Commit Graph

863 Commits

Author SHA1 Message Date
David Carlier
4542b10ae1 MEDIUM: sample: add the da-csv converter
This diff declares the deviceatlas module and can accept up to 5
property names for the API lookup.

[wt: this should probably be moved to its own file using the keyword
      registration mechanism]
2015-06-02 13:24:50 +02:00
David Carlier
8167f30661 MEDIUM: config: add DeviceAtlas global keywords
This diff is for the DeviceAtlas convertor.

This patch adds the following converters :
  deviceatlas-json-file
  deviceatlas-log-level
  deviceatlas-property-separator

First, the configuration keywords handling (only the log
level configuration part does not end the haproxy process
if it is wrongly set, it fallbacks to the default level).
Furthermore, init, deinit phases and the API lookup phase,
the da_haproxy function which is fed by the input provided
and set all necessary properties chosen via the configuration
to the output, separated by the separator.
2015-06-02 13:24:44 +02:00
Remi Gacogne
47783ef05b MEDIUM: ssl: add the possibility to use a global DH parameters file
This patch adds the ssl-dh-param-file global setting. It sets the
default DH parameters that will be used during the SSL/TLS handshake when
ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines
which do not explicitely define theirs.
2015-05-31 22:02:00 +02:00
William Lallemand
6e62fb6405 MEDIUM: cfgparse: check section maximum number of arguments
This patch checks the number of arguments of the keywords:
'global', 'defaults', 'listen', 'backend', 'frontend', 'peers' and
'userlist'

The 'global' section does not take any arguments.

Proxy sections does not support bind address as argument anymore.  Those
sections supports only an <id> argument.

The 'defaults' section didn't had any check on its arguments. It takes
an optional <name> argument.

'peers' section takes a <peersect> argument.

'userlist' section takes a <listname> argument.
2015-05-28 18:43:03 +02:00
Willy Tarreau
51d861a44f MEDIUM: http: implement http-response redirect rules
Sometimes it's problematic not to have "http-response redirect" rules,
for example to perform a browser-based redirect based on certain server
conditions (eg: match of a header).

This patch adds "http-response redirect location <fmt>" which gives
enough flexibility for most imaginable operations. The connection to
the server is closed when this is performed so that we don't risk to
forward any pending data from the server.

Any pending response data are trimmed so that we don't risk to
forward anything pending to the client. It's harmless to also do that
for requests so we don't need to consider the direction.
2015-05-28 17:45:43 +02:00
Thierry FOURNIER
e80fadaaca MEDIUM: capture: adds http-response capture
This patch adds a http response capture keyword with the same behavior
as the previous patch called "MEDIUM: capture: Allow capture with slot
identifier".
2015-05-28 13:51:00 +02:00
Thierry FOURNIER
82bf70dff4 MEDIUM: capture: Allow capture with slot identifier
This patch modifies the current http-request capture function
and adds a new keyword "id" that permits to identify a capture slot.
If the identified doesn't exists, the action fails silently.

Note that this patch removs an unused list initilisation, which seems
to be inherited from a copy/paste. It's harmless and does not need to
be backported.

   LIST_INIT((struct list *)&rule->arg.act.p[0]);
2015-05-28 13:50:29 +02:00
Thierry FOURNIER
35ab27561e MINOR: capture: add two "capture" converters
This patch adds "capture-req" and "capture-res". These two converters
capture their entry in the allocated slot given in argument and pass
the input on the output.
2015-05-28 13:50:29 +02:00
Thierry FOURNIER
a0a1b75560 MINOR: proxy: custom capture declaration
This patch adds a new keyword called "declare". This keyword
allow to declare some capture slots in requests and response.
It is useful for sharing capture between frontend and backends.
2015-05-28 13:50:28 +02:00
Willy Tarreau
98d0485a90 MAJOR: config: remove the deprecated reqsetbe / reqisetbe actions
These ones were already obsoleted in 1.4, marked for removal in 1.5,
and not documented anymore. They used to emit warnings, and do still
require quite some code to stay in place. Let's remove them now.
2015-05-26 12:18:29 +02:00
Pavlos Parissis
1f673c72c1 DOC: Update doc about weight, act and bck fields in the statistics
Reorder description of the mentioned fields in order to match the
order of types
2015-05-26 07:28:38 +02:00
Joseph Lynch
726ab7145c MEDIUM: backend: Allow redispatch on retry intervals
For backend load balancing it sometimes makes sense to redispatch rather
than retrying against the same server. For example, when machines or routers
fail you may not want to waste time retrying against a dead server and
would instead prefer to immediately redispatch against other servers.

This patch allows backend sections to specify that they want to
redispatch on a particular interval. If the interval N is positive the
redispatch occurs on every Nth retry, and if the interval N is negative then
the redispatch occurs on the Nth retry prior to the last retry (-1 is the
default and maintains backwards compatibility). In low latency environments
tuning this setting can save a few hundred milliseconds when backends fail.
2015-05-22 07:07:40 +02:00
Thierry FOURNIER
9826c7781a DOC: http: req.body_param documentation
This patch adds the req.body_param documentation.
2015-05-20 16:06:11 +02:00
Willy Tarreau
1ede1daab6 MEDIUM: http: make url_param iterate over multiple occurrences
There are some situations hwere it's desirable to scan multiple occurrences
of a same parameter name in the query string. This change ensures this can
work, even with an empty name which will then iterate over all parameters.
2015-05-19 13:16:07 +02:00
Nenad Merdanovic
26ea822190 MINOR: Add sample fetch which identifies if the SSL session has been resumed
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-18 07:07:53 +02:00
Nenad Merdanovic
c6985f0f6c DOC: Document new socket commands "show tls-keys" and "set ssl tls-key"
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-16 11:28:04 +02:00
William Lallemand
b2f07451e5 MEDIUM: cfgparse: expand environment variables
Environment variables were expandables only in adresses.
Now there are expandables everywhere in the configuration file within
double quotes.

