Commit Graph

2915 Commits

Author SHA1 Message Date
Willy Tarreau
5a94037644 BUG/MEDIUM: comp: DEFAULT_MAXZLIBMEM was expressed in bytes and not megabytes
The value is stored in bytes but was not multiplied. It would only affect
packagers.
2012-12-03 14:22:12 +01:00
Dmitry Sivachenko
c9f3b45d7a DOC: add a few precisions on compression
Please consider the attached patch, I hope it will clarify haproxy's behavior a
bit.
2012-12-03 10:50:17 +01:00
Willy Tarreau
8139b9959f MINOR: compression: make the stats a bit more robust
To ensure that we only count when a response was compressed, we also
check for the SN_COMP_READY flag which indicates that the compression
was effectively initialized. Comp_algo alone is meaningless.
2012-11-27 09:34:00 +01:00
Willy Tarreau
9101535038 BUG/MINOR: http: disable compression when message has no body
Compression was not disabled on 1xx, 204, 304 nor HEAD requests. This
is not really a problem, but it reports more compressed responses than
really done.
2012-11-27 09:34:00 +01:00
Willy Tarreau
7d588eed78 BUILD: ssl: OpenSSL 0.9.6 has no renegociation
It did not build anymore on 0.9.6. Not very important but better fix it.
2012-11-26 18:47:31 +01:00
Emeric Brun
786991e8b7 BUG/MEDIUM: ssl: Fix handshake failure on session resumption with client cert.
Openssl session_id_context was not set on cached sessions so handshake returns an error.
2012-11-26 18:43:21 +01:00
Willy Tarreau
78bbeb4a99 BUG/MAJOR: stats: correctly check for a possible divide error when showing compression ratios
Commit 5730c68b changed to display compression ratios based on 2xx
responses, but we should then check that there are such responses
instead of checking for requests. The risk is a divide error if there
are some requests but no 2xx yet (eg: redirect).
2012-11-26 16:44:48 +01:00
Willy Tarreau
0a80a8dbb2 MINOR: http: factor out the content-type checks
Let's only look up the content-type header once. This involves
inverting the condition which is not dramatic.

Also, we now always check the value length before comparing it, and we
always reset the ctx.idx before looking a header up. Otherwise that
could make header lookups depend on their on-wire order. It would be
a minor issue however since at worst it would cause some responses not
to be compressed.
2012-11-26 16:36:00 +01:00
Willy Tarreau
5730c68b46 MINOR: stats: compute the ratio of compressed response based on 2xx responses
Since only responses with status 200 can be compressed, let's only count the
ratio of compressed responses on the basis of the 2xx responses and not all
of them. Note that responses 206 are still included in this count but it gives
a better figure, especially for places where authentication is used and 401 is
common.
2012-11-26 16:19:46 +01:00
William Lallemand
d300261bab MINOR: compression: disable on multipart or status != 200
The compression is disabled when the HTTP status code is not 200, indeed
compression on some HTTP code can create issues (ex: 206, 416).

Multipart message should not be compressed eitherway.
2012-11-26 16:02:58 +01:00
William Lallemand
859550e068 BUG/MINOR: compression: Content-Type is case insensitive
The Content-Type parameter must be case insensitive.
2012-11-26 16:02:58 +01:00
Willy Tarreau
f003d375ec BUG/MINOR: http: don't report client aborts as server errors
If a client aborts with an abortonclose flag, the close is forwarded
to the server and when server response is processed, the analyser thinks
it's the server who has closed first, and logs flags "SD" or "SH" and
counts a server error. In order to avoid this, we now first detect that
the client has closed and log a client abort instead.

This likely is the reason why many people have been observing a small rate
of SD/SH flags without being able to find what the error was.

