diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index a734cbcb3..49f0c0c33 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.0.0 -PKG_RELEASE:=3 +PKG_VERSION:=2.0.1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.0/src -PKG_HASH:=fe0a0d69e1091066a91b8d39199c19af8748e0e872961c6fc43c91ec7a28ff20 +PKG_HASH:=9975c475ba6f19aac4b665d8705f7b9f7911df7fc316ba7b9efd6fe263181eb1 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_MAINTAINER:=Thomas Heil , \ diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index a60529e64..1e548c6c2 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/bash CLONEURL=http://git.haproxy.org/git/haproxy-2.0.git -BASE_TAG=v2.0.0 +BASE_TAG=v2.0.1 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/haproxy/patches/000-BUG-MEDIUM-h2-htx-Update-data-length-of-the-HTX-when-the-cookie-list-is-built.patch b/net/haproxy/patches/000-BUG-MEDIUM-h2-htx-Update-data-length-of-the-HTX-when-the-cookie-list-is-built.patch deleted file mode 100644 index 6d79bf8e6..000000000 --- a/net/haproxy/patches/000-BUG-MEDIUM-h2-htx-Update-data-length-of-the-HTX-when-the-cookie-list-is-built.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 032cff38c24d8359dc575423a94d19b6ad8bf848 -Author: Christopher Faulet -Date: Mon Jun 17 11:44:47 2019 +0200 - - BUG/MEDIUM: h2/htx: Update data length of the HTX when the cookie list is built - - When an H2 request is converted into an HTX message, All cookie headers are - grouped into one, each value separated by a semicolon (;). To do so, we add the - header "cookie" with the first value and then we update the value by appending - other cookies. But during this operation, only the size of the HTX block is - updated. And not the data length of the whole HTX message. - - It is an old bug and it seems to work by chance till now. But it may lead to - undefined behaviour by time to time. - - This patch must be backported to 2.0 and 1.9 - - (cherry picked from commit 0c6de00d7c842a682bba7586ef34fb10f69ec63c) - Signed-off-by: Christopher Faulet - -diff --git a/src/h2.c b/src/h2.c -index 9681aca5..32c1ef16 100644 ---- a/src/h2.c -+++ b/src/h2.c -@@ -737,6 +737,7 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms - goto fail; - - htx_set_blk_value_len(blk, tl); -+ htx->data += vl+2; - *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';'; - *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' '; - memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl); diff --git a/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch b/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch new file mode 100644 index 000000000..36fb3e864 --- /dev/null +++ b/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch @@ -0,0 +1,81 @@ +commit 1bd140ea3fab97ccd37adf9d0c106d52af9e53fa +Author: William Lallemand +Date: Mon Jul 1 10:56:15 2019 +0200 + + BUG/MINOR: mworker/cli: don't output a \n before the response + + When using a level lower than admin on the master CLI, a \n is output + before the response, this is caused by the response of the "operator" or + "user" that are sent before the actual command. + + To fix this problem we introduce the flag APPCTX_CLI_ST1_NOLF which ask + a command response to not be followed by the final \n. + This patch made a special case with the command operator and user + followed by a - so they are not followed by \n. + + This patch must be backported to 2.0 and 1.9. + + (cherry picked from commit ad03288e6b28d816abb443cf8c6d984a72bb91a6) + Signed-off-by: William Lallemand + +diff --git a/include/types/applet.h b/include/types/applet.h +index c9e02d17..1f3a4983 100644 +--- a/include/types/applet.h ++++ b/include/types/applet.h +@@ -50,6 +50,7 @@ struct applet { + + #define APPCTX_CLI_ST1_PROMPT (1 << 0) + #define APPCTX_CLI_ST1_PAYLOAD (1 << 1) ++#define APPCTX_CLI_ST1_NOLF (1 << 2) + + /* Context of a running applet. */ + struct appctx { +diff --git a/src/cli.c b/src/cli.c +index 44ddc7bf..9a9f80f9 100644 +--- a/src/cli.c ++++ b/src/cli.c +@@ -821,7 +821,7 @@ static void cli_io_handler(struct appctx *appctx) + prompt = "\n> "; + } + else { +- if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD)) ++ if (!