This patch breaks compatibility with the previous behavior of
environment variables in adresses, you must enclose adresses with double
quotes to make it work.
2015-05-12 15:28:20 +02:00
Baptiste Assmann
d60a9e5a39 DOC: tcpcheck comment documentation
Introduction of new tcpcheck comment directive and also update texpcheck
ruleset examples.
2015-05-12 11:06:21 +02:00
Thierry FOURNIER
82ff3c9b05 MINOR: sample: add url_dec converter
This converter decodes an url-encoded string. It takes a string as
input and returns string as output.
2015-05-11 11:40:36 +02:00
Willy Tarreau
a9083d0722 MEDIUM: http: add new "capture" action for http-request
This is only possible in frontends of course, but it will finally
make it possible to capture arbitrary http parts, including URL
parameters or parts of the message body.

It's worth noting that an ugly (char **) cast had to be done to
call sample_fetch_string() which is caused by a 5- or 6- levels
of inheritance of this type in the API. Here it's harmless since
the function uses it as a const, but this API madness must be
fixed, starting with the one or two rare functions that modify
the args and inflict this on each and every keyword parser.
(cherry picked from commit 484a4f38460593919a1c1d9a047a043198d69f45)
2015-05-08 15:43:54 +02:00
William Lallemand
f9873ba63a MEDIUM: cfgparse: introduce weak and strong quoting
This patch introduces quoting which allows to write configuration string
including spaces without escaping them.

Strong (with single quotes) and weak (with double quotes) quoting are
supported. Weak quoting supports escaping and special characters when
strong quoting does not interpret anything.

This patch could break configuration files where ' and " where used.
2015-05-05 21:05:44 +02:00
Willy Tarreau
7b7011ca37 DOC: update the doc on the proxy protocol
Mention a few new implementations and explain the TLV format used
for SSL/TLS.
2015-05-02 15:13:07 +02:00
Willy Tarreau
a5910cc6ef MEDIUM: http: provide 3 fetches for the body
Body processing is still fairly limited, but this is a start. It becomes
possible to apply regex to find contents in order to decide where to route
a request for example. Only the first chunk is parsed for now, and the
response is not yet available (the parsing function must be duplicated for
this).

req.body : binary
  This returns the HTTP request's available body as a block of data. It
  requires that the request body has been buffered made available using
  "option http-buffer-request". In case of chunked-encoded body, currently only
  the first chunk is analyzed.

req.body_len : integer
  This returns the length of the HTTP request's available body in bytes. It may
  be lower than the advertised length if the body is larger than the buffer. It
  requires that the request body has been buffered made available using
  "option http-buffer-request".

req.body_size : integer
  This returns the advertised length of the HTTP request's body in bytes. It
  will represent the advertised Content-Length header, or the size of the first
  chunk in case of chunked encoding. In order to parse the chunks, it requires
  that the request body has been buffered made available using
  "option http-buffer-request".
2015-05-02 00:46:08 +02:00
Willy Tarreau
9fbe18e174 MEDIUM: http: add a new option http-buffer-request
It is sometimes desirable to wait for the body of an HTTP request before
taking a decision. This is what is being done by "balance url_param" for
example. The first use case is to buffer requests from slow clients before
connecting to the server. Another use case consists in taking the routing
decision based on the request body's contents. This option placed in a
frontend or backend forces the HTTP processing to wait until either the whole
body is received, or the request buffer is full, or the first chunk is
complete in case of chunked encoding. It can have undesired side effects with
some applications abusing HTTP by expecting unbufferred transmissions between
the frontend and the backend, so this should definitely not be used by
default.

Note that it would not work for the response because we don't reset the
message state before starting to forward. For the response we need to
1) reset the message state to MSG_100_SENT or BODY , and 2) to reset
body_len in case of chunked encoding to avoid counting it twice.
2015-05-02 00:10:44 +02:00
Willy Tarreau
82649f9ef3 DOC: document option http-ignore-probes
This one was forgotten.
2015-05-01 22:43:17 +02:00
Willy Tarreau
1abc6731ed DOC: relax the peers restriction to single-process 2015-05-01 20:16:31 +02:00
Willy Tarreau
77e4bd1497 MEDIUM: peers: add the ability to disable a peers section
Sometimes it's very hard to disable the use of peers because an empty
section is not valid, so it is necessary to comment out all references
to the section, and not to forget to restore them in the same state
after the operation.

Let's add a "disabled" keyword just like for proxies. A ->state member
in the peers struct is even present for this purpose but was never used
at all.

Maybe it would make sense to backport this to 1.5 as it's really cumbersome
there.
2015-05-01 20:16:31 +02:00
Willy Tarreau
0f228a037a MEDIUM: http: add option-ignore-probes to get rid of the floods of 408
Recently some browsers started to implement a "pre-connect" feature
consisting in speculatively connecting to some recently visited web sites
just in case the user would like to visit them. This results in many
connections being established to web sites, which end up in 408 Request
Timeout if the timeout strikes first, or 400 Bad Request when the browser
decides to close them first. These ones pollute the log and feed the error
counters. There was already "option dontlognull" but it's insufficient in
this case. Instead, this option does the following things :
   - prevent any 400/408 message from being sent to the client if nothing
     was received over a connection before it was closed ;
   - prevent any log from being emitted in this situation ;
   - prevent any error counter from being incremented

That way the empty connection is silently ignored. Note that it is better
not to use this unless it is clear that it is needed, because it will hide
real problems. The most common reason for not receiving a request and seeing
a 408 is due to an MTU inconsistency between the client and an intermediary
element such as a VPN, which blocks too large packets. These issues are
generally seen with POST requests as well as GET with large cookies. The logs
are often the only way to detect them.

