include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.5.2
-PKG_RELEASE:=06
+PKG_VERSION:=1.5.14
+PKG_RELEASE:=00
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
-PKG_MD5SUM:=e854fed32ea751d6db7f366cb910225a
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_MD5SUM:=ad9d7262b96ba85a0f8c6acc6cb9edde
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
PKG_LICENSE:=GPL-2.0
include $(INCLUDE_DIR)/package.mk
-define Package/haproxy
+define Package/haproxy/Default
SUBMENU:=Web Servers/Proxies
SECTION:=net
CATEGORY:=Network
TITLE:=The Reliable, High Performance TCP/HTTP Load Balancer
URL:=http://haproxy.1wt.eu/
- DEPENDS:=+libpcre +libltdl +libopenssl +zlib +libpthread
endef
-define Package/haproxy/conffiles
+define Package/haproxy/Default/conffiles
/etc/haproxy.cfg
endef
+define Package/haproxy/Default/description
+ Open source Reliable, High Performance TCP/HTTP Load Balancer.
+endef
+
+define Package/haproxy
+ DEPENDS+= +libpcre +libltdl +zlib +libpthread +libopenssl
+ TITLE+= (with SSL support)
+ VARIANT:=ssl
+$(call Package/haproxy/Default)
+endef
+
+define Package/haproxy/conffiles
+$(call Package/haproxy/Default/conffiles)
+endef
+
define Package/haproxy/description
- Open source High Performance TCP/HTTP Load Balancer
+$(call Package/haproxy/Default/description)
+ This package is built with SSL support.
+endef
+
+define Package/haproxy-nossl
+ TITLE+= (without SSL support)
+ VARIANT:=nossl
+ DEPENDS+= +libpcre +libltdl +zlib +libpthread
+ TITLE+= (with SSL support)
+$(call Package/haproxy/Default)
+endef
+
+define Package/haproxy-nossl/conffiles
+$(call Package/haproxy/Default/conffiles)
+endef
+
+define Package/haproxy-nossl/description
+$(call Package/haproxy/Default/description)
+ This package is built without SSL support.
endef
ifeq ($(CONFIG_avr32),y)
LINUX_TARGET:=linux2628
endif
+ifeq ($(BUILD_VARIANT),ssl)
+ USE_OPENSSL=USE_OPENSSL=1
+else
+ USE_OPENSSL=
+endif
+
define Build/Compile
$(MAKE) TARGET=$(LINUX_TARGET) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \
CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_LDFLAGS)" \
- ADDLIB="-lcrypto" \
- PCREDIR="$(STAGING_DIR)/usr/include" \
+ PCREDIR="$(STAGING_DIR)/usr" \
SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
- USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 USE_OPENSSL=1 \
+ USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_REGPARM=1 $(USE_OPENSSL) \
USE_ZLIB=yes USE_PCRE=1 \
VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
install
$(MAKE) -C $(PKG_BUILD_DIR)/contrib/halog \
- DESTDIR="$(PKG_INSTALL_DIR)" \
- CC="$(TARGET_CC)" \
- CFLAGS="$(TARGET_CFLAGS) -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -fhonour-copts" \
- LD="$(TARGET_CC)" \
- LDFLAGS="$(TARGET_LDFLAGS)" \
- ADDLIB="-lcrypto" \
- VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
+ CC="$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS)" \
+ OPTIMIZE="" \
halog
endef
$(INSTALL_BIN) ./files/haproxy.hotplug $(1)/etc/hotplug.d/net/90-haproxy
endef
+Package/haproxy-nossl/install = $(Package/haproxy/install)
+
define Package/halog
MENU:=1
- $(call Package/haproxy)
+ $(call Package/haproxy/Default)
TITLE+= halog
DEPENDS:=haproxy
endef
$(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/halog/halog $(1)/usr/bin/
endef
+$(eval $(call BuildPackage,haproxy-nossl))
$(eval $(call BuildPackage,haproxy))
$(eval $(call BuildPackage,halog))
+++ /dev/null
-From a124eb6d7838eff2c52cc9bf027594c11e87fae9 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sat, 12 Jul 2014 17:31:07 +0200
-Subject: [PATCH 1/2] DOC: mention that Squid correctly responds 400 to PPv2
- header
-
-Amos reported that Squid builds 3.5.0.0_20140624 and 3.5.0.0_20140630
-were confirmed to respond correctly here and that any version will do
-the same.
