From 273565f77a624cbf371fde0ce70a459156ab791e Mon Sep 17 00:00:00 2001 
From: Tristan Date: Tue, 7 Jun 2022 07:14:34 +0100 Subject: [PATCH] Add Debian packaging --- .gitignore | 7 + .gitlab-ci.yml | 17 + README.md | 9 + haproxy/Makefile | 82 +- haproxy/debian/NEWS | 35 + haproxy/debian/changelog | 2355 +++++++++++++++++ haproxy/debian/control | 25 + haproxy/debian/copyright | 941 +++++++ haproxy/debian/haproxy.README.Debian | 29 + haproxy/debian/haproxy.cfg | 34 + haproxy/debian/haproxy.default | 10 + haproxy/debian/haproxy.dirs | 4 + haproxy/debian/haproxy.docs | 9 + haproxy/debian/haproxy.examples | 1 + haproxy/debian/haproxy.init | 197 ++ haproxy/debian/haproxy.install | 3 + haproxy/debian/haproxy.maintscript | 1 + haproxy/debian/haproxy.manpages | 1 + haproxy/debian/haproxy.postinst | 22 + haproxy/debian/haproxy.postrm | 16 + haproxy/debian/haproxy.tmpfile | 1 + haproxy/debian/logrotate.conf | 11 + .../haproxy.service-add-documentation.patch | 23 + ...e-systemd-bind-dev-log-inside-chroot.patch | 21 + .../haproxy.service-start-after-syslog.patch | 27 + haproxy/debian/patches/reproducible.patch | 13 + haproxy/debian/patches/series | 4 + haproxy/debian/rsyslog.conf | 9 + haproxy/debian/rules | 83 + haproxy/debian/source/format | 1 + 30 files changed, 3956 insertions(+), 35 deletions(-) create mode 100644 haproxy/debian/NEWS create mode 100644 haproxy/debian/changelog create mode 100644 haproxy/debian/control create mode 100644 haproxy/debian/copyright create mode 100644 haproxy/debian/haproxy.README.Debian create mode 100644 haproxy/debian/haproxy.cfg create mode 100644 haproxy/debian/haproxy.default create mode 100644 haproxy/debian/haproxy.dirs create mode 100644 haproxy/debian/haproxy.docs create mode 100644 haproxy/debian/haproxy.examples create mode 100644 haproxy/debian/haproxy.init create mode 100644 haproxy/debian/haproxy.install create mode 100644 haproxy/debian/haproxy.maintscript create mode 100644 haproxy/debian/haproxy.manpages create mode 100644 haproxy/debian/haproxy.postinst create mode 100644 
haproxy/debian/haproxy.postrm create mode 100644 haproxy/debian/haproxy.tmpfile create mode 100644 haproxy/debian/logrotate.conf create mode 100644 haproxy/debian/patches/haproxy.service-add-documentation.patch create mode 100644 haproxy/debian/patches/haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch create mode 100644 haproxy/debian/patches/haproxy.service-start-after-syslog.patch create mode 100644 haproxy/debian/patches/reproducible.patch create mode 100644 haproxy/debian/patches/series create mode 100644 haproxy/debian/rsyslog.conf create mode 100755 haproxy/debian/rules create mode 100644 haproxy/debian/source/format
diff --git a/.gitignore b/.gitignore
index fe19c3f..6d11d4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,10 @@
 **/dist
 **/src
+**/*.build
+**/*.dsc
 **/*.tar.gz
+**/*.xz
+
+# deb build artifacts
+haproxy/haproxy_*~*
+haproxy/haproxy-dbg*_*~*
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a2f0dee..140b4ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -159,3 +159,20 @@ pkg:haproxy:
 "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/haproxy/$PKG_VER/haproxy.tar.gz"
 variables:
 GIT_STRATEGY: none
+
+deb:haproxy:
+ <<: *build-job
+ stage: build
+ script:
+ - apt install -y --no-install-recommends -qq bzip2 devscripts debhelper git pkg-config
+ - mkdir deps/lua/dist && tar -C deps/lua/dist -xf deps/lua/lua-dist.tar.gz
+ - mkdir deps/pcre2/dist && tar -C deps/pcre2/dist -xf deps/pcre2/pcre2-dist.tar.gz
+ - mkdir deps/quictls/dist && tar -C deps/quictls/dist -xf deps/quictls/quictls-dist.tar.gz
+ - make -C haproxy
+ needs:
+ - job: lua
+ artifacts: true
+ - job: pcre2
+ artifacts: true
+ - job: quictls
+ artifacts: true
diff --git a/README.md b/README.md
index 10829cd..c1ad885 100644
--- a/README.md
+++ b/README.md
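Review bot: In `.gitlab-ci.yml`, the new `deb:haproxy` job ends its script with `make -C haproxy`, which runs the Makefile's default goal; in this same commit `all` still depends only on `dist-bin`, while the package is produced by the separate `dist-deb: build-deb` rule, so as far as these hunks show the job installs `devscripts` and `debhelper` but never reaches `debuild`. The last script line should name the goal, `- make -C haproxy dist-deb`. The added lines also declare no `artifacts:` block, so unless the `*build-job` anchor (defined outside this hunk) supplies one, the resulting `.deb` would not be kept; a short comment above the job naming the files it is expected to publish would make that intent checkable.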
@@ -114,6 +114,15 @@ Then we want HAProxy to not use the system's OpenSSL but rather our QuicTLS build, which it will look for at the `/opt/quictls` prefix. +## About Debian packaging + +The content of [haproxy/debian](haproxy/debian) is a slightly modified version +of the Debian HAProxy Team's work and essentially all credits wrt that is due to +them. + +It is sourced +from [haproxy-team/haproxy:experimental-2.6](https://salsa.debian.org/haproxy-team/haproxy/-/tree/experimental-2.6) + ## Notes Since we're building our own binaries, we also increase MAX_SESS_STKCTR to 5 diff --git a/haproxy/Makefile b/haproxy/Makefile index 14d98b8..c7b91c8 100644 --- a/haproxy/Makefile +++ b/haproxy/Makefile 
@@ -1,52 +1,54 @@
 HAPROXY_VERSION = 2.6.0
-HAPROXY_VERSION_TAG = v$(HAPROXY_VERSION)
 HAPROXY_VERSION_MINOR = $(shell echo "$(HAPROXY_VERSION)" | cut -d'.' -f1-2)
-HAPROXY_SOURCES = https://git.haproxy.org/?p=haproxy-$(HAPROXY_VERSION_MINOR).git;a=snapshot;h=$(HAPROXY_VERSION_TAG);sf=tgz
+HAPROXY_SOURCES = https://www.haproxy.org/download/$(HAPROXY_VERSION_MINOR)/src/haproxy-$(HAPROXY_VERSION).tar.gz
 HAPROXY_TARBALL = haproxy-$(HAPROXY_VERSION).tar.gz
+HAPROXY_DEBORIG = haproxy_$(HAPROXY_VERSION).orig.tar.gz
 HAPROXY_BUILDIR = src
 HAPROXY_DESTDIR = dist
 HAPROXY_DESTDIR_ABS = $(shell realpath $(HAPROXY_DESTDIR))
 HAPROXY_ARCHIVE = haproxy-dist.tar.gz
-DEP_ROOT_LUA = ../deps/lua
-DEP_ROOT_PCRE2 = ../deps/pcre2
-DEP_ROOT_QUICTLS = ../deps/quictls
+DEP_DIST_ROOT_LUA = $(shell realpath ../deps/lua/dist)
+DEP_DIST_ROOT_PCRE2 = $(shell realpath ../deps/pcre2/dist)
+DEP_DIST_ROOT_QUICTLS = $(shell realpath ../deps/quictls/dist)
 BUILD_VERSION_REPOSHA = $(shell git rev-parse --short HEAD)
-HAPROXY_MAKE_ARGS := DEBUG="-DDEBUG_STRICT -DDEBUG_MEMORY_POOLS" \
- DEFINE="-DMAX_SESS_STKCTR=5" \
- LDFLAGS="-Wl,-rpath,/opt/quictls/lib" \
- TARGET="linux-glibc" \
- EXTRAVERSION="+mangadex/$(BUILD_VERSION_REPOSHA)" \
- VERDATE="$$(date -u -I'minutes')" \
- USE_DL=1 \
- USE_GETADDRINFO=1 \
- USE_LINUX_TPROXY=1 \
- USE_LUA=1 \
- LUA_INC="../$(DEP_ROOT_LUA)/dist/include" \
- LUA_LIB="../$(DEP_ROOT_LUA)/dist/lib" \
- LUA_LIB_NAME="lua" \
- USE_OPENSSL=1 \
- SSL_INC="../$(DEP_ROOT_QUICTLS)/dist/opt/quictls/include" \
- SSL_LIB="../$(DEP_ROOT_QUICTLS)/dist/opt/quictls/lib" \
- ADDINC="-lcrypt" \
- USE_PCRE2=1 \
- USE_PCRE2_JIT=1 \
- USE_STATIC_PCRE2=1 \
- PCRE2_INC="../$(DEP_ROOT_PCRE2)/dist/include" \
- PCRE2_LIB="../$(DEP_ROOT_PCRE2)/dist/lib64" \
- PCRE2_CONFIG="../$(DEP_ROOT_PCRE2)/dist/bin/pcre2-config" \
- USE_PROMEX=1 \
- USE_QUIC=1 \
- USE_SLZ=1 \
- USE_TFO=1 \
- USE_SYSTEMD=1
+MAKEARGS = DEBUG="-DDEBUG_STRICT -DDEBUG_MEMORY_POOLS" \
+ DEFINE="-DMAX_SESS_STKCTR=5" \
+ IGNOREGIT=true \
+ LDFLAGS="-Wl,-rpath,/opt/quictls/lib" \
+ TARGET="linux-glibc" \
+ EXTRAVERSION="+mangadex/$(BUILD_VERSION_REPOSHA)" \
+ VERDATE="$(shell date -u -I'minutes')" \
+ USE_DL=1 \
+ USE_GETADDRINFO=1 \
+ USE_LINUX_TPROXY=1 \
+ USE_LUA=1 \
+ LUA_INC="$(DEP_DIST_ROOT_LUA)/include" \
+ LUA_LIB="$(DEP_DIST_ROOT_LUA)/lib" \
+ LUA_LIB_NAME="lua" \
+ USE_OPENSSL=1 \
+ SSL_INC="$(DEP_DIST_ROOT_QUICTLS)/opt/quictls/include" \
+ SSL_LIB="$(DEP_DIST_ROOT_QUICTLS)/opt/quictls/lib" \
+ ADDINC="-lcrypt" \
+ USE_PCRE2=1 \
+ USE_PCRE2_JIT=1 \
+ USE_STATIC_PCRE2=1 \
+ PCRE2_INC="$(DEP_DIST_ROOT_PCRE2)/include" \
+ PCRE2_LIB="$(DEP_DIST_ROOT_PCRE2)/lib64" \
+ PCRE2_CONFIG="$(DEP_DIST_ROOT_PCRE2)/bin/pcre2-config" \
+ USE_PROMEX=1 \
+ USE_QUIC=1 \
+ USE_SLZ=1 \
+ USE_TFO=1 \
+ USE_SYSTEMD=1
 all: dist-bin
 dist-bin: build $(HAPROXY_DESTDIR) $(HAPROXY_ARCHIVE)
+dist-deb: build-deb
 $(HAPROXY_TARBALL):
 curl -sfS -o "$(HAPROXY_TARBALL)" "$(HAPROXY_SOURCES)"
@@ -56,8 +58,8 @@ $(HAPROXY_BUILDIR): $(HAPROXY_TARBALL)
 tar -C "$(HAPROXY_BUILDIR)" --strip-components=1 -xf "$(HAPROXY_TARBALL)"
 build: $(HAPROXY_BUILDIR)
- $(MAKE) -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS) opts
- $(MAKE) -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(HAPROXY_MAKE_ARGS)
+ $(MAKE) -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(MAKEARGS) opts
+ $(MAKE) -C "$(HAPROXY_BUILDIR)" -j "$(shell nproc)" $(MAKEARGS)
 $(HAPROXY_DESTDIR):
 @if ! [ -d "$(HAPROXY_DESTDIR)" ]; then mkdir -v "$(HAPROXY_DESTDIR)"; fi
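Review bot: `HAPROXY_SOURCES` now points at the release tarball on www.haproxy.org, but the `$(HAPROXY_TARBALL)` recipe at the end of the first Makefile hunk still only runs `curl -sfS -o`, so the archive that becomes both the build tree and the Debian `.orig.tar.gz` is accepted on TLS alone, with no digest check. Pin the expected digest next to the version, e.g. `HAPROXY_SHA256 = <expected-sha256-of-tarball>`, and verify right after the download with `echo "$(HAPROXY_SHA256)  $(HAPROXY_TARBALL)" | sha256sum -c -`, so a substituted or truncated tarball fails the build instead of being packaged. Separately, the `DEP_DIST_ROOT_*` variables are recursive `=` assignments around `$(shell realpath …)`: if `realpath` fails (for example when a dependency has not been unpacked) the value would be empty and `SSL_INC`/`SSL_LIB` would collapse to `/opt/quictls/...` on the build host, so `:=` plus an `$(error …)` guard on an empty value would be safer.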
@@ -66,10 +68,20 @@ $(HAPROXY_DESTDIR):
 $(HAPROXY_ARCHIVE): $(HAPROXY_DESTDIR)
 tar -C "$(HAPROXY_DESTDIR)" -cjf "$(HAPROXY_ARCHIVE)" "usr"
+$(HAPROXY_DEBORIG): $(HAPROXY_TARBALL)
+ cp -fv "$(HAPROXY_TARBALL)" "$(HAPROXY_DEBORIG)"
+
+build-deb: $(HAPROXY_DEBORIG) $(HAPROXY_BUILDIR)
+ cp -rf debian $(HAPROXY_BUILDIR)/
+ cd $(HAPROXY_BUILDIR) && debuild -us -uc
+
 clean:
 rm -fv "$(HAPROXY_TARBALL)"
+ rm -rf "$(HAPROXY_DEBORIG)"
 rm -rf "$(HAPROXY_BUILDIR)"
 rm -rf "$(HAPROXY_DESTDIR)"
 rm -fv "$(HAPROXY_ARCHIVE)"
+ rm -fv "haproxy_$(HAPROXY_VERSION)"*
+ rm -fv "haproxy-dbgsym_$(HAPROXY_VERSION)"*
 .PHONY: clean build
diff --git a/haproxy/debian/NEWS b/haproxy/debian/NEWS
new file mode 100644
index 0000000..1edb770
--- /dev/null
+++ b/haproxy/debian/NEWS
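Review bot: The new `build-deb` rule runs `debuild -us -uc`, which leaves the source package and the `.changes` file unsigned, while the changelog added in this commit versions the package at N+100 so that it outranks the distribution's own; nothing in the visible rules signs or checksums the output, so consumers depend entirely on how the files are published. If these packages leave the CI runner, sign them in a release step or serve them only from a signed apt repository, and record the decision above the rule, e.g. `# unsigned on purpose: signing happens at publish time`. Also, `dist-deb` and `build-deb` are commands rather than files but are not declared phony (`.PHONY: clean build dist-deb build-deb`), and `cp -rf debian $(HAPROXY_BUILDIR)/` leaves the path unquoted, unlike the other recipes in this file.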
@@ -0,0 +1,35 @@
+haproxy (1.8.0-1) experimental; urgency=medium
+
+ In order to upgrade to the HAProxy 1.8 new process model, a full service
+ restart will be performed automatically on upgrade from pre-1.8 versions
+ when running under systemd. This incurs (minimal) service downtime and
+ will only be performed once; future upgrades will reload haproxy seamlessly.
+
+ -- Apollon Oikonomopoulos Tue, 28 Nov 2017 23:44:01 +0200
+
+haproxy (1.4.23-1) unstable; urgency=low
+
+ As of 1.4.23-1, the Debian package ships an rsyslog snippet to allow logging
+ via /dev/log from chrooted HAProxy processes. If you are using rsyslog, you
+ should restart rsyslog after installing this package to enable HAProxy to log
+ via rsyslog. See /usr/share/doc/haproxy/README.Debian for more details.
+
+ Also note that as of 1.4.23-1, chrooting the HAProxy process is enabled in the
+ default Debian configuration.
+
+ -- Apollon Oikonomopoulos Thu, 25 Apr 2013 23:26:35 +0300
+
+haproxy (1.4.13-1) unstable; urgency=low
+
+ Maintainer of this package has changed.
+
+ -- Christo Buschek Mon, 10 Mar 2011 22:07:10 +0100
+
+haproxy (1.3.14.2-1) unstable; urgency=low
+
+ Configuration has moved to /etc/haproxy/haproxy.cfg. This allows to add the
+ configurable /etc/haproxy/errors directory.
+ The haproxy binary was also moved to /usr/sbin rather than /usr/bin, update
+ your init script or reinstall the one provided with the package.
+
+ -- Arnaud Cornet Mon, 21 Jan 2008 23:38:15 +0100
diff --git a/haproxy/debian/changelog b/haproxy/debian/changelog
new file mode 100644
index 0000000..91d38ad
--- /dev/null
+++ b/haproxy/debian/changelog
@@ -0,0 +1,2355 @@ +haproxy (2.6.0-100~mangadex+1) experimental; urgency=medium + + * Initial release. Packaging version is set to N+100 to ensure it's higher priority + + -- MangaDex Tue, 07 Jun 2022 08:49:38 +0200 + +haproxy (2.6.0-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 02 Jun 2022 08:49:38 +0200 + +haproxy (2.5.7-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Sat, 14 May 2022 12:01:07 +0200 + +haproxy (2.5.6-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Tue, 26 Apr 2022 17:59:23 +0200 + +haproxy (2.5.5-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Mon, 14 Mar 2022 19:26:46 +0100 + +haproxy (2.5.4-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Fri, 25 Feb 2022 17:39:11 +0100 + +haproxy (2.5.3-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Fri, 18 Feb 2022 20:22:25 +0100 + +haproxy (2.5.2-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Wed, 16 Feb 2022 19:09:04 +0100 + +haproxy (2.5.1-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Tue, 11 Jan 2022 19:23:50 +0100 + +haproxy (2.5.0-1) experimental; urgency=medium + + * New upstream release. + * d/patches: patch to make logging work without rsyslog with systemd + + -- Vincent Bernat Thu, 25 Nov 2021 21:20:30 +0100 + +haproxy (2.4.9-1) unstable; urgency=medium + + * New upstream release. + + -- Vincent Bernat Wed, 24 Nov 2021 19:42:28 +0100 + +haproxy (2.4.8-3) unstable; urgency=medium + + * d/logrotate: only use rsyslog-rotate if present. Closes: #1000436. + + -- Vincent Bernat Wed, 24 Nov 2021 09:29:54 +0100 + +haproxy (2.4.8-2) unstable; urgency=medium + + * Non-maintainer upload. + * Enable OpenTracing support. 
+ + -- Stephen Gelman Tue, 09 Nov 2021 23:06:46 -0600 + +haproxy (2.4.8-1) unstable; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 04 Nov 2021 08:36:56 +0100 + +haproxy (2.4.7-2) unstable; urgency=medium + + * Upload to unstable. + + -- Vincent Bernat Sat, 16 Oct 2021 20:43:13 +0200 + +haproxy (2.4.7-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 07 Oct 2021 09:08:09 +0200 + +haproxy (2.4.4-1) experimental; urgency=medium + + * New upstream release. + * d/patches: remove patches applied upstream. + + -- Vincent Bernat Wed, 08 Sep 2021 08:38:05 +0200 + +haproxy (2.4.3-2) experimental; urgency=high + + * d/patches: fix missing header name length check in HTX (CVE-2021-40346). + + -- Vincent Bernat Sat, 04 Sep 2021 11:56:31 +0200 + +haproxy (2.4.3-1) experimental; urgency=medium + + * New upstream release. + * d/patches: remove patches applied upstream. + * d/patches: h2: match absolute-path not path-absolute for :path. + + -- Vincent Bernat Sat, 21 Aug 2021 16:32:25 +0200 + +haproxy (2.4.2-2) experimental; urgency=medium + + * Fix HTTP request smuggling via HTTP/2 desync attacks. + + -- Vincent Bernat Fri, 13 Aug 2021 16:12:31 +0200 + +haproxy (2.4.2-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Wed, 07 Jul 2021 21:47:17 +0200 + +haproxy (2.4.1-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 17 Jun 2021 13:57:57 +0200 + +haproxy (2.4.0-1) experimental; urgency=medium + + * New upstream release. + * d/rules: switch to SLZ instead of zlib + * d/rules: update build for contrib → admin + * d/rules: remove use of USE_REGPARM (outdated) + * d/rules: remove hack around gcc_s + * d/copyright: update + + -- Vincent Bernat Tue, 18 May 2021 22:00:05 +0200 + +haproxy (2.3.10-1) experimental; urgency=medium + + * New upstream release. 
+ + -- Vincent Bernat Sat, 24 Apr 2021 18:22:41 +0200 + +haproxy (2.3.9-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Tue, 30 Mar 2021 19:50:42 +0200 + +haproxy (2.3.8-1) experimental; urgency=medium + + * New upstream release. + * d/logrotate: reduce log retention to 7 days. Closes: #985441. + + -- Vincent Bernat Thu, 25 Mar 2021 18:17:18 +0100 + +haproxy (2.3.7-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Tue, 16 Mar 2021 18:41:25 +0100 + +haproxy (2.3.6-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 04 Mar 2021 13:57:49 +0100 + +haproxy (2.3.5-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Sat, 06 Feb 2021 17:12:53 +0100 + +haproxy (2.3.4-1) experimental; urgency=medium + + * New upstream release: + - Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records" + + -- Vincent Bernat Fri, 15 Jan 2021 14:13:28 +0100 + +haproxy (2.3.3-1) experimental; urgency=medium + + * d/tests: sleep before test to let Apache2 start. + Closes: #976997. + * New upstream release: + - BUG/MAJOR: ring: tcp forward on ring can break the reader counter. + - BUG/MAJOR: spoa/python: Fixing return None + - BUG/MEDIUM: local log format regression. Closes: #974977. + + -- Vincent Bernat Sat, 09 Jan 2021 15:18:10 +0100 + +haproxy (2.3.2-1) experimental; urgency=medium + + * New upstream release. + - BUG/MAJOR: connection: reset conn->owner when detaching from session + list + - BUG/MAJOR: filters: Always keep all offsets up to date during data + filtering + - BUG/MAJOR: peers: fix partial message decoding + - BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer + pool + + -- Vincent Bernat Sat, 28 Nov 2020 20:25:34 +0100 + +haproxy (2.3.1-1) experimental; urgency=medium + + * New upstream release. 
+ - BUG/MAJOR: spoe: Be sure to remove all references on a released spoe + applet + * d/patches: remove patches applied upstream. + + -- Vincent Bernat Sat, 14 Nov 2020 23:17:20 +0100 + +haproxy (2.3.0-1) experimental; urgency=medium + + * New upstream release. + * d/gbp, d/watch: prepare for 2.3.0 release + + -- Vincent Bernat Wed, 11 Nov 2020 16:30:10 +0100 + +haproxy (2.2.17-1) unstable; urgency=medium + + * New upstream release. + * d/patches: remove upstream-applied patch. + + -- Vincent Bernat Thu, 09 Sep 2021 19:42:08 +0200 + +haproxy (2.2.16-3) unstable; urgency=high + + * d/patches: fix missing header name length check in HTX (CVE-2021-40346). + + -- Vincent Bernat Sat, 04 Sep 2021 16:14:51 +0200 + +haproxy (2.2.16-2) unstable; urgency=medium + + * d/patches: h2: match absolute-path not path-absolute for :path + + -- Vincent Bernat Sat, 21 Aug 2021 16:19:52 +0200 + +haproxy (2.2.16-1) unstable; urgency=high + + * New upstream release. + * Fix CVE-2021-39240, CVE-2021-39241, CVE-2021-39242. + * d/patches: remove upstream-applied patch. + + -- Vincent Bernat Thu, 19 Aug 2021 07:22:05 +0200 + +haproxy (2.2.15-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Fri, 16 Jul 2021 11:18:32 +0200 + +haproxy (2.2.14-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 29 Apr 2021 15:32:49 +0200 + +haproxy (2.2.13-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Fri, 02 Apr 2021 21:18:28 +0200 + +haproxy (2.2.12-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Wed, 31 Mar 2021 20:31:24 +0200 + +haproxy (2.2.11-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Vincent Bernat Thu, 18 Mar 2021 21:34:40 +0100 + +haproxy (2.2.10-1) UNRELEASED; urgency=medium + + * New upstream release. 
+ + -- Vincent Bernat Thu, 04 Mar 2021 19:08:41 +0100 + +haproxy (2.2.9-2) unstable; urgency=medium + + * d/patches: fix agent-check regression putting down servers. + Closes: #988779. + + -- Vincent Bernat Thu, 27 May 2021 15:00:01 +0200 + +haproxy (2.2.9-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: connection: reset conn->owner when detaching from session + list + + -- Vincent Bernat Sat, 06 Feb 2021 18:52:20 +0100 + +haproxy (2.2.8-1) unstable; urgency=medium + + * New upstream release. + - Revert "BUG/MINOR: dns: SRV records ignores duplicated AR records" + + -- Vincent Bernat Thu, 14 Jan 2021 11:48:52 +0100 + +haproxy (2.2.7-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: ring: tcp forward on ring can break the reader counter. + - BUG/MAJOR: spoa/python: Fixing return None + + -- Vincent Bernat Sat, 09 Jan 2021 15:31:08 +0100 + +haproxy (2.2.6-2) unstable; urgency=medium + + * d/tests: sleep before test to let Apache2 start. + Closes: #976997. + + -- Vincent Bernat Thu, 07 Jan 2021 07:56:14 +0100 + +haproxy (2.2.6-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: filters: Always keep all offsets up to date during data + filtering + - BUG/MAJOR: peers: fix partial message decoding + - BUG/MAJOR: spoe: Be sure to remove all references on a released spoe + applet + - BUG/MAJOR: tcpcheck: Allocate input and output buffers from the buffer + pool + * d/patches: remove patches applied upstream + + -- Vincent Bernat Mon, 30 Nov 2020 20:02:49 +0100 + +haproxy (2.2.5-2) unstable; urgency=medium + + * Upload to unstable. + + -- Vincent Bernat Wed, 11 Nov 2020 16:21:12 +0100 + +haproxy (2.2.5-1) experimental; urgency=medium + + * New upstream release. 
+ - BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer + possible + * d/patches: warn if payload of an errorfile doesn't match the C-L + + -- Vincent Bernat Sun, 08 Nov 2020 19:12:02 +0100 + +haproxy (2.2.4-1) experimental; urgency=medium + + * New upstream release. + * d/patches: drop patch for ARM32 + + -- Vincent Bernat Fri, 02 Oct 2020 21:29:56 +0200 + +haproxy (2.2.3-2) experimental; urgency=medium + + * d/patches: add upstream patch to fix build on ARM32 + + -- Vincent Bernat Wed, 09 Sep 2020 19:38:52 +0200 + +haproxy (2.2.3-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: dns: disabled servers through SRV records never recover + + -- Vincent Bernat Tue, 08 Sep 2020 23:12:05 +0200 + +haproxy (2.2.2-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: dns: don't treat Authority records as an error + - BUG/MAJOR: dns: fix null pointer dereference in + snr_update_srv_status + + -- Vincent Bernat Sat, 01 Aug 2020 17:06:42 +0200 + +haproxy (2.2.1-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: tasks: don't requeue global tasks into the local + queue + - BUG/MAJOR: dns: Make the do-resolve action thread-safe + + -- Vincent Bernat Thu, 23 Jul 2020 13:39:14 +0200 + +haproxy (2.2.0-1) experimental; urgency=medium + + * New upstream version. + * Upload to experimental + * Update d/watch to look for 2.2 stable releases + * d/gbp.conf: set branch names for 2.2 + * d/patches: refresh patches + + -- Vincent Bernat Tue, 14 Jul 2020 16:53:23 +0200 + +haproxy (2.1.7-1) experimental; urgency=medium + + * New upstream version. + + -- Vincent Bernat Fri, 12 Jun 2020 07:50:48 +0200 + +haproxy (2.1.5-1) experimental; urgency=medium + + * New upstream version. 
+ - BUG/MAJOR: mux-fcgi: Stop sending loop if FCGI stream is blocked for + any reason + - Revert "BUG/MINOR: connection: always send address-less LOCAL PROXY + connections" + - Revert "BUG/MINOR: connection: make sure to correctly tag local + PROXY connections" + + -- Vincent Bernat Mon, 01 Jun 2020 08:52:56 +0200 + +haproxy (2.1.4-1) experimental; urgency=medium + + * New upstream version. + - BUG/CRITICAL: hpack: never index a header into the headroom after + wrapping + - BUG/MAJOR: http-ana: Always abort the request when a tarpit is + triggered + - BUG/MAJOR: list: fix invalid element address calculation + - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths + * d/control: fix maintainer address. Closes: #955553. + + -- Vincent Bernat Sun, 12 Apr 2020 13:29:54 +0200 + +haproxy (2.1.3-3) experimental; urgency=medium + + * d/copryight: document OpenSSL exception. Closes: #951782. + * d/haproxy.cfg: use "ssl-min-ver" to set minimum version. + * d/patches: fix an overflow in HTTP/2 header handling. + Fix CVE-2020-11100. + + -- Vincent Bernat Wed, 01 Apr 2020 21:18:57 +0200 + +haproxy (2.1.3-2) experimental; urgency=medium + + * d/dconv: use Python 3 to build the documentation. + Closes: #948296, #950435. + * d/dconv: replace cgi.escape by html.escape. Closes: #951416. + + -- Vincent Bernat Wed, 19 Feb 2020 07:53:53 +0100 + +haproxy (2.1.3-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: hashes: fix the signedness of the hash inputs + - BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is + empty. + + -- Vincent Bernat Mon, 20 Jan 2020 06:53:23 +0100 + +haproxy (2.1.2-1) experimental; urgency=medium + + * New upstream version 2.1.2. + - BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing + * d/logrotate.conf: use rsyslog helper instead of SysV init script. + Closes: #946973. 
+ + -- Vincent Bernat Fri, 20 Dec 2019 08:20:33 +0100 + +haproxy (2.1.1-1) experimental; urgency=medium + + * New upstream version 2.1.1. + - BUG/MAJOR: dns: add minimalist error processing on the Rx path + + -- Vincent Bernat Sat, 14 Dec 2019 11:20:32 +0100 + +haproxy (2.1.0-2) experimental; urgency=medium + + * Link against libatomic on riscv64 + + -- Apollon Oikonomopoulos Fri, 29 Nov 2019 14:03:49 +0200 + +haproxy (2.1.0-1) experimental; urgency=medium + + * New upstream version 2.1.0 + * Upload to experimental + * Update d/watch to look for 2.1 stable releases + * d/gbp.conf: set branch names for 2.1 + * Bump Standards-Version to 4.4.1; no changes needed + * Bump dh compat level to 12 + + B-D on debhelper-compat and remove debian/compat + + Override dh_installsystemd with the same args as dh_installinit + + Add ${misc:Pre-Depends} to haproxy's Pre-Depends + + -- Apollon Oikonomopoulos Wed, 27 Nov 2019 23:30:30 +0200 + +haproxy (2.0.19-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer + possible + + -- Vincent Bernat Fri, 06 Nov 2020 19:33:59 +0100 + +haproxy (2.0.18-1) unstable; urgency=medium + + * New upstream release. + + -- Vincent Bernat Wed, 30 Sep 2020 13:41:09 +0200 + +haproxy (2.0.17-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: dns: Make the do-resolve action thread-safe + + -- Vincent Bernat Sat, 01 Aug 2020 20:05:01 +0200 + +haproxy (2.0.16-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: stream: Mark the server address as unset on new outgoing + connection + * d/patches: refresh patches. + + -- Vincent Bernat Sat, 18 Jul 2020 13:50:56 +0200 + +haproxy (2.0.15-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: stream-int: always detach a faulty endpoint on connect + failure + + -- Vincent Bernat Sat, 13 Jun 2020 18:48:25 +0200 + +haproxy (2.0.14-1) unstable; urgency=medium + + * New upstream release. 
+ - BUG/CRITICAL: hpack: never index a header into the headroom after + wrapping + - BUG/MAJOR: http-ana: Always abort the request when a tarpit is + triggered + - BUG/MAJOR: list: fix invalid element address calculation + - BUG/MAJOR: proxy_protocol: Properly validate TLV lengths + * d/control: fix maintainer address. Closes: #955553. + + -- Vincent Bernat Thu, 16 Apr 2020 18:34:22 +0200 + +haproxy (2.0.13-2) unstable; urgency=medium + + * d/dconv: replace cgi.escape by html.escape. Closes: #951416. + * d/copryight: document OpenSSL exception. Closes: #951782. + * d/haproxy.cfg: use "ssl-min-ver" to set minimum version. + * Apply one patch to fix an overflow in HTTP/2 header handling. + Fix CVE-2020-11100. + + -- Vincent Bernat Wed, 01 Apr 2020 21:49:32 +0200 + +haproxy (2.0.13-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: hashes: fix the signedness of the hash inputs + - BUG/MAJOR: memory: Don't forget to unlock the rwlock if the pool is + empty. + * d/dconv: use Python 3 to build the documentation. + Closes: #948296, #950435. + + -- Vincent Bernat Sat, 15 Feb 2020 15:32:32 +0100 + +haproxy (2.0.12-1) unstable; urgency=medium + + * New upstream version. + - BUG/MAJOR: task: add a new TASK_SHARED_WQ flag to fix foreign requeuing + * d/logrotate.conf: use rsyslog helper instead of SysV init script. + Closes: #946973. + + -- Vincent Bernat Fri, 20 Dec 2019 08:20:33 +0100 + +haproxy (2.0.11-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: dns: add minimalist error processing on the Rx path + + -- Vincent Bernat Fri, 13 Dec 2019 19:22:03 +0100 + +haproxy (2.0.10-1) unstable; urgency=medium + + * New upstream release. 
+ - BUG/MAJOR: h2: make header field name filtering stronger + - BUG/MAJOR: h2: reject header values containing invalid chars + - BUG/MAJOR: mux-h2: don't try to decode a response HEADERS frame in + idle state + + -- Vincent Bernat Tue, 26 Nov 2019 13:22:17 +0100 + +haproxy (2.0.9-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: stream-int: Don't receive data from mux until SI_ST_EST + is reached + + -- Vincent Bernat Sat, 16 Nov 2019 17:38:51 +0100 + +haproxy (2.0.8-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: idle conns: schedule the cleanup task on the correct + threads + + -- Vincent Bernat Wed, 23 Oct 2019 08:55:55 +0200 + +haproxy (2.0.7-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: mux-h2: Handle HEADERS frames received after a RST_STREAM + frame + - BUG/MAJOR: mux_h2: Don't consume more payload than received for + skipped frames + - BUG/MEDIUM: checks: make sure the connection is ready before trying + to recv + + -- Vincent Bernat Fri, 27 Sep 2019 19:14:12 +0200 + +haproxy (2.0.6-2) unstable; urgency=medium + + * d/patches: fix regression with checks. + + -- Vincent Bernat Wed, 18 Sep 2019 08:02:53 +0200 + +haproxy (2.0.6-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: ssl: ssl_sock was not fully initialized. + + -- Vincent Bernat Fri, 13 Sep 2019 21:25:38 +0200 + +haproxy (2.0.5-1) unstable; urgency=medium + + * New upstream release. + - BUG/MEDIUM: mux_h1: Don't bother subscribing in recv if we're not + connected. + - BUG/MEDIUM: mux_pt: Don't call unsubscribe if we did not subscribe. + - BUG/MEDIUM: proxy: Don't forget the SF_HTX flag when upgrading + TCP=>H1+HTX. + - BUG/MEDIUM: proxy: Don't use cs_destroy() when freeing the + conn_stream. + - BUG/MEDIUM: stick-table: Wrong stick-table backends parsing. + + -- Vincent Bernat Fri, 16 Aug 2019 19:51:24 +0200 + +haproxy (2.0.4-1) unstable; urgency=medium + + * New upstream release. Upload to unstable. 
+ - BUG/MAJOR: http/sample: use a static buffer for raw -> htx + conversion + - BUG/MAJOR: queue/threads: avoid an AB/BA locking issue in + process_srv_queue() + * d/haproxy.cfg: update default cipher lists to more secure defaults. + TLSv1.0 and TLSv1.1 are disabled, as well as TLS tickets (they are + breaking forward secrecy unless correctly rotated). + Closes: #932763. + + -- Vincent Bernat Fri, 09 Aug 2019 14:22:23 +0200 + +haproxy (2.0.3-1) experimental; urgency=medium + + * New upstream version. + - BUG/CRITICAL: http_ana: Fix parsing of malformed cookies which start by + a delimiter (CVE-2019-14241) + - BUG/MEDIUM: checks: Don't attempt to receive data if we already + subscribed. + - BUG/MEDIUM: http/htx: unbreak option http_proxy + - DOC: htx: Update comments in HTX files + - BUG/MEDIUM: mux-h1: Trim excess server data at the end of a transaction + - BUG/MEDIUM: tcp-checks: do not dereference inexisting conn_stream + * Bump Standards-Version to 4.4.0; no changes needed + + -- Apollon Oikonomopoulos Tue, 23 Jul 2019 13:31:31 -0300 + +haproxy (2.0.2-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: listener: fix thread safety in resume_listener() + + -- Vincent Bernat Wed, 17 Jul 2019 12:19:54 +0200 + +haproxy (2.0.1-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: sample: Wrong stick-table name parsing in "if/unless" ACL + condition. + - BUG/MAJOR: mux-h1: Don't crush trash chunk area when outgoing + message is formatted + * d/rules: fix crash during reload due to libgcc_s.so missing when + chrooted. + + -- Vincent Bernat Mon, 24 Jun 2019 19:28:26 +0200 + +haproxy (2.0.0-1) experimental; urgency=medium + + * New upstream version. + * d/watch: update to follow 2.0. + * d/gbp.conf: update for 2.0 and experimental. + * d/rules: update to use linux-glibc target. + * d/rules: enable prometheus exporter. + * d/patches: refresh patches. + * d/vim-haproxy.install: update path to vim syntax file. 
+ * d/README.Debian: remove outdated information. + + -- Vincent Bernat Thu, 20 Jun 2019 11:40:19 +0200 + +haproxy (1.9.8-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: map/acl: real fix segfault during show map/acl on CLI + - BUG/MAJOR: mux-h2: do not add a stream twice to the send list + + -- Vincent Bernat Thu, 16 May 2019 01:50:10 +0200 + +haproxy (1.9.7-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: http_fetch: Get the channel depending on the keyword used + - BUG/MAJOR: lb/threads: fix AB/BA locking issue in round-robin LB + - BUG/MAJOR: lb/threads: fix insufficient locking on round-robin LB + - BUG/MAJOR: muxes: Use the HTX mode to find the best mux for HTTP + proxies only + - BUG/MAJOR: task: make sure never to delete a queued task + + -- Vincent Bernat Sun, 28 Apr 2019 17:37:04 +0200 + +haproxy (1.9.6-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: checks: segfault during tcpcheck_main + + -- Vincent Bernat Sat, 30 Mar 2019 12:43:33 +0100 + +haproxy (1.9.5-1) experimental; urgency=medium + + * New upstream version. + - BUG/MAJOR: cache/htx: Set the start-line offset when a cached object + is served + - BUG/MAJOR: fd/threads, task/threads: ensure all spin locks are + unlocked + - BUG/MAJOR: listener: Make sure the listener exist before using it. + - BUG/MAJOR: mux-h2: fix race condition between close on both ends + - BUG/MAJOR: spoe: Don't try to get agent config during SPOP + healthcheck + - BUG/MAJOR: spoe: Fix initialization of thread-dependent fields + - BUG/MAJOR: stats: Fix how huge POST data are read from the channel + - BUG/MAJOR: stream: avoid double free on unique_id + - BUG/MAJOR: tasks: Use the TASK_GLOBAL flag to know if we're in the + global rq. + + -- Vincent Bernat Tue, 19 Mar 2019 20:13:48 +0100 + +haproxy (1.9.4-1) experimental; urgency=medium + + * New upstream version. 
+ - BUG/MAJOR: config: verify that targets of track-sc and stick rules
+ are present
+ - BUG/MAJOR: htx/backend: Make all tests on HTTP messages compatible
+ with HTX
+ - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their
+ callers' processes
+
+ -- Vincent Bernat Thu, 07 Feb 2019 12:48:42 +0100
+
+haproxy (1.9.3-1) experimental; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: mux-h2: don't destroy the stream on failed allocation in
+ h2_snd_buf()
+ - BUG/MEDIUM: checks: fix recent regression on agent-check making it
+ crash
+ - BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
+
+ -- Vincent Bernat Tue, 29 Jan 2019 12:59:10 +0100
+
+haproxy (1.9.2-1) experimental; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache
+ key
+ - BUG/MEDIUM: checks: Avoid having an associated server for email
+ checks.
+ - BUG/MEDIUM: connection: properly unregister the mux on failed
+ initialization
+ - BUG/MEDIUM: h1: Get the h1m state when restarting the headers
+ parsing
+ - BUG/MEDIUM: h1: Make sure we destroy an inactive connectin that did
+ shutw.
+ - BUG/MEDIUM: init: Initialize idle_orphan_conns for first server in
+ server-template
+ - BUG/MEDIUM: mux-h2: decode trailers in HEADERS frames
+ - BUG/MEDIUM: ssl: Disable anti-replay protection and set max data
+ with 0RTT.
+ - BUG/MEDIUM: ssl: missing allocation failure checks loading tls key
+ file
+ - BUG/MEDIUM: stats: Get the right scope pointer depending on HTX is
+ used or not
+ * d/patches: removal of CVE-2018-20615.patch (applied upstream)
+
+ -- Vincent Bernat Thu, 17 Jan 2019 19:19:27 +0100
+
+haproxy (1.9.0-2) experimental; urgency=medium
+
+ * Fix out-of-bounds read in HTTP2 mux (CVE-2018-20615).
+ Possible crash in H2 HEADERS frame decoder when the PRIORITY flag
+ is present, due to a missing frame size check.
+ * Bump Standards-Version to 4.3.0; no changes needed.
+
+ -- Apollon Oikonomopoulos Thu, 03 Jan 2019 12:41:02 +0200
+
+haproxy (1.9.0-1) experimental; urgency=medium
+
+ * New upstream version 1.9.0.
+ See https://www.haproxy.com/blog/haproxy-1-9-has-arrived/.
+ * d/watch: update to follow 1.9.
+ * d/gbp.conf: update for 1.9 and experimental.
+ * d/rules: do not override CFLAGS, hijack DEBUG_CFLAGS for this instead.
+ * d/patches: add regression fix for DNS.
+
+ -- Vincent Bernat Fri, 21 Dec 2018 11:13:41 +0100
+
+haproxy (1.8.15-1) unstable; urgency=high
+
+ [ Vincent Bernat ]
+ * d/rules: switch to pcre2. Closes: #911933.
+
+ [ Apollon Oikonomopoulos ]
+ * New upstream version 1.8.15
+ - BUG: dns: Fix off-by-one write in dns_validate_dns_response() (
+ - BUG: dns: Fix out-of-bounds read via signedness error in
+ dns_validate_dns_response()
+ - BUG: dns: Prevent out-of-bounds read in dns_read_name()
+ - BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
+ (CVE-2018-20102, closes: #916308)
+ - BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name
+ (CVE-2018-20103, closes: #916307)
+ - BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
+
+ -- Apollon Oikonomopoulos Fri, 14 Dec 2018 15:31:04 +0200
+
+haproxy (1.8.14-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/CRITICAL: hpack: fix improper sign check on the header index
+ value (already fixed in 1.8.13-2)
+ - BUG/MAJOR: kqueue: Don't reset the changes number by accident.
+ - BUG/MAJOR: thread: lua: Wrong SSL context initialization.
+
+ -- Vincent Bernat Sun, 23 Sep 2018 12:25:03 +0200
+
+haproxy (1.8.13-2) unstable; urgency=high
+
+ * Fix improper sign check on the HPACK header index value (CVE-2018-14645)
+ * Bump Standards-Version to 4.2.1; no changes needed
+
+ -- Apollon Oikonomopoulos Wed, 19 Sep 2018 22:46:58 +0300
+
+haproxy (1.8.13-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MEDIUM: h2: don't accept new streams if conn_streams are still
+ in excess
+ - BUG/MEDIUM: h2: make sure the last stream closes the connection
+ after a timeout
+ - BUG/MEDIUM: h2: never leave pending data in the output buffer on close
+ - BUG/MEDIUM: h2: prevent orphaned streams from blocking a connection
+ forever
+ - BUG/MEDIUM: stats: don't ask for more data as long as we're responding
+ - BUG/MEDIUM: stream-int: don't immediately enable reading when the
+ buffer was reportedly full
+ - BUG/MEDIUM: threads/sync: use sched_yield when available
+ - BUG/MEDIUM: threads: Fix the exit condition of the thread barrier
+ - BUG/MEDIUM: threads: properly fix nbthreads == MAX_THREADS
+ - BUG/MEDIUM: threads: unbreak "bind" referencing an incorrect thread
+ number
+ * d/patches: drop systemd exit status patch (applied upstream).
+
+ -- Vincent Bernat Wed, 01 Aug 2018 11:36:20 +0200
+
+haproxy (1.8.12-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: stick_table: Complete incomplete SEGV fix
+
+ -- Vincent Bernat Wed, 27 Jun 2018 20:05:50 +0200
+
+haproxy (1.8.11-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: Stick-tables crash with segfault when the key is not in
+ the stick-table
+
+ -- Vincent Bernat Tue, 26 Jun 2018 18:26:05 +0200
+
+haproxy (1.8.10-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: lua: Dead lock with sockets
+ - BUG/MAJOR: map: fix a segfault when using http-request set-map
+ - BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot
+ - BUG/MAJOR: ssl: Random crash with cipherlist capture
+ - BUG/MEDIUM: cache: don't cache when an Authorization header is present
+ - BUG/MEDIUM: dns: Delay the attempt to run a DNS resolution on check
+ failure.
+ - BUG/MEDIUM: fd: Don't modify the update_mask in fd_dodelete().
+ - BUG/MEDIUM: fd: Only check update_mask against all_threads_mask.
+ - BUG/MEDIUM: servers: Add srv_addr default placeholder to the state file
+ - BUG/MEDIUM: stick-tables: Decrement ref_cnt in table_* converters
+ - BUG/MEDIUM: threads: Use the sync point to check active jobs and exit
+ - BUG/MEDIUM: threads: handle signal queue only in thread 0
+ * Remove patch from CVE. Included upstream.
+ * d/patches: add a patch for clean stop with systemd.
+
+ -- Vincent Bernat Fri, 22 Jun 2018 20:21:37 +0200
+
+haproxy (1.8.9-2) unstable; urgency=high
+
+ * d/patches: fix CVE-2018-11469: do not cache when an Authorization
+ header is present. Closes: #900084.
+
+ -- Vincent Bernat Sat, 26 May 2018 16:05:07 +0200
+
+haproxy (1.8.9-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: channel: Fix crash when trying to read from a closed socket
+ - BUG/MEDIUM: h2: implement missing support for chunked encoded uploads
+ - BUG/MEDIUM: http: don't always abort transfers on CF_SHUTR
+ - BUG/MEDIUM: lua: Fix segmentation fault if a Lua task exits
+ - BUG/MEDIUM: pollers: Use a global list for fd shared between threads
+ - BUG/MEDIUM: ssl: properly protect SSL cert generation
+ - BUG/MEDIUM: task: Don't free a task that is about to be run
+ - BUG/MEDIUM: threads: Fix the sync point for more than 32 threads
+ * d/rsyslog.conf: use modern syntax and statements, thanks to Guillem
+ Jover. Closes: #897914.
+
+ -- Vincent Bernat Sat, 19 May 2018 15:00:17 +0200
+
+haproxy (1.8.8-1) unstable; urgency=high
+
+ * New upstream version.
+ - BUG/CRITICAL: h2: fix incorrect frame length check
+
+ -- Vincent Bernat Thu, 19 Apr 2018 17:51:55 +0200
+
+haproxy (1.8.7-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: cache: always initialize newly created objects
+ * d/control: switch maintainer address to tracker.debian.org.
+
+ -- Vincent Bernat Sat, 07 Apr 2018 07:58:34 +0200
+
+haproxy (1.8.6-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: cache: fix random crashes caused by incorrect delete() on
+ non-first blocks
+ - BUG/MAJOR: h2: remove orphaned streams from the send list before closing
+ - BUG/MEDIUM: h2/threads: never release the task outside of the task
+ handler
+ - BUG/MEDIUM: h2: always add a stream to the send or fctl list when
+ blocked
+ - BUG/MEDIUM: h2: don't consider pending data on detach if connection
+ is in error
+
+ -- Vincent Bernat Thu, 05 Apr 2018 21:08:12 +0200
+
+haproxy (1.8.5-1) unstable; urgency=medium
+
+ * New upstream version.
+ - BUG/MAJOR: threads/queue: Fix thread-safety issues on the queues
+ management
+ - BUG/MEDIUM: buffer: Fix the wrapping case in bi_putblk
+ - BUG/MEDIUM: buffer: Fix the wrapping case in bo_putblk
+ - BUG/MEDIUM: fix a 100% cpu usage with cpu-map and nbthread/nbproc
+ - BUG/MEDIUM: h2: also arm the h2 timeout when sending
+ - BUG/MEDIUM: h2: always consume any trailing data after end of output
+ buffers
+ - BUG/MEDIUM: h2: properly account for DATA padding in flow control
+ - BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as earlier
+ as possible
+ - BUG/MEDIUM: spoe: Remove idle applets from idle list when HAProxy is
+ stopping
+ - BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
+ - BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
+ unrecovarable.
+ - BUG/MEDIUM: ssl: Shutdown the connection for reading on
+ SSL_ERROR_SYSCALL
+ - BUG/MEDIUM: tcp-check: single connect rule can't detect DOWN servers
+ - BUG/MEDIUM: threads/queue: wake up other threads upon dequeue
+ - BUG/MEDIUM: threads/unix: Fix a deadlock when a listener is
+ temporarily disabled
+ * Upload to unstable.
+ * d/control: update Vcs-* fields to salsa.debian.org.
+
+ -- Vincent Bernat Sun, 25 Mar 2018 11:31:25 +0200
+
+haproxy (1.8.4-1) experimental; urgency=medium
+
+ * New upstream stable release.
+ * d/patches: document why dconv patch is not in series.
+ * d/docs: ship NOTICE file in haproxy-doc.
+ + -- Vincent Bernat Sat, 10 Feb 2018 08:43:36 +0100 + +haproxy (1.8.3-1) experimental; urgency=medium + + * New upstream stable release. + * Change default configuration of stats socket to support hitless + reload. + + -- Vincent Bernat Tue, 02 Jan 2018 18:48:24 +0100 + +haproxy (1.8.2-1) experimental; urgency=medium + + * New upstream stable release + * Refresh patches + * Bump Standards-Version to 4.1.2; no changes needed + + -- Apollon Oikonomopoulos Sun, 24 Dec 2017 14:28:28 +0200 + +haproxy (1.8.1-1) experimental; urgency=medium + + * New upstream stable release. + * Enable PCRE JIT. + * systemd: replace Wants/After=syslog.service with After=rsyslog.service + (Closes: #882610) + + -- Apollon Oikonomopoulos Sun, 03 Dec 2017 23:59:03 +0200 + +haproxy (1.8.0-2) experimental; urgency=medium + + * Use libatomic on platforms without 64-bit atomics. Fixes FTBFS on armel, + mips, mipsel, powerpc, powerpcspe, sh4 and m68k. + * d/rules: use variables defined in architecture.mk and buildflags.mk + * d/rules: drop unreachable else case. + + -- Apollon Oikonomopoulos Wed, 29 Nov 2017 01:21:40 +0200 + +haproxy (1.8.0-1) experimental; urgency=medium + + * New upstream stable series. Notable new features include: + + HTTP/2 support + + Support for multiple worker threads to allow scalability across CPUs + (e.g. for SSL termination) + + Seamless reloads + + HTTP small object caching + + Dynamic backend server configuration + See https://www.haproxy.com/blog/whats-new-haproxy-1-8/ and + https://www.mail-archive.com/haproxy@formilux.org/msg28004.html for more + detailed descriptions of the new features. + * Upload to experimental + * Refresh all patches. + * d/watch: switch to the 1.8.x upstream stable series + * Bump Standards to 4.1.1 + + Switch haproxy-doc to Priority: optional from extra. 
+ * Bump compat to 10: + + B-D on debhelper (>= 10) + + Drop explicit dh-systemd dependency and invocation + + Replace --no-restart-on-upgrade with --no-restart-after-upgrade + --no-stop-on-upgrade to make up for DH 10 defaults. + * B-D on libsystemd-dev and enable sd_notify() support on Linux. + * B-D on python3-sphinx instead of python-sphinx. + * d/rules: do not call dpkg-parsechangelog directly. + * d/copyright: drop obsolete section. + * Drop obsolete lintian overrides. + * Do a full-service restart when upgrading from pre-1.8 versions and running + under systemd, to migrate to the new process model and service type. + + Document this in d/NEWS as well. + + -- Apollon Oikonomopoulos Tue, 28 Nov 2017 22:25:11 +0200 + +haproxy (1.7.10-1) unstable; urgency=medium + + * New upstream version release (see CHANGELOG): + - BUG/MAJOR: stream-int: don't re-arm recv if send fails + - BUG/MAJOR: stream: ensure analysers are always called upon close + - BUG/MEDIUM: compression: Fix check on txn in smp_fetch_res_comp_algo + - BUG/MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH + - BUG/MEDIUM: deinit: correctly deinitialize the proxy and global + listener tasks + - BUG/MEDIUM: deviceatlas: ignore not valuable HTTP request data + - BUG/MEDIUM: epoll: ensure we always consider HUP and ERR + - BUG/MEDIUM: http: Close streams for connections closed before a + redirect + - BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in + TUNNEL mode + - BUG/MEDIUM: http: Return an error when url_dec sample converter + failed + - BUG/MEDIUM: http: don't automatically forward request close + - BUG/MEDIUM: http: don't disable lingering on requests with tunnelled + responses + - BUG/MEDIUM: kqueue: Don't bother closing the kqueue after fork. 
+ - BUG/MEDIUM: lua: HTTP services must take care of body-less status
+ codes
+ - BUG/MEDIUM: lua: fix crash when using bogus mode in
+ register_service()
+ - BUG/MEDIUM: peers: set NOLINGER on the outgoing stream interface
+ - BUG/MEDIUM: prevent buffers being overwritten during build_logline()
+ execution
+ - BUG/MEDIUM: ssl: fix OCSP expiry calculation
+ - BUG/MEDIUM: stream: don't ignore res.analyse_exp anymore
+ - BUG/MEDIUM: stream: properly set the required HTTP analysers on
+ use-service
+ - BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O
+ handlers!
+ - BUG/MEDIUM: tcp-check: properly indicate polling state before
+ performing I/O
+ - BUG/MEDIUM: tcp/http: set-dst-port action broken
+ * Fix VERDATE build argument to really use changelog date.
+ * Bump compat to 10.
+ * d/control: B-D on python3-sphinx instead of python-sphinx.
+ * d/control: make haproxy-doc Priority: optional.
+ * d/rules: enable PCRE JIT.
+ * d/rules: use variables defined in *.mk.
+ * d/patches: refresh and replace Wants/After=syslog.service with
+ After=rsyslog.service. Closes: #882610.
+
+ -- Vincent Bernat Wed, 03 Jan 2018 08:29:48 +0100
+
+haproxy (1.7.9-1) unstable; urgency=medium
+
+ * New upstream version release (see CHANGELOG):
+ - BUG/MAJOR: lua/socket: resources not destroyed when the socket is
+ aborted
+ - BUG/MEDIUM: lua: bad memory access
+ - BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body
+ length is undefined
+
+ -- Vincent Bernat Sat, 19 Aug 2017 12:05:02 +0200
+
+haproxy (1.7.8-1) unstable; urgency=medium
+
+ * New upstream version release (see CHANGELOG):
+ - BUG/MAJOR: cli: fix custom io_release was crushed by NULL.
+ - BUG/MAJOR: compression: Be sure to release the compression state in
+ all cases
+ - BUG/MAJOR: map: fix segfault during 'show map/acl' on cli.
+ - BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both
+ channels
+ - BUG/MEDIUM: map/acl: fix unwanted flags inheritance.
+ * Bump Standards-Version to 4.0.0.
No changes needed.
+ * Update d/watch to use https.
+
+ -- Vincent Bernat Sat, 08 Jul 2017 08:24:35 +0200
+
+haproxy (1.7.7-1) unstable; urgency=medium
+
+ * New upstream version release (see CHANGELOG):
+ - BUG/MEDIUM: http: Drop the connection establishment when a redirect
+ is performed
+ - BUG/MEDIUM: cfgparse: Check if tune.http.maxhdr is in the range
+ 1..32767
+
+ -- Vincent Bernat Mon, 26 Jun 2017 14:06:48 +0200
+
+haproxy (1.7.6-1) unstable; urgency=medium
+
+ * New upstream version release (see CHANGELOG):
+ - BUG/MAJOR: Use -fwrapv.
+ - BUG/MAJOR: http: call manage_client_side_cookies() before erasing
+ the buffer
+ - BUG/MAJOR: server: Segfault after parsing server state file.
+ - BUG/MEDIUM: acl: don't free unresolved args in prune_acl_expr()
+ - BUG/MEDIUM: acl: proprely release unused args in prune_acl_expr()
+ - BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments
+ on error
+ - BUG/MEDIUM: lua: memory leak
+ - BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return
+ anything
+ - BUG/MEDIUM: peers: Peers CLOSE_WAIT issue.
+ - BUG/MEDIUM: unix: never unlink a unix socket from the file system
+
+ -- Vincent Bernat Sun, 18 Jun 2017 12:34:40 +0200
+
+haproxy (1.7.5-2) unstable; urgency=medium
+
+ * Enable getaddrinfo() support, allowing resolution of hostnames to IPv6
+ addresses (Closes: #862780). Thanks to Anton Eliasson
+ !
+
+ -- Apollon Oikonomopoulos Wed, 17 May 2017 13:01:45 +0300
+
+haproxy (1.7.5-1) unstable; urgency=medium
+
+ * New upstream version release (see CHANGELOG):
+ - BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
+ - BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers + - BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is + enabled + + -- Apollon Oikonomopoulos Tue, 04 Apr 2017 14:25:38 +0300 + +haproxy (1.7.4-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + - BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the + data layer + - BUG/MAJOR: http: fix typo in http_apply_redirect_rule + - BUG/MAJOR: stream-int: do not depend on connection flags to detect + connection + - BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup + - BUG/MEDIUM: connection: ensure to always report the end of handshakes + - BUG/MEDIUM: listener: do not try to rebind another process' socket + - BUG/MEDIUM: stream: fix client-fin/server-fin handling + - BUG/MEDIUM: tcp: don't require privileges to bind to device + + -- Vincent Bernat Fri, 31 Mar 2017 11:01:14 +0200 + +haproxy (1.7.3-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + - BUG/MAJOR: lua segmentation fault when the request is like 'GET + ?arg=val HTTP/1.1' + - BUG/MAJOR: dns: restart sockets after fork() + - BUG/MEDIUM: tcp: don't poll for write when connect() succeeds + - BUG/MEDIUM: http: prevent redirect from overwriting a buffer + - BUG/MEDIUM: filters: Do not truncate HTTP response when body length + is undefined + - BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer + - BUG/MEDIUM: config: reject anything but "if" or "unless" after a + use-backend rule + + -- Vincent Bernat Wed, 01 Mar 2017 20:03:12 +0100 + +haproxy (1.7.2-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + Fix a regression whereby fragmented requests were randomly flagged as + bad requests depending on previous buffer contents; this was noticable + under low load with authenticated requests. + + Fix dynamic address resolution for IPv6-only hosts. + + Make sure SSL sessions are not reused when the SNI changes. 
This makes + SNI and SSL health checks play nice together. + + Minor improvements: + - Add the ability to perform actions on multiple servers via the stats + page. + - Add the ability to specify a custom HTTP reason field in generated + responses. + - New sample fetch function, `fc_rcvd_proxy', indicating wheter the + PROXY protocol was used on the frontend for a connection or not. + + -- Apollon Oikonomopoulos Fri, 13 Jan 2017 14:49:05 +0200 + +haproxy (1.7.1-1) unstable; urgency=medium + + * New upstream stable release. + * Upload to unstable. + * Notable new features since 1.6: + + SPOE (stream processing offload engine) : ability to delegate some + slow, unreliable or dangerous processing to external processes. + + More statistics in the CSV output. + + Support of directories for config files: if the argument to -f + is a directory, all files found there are loaded in alphabetical order. + + It is now possible to set/unset/preset environment variables directly in + the global section and query them through the CLI. + + The CLI makes it possible to change a server's address, port, maxconn, + check address and port at runtime, without reloading haproxy. + + Support for multiple certificates: different certificates for the same + domain so that the best one can be picked according to browser support. + The main use is to be able to deliver ECDSA certificates to clients + supporting them, without breaking compatibility with older clients. + + SO_REUSEPORT is now configurable and can be disabled. + + Updates to the Lua API, including new classes to access many internal + objects like listeners, servers, proxies etc. + + Support for a new type of maps consisting of regular expressions with + replacement values. + + -- Apollon Oikonomopoulos Tue, 13 Dec 2016 12:32:32 +0200 + +haproxy (1.7.0-1) experimental; urgency=medium + + * New upstream stable series. 
+ + -- Apollon Oikonomopoulos Fri, 25 Nov 2016 18:00:55 +0200 + +haproxy (1.7~dev6-1) experimental; urgency=medium + + * New upstream development release (Closes: #828337) + * Upload to experimental + * d/watch: look for 1.7 + * B-D on zlib1g-dev + * haproxy: Depend on lsb-base for the initscript + * Ship additional plain-text documentation + * haproxy-doc: ship HTML version of management.txt + * Update the default SSL cipher list and add a link to Mozilla's SSL + configuration generator (Closes: #840735) + * d/rules: use SUBVERS to pass the Debian revision to HAPROXY_VERSION + + -- Apollon Oikonomopoulos Thu, 10 Nov 2016 16:02:27 +0200 + +haproxy (1.6.10-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + Fix retransmits in proxy mode and rare cases of unkillable tasks. + + systemd wrapper: do not leave old processes behind when reloading too + fast. + + systemd wrapper: correctly set the status code. + + Fix two bugs in the peers' task management possibly causing some + CLOSE_WAIT connection after some rare race conditions. + + Make SO_REUSEPORT use configurable via the "-dR" command line switch + or the "noreuseport" config option in the global section. + * B-D on libssl1.0-dev (Closes: #828337); upstream does not currently + support OpenSSL 1.1 for the 1.6 series. + * haproxy: depend on lsb-base for the initscript's use of + /lib/lsb/init-functions. + + -- Apollon Oikonomopoulos Mon, 21 Nov 2016 11:46:16 +0200 + +haproxy (1.6.9-2) unstable; urgency=medium + + * Enable Linux namespace support. + * Pass the full Debian version and package release date from d/changelog to + the build system. + * initscript: reorder the reload command arguments to always parse EXTRAOPTS + properly. 
+ + -- Apollon Oikonomopoulos Wed, 28 Sep 2016 10:45:43 +0300 + +haproxy (1.6.9-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: stream: properly mark the server address as unset on + connect retry + + -- Vincent Bernat Wed, 31 Aug 2016 07:44:27 +0200 + +haproxy (1.6.8-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: compression: initialize avail_in/next_in even during + flush + + BUG/MAJOR: server: the "sni" directive could randomly cause trouble + + BUG/MAJOR: stick-counters: possible crash when using sc_trackers + with wrong table + + -- Vincent Bernat Sun, 14 Aug 2016 14:17:08 +0200 + +haproxy (1.6.7-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: fix use-after-free crash on start + + BUG/MEDIUM: dns: fix alignment issues in the DNS response parser + + -- Vincent Bernat Thu, 14 Jul 2016 08:29:43 +0200 + +haproxy (1.6.6-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: fix listening IP address storage for frontends + + BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes + + BUG/MEDIUM: stick-tables: fix breakage in table converters + + BUG/MEDIUM: dns: unbreak DNS resolver after header fix + + BUG/MEDIUM: stats: show servers state may show an servers from another + backend + + BUG/MEDIUM: fix risk of segfault with "show tls-keys" + + BUG/MEDIUM: sticktables: segfault in some configuration error cases + + BUG/MEDIUM: lua: converters doesn't work + + BUG/MEDIUM: http: add-header: buffer overwritten + + BUG/MEDIUM: external-checks: close all FDs right after the fork() + + BUG/MAJOR: external-checks: use asynchronous signal delivery + * Drop haproxy.service-check-config-before-reload.patch. Applied + upstream. + + -- Vincent Bernat Tue, 28 Jun 2016 10:13:33 +0200 + +haproxy (1.6.5-2) unstable; urgency=high + + * Add a patch to fix CVE-2016-5360. Closes: #826869. 
+ + BUG/MAJOR: http: fix breakage of "reqdeny" causing random crashes + + -- Vincent Bernat Sat, 11 Jun 2016 22:23:50 +0200 + +haproxy (1.6.5-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: channel: fix miscalculation of available buffer space + + BUG/MAJOR: Fix crash in http_get_fhdr with exactly MAX_HDR_HISTORY + headers + + BUG/MEDIUM: channel: don't allow to overwrite the reserve until + connected + + BUG/MEDIUM: channel: fix inconsistent handling of 4GB-1 transfers + + BUG/MEDIUM: channel: incorrect polling condition may delay event + delivery + + BUG/MEDIUM: dns: fix alignment issue when building DNS queries + + BUG/MEDIUM: fix maxaccept computation on per-process listeners + + BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are + present + + BUG/MEDIUM: http: fix risk of CPU spikes with pipelined requests from + dead client + + BUG/MEDIUM: log: fix risk of segfault when logging HTTP fields in TCP + mode + + BUG/MEDIUM: lua: protects the upper boundary of the argument list for + converters/fetches. + + BUG/MEDIUM: peers: fix incorrect age in frequency counters + + BUG/MEDIUM: sample: initialize the pointer before parse_binary call. + + BUG/MEDIUM: stats: show backend may show an empty or incomplete result + + BUG/MEDIUM: stats: show servers state may show an empty or incomplete + result + + BUG/MEDIUM: stick-tables: some sample-fetch doesn't work in the + connection state. + + BUG/MEDIUM: stream: ensure the SI_FL_DONT_WAKE flag is properly cleared + + BUG/MEDIUM: trace.c: rdtsc() is defined in two files + + MEDIUM: unblock signals on startup. + * Bump standards to 3.9.8; no changes needed. + + -- Apollon Oikonomopoulos Wed, 11 May 2016 11:07:24 +0300 + +haproxy (1.6.4-3) unstable; urgency=medium + + * d/init: remove support for dynamic script name. This enable haproxy to + be started on boot. 
+ + -- Vincent Bernat Thu, 24 Mar 2016 20:36:08 +0100 + +haproxy (1.6.4-2) unstable; urgency=medium + + * d/init: fix SysV init script w/ respect to handling EXTRAOPTS on check. + * d/control: add Pre-Depends for dpkg-maintscript-helper support of + dir_to_symlink. + + -- Vincent Bernat Sat, 19 Mar 2016 16:35:20 +0100 + +haproxy (1.6.4-1) unstable; urgency=medium + + * New upstream release (see CHANGELOG): + + BUG/MAJOR: http-reuse: fix risk of orphaned connections. + + BUG/MAJOR: lua: applets can't sleep. + + BUG/MAJOR: samples: check smp->strm before using it. + + BUG/MAJOR: servers state: server port is erased when dns resolution is + enabled on a server. + + BUG/MAJOR: vars: always retrieve the stream and session from the sample + + BUG/MEDIUM: buffers: do not round up buffer size during allocation + + BUG/MEDIUM: dns: no DNS resolution happens if no ports provided to the + nameserver + + BUG/MEDIUM: servers state: server port is used uninitialized + + BUG/MEDIUM: config: Adding validation to stick-table expire value. + + BUG/MEDIUM: sample: http_date() doesn't provide the right day of the + week + + BUG/MEDIUM: channel: fix miscalculation of available buffer space. + + BUG/MEDIUM: http-reuse: do not share private connections across backends + + BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation + + BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation + + BUG/MEDIUM: stats: stats bind-process doesn't propagate the process mask + correctly + + BUG/MEDIUM: chunks: always reject negative-length chunks + + BUG/MEDIUM: cfgparse: wrong argument offset after parsing server "sni" + keyword + + [ Vincent Bernat ] + * haproxy.init: append ${EXTRAOPTS} when verifying configuration file. + * haproxy.init: move EXTRAOPTS after all other parameters. + * haproxy.init: management of multiple HAProxy instances with SysV + init.d script, courtesy of Ivan Savcic. 
+ + [ Apollon Oikonomopoulos ] + * Bump standards to 3.9.7: + + haproxy-doc: move the additional documentation from + /usr/share/doc/haproxy-doc to /usr/share/doc/haproxy, as per the + recommendation in Policy §12.3. + + Add compatibility symlinks from /usr/share/doc/haproxy-doc to + /usr/share/doc/haproxy. + * Enable all hardening flags. + * d/control: use HTTPS for Vcs-* + * Use www.haproxy.org as the project's homepage in d/control and + d/copyright. + * d/copyright: adjust debian/* years. + * Add basic DEP-8 tests. + * Drop the haproxy-dbg binary package in favor of ddebs. + * haproxy-doc: + + Use dpkg-maintscript-helper dir_to_symlink for the compatibility + symlinks. + + Add Lua documentation doc-base entry. + + -- Apollon Oikonomopoulos Tue, 15 Mar 2016 21:04:11 +0200 + +haproxy (1.6.3-1) unstable; urgency=medium + + [ Apollon Oikonomopoulos ] + * haproxy.init: use s-s-d's --pidfile option. + Thanks to Louis Bouchard (Closes: 804530) + + [ Vincent Bernat ] + * watch: fix d/watch to look for 1.6 version + * Imported Upstream version 1.6.3 + + -- Vincent Bernat Thu, 31 Dec 2015 08:10:10 +0100 + +haproxy (1.6.2-2) unstable; urgency=medium + + * Enable USE_REGPARM on amd64 as well. + + -- Vincent Bernat Tue, 03 Nov 2015 21:21:30 +0100 + +haproxy (1.6.2-1) unstable; urgency=medium + + * New upstream release. + - BUG/MAJOR: dns: first DNS response packet not matching queried + hostname may lead to a loop + - BUG/MAJOR: http: don't requeue an idle connection that is already + queued + * Upload to unstable. + + -- Vincent Bernat Tue, 03 Nov 2015 13:36:22 +0100 + +haproxy (1.6.1-2) experimental; urgency=medium + + * Build the Lua manpage in -arch, fixes FTBFS in binary-only builds. + + -- Apollon Oikonomopoulos Thu, 22 Oct 2015 12:19:41 +0300 + +haproxy (1.6.1-1) experimental; urgency=medium + + [ Vincent Bernat ] + * New upstream release. 
+ - BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is + disabled + * Drop 0001-BUILD-install-only-relevant-and-existing-documentati.patch. + + [ Apollon Oikonomopoulos ] + * Ship and generate Lua API documentation. + + -- Vincent Bernat Thu, 22 Oct 2015 10:45:55 +0200 + +haproxy (1.6.0+ds1-1) experimental; urgency=medium + + * New upstream release! + * Add a patch to fix documentation installation: + + 0001-BUILD-install-only-relevant-and-existing-documentati.patch + * Update HAProxy documentation converter to a more recent version. + + -- Vincent Bernat Wed, 14 Oct 2015 17:29:19 +0200 + +haproxy (1.6~dev7-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Tue, 06 Oct 2015 16:01:26 +0200 + +haproxy (1.6~dev5-1) experimental; urgency=medium + + * New upstream release. + + -- Vincent Bernat Mon, 14 Sep 2015 15:50:28 +0200 + +haproxy (1.6~dev4-1) experimental; urgency=medium + + * New upstream release. + * Refresh debian/copyright. + + -- Vincent Bernat Sun, 30 Aug 2015 23:54:10 +0200 + +haproxy (1.6~dev3-1) experimental; urgency=medium + + * New upstream release. + * Enable Lua support. + + -- Vincent Bernat Sat, 15 Aug 2015 17:51:29 +0200 + +haproxy (1.5.15-1) unstable; urgency=medium + + * New upstream stable release including the following fix: + - BUG/MAJOR: http: don't call http_send_name_header() after an error + + -- Vincent Bernat Mon, 02 Nov 2015 07:34:19 +0100 + +haproxy (1.5.14-1) unstable; urgency=high + + * New upstream version. Fix an information leak (CVE-2015-3281): + - BUG/MAJOR: buffers: make the buffer_slow_realign() function + respect output data. + * Add $named as a dependency for init script. Closes: #790638. 
+
+ -- Vincent Bernat Fri, 03 Jul 2015 19:49:02 +0200
+
+haproxy (1.5.13-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - MAJOR: peers: allow peers section to be used with nbproc > 1
+ - BUG/MAJOR: checks: always check for end of list before proceeding
+ - MEDIUM: ssl: replace standards DH groups with custom ones
+ - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
+ - BUG/MEDIUM: cfgparse: segfault when userlist is misused
+ - BUG/MEDIUM: stats: properly initialize the scope before dumping stats
+ - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER
+ except for tunnels
+ - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
+ - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
+ - BUG/MEDIUM: peers: apply a random reconnection timeout
+ - BUG/MEDIUM: config: properly compute the default number of processes
+ for a proxy
+
+ -- Vincent Bernat Sat, 27 Jun 2015 20:52:07 +0200
+
+haproxy (1.5.12-1) unstable; urgency=medium
+
+ * New upstream stable release including the following fixes:
+ - BUG/MAJOR: http: don't read past buffer's end in http_replace_value
+ - BUG/MAJOR: http: prevent risk of reading past end with balance
+ url_param
+ - BUG/MEDIUM: Do not consider an agent check as failed on L7 error
+ - BUG/MEDIUM: patern: some entries are not deleted with case
+ insensitive match
+ - BUG/MEDIUM: buffer: one byte miss in buffer free space check
+ - BUG/MEDIUM: http: thefunction "(req|res)-replace-value" doesn't
+ respect the HTTP syntax
+ - BUG/MEDIUM: peers: correctly configure the client timeout
+ - BUG/MEDIUM: http: hdr_cnt would not count any header when called
+ without name
+ - BUG/MEDIUM: listener: don't report an error when resuming unbound
+ listeners
+ - BUG/MEDIUM: init: don't limit cpu-map to the first 32 processes only
+ - BUG/MEDIUM: stream-int: always reset si->ops when si->end is
+ nullified
+ - BUG/MEDIUM: http: remove
content-length from chunked messages + - BUG/MEDIUM: http: do not restrict parsing of transfer-encoding to + HTTP/1.1 + - BUG/MEDIUM: http: incorrect transfer-coding in the request is a bad + request + - BUG/MEDIUM: http: remove content-length form responses with bad + transfer-encoding + - BUG/MEDIUM: http: wait for the exact amount of body bytes in + wait_for_request_body + + -- Vincent Bernat Sat, 02 May 2015 16:38:28 +0200 + +haproxy (1.5.11-2) unstable; urgency=medium + + * Upload to unstable. + + -- Vincent Bernat Sun, 26 Apr 2015 17:46:58 +0200 + +haproxy (1.5.11-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: log: don't try to emit a log if no logger is set + - BUG/MEDIUM: backend: correctly detect the domain when + use_domain_only is used + - BUG/MEDIUM: Do not set agent health to zero if server is disabled + in config + - BUG/MEDIUM: Only explicitly report "DOWN (agent)" if the agent health + is zero + - BUG/MEDIUM: http: fix header removal when previous header ends with + pure LF + - BUG/MEDIUM: channel: fix possible integer overflow on reserved size + computation + - BUG/MEDIUM: channel: don't schedule data in transit for leaving until + connected + - BUG/MEDIUM: http: make http-request set-header compute the string + before removal + * Upload to experimental. 
+ + -- Vincent Bernat Sun, 01 Feb 2015 09:22:27 +0100 + +haproxy (1.5.10-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: stream-int: properly check the memory allocation return + - BUG/MEDIUM: sample: fix random number upper-bound + - BUG/MEDIUM: patterns: previous fix was incomplete + - BUG/MEDIUM: payload: ensure that a request channel is available + - BUG/MEDIUM: tcp-check: don't rely on random memory contents + - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect + - BUG/MEDIUM: config: do not propagate processes between stopped + processes + - BUG/MEDIUM: memory: fix freeing logic in pool_gc2() + - BUG/MEDIUM: compression: correctly report zlib_mem + * Upload to experimental. + + -- Vincent Bernat Sun, 04 Jan 2015 13:17:56 +0100 + +haproxy (1.5.9-1) experimental; urgency=medium + + * New upstream stable release including the following fixes: + - BUG/MAJOR: sessions: unlink session from list on out + of memory + - BUG/MEDIUM: pattern: don't load more than once a pattern + list. + - BUG/MEDIUM: connection: sanitize PPv2 header length before + parsing address information + - BUG/MAJOR: frontend: initialize capture pointers earlier + - BUG/MEDIUM: checks: fix conflicts between agent checks and + ssl healthchecks + - BUG/MEDIUM: ssl: force a full GC in case of memory shortage + - BUG/MEDIUM: ssl: fix bad ssl context init can cause + segfault in case of OOM. + * Upload to experimental. + + -- Vincent Bernat Sun, 07 Dec 2014 16:37:36 +0100 + +haproxy (1.5.8-3) unstable; urgency=medium + + * Remove RC4 from the default cipher string shipped in configuration. + + -- Vincent Bernat Fri, 27 Feb 2015 11:29:23 +0100 + +haproxy (1.5.8-2) unstable; urgency=medium + + * Cherry-pick the following patches from 1.5.9 release: + - 8a0b93bde77e BUG/MAJOR: sessions: unlink session from list on out + of memory + - bae03eaad40a BUG/MEDIUM: pattern: don't load more than once a pattern + list. 
+ - 93637b6e8503 BUG/MEDIUM: connection: sanitize PPv2 header length before + parsing address information + - 8ba50128832b BUG/MAJOR: frontend: initialize capture pointers earlier + - 1f96a87c4e14 BUG/MEDIUM: checks: fix conflicts between agent checks and + ssl healthchecks + - 9bcc01ae2598 BUG/MEDIUM: ssl: force a full GC in case of memory shortage + - 909514970089 BUG/MEDIUM: ssl: fix bad ssl context init can cause + segfault in case of OOM. + * Cherry-pick the following patches from future 1.5.10 release: + - 1e89acb6be9b BUG/MEDIUM: payload: ensure that a request channel is + available + - bad3c6f1b6d7 BUG/MEDIUM: patterns: previous fix was incomplete + + -- Vincent Bernat Sun, 07 Dec 2014 11:11:21 +0100 + +haproxy (1.5.8-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + + + BUG/MAJOR: buffer: check the space left is enough or not when input + data in a buffer is wrapped + + BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates + + BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets + + BUG/MEDIUM: regex: fix pcre_study error handling + + BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol + + BUG/MINOR: log: fix request flags when keep-alive is enabled + + BUG/MAJOR: cli: explicitly call cli_release_handler() upon error + + BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR + * Also includes the following new features: + + MINOR: ssl: add statement to force some ssl options in global. + + MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER + formatted certs + * Disable SSLv3 in the default configuration file. 
+ + -- Vincent Bernat Fri, 31 Oct 2014 13:48:19 +0100 + +haproxy (1.5.6-1) unstable; urgency=medium + + * New upstream stable release including the following fixes: + + BUG/MEDIUM: systemd: set KillMode to 'mixed' + + MINOR: systemd: Check configuration before start + + BUG/MEDIUM: config: avoid skipping disabled proxies + + BUG/MINOR: config: do not accept more track-sc than configured + + BUG/MEDIUM: backend: fix URI hash when a query string is present + * Drop systemd patches: + + haproxy.service-also-check-on-start.patch + + haproxy.service-set-killmode-to-mixed.patch + * Refresh other patches. + + -- Vincent Bernat Mon, 20 Oct 2014 18:10:21 +0200 + +haproxy (1.5.5-1) unstable; urgency=medium + + [ Vincent Bernat ] + * initscript: use start-stop-daemon to reliably terminate all haproxy + processes. Also treat stopping a non-running haproxy as success. + (Closes: #762608, LP: #1038139) + + [ Apollon Oikonomopoulos ] + * New upstream stable release including the following fixes: + + DOC: Address issue where documentation is excluded due to a gitignore + rule. + + MEDIUM: Improve signal handling in systemd wrapper. + + BUG/MINOR: config: don't propagate process binding for dynamic + use_backend + + MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper + + DOC: clearly state that the "show sess" output format is not fixed + + MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer() + + DOC: indicate in the doc that track-sc* can wait if data are missing + + MEDIUM: http: enable header manipulation for 101 responses + + BUG/MEDIUM: config: propagate frontend to backend process binding again. 
+ + MEDIUM: config: properly propagate process binding between proxies + + MEDIUM: config: make the frontends automatically bind to the listeners' + processes + + MEDIUM: config: compute the exact bind-process before listener's + maxaccept + + MEDIUM: config: only warn if stats are attached to multi-process bind + directives + + MEDIUM: config: report it when tcp-request rules are misplaced + + MINOR: config: detect the case where a tcp-request content rule has no + inspect-delay + + MEDIUM: systemd-wrapper: support multiple executable versions and names + + BUG/MEDIUM: remove debugging code from systemd-wrapper + + BUG/MEDIUM: http: adjust close mode when switching to backend + + BUG/MINOR: config: don't propagate process binding on fatal errors. + + BUG/MEDIUM: check: rule-less tcp-check must detect connect failures + + BUG/MINOR: tcp-check: report the correct failed step in the status + + DOC: indicate that weight zero is reported as DRAIN + * Add a new patch (haproxy.service-set-killmode-to-mixed.patch) to fix the + systemctl stop action conflicting with the systemd wrapper now catching + SIGTERM. + * Bump standards to 3.9.6; no changes needed. + * haproxy-doc: link to tracker.debian.org instead of packages.qa.debian.org. + * d/copyright: move debian/dconv/* paragraph after debian/*, so that it + actually matches the files it is supposed to. + + -- Apollon Oikonomopoulos Wed, 08 Oct 2014 12:34:53 +0300 + +haproxy (1.5.4-1) unstable; urgency=high + + * New upstream version. + + Fix a critical bug that, under certain unlikely conditions, allows a + client to crash haproxy. + * Prefix rsyslog configuration file to ensure to log only to + /var/log/haproxy. Thanks to Paul Bourke for the patch. 
+ + -- Vincent Bernat Tue, 02 Sep 2014 19:14:38 +0200 + +haproxy (1.5.3-1) unstable; urgency=medium + + * New upstream stable release, fixing the following issues: + + Memory corruption when building a proxy protocol v2 header + + Memory leak in SSL DHE key exchange + + -- Apollon Oikonomopoulos Fri, 25 Jul 2014 10:41:36 +0300 + +haproxy (1.5.2-1) unstable; urgency=medium + + * New upstream stable release. Important fixes: + + A few sample fetch functions when combined in certain ways would return + malformed results, possibly crashing the HAProxy process. + + Hash-based load balancing and http-send-name-header would fail for + requests which contain a body which starts to be forwarded before the + data is used. + + -- Apollon Oikonomopoulos Mon, 14 Jul 2014 00:42:32 +0300 + +haproxy (1.5.1-1) unstable; urgency=medium + + * New upstream stable release: + + Fix a file descriptor leak for clients that disappear before connecting. + + Do not staple expired OCSP responses. + + -- Apollon Oikonomopoulos Tue, 24 Jun 2014 12:56:30 +0300 + +haproxy (1.5.0-1) unstable; urgency=medium + + * New upstream stable series. Notable changes since the 1.4 series: + + Native SSL support on both sides with SNI/NPN/ALPN and OCSP stapling. + + IPv6 and UNIX sockets are supported everywhere + + End-to-end HTTP keep-alive for better support of NTLM and improved + efficiency in static farms + + HTTP/1.1 response compression (deflate, gzip) to save bandwidth + + PROXY protocol versions 1 and 2 on both sides + + Data sampling on everything in request or response, including payload + + ACLs can use any matching method with any input sample + + Maps and dynamic ACLs updatable from the CLI + + Stick-tables support counters to track activity on any input sample + + Custom format for logs, unique-id, header rewriting, and redirects + + Improved health checks (SSL, scripted TCP, check agent, ...) 
+ + Much more scalable configuration supports hundreds of thousands of + backends and certificates without sweating + + * Upload to unstable, merge all 1.5 work from experimental. Most important + packaging changes since 1.4.25-1 include: + + systemd support. + + A more sane default config file. + + Zero-downtime upgrades between 1.5 releases by gracefully reloading + HAProxy during upgrades. + + HTML documentation shipped in the haproxy-doc package. + + kqueue support for kfreebsd. + + * Packaging changes since 1.5~dev26-2: + + Drop patches merged upstream: + o Fix-reference-location-in-manpage.patch + o 0001-BUILD-stats-workaround-stupid-and-bogus-Werror-forma.patch + + d/watch: look for stable 1.5 releases + + systemd: respect CONFIG and EXTRAOPTS when specified in + /etc/default/haproxy. + + initscript: test the configuration before start or reload. + + initscript: remove the ENABLED flag and logic. + + -- Apollon Oikonomopoulos Fri, 20 Jun 2014 11:05:17 +0300 + +haproxy (1.5~dev26-2) experimental; urgency=medium + + * initscript: start should not fail when haproxy is already running + + Fixes upgrades from post-1.5~dev24-1 installations + + -- Apollon Oikonomopoulos Wed, 04 Jun 2014 13:20:39 +0300 + +haproxy (1.5~dev26-1) experimental; urgency=medium + + * New upstream development version. + + Add a patch to fix compilation with -Werror=format-security + + -- Vincent Bernat Wed, 28 May 2014 20:32:10 +0200 + +haproxy (1.5~dev25-1) experimental; urgency=medium + + [ Vincent Bernat ] + * New upstream development version. + * Rename "contimeout", "clitimeout" and "srvtimeout" in the default + configuration file to "timeout connection", "timeout client" and + "timeout server". + + [ Apollon Oikonomopoulos ] + * Build on kfreebsd using the "freebsd" target; enables kqueue support. 
+ + -- Vincent Bernat Thu, 15 May 2014 00:20:11 +0200 + +haproxy (1.5~dev24-2) experimental; urgency=medium + + * New binary package: haproxy-doc + + Contains the HTML documentation built using a version of Cyril Bonté's + haproxy-dconv (https://github.com/cbonte/haproxy-dconv). + + Add Build-Depends-Indep on python and python-mako + + haproxy Suggests: haproxy-doc + * systemd: check config file for validity on reload. + * haproxy.cfg: + + Enable the stats socket by default and bind it to + /run/haproxy/admin.sock, which is accessible by the haproxy group. + /run/haproxy creation is handled by the initscript for sysv-rc and a + tmpfiles.d config for systemd. + + Set the default locations for CA and server certificates to + /etc/ssl/certs and /etc/ssl/private respectively. + + Set the default cipher list to be used on listening SSL sockets to + enable PFS, preferring ECDHE ciphers by default. + * Gracefully reload HAProxy on upgrade instead of performing a full restart. + * debian/rules: split build into binary-arch and binary-indep. + * Build-depend on debhelper >= 9, set compat to 9. + + -- Apollon Oikonomopoulos Sun, 27 Apr 2014 13:37:17 +0300 + +haproxy (1.5~dev24-1) experimental; urgency=medium + + * New upstream development version, fixes major regressions introduced in + 1.5~dev23: + + + Forwarding of a message body (request or response) would automatically + stop after the transfer timeout strikes, and with no error. + + Redirects failed to update the msg->next offset after consuming the + request, so if they were made with keep-alive enabled and starting with + a slash (relative location), then the buffer was shifted by a negative + amount of data, causing a crash. + + The code to standardize DH parameters caused an important performance + regression for, so it was temporarily reverted for the time needed to + understand the cause and to fix it. 
+ + For a complete release announcement, including other bugfixes and feature + enhancements, see http://deb.li/yBVA. + + -- Apollon Oikonomopoulos Sun, 27 Apr 2014 11:09:37 +0300 + +haproxy (1.5~dev23-1) experimental; urgency=medium + + * New upstream development version; notable changes since 1.5~dev22: + + SSL record size optimizations to speed up both, small and large + transfers. + + Dynamic backend name support in use_backend. + + Compressed chunked transfer encoding support. + + Dynamic ACL manipulation via the CLI. + + New "language" converter for extracting language preferences from + Accept-Language headers. + * Remove halog source and systemd unit files from + /usr/share/doc/haproxy/contrib, they are built and shipped in their + appropriate locations since 1.5~dev19-2. + + -- Apollon Oikonomopoulos Wed, 23 Apr 2014 11:12:34 +0300 + +haproxy (1.5~dev22-1) experimental; urgency=medium + + * New upstream development version + * watch: use the source page and not the main one + + -- Apollon Oikonomopoulos Mon, 03 Feb 2014 17:45:51 +0200 + +haproxy (1.5~dev21+20140118-1) experimental; urgency=medium + + * New upstream development snapshot, with the following fixes since + 1.5-dev21: + + 00b0fb9 BUG/MAJOR: ssl: fix breakage caused by recent fix abf08d9 + + 410f810 BUG/MEDIUM: map: segmentation fault with the stats's socket + command "set map ..." 
+ + abf08d9 BUG/MAJOR: connection: fix mismatch between rcv_buf's API and + usage + + 35249cb BUG/MINOR: pattern: pattern comparison executed twice + + c920096 BUG/MINOR: http: don't clear the SI_FL_DONT_WAKE flag between + requests + + b800623 BUG/MEDIUM: stats: fix HTTP/1.0 breakage introduced in previous + patch + + 61f7f0a BUG/MINOR: stream-int: do not clear the owner upon unregister + + 983eb31 BUG/MINOR: channel: CHN_INFINITE_FORWARD must be unsigned + + a3ae932 BUG/MEDIUM: stats: the web interface must check the tracked + servers before enabling + + e24d963 BUG/MEDIUM: checks: unchecked servers could not be enabled + anymore + + 7257550 BUG/MINOR: http: always disable compression on HTTP/1.0 + + 9f708ab BUG/MINOR: checks: successful check completion must not + re-enable MAINT servers + + ff605db BUG/MEDIUM: backend: do not re-initialize the connection's + context upon reuse + + ea90063 BUG/MEDIUM: stream-int: fix the keep-alive idle connection + handler + * Update debian/copyright to reflect the license of ebtree/ + (closes: #732614) + * Synchronize debian/copyright with source + * Add Documentation field to the systemd unit file + + -- Apollon Oikonomopoulos Mon, 20 Jan 2014 10:07:34 +0200 + +haproxy (1.5~dev21-1) experimental; urgency=low + + [ Prach Pongpanich ] + * Bump Standards-Version to 3.9.5 + + [ Thomas Bechtold ] + * debian/control: Add haproxy-dbg binary package for debug symbols. + + [ Apollon Oikonomopoulos ] + * New upstream development version. + * Require syslog to be operational before starting. Closes: #726323. + + -- Vincent Bernat Tue, 17 Dec 2013 01:38:04 +0700 + +haproxy (1.5~dev19-2) experimental; urgency=low + + [ Vincent Bernat ] + * Really enable systemd support by using dh-systemd helper. + * Don't use -L/usr/lib and rely on default search path. Closes: #722777. + + [ Apollon Oikonomopoulos ] + * Ship halog. 
+ + -- Vincent Bernat Thu, 12 Sep 2013 21:58:05 +0200 + +haproxy (1.5~dev19-1) experimental; urgency=high + + [ Vincent Bernat ] + * New upstream version. + + CVE-2013-2175: fix a possible crash when using negative header + occurrences. + + Drop 0002-Fix-typo-in-src-haproxy.patch: applied upstream. + * Enable gzip compression feature. + + [ Prach Pongpanich ] + * Drop bashism patch. It seems useless to maintain a patch to convert + example scripts from /bin/bash to /bin/sh. + * Fix reload/restart action of init script (LP: #1187469) + + -- Vincent Bernat Mon, 17 Jun 2013 22:03:58 +0200 + +haproxy (1.5~dev18-1) experimental; urgency=low + + [ Apollon Oikonomopoulos ] + * New upstream development version + + [ Vincent Bernat ] + * Add support for systemd. Currently, /etc/default/haproxy is not used + when using systemd. + + -- Vincent Bernat Sun, 26 May 2013 12:33:00 +0200 + +haproxy (1.4.25-1) unstable; urgency=medium + + [ Prach Pongpanich ] + * New upstream version. + * Update watch file to use the source page. + * Bump Standards-Version to 3.9.5. + + [ Thomas Bechtold ] + * debian/control: Add haproxy-dbg binary package for debug symbols. + + [ Apollon Oikonomopoulos ] + * Require syslog to be operational before starting. Closes: #726323. + * Document how to bind non-local IPv6 addresses. + * Add a reference to configuration.txt.gz to the manpage. + * debian/copyright: synchronize with source. + + -- Prach Pongpanich Fri, 28 Mar 2014 09:35:09 +0700 + +haproxy (1.4.24-2) unstable; urgency=low + + [ Apollon Oikonomopoulos ] + * Ship contrib/halog as /usr/bin/halog. + + [ Vincent Bernat ] + * Don't use -L/usr/lib and rely on default search path. Closes: #722777. + + -- Vincent Bernat Sun, 15 Sep 2013 14:36:27 +0200 + +haproxy (1.4.24-1) unstable; urgency=high + + [ Vincent Bernat ] + * New upstream version. + + CVE-2013-2175: fix a possible crash when using negative header + occurrences. + + [ Prach Pongpanich ] + * Drop bashism patch. 
It seems useless to maintain a patch to convert + example scripts from /bin/bash to /bin/sh. + * Fix reload/restart action of init script (LP: #1187469). + + -- Vincent Bernat Mon, 17 Jun 2013 21:56:26 +0200 + +haproxy (1.4.23-1) unstable; urgency=low + + [ Apollon Oikonomopoulos ] + * New upstream version (Closes: #643650, #678953) + + This fixes CVE-2012-2942 (Closes: #674447) + + This fixes CVE-2013-1912 (Closes: #704611) + * Ship vim addon as vim-haproxy (Closes: #702893) + * Check for the configuration file after sourcing /etc/default/haproxy + (Closes: #641762) + * Use /dev/log for logging by default (Closes: #649085) + + [ Vincent Bernat ] + * debian/control: + + add Vcs-* fields + + switch maintenance to Debian HAProxy team. (Closes: #706890) + + drop dependency to quilt: 3.0 (quilt) format is in use. + * debian/rules: + + don't explicitly call dh_installchangelog. + + use dh_installdirs to install directories. + + use dh_install to install error and configuration files. + + switch to `linux2628` Makefile target for Linux. + * debian/postrm: + + remove haproxy user and group on purge. + * Ship a more minimal haproxy.cfg file: no `listen` blocks but `global` + and `defaults` block with appropriate configuration to use chroot and + logging in the expected way. 
+ + [ Prach Pongpanich ] + * debian/copyright: + + add missing copyright holders + + update years of copyright + * debian/rules: + + build with -Wl,--as-needed to get rid of unnecessary depends + * Remove useless files in debian/haproxy.{docs,examples} + * Update debian/watch file, thanks to Bart Martens + + -- Vincent Bernat Mon, 06 May 2013 20:02:14 +0200 + +haproxy (1.4.15-1) unstable; urgency=low + + * New upstream release with critical bug fix (Closes: #631351) + + -- Christo Buschek Thu, 14 Jul 2011 18:17:05 +0200 + +haproxy (1.4.13-1) unstable; urgency=low + + * New maintainer upload (Closes: #615246) + * New upstream release + * Standards-version goes 3.9.1 (no change) + * Added patch bashism (Closes: #581109) + * Added a README.source file. + + -- Christo Buschek Thu, 11 Mar 2011 12:41:59 +0000 + +haproxy (1.4.8-1) unstable; urgency=low + + * New upstream release. + + -- Arnaud Cornet Fri, 18 Jun 2010 00:42:53 +0100 + +haproxy (1.4.4-1) unstable; urgency=low + + * New upstream release + * Add splice and tproxy support + * Add regparm optimization on i386 + * Switch to dpkg-source 3.0 (quilt) format + + -- Arnaud Cornet Thu, 15 Apr 2010 20:00:34 +0100 + +haproxy (1.4.2-1) unstable; urgency=low + + * New upstream release + * Remove debian/patches/haproxy.1-hyphen.patch gone upstream + * Tighten quilt build dep (Closes: #567087) + * standards-version goes 3.8.4 (no change) + * Add $remote_fs to init.d script required start and stop + + -- Arnaud Cornet Sat, 27 Mar 2010 15:19:48 +0000 + +haproxy (1.3.22-1) unstable; urgency=low + + * New upstream bugfix release + + -- Arnaud Cornet Mon, 19 Oct 2009 22:31:45 +0100 + +haproxy (1.3.21-1) unstable; urgency=low + + [ Michael Shuler ] + * New Upstream Version (Closes: #538992) + * Added override for example shell scripts in docs (Closes: #530096) + * Added upstream changelog to docs + * Added debian/watch + * Updated debian/copyright format + * Added haproxy.1-hyphen.patch, to fix hyphen in man page + * Upgrade 
Standards-Version to 3.8.3 (no change needed) + * Upgrade debian/compat to 7 (no change needed) + + [ Arnaud Cornet ] + * New upstream version. + * Merge Michael's work, few changelog fixes + * Add debian/README.source to point to quilt doc + * Depend on debhelper >= 7.0.50~ and use overrides in debian/rules + + -- Arnaud Cornet Sun, 18 Oct 2009 14:01:29 +0200 + +haproxy (1.3.18-1) unstable; urgency=low + + * New Upstream Version (Closes: #534583). + * Add contrib directory in docs + + -- Arnaud Cornet Fri, 26 Jun 2009 00:11:01 +0200 + +haproxy (1.3.15.7-2) unstable; urgency=low + + * Fix build without debian/patches directory (Closes: #515682) using + /usr/share/quilt/quilt.make. + + -- Arnaud Cornet Tue, 17 Feb 2009 08:55:12 +0100 + +haproxy (1.3.15.7-1) unstable; urgency=low + + * New Upstream Version. + * Remove upstream patches: + -use_backend-consider-unless.patch + -segfault-url_param+check_post.patch + -server-timeout.patch + -closed-fd-remove.patch + -connection-slot-during-retry.patch + -srv_dynamic_maxconn.patch + -do-not-pause-backends-on-reload.patch + -acl-in-default.patch + -cookie-capture-check.patch + -dead-servers-queue.patch + + -- Arnaud Cornet Mon, 16 Feb 2009 11:20:21 +0100 + +haproxy (1.3.15.2-2~lenny1) testing-proposed-updates; urgency=low + + * Rebuild for lenny to circumvent pcre3 shlibs bump. + + -- Arnaud Cornet Wed, 14 Jan 2009 11:28:36 +0100 + +haproxy (1.3.15.2-2) unstable; urgency=low + + * Add stable branch bug fixes from upstream (Closes: #510185). 
+ - use_backend-consider-unless.patch: consider "unless" in use_backend + - segfault-url_param+check_post.patch: fix segfault with url_param + + check_post + - server-timeout.patch: consider server timeout in all circumstances + - closed-fd-remove.patch: drop info about closed file descriptors + - connection-slot-during-retry.patch: do not release the connection slot + during a retry + - srv_dynamic_maxconn.patch: dynamic connection throttling api fix + - do-not-pause-backends-on-reload.patch: make reload reliable + - acl-in-default.patch: allow acl-related keywords in defaults sections + - cookie-capture-check.patch: cookie capture is declared in the frontend + but checked on the backend + - dead-servers-queue.patch: make dead servers not suck pending connections + * Add quilt build-dependancy. Use quilt in debian/rules to apply + patches. + + -- Arnaud Cornet Wed, 31 Dec 2008 08:50:21 +0100 + +haproxy (1.3.15.2-1) unstable; urgency=low + + * New Upstream Version (Closes: #497186). + + -- Arnaud Cornet Sat, 30 Aug 2008 18:06:31 +0200 + +haproxy (1.3.15.1-1) unstable; urgency=low + + * New Upstream Version + * Upgrade standards version to 3.8.0 (no change needed). + * Build with TARGET=linux26 on linux, TARGET=generic on other systems. + + -- Arnaud Cornet Fri, 20 Jun 2008 00:38:50 +0200 + +haproxy (1.3.14.5-1) unstable; urgency=low + + * New Upstream Version (Closes: #484221) + * Use debhelper 7, drop CDBS. + + -- Arnaud Cornet Wed, 04 Jun 2008 19:21:56 +0200 + +haproxy (1.3.14.3-1) unstable; urgency=low + + * New Upstream Version + * Add status argument support to init-script to conform to LSB. + * Cleanup pidfile after stop in init script. Init script return code fixups. + + -- Arnaud Cornet Sun, 09 Mar 2008 21:30:29 +0100 + +haproxy (1.3.14.2-3) unstable; urgency=low + + * Add init script support for nbproc > 1 in configuration. That is, + multiple haproxy processes. + * Use 'option redispatch' instead of redispatch in debian default + config. 
+ + -- Arnaud Cornet Sun, 03 Feb 2008 18:22:28 +0100 + +haproxy (1.3.14.2-2) unstable; urgency=low + + * Fix init scripts's reload function to use -sf instead of -st (to wait for + active session to finish cleanly). Also support dash. Thanks to + Jean-Baptiste Quenot for noticing. + + -- Arnaud Cornet Thu, 24 Jan 2008 23:47:26 +0100 + +haproxy (1.3.14.2-1) unstable; urgency=low + + * New Upstream Version + * Simplify DEB_MAKE_INVOKE, as upstream now supports us overriding + CFLAGS. + * Move haproxy to usr/sbin. + + -- Arnaud Cornet Mon, 21 Jan 2008 22:42:51 +0100 + +haproxy (1.3.14.1-1) unstable; urgency=low + + * New upstream release. + * Drop dfsg list and hash code rewrite (merged upstream). + * Add a HAPROXY variable in init script. + * Drop makefile patch, fix debian/rules accordingly. Drop build-dependancy + on quilt. + * Manpage now upstream. Ship upstream's and drop ours. + + -- Arnaud Cornet Tue, 01 Jan 2008 22:50:09 +0100 + +haproxy (1.3.12.dfsg2-1) unstable; urgency=low + + * New upstream bugfix release. + * Use new Homepage tag. + * Bump standards-version (no change needed). + * Add build-depend on quilt and add patch to allow proper CFLAGS passing to + make. + + -- Arnaud Cornet Tue, 25 Dec 2007 21:52:59 +0100 + +haproxy (1.3.12.dfsg-1) unstable; urgency=low + + * Initial release (Closes: #416397). + * The DFSG removes files with GPL-incompabitle license and adds a + re-implementation by me. + + -- Arnaud Cornet Fri, 17 Aug 2007 09:33:41 +0200 diff --git a/haproxy/debian/control b/haproxy/debian/control new file mode 100644 index 0000000..2a048f5 --- /dev/null +++ b/haproxy/debian/control 
@@ -0,0 +1,25 @@
+Source: haproxy
+Section: net
+Priority: optional
+Maintainer: MangaDex
+Uploaders: Tristan
+Standards-Version: 4.4.1
+Build-Depends: debhelper-compat (= 12),
+ libsystemd-dev [linux-any],
+ pkg-config
+Homepage: http://www.haproxy.org/
+Vcs-Git: https://gitlab.com/mangadex-pub/haproxy.git
+Vcs-Browser: https://gitlab.com/mangadex-pub/haproxy
+
+Package: haproxy
+Architecture: any
+Depends: ${perl:Depends}, ${shlibs:Depends}, ${misc:Depends}, adduser, lsb-base (>= 3.0-6)
+Pre-Depends: dpkg (>= 1.17.14), ${misc:Pre-Depends}
+Description: fast and reliable load balancing reverse proxy
+ HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
+ availability environments. It features connection persistence through HTTP
+ cookies, load balancing, header addition, modification, deletion both ways. It
+ has request blocking capabilities and provides interface to display server
+ status.
+ This package specifically adds the QuicTLS fork of OpenSSL and enables QUIC
+ frontend support in HAProxy
diff --git a/haproxy/debian/copyright b/haproxy/debian/copyright
new file mode 100644
index 0000000..7eb0d9a
--- /dev/null
+++ b/haproxy/debian/copyright
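Review bot: In debian/control the Description says this build adds the QuicTLS fork of OpenSSL, yet `Build-Depends` names no TLS library, so the TLS code is presumably fetched and linked in by haproxy/Makefile rather than taken from the distribution. If so, `${shlibs:Depends}` will not tie the package to a libssl that receives distribution security updates, and a TLS fix reaches users only when this package is rebuilt. I would record that in the package metadata, for example a Description line such as ` The bundled QuicTLS release is <QUICTLS_VERSION> (placeholder); it is not covered by the distribution's OpenSSL updates.`, so operators and scanners can tell which TLS code is deployed. Separately, `Homepage: http://www.haproxy.org/` could point at the https URL.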
@@ -0,0 +1,941 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: haproxy +Upstream-Contact: Willy Tarreau +Source: http://www.haproxy.org/ + +Files: * +Copyright: Copyright 2000-2021 Willy Tarreau . +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: .github/matrix.py +Copyright: 2020, Tim Duesterhus + 2019, Ilya Shipitsin +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: addons/51degrees/dummy/* +Copyright: 51Degrees Mobile Experts Limited. / 2019, 51Degrees Mobile Experts Limited, 5 Charlotte Close +License: MPL-2.0 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: addons/ot/* +Copyright: 2017, 2020, HAProxy Technologies +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: addons/promex/service-prometheus.c +Copyright: 2018, 2019, Christopher Faulet +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: addons/wurfl/dummy/* +Copyright: ScientiaMobile, Inc. +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: addons/wurfl/dummy/Makefile +Copyright: Copyright 2000-2021 Willy Tarreau . +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: admin/halog/fgets2.c +Copyright: 2000-2012, Willy Tarreau +License: LGPL-2.1 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: admin/halog/halog.c +Copyright: 2000-2020, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: admin/iprange/* +Copyright: 2000-2021, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: admin/netsnmp-perl/* +Copyright: 2007-2010, Krzysztof Piotr Oledzki +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: admin/release-estimator/release-estimator.py +Copyright: 2020, HAProxy Technologies, Daniel Corbett +License: GPL-3+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: admin/wireshark-dissectors/peers/packet-happp.c +Copyright: 2016, Frédéric Lécaille + 1998, Gerald Combs +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: debian/* +Copyright: Copyright (C) 2007-2011, Arnaud Cornet + Copyright (C) 2011, Christo Buschek + Copyright (C) 2013, Prach Pongpanich + Copyright (C) 2013-2016, Apollon Oikonomopoulos + Copyright (C) 2013-2016, Vincent Bernat +License: GPL-2 + +Files: debian/dconv/* +Copyright: 2012, Cyril Bonté +License: Apache-2.0 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: debian/dconv/js/* +Copyright: 2013-2015, Twitter, Inc. and other contributors; Licensed MIT +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: debian/dconv/js/typeahead.bundle.js +Copyright: Copyright 2013-2015 Twitter, Inc. and other contributors +License: Expat + +Files: dev/base64/* +Copyright: 2009, 2010, Krzysztof Piotr Oledzki +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: dev/tcploop/tcploop.c +Copyright: 2012-2017, Willy Tarreau +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: include/* +Copyright: 2000-2020, Willy Tarreau - w@1wt.eu +License: LGPL-2.1 + +Files: include/haproxy/api-t.h + include/haproxy/api.h + include/haproxy/buf-t.h + include/haproxy/buf.h + include/haproxy/bug.h + include/haproxy/initcall.h + include/haproxy/istbuf.h +Copyright: 2000-2020, Willy Tarreau - w@1wt.eu +License: Expat + +Files: include/haproxy/arg-t.h + include/haproxy/arg.h + include/haproxy/protobuf-t.h + include/haproxy/protobuf.h +Copyright: 2012, Willy Tarreau +License: LGPL-2.1 + +Files: include/haproxy/atomic.h + include/haproxy/thread-t.h + include/haproxy/thread.h +Copyright: 2020, Willy Tarreau - w@1wt.eu + 2017, Christopher Faulet - cfaulet@haproxy.com +License: LGPL-2.1 + +Files: include/haproxy/auth-t.h + include/haproxy/auth.h +Copyright: 2009, 2010, Krzysztof Piotr Oledzki +License: GPL-2+ + +Files: include/haproxy/base64.h + include/haproxy/signal-t.h + include/haproxy/signal.h + include/haproxy/uri_auth-t.h + include/haproxy/uri_auth.h +Copyright: 2000-2020, Willy Tarreau +License: GPL-2+ + +Files: include/haproxy/check-t.h +Copyright: 2008, 2009, Krzysztof Piotr Oledzki + 2000-2020, Willy Tarreau - w@1wt.eu +License: GPL-2+ + +Files: include/haproxy/compression-t.h +Copyright: 2012, Exceliance, David Du Colombier +License: LGPL-2.1 + +Files: include/haproxy/compression.h +Copyright: 2012, (C) Exceliance, David Du Colombier +License: LGPL-2.1 + +Files: include/haproxy/counters-t.h +Copyright: 2011-2014, Willy Tarreau + 2008, 2009, Krzysztof Piotr Oledzki +License: LGPL-2.1 + +Files: include/haproxy/dgram-t.h + include/haproxy/dgram.h + include/haproxy/dns-t.h + include/haproxy/fix-t.h + include/haproxy/fix.h + include/haproxy/mqtt-t.h + include/haproxy/mqtt.h + include/haproxy/resolvers-t.h + include/haproxy/resolvers.h +Copyright: 2014, 2020, Baptiste Assmann +License: LGPL-2.1 + +Files: include/haproxy/dict-t.h + include/haproxy/dict.h +Copyright: 2019, Frédéric Lécaille +License: Expat + +Files: include/haproxy/dns.h 
+Copyright: 2020, HAProxy Technologies +License: LGPL-2.1 + +Files: include/haproxy/extcheck.h +Copyright: 2014, Horms Solutions Ltd, Simon Horman + 2000-2009, 2020, Willy Tarreau +License: LGPL-2.1 + +Files: include/haproxy/fcgi-app-t.h + include/haproxy/fcgi-app.h + include/haproxy/fcgi.h + include/haproxy/h1_htx.h + include/haproxy/http_htx-t.h + include/haproxy/http_htx.h + include/haproxy/htx-t.h + include/haproxy/htx.h + include/haproxy/spoe-t.h + include/haproxy/spoe.h +Copyright: 2017-2019, HAProxy Technologies, Christopher Faulet +License: LGPL-2.1 + +Files: include/haproxy/filters-t.h + include/haproxy/filters.h + include/haproxy/flt_http_comp.h +Copyright: 2015, Qualys Inc., Christopher Faulet +License: LGPL-2.1 + +Files: include/haproxy/h2.h +Copyright: 2017, HAProxy Technologies + 2000-2017, Willy Tarreau - w@1wt.eu +License: Expat + +Files: include/haproxy/hlua-t.h + include/haproxy/hlua.h + include/haproxy/hlua_fcn.h +Copyright: 2015, 2016, Thierry Fournier +License: LGPL-2.1 + +Files: include/haproxy/hpack-dec.h + include/haproxy/hpack-enc.h + include/haproxy/hpack-huff.h + include/haproxy/hpack-tbl-t.h + include/haproxy/hpack-tbl.h + include/haproxy/http-hdr-t.h + include/haproxy/http-hdr.h +Copyright: 2017, HAProxy Technologies + 2014-2020, Willy Tarreau +License: Expat + +Files: include/haproxy/mailers-t.h +Copyright: 2015, Horms Solutions Ltd., Simon Horman + 2010, EXCELIANCE, Emeric Brun +License: LGPL-2.1 + +Files: include/haproxy/mailers.h +Copyright: 2020, Willy Tarreau + 2015, Horms Solutions Ltd., Simon Horman + 2010, EXCELIANCE, Emeric Brun +License: LGPL-2.1 + +Files: include/haproxy/mworker-t.h + include/haproxy/mworker.h +Copyright: HAProxy Technologies 2019, - William Lallemand +License: GPL-2+ + +Files: include/haproxy/namespace-t.h + include/haproxy/namespace.h +Copyright: 2015-2020, Willy Tarreau + 2014, Tamas Kovacs, Sarkozi Laszlo, Krisztian Kovacs +License: LGPL-2.1 + +Files: include/haproxy/net_helper.h +Copyright: 2017-2020, 
Willy Tarreau + 2017, Olivier Houchard +License: Expat + +Files: include/haproxy/openssl-compat.h +Copyright: Copyright 2000-2013 Willy Tarreau - w@1wt.eu +License: LGPL-2.1 + +Files: include/haproxy/peers-t.h + include/haproxy/peers.h + include/haproxy/ssl_sock-t.h + include/haproxy/ssl_sock.h +Copyright: 2010, 2012, EXCELIANCE, Emeric Brun +License: LGPL-2.1 + +Files: include/haproxy/proto_quic.h + include/haproxy/quic_sock.h +Copyright: 2020, Frédéric Lécaille +License: LGPL-2.1 + +Files: include/haproxy/proto_sockpair.h +Copyright: HAProxy Technologies - William Lallemand +License: LGPL-2.1 + +Files: include/haproxy/proto_udp.h + include/haproxy/quic_cc-t.h + include/haproxy/quic_cc.h + include/haproxy/quic_frame-t.h + include/haproxy/quic_frame.h + include/haproxy/quic_loss-t.h + include/haproxy/quic_loss.h + include/haproxy/xprt_quic-t.h + include/haproxy/xprt_quic.h +Copyright: 2019, 2020, HAProxy Technologies, Frédéric Lécaille +License: LGPL-2.1 + +Files: include/haproxy/qpack-tbl-t.h +Copyright: 2020, HAProxy Technologies, Frédéric Lécaille +License: Expat + +Files: include/haproxy/quic_tls-t.h + include/haproxy/quic_tls.h +Copyright: 2019, 2020, HAProxy Technologies, Frédéric Lécaille +License: GPL-2+ + +Files: include/haproxy/sample-t.h + include/haproxy/sample.h + include/haproxy/sample_data-t.h + include/haproxy/stick_table-t.h + include/haproxy/stick_table.h +Copyright: 2010, 2012, 2013, 2020, Willy Tarreau + 2009, 2010, EXCELIANCE, Emeric Brun +License: LGPL-2.1 + +Files: include/haproxy/shctx-t.h + include/haproxy/shctx.h +Copyright: 2011, 2012, EXCELIANCE +License: GPL-2+ + +Files: include/haproxy/ssl_ckch-t.h + include/haproxy/ssl_ckch.h + include/haproxy/ssl_crtlist-t.h + include/haproxy/ssl_crtlist.h +Copyright: 2020, HAProxy Technologies, William Lallemand +License: LGPL-2.1 + +Files: include/haproxy/ssl_utils.h +Copyright: 2020, HAProxy Technologies, William Lallemand + 2012, EXCELIANCE, Emeric Brun +License: LGPL-2.1 + +Files: 
include/haproxy/tcpcheck-t.h +Copyright: 2020, Gaetan Rivet + 2020, Christopher Faulet + 2013, Baptiste Assmann + 2007-2010, Krzysztof Piotr Oledzki + 2000-2009, 2020, Willy Tarreau +License: GPL-2+ + +Files: include/haproxy/tcpcheck.h +Copyright: 2020, Gaetan Rivet + 2020, Christopher Faulet + 2013, Baptiste Assmann + 2007-2010, Krzysztof Piotr Oledzki + 2000-2009, 2020, Willy Tarreau +License: LGPL-2.1 + +Files: include/haproxy/uri_normalizer-t.h + include/haproxy/uri_normalizer.h +Copyright: 2021, Tim Duesterhus +License: GPL-2+ + +Files: include/haproxy/vars-t.h + include/haproxy/vars.h +Copyright: 2015, Thierry FOURNIER +License: LGPL-2.1 + +Files: include/haproxy/xref-t.h + include/haproxy/xref.h +Copyright: 2020, Willy Tarreau - w@1wt.eu + 2017, Thierry Fournier +License: Expat + +Files: include/import/* +Copyright: 2002-2011, - Willy Tarreau +License: LGPL-2.1 + +Files: include/import/atomic-ops.h +Copyright: Copyright 2000-2013 Willy Tarreau - w@1wt.eu +License: LGPL-2.1 + +Files: include/import/eb32sctree.h +Copyright: 2002-2017, - Willy Tarreau +License: LGPL-2.1 + +Files: include/import/ist.h +Copyright: 2000-2020, Willy Tarreau - w@1wt.eu +License: Expat + +Files: include/import/lru.h + include/import/plock.h + include/import/slz.h +Copyright: 2012-2017, Willy Tarreau +License: Expat + +Files: include/import/mjson.h +Copyright: 2018-2020, Cesanta Software Limited +License: Expat + +Files: include/import/sha1.h +Copyright: 2009-2015, Linus Torvalds and others. +License: LGPL-2.1 + +Files: include/import/xxhash.h +Copyright: 2012-2020, Yann Collet +License: BSD-2-clause + +Files: src/* +Copyright: 2000-2020, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/action.c + src/fcgi-app.c + src/flt_spoe.c + src/h1_htx.c + src/http_ana.c + src/http_htx.c + src/htx.c + src/mux_fcgi.c + src/server_state.c +Copyright: 2016-2019, 2021, HAProxy Technologies, Christopher Faulet +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/auth.c +Copyright: 2009, 2010, Krzysztof Piotr Oledzki +License: GPL-2+ + +Files: src/base64.c + src/server.c + src/stats.c +Copyright: 2007-2010, Krzysztof Piotr Oledzki + 2000-2012, Willy Tarreau +License: GPL-2+ + +Files: src/cache.c +Copyright: 2017, 2020, HAProxy Technologies +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/cfgparse-global.c + src/cfgparse-listen.c + src/dict.c + src/namespace.c + src/vars.c + src/version.c +Copyright: Copyright 2000-2015 Willy Tarreau . +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/cfgparse-ssl.c + src/ssl_sample.c + src/ssl_utils.c +Copyright: 2020, HAProxy Technologies, William Lallemand + 2012, EXCELIANCE, Emeric Brun +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/check.c + src/cli.c +Copyright: 2007-2010, Krzysztof Piotr Oledzki + 2000-2012, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/compression.c +Copyright: 2012, Exceliance, David Du Colombier +License: GPL-2+ + +Files: src/debug.c + src/haproxy.c + src/wdt.c +Copyright: 2000-2021, Willy Tarreau . +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/dgram.c + src/fix.c + src/mqtt.c + src/resolvers.c +Copyright: 2014, 2020, Baptiste Assmann +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/dns.c +Copyright: 2017, 2020, HAProxy Technologies +License: GPL-2+ + +Files: src/eb32sctree.c + src/eb32tree.c + src/eb64tree.c + src/ebimtree.c + src/ebistree.c + src/ebmbtree.c + src/ebpttree.c + src/ebsttree.c + src/ebtree.c +Copyright: 2002-2011, - Willy Tarreau +License: LGPL-2.1 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/ev_evports.c +Copyright: 2018, Joyent, Inc. +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/extcheck.c +Copyright: 2014, Horms Solutions Ltd, Simon Horman + 2000-2009, 2020, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/fcgi.c +Copyright: 2019, HAProxy Technologies, Christopher Faulet +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/filters.c + src/flt_http_comp.c + src/flt_trace.c +Copyright: 2015, Qualys Inc., Christopher Faulet +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/h2.c +Copyright: 2017, Willy Tarreau + 2017, HAProxy Technologies +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/hlua.c + src/hlua_fcn.c +Copyright: 2015, 2016, Thierry Fournier +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/hpack-dec.c + src/hpack-enc.c + src/hpack-huff.c + src/hpack-tbl.c +Copyright: 2017, HAProxy Technologies + 2014-2020, Willy Tarreau +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/lru.c +Copyright: 2012-2017, Willy Tarreau +License: Expat + +Files: src/mailers.c +Copyright: 2020, Willy Tarreau + 2015, Horms Solutions Ltd, Simon Horman +License: GPL-2+ + +Files: src/mjson.c +Copyright: 2018-2020, Cesanta Software Limited +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/mux_h1.c +Copyright: 2018, 2019, Christopher Faulet +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/mworker-prog.c + src/proto_sockpair.c +Copyright: HAProxy Technologies - William Lallemand +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/mworker.c +Copyright: HAProxy Technologies 2019, - William Lallemand +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/peers.c + src/ssl_sock.c +Copyright: 2010, 2012, EXCELIANCE, Emeric Brun +License: GPL-2+ + +Files: src/proto_quic.c +Copyright: 2020, Frédéric Lécaille +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/proto_udp.c + src/quic_frame.c + src/quic_sock.c + src/xprt_quic.c +Copyright: 2019, 2020, HAProxy Technologies, Frédéric Lécaille +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/proto_uxdg.c +Copyright: 2020, HAProxy Technologies, Emeric Brun +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/qpack-tbl.c +Copyright: 2020, HAProxy Technologies, Frédéric Lécaille +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/quic_cc.c + src/quic_cc_newreno.c +Copyright: 2019, 2020, HAProxy Technologies, Frédéric Lécaille +License: LGPL-2.1 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/ring.c + src/sink.c + src/trace.c +Copyright: 2000-2020, Willy Tarreau - w@1wt.eu +License: LGPL-2.1 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/sample.c + src/stick_table.c +Copyright: 2010, 2012, Willy Tarreau + 2009, 2010, EXCELIANCE, Emeric Brun +License: GPL-2+ + +Files: src/sha1.c +Copyright: 2009-2015, Linus Torvalds and others. 
+License: LGPL-2.1 +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/shctx.c +Copyright: 2011, 2012, EXCELIANCE +License: GPL-2+ + +Files: src/slz.c +Copyright: 2012-2017, Willy Tarreau +License: Expat +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/ssl_ckch.c + src/ssl_crtlist.c +Copyright: 2020, HAProxy Technologies, William Lallemand +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/tcpcheck.c +Copyright: 2020, Gaetan Rivet + 2020, Christopher Faulet + 2013, Baptiste Assmann + 2007-2010, Krzysztof Piotr Oledzki + 2000-2009, 2020, Willy Tarreau +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/thread.c +Copyright: 2017, Christopher Fauet - cfaulet@haproxy.com +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: src/uri_normalizer.c +Copyright: 2021, Tim Duesterhus +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." 
+ +Files: src/xprt_handshake.c +Copyright: 2019, HAProxy Technologies, Olivier Houchard +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +Files: tests/exp/filltab25.c +Copyright: 2007, willy tarreau. +License: GPL-2+ +Comment: + An OpenSSL exception is present in the LICENSE file: "This program is + released under the GPL with the additional exemption that compiling, + linking, and/or using OpenSSL is allowed." + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the full text of the Apache License version 2.0 can be + found in the file `/usr/share/common-licenses/Apache-2.0'. + +License: BSD-2-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + . 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 2 as + published by the Free Software Foundation. + . + On Debian systems, the complete text of the GNU General Public License, version + 2, can be found in /usr/share/common-licenses/GPL-2. + +License: GPL-2+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + `/usr/share/common-licenses/GPL-2'. + +License: GPL-3+ + This software is Copyright (c) 2020 by X. Ample. + . + This is free software, licensed under: + . + The GNU General Public License, Version 3, June 2007 + . + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 3 dated June, 2007, or (at + your option) any later version. + On Debian systems, the complete text of version 3 of the GNU General + Public License can be found in '/usr/share/common-licenses/GPL-3'. 
+ +License: LGPL-2.1 + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the complete text of the GNU Lesser General Public License, + version 2.1, can be found in /usr/share/common-licenses/LGPL-2.1. + +License: MPL-2.0 + This software is Copyright (c) 2020 by X. Ample. + . + This is free software, licensed under: + . + Mozilla Public License Version 2.0 + . + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. + On Debian systems, the complete text of Mozilla Public License v 2.0 + can be found in '/usr/share/common-licenses/MPL-2.0'. diff --git a/haproxy/debian/haproxy.README.Debian b/haproxy/debian/haproxy.README.Debian new file mode 100644 index 0000000..6e3e3ab --- /dev/null +++ b/haproxy/debian/haproxy.README.Debian 
@@ -0,0 +1,29 @@
+Syslog support
+--------------
+Upstream recommends using syslog over UDP to log from HAProxy processes, as
+this allows seamless logging from chroot'ed processes without access to
+/dev/log. However, many syslog implementations do not enable UDP syslog by
+default.
+
+The default HAProxy configuration in Debian uses /dev/log for logging and
+ships an rsyslog snippet that creates /dev/log in HAProxy's chroot and logs all
+HAProxy messages to /var/log/haproxy.log. To take advantage of this, you must
+restart rsyslog after installing this package. For other syslog daemons you
+will have to take manual measures to enable UDP logging or create /dev/log
+under HAProxy's chroot:
+a. For sysklogd, add SYSLOG="-a /var/lib/haproxy/dev/log" to
+ /etc/default/syslog.
+b. For inetutils-syslogd, add SYSLOGD_OPTS="-a /var/lib/haproxy/dev/log" to
+ /etc/default/inetutils-syslogd.
+
+Prometheus exporter
+-------------------
+HAProxy is shipped with a builtin Prometheus exporter. To enable it,
+you need to configure the Prometheus endpoint:
+
+ frontend stats
+ bind *:8404
+ http-request use-service prometheus-exporter if { path /metrics }
+ stats enable
+ stats uri /stats
+ stats refresh 10s
diff --git a/haproxy/debian/haproxy.cfg b/haproxy/debian/haproxy.cfg
new file mode 100644
index 0000000..71e45a0
--- /dev/null
+++ b/haproxy/debian/haproxy.cfg
@@ -0,0 +1,34 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
diff --git a/haproxy/debian/haproxy.default b/haproxy/debian/haproxy.default
new file mode 100644
index 0000000..e15c193
--- /dev/null
+++ b/haproxy/debian/haproxy.default
@@ -0,0 +1,10 @@
+# Defaults file for HAProxy
+#
+# This is sourced by both, the initscript and the systemd unit file, so do not
+# treat it as a shell script fragment.
+
+# Change the config file location if needed
+#CONFIG="/etc/haproxy/haproxy.cfg"
+
+# Add extra flags here, see haproxy(1) for a few options
+#EXTRAOPTS="-de -m 16"
diff --git a/haproxy/debian/haproxy.dirs b/haproxy/debian/haproxy.dirs
new file mode 100644
index 0000000..b2e3c52
--- /dev/null
+++ b/haproxy/debian/haproxy.dirs
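Review bot: The `defaults` section of haproxy/debian/haproxy.cfg sets only `timeout connect`, `timeout client` and `timeout server`, so the time a client may take to deliver a complete request header is bounded only by the 50 s client inactivity timer. A client that trickles header bytes can then hold a connection slot far longer than a normal request does, which is the case HAProxy's `timeout http-request` directive is meant to bound. I would add `timeout http-request 10s` next to the other timeouts (the value is a suggestion, tune it to the deployment), with a one-line comment saying why it is there.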
@@ -0,0 +1,4 @@
+etc/haproxy
+etc/haproxy/errors
+var/lib/haproxy
+var/lib/haproxy/dev
diff --git a/haproxy/debian/haproxy.docs b/haproxy/debian/haproxy.docs
new file mode 100644
index 0000000..a392a17
--- /dev/null
+++ b/haproxy/debian/haproxy.docs
@@ -0,0 +1,9 @@
+doc/architecture.txt
+doc/configuration.txt
+doc/intro.txt
+doc/lua.txt
+doc/management.txt
+doc/network-namespaces.txt
+doc/SPOE.txt
+admin
+README
diff --git a/haproxy/debian/haproxy.examples b/haproxy/debian/haproxy.examples
new file mode 100644
index 0000000..08088cb
--- /dev/null
+++ b/haproxy/debian/haproxy.examples
@@ -0,0 +1 @@
+examples/*.cfg
diff --git a/haproxy/debian/haproxy.init b/haproxy/debian/haproxy.init
new file mode 100644
index 0000000..6f4096b
--- /dev/null
+++ b/haproxy/debian/haproxy.init
@@ -0,0 +1,197 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: haproxy
+# Required-Start: $local_fs $network $remote_fs $syslog $named
+# Required-Stop: $local_fs $remote_fs $syslog $named
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: fast and reliable load balancing reverse proxy
+# Description: This file should be used to start and stop haproxy.
+### END INIT INFO
+
+# Author: Arnaud Cornet
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+BASENAME=haproxy
+PIDFILE=/var/run/${BASENAME}.pid
+CONFIG=/etc/${BASENAME}/${BASENAME}.cfg
+HAPROXY=/usr/sbin/haproxy
+RUNDIR=/run/${BASENAME}
+EXTRAOPTS=
+
+test -x $HAPROXY || exit 0
+
+if [ -e /etc/default/${BASENAME} ]; then
+ . /etc/default/${BASENAME}
+fi
+
+test -f "$CONFIG" || exit 0
+
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+. /lib/lsb/init-functions
+
+
+check_haproxy_config()
+{
+ $HAPROXY -c -f "$CONFIG" $EXTRAOPTS >/dev/null
+ if [ $? -eq 1 ]; then
+ log_end_msg 1
+ exit 1
+ fi
+}
+
+haproxy_start()
+{
+ [ -d "$RUNDIR" ] || mkdir "$RUNDIR"
+ chown haproxy:haproxy "$RUNDIR"
+ chmod 2775 "$RUNDIR"
+
+ check_haproxy_config
+
+ start-stop-daemon --quiet --oknodo --start --pidfile "$PIDFILE" \
+ --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
+ $EXTRAOPTS || return 2
+ return 0
+}
+
+haproxy_stop()
+{
+ if [ ! -f $PIDFILE ] ; then
+ # This is a success according to LSB
+ return 0
+ fi
+
+ ret=0
+ tmppid="$(mktemp)"
+
+ # HAProxy's pidfile may contain multiple PIDs, if nbproc > 1, so loop
+ # over each PID. Note that start-stop-daemon has a --pid option, but it
+ # was introduced in dpkg 1.17.6, post wheezy, so we use a temporary
+ # pidfile instead to ease backports.
+ for pid in $(cat $PIDFILE); do
+ echo "$pid" > "$tmppid"
+ start-stop-daemon --quiet --oknodo --stop \
+ --retry 5 --pidfile "$tmppid" --exec $HAPROXY || ret=$?
+ done
+
+ rm -f "$tmppid"
+ [ $ret -eq 0 ] && rm -f $PIDFILE
+
+ return $ret
+}
+
+haproxy_reload()
+{
+ check_haproxy_config
+
+ $HAPROXY -f "$CONFIG" -p $PIDFILE -sf $(cat $PIDFILE) -D $EXTRAOPTS \
+ || return 2
+ return 0
+}
+
+haproxy_status()
+{
+ if [ ! -f $PIDFILE ] ; then
+ # program not running
+ return 3
+ fi
+
+ for pid in $(cat $PIDFILE) ; do
+ if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
+ # program running, bogus pidfile
+ return 1
+ fi
+ done
+
+ return 0
+}
+
+
+case "$1" in
+start)
+ log_daemon_msg "Starting haproxy" "${BASENAME}"
+ haproxy_start
+ ret=$?
+ case "$ret" in
+ 0)
+ log_end_msg 0
+ ;;
+ 1)
+ log_end_msg 1
+ echo "pid file '$PIDFILE' found, ${BASENAME} not started."
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+stop)
+ log_daemon_msg "Stopping haproxy" "${BASENAME}"
+ haproxy_stop
+ ret=$?
+ case "$ret" in
+ 0|1)
+ log_end_msg 0
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+reload|force-reload)
+ log_daemon_msg "Reloading haproxy" "${BASENAME}"
+ haproxy_reload
+ ret=$?
+ case "$ret" in
+ 0|1)
+ log_end_msg 0
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+restart)
+ log_daemon_msg "Restarting haproxy" "${BASENAME}"
+ haproxy_stop
+ haproxy_start
+ ret=$?
+ case "$ret" in
+ 0)
+ log_end_msg 0
+ ;;
+ 1)
+ log_end_msg 1
+ ;;
+ 2)
+ log_end_msg 1
+ ;;
+ esac
+ exit $ret
+ ;;
+status)
+ haproxy_status
+ ret=$?
+ case "$ret" in
+ 0)
+ echo "${BASENAME} is running."
+ ;;
+ 1)
+ echo "${BASENAME} dead, but $PIDFILE exists."
+ ;;
+ *)
+ echo "${BASENAME} not running."
+ ;;
+ esac
+ exit $ret
+ ;;
+*)
+ echo "Usage: /etc/init.d/${BASENAME} {start|stop|reload|restart|status}"
+ exit 2
+ ;;
+esac
+
+:
diff --git a/haproxy/debian/haproxy.install b/haproxy/debian/haproxy.install
new file mode 100644
index 0000000..fa41e38
--- /dev/null
+++ b/haproxy/debian/haproxy.install
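Review bot: `check_haproxy_config` in haproxy/debian/haproxy.init treats only exit status 1 from `$HAPROXY -c` as a failure (`if [ $? -eq 1 ]`), so any other non-zero status lets `haproxy_start` and `haproxy_reload` go ahead with a configuration that did not validate. Testing the command itself, `if ! $HAPROXY -c -f "$CONFIG" $EXTRAOPTS >/dev/null; then`, covers every failure status; whether some non-zero code is deliberately tolerated is not visible in this hunk, so confirm that before changing it. Separately, `$PIDFILE` is expanded unquoted in `[ ! -f $PIDFILE ]` and `rm -f $PIDFILE` while `"$CONFIG"` and `"$RUNDIR"` are quoted; writing `"$PIDFILE"` would be consistent with the rest of the script.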
@@ -0,0 +1,3 @@
+debian/haproxy.cfg etc/haproxy
+examples/errorfiles/*.http etc/haproxy/errors
+admin/systemd/haproxy.service lib/systemd/system
diff --git a/haproxy/debian/haproxy.maintscript b/haproxy/debian/haproxy.maintscript
new file mode 100644
index 0000000..7a45edb
--- /dev/null
+++ b/haproxy/debian/haproxy.maintscript
@@ -0,0 +1 @@
+mv_conffile /etc/rsyslog.d/haproxy.conf /etc/rsyslog.d/49-haproxy.conf 1.5.3-2~
diff --git a/haproxy/debian/haproxy.manpages b/haproxy/debian/haproxy.manpages
new file mode 100644
index 0000000..196ce88
--- /dev/null
+++ b/haproxy/debian/haproxy.manpages
@@ -0,0 +1 @@
+doc/haproxy.1
diff --git a/haproxy/debian/haproxy.postinst b/haproxy/debian/haproxy.postinst
new file mode 100644
index 0000000..08feb12
--- /dev/null
+++ b/haproxy/debian/haproxy.postinst
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+adduser --system --disabled-password --disabled-login --home /var/lib/haproxy \
+ --no-create-home --quiet --force-badname --group haproxy
+
+#DEBHELPER#
+
+if [ -n "$2" ]; then
+ if dpkg --compare-versions "$2" lt "1.8.0-1~" && [ -d /run/systemd/system ]; then
+ # Do a full restart when upgrading to 1.8 series on systemd, as
+ # the systemd wrapper is no longer there.
+ invoke-rc.d haproxy restart || true
+ elif dpkg --compare-versions "$2" gt "1.5~dev24-2~"; then
+ # Reload already running instances. Since 1.5~dev24-2 we do not stop
+ # haproxy in prerm during upgrades.
+ invoke-rc.d haproxy reload || true
+ fi
+fi
+
+exit 0
diff --git a/haproxy/debian/haproxy.postrm b/haproxy/debian/haproxy.postrm
new file mode 100644
index 0000000..5e41016
--- /dev/null
+++ b/haproxy/debian/haproxy.postrm
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+case "$1" in
+ purge)
+ deluser --system haproxy || true
+ delgroup --system haproxy || true
+ ;;
+ *)
+ ;;
+esac
+
+exit 0
diff --git a/haproxy/debian/haproxy.tmpfile b/haproxy/debian/haproxy.tmpfile
new file mode 100644
index 0000000..9978887
--- /dev/null
+++ b/haproxy/debian/haproxy.tmpfile
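Review bot: The `purge)` branch of haproxy/debian/haproxy.postrm deletes the `haproxy` system user and group, but the script removes no files, so anything on disk still owned by that UID/GID would belong to whichever account is later assigned the freed id. Leaving the locked system account in place on purge avoids that reuse problem; if the account really must go, the script should first remove or re-own what it owns. I would replace the `deluser`/`delgroup` lines with a comment such as `# keep the haproxy account: its UID/GID may still own files on disk`, or at least document the current choice there.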
@@ -0,0 +1 @@
+d /run/haproxy 2775 haproxy haproxy -
diff --git a/haproxy/debian/logrotate.conf b/haproxy/debian/logrotate.conf
new file mode 100644
index 0000000..0086ee1
--- /dev/null
+++ b/haproxy/debian/logrotate.conf
@@ -0,0 +1,11 @@
+/var/log/haproxy.log {
+ daily
+ rotate 7
+ missingok
+ notifempty
+ compress
+ delaycompress
+ postrotate
+ [ ! -x /usr/lib/rsyslog/rsyslog-rotate ] || /usr/lib/rsyslog/rsyslog-rotate
+ endscript
+}
diff --git a/haproxy/debian/patches/haproxy.service-add-documentation.patch b/haproxy/debian/patches/haproxy.service-add-documentation.patch
new file mode 100644
index 0000000..a60b0d1
--- /dev/null
+++ b/haproxy/debian/patches/haproxy.service-add-documentation.patch
@@ -0,0 +1,23 @@
+From: Debian HAProxy Maintainers
+
+Date: Sun, 25 Mar 2018 11:31:50 +0200
+Subject: Add documentation field to the systemd unit
+
+Forwarded: no
+Last-Update: 2014-01-03
+---
+ admin/systemd/haproxy.service.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/admin/systemd/haproxy.service.in b/admin/systemd/haproxy.service.in
+index 243acf2..ac88c37 100644
+--- a/admin/systemd/haproxy.service.in
++++ b/admin/systemd/haproxy.service.in
+@@ -1,5 +1,7 @@
+ [Unit]
+ Description=HAProxy Load Balancer
++Documentation=man:haproxy(1)
++Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
+ After=network-online.target rsyslog.service
+ Wants=network-online.target
+ 
diff --git a/haproxy/debian/patches/haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch b/haproxy/debian/patches/haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch
new file mode 100644
index 0000000..666f916
--- /dev/null
+++ b/haproxy/debian/patches/haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch
@@ -0,0 +1,21 @@
+From: Vincent Bernat
+Date: Thu, 25 Nov 2021 21:35:48 +0100
+Subject: haproxy.service: make systemd bind /dev/log inside chroot
+
+This enables logging to work without rsyslog being present.
+---
+ admin/systemd/haproxy.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/admin/systemd/haproxy.service.in b/admin/systemd/haproxy.service.in
+index 0288568..20824df 100644
+--- a/admin/systemd/haproxy.service.in
++++ b/admin/systemd/haproxy.service.in
+@@ -8,6 +8,7 @@ Wants=network-online.target
+ [Service]
+ EnvironmentFile=-/etc/default/haproxy
+ EnvironmentFile=-/etc/sysconfig/haproxy
++BindReadOnlyPaths=/dev/log:/var/lib/haproxy/dev/log
+ Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
+ ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
+ ExecReload=@SBINDIR@/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
diff --git a/haproxy/debian/patches/haproxy.service-start-after-syslog.patch b/haproxy/debian/patches/haproxy.service-start-after-syslog.patch
new file mode 100644
index 0000000..14577bd
--- /dev/null
+++ b/haproxy/debian/patches/haproxy.service-start-after-syslog.patch
@@ -0,0 +1,27 @@
+From: Apollon Oikonomopoulos
+Date: Sun, 25 Mar 2018 11:31:50 +0200
+Subject: Start after rsyslog.service
+
+As HAProxy is running chrooted by default, we rely on an additional syslog
+socket created by rsyslog inside the chroot for logging. As this socket cannot
+trigger syslog activation, we explicitly order HAProxy after rsyslog.service.
+Note that we are not using syslog.service here, since the additional socket is
+rsyslog-specific.
+Forwarded: no
+Last-Update: 2017-12-01
+---
+ admin/systemd/haproxy.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/admin/systemd/haproxy.service.in b/admin/systemd/haproxy.service.in
+index 74e66e3..243acf2 100644
+--- a/admin/systemd/haproxy.service.in
++++ b/admin/systemd/haproxy.service.in
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=HAProxy Load Balancer
+-After=network-online.target
++After=network-online.target rsyslog.service
+ Wants=network-online.target
+ 
+ [Service]
diff --git a/haproxy/debian/patches/reproducible.patch b/haproxy/debian/patches/reproducible.patch
new file mode 100644
index 0000000..bbc95b8
--- /dev/null
+++ b/haproxy/debian/patches/reproducible.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 566bdb26a3e7..8603dea25c21 100644
+--- a/Makefile
++++ b/Makefile
+@@ -975,7 +975,7 @@ src/haproxy.o: src/haproxy.c $(DEP)
+ -DBUILD_ARCH='"$(strip $(ARCH))"' \
+ -DBUILD_CPU='"$(strip $(CPU))"' \
+ -DBUILD_CC='"$(strip $(CC))"' \
+- -DBUILD_CFLAGS='"$(strip $(VERBOSE_CFLAGS))"' \
++ -DBUILD_CFLAGS='"$(filter-out -ffile-prefix-map=%,$(strip $(VERBOSE_CFLAGS)))"' \
+ -DBUILD_OPTIONS='"$(strip $(BUILD_OPTIONS))"' \
+ -DBUILD_DEBUG='"$(strip $(DEBUG))"' \
+ -DBUILD_FEATURES='"$(strip $(BUILD_FEATURES))"' \
diff --git a/haproxy/debian/patches/series b/haproxy/debian/patches/series
new file mode 100644
index 0000000..83412a7
--- /dev/null
+++ b/haproxy/debian/patches/series
@@ -0,0 +1,4 @@
+haproxy.service-start-after-syslog.patch
+haproxy.service-add-documentation.patch
+haproxy.service-make-systemd-bind-dev-log-inside-chroot.patch
+reproducible.patch
diff --git a/haproxy/debian/rsyslog.conf b/haproxy/debian/rsyslog.conf
new file mode 100644
index 0000000..36a1261
--- /dev/null
+++ b/haproxy/debian/rsyslog.conf
@@ -0,0 +1,9 @@
+# Create an additional socket in haproxy's chroot in order to allow logging via
+# /dev/log to chroot'ed HAProxy processes
+$AddUnixListenSocket /var/lib/haproxy/dev/log
+
+# Send HAProxy messages to a dedicated logfile
+:programname, startswith, "haproxy" {
+ /var/log/haproxy.log
+ stop
+}
diff --git a/haproxy/debian/rules b/haproxy/debian/rules
new file mode 100755
index 0000000..7cecbb7
--- /dev/null
+++ b/haproxy/debian/rules
@@ -0,0 +1,83 @@
+#!/usr/bin/make -f
+
+DEP_DIST_ROOT_LUA = $(shell realpath ../../deps/lua/dist)
+DEP_DIST_ROOT_PCRE2 = $(shell realpath ../../deps/pcre2/dist)
+DEP_DIST_ROOT_QUICTLS = $(shell realpath ../../deps/quictls/dist)
+
+BUILD_VERSION_REPOSHA = $(shell git rev-parse --short HEAD)
+
+MAKEARGS = DEBUG="-DDEBUG_STRICT -DDEBUG_MEMORY_POOLS" \
+ DEFINE="-DMAX_SESS_STKCTR=5" \
+ IGNOREGIT=true \
+ LDFLAGS="-Wl,-rpath,/opt/quictls/lib" \
+ TARGET="linux-glibc" \
+ EXTRAVERSION="+mangadex/$(BUILD_VERSION_REPOSHA)" \
+ VERDATE="$(shell date -u -I'minutes')" \
+ USE_DL=1 \
+ USE_GETADDRINFO=1 \
+ USE_LINUX_TPROXY=1 \
+ USE_LUA=1 \
+ LUA_INC="$(DEP_DIST_ROOT_LUA)/include" \
+ LUA_LIB="$(DEP_DIST_ROOT_LUA)/lib" \
+ LUA_LIB_NAME="lua" \
+ USE_OPENSSL=1 \
+ SSL_INC="$(DEP_DIST_ROOT_QUICTLS)/opt/quictls/include" \
+ SSL_LIB="$(DEP_DIST_ROOT_QUICTLS)/opt/quictls/lib" \
+ ADDINC="-lcrypt" \
+ USE_PCRE2=1 \
+ USE_PCRE2_JIT=1 \
+ USE_STATIC_PCRE2=1 \
+ PCRE2_INC="$(DEP_DIST_ROOT_PCRE2)/include" \
+ PCRE2_LIB="$(DEP_DIST_ROOT_PCRE2)/lib64" \
+ PCRE2_CONFIG="$(DEP_DIST_ROOT_PCRE2)/bin/pcre2-config" \
+ USE_PROMEX=1 \
+ USE_QUIC=1 \
+ USE_SLZ=1 \
+ USE_TFO=1 \
+ USE_SYSTEMD=1
+
+# Extra flags necessary for debian packaging
+MAKEARGS += DESTDIR=debian/haproxy
+MAKEARGS += PREFIX=/usr
+MAKEARGS += IGNOREGIT=true
+MAKEARGS += MANDIR=/usr/share/man
+MAKEARGS += DOCDIR=/usr/share/doc/haproxy
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+
+override_dh_auto_build-arch:
+ $(MAKE) -j $(shell nproc) $(MAKEARGS)
+ $(MAKE) -j $(shell nproc) -C admin/systemd $(MAKEARGS)
+
+override_dh_auto_clean:
+ $(MAKE) -j $(shell nproc) -C admin/systemd clean
+ dh_auto_clean
+
+override_dh_auto_install-arch:
+ cp -rf $(DEP_DIST_ROOT_QUICTLS)/opt debian/haproxy/opt
+ $(MAKE) -j $(shell nproc) $(MAKEARGS) install
+ install -m 0644 -D debian/rsyslog.conf debian/haproxy/etc/rsyslog.d/49-haproxy.conf
+ install -m 0644 -D debian/logrotate.conf debian/haproxy/etc/logrotate.d/haproxy
+
+override_dh_auto_install-indep:
+
+override_dh_installdocs:
+ dh_installdocs -Xsystemd/
+
+override_dh_installexamples:
+ dh_installexamples -X build.cfg
+
+override_dh_installinit:
+ dh_installinit --no-restart-after-upgrade --no-stop-on-upgrade
+
+override_dh_installsystemd:
+ dh_installsystemd --no-restart-after-upgrade --no-stop-on-upgrade
+
+override_dh_strip:
+ dh_strip --dbgsym-migration="haproxy-dbg"
+
+override_dh_dwz:
+ dh_dwz --exclude="openssl"
diff --git a/haproxy/debian/source/format b/haproxy/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/haproxy/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
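Review bot: In haproxy/debian/rules, `VERDATE="$(shell date -u -I'minutes')"` stamps the wall-clock build time into the binary, so two builds of the same commit differ even though this commit also ships reproducible.patch. Because `MAKEARGS`, `BUILD_VERSION_REPOSHA` and the `DEP_DIST_ROOT_*` variables use recursive `=`, the `date`, `git` and `realpath` calls also re-run on every `$(MAKEARGS)` expansion, so the build and install invocations can be handed different values. I would switch these to simple assignment and take the date from the packaging timestamp, e.g. `BUILD_VERSION_REPOSHA := $(shell git rev-parse --short HEAD)` and `VERDATE="$(shell date -u -d @$(SOURCE_DATE_EPOCH) -I'minutes')"` (this assumes the build driver exports SOURCE_DATE_EPOCH). A reproducible package is also what lets someone check that the shipped binary, and the quictls tree copied into `debian/haproxy/opt`, correspond to the stated sources.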