This patch should be backported to 1.5 since it avoids false alerts and
makes it easier to monitor haproxy's status.
2015-05-01 15:39:23 +02:00
Willy Tarreau
13317669d5 MEDIUM: http: disable support for HTTP/0.9 by default
There's not much reason for continuing to accept HTTP/0.9 requests
nowadays except for manual testing. Now we disable support for these
by default, unless option accept-invalid-http-request is specified,
in which case they continue to be upgraded to 1.0.
2015-05-01 14:57:54 +02:00
Willy Tarreau
91852eb428 MEDIUM: http: restrict the HTTP version token to 1 digit as per RFC7230
While RFC2616 used to allow an undeterminate amount of digits for the
major and minor components of the HTTP version, RFC7230 has reduced
that to a single digit for each.

If a server can't properly parse the version string and falls back to 0.9,
it could then send a head-less response whose payload would be taken for
headers, which could confuse downstream agents.

Since there's no more reason for supporting a version scheme that was
never used, let's upgrade to the updated version of the standard. It is
still possible to enforce support for the old behaviour using options
accept-invalid-http-request and accept-invalid-http-response.

It would be wise to backport this to 1.5 as well just in case.
2015-05-01 14:57:01 +02:00
Simon Horman
1421e21fe4 MEDIUM: Document when email-alerts are sent
Document the influence of email-alert level and other configuration
parameters on when email-alerts are sent.

Signed-off-by: Simon Horman <horms@verge.net.au>
2015-04-30 07:30:51 +02:00
Willy Tarreau
f3045d2a06 MAJOR: pattern: add LRU-based cache on pattern matching
The principle of this cache is to have a global cache for all pattern
matching operations which rely on lists (reg, sub, dir, dom, ...). The
input data, the expression and a random seed are used as a hashing key.
The cached entries contains a pointer to the expression and a revision
number for that expression so that we don't accidently used obsolete
data after a pattern update or a very unlikely hash collision.

Regarding the risk of collisions, 10k entries at 10k req/s mean 1% risk
of a collision after 60 years, that's already much less than the memory's
reliability in most machines and more durable than most admin's life
expectancy. A collision will result in a valid result to be returned
for a different entry from the same list. If this is not acceptable,
the cache can be disabled using tune.pattern.cache-size.

A test on a file containing 10k small regex showed that the regex
matching was limited to 6k/s instead of 70k with regular strings.
When enabling the LRU cache, the performance was back to 70k/s.
2015-04-29 19:15:24 +02:00
Andrew Hayworth
0ebc55f6b4 MEDIUM: logs: Add HTTP request-line log format directives
This commit adds 4 new log format variables that parse the
HTTP Request-Line for more specific logging than "%r" provides.

For example, we can parse the following HTTP Request-Line with
these new variables:

  "GET /foo?bar=baz HTTP/1.1"

- %HM: HTTP Method ("GET")
- %HV: HTTP Version ("HTTP/1.1")
- %HU: HTTP Request-URI ("/foo?bar=baz")
- %HP: HTTP Request-URI without query string ("/foo")
2015-04-28 21:03:05 +02:00
Jason Harvey
8310480499 DOC: Fix L4TOUT typo in documentation
Fix documentation typo. L4TMOUT->L4TOUT.
2015-04-21 18:20:06 +02:00
Willy Tarreau
e3a71ffc54 DOC: update the entities diagrams
The recent changes were significant enough to warrant an update to the
entities diagram. It tries to be accurate, though it doesn't represent
applets.
2015-04-21 14:15:40 +02:00
CJ Ess
108b1dd69d MEDIUM: http: configurable http result codes for http-request deny
This patch adds support for error codes 429 and 405 to Haproxy and a
"deny_status XXX" option to "http-request deny" where you can specify which
code is returned with 403 being the default. We really want to do this the
"haproxy way" and hope to have this patch included in the mainline. We'll
be happy address any feedback on how this is implemented.
2015-04-11 10:34:54 +02:00
Thierry FOURNIER
3def393f8d MINOR: lua: map system integration in Lua
This patch cretes a new Map class that permits to do some lookup in
HAProxy maps. This Map class is integration in the HAProxy update
system, so we can modify the map throught the socket.
2015-04-07 15:56:21 +02:00
Thierry FOURNIER
2e4893cb7f DOC: lua: some fixes
- remove trailing spces
 - update fetches ans converters documentation
2015-04-07 15:55:58 +02:00
Willy Tarreau
c91840aa33 MEDIUM: compression: add new "raw-deflate" compression algorithm
This algorithm is exactly the same as "deflate" without the zlib wrapper,
and used as an alternative when the browser wants "deflate". All major
browsers understand it and despite violating the standards, it is known
to work better than "deflate", at least on MSIE and some versions of
Safari. Do not use it in conjunction with "deflate", use either one or
the other since both react to the same Accept-Encoding token. Note that
the lack of Adler32 checksum makes it slightly faster.
2015-03-28 17:01:30 +01:00
Joseph Lynch
514061c414 MEDIUM: check: include server address and port in the send-state header
This fixes an issue that occurs when backend servers run on different
addresses or ports and you wish to healthcheck them via a consistent
port. For example, if you allocate backends dynamically as containers
that expose different ports and you use an inetd based healthchecking
component that runs on a dedicated port.

