haproxy public development tree
Go to file
Willy Tarreau ad15d127a7 [RELEASE] Released version 1.5-dev13
Released version 1.5-dev13 with the following main changes :
    - BUILD: fix build issue without USE_OPENSSL
    - BUILD: fix compilation error with DEBUG_FULL
    - DOC: ssl: remove prefer-server-ciphers documentation
    - DOC: ssl: surround keywords with quotes
    - DOC: fix minor typo on http-send-name-header
    - BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs
    - BUG/MAJOR: fix a segfault on option http_proxy and url_ip acl
    - MEDIUM: http: accept IPv6 values with (s)hdr_ip acl
    - BUILD: report zlib support in haproxy -vv
    - DOC: compression: add some details and clean up the formatting
    - DOC: Change is_ssl acl to ssl_fc acl in example
    - DOC: make it clear what the HTTP request size is
    - MINOR: ssl: try to load Diffie-Hellman parameters from cert file
    - DOC: ssl: update 'crt' statement on 'bind' about Diffie-Hellman parameters loading
    - MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation
    - DOC: ssl: add 'ecdhe' statement on 'bind'
    - MEDIUM: ssl: add client certificate authentication support
    - DOC: ssl: add 'verify', 'cafile' and 'crlfile' statements on 'bind'
    - MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present
    - DOC: ssl: add fetch and ACL 'client_cert'
    - MINOR: ssl: add ignore verify errors options
    - DOC: ssl: add 'ca-ignore-err' and 'crt-ignore-err' statements on 'bind'
    - MINOR: ssl: add fetch and ACL 'ssl_verify_result'
    - DOC: ssl: add fetch and ACL 'ssl_verify_result'
    - MINOR: ssl: add fetches and ACLs to return verify errors
    - DOC: ssl: add fetches and ACLs 'ssl_verify_crterr', 'ssl_verify_caerr', and 'ssl_verify_crterr_depth'
    - MINOR: ssl: disable shared memory and locks on session cache if nbproc == 1
    - MINOR: ssl: add build param USE_PRIVATE_CACHE to build cache without shared memory
    - MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
    - DOC: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
    - MEDIUM: config: authorize frontend and listen without bind.
    - MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption
    - DOC: ssl: add 'no-tls-tickets' statement documentation.
    - BUG/MINOR: ssl: Fix CRL check was not enabled when crlfile was specified.
    - BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
    - BUG/MINOR: conf: Fix 'maxsslconn' statement error if built without OPENSSL.
    - BUG/MINOR: build: Fix failure with USE_OPENSSL=1 and USE_FUTEX=1 on archs i486 and i686.
    - MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.
    - BUG/MEDIUM: ssl: subsequent handshakes fail after server configuration changes
    - MINOR: ssl: add 'crt-base' and 'ca-base' global statements.
    - MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
    - MEDIUM: conf: rename 'cafile' and 'crlfile' statements 'ca-file' and 'crl-file'
    - MINOR: ssl: use bit fields to  store ssl options instead of one int each
    - MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind.
    - MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server
    - MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.
    - BUG/MINOR: ssl: Fix issue on server statements 'no-tls*' and 'no-sslv3'
    - MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
    - MEDIUM: ssl: reject ssl server keywords in default-server statement
    - MINOR: ssl: add statement 'no-tls-tickets' on server side.
    - MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers.
    - DOC: Fix rename of options cafile and crlfile to ca-file and crl-file.
    - MINOR: sample: manage binary to string type convertion in stick-table and samples.
    - MINOR: acl: add parse and match primitives to use binary type on ACLs
    - MINOR: sample: export 'sample_get_trash_chunk(void)'
    - MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize'
    - MINOR: ssl: add pattern fetch 'ssl_fc_session_id'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn'
    - MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg'
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter'
    - MINOR: ssl: add 'crt' statement on server.
    - MINOR: ssl: checks the consistency of a private key with the corresponding certificate
    - BUG/MEDIUM: ssl: review polling on reneg.
    - BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled.
    - BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server.
    - MINOR: build: allow packagers to specify the ssl cache size
    - MINOR: conf: add warning if ssl is not enabled and a certificate is present on bind.
    - MINOR: ssl: Add tune.ssl.lifetime statement in global.
    - MINOR: compression: Enable compression for IE6 w/SP2, IE7 and IE8
    - BUG: http: revert broken optimisation from 82fe75c1a7
    - DOC: duplicate ssl_sni section
    - MEDIUM: HTTP compression (zlib library support)
    - CLEANUP: use struct comp_ctx instead of union
    - BUILD: remove dependency to zlib.h
    - MINOR: compression: memlevel and windowsize
    - MEDIUM: use pool for zlib
    - MINOR: compression: try init in cfgparse.c
    - MINOR: compression: init before deleting headers
