
+
+ if (logsrv->maxlen > global.max_syslog_len) {
+ global.max_syslog_len = logsrv->maxlen;
+ logline = realloc(logline, global.max_syslog_len + 1);
+ }
+
+ logsrv->facility = get_log_facility(args[arg+2]);
if (logsrv->facility < 0) {
- Alert("parsing [%s:%d] : unknown log facility '%s'\n", file, linenum, args[2]);
+ Alert("parsing [%s:%d] : unknown log facility '%s'\n", file, linenum, args[arg+2]);
err_code |= ERR_ALERT | ERR_FATAL;
logsrv->facility = 0;
}
logsrv->level = 7; /* max syslog level = debug */
- if (*(args[3])) {
- logsrv->level = get_log_level(args[3]);
+ if (*(args[arg+3])) {
+ logsrv->level = get_log_level(args[arg+3]);
if (logsrv->level < 0) {
- Alert("parsing [%s:%d] : unknown optional log level '%s'\n", file, linenum, args[3]);
+ Alert("parsing [%s:%d] : unknown optional log level '%s'\n", file, linenum, args[arg+3]);
err_code |= ERR_ALERT | ERR_FATAL;
logsrv->level = 0;
}
}
logsrv->minlvl = 0; /* limit syslog level to this level (emerg) */
- if (*(args[4])) {
- logsrv->minlvl = get_log_level(args[4]);
+ if (*(args[arg+4])) {
+ logsrv->minlvl = get_log_level(args[arg+4]);
if (logsrv->minlvl < 0) {
- Alert("parsing [%s:%d] : unknown optional minimum log level '%s'\n", file, linenum, args[4]);
+ Alert("parsing [%s:%d] : unknown optional minimum log level '%s'\n", file, linenum, args[arg+4]);
err_code |= ERR_ALERT | ERR_FATAL;
logsrv->minlvl = 0;
}
@@ -4791,22 +4815,46 @@
else if (*(args[1]) && *(args[2])) {
struct sockaddr_storage *sk;
int port1, port2;
+ int arg = 0;
+ int len = 0;
logsrv = calloc(1, sizeof(struct logsrv));
- logsrv->facility = get_log_facility(args[2]);
+ /* just after the address, a length may be specified */
+ if (strcmp(args[arg+2], "len") == 0) {
+ len = atoi(args[arg+3]);
+ if (len < 80 || len > 65535) {
+ Alert("parsing [%s:%d] : invalid log length '%s', must be between 80 and 65535.\n",
+ file, linenum, args[arg+3]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ logsrv->maxlen = len;
+
+ /* skip these two args */
+ arg += 2;
+ }
+ else
+ logsrv->maxlen = MAX_SYSLOG_LEN;
+
+ if (logsrv->maxlen > global.max_syslog_len) {
+ global.max_syslog_len = logsrv->maxlen;
+ logline = realloc(logline, global.max_syslog_len + 1);
+ }
+
+ logsrv->facility = get_log_facility(args[arg+2]);
if (logsrv->facility < 0) {
- Alert("parsing [%s:%d] : unknown log facility '%s'\n", file, linenum, args[2]);
+ Alert("parsing [%s:%d] : unknown log facility '%s'\n", file, linenum, args[arg+2]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
logsrv->level = 7; /* max syslog level = debug */
- if (*(args[3])) {
- logsrv->level = get_log_level(args[3]);
+ if (*(args[arg+3])) {
+ logsrv->level = get_log_level(args[arg+3]);
if (logsrv->level < 0) {
- Alert("parsing [%s:%d] : unknown optional log level '%s'\n", file, linenum, args[3]);
+ Alert("parsing [%s:%d] : unknown optional log level '%s'\n", file, linenum, args[arg+3]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
@@ -4814,10 +4862,10 @@
}
logsrv->minlvl = 0; /* limit syslog level to this level (emerg) */
- if (*(args[4])) {
- logsrv->minlvl = get_log_level(args[4]);
+ if (*(args[arg+4])) {
+ logsrv->minlvl = get_log_level(args[arg+4]);
if (logsrv->minlvl < 0) {
- Alert("parsing [%s:%d] : unknown optional minimum log level '%s'\n", file, linenum, args[4]);
+ Alert("parsing [%s:%d] : unknown optional minimum log level '%s'\n", file, linenum, args[arg+4]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/connection.c
^
|
| @@ -622,6 +622,7 @@
char *value = NULL;
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+ struct chunk *cn_trash;