By adding the server address and port to the send-state header, the
healthcheck component can deduce which address and port to check by
reading the X-Haproxy-Server-State header out of the healthcheck and
parsing out the address and port.
2015-03-26 23:40:42 +01:00
Willy Tarreau
32f61e288d MEDIUM: lua: implement a simple memory allocator
Lua supports a memory allocator. This is very important as it's the
only way we can control the amount of memory allocatable by Lua scripts.
That avoids prevents bogus scripts from eating all of the system's memory.
The value can be enforced using tune.lua.maxmem in the global section.
2015-03-18 17:54:59 +01:00
Thierry FOURNIER
c798b5d282 MINOR: lua: add log functions
Thispatch adds global log function. Each log message is writed on
the stderr and is sent to the default syslog server. These two
actions are done according the configuration.
2015-03-18 11:34:06 +01:00
Thierry FOURNIER
486f5a059a DOC: lua: fix some typos
The class name before the function doesn't have the same
syntax than the declared class names.

The return code is not declared in the prototype of the function.

After the last API modification, the hello world example does not
yet run.
2015-03-18 11:34:06 +01:00
Thierry FOURNIER
08504f4e19 MINOR: lua: create and register HTTP class
This class is accessible via the TXN object. It is created only if
the attached proxy have HTTP mode. It contain all the HTTP
manipulation functions:

 - req_get_headers
 - req_del_header
 - req_rep_header
 - req_rep_value
 - req_add_header
 - req_set_header
 - req_set_method
 - req_set_path
 - req_set_query
 - req_set_uri

