haproxy: Update HAProxy to v2.0.3

- Update haproxy download URL and hash - Add new patches Signed-off-by: Christian Lachner <gladiac@gmail.com>
5 years ago · e7faabcf11
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@ -10,12 +10,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=haproxy
 PKG_VERSION:=2.0.1
 PKG_VERSION:=2.0.3
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/2.0/src
 PKG_HASH:=9975c475ba6f19aac4b665d8705f7b9f7911df7fc316ba7b9efd6fe263181eb1
 PKG_HASH:=aac1ff3e5079997985b6560f46bf265447d0cd841f11c4d77f15942c9fe4b770
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)

 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>, \
--- a/net/haproxy/get-latest-patches.sh
+++ b/net/haproxy/get-latest-patches.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 CLONEURL=http://git.haproxy.org/git/haproxy-2.0.git
 BASE_TAG=v2.0.1
 BASE_TAG=v2.0.3
 TMP_REPODIR=tmprepo
 PATCHESDIR=patches

--- a/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch
+++ b/net/haproxy/patches/000-BUG-MINOR-mworker-cli-dont-output-a-n-before-the-response.patch
@ -1,81 +0,0 @@
 commit 1bd140ea3fab97ccd37adf9d0c106d52af9e53fa
 Author: William Lallemand <wlallemand@haproxy.com>
 Date:   Mon Jul 1 10:56:15 2019 +0200

    BUG/MINOR: mworker/cli: don't output a \n before the response
    
    When using a level lower than admin on the master CLI, a \n is output
    before the response, this is caused by the response of the "operator" or
    "user" that are sent before the actual command.
    
    To fix this problem we introduce the flag APPCTX_CLI_ST1_NOLF which ask
    a command response to not be followed by the final \n.
    This patch made a special case with the command operator and user
    followed by a - so they are not followed by \n.
    
    This patch must be backported to 2.0 and 1.9.
    
    (cherry picked from commit ad03288e6b28d816abb443cf8c6d984a72bb91a6)
    Signed-off-by: William Lallemand <wlallemand@haproxy.org>

 diff --git a/include/types/applet.h b/include/types/applet.h
 index c9e02d17..1f3a4983 100644
 --- a/include/types/applet.h
 +++ b/include/types/applet.h
@@ -50,6 +50,7 @@ struct applet {
 
 #define APPCTX_CLI_ST1_PROMPT  (1 << 0)
 #define APPCTX_CLI_ST1_PAYLOAD (1 << 1)
 +#define APPCTX_CLI_ST1_NOLF    (1 << 2)
 
 /* Context of a running applet. */
 struct appctx {
 diff --git a/src/cli.c b/src/cli.c
 index 44ddc7bf..9a9f80f9 100644
 --- a/src/cli.c
 +++ b/src/cli.c
@@ -821,7 +821,7 @@ static void cli_io_handler(struct appctx *appctx)
 						prompt = "\n> ";
 				}
 				else {
 -					if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD))
 +					if (!(appctx->st1 & (APPCTX_CLI_ST1_PAYLOAD|APPCTX_CLI_ST1_NOLF)))
 						prompt = "\n";
 				}
 
@@ -848,6 +848,8 @@ static void cli_io_handler(struct appctx *appctx)
 
 			/* switch state back to GETREQ to read next requests */
 			appctx->st0 = CLI_ST_GETREQ;
 +			/* reactivate the \n at the end of the response for the next command */
 +			appctx->st1 &= ~APPCTX_CLI_ST1_NOLF;
 		}
 	}
 
@@ -1442,6 +1444,10 @@ static int cli_parse_show_lvl(char **args, char *payload, struct appctx *appctx,
 /* parse and set the CLI level dynamically */
 static int cli_parse_set_lvl(char **args, char *payload, struct appctx *appctx, void *private)
 {
 +	/* this will ask the applet to not output a \n after the command */
 +	if (!strcmp(args[1], "-"))
 +	    appctx->st1 |= APPCTX_CLI_ST1_NOLF;
 +
 	if (!strcmp(args[0], "operator")) {
 		if (!cli_has_level(appctx, ACCESS_LVL_OPER)) {
 			return 1;
@@ -2097,11 +2103,11 @@ int pcli_parse_request(struct stream *s, struct channel *req, char **errmsg, int
 		if (pcli_has_level(s, ACCESS_LVL_ADMIN)) {
 			goto end;
 		} else if (pcli_has_level(s, ACCESS_LVL_OPER)) {
 -			ci_insert_line2(req, 0, "operator", strlen("operator"));
 -			ret += strlen("operator") + 2;
 +			ci_insert_line2(req, 0, "operator -", strlen("operator -"));
 +			ret += strlen("operator -") + 2;
 		} else if (pcli_has_level(s, ACCESS_LVL_USER)) {
 -			ci_insert_line2(req, 0, "user", strlen("user"));
 -			ret += strlen("user") + 2;
 +			ci_insert_line2(req, 0, "user -", strlen("user -"));
 +			ret += strlen("user -") + 2;
 		}
 	}
 end:
--- a/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch
+++ b/net/haproxy/patches/000-OPENWRT-add-uclibc-support.patch
--- a/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch
+++ b/net/haproxy/patches/001-BUG-MEDIUM-ssl-Dont-attempt-to-set-alpn-if-were-not-using-SSL.patch
@ -1,30 +0,0 @@
 commit aa2ecea6f711f50192476b26a5b1d767108bd761
 Author: Olivier Houchard <ohouchard@haproxy.com>
 Date:   Fri Jun 28 14:10:33 2019 +0200

    BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL.
    
    Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however
    check-alpn failed to check if the connection was indeed using SSL, and thus,
    would crash if check-alpn was used on a non-SSL connection. Fix this by
    making sure the connection uses SSL before attempting to set the ALPN.
    
    This should be backported to 2.0 and 1.9.
    
    (cherry picked from commit e488ea865a433d93efcb14c0c602918070c6b208)
    Signed-off-by: Willy Tarreau <w@1wt.eu>

 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index 05240063..c9fffbec 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 	struct ssl_sock_ctx *ctx = conn->xprt_ctx;
 
 +	if (!ssl_sock_is_ssl(conn))
 +		return;
 +
 	SSL_set_alpn_protos(ctx->ssl, alpn, len);
 #endif
 }
--- a/net/haproxy/patches/001-OPENWRT-openssl-deprecated.patch
+++ b/net/haproxy/patches/001-OPENWRT-openssl-deprecated.patch
--- a/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch
+++ b/net/haproxy/patches/002-BUG-MEDIUM-mux-h1-Always-release-H1C-if-a-shutdown-for-writes-was-reported.patch
@ -1,35 +0,0 @@
 commit 9fa93f6220a374f724491fd781d44d31f307671f
 Author: Christopher Faulet <cfaulet@haproxy.com>
 Date:   Fri Jun 28 17:41:42 2019 +0200

    BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported
    
    We must take care of this when the stream is detached from the
    connection. Otherwise, on the server side, the connexion is inserted in the list
    of idle connections of the session. But when reused, because the shutdown for
    writes was already catched, nothing is sent to the server and the session is
    blocked with a freezed connection.
    
    This patch must be backported to 2.0 and 1.9. It is related to the issue #136
    reported on Github.
    
    (cherry picked from commit 3ac0f43020e1cd77198020201e4e482a1c2ef8ac)
    Signed-off-by: Willy Tarreau <w@1wt.eu>

 diff --git a/src/mux_h1.c b/src/mux_h1.c
 index 3d2bd8b8..e497e6f6 100644
 --- a/src/mux_h1.c
 +++ b/src/mux_h1.c
@@ -2192,9 +2192,9 @@ static void h1_detach(struct conn_stream *cs)
 		}
 	}
 
 -	/* We don't want to close right now unless the connection is in error */
 -	if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) ||
 -	    (h1c->conn->flags & CO_FL_ERROR) || !h1c->conn->owner)
 +	/* We don't want to close right now unless the connection is in error or shut down for writes */
 +	if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTW_NOW|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) ||
 +	    (h1c->conn->flags & (CO_FL_ERROR|CO_FL_SOCK_WR_SH)) || !h1c->conn->owner)
 		h1_release(h1c);
 	else {
 		tasklet_wakeup(h1c->wait_event.tasklet);
--- a/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch
+++ b/net/haproxy/patches/003-BUG-MEDIUM-checks-unblock-signals-in-external-checks.patch
@ -1,51 +0,0 @@
 commit afc313e6cd4be32f3c3d212e875d4dbcef8a0c70
 Author: Willy Tarreau <w@1wt.eu>
 Date:   Mon Jul 1 07:51:29 2019 +0200

    BUG/MEDIUM: checks: unblock signals in external checks
    
    As discussed in issue #140, processes are forked with signals blocked
    resulting in haproxy's kill being ignored. This happens when the command
    takes more time to complete than the configured check timeout or interval.
    Just calling "sleep 30" every second makes the problem obvious.
    
