- Update haproxy download URL and hash - Add new patches Signed-off-by: Christian Lachner <gladiac@gmail.com>lilik-openwrt-22.03
@ -1,81 +0,0 @@ | |||||
commit 1bd140ea3fab97ccd37adf9d0c106d52af9e53fa | |||||
Author: William Lallemand <wlallemand@haproxy.com> | |||||
Date: Mon Jul 1 10:56:15 2019 +0200 | |||||
BUG/MINOR: mworker/cli: don't output a \n before the response | |||||
When using a level lower than admin on the master CLI, a \n is output | |||||
before the response, this is caused by the response of the "operator" or | |||||
"user" that are sent before the actual command. | |||||
To fix this problem we introduce the flag APPCTX_CLI_ST1_NOLF which ask | |||||
a command response to not be followed by the final \n. | |||||
This patch made a special case with the command operator and user | |||||
followed by a - so they are not followed by \n. | |||||
This patch must be backported to 2.0 and 1.9. | |||||
(cherry picked from commit ad03288e6b28d816abb443cf8c6d984a72bb91a6) | |||||
Signed-off-by: William Lallemand <wlallemand@haproxy.org> | |||||
diff --git a/include/types/applet.h b/include/types/applet.h | |||||
index c9e02d17..1f3a4983 100644 | |||||
--- a/include/types/applet.h | |||||
+++ b/include/types/applet.h | |||||
@@ -50,6 +50,7 @@ struct applet { | |||||
#define APPCTX_CLI_ST1_PROMPT (1 << 0) | |||||
#define APPCTX_CLI_ST1_PAYLOAD (1 << 1) | |||||
+#define APPCTX_CLI_ST1_NOLF (1 << 2) | |||||
/* Context of a running applet. */ | |||||
struct appctx { | |||||
diff --git a/src/cli.c b/src/cli.c | |||||
index 44ddc7bf..9a9f80f9 100644 | |||||
--- a/src/cli.c | |||||
+++ b/src/cli.c | |||||
@@ -821,7 +821,7 @@ static void cli_io_handler(struct appctx *appctx) | |||||
prompt = "\n> "; | |||||
} | |||||
else { | |||||
- if (!(appctx->st1 & APPCTX_CLI_ST1_PAYLOAD)) | |||||
+ if (!(appctx->st1 & (APPCTX_CLI_ST1_PAYLOAD|APPCTX_CLI_ST1_NOLF))) | |||||
prompt = "\n"; | |||||
} | |||||
@@ -848,6 +848,8 @@ static void cli_io_handler(struct appctx *appctx) | |||||
/* switch state back to GETREQ to read next requests */ | |||||
appctx->st0 = CLI_ST_GETREQ; | |||||
+ /* reactivate the \n at the end of the response for the next command */ | |||||
+ appctx->st1 &= ~APPCTX_CLI_ST1_NOLF; | |||||
} | |||||
} | |||||
@@ -1442,6 +1444,10 @@ static int cli_parse_show_lvl(char **args, char *payload, struct appctx *appctx, | |||||
/* parse and set the CLI level dynamically */ | |||||
static int cli_parse_set_lvl(char **args, char *payload, struct appctx *appctx, void *private) | |||||
{ | |||||
+ /* this will ask the applet to not output a \n after the command */ | |||||
+ if (!strcmp(args[1], "-")) | |||||
+ appctx->st1 |= APPCTX_CLI_ST1_NOLF; | |||||
+ | |||||
if (!strcmp(args[0], "operator")) { | |||||
if (!cli_has_level(appctx, ACCESS_LVL_OPER)) { | |||||
return 1; | |||||
@@ -2097,11 +2103,11 @@ int pcli_parse_request(struct stream *s, struct channel *req, char **errmsg, int | |||||
if (pcli_has_level(s, ACCESS_LVL_ADMIN)) { | |||||
goto end; | |||||
} else if (pcli_has_level(s, ACCESS_LVL_OPER)) { | |||||
- ci_insert_line2(req, 0, "operator", strlen("operator")); | |||||
- ret += strlen("operator") + 2; | |||||
+ ci_insert_line2(req, 0, "operator -", strlen("operator -")); | |||||
+ ret += strlen("operator -") + 2; | |||||
} else if (pcli_has_level(s, ACCESS_LVL_USER)) { | |||||
- ci_insert_line2(req, 0, "user", strlen("user")); | |||||
- ret += strlen("user") + 2; | |||||
+ ci_insert_line2(req, 0, "user -", strlen("user -")); | |||||
+ ret += strlen("user -") + 2; | |||||
} | |||||
} | |||||
end: |
@ -1,30 +0,0 @@ | |||||
commit aa2ecea6f711f50192476b26a5b1d767108bd761 | |||||
Author: Olivier Houchard <ohouchard@haproxy.com> | |||||
Date: Fri Jun 28 14:10:33 2019 +0200 | |||||
BUG/MEDIUM: ssl: Don't attempt to set alpn if we're not using SSL. | |||||
Checks use ssl_sock_set_alpn() to set the ALPN if check-alpn is used, however | |||||
check-alpn failed to check if the connection was indeed using SSL, and thus, | |||||