This fix should probably be backported to 1.4.
2012-11-26 13:50:02 +01:00
Willy Tarreau
fee48ce452 [RELEASE] Released version 1.5-dev14
Released version 1.5-dev14 with the following main changes :
    - DOC: fix minor typos
    - BUG/MEDIUM: compression: does not forward trailers
    - MINOR: buffer_dump with ASCII
    - BUG/MEDIUM: checks: mark the check as stopped after a connect error
    - BUG/MEDIUM: checks: ensure we completely disable polling upon success
    - BUG/MINOR: checks: don't mark the FD as closed before transport close
    - MEDIUM: checks: avoid accumulating TIME_WAITs during checks
    - MINOR: cli: report the msg state in full text in "show sess $PTR"
    - CLEANUP: checks: rename some server check flags
    - MAJOR: checks: rework completely bogus state machine
    - BUG/MINOR: checks: slightly clean the state machine up
    - MEDIUM: checks: avoid waking the application up for pure TCP checks
    - MEDIUM: checks: close the socket as soon as we have a response
    - BUG/MAJOR: checks: close FD on all timeouts
    - MINOR: checks: fix recv polling after connect()
    - MEDIUM: connection: provide a common conn_full_close() function
    - BUG/MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts
    - BUG/MAJOR: peers: the listener's maxaccept was not set and caused loops
    - MINOR: listeners: make the accept loop more robust when maxaccept==0
    - BUG/MEDIUM: acl: correctly resolve all args, not just the first one
    - BUG/MEDIUM: acl: make prue_acl_expr() correctly free ACL expressions upon exit
    - BUG/MINOR: stats: fix inversion of the report of a check in progress
    - MEDIUM: tcp: add explicit support for delayed ACK in connect()
    - BUG/MEDIUM: connection: always disable polling upon error
    - MINOR: connection: abort earlier when errors are detected
    - BUG/MEDIUM: checks: report handshake failures
    - BUG/MEDIUM: connection: local_send_proxy must wait for connection to establish
    - MINOR: tcp: add support for the "v6only" bind option
    - MINOR: stats: also report the computed compression savings in html stats
    - MINOR: stats: report the total number of compressed responses per front/back
    - MINOR: tcp: add support for the "v4v6" bind option
    - DOC: stats: document the comp_rsp stats column
    - BUILD: buffer: fix another isprint() warning on solaris
    - MINOR: cli: add support for the "show sess all" command
    - BUG/MAJOR: cli: show sess <id> may randomly corrupt the back-ref list
    - MINOR: cli: improve output format for show sess $ptr
2012-11-26 03:11:05 +01:00
Willy Tarreau
909d517e3f MINOR: cli: improve output format for show sess $ptr
This change removes pointers for known types (stream_interface, ...),
adds buffer pointers and sizes, and moves buffer information to their
own line. The output is cleaner with shorter lines and slightly more
lines.
2012-11-26 03:04:41 +01:00
Willy Tarreau
5f9a8779b3 BUG/MAJOR: cli: show sess <id> may randomly corrupt the back-ref list
show sess <id> puts a backref into the session it's dumping. If the output
is interrupted, the backref cannot always be removed because it's only done
in the I/O handler. This can randomly corrupt the backref list when the
session closes, because it passes the pointer to the next session which
itself might be watched.

The case is hard to reproduce (hundreds of attempts) but monitoring systems
might encounter it frequently.

Thus we have to add a release handler which does the cleanup even when the
I/O handler is not called.

This issue should also be present in 1.4 so the patch should be backported.
2012-11-26 02:22:40 +01:00
Willy Tarreau
7615366c70 MINOR: cli: add support for the "show sess all" command
Sometimes when debugging haproxy, it is important to take a full
snapshot of all sessions and their respective states. Till now it
was complicated to do because we had to use scripts and sessions
would vanish between two runs.

Now with this command we have the same output as "show sess $id"
but for all sessions in the table. This is a debugging command only,
it should only be used by developers as it is never guaranteed to
perfectly work !
2012-11-26 01:18:33 +01:00
Willy Tarreau
95898ac211 BUILD: buffer: fix another isprint() warning on solaris
This one came with commit recent be0efd8. Solaris wants ints, not chars.
2012-11-26 00:57:40 +01:00
Willy Tarreau
11d4ec85d1 DOC: stats: document the comp_rsp stats column
This was forgotten in recent patch 5e16cbc3.
2012-11-26 00:49:03 +01:00
Willy Tarreau
77e3af9e6f MINOR: tcp: add support for the "v4v6" bind option
Commit 9b6700f added "v6only". As suggested by Vincent Bernat, it is
sometimes useful to have the opposite option to force binding to the
two protocols when the system is configured to bind to v6 only by
default. This option does exactly this. v6only still has precedence.
2012-11-24 15:07:23 +01:00
Willy Tarreau
5e16cbc3bd MINOR: stats: report the total number of compressed responses per front/back
Depending on the content-types and accept-encoding fields, some responses
might or might not be compressed. Let's have a counter of the number of
compressed responses and report it in the stats to help improve compression
usage.