(appctx->st1 & (APPCTX_CLI_ST1_PAYLOAD|APPCTX_CLI_ST1_NOLF))) + prompt = "\n"; + } + +@@ -848,6 +848,8 @@ static void cli_io_handler(struct appctx *appctx) + + /* switch state back to GETREQ to read next requests */ + appctx->st0 = CLI_ST_GETREQ; ++ /* reactivate the \n at the end of the response for the next command */ ++ appctx->st1 &= ~APPCTX_CLI_ST1_NOLF; + } + } + +@@ -1442,6 +1444,10 @@ static int cli_parse_show_lvl(char **args, char *payload, struct appctx *appctx, + /* parse and set the CLI level dynamically */ + static int cli_parse_set_lvl(char **args, char *payload, struct appctx *appctx, void *private) + { ++ /* this will ask the applet to not output a \n after the command */ ++ if (!strcmp(args[1], "-")) ++ appctx->st1 |= APPCTX_CLI_ST1_NOLF; ++ + if (!strcmp(args[0], "operator")) { + if (!cli_has_level(appctx, ACCESS_LVL_OPER)) { + return 1; +@@ -2097,11 +2103,11 @@ int pcli_parse_request(struct stream *s, struct channel *req, char **errmsg, int + if (pcli_has_level(s, ACCESS_LVL_ADMIN)) { + goto end; + } else if (pcli_has_level(s, ACCESS_LVL_OPER)) { +- ci_insert_line2(req, 0, "operator", strlen("operator")); +- ret += strlen("operator") + 2; ++ ci_insert_line2(req, 0, "operator -", strlen("operator -")); ++ ret += strlen("operator -") + 2; + } else if (pcli_has_level(s, ACCESS_LVL_USER)) { +- ci_insert_line2(req, 0, "user", strlen("user")); +- ret += strlen("user") + 2; ++ ci_insert_line2(req, 0, "user -", strlen("user -")); ++ ret += strlen("user -") + 2; + } + } + end: diff --git a/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch b/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch new file mode 100644 index 000000000..a37cda56f --- /dev/null +++ b/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch @@ -0,0 +1,30 @@ +commit aa2ecea6f711f50192476b26a5b1d767108bd761 +Author: Olivier Houchard +Date: Fri Jun 28 14:10:33 2019 +0200 + + BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. + + Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however + check-alpn failed to check if the connection was indeed using SSL, and thus, + would crash if check-alpn was used on a non-SSL connection. Fix this by + making sure the connection uses SSL before attempting to set the ALPN. + + This should be backported to 2.0 and 1.9. + + (cherry picked from commit e488ea865a433d93efcb14c0c602918070c6b208) + Signed-off-by: Willy Tarreau + +diff --git a/src/ssl_sock.c b/src/ssl_sock.c +index 05240063..c9fffbec 100644 +--- a/src/ssl_sock.c ++++ b/src/ssl_sock.c +@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l + #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + struct ssl_sock_ctx *ctx = conn->xprt_ctx; + ++ if (!ssl_sock_is_ssl(conn)) ++ return; ++ + SSL_set_alpn_protos(ctx->ssl, alpn, len); + #endif + } diff --git a/net/haproxy/patches/001-BUG-MINOR-lua-htx-Make-txn-req_req_-and-txn-res_rep_-HTX-aware.patch b/net/haproxy/patches/001-BUG-MINOR-lua-htx-Make-txn-req_req_-and-txn-res_rep_-HTX-aware.patch deleted file mode 100644 index 693dd64ac..000000000 --- a/net/haproxy/patches/001-BUG-MINOR-lua-htx-Make-txn-req_req_-and-txn-res_rep_-HTX-aware.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 5a8549e68225070d0b79cbbb9c5f791e103685e7 -Author: Christopher Faulet -Date: Mon Jun 17 13:36:06 2019 +0200 - - BUG/MINOR: lua/htx: Make txn.req_req_* and txn.res_rep_* HTX aware - - These bindings were not updated to support HTX streams. - - This patch must be backported to 2.0 and 1.9. It fixes the issue #124. - - (cherry picked from commit ea418748dd22331e9798cfd8f5e25b436cd577e3) - Signed-off-by: Christopher Faulet - -diff --git a/src/hlua.c b/src/hlua.c -index 28abd083..32f0e8db 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -5375,7 +5375,13 @@ __LJMP static inline int hlua_http_rep_hdr(lua_State *L, struct hlua_txn *htxn, - if (!(re = regex_comp(reg, 1, 1, NULL))) - WILL_LJMP(luaL_argerror(L, 3, "invalid regex")); - -- http_transform_header_str(htxn->s, msg, name, name_len, value, re, action); -+ if (IS_HTX_STRM(htxn->s)) { -+ struct htx *htx = htxbuf(&msg->chn->buf); -+ -+ htx_transform_header_str(htxn->s, msg->chn, htx, ist2(name, name_len), value, re, action); -+ } -+ else -+ http_transform_header_str(htxn->s, msg, name, name_len, value, re, action); - regex_free(re); - return 0; - } diff --git a/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch b/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch new file mode 100644 index 000000000..140ec71db --- /dev/null +++ b/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch @@ -0,0 +1,35 @@ +commit 9fa93f6220a374f724491fd781d44d31f307671f +Author: Christopher Faulet +Date: Fri Jun 28 17:41:42 2019 +0200 + + BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported + + We must take care of this when the stream is detached from the + connection. Otherwise, on the server side, the connexion is inserted in the list + of idle connections of the session. But when reused, because the shutdown for + writes was already catched, nothing is sent to the server and the session is + blocked with a freezed connection. + + This patch must be backported to 2.0 and 1.9. It is related to the issue #136 + reported on Github. + + (cherry picked from commit 3ac0f43020e1cd77198020201e4e482a1c2ef8ac) + Signed-off-by: Willy Tarreau + +diff --git a/src/mux_h1.c b/src/mux_h1.c +index 3d2bd8b8..e497e6f6 