would crash if check-alpn was used on a non-SSL connection. Fix this by | |||||
making sure the connection uses SSL before attempting to set the ALPN. | |||||
This should be backported to 2.0 and 1.9. | |||||
(cherry picked from commit e488ea865a433d93efcb14c0c602918070c6b208) | |||||
Signed-off-by: Willy Tarreau <w@1wt.eu> | |||||
diff --git a/src/ssl_sock.c b/src/ssl_sock.c | |||||
index 05240063..c9fffbec 100644 | |||||
--- a/src/ssl_sock.c | |||||
+++ b/src/ssl_sock.c | |||||
@@ -6411,6 +6411,9 @@ void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int l | |||||
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | |||||
struct ssl_sock_ctx *ctx = conn->xprt_ctx; | |||||
+ if (!ssl_sock_is_ssl(conn)) | |||||
+ return; | |||||
+ | |||||
SSL_set_alpn_protos(ctx->ssl, alpn, len); | |||||
#endif | |||||
} |
@ -1,35 +0,0 @@ | |||||
commit 9fa93f6220a374f724491fd781d44d31f307671f | |||||
Author: Christopher Faulet <cfaulet@haproxy.com> | |||||
Date: Fri Jun 28 17:41:42 2019 +0200 | |||||
BUG/MEDIUM: mux-h1: Always release H1C if a shutdown for writes was reported | |||||
We must take care of this when the stream is detached from the | |||||
connection. Otherwise, on the server side, the connexion is inserted in the list | |||||
of idle connections of the session. But when reused, because the shutdown for | |||||
writes was already catched, nothing is sent to the server and the session is | |||||
blocked with a freezed connection. | |||||
This patch must be backported to 2.0 and 1.9. It is related to the issue #136 | |||||
reported on Github. | |||||
(cherry picked from commit 3ac0f43020e1cd77198020201e4e482a1c2ef8ac) | |||||
Signed-off-by: Willy Tarreau <w@1wt.eu> | |||||
diff --git a/src/mux_h1.c b/src/mux_h1.c | |||||
index 3d2bd8b8..e497e6f6 100644 | |||||
--- a/src/mux_h1.c | |||||
+++ b/src/mux_h1.c | |||||
@@ -2192,9 +2192,9 @@ static void h1_detach(struct conn_stream *cs) | |||||
} | |||||
} | |||||
- /* We don't want to close right now unless the connection is in error */ | |||||
- if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || | |||||
- (h1c->conn->flags & CO_FL_ERROR) || !h1c->conn->owner) | |||||
+ /* We don't want to close right now unless the connection is in error or shut down for writes */ | |||||
+ if ((h1c->flags & (H1C_F_CS_ERROR|H1C_F_CS_SHUTW_NOW|H1C_F_CS_SHUTDOWN|H1C_F_UPG_H2C)) || | |||||
+ (h1c->conn->flags & (CO_FL_ERROR|CO_FL_SOCK_WR_SH)) || !h1c->conn->owner) | |||||
h1_release(h1c); | |||||
else { | |||||
tasklet_wakeup(h1c->wait_event.tasklet); |
@ -1,51 +0,0 @@ | |||||
commit afc313e6cd4be32f3c3d212e875d4dbcef8a0c70 | |||||
Author: Willy Tarreau <w@1wt.eu> | |||||
Date: Mon Jul 1 07:51:29 2019 +0200 | |||||
BUG/MEDIUM: checks: unblock signals in external checks | |||||
As discussed in issue #140, processes are forked with signals blocked | |||||
resulting in haproxy's kill being ignored. This happens when the command | |||||
takes more time to complete than the configured check timeout or interval. | |||||
Just calling "sleep 30" every second makes the problem obvious. | |||||
The fix simply consists in unblocking the signals in the child after the | |||||
fork. It needs to be backported to all stable branches containing external | |||||
checks and where signals are blocked on startup. It's unclear when it | |||||
started, but the following config exhibits the issue : | |||||
global | |||||
external-check | |||||
listen www | |||||
bind :8001 | |||||
timeout client 5s | |||||
timeout server 5s | |||||
timeout connect 5s | |||||
option external-check | |||||
external-check command "$PWD/sleep10.sh" | |||||
server local 127.0.0.1:80 check inter 200 | |||||
$ cat sleep10.sh | |||||
#!/bin/sh | |||||
exec /bin/sleep 10 | |||||
The "sleep" processes keep accumulating for 10 seconds and stabilize | |||||
around 25 when the bug is present. Just issuing "killall sleep" has no | |||||
