mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-12 14:35:14 +00:00
f08137c434
Released version 1.8-dev3 with the following main changes : - REORG: ssl: move defines and methodVersions table upper - MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table - MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list - MEDIUM: ssl: disable SSLv3 per default for bind - BUG/MAJOR: ssl: fix segfault on connection close using async engines. - BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine - BUG/MINOR: ssl: do not call directly the conn_fd_handler from async_fd_handler - BUG/MINOR: haproxy/cli : fix for solaris/illumos distros for CMSG* macros - BUG/MEDIUM: build without openssl broken - BUG/MINOR: warning: need_resend may be used uninitialized - BUG/MEDIUM: misplaced exit and wrong exit code - BUG/MINOR: Makefile: fix compile error with USE_LUA=1 in ubuntu16.04 - BUILD: scripts: make publish-release support bare repositories - BUILD: scripts: add an automatic mode for publish-release - BUILD: scripts: add a "quiet" mode to publish-release - BUG/MAJOR: http: call manage_client_side_cookies() before erasing the buffer - BUG/MINOR: buffers: Fix bi/bo_contig_space to handle full buffers - CONTRIB: plug qdiscs: Plug queuing disciplines mini HOWTO. - BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map - BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0 - BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING - BUG/MEDIUM: peers: Peers CLOSE_WAIT issue. - BUG/MAJOR: server: Segfault after parsing server state file. - BUG/MEDIUM: unix: never unlink a unix socket from the file system - scripts: create-release pass -n to tail - SCRIPTS: create-release: enforce GIT_COMMITTER_{NAME|EMAIL} validity - BUG/MEDIUM: fix segfault when no argument to -x option - MINOR: warning on multiple -x - MINOR: mworker: don't copy -x argument anymore in copy_argv() - BUG/MEDIUM: mworker: don't reuse PIDs passed to the master - BUG/MINOR: Wrong peer task expiration handling during synchronization processing. - BUG/MINOR: cfgparse: Check if tune.http.maxhdr is in the range 1..32767 - BUG/MINOR: log: pin the front connection when front ip/ports are logged - DOC: fix references to the section about the unix socket - BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue - MAJOR: task: task scheduler rework. - MINOR: task/stream: tasks related to a stream must be init by the caller. - MINOR: queue: Change pendconn_get_next_strm into private function - MINOR: backends: Change get_server_sh/get_server_uh into private function - MINOR: queue: Change pendconn_from_srv/pendconn_from_px into private functions - MEDIUM: stream: make stream_new() always set the target and analysers - MINOR: frontend: initialize HTTP layer after the debugging code - MINOR: connection: add a .get_alpn() method to xprt_ops - MINOR: ssl: add a get_alpn() method to ssl_sock - MINOR: frontend: retrieve the ALPN name when available - MINOR: frontend: report the connection's ALPN in the debug output - MINOR: stream: don't set backend's nor response analysers on SF_TUNNEL - MINOR: connection: send data before receiving - MAJOR: applet: applet scheduler rework. - BUG/MAJOR: frontend: don't dereference a null conn on outgoing connections - BUG/MAJOR: cli: fix custom io_release was crushed by NULL. - BUG/MAJOR: map: fix segfault during 'show map/acl' on cli. - BUG/MAJOR: compression: Be sure to release the compression state in all cases - MINOR: compression: Use a memory pool to allocate compression states - BUG/MAJOR: applet: fix a freeze if data is immedately forwarded. - DOC: fix references to the section about time format. - BUG/MEDIUM: map/acl: fix unwanted flags inheritance. - BUG/MAJOR: http: fix buffer overflow on loguri buffer. - MINOR: ssl: compare server certificate names to the SNI on outgoing connections - BUG/MINOR: stream: Don't forget to remove CF_WAKE_ONCE flag on response channel - BUG/MINOR: http: Don't reset the transaction if there are still data to send - BUG/MEDIUM: filters: Be sure to call flt_end_analyze for both channels - MINOR: peers: Add additional information to stick-table definition messages. - BUG/MINOR: http: properly handle all 1xx informational responses - OPTIM: ssl: don't consider a small ssl_read() as an indication of end of buffer - BUG/MINOR: peers: peer synchronization issue (with several peers sections). - CLEANUP: hdr_idx: make some function arguments const where possible - BUG/MINOR: Prevent a use-after-free on error scenario on option "-x". - BUG/MINOR: lua: In error case, the safe