100644 +--- a/src/mux_h1.c ++++ b/src/mux_h1.c +@@ -2192,9 +2192,9 @@ static void h1_detach(struct conn_stream *cs) + } + } + +- /* We don't want to close right now unless the connection is in error */ +- if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || +- (h1c->conn->flags & CO_FL_ERROR) || !h1c->conn->owner) ++ /* We don't want to close right now unless the connection is in error or shut down for writes */ ++ if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTW_NOW|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || ++ (h1c->conn->flags & (CO_FL_ERROR|CO_FL_SOCK_WR_SH)) || !h1c->conn->owner) + h1_release(h1c); + else { + tasklet_wakeup(h1c->wait_event.tasklet); diff --git a/net/haproxy/patches/002-BUG-MINOR-mux-h1-Add-the-header-connection-in-lower-case-in-outgoing-messages.patch b/net/haproxy/patches/002-BUG-MINOR-mux-h1-Add-the-header-connection-in-lower-case-in-outgoing-messages.patch deleted file mode 100644 index 73983b434..000000000 --- a/net/haproxy/patches/002-BUG-MINOR-mux-h1-Add-the-header-connection-in-lower-case-in-outgoing-messages.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit 661bfc3d0e1b7756db59d00d86e316f694cae3c6 -Author: Christopher Faulet -Date: Mon Jun 17 14:07:46 2019 +0200 - - BUG/MINOR: mux-h1: Add the header connection in lower case in outgoing messages - - When necessary, this header is directly added in outgoing messages by the H1 - multiplexer. Because there is no HTX conversion first, the header name is not - converserted to its lower case version. So, it must be added in lower case by - the multiplexer. - - This patch must be backported to 2.0 and 1.9. - - (cherry picked from commit a110ecbd843e156dd01c6ac581c735be5e240d5b) - Signed-off-by: Christopher Faulet - -diff --git a/src/mux_h1.c b/src/mux_h1.c -index 317f1a55..21deb354 100644 ---- a/src/mux_h1.c -+++ b/src/mux_h1.c -@@ -1642,7 +1642,7 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun - /* There is no "Connection:" header and - * it the conn_mode must be - * processed. So do it */ -- n = ist("Connection"); -+ n = ist("connection"); - v = ist(""); - h1_process_output_conn_mode(h1s, h1m, &v); - if (v.len) { diff --git a/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch b/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch new file mode 100644 index 000000000..d23dbdc9f --- /dev/null +++ b/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch @@ -0,0 +1,51 @@ +commit afc313e6cd4be32f3c3d212e875d4dbcef8a0c70 +Author: Willy Tarreau +Date: Mon Jul 1 07:51:29 2019 +0200 + + BUG/MEDIUM: checks: unblock signals in external checks + + As discussed in issue #140, processes are forked with signals blocked + resulting in haproxy's kill being ignored. This happens when the command + takes more time to complete than the configured check timeout or interval. + Just calling "sleep 30" every second makes the problem obvious. + + The fix simply consists in unblocking the signals in the child after the + fork. It needs to be backported to all stable branches containing external + checks and where signals are blocked on startup. It's unclear when it + started, but the following config exhibits the issue : + + global + external-check + + listen www + bind :8001 + timeout client 5s + timeout server 5s + timeout connect 5s + option external-check + external-check command "$PWD/sleep10.sh" + server local 127.0.0.1:80 check inter 200 + + $ cat sleep10.sh + #!/bin/sh + exec /bin/sleep 10 + + The "sleep" processes keep accumulating for 10 seconds and stabilize + around 25 when the bug is present. Just issuing "killall sleep" has no + effect on them, and stopping haproxy leaves these processes behind. + + (cherry picked from commit 2df8cad0fea2d1a4ca8dd58f384df3c3c3f5d7ee) + Signed-off-by: Willy Tarreau + +diff --git a/src/checks.c b/src/checks.c +index c175a752..e31eb173 100644 +--- a/src/checks.c ++++ b/src/checks.c +@@ -1997,6 +1997,7 @@ static int connect_proc_chk(struct task *t) + + environ = check->envp; + extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf))); ++ haproxy_unblock_signals(); + execvp(px->check_command, check->argv); + ha_alert("Failed to exec process for external health check: %s. Aborting.