#endif
if (buf_len < PP2_HEADER_LEN)
@@ -682,9 +683,9 @@
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- value = ssl_sock_get_common_name(remote);
- if (value) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, strlen(value), value);
+ cn_trash = get_trash_chunk();
+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
}
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/dumpstats.c
^
|
| @@ -3710,7 +3710,7 @@
"<option value=\"\"></option>"
"<option value=\"ready\">Set state to READY</option>"
"<option value=\"drain\">Set state to DRAIN</option>"
- "<option value=\"maint\">set state to MAINT</option>"
+ "<option value=\"maint\">Set state to MAINT</option>"
"<option value=\"dhlth\">Health: disable checks</option>"
"<option value=\"ehlth\">Health: enable checks</option>"
"<option value=\"hrunn\">Health: force UP</option>"
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/hash.c
^
|
| @@ -17,7 +17,7 @@
#include <common/hash.h>
-unsigned long hash_wt6(const char *key, int len)
+unsigned int hash_wt6(const char *key, int len)
{
unsigned h0 = 0xa53c965aUL;
unsigned h1 = 0x5ca6953aUL;
@@ -44,9 +44,9 @@
return h0 ^ h1;
}
-unsigned long hash_djb2(const char *key, int len)
+unsigned int hash_djb2(const char *key, int len)
{
- unsigned long hash = 5381;
+ unsigned int hash = 5381;
/* the hash unrolled eight times */
for (; len >= 8; len -= 8) {
@@ -72,9 +72,9 @@
return hash;
}
-unsigned long hash_sdbm(const char *key, int len)
+unsigned int hash_sdbm(const char *key, int len)
{
- unsigned long hash = 0;
+ unsigned int hash = 0;
int c;
while (len--) {
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/listener.c
^
|
| @@ -95,15 +95,16 @@
if (l->state <= LI_PAUSED)
return 1;
- if (l->proto->sock_prot == IPPROTO_TCP) {
- if (shutdown(l->fd, SHUT_WR) != 0)
- return 0; /* Solaris dies here */
-
- if (listen(l->fd, l->backlog ? l->backlog : l->maxconn) != 0)
- return 0; /* OpenBSD dies here */
+ if (l->proto->pause) {
+ /* Returns < 0 in case of failure, 0 if the listener
+ * was totally stopped, or > 0 if correctly paused.
+ */
+ int ret = l->proto->pause(l);
- if (shutdown(l->fd, SHUT_RD) != 0)
- return 0; /* should always be OK */
+ if (ret < 0)
+ return 0;
+ else if (ret == 0)
+ return 1;
}
if (l->state == LI_LIMITED)
@@ -119,10 +120,26 @@
* may replace enable_listener(). The resulting state will either be LI_READY
* or LI_FULL. 0 is returned in case of failure to resume (eg: dead socket).
* Listeners bound to a different process are not woken up unless we're in
- * foreground mode.
+ * foreground mode. If the listener was only in the assigned state, it's totally
+ * rebound. This can happen if a pause() has completely stopped it. If the
+ * resume fails, 0 is returned and an error might be displayed.
*/
int resume_listener(struct listener *l)
{
+ if (l->state == LI_ASSIGNED) {
+ char msg[100];
+ int err;
+
+ err = l->proto->bind(l, msg, sizeof(msg));
+ if (err & ERR_ALERT)
+ Alert("Resuming listener: %s\n", msg);
+ else if (err & ERR_WARN)
+ Warning("Resuming listener: %s\n", msg);
+
+ if (err & (ERR_FATAL | ERR_ABORT))
+ return 0;
+ }
+
if (l->state < LI_PAUSED)
return 0;
@@ -236,6 +253,7 @@
if (listener->state >= LI_PAUSED) {
fd_delete(listener->fd);
+ listener->fd = -1;
listener->state = LI_ASSIGNED;
}
return ERR_NONE;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/log.c
^
|
| @@ -146,7 +146,7 @@
/* This is a global syslog line, common to all outgoing messages. It begins
* with the syslog tag and the date that are updated by update_log_hdr().