 - res_get_headers
 - res_del_header
 - res_rep_header
 - res_rep_value
 - res_add_header
 - res_set_header
2015-03-18 11:34:06 +01:00
Thierry FOURNIER
2cce3538ca MINOR: lua: txn: add function set_(loglevel|tos|mark)
This patch adds the "loglevel", "tos" and "mark" manipulation related to
one transaction.
2015-03-18 11:34:06 +01:00
Willy Tarreau
8747b6dbc8 [RELEASE] Released version 1.6-dev1
Released version 1.6-dev1 with the following main changes :
    - CLEANUP: extract temporary $CFG to eliminate duplication
    - CLEANUP: extract temporary $BIN to eliminate duplication
    - CLEANUP: extract temporary $PIDFILE to eliminate duplication
    - CLEANUP: extract temporary $LOCKFILE to eliminate duplication
    - CLEANUP: extract quiet_check() to avoid duplication
    - BUG/MINOR: don't start haproxy on reload
    - DOC: Address issue where documentation is excluded due to a gitignore rule.
    - BUG/MEDIUM: systemd: set KillMode to 'mixed'
    - BUILD: fix "make install" to support spaces in the install dirs
    - BUG/MINOR: config: http-request replace-header arg typo
    - BUG: config: error in http-response replace-header number of arguments
    - DOC: missing track-sc* in http-request rules
    - BUILD: lua: missing ifdef related to SSL when enabling LUA
    - BUG/MEDIUM: regex: fix pcre_study error handling
    - MEDIUM: regex: Use pcre_study always when PCRE is used, regardless of JIT
    - BUG/MINOR: Fix search for -p argument in systemd wrapper.
    - MEDIUM: Improve signal handling in systemd wrapper.
    - DOC: fix typo in Unix Socket commands
    - BUG/MEDIUM: checks: external checks can't change server status to UP
    - BUG/MEDIUM: checks: segfault with external checks in a backend section
    - BUG/MINOR: checks: external checks shouldn't wait for timeout to return the result
    - BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm
    - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
    - BUG/MINOR: config: don't propagate process binding for dynamic use_backend
    - BUG/MINOR: log: fix request flags when keep-alive is enabled
    - BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks
    - MINOR: checks: allow external checks in backend sections
    - MEDIUM: checks: provide environment variables to the external checks
    - MINOR: checks: update dynamic environment variables in external checks
    - DOC: checks: environment variables used by "external-check command"
    - BUG/MEDIUM: backend: correctly detect the domain when use_domain_only is used
    - MINOR: ssl: load certificates in alphabetical order
    - BUG/MINOR: checks: prevent http keep-alive with http-check expect
    - MINOR: lua: typo in an error message
    - MINOR: report the Lua version in -vv
    - MINOR: lua: add a compilation error message when compiled with an incompatible version
    - BUG/MEDIUM: lua: segfault when calling haproxy sample fetches from lua
    - BUILD: try to automatically detect the Lua library name
    - BUILD/CLEANUP: systemd: avoid a warning due to mixed code and declaration
    - BUG/MEDIUM: backend: Update hash to use unsigned int throughout
    - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
    - MEDIUM: connection: add new bit in Proxy Protocol V2
    - BUG/MINOR: ssl: rejects OCSP response without nextupdate.
    - BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses.
    - BUG/MINOR: ssl: Fix OCSP resp update fails with the same certificate configured twice.
    - BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
    - MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
    - MINOR: ssl: add statement to force some ssl options in global.
    - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
    - BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM.
    - BUG/MINOR: samples: fix unnecessary memcopy converting binary to string.
    - MINOR: samples: adds the bytes converter.
    - MINOR: samples: adds the field converter.
    - MINOR: samples: add the word converter.
    - BUG/MINOR: server: move the directive #endif to the end of file
    - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped
    - DOC: fix a few typos
    - CLEANUP: epoll: epoll_events should be allocated according to global.tune.maxpollevents
    - BUG/MINOR: http: fix typo: "401 Unauthorized" => "407 Unauthorized"
    - BUG/MINOR: parse: refer curproxy instead of proxy
    - BUG/MINOR: parse: check the validity of size string in a more strict way
    - BUILD: add new target 'make uninstall' to support uninstalling haproxy from OS
    - DOC: expand the docs for the provided stats.
    - BUG/MEDIUM: unix: do not unlink() abstract namespace sockets upon failure.
    - MEDIUM: ssl: Certificate Transparency support
    - MEDIUM: stats: proxied stats admin forms fix
    - MEDIUM: http: Compress HTTP responses with status codes 201,202,203 in addition to 200
    - BUG/MEDIUM: connection: sanitize PPv2 header length before parsing address information
    - MAJOR: namespace: add Linux network namespace support
    - MINOR: systemd: Check configuration before start
    - BUILD: ssl: handle boringssl in openssl version detection
    - BUILD: ssl: disable OCSP when using boringssl
    - BUILD: ssl: don't call get_rfc2409_prime when using boringssl
    - MINOR: ssl: don't use boringssl's cipher_list
    - BUILD: ssl: use OPENSSL_NO_OCSP to detect OCSP support
    - MINOR: stats: fix minor typo in HTML page
    - MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper
    - MEDIUM: Add support for configurable TLS ticket keys
    - DOC: Document the new tls-ticket-keys bind keyword
    - DOC: clearly state that the "show sess" output format is not fixed
    - MINOR: stats: fix minor typo fix in stats_dump_errors_to_buffer()
    - DOC: httplog does not support 'no'
    - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
    - MINOR: ssl: use SSL_get_ciphers() instead of directly accessing the cipher list.
    - BUG/MEDIUM: Consistently use 'check' in process_chk
    - MEDIUM: Add external check
    - BUG/MEDIUM: Do not set agent health to zero if server is disabled in config
    - MEDIUM/BUG: Only explicitly report "DOWN (agent)" if the agent health is zero
    - MEDIUM: Remove connect_chk
    - MEDIUM: Refactor init_check and move to checks.c
    - MEDIUM: Add free_check() helper
    - MEDIUM: Move proto and addr fields struct check
    - MEDIUM: Attach tcpcheck_rules to check
    - MEDIUM: Add parsing of mailers section
    - MEDIUM: Allow configuration of email alerts
    - MEDIUM: Support sending email alerts
    - DOC: Document email alerts
    - MINOR: Remove trailing '.' from email alert messages
    - MEDIUM: Allow suppression of email alerts by log level
    - BUG/MEDIUM: Do not consider an agent check as failed on L7 error
    - MINOR: deinit: fix memory leak
    - MINOR: http: export the function 'smp_fetch_base32'