Some cosmetic issues were fixed in the CSV output too (missing commas at the
end).
2012-11-24 14:54:13 +01:00
Willy Tarreau
f149d8f21e MINOR: stats: also report the computed compression savings in html stats
It's interesting to know the average compression ratio obtained on
frontends and backends without having to compute it by hand, so let's
report it in the HTML stats.
2012-11-24 14:06:49 +01:00
Willy Tarreau
9b6700f673 MINOR: tcp: add support for the "v6only" bind option
This option forces a socket to bind to IPv6 only when it uses the
default address (eg: ":::80").
2012-11-24 12:20:28 +01:00
Willy Tarreau
e3635edc88 BUG/MEDIUM: connection: local_send_proxy must wait for connection to establish
The conn_local_send_proxy() function has to retrieve the local and remote
addresses, but the getpeername() and getsockname() functions may fail until
the connection is established. So now we catch this error and poll for write
when this happens.
2012-11-24 11:23:04 +01:00
Willy Tarreau
6c560da279 BUG/MEDIUM: checks: report handshake failures
Up to now, only data layer failures were reported to the task, but
if a handshake failed from the beginning, the error was not reported
as a failure.
2012-11-24 11:14:45 +01:00
Willy Tarreau
9a92cd5985 MINOR: connection: abort earlier when errors are detected
If an uncaught CO_FL_ERROR flag on a connection is detected, we
immediately go to the wakeup function. This ensures that even if
an error is asynchronously delivered, we don't risk re-enabling
polling or doing unexpected things in the handshake handlers.
2012-11-24 11:12:13 +01:00
Willy Tarreau
36fb02c526 BUG/MEDIUM: connection: always disable polling upon error
Commit 0ffde2cc in 1.5-dev13 tried to always disable polling on file
descriptors when errors were encountered. Unfortunately it did not
always succeed in doing so because it relied on detecting polling
changes to disable it. Let's use a dedicated conn_stop_polling()
function that is inconditionally called upon error instead.

This managed to stop a busy loop observed when a health check makes
use of the send-proxy protocol and fails before the connection can
be established.
2012-11-24 11:09:07 +01:00
Willy Tarreau
f0837b259b MEDIUM: tcp: add explicit support for delayed ACK in connect()
Commit 24db47e0 tried to improve support for delayed ACK upon connect
but it was incomplete, because checks with the proxy protocol would
always enable polling for data receive and there was no way of
distinguishing data polling and delayed ack.

So we add a distinct delack flag to the connect() function so that
the caller decides whether or not to use a delayed ack regardless
of pending data (eg: when send-proxy is in use). Doing so covers all
combinations of { (check with data), (sendproxy), (smart-connect) }.
2012-11-24 10:24:27 +01:00
Willy Tarreau
0eb2bed561 BUG/MINOR: stats: fix inversion of the report of a check in progress
Recent fix for health checks 5a78f36d inverted the condition to display
a "*" in front of the check status on the stats page.
2012-11-24 00:20:24 +01:00
Willy Tarreau
4a6e5c6d69 BUG/MEDIUM: acl: make prue_acl_expr() correctly free ACL expressions upon exit
When leaving, during the deinit() process, prune_acl_expr() is called to
delete all ACL expressions. A bug was introduced with commit 34db1084 that
caused every other expression argument to be skipped, and more annoyingly,
it introduced the risk of scanning past the arg list and crashing or
freezing the old process during a reload.

Credits for finding this issue go to Dmitry Sivachenko who first reported
it, and second did a lot of research to narrow it down to a minimal
configuration.
2012-11-24 00:02:14 +01:00
Willy Tarreau
7d1df41171 BUG/MEDIUM: acl: correctly resolve all args, not just the first one
Since 1.5-dev9, ACLs support multiple args. The changes performed in
acl_find_targets() were bogus as they were not always applied to the
current argument being processed, but sometimes to the first one only.

Fortunately till now, all ACLs which support resolvable arguments have
it in the first place only, so there was no impact.
2012-11-23 23:47:36 +01:00
Dmitry Sivachenko
87c208b2c5 DOC: fix minor typos
I am attaching a small patch which fixes 2 typos.
2012-11-23 20:35:13 +01:00
Willy Tarreau
50de90a228 MINOR: listeners: make the accept loop more robust when maxaccept==0
If some listeners are mistakenly configured with 0 as the maxaccept value,
then we now consider them as limited to one accept() at a time. This will
avoid some issues as fixed by the past commit.
2012-11-23 20:22:10 +01:00
Willy Tarreau
ca57de3e7b BUG/MAJOR: peers: the listener's maxaccept was not set and caused loops
Recent commit 16a214 to move the maxaccept parameter to listeners didn't
set it on the peers' listeners, resulting in the value zero being used
there. This caused a busy loop for each peers section, because no incoming
connection could be accepted.

Thanks to Herv Commowick for reporting this issue.
2012-11-23 20:21:37 +01:00
Willy Tarreau
cfd97c6f04 BUG/MEDIUM: checks: prevent TIME_WAITs from appearing also on timeouts
We need to disable lingering before closing on timeout too, otherwise
we accumulate TIME_WAITs.
2012-11-23 17:35:59 +01:00
Willy Tarreau
2b199c9ac3 MEDIUM: connection: provide a common conn_full_close() function
Several places got the connection close sequence wrong because it
was not obvious. In practice we always need the same sequence when
aborting, so let's have a common function for this.
2012-11-23 17:32:21 +01:00
Willy Tarreau
db3b4a2891 MINOR: checks: fix recv polling after connect()
Commit a522f801 moved a call to __conn_data_want_recv() just after the
connect() call, which is not 100% correct. First, it does not take errors
into account, eventhough this is harmless. Second, this change will only
be taken into account after next call do conn_data_polling_update(), which
is not necessarily what is expected (eg: if an error is only reported on
the recv side).