effect on them, and stopping haproxy leaves these processes behind. | |||||
(cherry picked from commit 2df8cad0fea2d1a4ca8dd58f384df3c3c3f5d7ee) | |||||
Signed-off-by: Willy Tarreau <w@1wt.eu> | |||||
diff --git a/src/checks.c b/src/checks.c | |||||
index c175a752..e31eb173 100644 | |||||
--- a/src/checks.c | |||||
+++ b/src/checks.c | |||||
@@ -1997,6 +1997,7 @@ static int connect_proc_chk(struct task *t) | |||||
environ = check->envp; | |||||
extchk_setenv(check, EXTCHK_HAPROXY_SERVER_CURCONN, ultoa_r(s->cur_sess, buf, sizeof(buf))); | |||||
+ haproxy_unblock_signals(); | |||||
execvp(px->check_command, check->argv); | |||||
ha_alert("Failed to exec process for external health check: %s. Aborting.\n", | |||||
strerror(errno)); |
@ -1,48 +0,0 @@ | |||||
commit 52131680c42ddbfa6f2b5d109ffc79c28f44e42a | |||||
Author: Christopher Faulet <cfaulet@haproxy.com> | |||||
Date: Thu Jun 27 17:40:14 2019 +0200 | |||||
BUG/MINOR: mux-h1: Skip trailers for non-chunked outgoing messages | |||||
Unlike H1, H2 messages may contains trailers while the header "Content-Length" | |||||
is set. Indeed, because of the framed structure of HTTP/2, it is no longer | |||||
necessary to use the chunked transfer encoding. So Trailing HEADERS frames, | |||||
after all DATA frames, may be added on messages with an explicit content length. | |||||
But in H1, it is impossible to have trailers on non-chunked messages. So when | |||||
outgoing messages are formatted by the H1 multiplexer, if the message is not | |||||
chunked, all trailers must be dropped. | |||||
This patch must be backported to 2.0 and 1.9. However, the patch will have to be | |||||
adapted for the 1.9. | |||||
(cherry picked from commit 5433a0b0215c791b4165bddd360a254fa141c6e9) | |||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> | |||||
diff --git a/src/mux_h1.c b/src/mux_h1.c | |||||
index e497e6f6..e7d769b4 100644 | |||||
--- a/src/mux_h1.c | |||||
+++ b/src/mux_h1.c | |||||
@@ -1696,7 +1696,9 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun | |||||
goto done; | |||||
} | |||||
else if (type == HTX_BLK_EOT || type == HTX_BLK_TLR) { | |||||
- if (!chunk_memcat(&tmp, "0\r\n", 3)) | |||||
+ /* If the message is not chunked, never | |||||
+ * add the last chunk. */ | |||||
+ if ((h1m->flags & H1_MF_CHNK) && !chunk_memcat(&tmp, "0\r\n", 3)) | |||||
goto copy; | |||||
goto trailers; | |||||
} | |||||
@@ -1715,6 +1717,11 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun | |||||
goto error; | |||||
trailers: | |||||
h1m->state = H1_MSG_TRAILERS; | |||||
+ /* If the message is not chunked, ignore | |||||
+ * trailers. It may happen with H2 messages. */ | |||||
+ if (!(h1m->flags & H1_MF_CHNK)) | |||||
+ break; | |||||
+ | |||||
if (type == HTX_BLK_EOT) { | |||||
if (!chunk_memcat(&tmp, "\r\n", 2)) | |||||
goto copy; |
@ -1,27 +0,0 @@ | |||||
commit 33d58b51e0f1bf68603aa86c9125ae75d6964454 | |||||
Author: Christopher Faulet <cfaulet@haproxy.com> | |||||
Date: Mon Jul 1 16:17:30 2019 +0200 | |||||
BUG/MINOR: mux-h1: Don't return the empty chunk on HEAD responses | |||||
HEAD responses must not have any body payload. But, because of a bug, for chunk | |||||
reponses, the empty chunk was always added. | |||||
This patch fixes the Github issue #146. It must be backported to 2.0 and 1.9. | |||||
(cherry picked from commit b8fc304e8f996f0d9835e4d6524ef8961d3be076) | |||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> | |||||
diff --git a/src/mux_h1.c b/src/mux_h1.c | |||||
index e7d769b4..37cc8252 100644 | |||||
--- a/src/mux_h1.c | |||||
+++ b/src/mux_h1.c | |||||
@@ -1682,6 +1682,8 @@ static size_t h1_process_output(struct h1c *h1c, struct buffer *buf, size_t coun | |||||
h1m->flags |= (H1_MF_NO_PHDR|H1_MF_CLEAN_CONN_HDR); | |||||
h1s->flags &= ~H1S_F_HAVE_O_CONN; | |||||
} | |||||
+ else if ((h1m->flags & H1_MF_RESP) && h1s->meth == HTTP_METH_HEAD) | |||||
+ h1m->state = H1_MSG_DONE; | |||||
else | |||||
h1m->state = H1_MSG_DATA; | |||||
break; |