\n", + strerror(errno)); diff --git a/net/haproxy/patches/003-BUG-MEDIUM-compression-Set-Vary-Accept-Encoding-for-compressed-responses.patch b/net/haproxy/patches/003-BUG-MEDIUM-compression-Set-Vary-Accept-Encoding-for-compressed-responses.patch deleted file mode 100644 index b71741cce..000000000 --- a/net/haproxy/patches/003-BUG-MEDIUM-compression-Set-Vary-Accept-Encoding-for-compressed-responses.patch +++ /dev/null @@ -1,253 +0,0 @@ -commit eaf650083924a697cde3379703984c5e7a5ebd41 -Author: Tim Duesterhus -Date: Mon Jun 17 16:10:07 2019 +0200 - - BUG/MEDIUM: compression: Set Vary: Accept-Encoding for compressed responses - - Make HAProxy set the `Vary: Accept-Encoding` response header if it compressed - the server response. - - Technically the `Vary` header SHOULD also be set for responses that would - normally be compressed based off the current configuration, but are not due - to a missing or invalid `Accept-Encoding` request header or due to the - maximum compression rate being exceeded. - - Not setting the header in these cases does no real harm, though: An - uncompressed response might be returned by a Cache, even if a compressed - one could be retrieved from HAProxy. This increases the traffic to the end - user if the cache is unable to compress itself, but it saves another - roundtrip to HAProxy. - - see the discussion on the mailing list: https://www.mail-archive.com/haproxy@formilux.org/msg34221.html - Message-ID: 20190617121708.GA2964@1wt.eu - - A small issue remains: The User-Agent is not added to the `Vary` header, - despite being relevant to the response. Adding the User-Agent header would - make responses effectively uncacheable and it's unlikely to see a Mozilla/4 - in the wild in 2019. - - Add a reg-test to ensure the behaviour as described in this commit message. - - see issue #121 - Should be backported to all branches with compression (i.e. 1.6+). - - (cherry picked from commit 721d686bd10dc6993859f9026ad907753d1d2064) - Signed-off-by: Christopher Faulet - -diff --git a/reg-tests/compression/vary.vtc b/reg-tests/compression/vary.vtc -new file mode 100644 -index 00000000..0a060e4b ---- /dev/null -+++ b/reg-tests/compression/vary.vtc -@@ -0,0 +1,187 @@ -+varnishtest "Compression sets Vary header" -+ -+#REQUIRE_VERSION=1.9 -+#REQUIRE_OPTION=ZLIB|SLZ -+ -+feature ignore_unknown_macro -+ -+server s1 { -+ rxreq -+ expect req.url == "/plain/accept-encoding-gzip" -+ expect req.http.accept-encoding == "gzip" -+ txresp \ -+ -hdr "Content-Type: text/plain" \ -+ -bodylen 100 -+ -+ rxreq -+ expect req.url == "/plain/accept-encoding-invalid" -+ expect req.http.accept-encoding == "invalid" -+ txresp \ -+ -hdr "Content-Type: text/plain" \ -+ -bodylen 100 -+ -+ rxreq -+ expect req.url == "/plain/accept-encoding-null" -+ expect req.http.accept-encoding == "" -+ txresp \ -+ -hdr "Content-Type: text/plain" \ -+ -bodylen 100 -+ -+ rxreq -+ expect req.url == "/html/accept-encoding-gzip" -+ expect req.http.accept-encoding == "gzip" -+ txresp \ -+ -hdr "Content-Type: text/html" \ -+ -bodylen 100 -+ -+ rxreq -+ expect req.url == "/html/accept-encoding-invalid" -+ expect req.http.accept-encoding == "invalid" -+ txresp \ -+ -hdr "Content-Type: text/html" \ -+ -bodylen 100 -+ -+ -+ rxreq -+ expect req.url == "/html/accept-encoding-null" -+ expect req.http.accept-encoding == "" -+ txresp \ -+ -hdr "Content-Type: text/html" \ -+ -bodylen 100 -+ -+ rxreq -+ expect req.url == "/dup-etag/accept-encoding-gzip" -+ expect req.http.accept-encoding == "gzip" -+ txresp \ -+ -hdr "Content-Type: text/plain" \ -+ -hdr "ETag: \"123\"" \ -+ -hdr "ETag: \"123\"" \ -+ -bodylen 100 -+} -repeat 2 -start -+ -+ -+haproxy h1 -conf { -+ defaults -+ mode http -+ ${no-htx} option http-use-htx -+ timeout connect 1s -+ timeout client 1s -+ timeout server 1s -+ -+ frontend fe-gzip -+ bind "fd@${fe_gzip}" -+ default_backend be-gzip -+ -+ backend be-gzip -+ compression algo gzip -+ compression type text/plain -+ server www ${s1_addr}:${s1_port} -+ -+ frontend fe-nothing -+ bind "fd@${fe_nothing}" -+ default_backend be-nothing -+ -+ backend be-nothing -+ server www ${s1_addr}:${s1_port} -+} -start -+ -+client c1 -connect ${h1_fe_gzip_sock} { -+ txreq -url "/plain/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.content-encoding == "gzip" -+ expect resp.http.vary == "Accept-Encoding" -+ gunzip -+ expect resp.bodylen == 100 -+ -+ txreq -url "/plain/accept-encoding-invalid" \ -+ -hdr "Accept-Encoding: invalid" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/plain/accept-encoding-null" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-invalid" \ -+ -hdr "Accept-Encoding: invalid" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-null" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/dup-etag/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+} -run -+ -+# This Client duplicates c1, against the "nothing" frontend, ensuring no Vary header is ever set. -+client c2 -connect ${h1_fe_nothing_sock} { -+ txreq -url "/plain/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/plain/accept-encoding-invalid" \ -+ -hdr "Accept-Encoding: invalid" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/plain/accept-encoding-null" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-invalid" \ -+ -hdr "Accept-Encoding: invalid" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/html/accept-encoding-null" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+ -+ txreq -url "/dup-etag/accept-encoding-gzip" \ -+ -hdr "Accept-Encoding: gzip" -+ rxresp -+ expect resp.status == 200 -+ expect resp.http.vary == "" -+ expect resp.bodylen == 100 -+} -run -diff --git a/src/flt_http_comp.c b/src/flt_http_comp.c -index b04dcd14..37f237fe 100644 ---- a/src/flt_http_comp.c -+++ b/src/flt_http_comp.c -@@ -523,6 +523,9 @@ http_set_comp_reshdr(struct comp_state *st, struct stream *s, struct http_msg *m - } - } - -+ if (http_header_add_tail2(msg, &txn->hdr_idx, "Vary: Accept-Encoding", 21) < 0) -+ goto error; -+ - return 1; - - error: -@@ -577,6 +580,9 @@ htx_set_comp_reshdr(struct comp_state *st, struct stream *s, struct http_msg *ms - } - } - -+ if (!http_add_header(htx, ist("Vary"), ist("Accept-Encoding"))) -+ goto error; -+ - return 1; - - error: diff --git a/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch b/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch new file mode 100644 index 000000000..2e1640196 --- /dev/null +++ b/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch @@ -0,0 +1,48 @@ +commit 52131680c42ddbfa6f2b5d109ffc79c28f44e42a +Author: Christopher Faulet +Date: Thu Jun 27 17:40:14 2019 +0200 + + BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages + + Unlike H1, H2 messages may contains trailers while the header "Content-Length" + is set. Indeed, because of the framed structure of HTTP/2, it is no longer + necessary to use the chunked transfer encoding. So Trailing HEADERS frames, + after all DATA frames, may be added on messages with an explicit content length. + + But in H1, it is impossible to have trailers on non-chunked messages. So when + outgoing messages are formatted by the H1 multiplexer, if the message is not + chunked, all trailers must be dropped. + + This patch must be backported to 2.0 and 1.9. However, the patch will have to be + adapted for the 1.9. + + (cherry picked from commit 5433a0b0215c791b4165bddd360a254fa141c6e9) + Signed-off-by: Christopher Faulet + +diff --git a/src/mux_h1.c b/src/mux_h1.c +index e497e6f6..e7d769b4 100644 +--- a/src/mux_h1.c ++++ b/src/mux_h1.c +@@ -1696,7 +1696,9 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun + goto done; + } + else if (type == HTX_BLK_EOT || type == HTX_BLK_TLR) { +- if (!chunk_memcat(&tmp, "0\r\n", 3)) ++ /* If the message is not chunked, never ++ * add the last chunk. */ ++ if ((h1m->flags & H1_MF_CHNK) && !chunk_memcat(&tmp, "0\r\n", 3)) + goto copy; + goto trailers; + } +@@ -1715,6 +1717,11 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun + goto error; + trailers: + h1m->state = H1_MSG_TRAILERS; ++ /* If the message is not chunked, ignore ++ * trailers. It may happen with H2 messages. */ ++ if (!(h1m->flags & H1_MF_CHNK)) ++ break; ++ + if (type == HTX_BLK_EOT) { + if (!chunk_memcat(&tmp, "\r\n", 2)) + goto copy; diff --git a/net/haproxy/patches/004-MINOR-htx-Add-the-function-htx_change_blk_value_len.patch b/net/haproxy/patches/004-MINOR-htx-Add-the-function-htx_change_blk_value_len.patch deleted file mode 100644 index 7c308f762..000000000 --- a/net/haproxy/patches/004-MINOR-htx-Add-the-function-htx_change_blk_value_len.patch +++ /dev/null @@ -1,66 +0,0 @@ -commit 8d09dc21dc913d1540d07d1019a51c430317eae1 -Author: Christopher Faulet -Date: Tue Jun 18 09:37:00 2019 +0200 - - MINOR: htx: Add the function htx_change_blk_value_len() - - As its name suggest, this function change the value length of a block. But it - also update the HTX message accordingly. It simplifies the HTX API. The function - htx_set_blk_value_len() is still available and must be used with caution because - this one does not update the HTX message. It just updates the HTX block. It - should be considered as an internal function. When possible, - htx_change_blk_value_len() should be used instead. - - This function is used to fix a bug affecting the 2.0. So, this patch must be - backported to 2.0. - - (cherry picked from commit bb0efcdd293de33607a6eba075971b49857375e2) - Signed-off-by: Christopher Faulet - -diff --git a/include/common/htx.h b/include/common/htx.h -index 9631c618..7d15365a 100644 ---- a/include/common/htx.h -+++ b/include/common/htx.h -@@ -470,7 +470,41 @@ static inline struct htx_blk *htx_get_next_blk(const struct htx *htx, - } - - /* Changes the size of the value. It is the caller responsibility to change the -- * value itself, make sure there is enough space and update allocated value. -+ * value itself, make sure there is enough space and update allocated -+ * value. This function updates the HTX message accordingly. -+ */ -+static inline void htx_change_blk_value_len(struct htx *htx, struct htx_blk *blk, uint32_t newlen) -+{ -+ enum htx_blk_type