*/
-static char logline[MAX_SYSLOG_LEN];
+char *logline = NULL;
struct logformat_var_args {
char *name;
@@ -736,7 +736,7 @@
tvsec = date.tv_sec;
get_localtime(tvsec, &tm);
- hdr_len = snprintf(logline, MAX_SYSLOG_LEN,
+ hdr_len = snprintf(logline, global.max_syslog_len,
"<<<<>%s %2d %02d:%02d:%02d %s%s[%d]: ",
monthname[tm.tm_mon],
tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec,
@@ -746,8 +746,8 @@
* either -1 or the number of bytes that would be needed to store
* the total message. In both cases, we must adjust it.
*/
- if (hdr_len < 0 || hdr_len > MAX_SYSLOG_LEN)
- hdr_len = MAX_SYSLOG_LEN;
+ if (hdr_len < 0 || hdr_len > global.max_syslog_len)
+ hdr_len = global.max_syslog_len;
dataptr = logline + hdr_len;
}
@@ -772,9 +772,9 @@
data_len = dataptr - logline;
va_start(argp, format);
- data_len += vsnprintf(dataptr, logline + sizeof(logline) - dataptr, format, argp);
- if (data_len < 0 || data_len > MAX_SYSLOG_LEN)
- data_len = MAX_SYSLOG_LEN;
+ data_len += vsnprintf(dataptr, logline + global.max_syslog_len - dataptr, format, argp);
+ if (data_len < 0 || data_len > global.max_syslog_len)
+ data_len = global.max_syslog_len;
va_end(argp);
__send_log(p, level, logline, data_len);
@@ -811,8 +811,6 @@
if (!logsrvs)
return;
- message[size - 1] = '\n';
-
/* Send log messages to syslog server. */
nblogger = 0;
list_for_each_entry(tmp, logsrvs, list) {
@@ -820,6 +818,8 @@
int *plogfd = logsrv->addr.ss_family == AF_UNIX ?
&logfdunix : &logfdinet;
int sent;
+ int max;
+ char backup;
nblogger++;
@@ -858,9 +858,23 @@
} while (fac_level && log_ptr > dataptr);
*log_ptr = '<';
- sent = sendto(*plogfd, log_ptr, size - (log_ptr - dataptr),
+ max = size - (log_ptr - dataptr);
+ if (max > logsrv->maxlen)
+ max = logsrv->maxlen;
+
+ /* insert a \n at the end of the message, but save what was
+ * there first because we could have different max lengths
+ * for different log targets.
+ */
+ backup = log_ptr[max - 1];
+ log_ptr[max - 1] = '\n';
+
+ sent = sendto(*plogfd, log_ptr, max,
MSG_DONTWAIT | MSG_NOSIGNAL,
(struct sockaddr *)&logsrv->addr, get_addr_len(&logsrv->addr));
+
+ log_ptr[max - 1] = backup;
+
if (sent < 0) {
Alert("sendto logger #%d failed: %s (errno=%d)\n",
nblogger, strerror(errno), errno);
@@ -1604,7 +1618,7 @@
tmplog = update_log_hdr();
size = tmplog - logline;
- size += build_logline(s, tmplog, sizeof(logline) - size, &s->fe->logformat);
+ size += build_logline(s, tmplog, global.max_syslog_len - size, &s->fe->logformat);
if (size > 0) {
__send_log(s->fe, level, logline, size + 1);
s->logs.logwait = 0;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/proto_http.c
^
|
| @@ -2143,22 +2143,22 @@
{
int q = 1000;
- if (!isdigit(*qvalue))
+ if (!isdigit((unsigned char)*qvalue))
goto out;
q = (*qvalue++ - '0') * 1000;
if (*qvalue++ != '.')
goto out;
- if (!isdigit(*qvalue))
+ if (!isdigit((unsigned char)*qvalue))
goto out;
q += (*qvalue++ - '0') * 100;
- if (!isdigit(*qvalue))
+ if (!isdigit((unsigned char)*qvalue))
goto out;
q += (*qvalue++ - '0') * 10;
- if (!isdigit(*qvalue))
+ if (!isdigit((unsigned char)*qvalue))
goto out;
q += (*qvalue++ - '0') * 1;
out:
@@ -4808,7 +4808,6 @@
s->logs.t_close = tv_ms_elapsed(&s->logs.tv_accept, &now);
session_process_counters(s);
- session_stop_content_counters(s);
if (s->txn.status) {
int n;
@@ -4842,6 +4841,8 @@
s->do_log(s);
}
+ /* stop tracking content-based counters */
+ session_stop_content_counters(s);
session_update_time_stats(s);
s->logs.accept_date = date; /* user-visible date for logging */
@@ -5314,7 +5315,7 @@
* an "Expect: 100-continue" header.