    - MEDIUM: compression: limit RAM usage
    - MINOR: compression: tune.comp.maxlevel
    - MINOR: compression: maximum compression rate limit
    - MINOR: log-format: check number of arguments in cfgparse.c
    - BUG/MEDIUM: compression: no Content-Type header but type in configuration
    - BUG/MINOR: compression: deinit zlib only when required
    - MEDIUM: compression: don't compress when no data
    - MEDIUM: compression: use pool for comp_ctx
    - MINOR: compression: rate limit in 'show info'
    - MINOR: compression: report zlib memory usage
    - BUG/MINOR: compression: dynamic level increase
    - DOC: compression: unsupported cases.
    - MINOR: compression: CPU usage limit
    - MEDIUM: http: add "redirect scheme" to ease HTTP to HTTPS redirection
    - BUG/MAJOR: ssl: missing tests in ACL fetch functions
    - MINOR: config: add a function to indent error messages
    - REORG: split "protocols" files into protocol and listener
    - MEDIUM: config: replace ssl_conf by bind_conf
    - CLEANUP: listener: remove unused conf->file and conf->line
    - MEDIUM: listener: add a minimal framework to register "bind" keyword options
    - MEDIUM: config: move the "bind" TCP parameters to proto_tcp
    - MEDIUM: move bind SSL parsing to ssl_sock
    - MINOR: config: improve error reporting for "bind" lines
    - MEDIUM: config: move the common "bind" settings to listener.c
    - MEDIUM: config: move all unix-specific bind keywords to proto_uxst.c
    - MEDIUM: config: enumerate full list of registered "bind" keywords upon error
    - MINOR: listener: add a scope field in the bind keyword lists
    - MINOR: config: pass the file and line to config keyword parsers
    - MINOR: stats: fill the file and line numbers in the stats frontend
    - MINOR: config: set the bind_conf entry on listeners created from a "listen" line.
    - MAJOR: listeners: use dual-linked lists to chain listeners with frontends
    - REORG: listener: move unix perms from the listener to the bind_conf
    - BUG: backend: balance hdr was broken since 1.5-dev11
    - MINOR: standard: make memprintf() support a NULL destination
    - MINOR: config: make str2listener() use memprintf() to report errors.
    - MEDIUM: stats: remove the stats_sock struct from the global struct
    - MINOR: ssl: set the listeners' data layer to ssl during parsing
    - MEDIUM: stats: make use of the standard "bind" parsers to parse global socket
    - DOC: move bind options to their own section
    - DOC: stats: refer to "bind" section for "stats socket" settings
    - DOC: fix index to reference bind and server options
    - BUG: http: do not print garbage on invalid requests in debug mode
    - BUG/MINOR: config: check the proper pointer to report unknown protocol
    - CLEANUP: connection: offer conn_prepare() to set up a connection
    - CLEANUP: config: fix typo inteface => interface
    - BUG: stats: fix regression introduced by commit 4348fad1
    - MINOR: cli: allow to set frontend maxconn to zero
    - BUG/MAJOR: http: chunk parser was broken with buffer changes
    - MEDIUM: monitor: simplify handling of monitor-net and mode health
    - MINOR: connection: add a pointer to the connection owner
    - MEDIUM: connection: make use of the owner instead of container_of
    - BUG/MINOR: ssl: report the L4 connection as established when possible
    - BUG/MEDIUM: proxy: must not try to stop disabled proxies upon reload
    - BUG/MINOR: config: use a copy of the file name in proxy configurations
    - BUG/MEDIUM: listener: don't pause protocols that do not support it
    - MEDIUM: proxy: add the global frontend to the list of normal proxies
    - BUG/MINOR: epoll: correctly disable FD polling in fd_rem()
    - MINOR: signal: really ignore signals configured with no handler
    - MINOR: buffers: add a few functions to write chars, strings and blocks
    - MINOR: raw_sock: always report asynchronous connection errors
    - MEDIUM: raw_sock: improve connection error reporting
    - REORG: connection: rename the data layer the "transport layer"
    - REORG: connection: rename app_cb "data"
    - MINOR: connection: provide a generic data layer wakeup callback
    - MINOR: connection: split conn_prepare() in two functions
    - MINOR: connection: add an init callback to the data_cb struct
    - MEDIUM: session: use a specific data_cb for embryonic sessions
    - MEDIUM: connection: use a generic data-layer init() callback
    - MEDIUM: connection: reorganize connection flags
    - MEDIUM: connection: only call the data->wake callback on activity
    - MEDIUM: connection: make it possible for data->wake to return an error
    - MEDIUM: session: register a data->wake callback to process errors
    - MEDIUM: connection: don't call the data->init callback upon error
    - MEDIUM: connection: it's not the data layer's role to validate the connection
    - MEDIUM: connection: automatically disable polling on error
    - REORG: connection: move the PROXY protocol management to connection.c
    - MEDIUM: connection: add a new local send-proxy transport callback
    - MAJOR: checks: make use of the connection layer to send checks
    - REORG: server: move the check-specific parts into a check subsection