type = htx_get_blk_type(blk); -+ uint32_t oldlen, sz; -+ int32_t delta; -+ -+ sz = htx_get_blksz(blk); -+ switch (type) { -+ case HTX_BLK_HDR: -+ case HTX_BLK_TLR: -+ oldlen = (blk->info >> 8) & 0xfffff; -+ blk->info = (type << 28) + (newlen << 8) + (blk->info & 0xff); -+ break; -+ default: -+ oldlen = blk->info & 0xfffffff; -+ blk->info = (type << 28) + newlen; -+ break; -+ } -+ -+ /* Update HTTP message */ -+ delta = (newlen - oldlen); -+ htx->data += delta; -+ if (blk->addr+sz == htx->tail_addr) -+ htx->tail_addr += delta; -+ else if (blk->addr+sz == htx->head_addr) -+ htx->head_addr += delta; -+} -+ -+/* Changes the size of the value. It is the caller responsibility to change the -+ * value itself, make sure there is enough space and update allocated -+ * value. Unlike the function htx_change_blk_value_len(), this one does not -+ * update the HTX message. So it should be used with caution. - */ - static inline void htx_set_blk_value_len(struct htx_blk *blk, uint32_t vlen) - { diff --git a/net/haproxy/patches/005-BUG-MEDIUM-htx-Fully-update-HTX-message-when-the-block-value-is-changed.patch b/net/haproxy/patches/005-BUG-MEDIUM-htx-Fully-update-HTX-message-when-the-block-value-is-changed.patch deleted file mode 100644 index 5a9fda464..000000000 --- a/net/haproxy/patches/005-BUG-MEDIUM-htx-Fully-update-HTX-message-when-the-block-value-is-changed.patch +++ /dev/null @@ -1,133 +0,0 @@ -commit 41dc8432f87622145390dc1b1467a5ee14ba184c -Author: Christopher Faulet -Date: Tue Jun 18 09:49:16 2019 +0200 - - BUG/MEDIUM: htx: Fully update HTX message when the block value is changed - - Everywhere the value length of a block is changed, calling the function - htx_set_blk_value_len(), the HTX message must be updated. But at many places, - because of the recent changes in the HTX structure, this update was only - partially done. tail_addr and head_addr values were not systematically updated. - - In fact, the function htx_set_blk_value_len() was designed as an internal - function to the HTX API. And we used it from outside by convenience. But it is - really painfull and error prone to let the caller update the HTX message. So - now, we use the function htx_change_blk_value_len() wherever is possible. It - changes the value length of a block and updates the HTX message accordingly. - - This patch must be backported to 2.0. - - (cherry picked from commit 3e2638ee04407a1d9e9376f0c518f67fca7deaa4) - Signed-off-by: Christopher Faulet - -diff --git a/src/h2.c b/src/h2.c -index 32c1ef16..990d602b 100644 ---- a/src/h2.c -+++ b/src/h2.c -@@ -736,8 +736,7 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms - if (tl > fs) - goto fail; - -- htx_set_blk_value_len(blk, tl); -- htx->data += vl+2; -+ htx_change_blk_value_len(htx, blk, tl); - *(char *)(htx_get_blk_ptr(htx, blk) + bs + 0) = ';'; - *(char *)(htx_get_blk_ptr(htx, blk) + bs + 1) = ' '; - memcpy(htx_get_blk_ptr(htx, blk) + bs + 2, list[ck].v.ptr, vl); -diff --git a/src/http_htx.c b/src/http_htx.c -index 7322b337..bc26e5ba 100644 ---- a/src/http_htx.c -+++ b/src/http_htx.c -@@ -461,10 +461,7 @@ int http_remove_header(struct htx *htx, struct http_hdr_ctx *ctx) - } - /* Update the block content and its len */ - memmove(start, start+len, v.len-len); -- htx_set_blk_value_len(blk, v.len-len); -- -- /* Update HTX msg */ -- htx->data -= len; -+ htx_change_blk_value_len(htx, blk, v.len-len); - - /* Finally update the ctx */ - ctx->value.ptr = start; -diff --git a/src/htx.c b/src/htx.c -index bfd136f4..81492598 100644 ---- a/src/htx.c -+++ b/src/htx.c -@@ -406,15 +406,8 @@ void htx_truncate(struct htx *htx, uint32_t offset) - offset -= sz; - continue; - } -- if (type == HTX_BLK_DATA) { -- htx_set_blk_value_len(blk, offset); -- htx->data -= (sz - offset); -- -- if (blk->addr+sz == htx->tail_addr) -- htx->tail_addr -= offset; -- else if (blk->addr+sz == htx->head_addr) -- htx->head_addr -= offset; -- } -+ if (type == HTX_BLK_DATA) -+ htx_change_blk_value_len(htx, blk, offset); - offset = 0; - } - while (blk) -@@ -522,14 +515,7 @@ struct htx_blk *htx_add_data_atonce(struct htx *htx, struct ist data) - /* Append data and update the block itself */ - ptr = htx_get_blk_ptr(htx, tailblk); - memcpy(ptr+sz, data.ptr, len); -- htx_set_blk_value_len(tailblk, sz+len); -- -- /* Update HTTP message */ -- htx->data += len; -- if (tailblk->addr+sz == htx->tail_addr) -- htx->tail_addr += len; -- else if (tailblk->addr+sz == htx->head_addr) -- htx->head_addr += len; -+ htx_change_blk_value_len(htx, tailblk, sz+len); - - if (data.len == len) { - blk = tailblk; -@@ -988,14 +974,7 @@ size_t htx_add_data(struct htx *htx, const struct ist data) - /* Append data and update the block itself */ - ptr = htx_get_blk_ptr(htx, tailblk); - memcpy(ptr + sz, data.ptr, len); -- htx_set_blk_value_len(tailblk, sz + len); -- -- /* Update HTTP message */ -- htx->data += len; -- if (tailblk->addr+sz == htx->tail_addr) -- htx->tail_addr += len; -- else if (tailblk->addr+sz == htx->head_addr) -- htx->head_addr += len; -+ htx_change_blk_value_len(htx, tailblk, sz+len); - - BUG_ON((int32_t)htx->tail_addr < 0); - BUG_ON((int32_t)htx->head_addr < 0); -diff --git a/src/proto_htx.c b/src/proto_htx.c -index 7f501366..d821e38c 100644 ---- a/src/proto_htx.c -+++ b/src/proto_htx.c -@@ -4314,10 +4314,8 @@ static void htx_manage_client_side_cookies(struct stream *s, struct channel *req - hdr_end = (preserve_hdr ? del_from : hdr_beg); - } - if ((hdr_end - hdr_beg) != ctx.value.len) { -- if (hdr_beg != hdr_end) { -- htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg); -- htx->data -= ctx.value.len - (hdr_end - hdr_beg); -- } -+ if (hdr_beg != hdr_end) -+ htx_change_blk_value_len(htx, ctx.blk, hdr_end - hdr_beg); - else - http_remove_header(htx, &ctx); - } -@@ -4495,8 +4493,7 @@ static void htx_manage_server_side_cookies(struct stream *s, struct channel *res - next += stripped_before; - hdr_end += stripped_before; - -- htx_set_blk_value_len(ctx.blk, hdr_end - hdr_beg); -- htx->data -= ctx.value.len - (hdr_end - hdr_beg); -+ htx_change_blk_value_len(htx, ctx.blk, hdr_end - hdr_beg); - ctx.value.len = hdr_end - hdr_beg; - } - diff --git a/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch b/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch new file mode 100644 index 000000000..d1619601c --- /dev/null +++ b/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch @@ -0,0 +1,27 @@ +commit 33d58b51e0f1bf68603aa86c9125ae75d6964454 +Author: Christopher Faulet +Date: Mon Jul 1 16:17:30 2019 +0200 + + BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses + + HEAD responses must not have any body payload. But, because of a bug, for chunk + reponses, the empty chunk was always added. + + This patch fixes the Github issue #146. It must be backported to 2.0 and 1.9. + + (cherry picked from commit b8fc304e8f996f0d9835e4d6524ef8961d3be076) + Signed-off-by: Christopher Faulet + +diff --git a/src/mux_h1.c b/src/mux_h1.c +index e7d769b4..37cc8252 100644 +--- a/src/mux_h1.c ++++ b/src/mux_h1.c +@@ -1682,6 +1682,8 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun + h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); + h1s->flags &= ~H1S_F_HAVE_O_CONN; + } ++ else if ((h1m->flags & H1_MF_RESP) && h1s->meth == HTTP_METH_HEAD) ++ h1m->state = H1_MSG_DONE; + else + h1m->state = H1_MSG_DATA; + break; diff --git a/net/haproxy/patches/006-BUG-MEDIUM-mux-h2-Reset-padlen-when-several-frames-are-demux.patch b/net/haproxy/patches/006-BUG-MEDIUM-mux-h2-Reset-padlen-when-several-frames-are-demux.patch deleted file mode 100644 index 3a18eeeb8..000000000 --- a/net/haproxy/patches/006-BUG-MEDIUM-mux-h2-Reset-padlen-when-several-frames-are-demux.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit 3d574a587dc3704e93bcd29b16d54d96069667b4 -Author: Christopher Faulet -Date: Tue Jun 18 12:22:38 2019 +0200 - - BUG/MEDIUM: mux-h2: Reset padlen when several frames are demux - - In the function h2_process_demux(), if several frames are parsed, the padding - length must be reset between each frame. Otherwise we may wrongly think a frame - has a padding block because the previous one was padded. - - This patch must be backported to 2.0 and 1.9. - - (cherry picked from commit dd2a5620d594523cd515a629e105a9a2b64345bb) - Signed-off-by: Christopher Faulet - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index d02168df..c06d5d68 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -2316,6 +2316,7 @@ static void h2_process_demux(struct h2c *h2c) - break; - } - -+ padlen = 0; - if (h2_ft_bit(hdr.ft) & H2_FT_PADDED_MASK && hdr.ff & H2_F_PADDED) { - /* If the frame is padded (HEADERS, PUSH_PROMISE or DATA), - * we read the pad length and drop it from the remaining diff --git a/net/haproxy/patches/010-add-uclibc-support.patch b/net/haproxy/patches/006-OPENWRT-add-uclibc-support.patch similarity index 100% rename from net/haproxy/patches/010-add-uclibc-support.patch rename to net/haproxy/patches/006-OPENWRT-add-uclibc-support.patch diff --git a/net/haproxy/patches/007-BUG-MEDIUM-mux-h2-Remove-the-padding-length-when-a-DATA-frame-size-is-checked.patch b/net/haproxy/patches/007-BUG-MEDIUM-mux-h2-Remove-the-padding-length-when-a-DATA-frame-size-is-checked.patch deleted file mode 100644 index d23f66fc3..000000000 --- a/net/haproxy/patches/007-BUG-MEDIUM-mux-h2-Remove-the-padding-length-when-a-DATA-frame-size-is-checked.