*/
- if (msg->sov) {
+ if (msg->sov > 0) {
/* we have msg->sov which points to the first byte of message
* body, and req->buf.p still points to the beginning of the
* message. We forward the headers now, as we don't need them
@@ -5428,6 +5429,8 @@
* such as last chunk of data or trailers.
*/
b_adv(req->buf, msg->next);
+ if (unlikely(!(s->rep->flags & CF_READ_ATTACHED)))
+ msg->sov -= msg->next;
msg->next = 0;
/* for keep-alive we don't want to forward closes on DONE */
@@ -5478,6 +5481,9 @@
missing_data:
/* we may have some pending data starting at req->buf->p */
b_adv(req->buf, msg->next);
+ if (unlikely(!(s->rep->flags & CF_READ_ATTACHED)))
+ msg->sov -= msg->next + MIN(msg->chunk_len, req->buf->i);
+
msg->next = 0;
msg->chunk_len -= channel_forward(req, msg->chunk_len);
@@ -6492,7 +6498,7 @@
/* in most states, we should abort in case of early close */
channel_auto_close(res);
- if (msg->sov) {
+ if (msg->sov > 0) {
/* we have msg->sov which points to the first byte of message
* body, and res->buf.p still points to the beginning of the
* message. We forward the headers now, as we don't need them
@@ -9747,6 +9753,9 @@
return 1;
}
+/* Note: these functinos *do* modify the sample. Even in case of success, at
+ * least the type and uint value are modified.
+ */
#define CHECK_HTTP_MESSAGE_FIRST() \
do { int r = smp_prefetch_http(px, l4, l7, opt, args, smp, 1); if (r <= 0) return r; } while (0)
@@ -10247,6 +10256,7 @@
struct http_txn *txn = l7;
char *ptr, *end, *beg;
struct hdr_ctx ctx;
+ struct chunk *temp;
CHECK_HTTP_MESSAGE_FIRST();
@@ -10255,9 +10265,10 @@
return smp_fetch_path(px, l4, l7, opt, args, smp, kw);
/* OK we have the header value in ctx.line+ctx.val for ctx.vlen bytes */
- memcpy(trash.str, ctx.line + ctx.val, ctx.vlen);
+ temp = get_trash_chunk();
+ memcpy(temp->str, ctx.line + ctx.val, ctx.vlen);
smp->type = SMP_T_STR;
- smp->data.str.str = trash.str;
+ smp->data.str.str = temp->str;
smp->data.str.len = ctx.vlen;
/* now retrieve the path */
@@ -10347,8 +10358,8 @@
return 0;
temp = get_trash_chunk();
- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
- temp->len += sizeof(smp->data.uint);
+ *(unsigned int *)temp->str = htonl(smp->data.uint);
+ temp->len += sizeof(unsigned int);
switch (cli_conn->addr.from.ss_family) {
case AF_INET:
@@ -11220,7 +11231,7 @@
while (1) {
/* Jump spaces, quit if the end is detected. */
- while (al < end && isspace(*al))
+ while (al < end && isspace((unsigned char)*al))
al++;
if (al >= end)
break;
@@ -11229,7 +11240,7 @@
token = al;
/* Look for separator: isspace(), ',' or ';'. Next value if 0 length word. */
- while (al < end && *al != ';' && *al != ',' && !isspace(*al))
+ while (al < end && *al != ';' && *al != ',' && !isspace((unsigned char)*al))
al++;
if (al == token)
goto expect_comma;
@@ -11258,7 +11269,7 @@
look_for_q:
/* Jump spaces, quit if the end is detected. */
- while (al < end && isspace(*al))
+ while (al < end && isspace((unsigned char)*al))
al++;
if (al >= end)
goto process_value;
@@ -11277,7 +11288,7 @@
al++;
/* Jump spaces, process value if the end is detected. */
- while (al < end && isspace(*al))
+ while (al < end && isspace((unsigned char)*al))
al++;
if (al >= end)
goto process_value;
@@ -11288,7 +11299,7 @@
al++;
/* Jump spaces, process value if the end is detected. */
- while (al < end && isspace(*al))
+ while (al < end && isspace((unsigned char)*al))
al++;
if (al >= end)
goto process_value;
@@ -11299,7 +11310,7 @@
al++;
/* Jump spaces, process value if the end is detected. */
- while (al < end && isspace(*al))
+ while (al < end && isspace((unsigned char)*al))