    - MEDIUM: checks: use real buffers to store requests and responses
    - MEDIUM: check: add the ctrl and transport layers in the server check structure
    - MAJOR: checks: completely use the connection transport layer
    - MEDIUM: checks: add the "check-ssl" server option
    - MEDIUM: checks: enable the PROXY protocol with health checks
    - CLEANUP: checks: remove minor warnings for assigned but not used variables
    - MEDIUM: tcp: enable TCP Fast Open on systems which support it
    - BUG: connection: fix regression from commit 9e272bf9
    - CLEANUP: cttproxy: remove a warning on undeclared close()
    - BUG/MAJOR: ensure that hdr_idx is always reserved when L7 fetches are used
    - MEDIUM: listener: add support for linux's accept4() syscall
    - MINOR: halog: sort output by cookie code
    - BUG/MINOR: halog: -ad/-ac report the correct number of output lines
    - BUG/MINOR: halog: fix help message for -ut/-uto
    - MINOR: halog: add a parameter to limit output line count
    - BUILD: accept4: move the socketcall declaration outside of accept4()
    - MINOR: server: add minimal infrastructure to parse keywords
    - MINOR: standard: make indent_msg() support empty messages
    - MEDIUM: server: check for registered keywords when parsing unknown keywords
    - MEDIUM: server: move parsing of keyword "id" to server.c
    - BUG/MEDIUM: config: check-send-proxy was ignored if SSL was not builtin
    - MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c
    - MEDIUM: log: suffix the frontend's name with '~' when using SSL
    - MEDIUM: connection: always unset the transport layer upon close
    - BUG/MINOR: session: fix some leftover from debug code
    - BUG/MEDIUM: session: enable the conn_session_update() callback
    - MEDIUM: connection: add a flag to hold the transport layer
    - MEDIUM: log: add a new LW_XPRT flag to pin the transport layer
    - MINOR: log: make lf_text use a const char *
    - MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv
    - REORG: http: rename msg->buf to msg->chn since it's a channel
    - CLEANUP: http: use 'chn' to name channel variables, not 'buf'
    - CLEANUP: channel: use 'chn' instead of 'buf' as local variable names
    - CLEANUP: tcp: use 'chn' instead of 'buf' or 'b' for channel pointer names
    - CLEANUP: stream_interface: use 'chn' instead of 'b' to name channel pointers
    - CLEANUP: acl: use 'chn' instead of 'b' to name channel pointers
    - MAJOR: channel: replace the struct buffer with a pointer to a buffer
    - OPTIM: channel: reorganize struct members to improve cache efficiency
    - CLEANUP: session: remove term_trace which is not used anymore
    - OPTIM: session: reorder struct session fields
    - OPTIM: connection: pack the struct target
    - DOC: document relations between internal entities
    - MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information
    - BUILD: ssl: fix shctx build on older compilers
    - MEDIUM: ssl: add support for the "npn" bind keyword
    - BUG: ssl: fix ssl_sni ACLs to correctly process regular expressions
    - MINOR: chunk: provide string compare functions
    - MINOR: sample: accept fetch keywords without parenthesis
    - MEDIUM: sample: pass an empty list instead of a null for fetch args
    - MINOR: ssl: improve socket behaviour upon handshake abort.
    - BUG/MEDIUM: http: set DONTWAIT on data when switching to tunnel mode
    - MEDIUM: listener: provide a fallback for accept4() when not supported
    - BUG/MAJOR: connection: risk of crash on certain tricky close scenario
    - MEDIUM: cli: allow the stats socket to be bound to a specific set of processes
    - OPTIM: channel: inline channel_forward's fast path
    - OPTIM: http: inline http_parse_chunk_size() and http_skip_chunk_crlf()
    - OPTIM: tools: inline hex2i()
    - CLEANUP: http: rename HTTP_MSG_DATA_CRLF state
    - MINOR: compression: automatically disable compression for older browsers
    - MINOR: compression: optimize memLevel to improve byte rate
    - BUG/MINOR: http: compression should consider all Accept-Encoding header values
    - BUILD: fix coexistence of openssl and zlib
    - MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial'
    - BUG/MEDIUM: command-line option -D must have precedence over "debug"
    - MINOR: tools: add a clear_addr() function to unset an address
    - BUG/MEDIUM: tcp: transparent bind to the source only when address is set
    - CLEANUP: remove trashlen
    - MAJOR: session: detach the connections from the stream interfaces
    - DOC: update document describing relations between internal entities
    - BUILD: make it possible to specify ZLIB path
    - MINOR: compression: add an offload option to remove the Accept-Encoding header
    - BUG: compression: disable auto-close and enable MSG_MORE during transfer
    - CLEANUP: completely remove trashlen
    - MINOR: chunk: add a function to reset a chunk
    - CLEANUP: replace chunk_printf() with chunk_appendf()
    - MEDIUM: make the trash be a chunk instead of a char *
    - MEDIUM: remove remains of BUFSIZE in HTTP auth and sample conversions
    - MEDIUM: stick-table: allocate the table key of size buffer size