mode is not removed - BUG/MINOR: lua: executes the function destroying the Lua session in safe mode - BUG/MAJOR: lua/socket: resources not detroyed when the socket is aborted - BUG/MEDIUM: lua: bad memory access - BUG/MINOR: Lua: variable already initialized - DOC: update CONTRIBUTING regarding optional parts and message format - DOC: update the list of OpenSSL versions in the README - BUG/MINOR: http: Set the response error state in http_sync_res_state - MINOR: http: Reorder/rewrite checks in http_resync_states - MINOR: http: Switch requests/responses in TUNNEL mode only by checking txn flags - BUG/MEDIUM: http: Switch HTTP responses in TUNNEL mode when body length is undefined - MINOR: http: Rely on analyzers mask to end processing in forward_body functions - BUG/MINOR: http: Fix bug introduced in previous patch in http_resync_states - BUG/MINOR: contrib/modsecurity: BSD build fix - BUG/MINOR: contrib/mod_defender: build fix - BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib have no SSLv3 - MINOR: ssl: remove an unecessary SSL_OP_NO_* dependancy - BUILD: ssl: fix compatibility with openssl without TLSEXT_signature_* - MINOR: tools: add a portable timegm() alternative - BUILD: lua: replace timegm() with my_timegm() to fix build on Solaris 10 - DOC: Updated 51Degrees git URL to point to a stable version. - BUG/MAJOR: http: Fix possible infinity loop in http_sync_(req|res)_state - MINOR: memory: remove macros - BUG/MINOR: lua: Fix Server.get_addr() port values - BUG/MINOR: lua: Correctly use INET6_ADDRSTRLEN in Server.get_addr() - MINOR: samples: Handle the type SMP_T_METH when we duplicate a sample in smp_dup - MINOR: samples: Handle the type SMP_T_METH in smp_is_safe and smp_is_rw - MINOR: samples: Don't allocate memory for SMP_T_METH sample when method is known - BUG/MINOR: lua: always detach the tcp/http tasks before freeing them - MINOR: task: always preinitialize the task's timeout in task_init() - CLEANUP: task: remove all initializations to TICK_ETERNITY after task_new() - BUG/MAJOR: lua: properly dequeue hlua_applet_wakeup() for new scheduler - MINOR: lua: Add proxy as member of proxy object. - DOC: lua: Proxy class doc update - MINOR: lua: Add lists of frontends and backends - BUG/MINOR: ssl: Fix check against SNI during server certificate verification - BUG/MINOR: ssl: make use of the name in SNI before verifyhost - MINOR: ssl: add a new error codes for wrong server certificates - BUG/MEDIUM: stream: don't retry SSL connections which fail the SNI name check - MINOR: ssl: add "no-ca-names" parameter for bind - BUG/MINOR: lua: Fix bitwise logic for hlua_server_check_* functions. - DOC: fix alphabetical order of "show commands" in management.txt - MINOR: listener: add a function to return a listener's state as a string - MINOR: cli: add a new "show fd" command - BUG/MEDIUM: ssl: Fix regression about certificates generation - MINOR: Add server port field to server state file. - MINOR: ssl: allow to start without certificate if strict-sni is set - MINOR: dns: Cache previous DNS answers. - MINOR: obj: Add a new type of object, OBJ_TYPE_SRVRQ. - Add a few functions to do unaligned access. - MINOR: dns: Handle SRV records. - MINOR: check: Fix checks when using SRV records. - MINOR: doc: Document SRV label usage. - BUILD/MINOR: cli: shut a minor gcc warning in "show fd" - BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2 - BUILD/MINOR: build without openssl still broken - BUG/MAJOR: stream: in stream_free(), close the front endpoint and not the origin - CLEANUP: raw_sock: Use a better name for the constructor than __ssl_sock_deinit() - MINOR: init: Fix CPU affinity setting on FreeBSD. - MINOR: dns: Update analysis of TRUNCATED response for SRV records - MINOR: dns: update record dname matching for SRV query types - MINOR: dns: update dns response buffer reading pointer due to SRV record - MINOR: dns: duplicate entries in resolution wait queue for SRV records - MINOR: dns: make debugging function dump_dns_config() compatible with SRV records - MINOR: dns: ability to use a SRV resolution for multiple backends - MINOR: dns: enable caching of responses for server set by a SRV record - MINOR: dns: new dns record type (RTYPE) for OPT - MINOR: dns: enabled edns0 extension and make accpeted payload size tunable - MINOR: dns: default "hold obsolete" timeout set to 0 - MINOR: chunks: add chunk_memcpy() and chunk_memcat() - MINOR: session: add a streams field to the session struct - MINOR: stream: link the stream to its session - MEDIUM: session: do not free a session until no stream