So let's use conn_data_poll_recv() instead, which directly subscribes
the event to polling.
2012-11-23 16:32:33 +01:00
Willy Tarreau
b63b59641e BUG/MAJOR: checks: close FD on all timeouts
Since last commit, some timeouts were converted into an error to report
the status, and as a result, the socket was not closed because it was
supposed to have been done during the wake() call.

Close the socket as soon as the timeout is detected to fix the issue.
Also we now ensure to first initialize the connection flags.
2012-11-23 16:22:08 +01:00
Willy Tarreau
74fa7fbec9 MEDIUM: checks: close the socket as soon as we have a response
Until now, the check socked was closed in the task which handles the
check, which can sometimes be substantially later when many tasks are
running. It's much cleaner to close() in the wake call, which also
helps removing some FD management from the task itself.

The code is faster and smaller, and fast health checks show a more
predictable behaviour.
2012-11-23 14:43:49 +01:00
Willy Tarreau
24db47e0cc MEDIUM: checks: avoid waking the application up for pure TCP checks
Pure TCP checks only use the SYN/ACK in return to a SYN. By forcing
the system to use delayed ACKs, it is possible to send an RST instead
of the ACK and thus ensure that the application will never be needlessly
woken up. This avoids error logs or counters on checked components since
the application is never made aware of this connection which dies in the
network stack.
2012-11-23 14:18:39 +01:00
Willy Tarreau
acbdc7a760 BUG/MINOR: checks: slightly clean the state machine up
The process_chk() function still did not consider the the timeout when
it was woken up, so a spurious wakeup could trigger a false timeout. Some
checks were now redundant or could not be triggered (eg: L7 timeout).
So remove them and rearrange the timeout detection.
2012-11-23 14:02:57 +01:00
Willy Tarreau
5a78f36db3 MAJOR: checks: rework completely bogus state machine
The porting of checks to using connections was totally bogus. Some checks
were considered successful as soon as the connection was established,
regardless of any response. Some errors would be triggered upon recv
if polling was enabled for send or if the send channel was shut down.

Now the behaviour is much better. It would be cleaner to perform the
fd_delete() in wake_srv_chk() and to process failures and timeouts
separately, but this is already a good start.
2012-11-23 12:47:05 +01:00
Willy Tarreau
d3aac7088e CLEANUP: checks: rename some server check flags
Some server check flag names were not properly choosen and cause
analysis trouble, especially the CHK_RUNNING one which does not
mean that a check is running but that the server is running...

Here's the rename :
  CHK_RUNNING -> CHK_PASSED
  CHK_ERROR   -> CHK_FAILED
2012-11-23 11:32:12 +01:00
Willy Tarreau
e6d9702e7e MINOR: cli: report the msg state in full text in "show sess $PTR"
It's more convenient to debug with real state names.
2012-11-23 11:31:56 +01:00
William Lallemand
be0efd884d MINOR: buffer_dump with ASCII
Improve the buffer_dump function with ASCII output.
2012-11-23 11:13:16 +01:00
William Lallemand
00bf1dee9c BUG/MEDIUM: compression: does not forward trailers
The commit bf3ae617 introduced a regression about the forward of the
trailers in compression mode.
2012-11-23 11:12:33 +01:00
Willy Tarreau
fd29cc537b MEDIUM: checks: avoid accumulating TIME_WAITs during checks
Some checks which do not induce a close from the server accumulate
local TIME_WAIT sockets because they're cleanly shut down. Typically
TCP probes cause this. This is very problematic when there are many
servers, when the checks are fast or when local source ports are rare.

So now we'll disable lingering on the socket instead of sending a
shutdown. Before doing this we try to drain any possibly pending data.
That way we avoid sending an RST when the server has closed first.

This change means that some servers will see more RSTs, but this is
needed to avoid local source port starvation.
2012-11-23 09:18:20 +01:00
Willy Tarreau
ef8a719f70 BUG/MINOR: checks: don't mark the FD as closed before transport close
Some future transport layers might need the connection's file descriptor
on ->close(), so we must not destroy it before we're finished with it.
2012-11-23 09:05:05 +01:00
Willy Tarreau
a522f801fb BUG/MEDIUM: checks: ensure we completely disable polling upon success
When a check succeeds, it used to only disable receive events while
it should disable both directions. The problem is that if the send
event was reported too, it could re-enable the recv event. In theory
this is not a problem as the task is going to be woken up, but if
there are many tasks in the queue and this task is not processed
immediately, we could theorically face a storm of unprocessed events
(typically POLL_HUP).