    - BUG/MEDIUM: http: tarpit timeout is reset
    - MINOR: sample: add "json" converter
    - BUG/MEDIUM: pattern: don't load more than once a pattern list.
    - MINOR: map/acl/dumpstats: remove the "Done." message
    - BUG/MAJOR: ns: HAProxy segfault if the cli_conn is not from a network connection
    - BUG/MINOR: pattern: error message missing
    - BUG/MEDIUM: pattern: some entries are not deleted with case insensitive match
    - BUG/MINOR: ARG6 and ARG7 don't fit in a 32 bits word
    - MAJOR: poll: only rely on wake_expired_tasks() to compute the wait delay
    - MEDIUM: task: call session analyzers if the task is woken by a message.
    - MEDIUM: protocol: automatically pick the proto associated to the connection.
    - MEDIUM: channel: wake up any request analyzer on response activity
    - MINOR: converters: add a "void *private" argument to converters
    - MINOR: converters: give the session pointer as converter argument
    - MINOR: sample: add private argument to the struct sample_fetch
    - MINOR: global: export function and permits to not resolve DNS names
    - MINOR: sample: add function for browsing samples.
    - MINOR: global: export many symbols.
    - MINOR: includes: fix a lot of missing or useless includes
    - MEDIUM: tcp: add register keyword system.
    - MEDIUM: buffer: make bo_putblk/bo_putstr/bo_putchk return the number of bytes copied.
    - MEDIUM: http: change the code returned by the response processing rule functions
    - MEDIUM: http/tcp: permit to resume http and tcp custom actions
    - MINOR: channel: functions to get data from a buffer without copy
    - MEDIUM: lua: lua integration in the build and init system.
    - MINOR: lua: add ease functions
    - MINOR: lua: add runtime execution context
    - MEDIUM: lua: "com" signals
    - MINOR: lua: add the configuration directive "lua-load"
    - MINOR: lua: core: create "core" class and object
    - MINOR: lua: post initialisation bindings
    - MEDIUM: lua: add coroutine as tasks.
    - MINOR: lua: add sample and args type converters
    - MINOR: lua: txn: create class TXN associated with the transaction.
    - MINOR: lua: add shared context in the lua stack
    - MINOR: lua: txn: import existing sample-fetches in the class TXN
    - MINOR: lua: txn: add lua function in TXN that returns an array of http headers
    - MINOR: lua: register and execute sample-fetches in LUA
    - MINOR: lua: register and execute converters in LUA
    - MINOR: lua: add bindings for tcp and http actions
    - MINOR: lua: core: add sleep functions
    - MEDIUM: lua: socket: add "socket" class for TCP I/O
    - MINOR: lua: core: pattern and acl manipulation
    - MINOR: lua: channel: add "channel" class
    - MINOR: lua: txn: object "txn" provides two objects "channel"
    - MINOR: lua: core: can set the nice of the current task
    - MINOR: lua: core: can yield an execution stack
    - MINOR: lua: txn: add binding for closing the client connection.
    - MEDIUM: lua: Lua initialisation "on demand"
    - BUG/MAJOR: lua: send function fails and return bad bytes
    - MINOR: remove unused declaration.
    - MINOR: lua: remove some #define
    - MINOR: lua: use bitfield and macro in place of integer and enum
    - MINOR: lua: set skeleton for Lua execution expiration
    - MEDIUM: lua: each yielding function returns a wake up time.
    - MINOR: lua: adds "forced yield" flag
    - MEDIUM: lua: interrupt the Lua execution for running other process
    - MEDIUM: lua: change the sleep function core
    - BUG/MEDIUM: lua: the execution timeout is ignored in yield case
    - DOC: lua: Lua configuration documentation
    - MINOR: lua: add the struct session in the lua channel struct
    - BUG/MINOR: lua: set buffer if it is nnot avalaible.
    - BUG/MEDIUM: lua: reset flags before resuming execution
    - BUG/MEDIUM: lua: fix infinite loop about channel
    - BUG/MEDIUM: lua: the Lua process is not waked up after sending data on requests side
    - BUG/MEDIUM: lua: many errors when we try to send data with the channel API
    - MEDIUM: lua: use the Lua-5.3 version of the library
    - BUG/MAJOR: lua: some function are not yieldable, the forced yield causes errors
    - BUG/MEDIUM: lua: can't handle the response bytes
    - BUG/MEDIUM: lua: segfault with buffer_replace2
    - BUG/MINOR: lua: check buffers before initializing socket
    - BUG/MINOR: log: segfault if there are no proxy reference
    - BUG/MEDIUM: lua: sockets don't have buffer to write data
    - BUG/MEDIUM: lua: cannot connect socket
    - BUG/MINOR: lua: sockets receive behavior doesn't follows the specs
    - BUG/BUILD: lua: The strict Lua 5.3 version check is not done.
    - BUG/MEDIUM: buffer: one byte miss in buffer free space check
    - MEDIUM: lua: make the functions hlua_gethlua() and hlua_sethlua() faster
    - MINOR: replace the Core object by a simple model.
    - MEDIUM: lua: change the objects configuration
    - MEDIUM: lua: create a namespace for the fetches
    - MINOR: converters: add function to browse converters
    - MINOR: lua: wrapper for converters
    - MINOR: lua: replace function (req|get)_channel by a variable
    - MINOR: lua: fetches and converters can return an empty string in place of nil
    - DOC: lua api
    - BUG/MEDIUM: sample: fix random number upper-bound
    - BUG/MINOR: stats:Fix incorrect printf type.
    - BUG/MAJOR: session: revert all the crappy client-side timeout changes
    - BUG/MINOR: logs: properly initialize and count log sockets
    - BUG/MEDIUM: http: fetch "base" is not compatible with set-header
    - BUG/MINOR: counters: do not untrack counters before logging
    - BUG/MAJOR: sample: correctly reinitialize sample fetch context before calling sample_process()
    - MINOR: stick-table: make stktable_fetch_key() indicate why it failed
    - BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents
    - BUILD: remove TODO from the spec file and add README
    - MINOR: log: make MAX_SYSLOG_LEN overridable at build time
    - MEDIUM: log: support a user-configurable max log line length
    - DOC: provide an example of how to use ssl_c_sha1
    - BUILD: checks: external checker needs signal.h
    - BUILD: checks: kill a minor warning on Solaris in external checks
    - BUILD: http: fix isdigit & isspace warnings on Solaris
    - BUG/MINOR: listener: set the listener's fd to -1 after deletion
    - BUG/MEDIUM: unix: failed abstract socket binding is retryable
    - MEDIUM: listener: implement a per-protocol pause() function
    - MEDIUM: listener: support rebinding during resume()
    - BUG/MEDIUM: unix: completely unbind abstract sockets during a pause()
    - DOC: explicitly mention the limits of abstract namespace sockets
    - DOC: minor fix on {sc,src}_kbytes_{in,out}
    - DOC: fix alphabetical sort of converters