references it - MINOR: ist: implement very simple indirect strings - TESTS: ist: add a test file for the functions - MINOR: http: export some of the HTTP parser macros - BUG/MINOR: Wrong type used as argument for spoe_decode_buffer(). - BUG/MINOR: dns: server set by SRV records stay in "no resolution" status - MINOR: dns: Maximum DNS udp payload set to 8192 - MINOR: dns: automatic reduction of DNS accpeted payload size - MINOR: dns: make SRV record processing more verbose - CLEANUP: dns: remove duplicated code in dns_resolve_recv() - CLEANUP: dns: remove duplicated code in dns_validate_dns_response() - BUG/MINOR: dns: wrong resolution interval lead to 100% CPU - BUG/MEDIUM: dns: fix accepted_payload_size parser to avoid integer overflow - BUG/MAJOR: lua: fix the impact of the scheduler changes again - BUG/MEDIUM: lua: HTTP services must take care of body-less status codes - MINOR: lua: properly process the contents of the content-length field - BUG/MEDIUM: stream: properly set the required HTTP analysers on use-service - OPTIM: lua: don't use expensive functions to parse headers in the HTTP applet - OPTIM: lua: don't add "Connection: close" on the response - REORG/MEDIUM: connection: introduce the notion of connection handle - BUG/MINOR: stream-int: don't check the CO_FL_CURR_WR_ENA flag - MEDIUM: connection: get rid of data->init() which was not for data - MEDIUM: stream: make stream_new() allocate its own task - CLEANUP: listener: remove the unused handler field - MEDIUM: session: add a pointer to a struct task in the session - MINOR: stream: provide a new stream creation function for connections - MEDIUM: connection: remove useless flag CO_FL_DATA_RD_SH - CLEANUP: connection: remove the unused conn_sock_shutw_pending() - MEDIUM: connection: remove useless flag CO_FL_DATA_WR_SH - DOC: add CLI info on privilege levels - DOC: Refer to Mozilla TLS info / config generator - MINOR: ssl: remove duplicate ssl_methods in struct bind_conf - BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode - DOC: Add note about "* " prefix in CSV stats - CLEANUP: memory: Remove unused function pool_destroy - MINOR: listeners: Change listener_full and limit_listener into private functions - MINOR: listeners: Change enable_listener and disable_listener into private functions - MINOR: fd: Don't forget to reset fdtab[fd].update when a fd is added/removed - MINOR: fd: Set owner and iocb field before inserting a new fd in the fdtab - MINOR: backends: Make get_server_* functions explicitly static - MINOR: applet: Check applets_active_queue before processing applets queue - MINOR: chunks: Use dedicated function to init/deinit trash buffers - MEDIUM: chunks: Realloc trash buffers only after the config is parsed and checked - MINOR: logs: Use dedicated function to init/deinit log buffers - MINOR: logs: Realloc log buffers only after the config is parsed and checked - MINOR: buffers: Move swap_buffer into buffer.c and add deinit_buffer function - MINOR: stick-tables: Make static_table_key a struct variable instead of a pointer - MINOR: http: Use a trash chunk to store decoded string of the HTTP auth header - MINOR: fd: Add fd_active function - MINOR: fd: Use inlined functions to check fd state in fd_*_send/recv functions - MINOR: fd: Move (de)allocation of fdtab and fdinfo in (de)init_pollers - MINOR: freq_ctr: Return the new value after an update - MEDIUM: check: server states and weight propagation re-work - BUG/MEDIUM: epoll: ensure we always consider HUP and ERR - MINOR: fd: Add fd_update_events function - MINOR: polling: Use fd_update_events to update events seen for a fd - BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file - Revert "BUG/MINOR: server: Remove FQDN requirement for using init-addr and state file" - MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use - BUG/MEDIUM: http: Close streams for connections closed before a redirect - BUG/MINOR: Lua: The socket may be destroyed when we try to access. - MINOR: xref: Add a new xref system - MEDIUM: xref/lua: Use xref for referencing cosocket relation between stream and lua - MINOR: tasks: Move Lua notification from Lua to tasks - MINOR: net_helper: Inline functions meant to be inlined. - MINOR: cli: add socket commands and config to prepend informational messages with severity - MINOR: add severity information to cli feedback messages - BUILD: Makefile: add a function to detect support by the compiler of certain options - BUILD: Makefile: shut certain gcc/clang stupid warnings - BUILD: Makefile: improve detection of support for compiler warnings - MINOR: peers: don't reference the incoming listener on outgoing connections - MINOR: frontend: don't retrieve ALPN on the critical path - MINOR: protocols: always pass a "port" argument to the listener creation - MINOR: protocols: register the ->add function and stop calling them directly - MINOR: unix: remove the now unused proto_uxst.h file - MINOR: listeners: new function create_listeners - MINOR: listeners: make listeners count consistent with reality - MEDIUM: session: take care of incrementing/decrementing jobs - MINOR: listener: new function listener_release - MINOR: session: small cleanup of conn_complete_session() - MEDIUM: session: factor out duplicated code for conn_complete_session - MEDIUM: session: count the frontend's connections at a single place - BUG/MEDIUM: compression: Fix check on txn in smp_fetch_res_comp_algo - BUG/MINOR: compression: Check response headers before http-response rules eval - BUG/MINOR: spoe: Don't rely on SPOE ctx in debug message when its creation failed - BUG/MINOR: dns: Fix check on nameserver in snr_resolution_cb - MINOR: ssl: Remove useless checks on bind_conf or bind_conf->is_ssl - BUG/MINOR: contrib/mod_defender: close the va_list argp before return - BUG/MINOR: contrib/modsecurity: close the va_list ap before return - MINOR: tools: make my_htonll() more efficient on x86_64 - MINOR: buffer: add b_del() to delete a number of characters - MINOR: buffer: add b_end() and b_to_end() - MINOR: net_helper: add functions to read from vectors - MINOR: net_helper: add write functions - MINOR: net_helper: add 64-bit read/write functions - MINOR: connection: adjust CO_FL_NOTIFY_DATA after removal of flags - MINOR: ist: add a macro to ease const array initialization - BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server - BUG/MEDIUM: server: unwanted behavior leaving maintenance mode on tracked stopping server (take2) - BUG/MINOR: log: fixing small memory leak in error code path. - BUG/MINOR: contrib/halog: fixing small memory leak - BUG/MEDIUM: tcp/http: set-dst-port action broken - CLEANUUP: checks: don't set conn->handle.fd to -1 - BUG/MEDIUM: tcp-check: properly indicate polling state before performing I/O - BUG/MINOR: tcp-check: don't quit with pending data in the send buffer - BUG/MEDIUM: tcp-check: don't call tcpcheck_main() from the I/O handlers! - BUG/MINOR: unix: properly check for octal digits in the "mode" argument - MINOR: checks: make chk_report_conn_err() take a check, not a connection - CLEANUP: checks: remove misleading comments and statuses for external process - CLEANUP: checks: don't report report the fork() error twice - CLEANUP: checks: do not allocate a connection for process checks - TESTS: checks: add a simple test config for external checks - BUG/MINOR: tcp-check: don't initialize then break a connection starting with a comment - TESTS: checks: add a simple test config for tcp-checks - MINOR: tcp-check: make tcpcheck_main() take a check, not a connection - MINOR: checks: don't create then kill a dummy connection before tcp-checks - MEDIUM: checks: make tcpcheck_main() indicate if it recycled a connection - MEDIUM: checks: do not allocate a permanent connection anymore - BUG/MEDIUM: cli: fix "show fd" crash when dumping closed FDs - BUG/MEDIUM: http: Return an error when url_dec sample converter failed - BUG/MAJOR: stream-int: don't re-arm recv if send fails - BUILD/MINOR: 51d: fix warning when building with 51Degrees release version 3.2.12.12 - DOC: 51d: add 51Degrees git URL that points to release version 3.2.12.12 - DOC: 51d: Updated git URL and instructions for getting Hash Trie data files. - MINOR: compiler: restore the likely() wrapper for gcc 5.x - MINOR: session: remove the list of streams from struct session - DOC: fix some typos - MINOR: server: add the srv_queue() sample fetch method - MINOR: payload: add new sample fetch functions to process distcc protocol - MAJOR: servers: propagate server status changes asynchronously. - BUG/MEDIUM: ssl: fix OCSP expiry calculation - BUG/MINOR: stream-int: don't set MSG_MORE on SHUTW_NOW without AUTO_CLOSE - MINOR: server: Handle weight increase in consistent hash. - MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks. - BUG/MINOR: tools: fix my_htonll() on x86_64 - BUG/MINOR: stats: Clear a bit more counters with in cli_parse_clear_counters(). - BUG/MAJOR: lua: scheduled task is freezing. - MINOR: buffer: add bo_del() to delete a number of characters from output - MINOR: buffer: add a function to match against string patterns - MINOR: buffer: add two functions to inject data into buffers - MINOR: buffer: add buffer_space_wraps() - REORG: channel: finally rename the last bi_* / bo_* functions - MINOR: buffer: add bo_getblk() and bo_getblk_nc() - MINOR: channel: make use of bo_getblk{,_nc} for their channel equivalents - MINOR: channel: make the channel be a const in all {ci,co}_get* functions - MINOR: ist: add ist0() to add a trailing zero to a string. - BUG/MEDIUM: log: check result details truncated. - MINOR: buffer: make bo_getblk_nc() not return 2 for a full buffer - REORG: http: move some very http1-specific parts to h1.