konevsa/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[RELEASE] Released version 1.3.12 with the following main changes :

Browse Source 
- acl: smarter integer comparison support in ACLs
    - acl: specify the direction during fetches
    - acl: provide the argument length for fetch functions
    - acl: provide a reference to the expr to fetch()
    - acl: implement matching on header values
    - acl: support maching on 'path' component
    - acl: permit to return any header when no name specified
    - errorfile: use a local file to feed error messages
    - negation in ACL conds was not cleared between terms
    - fix segfault at exit when using captures
    - improve memory freeing upon exit
    - acl: support '-i' to ignore case when matching
    - str2net() must not change the const char *
    - provide default ACLs
    - acl: distinguish between request and response headers
    - added the 'use_backend' keyword for full content-switching
    - acl: added the TRUE and FALSE ACLs.
    - shut warnings 'is*' macros from ctype.h on solaris
This commit is contained in:
Willy Tarreau 2007-06-17 23:41:40 +02:00
parent 8f8e645066
commit b21152be7a
8 changed files with 163 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CHANGELOG
View File

@ -1,6 +1,25 @@
ChangeLog :
===========
2007/06/17 : 1.3.12
- fix segfault at exit when using captures
- bug: negation in ACL conds was not cleared between terms
- errorfile: use a local file to feed error messages
- acl: support '-i' to ignore case when matching
- acl: smarter integer comparison with operators eq,lt,gt,le,ge
- acl: support maching on 'path' component
- acl: implement matching on header values
- acl: distinguish between request and response headers
- acl: permit to return any header when no name specified
- acl: provide default ACLs
- added the 'use_backend' keyword for full content-switching
- acl: specify the direction during fetches
- acl: provide the argument length for fetch functions
- acl: provide a reference to the expr to fetch()
- improve memory freeing upon exit
- str2net() must not change the const char *
- shut warnings 'is*' macros from ctype.h on solaris
2007/06/03 : 1.3.11.4
- do not re-arm read timeout in SHUTR state !
- optimize I/O by detecting system starvation

4
Makefile
View File

@ -120,9 +120,9 @@ VERDATE := $(shell date +%Y/%m/%d -d "`git-log HEAD^.. 2>/dev/null | grep -m 1 ^
else
# Otherwise, use the hard-coded version of last tag, number of changes
# since last tag, and release date.
VERSION := 1.3.11.4
VERSION := 1.3.12
SUBVERS :=
VERDATE := 2007/06/03
VERDATE := 2007/06/17
endif
#### build options

2
Makefile.bsd
View File

@ -2,7 +2,7 @@
# You should use it this way :
# make TARGET=os CPU=cpu
VERSION := 1.3.11.4
VERSION := 1.3.12
# Select target OS. TARGET must match a system for which COPTS and LIBS are
# correctly defined below.

2
Makefile.osx
View File

@ -2,7 +2,7 @@
# You should use it this way :
# make TARGET=os CPU=cpu
VERSION := 1.3.11.4
VERSION := 1.3.12
# Select target OS. TARGET must match a system for which COPTS and LIBS are
# correctly defined below.

130
examples/acl-content-sw.cfg Normal file
View File

@ -0,0 +1,130 @@
# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.
global
log loghost local0
log localhost local0 err
maxconn 250
uid 71
gid 71
chroot /var/empty
pidfile /var/run/haproxy.pid
daemon
quiet
frontend http-in
bind :80
mode http
log global
clitimeout 30000
option httplog
option dontlognull
#option logasap
option httpclose
maxconn 100
capture request header Host len 20
capture request header User-Agent len 16
capture request header Content-Length len 10
capture request header Referer len 20
capture response header Content-Length len 10
# block any unwanted source IP addresses or networks
acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
acl forbidden_src src_port 0:1023
block if forbidden_src
# block requests beginning with http:// on wrong domains
acl dangerous_pfx url_beg -i http://
acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
block if dangerous_pfx !valid_pfx
# block apache chunk exploit, ...
acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
acl forbidden_hdrs hdr_beg(host) -i apache- localhost
# ... some HTTP content smugling and other various things
acl forbidden_hdrs hdr_cnt(host) gt 1
acl forbidden_hdrs hdr_cnt(content-length) gt 1
acl forbidden_hdrs hdr_val(content-length) lt 0
acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
block if forbidden_hdrs
# block annoying worms that fill the logs...
acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
# block other common attacks (awstats, manual discovery...)
acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
block if forbidden_uris
# we rewrite the "options" request so that it only tries '*', and we
# only report GET, HEAD, POST and OPTIONS as valid methods
reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
acl host_demo hdr_beg(host) -i demo.
acl host_www2 hdr_beg(host) -i www2.
use_backend demo if host_demo
use_backend www2 if host_www2
default_backend www
backend www
mode http
source 192.168.21.2:0
balance roundrobin
cookie SERVERID
server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
# long timeout to support connection queueing
contimeout 20000
srvtimeout 20000
fullconn 100
redispatch
retries 3
option httpchk HEAD /
option forwardfor
option checkcache
option httpclose
# allow other syntactically valid requests, and block any other method
acl valid_method method GET HEAD POST OPTIONS
block if !valid_method
block if HTTP_URL_STAR !METH_OPTIONS
block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
# remove unnecessary precisions on the server version. Let's say
# it's an apache under Unix on the Formilux Distro.
rspidel ^Server:\
rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
defaults non_standard_bck
mode http
source 192.168.21.2:0
option forwardfor
option httpclose
balance roundrobin
fullconn 100
contimeout 20000
srvtimeout 20000
retries 2
backend www2
server www2 192.168.22.2:80 maxconn 10
# end of defaults
defaults none
backend demo
mode http
balance roundrobin
stats enable
stats uri /
stats scope http-in
stats scope www
stats scope demo

5
examples/haproxy-small.spec
View File

@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
Version: 1.3.11.4
Version: 1.3.12
Release: 1
License: GPL
Group: System Environment/Daemons
@ -69,6 +69,9 @@ fi
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.12
* Sun Jun 3 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.11.4

5
examples/haproxy.spec
View File

@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
Version: 1.3.11.4
Version: 1.3.12
Release: 1
License: GPL
Group: System Environment/Daemons
@ -71,6 +71,9 @@ fi
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.12
* Sun Jun 3 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.11.4

4
include/common/version.h
View File

@ -57,13 +57,13 @@
#ifdef CONFIG_HAPROXY_VERSION
#define HAPROXY_VERSION CONFIG_HAPROXY_VERSION
#else
#define HAPROXY_VERSION "1.3.11.4"
#define HAPROXY_VERSION "1.3.12"
#endif
#ifdef CONFIG_HAPROXY_DATE
#define HAPROXY_DATE CONFIG_HAPROXY_DATE
#else
#define HAPROXY_DATE "2007/06/03"
#define HAPROXY_DATE "2007/06/17"
#endif
#endif /* _COMMON_VERSION_H */