al++;
if (al >= end)
goto process_value;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/proto_tcp.c
^
|
| @@ -80,6 +80,7 @@
.get_src = tcp_get_src,
.get_dst = tcp_get_dst,
.drain = tcp_drain,
+ .pause = tcp_pause_listener,
.listeners = LIST_HEAD_INIT(proto_tcpv4.listeners),
.nb_listeners = 0,
};
@@ -102,6 +103,7 @@
.get_src = tcp_get_src,
.get_dst = tcp_get_dst,
.drain = tcp_drain,
+ .pause = tcp_pause_listener,
.listeners = LIST_HEAD_INIT(proto_tcpv6.listeners),
.nb_listeners = 0,
};
@@ -947,6 +949,22 @@
proto_tcpv6.nb_listeners++;
}
+/* Pause a listener. Returns < 0 in case of failure, 0 if the listener
+ * was totally stopped, or > 0 if correctly paused.
+ */
+int tcp_pause_listener(struct listener *l)
+{
+ if (shutdown(l->fd, SHUT_WR) != 0)
+ return -1; /* Solaris dies here */
+
+ if (listen(l->fd, l->backlog ? l->backlog : l->maxconn) != 0)
+ return -1; /* OpenBSD dies here */
+
+ if (shutdown(l->fd, SHUT_RD) != 0)
+ return -1; /* should always be OK */
+ return 1;
+}
+
/* This function performs the TCP request analysis on the current request. It
* returns 1 if the processing can continue on next analysers, or zero if it
* needs more data, encounters an error, or wants to immediately abort the
@@ -1022,12 +1040,16 @@
* applies.
*/
struct stktable_key *key;
+ struct sample smp;
if (stkctr_entry(&s->stkctr[tcp_trk_idx(rule->action)]))
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
+
+ if (smp.flags & SMP_F_MAY_CHANGE)
+ goto missing_data;
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
@@ -1228,7 +1250,7 @@
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key)))
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/proto_uxst.c
^
|
| @@ -68,6 +68,7 @@
.disable_all = disable_all_listeners,
.get_src = uxst_get_src,
.get_dst = uxst_get_dst,
+ .pause = uxst_pause_listener,
.listeners = LIST_HEAD_INIT(proto_unix.listeners),
.nb_listeners = 0,
};
@@ -166,9 +167,11 @@
const char *path;
int ext, ready;
socklen_t ready_len;
-
+ int err;
int ret;
+ err = ERR_NONE;
+
/* ensure we never return garbage */
if (errlen)
*errmsg = 0;
@@ -191,29 +194,34 @@
if (path[0]) {
ret = snprintf(tempname, MAXPATHLEN, "%s.%d.tmp", path, pid);
if (ret < 0 || ret >= MAXPATHLEN) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "name too long for UNIX socket";
goto err_return;
}
ret = snprintf(backname, MAXPATHLEN, "%s.%d.bak", path, pid);
if (ret < 0 || ret >= MAXPATHLEN) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "name too long for UNIX socket";
goto err_return;
}
/* 2. clean existing orphaned entries */
if (unlink(tempname) < 0 && errno != ENOENT) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "error when trying to unlink previous UNIX socket";
goto err_return;
}
if (unlink(backname) < 0 && errno != ENOENT) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "error when trying to unlink previous UNIX socket";
goto err_return;
}
/* 3. backup existing socket */
if (link(path, backname) < 0 && errno != ENOENT) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "error when trying to preserve previous UNIX socket";
goto err_return;
}
@@ -231,24 +239,35 @@
fd = socket(PF_UNIX, SOCK_STREAM, 0);
if (fd < 0) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "cannot create UNIX socket";
goto err_unlink_back;
}
fd_ready:
if (fd >= global.maxsock) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "socket(): not enough free sockets, raise -n argument";
goto err_unlink_temp;
}
if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "cannot make UNIX socket non-blocking";
goto err_unlink_temp;
}