{c,h} - REORG: http: move the HTTP/1 chunk parser to h1.{c,h} - REORG: http: move the HTTP/1 header block parser to h1.c - MEDIUM: http: make the chunk size parser only depend on the buffer - MEDIUM: http: make the chunk crlf parser only depend on the buffer - MINOR: h1: add struct h1m for basic HTTP/1 messages - MINOR: http: add very simple header management based on double strings - MEDIUM: h1: reimplement the http/1 response parser for the gateway - REORG: connection: rename CO_FL_DATA_* -> CO_FL_XPRT_* - MEDIUM: connection: make conn_sock_shutw() aware of lingering - MINOR: connection: ensure conn_ctrl_close() also resets the fd - MINOR: connection: add conn_stop_tracking() to disable tracking - MINOR: tcp: use conn_full_close() instead of conn_force_close() - MINOR: unix: use conn_full_close() instead of conn_force_close() - MINOR: checks: use conn_full_close() instead of conn_force_close() - MINOR: session: use conn_full_close() instead of conn_force_close() - MINOR: stream: use conn_full_close() instead of conn_force_close() - MINOR: stream: use conn_full_close() instead of conn_force_close() - MINOR: backend: use conn_full_close() instead of conn_force_close() - MINOR: stream-int: use conn_full_close() instead of conn_force_close() - MINOR: connection: remove conn_force_close() - BUG/MINOR: ssl: ocsp response with 'revoked' status is correct
329 lines
15 KiB
Plaintext
329 lines
15 KiB
Plaintext
----------------------
|
||
HAProxy how-to
|
||
----------------------
|
||
version 1.8
|
||
willy tarreau
|
||
2017/10/22
|
||
|
||
|
||
1) How to build it
|
||
------------------
|
||
|
||
This is a development version, so it is expected to break from time to time,
|
||
to add and remove features without prior notification and it should not be used
|
||
in production. If you are not used to build from sources or if you are not used
|
||
to follow updates then it is recommended that instead you use the packages provided
|
||
by your software vendor or Linux distribution. Most of them are taking this task
|
||
seriously and are doing a good job at backporting important fixes. If for any
|
||
reason you'd prefer a different version than the one packaged for your system,
|
||
you want to be certain to have all the fixes or to get some commercial support,
|
||
other choices are available at :
|
||
|
||
http://www.haproxy.com/
|
||
|
||
To build haproxy, you will need :
|
||
- GNU make. Neither Solaris nor OpenBSD's make work with the GNU Makefile.
|
||
If you get many syntax errors when running "make", you may want to retry
|
||
with "gmake" which is the name commonly used for GNU make on BSD systems.
|
||
- GCC between 2.95 and 4.8. Others may work, but not tested.
|
||
- GNU ld
|
||
|
||
Also, you might want to build with libpcre support, which will provide a very
|
||
efficient regex implementation and will also fix some badness on Solaris' one.
|
||
|
||
To build haproxy, you have to choose your target OS amongst the following ones
|
||
and assign it to the TARGET variable :
|
||
|
||
- linux22 for Linux 2.2
|
||
- linux24 for Linux 2.4 and above (default)
|
||
- linux24e for Linux 2.4 with support for a working epoll (> 0.21)
|
||
- linux26 for Linux 2.6 and above
|
||
- linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy)
|
||
- solaris for Solaris 8 or 10 (others untested)
|
||
- freebsd for FreeBSD 5 to 10 (others untested)
|
||
- netbsd for NetBSD
|
||
- osx for Mac OS/X
|
||
- openbsd for OpenBSD 5.7 and above
|
||
- aix51 for AIX 5.1
|
||
- aix52 for AIX 5.2
|
||
- cygwin for Cygwin
|
||
- haiku for Haiku
|
||
- generic for any other OS or version.
|
||
- custom to manually adjust every setting
|
||
|
||
You may also choose your CPU to benefit from some optimizations. This is
|
||
particularly important on UltraSparc machines. For this, you can assign
|
||
one of the following choices to the CPU variable :
|
||
|
||
- i686 for intel PentiumPro, Pentium 2 and above, AMD Athlon
|
||
- i586 for intel Pentium, AMD K6, VIA C3.