    - MEDIUM: stick-table: implement lookup from a sample fetch
    - MEDIUM: stick-table: add new converters to fetch table data
    - MINOR: samples: add two converters for the date format
    - BUG/MAJOR: http: correctly rewind the request body after start of forwarding
    - DOC: remove references to CPU=native in the README
    - DOC: mention that "compression offload" is ignored in defaults section
    - DOC: mention that Squid correctly responds 400 to PPv2 header
    - BUILD: fix dependencies between config and compat.h
    - MINOR: session: export the function 'smp_fetch_sc_stkctr'
    - MEDIUM: stick-table: make it easier to register extra data types
    - BUG/MINOR: http: base32+src should use the big endian version of base32
    - MINOR: sample: allow IP address to cast to binary
    - MINOR: sample: add new converters to hash input
    - MINOR: sample: allow integers to cast to binary
    - BUILD: report commit ID in git versions as well
    - CLEANUP: session: move the stick counters declarations to stick_table.h
    - MEDIUM: http: add the track-sc* actions to http-request rules
    - BUG/MEDIUM: connection: fix proxy v2 header again!
    - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc*
    - OPTIM/MINOR: proxy: reduce struct proxy by 48 bytes on 64-bit archs
    - MINOR: log: add a new field "%lc" to implement a per-frontend log counter
    - BUG/MEDIUM: http: fix inverted condition in pat_match_meth()
    - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs
    - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg()
    - BUG/MEDIUM: acl: correctly compute the output type when a converter is used
    - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix
    - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer
    - MEDIUM: http: enable header manipulation for 101 responses
    - BUG/MEDIUM: config: propagate frontend to backend process binding again.
    - MEDIUM: config: properly propagate process binding between proxies
    - MEDIUM: config: make the frontends automatically bind to the listeners' processes
    - MEDIUM: config: compute the exact bind-process before listener's maxaccept
    - MEDIUM: config: only warn if stats are attached to multi-process bind directives
    - MEDIUM: config: report it when tcp-request rules are misplaced
    - DOC: indicate in the doc that track-sc* can wait if data are missing
    - MINOR: config: detect the case where a tcp-request content rule has no inspect-delay
    - MEDIUM: systemd-wrapper: support multiple executable versions and names
    - BUG/MEDIUM: remove debugging code from systemd-wrapper
    - BUG/MEDIUM: http: adjust close mode when switching to backend
    - BUG/MINOR: config: don't propagate process binding on fatal errors.
    - BUG/MEDIUM: check: rule-less tcp-check must detect connect failures
    - BUG/MINOR: tcp-check: report the correct failed step in the status
    - DOC: indicate that weight zero is reported as DRAIN
    - BUG/MEDIUM: config: avoid skipping disabled proxies
    - BUG/MINOR: config: do not accept more track-sc than configured
    - BUG/MEDIUM: backend: fix URI hash when a query string is present
    - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
    - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
    - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
    - BUILD/MINOR: ssl: de-constify "ciphers" to avoid a warning on openssl-0.9.8
    - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
    - BUG/BUILD: revert accidental change in the makefile from latest SSL fix
    - BUG/MEDIUM: ssl: force a full GC in case of memory shortage
    - MEDIUM: ssl: add support for smaller SSL records
    - MINOR: session: release a few other pools when stopping
    - MINOR: task: release the task pool when stopping
    - BUG/MINOR: config: don't inherit the default balance algorithm in frontends
    - BUG/MAJOR: frontend: initialize capture pointers earlier
    - BUG/MINOR: stats: correctly set the request/response analysers
    - MAJOR: polling: centralize calls to I/O callbacks
    - DOC: fix typo in the body parser documentation for msg.sov
    - BUG/MINOR: peers: the buffer size is global.tune.bufsize, not trash.size
    - MINOR: sample: add a few basic internal fetches (nbproc, proc, stopping)
    - DEBUG: pools: apply poisonning on every allocated pool
    - BUG/MAJOR: sessions: unlink session from list on out of memory
    - BUG/MEDIUM: patterns: previous fix was incomplete
    - BUG/MEDIUM: payload: ensure that a request channel is available
    - BUG/MINOR: tcp-check: don't condition data polling on check type
    - BUG/MEDIUM: tcp-check: don't rely on random memory contents
    - BUG/MEDIUM: tcp-checks: disable quick-ack unless next rule is an expect
    - BUG/MINOR: config: fix typo in condition when propagating process binding
    - BUG/MEDIUM: config: do not propagate processes between stopped processes
    - BUG/MAJOR: stream-int: properly check the memory allocation return
    - BUG/MEDIUM: memory: fix freeing logic in pool_gc2()
    - BUG/MAJOR: namespaces: conn->target is not necessarily a server
    - BUG/MEDIUM: compression: correctly report zlib_mem
    - CLEANUP: lists: remove dead code
    - CLEANUP: memory: remove dead code
    - CLEANUP: memory: replace macros pool_alloc2/pool_free2 with functions
    - MINOR: memory: cut pool allocator in 3 layers
    - MEDIUM: memory: improve pool_refill_alloc() to pass a refill count
    - MINOR: stream-int: retrieve session pointer from stream-int
    - MINOR: buffer: reset a buffer in b_reset() and not channel_init()
    - MEDIUM: buffer: use b_alloc() to allocate and initialize a buffer
    - MINOR: buffer: move buffer initialization after channel initialization
    - MINOR: buffer: only use b_free to release buffers
    - MEDIUM: buffer: always assign a dummy empty buffer to channels
    - MEDIUM: buffer: add a new buf_wanted dummy buffer to report failed allocations
    - MEDIUM: channel: do not report full when buf_empty is present on a channel
    - MINOR: session: group buffer allocations together
    - MINOR: buffer: implement b_alloc_fast()
    - MEDIUM: buffer: implement b_alloc_margin()
    - MEDIUM: session: implement a basic atomic buffer allocator
    - MAJOR: session: implement a wait-queue for sessions who need a buffer
    - MAJOR: session: only allocate buffers when needed
    - MINOR: stats: report a "waiting" flags for sessions
    - MAJOR: session: only wake up as many sessions as available buffers permit
    - MINOR: config: implement global setting tune.buffers.reserve
    - MINOR: config: implement global setting tune.buffers.limit
    - MEDIUM: channel: implement a zero-copy buffer transfer
    - MEDIUM: stream-int: support splicing from applets
    - OPTIM: stream-int: try to send pending spliced data