    - BUG/MINOR: stream_interface: don't loop over ->snd_buf()
    - BUG/MINOR: session: ensure that we don't retry connection if some data were sent
    - OPTIM: session: don't process the whole session when only timers need a refresh
    - BUG/MINOR: session: mark the handshake as complete earlier
    - MAJOR: connection: remove the CO_FL_CURR_*_POL flag
    - BUG/MAJOR: always clear the CO_FL_WAIT_* flags after updating polling flags
    - MAJOR: sepoll: make the poller totally event-driven
    - OPTIM: stream_interface: disable reading when CF_READ_DONTWAIT is set
    - BUILD: compression: remove a build warning
    - MEDIUM: fd: don't unset fdtab[].updated upon delete
    - REORG: fd: move the speculative I/O management from ev_sepoll
    - REORG: fd: move the fd state management from ev_sepoll
    - REORG: fd: centralize the processing of speculative events
    - BUG: raw_sock: also consider ENOTCONN in addition to EAGAIN
    - BUILD: stream_interface: remove si_fd() and its references
    - BUILD: compression: enable build in BSD and OSX Makefiles
    - MAJOR: ev_select: make the poller support speculative events
    - MAJOR: ev_poll: make the poller support speculative events
    - MAJOR: ev_kqueue: make the poller support speculative events
    - MAJOR: polling: replace epoll with sepoll and remove sepoll
    - MAJOR: polling: remove unused callbacks from the poller struct
    - MEDIUM: http: refrain from sending "Connection: close" when Upgrade is present
    - CLEANUP: channel: remove any reference of the hijackers
    - CLEANUP: stream_interface: remove the external task type target
    - MAJOR: connection: replace struct target with a pointer to an enum
    - BUG: connection: fix typo in previous commit
    - BUG: polling: don't skip polled events in the spec list
    - MINOR: splice: disable it when the system returns EBADF
    - MINOR: build: allow packagers to specify the default maxzlibmem
    - BUG: halog: fix broken output limitation
    - BUG: proxy: fix server name lookup in get_backend_server()
    - BUG: compression: do not always increment the round counter on allocation failure
    - BUG/MEDIUM: compression: release the zlib pools between keep-alive requests
    - MINOR: global: don't prevent nbproc from being redefined
    - MINOR: config: support process ranges for "bind-process"
    - MEDIUM: global: add support for CPU binding on Linux ("cpu-map")
    - MINOR: ssl: rename and document the tune.ssl.cachesize option
    - DOC: update the PROXY protocol spec to support v2
    - MINOR: standard: add a simple popcount function
    - MEDIUM: adjust the maxaccept per listener depending on the number of processes
    - BUG: compression: properly disable compression when content-type does not match
    - MINOR: cli: report connection status in "show sess xxx"
    - BUG/MAJOR: stream_interface: certain workloads could cause get stuck
    - BUILD: cli: fix build when SSL is enabled
    - MINOR: cli: report the fd state in "show sess xxx"
    - MINOR: cli: report an error message on missing argument to compression rate
    - MINOR: http: add some debugging functions to pretty-print msg state names
    - BUG/MAJOR: stream_interface: read0 not always handled since dev12
    - DOC: documentation on http header capture is wrong
    - MINOR: http: allow the cookie capture size to be changed
    - DOC: http header capture has not been limited in size for a long time
    - DOC: update readme with build methods for BSD
    - BUILD: silence a warning on Solaris about usage of isdigit()
    - MINOR: stats: report HTTP compression stats per frontend and per backend
    - MINOR: log: add '%Tl' to log-format
    - MINOR: samples: update the url_param fetch to match parameters in the path
2012-11-22 01:11:33 +01:00
contrib BUG: halog: fix broken output limitation 2012-11-13 20:48:15 +01:00
doc [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00
ebtree BUG/MEDIUM: ebtree: ebmb_insert() must not call cmp_bits on full-length matches 2012-06-09 18:48:22 +02:00
examples [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00
include MINOR: stats: report HTTP compression stats per frontend and per backend 2012-11-22 01:07:40 +01:00
src MINOR: stats: report HTTP compression stats per frontend and per backend 2012-11-22 01:07:40 +01:00
tests BUG/MAJOR: trash must always be the size of a buffer 2012-05-16 14:21:55 +02:00
.gitignore [CLEANUP] update .gitignore to ignore more temporary files 2008-03-07 09:39:37 +01:00
CHANGELOG [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00
LICENSE LICENSE: add licence exception for OpenSSL 2012-09-07 13:52:26 +02:00
Makefile MEDIUM: global: add support for CPU binding on Linux ("cpu-map") 2012-11-16 16:16:53 +01:00
Makefile.bsd BUILD: compression: enable build in BSD and OSX Makefiles 2012-11-11 20:53:29 +01:00
Makefile.osx BUILD: compression: enable build in BSD and OSX Makefiles 2012-11-11 20:53:29 +01:00
README [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00
ROADMAP [DOC] update ROADMAP file 2011-09-10 23:40:59 +02:00
SUBVERS
TODO
VERDATE [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00
VERSION [RELEASE] Released version 1.5-dev13 2012-11-22 01:11:33 +01:00