    The fix simply consists in unblocking the signals in the child after the
    fork. It needs to be backported to all stable branches containing external
    checks and where signals are blocked on startup. It's unclear when it
    started, but the following config exhibits the issue :
    
      global
        external-check
    
      listen www
        bind :8001
        timeout client 5s
        timeout server 5s
        timeout connect 5s
        option external-check
        external-check command "$PWD/sleep10.sh"
        server local 127.0.0.1:80 check inter 200
    
      $ cat sleep10.sh
      #!/bin/sh
      exec /bin/sleep 10
    
    The "sleep" processes keep accumulating for 10 seconds and stabilize
    around 25 when the bug is present. Just issuing "killall sleep" has no
    effect on them, and stopping haproxy leaves these processes behind.
    
    (cherry picked from commit 2df8cad0fea2d1a4ca8dd58f384df3c3c3f5d7ee)
    Signed-off-by: Willy Tarreau <w@1wt.eu>

 diff --git a/src/checks.c b/src/checks.c
 index c175a752..e31eb173 100644
 --- a/src/checks.c
 +++ b/src/checks.c
@@ -1997,6 +1997,7 @@ static int connect_proc_chk(struct task *t)
 
 		environ = check->envp;
 		extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf)));
 +		haproxy_unblock_signals();
 		execvp(px->check_command, check->argv);
 		ha_alert("Failed to exec process for external health check: %s. Aborting.\n",
 			 strerror(errno));
--- a/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch
+++ b/net/haproxy/patches/004-BUG-MINOR-mux-h1-Skip-trailers-for-non-chunked-outgoing-messages.patch
@ -1,48 +0,0 @@
 commit 52131680c42ddbfa6f2b5d109ffc79c28f44e42a
 Author: Christopher Faulet <cfaulet@haproxy.com>
 Date:   Thu Jun 27 17:40:14 2019 +0200

    BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages
    
    Unlike H1, H2 messages may contains trailers while the header "Content-Length"
    is set. Indeed, because of the framed structure of HTTP/2, it is no longer
    necessary to use the chunked transfer encoding. So Trailing HEADERS frames,
    after all DATA frames, may be added on messages with an explicit content length.
    
    But in H1, it is impossible to have trailers on non-chunked messages. So when
    outgoing messages are formatted by the H1 multiplexer, if the message is not
    chunked, all trailers must be dropped.
    
    This patch must be backported to 2.0 and 1.9. However, the patch will have to be
    adapted for the 1.9.
    
    (cherry picked from commit 5433a0b0215c791b4165bddd360a254fa141c6e9)
    Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

 diff --git a/src/mux_h1.c b/src/mux_h1.c
 index e497e6f6..e7d769b4 100644
 --- a/src/mux_h1.c
 +++ b/src/mux_h1.c
@@ -1696,7 +1696,9 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
 					goto done;
 				}
 				else if (type == HTX_BLK_EOT || type == HTX_BLK_TLR) {
 -					if (!chunk_memcat(&tmp, "0\r\n", 3))
 +					/* If the message is not chunked, never
 +					 * add the last chunk. */
 +					if ((h1m->flags & H1_MF_CHNK) && !chunk_memcat(&tmp, "0\r\n", 3))
 						goto copy;
 					goto trailers;
 				}
@@ -1715,6 +1717,11 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
 					goto error;
 			  trailers:
 				h1m->state = H1_MSG_TRAILERS;
 +				/* If the message is not chunked, ignore
 +				 * trailers. It may happen with H2 messages. */
 +				if (!(h1m->flags & H1_MF_CHNK))
 +					break;
 +
 				if (type == HTX_BLK_EOT) {
 					if (!chunk_memcat(&tmp, "\r\n", 2))
 						goto copy;
--- a/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch
+++ b/net/haproxy/patches/005-BUG-MINOR-mux-h1-Dont-return-the-empty-chunk-on-HEAD-responses.patch
@ -1,27 +0,0 @@
 commit 33d58b51e0f1bf68603aa86c9125ae75d6964454
 Author: Christopher Faulet <cfaulet@haproxy.com>
 Date:   Mon Jul 1 16:17:30 2019 +0200

    BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses
    
    HEAD responses must not have any body payload. But, because of a bug, for chunk
    reponses, the empty chunk was always added.
    
    This patch fixes the Github issue #146. It must be backported to 2.0 and 1.9.
    
    (cherry picked from commit b8fc304e8f996f0d9835e4d6524ef8961d3be076)
    Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

 diff --git a/src/mux_h1.c b/src/mux_h1.c
 index e7d769b4..37cc8252 100644
 --- a/src/mux_h1.c
 +++ b/src/mux_h1.c
@@ -1682,6 +1682,8 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun
 					h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR);
 					h1s->flags &= ~H1S_F_HAVE_O_CONN;
 				}
 +				else if ((h1m->flags & H1_MF_RESP) &&  h1s->meth == HTTP_METH_HEAD)
 +					h1m->state = H1_MSG_DONE;
 				else
 					h1m->state = H1_MSG_DATA;
 				break;