So better stop both directions, prevent the send side from enabling
recv and have the process_chk() code enable both directions. This
will also help detecting closes before the check is sent.

Note that all this mess has been inherited from the old code that used
the fd as a flag to report if a check was running. We should have a
dedicated flag and perform the fd_delete() in wake_srv_chk() instead.
2012-11-23 09:03:59 +01:00
Willy Tarreau
6b0a850503 BUG/MEDIUM: checks: mark the check as stopped after a connect error
Health checks currently still use the connection's fd to know whether
a check is running (this needs to change). When a health check
immediately fails during connect() because of a lack of local resource
(eg: port), we failed to unset the fd, so each time the process_chk
woken up after such an error, it believed a check was still running
and used to close the fd again instead of starting a new check. This
could result in other connections being closed because they were
assigned the same fd value.

The bug is only marked medium because when this happens, the system
is already in a bad state.

A comment was added above tcp_connect_server() to clarify that the
fd is *not* valid on error.
2012-11-23 09:03:29 +01:00
Willy Tarreau
ad15d127a7 [RELEASE] Released version 1.5-dev13
Released version 1.5-dev13 with the following main changes :
    - BUILD: fix build issue without USE_OPENSSL
    - BUILD: fix compilation error with DEBUG_FULL
    - DOC: ssl: remove prefer-server-ciphers documentation
    - DOC: ssl: surround keywords with quotes
    - DOC: fix minor typo on http-send-name-header
    - BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs
    - BUG/MAJOR: fix a segfault on option http_proxy and url_ip acl
    - MEDIUM: http: accept IPv6 values with (s)hdr_ip acl
    - BUILD: report zlib support in haproxy -vv
    - DOC: compression: add some details and clean up the formatting
    - DOC: Change is_ssl acl to ssl_fc acl in example
    - DOC: make it clear what the HTTP request size is
    - MINOR: ssl: try to load Diffie-Hellman parameters from cert file
    - DOC: ssl: update 'crt' statement on 'bind' about Diffie-Hellman parameters loading
    - MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation
    - DOC: ssl: add 'ecdhe' statement on 'bind'
    - MEDIUM: ssl: add client certificate authentication support
    - DOC: ssl: add 'verify', 'cafile' and 'crlfile' statements on 'bind'
    - MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present
    - DOC: ssl: add fetch and ACL 'client_cert'
    - MINOR: ssl: add ignore verify errors options
    - DOC: ssl: add 'ca-ignore-err' and 'crt-ignore-err' statements on 'bind'
    - MINOR: ssl: add fetch and ACL 'ssl_verify_result'
    - DOC: ssl: add fetch and ACL 'ssl_verify_result'
    - MINOR: ssl: add fetches and ACLs to return verify errors
    - DOC: ssl: add fetches and ACLs 'ssl_verify_crterr', 'ssl_verify_caerr', and 'ssl_verify_crterr_depth'
    - MINOR: ssl: disable shared memory and locks on session cache if nbproc == 1
    - MINOR: ssl: add build param USE_PRIVATE_CACHE to build cache without shared memory
    - MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
    - DOC: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
    - MEDIUM: config: authorize frontend and listen without bind.
    - MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption
    - DOC: ssl: add 'no-tls-tickets' statement documentation.
    - BUG/MINOR: ssl: Fix CRL check was not enabled when crlfile was specified.
    - BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
    - BUG/MINOR: conf: Fix 'maxsslconn' statement error if built without OPENSSL.
    - BUG/MINOR: build: Fix failure with USE_OPENSSL=1 and USE_FUTEX=1 on archs i486 and i686.
    - MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.
    - BUG/MEDIUM: ssl: subsequent handshakes fail after server configuration changes
    - MINOR: ssl: add 'crt-base' and 'ca-base' global statements.
    - MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
    - MEDIUM: conf: rename 'cafile' and 'crlfile' statements 'ca-file' and 'crl-file'
    - MINOR: ssl: use bit fields to  store ssl options instead of one int each
    - MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind.
    - MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server
    - MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.
    - BUG/MINOR: ssl: Fix issue on server statements 'no-tls*' and 'no-sslv3'
    - MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
    - MEDIUM: ssl: reject ssl server keywords in default-server statement
    - MINOR: ssl: add statement 'no-tls-tickets' on server side.
    - MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers.
    - DOC: Fix rename of options cafile and crlfile to ca-file and crl-file.
    - MINOR: sample: manage binary to string type convertion in stick-table and samples.
    - MINOR: acl: add parse and match primitives to use binary type on ACLs
    - MINOR: sample: export 'sample_get_trash_chunk(void)'
    - MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize'