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit 4fb65f421b4d650711e5d8b9dbcbf4bf589d26cc -Author: Christopher Faulet -Date: Wed Jun 19 09:25:58 2019 +0200 - - BUG/MEDIUM: mux-h2: Remove the padding length when a DATA frame size is checked - - When a DATA frame is processed for a message with a content-length, we first - take care to not have a frame size that exceeds the remaining to - read. Otherwise, an error is triggered. But we must remove the padding length - from the frame size because the padding is not included in the announced - content-length. - - This patch must be backported to 2.0 and 1.9. - - (cherry picked from commit 4f09ec812adbd9336cddc054660a7fb5cd54b459) - Signed-off-by: Christopher Faulet - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index c06d5d68..5bb85181 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -2177,7 +2177,7 @@ static int h2c_frt_handle_data(struct h2c *h2c, struct h2s *h2s) - goto strm_err; - } - -- if ((h2s->flags & H2_SF_DATA_CLEN) && h2c->dfl > h2s->body_len) { -+ if ((h2s->flags & H2_SF_DATA_CLEN) && (h2c->dfl - h2c->dpl) > h2s->body_len) { - /* RFC7540#8.1.2 */ - error = H2_ERR_PROTOCOL_ERROR; - goto strm_err; diff --git a/net/haproxy/patches/020-openssl-deprecated.patch b/net/haproxy/patches/007-OPENWRT-openssl-deprecated.patch similarity index 100% rename from net/haproxy/patches/020-openssl-deprecated.patch rename to net/haproxy/patches/007-OPENWRT-openssl-deprecated.patch diff --git a/net/haproxy/patches/008-BUG-MEDIUM-lb_fwlc-Dont-test-the-servers-lb_tree-from-outside-the-lock.patch b/net/haproxy/patches/008-BUG-MEDIUM-lb_fwlc-Dont-test-the-servers-lb_tree-from-outside-the-lock.patch deleted file mode 100644 index 129c0b7d4..000000000 --- a/net/haproxy/patches/008-BUG-MEDIUM-lb_fwlc-Dont-test-the-servers-lb_tree-from-outside-the-lock.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 3f0b1de623d09f8668db34c1be696f7245de7d50 -Author: Christopher Faulet -Date: Wed Jun 19 10:50:38 2019 +0200 - - BUG/MEDIUM: lb_fwlc: Don't test the server's lb_tree from outside the lock - - In the function fwlc_srv_reposition(), the server's lb_tree is tested from - outside the lock. So it is possible to remove it after the test and then call - eb32_insert() in fwlc_queue_srv() with a NULL root pointer, which is - invalid. Moving the test in the scope of the lock fixes the bug. - - This issue was reported on Github, issue #126. - - This patch must be backported to 2.0, 1.9 and 1.8. - - (cherry picked from commit 1ae2a8878170ded922f2c4d32b6704af7689bbfd) - Signed-off-by: Christopher Faulet - -diff --git a/src/lb_fwlc.c b/src/lb_fwlc.c -index 174dc67e..5fa81739 100644 ---- a/src/lb_fwlc.c -+++ b/src/lb_fwlc.c -@@ -66,12 +66,11 @@ static inline void fwlc_queue_srv(struct server *s) - */ - static void fwlc_srv_reposition(struct server *s) - { -- if (!s->lb_tree) -- return; -- - HA_SPIN_LOCK(LBPRM_LOCK, &s->proxy->lbprm.lock); -- fwlc_dequeue_srv(s); -- fwlc_queue_srv(s); -+ if (s->lb_tree) { -+ fwlc_dequeue_srv(s); -+ fwlc_queue_srv(s); -+ } - HA_SPIN_UNLOCK(LBPRM_LOCK, &s->proxy->lbprm.lock); - } - diff --git a/net/haproxy/patches/009-BUG-MAJOR-sample-Wrong-stick-table-name-parsing-in-if-unless-ACL-condition.patch b/net/haproxy/patches/009-BUG-MAJOR-sample-Wrong-stick-table-name-parsing-in-if-unless-ACL-condition.patch deleted file mode 100644 index 66b5f1aec..000000000 --- a/net/haproxy/patches/009-BUG-MAJOR-sample-Wrong-stick-table-name-parsing-in-if-unless-ACL-condition.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 9eae8935663bc0b27c23018e8cc24ae9a3e31732 -Author: Frédéric Lécaille -Date: Thu Jun 20 09:31:04 2019 +0200 - - BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL condition. - - This bug was introduced by 1b8e68e commit which supposed the stick-table was always - stored in struct arg at parsing time. This is never the case with the usage of - "if/unless" conditions in stick-table declared as backends. In this case, this is - the name of the proxy which must be considered as the stick-table name. - - This must be backported to 2.0. - - (cherry picked from commit 9417f4534ad742eda35c4cc3d1ccb390f75ea4b1) - Signed-off-by: Willy Tarreau - -diff --git a/src/sample.c b/src/sample.c -index 67f59e84..77ec9b1e 100644 ---- a/src/sample.c -+++ b/src/sample.c -@@ -1245,15 +1245,11 @@ int smp_resolve_args(struct proxy *p) - break; - - case ARGT_TAB: -- if (!arg->data.str.data) { -- ha_alert("parsing [%s:%d] : missing table name in arg %d of %s%s%s%s '%s' %s proxy '%s'.\n", -- cur->file, cur->line, -- cur->arg_pos + 1, conv_pre, conv_ctx, conv_pos, ctx, cur->kw, where, p->id); -- cfgerr++; -- continue; -- } -+ if (arg->data.str.data) -+ stktname = arg->data.str.area; -+ else -+ stktname = px->id; - -- stktname = arg->data.str.area; - t = stktable_find_by_name(stktname); - if (!t) { - ha_alert("parsing [%s:%d] : unable to find table '%s' referenced in arg %d of %s%s%s%s '%s' %s proxy '%s'.\n",