-(cherry picked from commit 9e1382002aa1ba12dcc637870befd077ff887aad)
----
- doc/proxy-protocol.txt | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
-index a2dbcea..a3925a4 100644
---- a/doc/proxy-protocol.txt
-+++ b/doc/proxy-protocol.txt
-@@ -692,6 +692,7 @@ presented, even with minimal implementations :
- - thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- - mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- - haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
-+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- - SSL :
- - stud 0.3.47 : connection abort => pass/optimal
- - stunnel 4.45 : connection abort => pass/optimal
---
-1.8.5.5
-
+++ /dev/null
-From de9789b37466c37547d8c5d52d96a9d4466eb431 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Cyril=20Bont=C3=A9?= <cyril.bonte@free.fr>
-Date: Sat, 12 Jul 2014 18:22:42 +0200
-Subject: [PATCH 2/2] DOC: fix typo in Unix Socket commands
-
-Konstantin Romanenko reported a typo in the HTML documentation. The typo is
-already present in the raw text version : the "shutdown sessions" command
-should be "shutdown sessions server".
-(cherry picked from commit e63a1eb290a1c407453dbcaa16535c85a1904f9e)
----
- doc/configuration.txt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index ca21f7d..2d71555 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -13869,7 +13869,7 @@ shutdown session <id>
- endless transfer is ongoing. Such terminated sessions are reported with a 'K'
- flag in the logs.
-
--shutdown sessions <backend>/<server>
-+shutdown sessions server <backend>/<server>
- Immediately terminate all the sessions attached to the specified server. This
- can be used to terminate long-running sessions after a server is put into
- maintenance mode, for instance. Such terminated sessions are reported with a
---
-1.8.5.5
-
+++ /dev/null
-From 60d7aeb6e1450995e721d01f48f60b7db4c44e2b Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <rgacogne[at]aquaray[dot]fr>
-Date: Tue, 15 Jul 2014 11:36:40 +0200
-Subject: [PATCH 3/3] BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
-
-OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(),
-leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange.
-This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time.
-
-Note: this fix must be backported to 1.5.
-(cherry picked from commit 8de5415b85512da871d58d1e9a0a33bd67f3b570)
----
- src/ssl_sock.c | 43 ++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 36 insertions(+), 7 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 375225d..cf8adc7 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -105,6 +105,13 @@ enum {
- int sslconns = 0;
- int totalsslconns = 0;
-
-+#ifndef OPENSSL_NO_DH
-+static DH *local_dh_1024 = NULL;
-+static DH *local_dh_2048 = NULL;
-+static DH *local_dh_4096 = NULL;
-+static DH *local_dh_8192 = NULL;
-+#endif /* OPENSSL_NO_DH */
-+
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
- struct certificate_ocsp {
- struct ebmb_node key;
-@@ -1034,16 +1041,16 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
- }
-
- if (keylen >= 8192) {
-- dh = ssl_get_dh_8192();
-+ dh = local_dh_8192;
- }
- else if (keylen >= 4096) {
-- dh = ssl_get_dh_4096();
-+ dh = local_dh_4096;
- }
- else if (keylen >= 2048) {
-- dh = ssl_get_dh_2048();
-+ dh = local_dh_2048;
- }
- else {
-- dh = ssl_get_dh_1024();
-+ dh = local_dh_1024;
- }
-
- return dh;
-@@ -1079,11 +1086,11 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
-
- if (global.tune.ssl_default_dh_param <= 1024) {
- /* we are limited to DH parameter of 1024 bits anyway */
-- dh = ssl_get_dh_1024();
-- if (dh == NULL)
-+ local_dh_1024 = ssl_get_dh_1024();
-+ if (local_dh_1024 == NULL)
- goto end;
-
-- SSL_CTX_set_tmp_dh(ctx, dh);
-+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
- }
- else {
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
-@@ -1594,6 +1601,28 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
- global.tune.ssl_default_dh_param = 1024;
- }
-
-+#ifndef OPENSSL_NO_DH
-+ if (global.tune.ssl_default_dh_param >= 1024) {
-+ if (local_dh_1024 == NULL) {
-+ local_dh_1024 = ssl_get_dh_1024();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 2048) {
-+ if (local_dh_2048 == NULL) {
-+ local_dh_2048 = ssl_get_dh_2048();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 4096) {
-+ if (local_dh_4096 == NULL) {
-+ local_dh_4096 = ssl_get_dh_4096();
-+ }
-+ if (global.tune.ssl_default_dh_param >= 8192 &&
-+ local_dh_8192 == NULL) {
-+ local_dh_8192 = ssl_get_dh_8192();
-+ }
-+ }
-+ }
-+ }
-+#endif /* OPENSSL_NO_DH */
-+
- SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
- #if OPENSSL_VERSION_NUMBER >= 0x00907000L
- SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
---
-1.8.5.5
-
+++ /dev/null
-From 0dff81c6a5876172bc1d4725a7a07fddd9d1f369 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Tue, 15 Jul 2014 21:34:06 +0200
-Subject: [PATCH 4/5] BUG/MINOR: http: base32+src should use the big endian
- version of base32
-
-We're using the internal memory representation of base32 here, which is
-wrong since these data might be exported to headers for logs or be used
-to stick to a server and replicated to other peers. Let's convert base32
-to big endian (network representation) when building the binary block.