    - CLEANUP: session: remove session_from_task()
    - DOC: add missing entry for log-format and clarify the text
    - MINOR: logs: add a new per-proxy "log-tag" directive
    - BUG/MEDIUM: http: fix header removal when previous header ends with pure LF
    - MINOR: config: extend the default max hostname length to 64 and beyond
    - BUG/MEDIUM: channel: fix possible integer overflow on reserved size computation
    - BUG/MINOR: channel: compare to_forward with buf->i, not buf->size
    - MINOR: channel: add channel_in_transit()
    - MEDIUM: channel: make buffer_reserved() use channel_in_transit()
    - MEDIUM: channel: make bi_avail() use channel_in_transit()
    - BUG/MEDIUM: channel: don't schedule data in transit for leaving until connected
    - CLEANUP: channel: rename channel_reserved -> channel_is_rewritable
    - MINOR: channel: rename channel_full() to !channel_may_recv()
    - MINOR: channel: rename buffer_reserved() to channel_reserved()
    - MINOR: channel: rename buffer_max_len() to channel_recv_limit()
    - MINOR: channel: rename bi_avail() to channel_recv_max()
    - MINOR: channel: rename bi_erase() to channel_truncate()
    - BUG/MAJOR: log: don't try to emit a log if no logger is set
    - MINOR: tools: add new round_2dig() function to round integers
    - MINOR: global: always export some SSL-specific metrics
    - MINOR: global: report information about the cost of SSL connections
    - MAJOR: init: automatically set maxconn and/or maxsslconn when possible
    - MINOR: http: add a new fetch "query" to extract the request's query string
    - MINOR: hash: add new function hash_crc32
    - MINOR: samples: provide a "crc32" converter
    - MEDIUM: backend: add the crc32 hash algorithm for load balancing
    - BUG/MINOR: args: add missing entry for ARGT_MAP in arg_type_names
    - BUG/MEDIUM: http: make http-request set-header compute the string before removal
    - MEDIUM: args: use #define to specify the number of bits used by arg types and counts
    - MEDIUM: args: increase arg type to 5 bits and limit arg count to 5
    - MINOR: args: add type-specific flags for each arg in a list
    - MINOR: args: implement a new arg type for regex : ARGT_REG
    - MEDIUM: regex: add support for passing regex flags to regex_exec_match()
    - MEDIUM: samples: add a regsub converter to perform regex-based transformations
    - BUG/MINOR: sample: fix case sensitivity for the regsub converter
    - MEDIUM: http: implement http-request set-{method,path,query,uri}
    - DOC: fix missing closing brackend on regsub
    - MEDIUM: samples: provide basic arithmetic and bitwise operators
    - MEDIUM: init: continue to enforce SYSTEM_MAXCONN with auto settings if set
    - BUG/MINOR: http: fix incorrect header value offset in replace-hdr/replace-value
    - BUG/MINOR: http: abort request processing on filter failure
    - MEDIUM: tcp: implement tcp-ut bind option to set TCP_USER_TIMEOUT
    - MINOR: ssl/server: add the "no-ssl-reuse" server option
    - BUG/MAJOR: peers: initialize s->buffer_wait when creating the session
    - MINOR: http: add a new function to iterate over each header line
    - MINOR: http: add the new sample fetches req.hdr_names and res.hdr_names
    - MEDIUM: task: always ensure that the run queue is consistent
    - BUILD: Makefile: add -Wdeclaration-after-statement
    - BUILD/CLEANUP: ssl: avoid a warning due to mixed code and declaration
    - BUILD/CLEANUP: config: silent 3 warnings about mixed declarations with code
    - MEDIUM: protocol: use a family array to index the protocol handlers
    - BUILD: lua: cleanup many mixed occurrences declarations & code
    - BUG/MEDIUM: task: fix recently introduced scheduler skew
    - BUG/MINOR: lua: report the correct function name in an error message
    - BUG/MAJOR: http: fix stats regression consecutive to HTTP_RULE_RES_YIELD
    - Revert "BUG/MEDIUM: lua: can't handle the response bytes"
    - MINOR: lua: convert IP addresses to type string
    - CLEANUP: lua: use the same function names in C and Lua
    - REORG/MAJOR: move session's req and resp channels back into the session
    - CLEANUP: remove now unused channel pool
    - REORG/MEDIUM: stream-int: introduce si_ic/si_oc to access channels
    - MEDIUM: stream-int: add a flag indicating which side the SI is on
    - MAJOR: stream-int: only rely on SI_FL_ISBACK to find the requested channel
    - MEDIUM: stream-interface: remove now unused pointers to channels
    - MEDIUM: stream-int: make si_sess() use the stream int's side
    - MEDIUM: stream-int: use si_task() to retrieve the task from the stream int
    - MEDIUM: stream-int: remove any reference to the owner
    - CLEANUP: stream-int: add si_ib/si_ob to dereference the buffers
    - CLEANUP: stream-int: add si_opposite() to find the other stream interface
    - REORG/MEDIUM: channel: only use chn_prod / chn_cons to find stream-interfaces
    - MEDIUM: channel: add a new flag "CF_ISRESP" for the response channel
    - MAJOR: channel: only rely on the new CF_ISRESP flag to find the SI
    - MEDIUM: channel: remove now unused ->prod and ->cons pointers
    - CLEANUP: session: simplify references to chn_{prod,cons}(&s->{req,res})
    - CLEANUP: session: use local variables to access channels / stream ints
    - CLEANUP: session: don't needlessly pass a pointer to the stream-int
    - CLEANUP: session: don't use si_{ic,oc} when we know the session.
    - CLEANUP: stream-int: limit usage of si_ic/si_oc
    - CLEANUP: lua: limit usage of si_ic/si_oc
    - MINOR: channel: add chn_sess() helper to retrieve session from channel
    - MEDIUM: session: simplify receive buffer allocator to only use the channel
    - MEDIUM: lua: use CF_ISRESP to detect the channel's side
    - CLEANUP: lua: remove the session pointer from hlua_channel
    - CLEANUP: lua: hlua_channel_new() doesn't need the pointer to the session anymore
    - MEDIUM: lua: remove struct hlua_channel
    - MEDIUM: lua: remove hlua_sample_fetch
2015-03-11 23:57:23 +01:00
Janusz Dziemidowicz
2c701b5f3b MEDIUM: ssl: Certificate Transparency support
Adds ability to include Signed Certificate Timestamp List in TLS
extension. File containing SCTL must be present at the same path of
the certificate file, suffixed with '.sctl'. This requires OpenSSL
1.0.2 or later.
2015-03-11 23:27:05 +01:00
Thierry FOURNIER
17bd152b58 DOC: lua api
This contains the Lua API documentation and the build environment
for Sphinx.
2015-03-11 20:41:33 +01:00
Thierry FOURNIER
90da191345 DOC: lua: Lua configuration documentation
This patch adds the documentation of the Lua configuration directives.
The documentation was read back by Andjelko Iharos.
2015-03-09 17:47:52 +01:00
Nenad Merdanovic
188ad3e9a2 DOC: Document the new tls-ticket-keys bind keyword
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-28 23:10:22 +01:00