    - MINOR: ssl: add pattern fetch 'ssl_fc_session_id'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn'
    - MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter'
    - MINOR: ssl: add 'crt' statement on server.
    - MINOR: ssl: checks the consistency of a private key with the corresponding certificate
    - BUG/MEDIUM: ssl: review polling on reneg.
    - BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled.
    - BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server.
    - MINOR: build: allow packagers to specify the ssl cache size
    - MINOR: conf: add warning if ssl is not enabled and a certificate is present on bind.
    - MINOR: ssl: Add tune.ssl.lifetime statement in global.
    - MINOR: compression: Enable compression for IE6 w/SP2, IE7 and IE8
    - BUG: http: revert broken optimisation from 82fe75c1a7
    - DOC: duplicate ssl_sni section
    - MEDIUM: HTTP compression (zlib library support)
    - CLEANUP: use struct comp_ctx instead of union
    - BUILD: remove dependency to zlib.h
    - MINOR: compression: memlevel and windowsize
    - MEDIUM: use pool for zlib
    - MINOR: compression: try init in cfgparse.c
    - MINOR: compression: init before deleting headers
    - MEDIUM: compression: limit RAM usage
    - MINOR: compression: tune.comp.maxlevel
    - MINOR: compression: maximum compression rate limit
    - MINOR: log-format: check number of arguments in cfgparse.c
    - BUG/MEDIUM: compression: no Content-Type header but type in configuration
    - BUG/MINOR: compression: deinit zlib only when required
    - MEDIUM: compression: don't compress when no data
    - MEDIUM: compression: use pool for comp_ctx
    - MINOR: compression: rate limit in 'show info'
    - MINOR: compression: report zlib memory usage
    - BUG/MINOR: compression: dynamic level increase
    - DOC: compression: unsupported cases.
    - MINOR: compression: CPU usage limit
    - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
    - BUG/MAJOR: ssl: missing tests in ACL fetch functions
    - MINOR: config: add a function to indent error messages
    - REORG: split "protocols" files into protocol and listener
    - MEDIUM: config: replace ssl_conf by bind_conf
    - CLEANUP: listener: remove unused conf->file and conf->line
    - MEDIUM: listener: add a minimal framework to register "bind" keyword options
    - MEDIUM: config: move the "bind" TCP parameters to proto_tcp
    - MEDIUM: move bind SSL parsing to ssl_sock
    - MINOR: config: improve error reporting for "bind" lines
    - MEDIUM: config: move the common "bind" settings to listener.c
    - MEDIUM: config: move all unix-specific bind keywords to proto_uxst.c
    - MEDIUM: config: enumerate full list of registered "bind" keywords upon error
    - MINOR: listener: add a scope field in the bind keyword lists
    - MINOR: config: pass the file and line to config keyword parsers
    - MINOR: stats: fill the file and line numbers in the stats frontend
    - MINOR: config: set the bind_conf entry on listeners created from a "listen" line.
    - MAJOR: listeners: use dual-linked lists to chain listeners with frontends
    - REORG: listener: move unix perms from the listener to the bind_conf
    - BUG: backend: balance hdr was broken since 1.5-dev11
    - MINOR: standard: make memprintf() support a NULL destination
    - MINOR: config: make str2listener() use memprintf() to report errors.
    - MEDIUM: stats: remove the stats_sock struct from the global struct
    - MINOR: ssl: set the listeners' data layer to ssl during parsing
    - MEDIUM: stats: make use of the standard "bind" parsers to parse global socket
    - DOC: move bind options to their own section
    - DOC: stats: refer to "bind" section for "stats socket" settings
    - DOC: fix index to reference bind and server options
    - BUG: http: do not print garbage on invalid requests in debug mode
    - BUG/MINOR: config: check the proper pointer to report unknown protocol
    - CLEANUP: connection: offer conn_prepare() to set up a connection
    - CLEANUP: config: fix typo inteface => interface
    - BUG: stats: fix regression introduced by commit 4348fad1
    - MINOR: cli: allow to set frontend maxconn to zero
    - BUG/MAJOR: http: chunk parser was broken with buffer changes
    - MEDIUM: monitor: simplify handling of monitor-net and mode health
    - MINOR: connection: add a pointer to the connection owner
    - MEDIUM: connection: make use of the owner instead of container_of
    - BUG/MINOR: ssl: report the L4 connection as established when possible
    - BUG/MEDIUM: proxy: must not try to stop disabled proxies upon reload
    - BUG/MINOR: config: use a copy of the file name in proxy configurations
    - BUG/MEDIUM: listener: don't pause protocols that do not support it
    - MEDIUM: proxy: add the global frontend to the list of normal proxies
    - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
    - MINOR: signal: really ignore signals configured with no handler
    - MINOR: buffers: add a few functions to write chars, strings and blocks
    - MINOR: raw_sock: always report asynchronous connection errors