if (!ext && bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
/* note that bind() creates the socket <tempname> on the file system */
- msg = "cannot bind UNIX socket";
+ if (errno == EADDRINUSE) {
+ /* the old process might still own it, let's retry */
+ err |= ERR_RETRYABLE | ERR_ALERT;
+ msg = "cannot listen to socket";
+ }
+ else {
+ err |= ERR_FATAL | ERR_ALERT;
+ msg = "cannot bind UNIX socket";
+ }
goto err_unlink_temp;
}
@@ -261,6 +280,7 @@
(((listener->bind_conf->ux.uid != -1 || listener->bind_conf->ux.gid != -1) &&
(chown(tempname, listener->bind_conf->ux.uid, listener->bind_conf->ux.gid) == -1)) ||
(listener->bind_conf->ux.mode != 0 && chmod(tempname, listener->bind_conf->ux.mode) == -1))) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "cannot change UNIX socket ownership";
goto err_unlink_temp;
}
@@ -272,6 +292,7 @@
if (!(ext && ready) && /* only listen if not already done by external process */
listen(fd, listener->backlog ? listener->backlog : listener->maxconn) < 0) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "cannot listen to UNIX socket";
goto err_unlink_temp;
}
@@ -281,6 +302,7 @@
* backname. Abstract sockets are not renamed.
*/
if (!ext && path[0] && rename(tempname, path) < 0) {
+ err |= ERR_FATAL | ERR_ALERT;
msg = "cannot switch final and temporary UNIX sockets";
goto err_rename;
}
@@ -303,17 +325,18 @@
fd_insert(fd);
fdtab[fd].iocb = listener->proto->accept;
fdtab[fd].owner = listener; /* reference the listener instead of a task */
- return ERR_NONE;
+ return err;
+
err_rename:
ret = rename(backname, path);
if (ret < 0 && errno == ENOENT)
unlink(path);
err_unlink_temp:
- if (!ext)
+ if (!ext && path[0])
unlink(tempname);
close(fd);
err_unlink_back:
- if (!ext)
+ if (!ext && path[0])
unlink(backname);
err_return:
if (msg && errlen) {
@@ -322,7 +345,7 @@
else
snprintf(errmsg, errlen, "%s [fd %d]", msg, fd);
}
- return ERR_FATAL | ERR_ALERT;
+ return err;
}
/* This function closes the UNIX sockets for the specified listener.
@@ -351,6 +374,20 @@
proto_unix.nb_listeners++;
}
+/* Pause a listener. Returns < 0 in case of failure, 0 if the listener
+ * was totally stopped, or > 0 if correctly paused. Nothing is done for
+ * plain unix sockets since currently it's the new process which handles
+ * the renaming. Abstract sockets are completely unbound.
+ */
+int uxst_pause_listener(struct listener *l)
+{
+ if (((struct sockaddr_un *)&l->addr)->sun_path[0])
+ return 1;
+
+ unbind_listener(l);
+ return 0;
+}
+
/*
* This function initiates a UNIX connection establishment to the target assigned
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/sample.c
^
|
| @@ -905,7 +905,7 @@
if (p == NULL) {
p = &temp_smp;
- p->flags = 0;
+ memset(p, 0, sizeof(*p));
}
if (!expr->fetch->process(px, l4, l7, opt, expr->arg_p, p, expr->fetch->kw))
@@ -1160,7 +1160,8 @@
{
struct sample *smp = &temp_smp;
- smp->flags = 0;
+ memset(smp, 0, sizeof(*smp));
+
if (!sample_process(px, l4, l7, opt, expr, smp)) {
if ((smp->flags & SMP_F_MAY_CHANGE) && !(opt & SMP_OPT_FINAL))
return smp;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/session.c
^
|
| @@ -1458,7 +1458,7 @@
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
@@ -1561,7 +1561,7 @@
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/ssl_sock.c
^
|
| @@ -105,6 +105,13 @@
int sslconns = 0;
int totalsslconns = 0;
+#ifndef OPENSSL_NO_DH
+static DH *local_dh_1024 = NULL;
+static DH *local_dh_2048 = NULL;
+static DH *local_dh_4096 = NULL;
+static DH *local_dh_8192 = NULL;
+#endif /* OPENSSL_NO_DH */
+
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