                         ----------------------
                             HAProxy how-to
                         ----------------------
                            version 1.5-dev13
                             willy tarreau
                               2012/11/22


1) How to build it
------------------

To build haproxy, you will need :
  - GNU make. Neither Solaris nor OpenBSD's make work with the GNU Makefile.
    However, specific Makefiles for BSD and OSX are provided.
  - GCC between 2.91 and 4.5.0. Others may work, but not tested.
  - GNU ld

Also, you might want to build with libpcre support, which will provide a very
efficient regex implementation and will also fix some badness on Solaris' one.

To build haproxy, you have to choose your target OS amongst the following ones
and assign it to the TARGET variable :

  - linux22     for Linux 2.2
  - linux24     for Linux 2.4 and above (default)
  - linux24e    for Linux 2.4 with support for a working epoll (> 0.21)
  - linux26     for Linux 2.6 and above
  - linux2628   for Linux 2.6.28 and above (enables splice and tproxy)
  - solaris     for Solaris 8 or 10 (others untested)
  - freebsd     for FreeBSD 5 to 8.0 (others untested)
  - openbsd     for OpenBSD 3.1 to 5.2 (others untested)
  - aix52       for AIX 5.2
  - cygwin      for Cygwin
  - generic     for any other OS.
  - custom      to manually adjust every setting

You may also choose your CPU to benefit from some optimizations. This is
particularly important on UltraSparc machines. For this, you can assign
one of the following choices to the CPU variable :

  - i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon
  - i586 for intel Pentium, AMD K6, VIA C3.
  - ultrasparc : Sun UltraSparc I/II/III/IV processor
  - native : use the build machine's specific processor optimizations
  - generic : any other processor or no specific optimization. (default)

Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options
for your platform.

You may want to build specific target binaries which do not match your native
compiler's target. This is particularly true on 64-bit systems when you want
to build a 32-bit binary. Use the ARCH variable for this purpose. Right now
it only knows about a few x86 variants (i386,i486,i586,i686,x86_64), two
generic ones (32,64) and sets -m32/-m64 as well as -march=<arch> accordingly.

If your system supports PCRE (Perl Compatible Regular Expressions), then you
really should build with libpcre which is between 2 and 10 times faster than
other libc implementations. Regex are used for header processing (deletion,
rewriting, allow, deny). The only inconvenient of libpcre is that it is not
yet widely spread, so if you build for other systems, you might get into
trouble if they don't have the dynamic library. In this situation, you should
statically link libpcre into haproxy so that it will not be necessary to
install it on target systems. Available build options for PCRE are :

  - USE_PCRE=1 to use libpcre, in whatever form is available on your system
    (shared or static)

  - USE_STATIC_PCRE=1 to use a static version of libpcre even if the dynamic
    one is available. This will enhance portability.

  - with no option, use your OS libc's standard regex implemntation (default).
    Warning! group references on Solaris seem broken. Use static-pcre whenever
    possible.

Recent systems can resolve IPv6 host names using getaddrinfo(). This primitive
is not present in all libcs and does not work in all of them either. Support in
glibc was broken before 2.3. Some embedded libs may not properly work either,
thus, support is disabled by default, meaning that some host names which only
resolve as IPv6 addresses will not resolve and configs might emit an error
during parsing. If you know that your OS libc has reliable support for
getaddrinfo(), you can add USE_GETADDRINFO=1 on the make command line to enable
it. This is the recommended option for most Linux distro packagers since it's
working fine on all recent mainstream distros. It is automatically enabled on
Solaris 8 and above, as it's known to work.

It is possible to add native support for SSL using the GNU makefile only, and
by passing "USE_OPENSSL=1" on the make commande line. The libssl and libcrypto
will automatically be linked with haproxy. Some systems also require libz, so
if the build fails due to missing symbols such as deflateInit(), then try again
with "ADDLIB=-lz".