|
||
- ultrasparc : Sun UltraSparc I/II/III/IV processor
|
||
- native : use the build machine's specific processor optimizations. Use with
|
||
extreme care, and never in virtualized environments (known to break).
|
||
- generic : any other processor or no CPU-specific optimization. (default)
|
||
|
||
Alternatively, you may just set the CPU_CFLAGS value to the optimal GCC options
|
||
for your platform.
|
||
|
||
You may want to build specific target binaries which do not match your native
|
||
compiler's target. This is particularly true on 64-bit systems when you want
|
||
to build a 32-bit binary. Use the ARCH variable for this purpose. Right now
|
||
it only knows about a few x86 variants (i386,i486,i586,i686,x86_64), two
|
||
generic ones (32,64) and sets -m32/-m64 as well as -march=<arch> accordingly.
|
||
|
||
If your system supports PCRE (Perl Compatible Regular Expressions), then you
|
||
really should build with libpcre which is between 2 and 10 times faster than
|
||
other libc implementations. Regex are used for header processing (deletion,
|
||
rewriting, allow, deny). The only inconvenient of libpcre is that it is not
|
||
yet widely spread, so if you build for other systems, you might get into
|
||
trouble if they don't have the dynamic library. In this situation, you should
|
||
statically link libpcre into haproxy so that it will not be necessary to
|
||
install it on target systems. Available build options for PCRE are :
|
||
|
||
- USE_PCRE=1 to use libpcre, in whatever form is available on your system
|
||
(shared or static)
|
||
|
||
- USE_STATIC_PCRE=1 to use a static version of libpcre even if the dynamic
|
||
one is available. This will enhance portability.
|
||
|
||
- with no option, use your OS libc's standard regex implementation (default).
|
||
Warning! group references on Solaris seem broken. Use static-pcre whenever
|
||
possible.
|
||
|
||
If your system doesn't provide PCRE, you are encouraged to download it from
|
||
http://www.pcre.org/ and build it yourself, it's fast and easy.
|
||
|
||
Recent systems can resolve IPv6 host names using getaddrinfo(). This primitive
|
||
is not present in all libcs and does not work in all of them either. Support in
|
||
glibc was broken before 2.3. Some embedded libs may not properly work either,
|
||
thus, support is disabled by default, meaning that some host names which only
|
||
resolve as IPv6 addresses will not resolve and configs might emit an error
|
||
during parsing. If you know that your OS libc has reliable support for
|
||
getaddrinfo(), you can add USE_GETADDRINFO=1 on the make command line to enable
|
||
it. This is the recommended option for most Linux distro packagers since it's
|
||
working fine on all recent mainstream distros. It is automatically enabled on
|
||
Solaris 8 and above, as it's known to work.
|
||
|
||
It is possible to add native support for SSL using the GNU makefile, by passing
|
||
"USE_OPENSSL=1" on the make command line. The libssl and libcrypto will
|
||
automatically be linked with haproxy. Some systems also require libz, so if the
|
||
build fails due to missing symbols such as deflateInit(), then try again with
|
||
"ADDLIB=-lz".
|
||
|
||
Your are strongly encouraged to always use an up-to-date version of OpenSSL, as
|
||
found on https://www.openssl.org/ as vulnerabilities are occasionally found and
|
||
you don't want them on your systems. HAProxy is known to build correctly on all
|
||
currently supported branches (0.9.8, 1.0.0, 1.0.1, 1.0.2 and 1.1.0 at the time
|
||
of writing). Branch 1.0.2 is currently recommended for the best combination of
|
||
features and stability. Asynchronous engines require OpenSSL 1.1.0 though. It's
|
||
worth mentionning that some OpenSSL derivatives are also reported to work but
|
||
may occasionally break. Patches to fix them are welcome but please read the
|
||
CONTRIBUTING file first.
|
||
|
||
To link OpenSSL statically against haproxy, build OpenSSL with the no-shared
|
||
keyword and install it to a local directory, so your system is not affected :
|
||
|
||
$ export STATICLIBSSL=/tmp/staticlibssl
|
||
$ ./config --prefix=$STATICLIBSSL no-shared
|
||
$ make && make install_sw
|
||
|
||
When building haproxy, pass that path via SSL_INC and SSL_LIB to make and
|
||
include additional libs with ADDLIB if needed (in this case for example libdl):
|
||
|
||
$ make TARGET=linux26 USE_OPENSSL=1 SSL_INC=$STATICLIBSSL/include SSL_LIB=$STATICLIBSSL/lib ADDLIB=-ldl
|
||
|
||
It is also possible to include native support for zlib to benefit from HTTP
|
||
compression. For this, pass "USE_ZLIB=1" on the "make" command line and ensure
|
||
that zlib is present on the system. Alternatively it is possible to use libslz
|
||
for a faster, memory less, but slightly less efficient compression, by passing
|
||
"USE_SLZ=1".