struct certificate_ocsp {
struct ebmb_node key;
@@ -1034,16 +1041,16 @@
}
if (keylen >= 8192) {
- dh = ssl_get_dh_8192();
+ dh = local_dh_8192;
}
else if (keylen >= 4096) {
- dh = ssl_get_dh_4096();
+ dh = local_dh_4096;
}
else if (keylen >= 2048) {
- dh = ssl_get_dh_2048();
+ dh = local_dh_2048;
}
else {
- dh = ssl_get_dh_1024();
+ dh = local_dh_1024;
}
return dh;
@@ -1079,11 +1086,11 @@
if (global.tune.ssl_default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
- dh = ssl_get_dh_1024();
- if (dh == NULL)
+ local_dh_1024 = ssl_get_dh_1024();
+ if (local_dh_1024 == NULL)
goto end;
- SSL_CTX_set_tmp_dh(ctx, dh);
+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
}
else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
@@ -1594,6 +1601,28 @@
global.tune.ssl_default_dh_param = 1024;
}
+#ifndef OPENSSL_NO_DH
+ if (global.tune.ssl_default_dh_param >= 1024) {
+ if (local_dh_1024 == NULL) {
+ local_dh_1024 = ssl_get_dh_1024();
+ }
+ if (global.tune.ssl_default_dh_param >= 2048) {
+ if (local_dh_2048 == NULL) {
+ local_dh_2048 = ssl_get_dh_2048();
+ }
+ if (global.tune.ssl_default_dh_param >= 4096) {
+ if (local_dh_4096 == NULL) {
+ local_dh_4096 = ssl_get_dh_4096();
+ }
+ if (global.tune.ssl_default_dh_param >= 8192 &&
+ local_dh_8192 == NULL) {
+ local_dh_8192 = ssl_get_dh_8192();
+ }
+ }
+ }
+ }
+#endif /* OPENSSL_NO_DH */
+
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
@@ -2654,21 +2683,25 @@
return (char *)SSL_get_version(conn->xprt_ctx);
}
-/* returns common name, NULL terminated, from client certificate, or NULL if none */
-char *ssl_sock_get_common_name(struct connection *conn)
+/* Extract peer certificate's common name into the chunk dest
+ * Returns
+ * the len of the extracted common name
+ * or 0 if no CN found in DN
+ * or -1 on error case (i.e. no peer certificate)
+ */
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *dest)
{
X509 *crt = NULL;
X509_NAME *name;
- struct chunk *cn_trash;
const char find_cn[] = "CN";
const struct chunk find_cn_chunk = {
.str = (char *)&find_cn,
.len = sizeof(find_cn)-1
};
- char *result = NULL;
+ int result = -1;
if (!ssl_sock_is_ssl(conn))
- return NULL;
+ goto out;
/* SSL_get_peer_certificate, it increase X509 * ref count */
crt = SSL_get_peer_certificate(conn->xprt_ctx);
@@ -2679,13 +2712,8 @@
if (!name)
goto out;
- cn_trash = get_trash_chunk();
- if (ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, cn_trash) <= 0)
- goto out;
- cn_trash->str[cn_trash->len] = '\0';
- result = cn_trash->str;
-
- out:
+ result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest);
+out:
if (crt)
X509_free(crt);
|
|
[-]
[+]
|
Changed |
_service:download_url:haproxy-1.5.3.tar.gz/src/stick_table.c
^
|
| @@ -601,15 +601,17 @@
* Process a fetch + format conversion as defined by the sample expression <expr>
* on request or response considering the <opt> parameter. Returns either NULL if
* no key could be extracted, or a pointer to the converted result stored in
- * static_table_key in format <table_type>.
+ * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset
+ * and its flags will be initialized so that the caller gets a copy of the input
+ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
*/
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
- unsigned int opt,
- struct sample_expr *expr)
+ unsigned int opt, struct sample_expr *expr, struct sample *smp)
{
- struct sample *smp;
+ if (smp)
+ memset(smp, 0, sizeof(*smp));
- smp = sample_process(px, l4, l7, opt, expr, NULL);
+ smp = sample_process(px, l4, l7, opt, expr, smp);
if (!smp)
return NULL;
|