It is also possible to include native support for ZLIB to benefit from HTTP
compression. For this, pass "USE_ZLIB=1" on the "make" command line and ensure
that zlib is present on the system.

By default, the DEBUG variable is set to '-g' to enable debug symbols. It is
not wise to disable it on uncommon systems, because it's often the only way to
get a complete core when you need one. Otherwise, you can set DEBUG to '-s' to
strip the binary.

For example, I use this to build for Solaris 8 :

    $ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1

And I build it this way on OpenBSD or FreeBSD :

    $ make -f Makefile.bsd REGEX=pcre DEBUG= COPTS.generic="-Os -fomit-frame-pointer -mgnu"

And on a recent Linux with SSL and ZLIB support :

    $ make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1

In order to build a 32-bit binary on an x86_64 Linux system with SSL support
without support for compression but when OpenSSL requires ZLIB anyway :

    $ make TARGET=linux26 ARCH=i386 USE_OPENSSL=1 ADDLIB=-lz

The BSD and OSX makefiles do not support build options for OpenSSL nor zlib.
Also, at least on OpenBSD, pthread_mutexattr_setpshared() does not exist so
the SSL session cache cannot be shared between multiple processes. If you want
to enable these options, you need to use GNU make with the default makefile as
follows :

    $ gmake TARGET=openbsd USE_OPENSSL=1 USE_ZLIB=1 USE_PRIVATE_CACHE=1

If you need to pass other defines, includes, libraries, etc... then please
check the Makefile to see which ones will be available in your case, and
use the USE_* variables in the GNU Makefile, or ADDINC, ADDLIB, and DEFINE
variables in the BSD makefiles.

AIX 5.3 is known to work with the generic target. However, for the binary to
also run on 5.2 or earlier, you need to build with DEFINE="-D_MSGQSUPPORT",
otherwise __fd_select() will be used while not being present in the libc.
If you get build errors because of strange symbols or section mismatches,
simply remove -g from DEBUG_CFLAGS.


2) How to install it
--------------------

To install haproxy, you can either copy the single resulting binary to the
place you want, or run :

    $ sudo make install

If you're packaging it for another system, you can specify its root directory
in the usual DESTDIR variable.


3) How to set it up
-------------------

There is some documentation in the doc/ directory :

    - architecture.txt : this is the architecture manual. It is quite old and
      does not tell about the nice new features, but it's still a good starting
      point when you know what you want but don't know how to do it.

    - configuration.txt : this is the configuration manual. It recalls a few
      essential HTTP basic concepts, and details all the configuration file
      syntax (keywords, units). It also describes the log and stats format. It
      is normally always up to date. If you see that something is missing from
      it, please report it as this is a bug.

    - haproxy-en.txt / haproxy-fr.txt : these are the old outdated docs. You
      should never need them. If you do, then please report what you didn't
      find in the other ones.

    - gpl.txt / lgpl.txt : the copy of the licenses covering the software. See
      the 'LICENSE' file at the top for more information.

    - the rest is mainly for developers.

There are also a number of nice configuration examples in the "examples"
directory as well as on several sites and articles on the net which are linked
to from the haproxy web site.


4) How to report a bug
----------------------

It is possible that from time to time you'll find a bug. A bug is a case where
what you see is not what is documented. Otherwise it can be a misdesign. If you
find that something is stupidly design, please discuss it on the list (see the
"how to contribute" section below). If you feel like you're proceeding right
and haproxy doesn't obey, then first ask yourself if it is possible that nobody
before you has even encountered this issue. If it's unlikely, the you probably
have an issue in your setup. Just in case of doubt, please consult the mailing
list archives :

                        http://marc.info/?l=haproxy

Otherwise, please try to gather the maximum amount of information to help
reproduce the issue and send that to the mailing list :

                        haproxy@formilux.org

Please include your configuration and logs. You can mask your IP addresses and
passwords, we don't need them. But it's essential that you post your config if
you want people to guess what is happening.

Also, keep in mind that haproxy is designed to NEVER CRASH. If you see it die
without any reason, then it definitely is a critical bug that must be reported
and urgently fixed. It has happened a couple of times in the past, essentially
on development versions running on new architectures. If you think your setup
is fairly common, then it is possible that the issue is totally unrelated.
Anyway, if that happens, feel free to contact me directly, as I will give you
instructions on how to collect a usable core file, and will probably ask for
other captures that you'll not want to share with the list.


5) How to contribute
--------------------

It is possible that you'll want to add a specific feature to satisfy your needs
or one of your customers'. Contributions are welcome, however I'm often very
picky about changes. I will generally reject patches that change massive parts
of the code, or that touch the core parts without any good reason if those
changes have not been discussed first.