|
||
|
||
Zlib is commonly found on most systems, otherwise updates can be retrieved from
|
||
http://www.zlib.net/. It is easy and fast to build. Libslz can be downloaded
|
||
from http://1wt.eu/projects/libslz/ and is even easier to build.
|
||
|
||
By default, the DEBUG variable is set to '-g' to enable debug symbols. It is
|
||
not wise to disable it on uncommon systems, because it's often the only way to
|
||
get a complete core when you need one. Otherwise, you can set DEBUG to '-s' to
|
||
strip the binary.
|
||
|
||
For example, I use this to build for Solaris 8 :
|
||
|
||
$ make TARGET=solaris CPU=ultrasparc USE_STATIC_PCRE=1
|
||
|
||
And I build it this way on OpenBSD or FreeBSD :
|
||
|
||
$ gmake TARGET=freebsd USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
|
||
|
||
And on a classic Linux with SSL and ZLIB support (eg: Red Hat 5.x) :
|
||
|
||
$ make TARGET=linux26 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
|
||
|
||
And on a recent Linux >= 2.6.28 with SSL and ZLIB support :
|
||
|
||
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
|
||
|
||
In order to build a 32-bit binary on an x86_64 Linux system with SSL support
|
||
without support for compression but when OpenSSL requires ZLIB anyway :
|
||
|
||
$ make TARGET=linux26 ARCH=i386 USE_OPENSSL=1 ADDLIB=-lz
|
||
|
||
The SSL stack supports session cache synchronization between all running
|
||
processes. This involves some atomic operations and synchronization operations
|
||
which come in multiple flavors depending on the system and architecture :
|
||
|
||
Atomic operations :
|
||
- internal assembler versions for x86/x86_64 architectures
|
||
|
||
- gcc builtins for other architectures. Some architectures might not
|
||
be fully supported or might require a more recent version of gcc.
|
||
If your architecture is not supported, you willy have to either use
|
||
pthread if supported, or to disable the shared cache.
|
||
|
||
- pthread (posix threads). Pthreads are very common but inter-process
|
||
support is not that common, and some older operating systems did not
|
||
report an error when enabling multi-process mode, so they used to
|
||
silently fail, possibly causing crashes. Linux's implementation is
|
||
fine. OpenBSD doesn't support them and doesn't build. FreeBSD 9 builds
|
||
and reports an error at runtime, while certain older versions might
|
||
silently fail. Pthreads are enabled using USE_PTHREAD_PSHARED=1.
|
||
|
||
Synchronization operations :
|
||
- internal spinlock : this mode is OS-independant, light but will not
|
||
scale well to many processes. However, accesses to the session cache
|
||
are rare enough that this mode could certainly always be used. This
|
||
is the default mode.
|
||
|
||
- Futexes, which are Linux-specific highly scalable light weight mutexes
|
||
implemented in user-space with some limited assistance from the kernel.
|
||
This is the default on Linux 2.6 and above and is enabled by passing
|
||
USE_FUTEX=1
|
||
|
||
- pthread (posix threads). See above.
|
||
|
||
If none of these mechanisms is supported by your platform, you may need to
|
||
build with USE_PRIVATE_CACHE=1 to totally disable SSL cache sharing. Then
|
||
it is better not to run SSL on multiple processes.
|
||
|
||
If you need to pass other defines, includes, libraries, etc... then please
|
||
check the Makefile to see which ones will be available in your case, and
|
||
use the USE_* variables in the Makefile.
|
||
|
||
AIX 5.3 is known to work with the generic target. However, for the binary to
|
||
also run on 5.2 or earlier, you need to build with DEFINE="-D_MSGQSUPPORT",
|
||
otherwise __fd_select() will be used while not being present in the libc, but
|
||
this is easily addressed using the "aix52" target. If you get build errors
|
||
because of strange symbols or section mismatches, simply remove -g from
|
||
DEBUG_CFLAGS.