    - MEDIUM: raw_sock: improve connection error reporting
    - REORG: connection: rename the data layer the "transport layer"
    - REORG: connection: rename app_cb "data"
    - MINOR: connection: provide a generic data layer wakeup callback
    - MINOR: connection: split conn_prepare() in two functions
    - MINOR: connection: add an init callback to the data_cb struct
    - MEDIUM: session: use a specific data_cb for embryonic sessions
    - MEDIUM: connection: use a generic data-layer init() callback
    - MEDIUM: connection: reorganize connection flags
    - MEDIUM: connection: only call the data->wake callback on activity
    - MEDIUM: connection: make it possible for data->wake to return an error
    - MEDIUM: session: register a data->wake callback to process errors
    - MEDIUM: connection: don't call the data->init callback upon error
    - MEDIUM: connection: it's not the data layer's role to validate the connection
    - MEDIUM: connection: automatically disable polling on error
    - REORG: connection: move the PROXY protocol management to connection.c
    - MEDIUM: connection: add a new local send-proxy transport callback
    - MAJOR: checks: make use of the connection layer to send checks
    - REORG: server: move the check-specific parts into a check subsection
    - MEDIUM: checks: use real buffers to store requests and responses
    - MEDIUM: check: add the ctrl and transport layers in the server check structure
    - MAJOR: checks: completely use the connection transport layer
    - MEDIUM: checks: add the "check-ssl" server option
    - MEDIUM: checks: enable the PROXY protocol with health checks
    - CLEANUP: checks: remove minor warnings for assigned but not used variables
    - MEDIUM: tcp: enable TCP Fast Open on systems which support it
    - BUG: connection: fix regression from commit 9e272bf9
    - CLEANUP: cttproxy: remove a warning on undeclared close()
    - BUG/MAJOR: ensure that hdr_idx is always reserved when L7 fetches are used
    - MEDIUM: listener: add support for linux's accept4() syscall
    - MINOR: halog: sort output by cookie code
    - BUG/MINOR: halog: -ad/-ac report the correct number of output lines
    - BUG/MINOR: halog: fix help message for -ut/-uto
    - MINOR: halog: add a parameter to limit output line count
    - BUILD: accept4: move the socketcall declaration outside of accept4()
    - MINOR: server: add minimal infrastructure to parse keywords
    - MINOR: standard: make indent_msg() support empty messages
    - MEDIUM: server: check for registered keywords when parsing unknown keywords
    - MEDIUM: server: move parsing of keyword "id" to server.c
    - BUG/MEDIUM: config: check-send-proxy was ignored if SSL was not builtin
    - MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c
    - MEDIUM: log: suffix the frontend's name with '~' when using SSL
    - MEDIUM: connection: always unset the transport layer upon close
    - BUG/MINOR: session: fix some leftover from debug code
    - BUG/MEDIUM: session: enable the conn_session_update() callback
    - MEDIUM: connection: add a flag to hold the transport layer
    - MEDIUM: log: add a new LW_XPRT flag to pin the transport layer
    - MINOR: log: make lf_text use a const char *
    - MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv
    - REORG: http: rename msg->buf to msg->chn since it's a channel
    - CLEANUP: http: use 'chn' to name channel variables, not 'buf'
    - CLEANUP: channel: use 'chn' instead of 'buf' as local variable names
    - CLEANUP: tcp: use 'chn' instead of 'buf' or 'b' for channel pointer names
    - CLEANUP: stream_interface: use 'chn' instead of 'b' to name channel pointers
    - CLEANUP: acl: use 'chn' instead of 'b' to name channel pointers
    - MAJOR: channel: replace the struct buffer with a pointer to a buffer
    - OPTIM: channel: reorganize struct members to improve cache efficiency
    - CLEANUP: session: remove term_trace which is not used anymore
    - OPTIM: session: reorder struct session fields
    - OPTIM: connection: pack the struct target
    - DOC: document relations between internal entities
    - MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information
    - BUILD: ssl: fix shctx build on older compilers
    - MEDIUM: ssl: add support for the "npn" bind keyword
    - BUG: ssl: fix ssl_sni ACLs to correctly process regular expressions
    - MINOR: chunk: provide string compare functions
    - MINOR: sample: accept fetch keywords without parenthesis
    - MEDIUM: sample: pass an empty list instead of a null for fetch args
    - MINOR: ssl: improve socket behaviour upon handshake abort.
    - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode
    - MEDIUM: listener: provide a fallback for accept4() when not supported
    - BUG/MAJOR: connection: risk of crash on certain tricky close scenario
    - MEDIUM: cli: allow the stats socket to be bound to a specific set of processes
    - OPTIM: channel: inline channel_forward's fast path
    - OPTIM: http: inline http_parse_chunk_size() and http_skip_chunk_crlf()
    - OPTIM: tools: inline hex2i()