-
-This mistake is also present in 1.5, it would be better to backport it.
-(cherry picked from commit 5ad6e1dc09f0a85aabf86f154b1817b9ebffb568)
----
- src/proto_http.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 94afed7..b7ed85d 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -10358,8 +10358,8 @@ smp_fetch_base32_src(struct proxy *px, struct session *l4, void *l7, unsigned in
- return 0;
-
- temp = get_trash_chunk();
-- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
-- temp->len += sizeof(smp->data.uint);
-+ *(unsigned int *)temp->str = htonl(smp->data.uint);
-+ temp->len += sizeof(unsigned int);
-
- switch (cli_conn->addr.from.ss_family) {
- case AF_INET:
---
-1.8.5.5
-
+++ /dev/null
-From 66dbae025876a65c81ae3c4011e3aa3b630b42f7 Mon Sep 17 00:00:00 2001
-From: Dave McCowan <11235david@gmail.com>
-Date: Thu, 17 Jul 2014 14:34:01 -0400
-Subject: [PATCH 5/5] BUG/MEDIUM: connection: fix memory corruption when
- building a proxy v2 header
-
-Use temporary trash chunk, instead of global trash chunk in
-make_proxy_line_v2() to avoid memory overwrite.
-
-This fix must also be backported to 1.5.
-(cherry picked from commit 77d1f0143e210c13ee8ec6aaf6b3150fa4ce6c5b)
----
- src/connection.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/connection.c b/src/connection.c
-index 20a911b..3435b1a 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -622,6 +622,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- char *value = NULL;
- struct tlv_ssl *tlv;
- int ssl_tlv_len = 0;
-+ struct chunk *cn_trash;
- #endif
-
- if (buf_len < PP2_HEADER_LEN)
-@@ -682,8 +683,9 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- tlv->verify = htonl(ssl_sock_get_verify_result(remote));
- }
- if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
-- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
-- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
-+ cn_trash = get_trash_chunk();
-+ if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
-+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
- ssl_tlv_len += tlv_len;
- }
- }
---
-1.8.5.5
-
+++ /dev/null
-From 04b80cd29b23d02f373c095569e871275d128b43 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sat, 19 Jul 2014 06:37:33 +0200
-Subject: [PATCH 6/6] BUG/MEDIUM: connection: fix proxy v2 header again!
-
-Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory corruption
-when building a proxy v2 header") was wrong, using &cn_trash instead
-of cn_trash resulting in a warning and the client's SSL cert CN not
-being stored at the proper location.
-
-Thanks to Lukas Tribus for spotting this quickly.
-
-This should be backported to 1.5 after the patch above is backported.
-(cherry picked from commit 3b9a0c9d4d083d749846d66f9bd4caabafe4ee78)
----
- src/connection.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/connection.c b/src/connection.c
-index 3435b1a..2dd2c02 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -684,7 +684,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- }
- if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- cn_trash = get_trash_chunk();
-- if (ssl_sock_get_remote_common_name(remote, &cn_trash) > 0) {
-+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
- ssl_tlv_len += tlv_len;
- }
---
-1.8.5.5
-
projects / feed / packages.git / commitdiff