|
||
|
||
You can easily define your own target with the GNU Makefile. Unknown targets
|
||
are processed with no default option except USE_POLL=default. So you can very
|
||
well use that property to define your own set of options. USE_POLL can even be
|
||
disabled by setting USE_POLL="". For example :
|
||
|
||
$ gmake TARGET=tiny USE_POLL="" TARGET_CFLAGS=-fomit-frame-pointer
|
||
|
||
|
||
1.1) Device Detection
|
||
---------------------
|
||
|
||
HAProxy supports several device detection modules relying on third party
|
||
products. Some of them may provide free code, others free libs, others free
|
||
evaluation licenses. Please read about their respective details in the
|
||
following files :
|
||
|
||
doc/DeviceAtlas-device-detection.txt for DeviceAtlas
|
||
doc/51Degrees-device-detection.txt for 51Degrees
|
||
doc/WURFL-device-detection.txt for Scientiamobile WURFL
|
||
|
||
|
||
2) How to install it
|
||
--------------------
|
||
|
||
To install haproxy, you can either copy the single resulting binary to the
|
||
place you want, or run :
|
||
|
||
$ sudo make install
|
||
|
||
If you're packaging it for another system, you can specify its root directory
|
||
in the usual DESTDIR variable.
|
||
|
||
|
||
3) How to set it up
|
||
-------------------
|
||
|
||
There is some documentation in the doc/ directory :
|
||
|
||
- intro.txt : this is an introduction to haproxy, it explains what it is
|
||
what it is not. Useful for beginners or to re-discover it when planning
|
||
for an upgrade.
|
||
|
||
- architecture.txt : this is the architecture manual. It is quite old and
|
||
does not tell about the nice new features, but it's still a good starting
|
||
point when you know what you want but don't know how to do it.
|
||
|
||
- configuration.txt : this is the configuration manual. It recalls a few
|
||
essential HTTP basic concepts, and details all the configuration file
|
||
syntax (keywords, units). It also describes the log and stats format. It
|
||
is normally always up to date. If you see that something is missing from
|
||
it, please report it as this is a bug. Please note that this file is
|
||
huge and that it's generally more convenient to review Cyril Bont<6E>'s
|
||
HTML translation online here :
|
||
|
||
http://cbonte.github.io/haproxy-dconv/configuration-1.6.html
|
||
|
||
- management.txt : it explains how to start haproxy, how to manage it at
|
||
runtime, how to manage it on multiple nodes, how to proceed with seamless
|
||
upgrades.
|
||
|
||
- gpl.txt / lgpl.txt : the copy of the licenses covering the software. See
|
||
the 'LICENSE' file at the top for more information.
|
||
|
||
- the rest is mainly for developers.
|
||
|
||
There are also a number of nice configuration examples in the "examples"
|
||
directory as well as on several sites and articles on the net which are linked
|
||
to from the haproxy web site.
|
||
|
||
|
||
4) How to report a bug
|
||
----------------------
|
||
|
||
It is possible that from time to time you'll find a bug. A bug is a case where
|
||
what you see is not what is documented. Otherwise it can be a misdesign. If you
|
||
find that something is stupidly design, please discuss it on the list (see the
|
||
"how to contribute" section below). If you feel like you're proceeding right
|
||
and haproxy doesn't obey, then first ask yourself if it is possible that nobody
|
||
before you has even encountered this issue. If it's unlikely, the you probably
|
||
have an issue in your setup. Just in case of doubt, please consult the mailing
|
||
list archives :
|
||
|
||
http://marc.info/?l=haproxy
|
||
|
||
Otherwise, please try to gather the maximum amount of information to help
|
||
reproduce the issue and send that to the mailing list :
|
||
|
||
haproxy@formilux.org
|
||
|
||
Please include your configuration and logs. You can mask your IP addresses and
|
||
passwords, we don't need them. But it's essential that you post your config if
|
||
you want people to guess what is happening.
|
||
|
||
Also, keep in mind that haproxy is designed to NEVER CRASH. If you see it die
|
||
without any reason, then it definitely is a critical bug that must be reported
|
||
and urgently fixed. It has happened a couple of times in the past, essentially
|
||
on development versions running on new architectures. If you think your setup
|
||
is fairly common, then it is possible that the issue is totally unrelated.
|
||
Anyway, if that happens, feel free to contact me directly, as I will give you
|
||
instructions on how to collect a usable core file, and will probably ask for
|
||
other captures that you'll not want to share with the list.
|
||
|
||
|
||
5) How to contribute
|
||
--------------------
|
||
|
||
Please carefully read the CONTRIBUTING file that comes with the sources. It is
|
||
mandatory.
|
||
|
||
-- end
|