    - CLEANUP: http: rename HTTP_MSG_DATA_CRLF state
    - MINOR: compression: automatically disable compression for older browsers
    - MINOR: compression: optimize memLevel to improve byte rate
    - BUG/MINOR: http: compression should consider all Accept-Encoding header values
    - BUILD: fix coexistence of openssl and zlib
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial'
    - BUG/MEDIUM: command-line option -D must have precedence over "debug"
    - MINOR: tools: add a clear_addr() function to unset an address
    - BUG/MEDIUM: tcp: transparent bind to the source only when address is set
    - CLEANUP: remove trashlen
    - MAJOR: session: detach the connections from the stream interfaces
    - DOC: update document describing relations between internal entities
    - BUILD: make it possible to specify ZLIB path
    - MINOR: compression: add an offload option to remove the Accept-Encoding header
    - BUG: compression: disable auto-close and enable MSG_MORE during transfer
    - CLEANUP: completely remove trashlen
    - MINOR: chunk: add a function to reset a chunk
    - CLEANUP: replace chunk_printf() with chunk_appendf()
    - MEDIUM: make the trash be a chunk instead of a char *
    - MEDIUM: remove remains of BUFSIZE in HTTP auth and sample conversions
    - MEDIUM: stick-table: allocate the table key of size buffer size
    - BUG/MINOR: stream_interface: don't loop over ->snd_buf()
    - BUG/MINOR: session: ensure that we don't retry connection if some data were sent
    - OPTIM: session: don't process the whole session when only timers need a refresh
    - BUG/MINOR: session: mark the handshake as complete earlier
    - MAJOR: connection: remove the CO_FL_CURR_*_POL flag
    - BUG/MAJOR: always clear the CO_FL_WAIT_* flags after updating polling flags
    - MAJOR: sepoll: make the poller totally event-driven
    - OPTIM: stream_interface: disable reading when CF_READ_DONTWAIT is set
    - BUILD: compression: remove a build warning
    - MEDIUM: fd: don't unset fdtab[].updated upon delete
    - REORG: fd: move the speculative I/O management from ev_sepoll
    - REORG: fd: move the fd state management from ev_sepoll
    - REORG: fd: centralize the processing of speculative events
    - BUG: raw_sock: also consider ENOTCONN in addition to EAGAIN
    - BUILD: stream_interface: remove si_fd() and its references
    - BUILD: compression: enable build in BSD and OSX Makefiles
    - MAJOR: ev_select: make the poller support speculative events
    - MAJOR: ev_poll: make the poller support speculative events
    - MAJOR: ev_kqueue: make the poller support speculative events
    - MAJOR: polling: replace epoll with sepoll and remove sepoll
    - MAJOR: polling: remove unused callbacks from the poller struct
    - MEDIUM: http: refrain from sending "Connection: close" when Upgrade is present
    - CLEANUP: channel: remove any reference of the hijackers
    - CLEANUP: stream_interface: remove the external task type target
    - MAJOR: connection: replace struct target with a pointer to an enum
    - BUG: connection: fix typo in previous commit
    - BUG: polling: don't skip polled events in the spec list
    - MINOR: splice: disable it when the system returns EBADF
    - MINOR: build: allow packagers to specify the default maxzlibmem
    - BUG: halog: fix broken output limitation
    - BUG: proxy: fix server name lookup in get_backend_server()
    - BUG: compression: do not always increment the round counter on allocation failure
    - BUG/MEDIUM: compression: release the zlib pools between keep-alive requests
    - MINOR: global: don't prevent nbproc from being redefined
    - MINOR: config: support process ranges for "bind-process"
    - MEDIUM: global: add support for CPU binding on Linux ("cpu-map")
    - MINOR: ssl: rename and document the tune.ssl.cachesize option
    - DOC: update the PROXY protocol spec to support v2
    - MINOR: standard: add a simple popcount function
    - MEDIUM: adjust the maxaccept per listener depending on the number of processes
    - BUG: compression: properly disable compression when content-type does not match
    - MINOR: cli: report connection status in "show sess xxx"
    - BUG/MAJOR: stream_interface: certain workloads could cause get stuck
    - BUILD: cli: fix build when SSL is enabled
    - MINOR: cli: report the fd state in "show sess xxx"
    - MINOR: cli: report an error message on missing argument to compression rate
    - MINOR: http: add some debugging functions to pretty-print msg state names
    - BUG/MAJOR: stream_interface: read0 not always handled since dev12
    - DOC: documentation on http header capture is wrong
    - MINOR: http: allow the cookie capture size to be changed
    - DOC: http header capture has not been limited in size for a long time
    - DOC: update readme with build methods for BSD
    - BUILD: silence a warning on Solaris about usage of isdigit()
    - MINOR: stats: report HTTP compression stats per frontend and per backend
    - MINOR: log: add '%Tl' to log-format
    - MINOR: samples: update the url_param fetch to match parameters in the path
2012-11-22 01:11:33 +01:00