The proper place to discuss your changes is the HAProxy Mailing List. There are
enough skilled readers to catch hazardous mistakes and to suggest improvements.
I trust a number of them enough to merge a patch if they say it's OK, so using
the list is the fastest way to get your code reviewed and merged. You can
subscribe to it by sending an empty e-mail at the following address :

                        haproxy+subscribe@formilux.org

If you have an idea about something to implement, *please* discuss it on the
list first. It has already happened several times that two persons did the same
thing simultaneously. This is a waste of time for both of them. It's also very
common to see some changes rejected because they're done in a way that will
conflict with future evolutions, or that does not leave a good feeling. It's
always unpleasant for the person who did the work, and it is unpleasant for me
too because I value people's time and efforts. That would not happen if these
were discussed first. There is no problem posting work in progress to the list,
it happens quite often in fact. Also, don't waste your time with the doc when
submitting patches for review, only add the doc with the patch you consider
ready to merge.

If your work is very confidential and you can't publicly discuss it, you can
also mail me directly about it, but your mail may be waiting several days in
the queue before you get a response.

If you'd like a feature to be added but you think you don't have the skills to
implement it yourself, you should follow these steps :

    1. discuss the feature on the mailing list. It is possible that someone
       else has already implemented it, or that someone will tell you how to
       proceed without it, or even why not to do it. It is also possible that
       in fact it's quite easy to implement and people will guide you through
       the process. That way you'll finally have YOUR patch merged, providing
       the feature YOU need.

    2. if you really can't code it yourself after discussing it, then you may
       consider contacting someone to do the job for you. Some people on the
       list might be OK with trying to do it. Otherwise, you can check the list
       of contributors at the URL below, some of the regular contributors may
       be able to do the work, probably not for free but their time is as much
       valuable as yours after all, you can't eat the cake and have it too.

The list of past and regular contributors is available below. It lists not only
significant code contributions (features, fixes), but also time or money
donations :

                        http://haproxy.1wt.eu/contrib.html

Note to contributors: it's very handy when patches comes with a properly
formated subject. There are 3 criteria of particular importance in any patch :

  - its nature (is it a fix for a bug, a new feature, an optimization, ...)
  - its importance, which generally reflects the risk of merging/not merging it
  - what area it applies to (eg: http, stats, startup, config, doc, ...)

It's important to make these 3 criteria easy to spot in the patch's subject,
because it's the first (and sometimes the only) thing which is read when
reviewing patches to find which ones need to be backported to older versions.

Specifically, bugs must be clearly easy to spot so that they're never missed.
Any patch fixing a bug must have the "BUG" tag in its subject. Most common
patch types include :

  - BUG      fix for a bug. The severity of the bug should also be indicated
             when known. Similarly, if a backport is needed to older versions,
             it should be indicated on the last line of the commit message. If
             the bug has been identified as a regression brought by a specific
             patch or version, this indication will be appreciated too. New
             maintenance releases are generally emitted when a few of these
             patches are merged.

  - CLEANUP  code cleanup, silence of warnings, etc... theorically no impact.
             These patches will rarely be seen in stable branches, though they
             may appear when they remove some annoyance or when they make
             backporting easier. By nature, a cleanup is always minor.

  - REORG    code reorganization. Some blocks may be moved to other places,
             some important checks might be swapped, etc... These changes
             always present a risk of regression. For this reason, they should
             never be mixed with any bug fix nor functional change. Code is
             only moved as-is. Indicating the risk of breakage is highly
             recommended.

  - BUILD    updates or fixes for build issues. Changes to makefiles also fall
             into this category. The risk of breakage should be indicated if
             known. It is also appreciated to indicate what platforms and/or
             configurations were tested after the change.

  - OPTIM    some code was optimised. Sometimes if the regression risk is very
             low and the gains significant, such patches may be merged in the
             stable branch. Depending on the amount of code changed or replaced
             and the level of trust the author has in the change, the risk of
             regression should be indicated.

  - RELEASE  release of a new version (development or stable).

  - LICENSE  licensing updates (may impact distro packagers).


When the patch cannot be categorized, it's best not to put any tag. This is
commonly the case for new features, which development versions are mostly made
of.

Additionally, the importance of the patch should be indicated when known. A
single upper-case word is preferred, among :

  - MINOR    minor change, very low risk of impact. It is often the case for
             code additions that don't touch live code. For a bug, it generally
             indicates an annoyance, nothing more.

  - MEDIUM   medium risk, may cause unexpected regressions of low importance or
             which may quickly be discovered. For a bug, it generally indicates
             something odd which requires changing the configuration in an
             undesired way to work around the issue.

  - MAJOR    major risk of hidden regression. This happens when I rearrange
             large parts of code, when I play with timeouts, with variable
             initializations, etc... We should only exceptionally find such
             patches in stable branches. For a bug, it indicates severe
             reliability issues for which workarounds are identified with or
             without performance impacts.

  - CRITICAL medium-term reliability or security is at risk and workarounds,
             if they exist, might not always be acceptable. An upgrade is
             absolutely required. A maintenance release may be emitted even if
             only one of these bugs are fixed. Note that this tag is only used
             with bugs. Such patches must indicate what is the first version
             affected, and if known, the commit ID which introduced the issue.

If this criterion doesn't apply, it's best not to put it. For instance, most
doc updates and most examples or test files are just added or updated without
any need to qualify a level of importance.

The area the patch applies to is quite important, because some areas are known
to be similar in older versions, suggesting a backport might be desirable, and
conversely, some areas are known to be specific to one version. When the tag is
used alone, uppercase is preferred for readability, otherwise lowercase is fine
too. The following tags are suggested but not limitative :

 - doc       documentation updates or fixes. No code is affected, no need to
             upgrade. These patches can also be sent right after a new feature,
             to document it.

 - examples  example files. Be careful, sometimes these files are packaged.

 - tests     regression test files. No code is affected, no need to upgrade.

 - init      initialization code, arguments parsing, etc...

 - config    configuration parser, mostly used when adding new config keywords

 - http      the HTTP engine

 - stats     the stats reporting engine as well as the stats socket CLI

 - checks    the health checks engine (eg: when adding new checks)

 - acl       the ACL processing core or some ACLs from other areas

 - peers     the peer synchronization engine

 - listeners everything related to incoming connection settings

 - frontend  everything related to incoming connection processing

 - backend   everything related to LB algorithms and server farm

 - session   session processing and flags (very sensible, be careful)

 - server    server connection management, queueing

 - proxy     proxy maintenance (start/stop)

 - log       log management

 - poll      any of the pollers

 - halog     the halog sub-component in the contrib directory

 - contrib   any addition to the contrib directory

Other names may be invented when more precise indications are meaningful, for
instance : "cookie" which indicates cookie processing in the HTTP core. Last,
indicating the name of the affected file is also a good way to quickly spot
changes. Many commits were already tagged with "stream_sock" or "cfgparse" for
instance.

It is desired that AT LEAST one of the 3 criteria tags is reported in the patch
subject. Ideally, we would have the 3 most often. The two first criteria should
be present before a first colon (':'). If both are present, then they should be
delimited with a slash ('/'). The 3rd criterion (area) should appear next, also
followed by a colon. Thus, all of the following messages are valid :

Examples of messages :
  - DOC: document options forwardfor to logasap
  - DOC/MAJOR: reorganize the whole document and change indenting
  - BUG: stats: connection reset counters must be plain ascii, not HTML
  - BUG/MINOR: stats: connection reset counters must be plain ascii, not HTML
  - MEDIUM: checks: support multi-packet health check responses
  - RELEASE: Released version 1.4.2
  - BUILD: stats: stdint is not present on solaris
  - OPTIM/MINOR: halog: make fgets parse more bytes by blocks
  - REORG/MEDIUM: move syscall redefinition to specific places

Please do not use square brackets anymore around the tags, because they give me
more work when merging patches. By default I'm asking Git to keep them but this
causes trouble when patches are prefixed with the [PATCH] tag because in order
not to store it, I have to hand-edit the patches. So as of now, I will ask Git
to remove whatever is located between square brackets, which implies that any
subject formatted the old way will have its tag stripped out.

In fact, one of the only square bracket tags that still makes sense is '[RFC]'
at the beginning of the subject, when you're asking for someone to review your
change before getting it merged. If the patch is OK to be merged, then I can
merge it as-is and the '[RFC]' tag will automatically be removed. If you don't
want it to be merged at all, you can simply state it in the message, or use an
alternate '[WIP]' tag ("work in progress").

The tags are not rigid, follow your intuition first, anyway I reserve the right
to change them when merging the patch. It may happen that a same patch has a
different tag in two distinct branches. The reason is that a bug in one branch
may just be a cleanup in the other one because the code cannot be triggered.


For a more efficient interaction between the mainline code and your code, I can
only strongly encourage you to try the Git version control system :

                        http://git-scm.com/

It's very fast, lightweight and lets you undo/redo your work as often as you
want, without making your mistakes visible to the rest of the world. It will
definitely help you contribute quality code and take other people's feedback
in consideration. In order to clone the HAProxy Git repository :

    $ git clone http://git.1wt.eu/git/haproxy-1.4.git    (stable 1.4)
    $ git clone http://git.1wt.eu/git/haproxy.git/       (development)

If you decide to use Git for your developments, then your commit messages will
have the subject line in the format described above, then the whole description
of your work (mainly why you did it) will be in the body. You can directly send
your commits to the mailing list, the format is convenient to read and process.

-- end