[RELEASE] Released version 1.3.12 with the following main changes :

    - acl: smarter integer comparison support in ACLs
    - acl: specify the direction during fetches
    - acl: provide the argument length for fetch functions
    - acl: provide a reference to the expr to fetch()
    - acl: implement matching on header values
    - acl: support maching on 'path' component
    - acl: permit to return any header when no name specified
    - errorfile: use a local file to feed error messages
    - negation in ACL conds was not cleared between terms
    - fix segfault at exit when using captures
    - improve memory freeing upon exit
    - acl: support '-i' to ignore case when matching
    - str2net() must not change the const char *
    - provide default ACLs
    - acl: distinguish between request and response headers
    - added the 'use_backend' keyword for full content-switching
    - acl: added the TRUE and FALSE ACLs.
    - shut warnings 'is*' macros from ctype.h on solaris

diff --git a/CHANGELOG b/CHANGELOG
index b48265c2137e6adc52956ca8ef56bfed2be384e3..e09ddaee20a17bfa40419da6a555fc918d79a4fd 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,25 @@
 ChangeLog :
 ===========
 
+2007/06/17 : 1.3.12
+    - fix segfault at exit when using captures
+    - bug: negation in ACL conds was not cleared between terms
+    - errorfile: use a local file to feed error messages
+    - acl: support '-i' to ignore case when matching
+    - acl: smarter integer comparison with operators eq,lt,gt,le,ge
+    - acl: support maching on 'path' component
+    - acl: implement matching on header values
+    - acl: distinguish between request and response headers
+    - acl: permit to return any header when no name specified
+    - acl: provide default ACLs
+    - added the 'use_backend' keyword for full content-switching
+    - acl: specify the direction during fetches
+    - acl: provide the argument length for fetch functions
+    - acl: provide a reference to the expr to fetch()
+    - improve memory freeing upon exit
+    - str2net() must not change the const char *
+    - shut warnings 'is*' macros from ctype.h on solaris
+
 2007/06/03 : 1.3.11.4
     - do not re-arm read timeout in SHUTR state !
     - optimize I/O by detecting system starvation

diff --git a/Makefile b/Makefile
index 04fbd732fb9494c4e4429c7cd5eb1b049b93733d..39fa4d55dbc28dab70ba926d83f2865a0fb1dd63 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -120,9 +120,9 @@ VERDATE := $(shell date +%Y/%m/%d -d "`git-log HEAD^.. 2>/dev/null | grep -m 1 ^
 else
 # Otherwise, use the hard-coded version of last tag, number of changes
 # since last tag, and release date.
-VERSION := 1.3.11.4
+VERSION := 1.3.12
 SUBVERS := 
-VERDATE := 2007/06/03
+VERDATE := 2007/06/17
 endif
 
 #### build options

diff --git a/Makefile.bsd b/Makefile.bsd
index 3ace82672ff3b2fae24ea5a9defe70da4af42e84..14e70f463753c36cf97795798edd1b33c1898be3 100644 (file)
--- a/Makefile.bsd
+++ b/Makefile.bsd
@@ -2,7 +2,7 @@
 # You should use it this way :
 #   make TARGET=os CPU=cpu
 
-VERSION := 1.3.11.4
+VERSION := 1.3.12
 
 # Select target OS. TARGET must match a system for which COPTS and LIBS are
 # correctly defined below.

diff --git a/Makefile.osx b/Makefile.osx
index 3e91456c698ebe9711eab917ef8baae312b2af72..0a2aa74363b0cdb1762299277fc6b683d8ba7b1e 100644 (file)
--- a/Makefile.osx
+++ b/Makefile.osx
@@ -2,7 +2,7 @@
 # You should use it this way :
 #   make TARGET=os CPU=cpu
 
-VERSION := 1.3.11.4
+VERSION := 1.3.12
 
 # Select target OS. TARGET must match a system for which COPTS and LIBS are
 # correctly defined below.

diff --git a/examples/acl-content-sw.cfg b/examples/acl-content-sw.cfg
new file mode 100644 (file)
index 0000000..1872789
--- /dev/null
+++ b/examples/acl-content-sw.cfg
@@ -0,0 +1,130 @@
+# This sample configuration makes extensive use of the ACLs. It requires
+# HAProxy version 1.3.12 minimum.
+
+global
+       log        loghost   local0
+       log        localhost local0 err
+       maxconn    250
+       uid        71
+       gid        71
+       chroot     /var/empty
+       pidfile    /var/run/haproxy.pid
+       daemon
+       quiet
+
+frontend http-in
+       bind       :80
+       mode       http
+       log        global
+       clitimeout 30000
+       option     httplog
+       option     dontlognull
+       #option    logasap
+       option     httpclose
+       maxconn    100
+
+       capture request  header Host           len 20
+       capture request  header User-Agent     len 16
+       capture request  header Content-Length len 10
+       capture request  header Referer        len 20
+       capture response header Content-Length len 10
+
+       # block any unwanted source IP addresses or networks
+       acl forbidden_src src      0.0.0.0/7 224.0.0.0/3
+       acl forbidden_src src_port 0:1023
+       block if forbidden_src
+
+       # block requests beginning with http:// on wrong domains
+       acl dangerous_pfx  url_beg -i  http://
+       acl valid_pfx      url_reg -i ^http://[^/]*1wt\.eu/
+       block if dangerous_pfx !valid_pfx
+
+       # block apache chunk exploit, ...
+       acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
+       acl forbidden_hdrs hdr_beg(host)              -i apache- localhost
+
+       # ... some HTTP content smugling and other various things
+       acl forbidden_hdrs hdr_cnt(host) gt 1
+       acl forbidden_hdrs hdr_cnt(content-length) gt 1
+       acl forbidden_hdrs hdr_val(content-length) lt 0
+       acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
+       block if forbidden_hdrs
+
+       # block annoying worms that fill the logs...
+       acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
+       acl forbidden_uris url_sub -i %00 <script xmlrpc.php
+       acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
+
+       # block other common attacks (awstats, manual discovery...)
+       acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
+       acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
+       block if forbidden_uris
+
+       # we rewrite the "options" request so that it only tries '*', and we
+       # only report GET, HEAD, POST and OPTIONS as valid methods
+       reqirep         ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
+       rspirep         ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
+
+       acl host_demo   hdr_beg(host) -i demo.
+       acl host_www2   hdr_beg(host) -i www2.
+
+       use_backend     demo   if host_demo
+       use_backend     www2   if host_www2
+       default_backend www
+
+backend www
+       mode    http
+       source  192.168.21.2:0
+       balance roundrobin
+       cookie SERVERID
+       server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
+       server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
+
+       # long timeout to support connection queueing
+       contimeout      20000
+       srvtimeout      20000
+       fullconn 100
+       redispatch
+       retries 3
+
+       option httpchk HEAD /
+       option forwardfor
+       option checkcache
+       option httpclose
+
+       # allow other syntactically valid requests, and block any other method
+        acl valid_method method GET HEAD POST OPTIONS
+        block if !valid_method
+        block if HTTP_URL_STAR !METH_OPTIONS
+        block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
+
+       # remove unnecessary precisions on the server version. Let's say
+       # it's an apache under Unix on the Formilux Distro.
+       rspidel         ^Server:\ 
+       rspadd          Server:\ Apache\ (Unix;\ Formilux/0.1.8)
+
+defaults non_standard_bck
+       mode    http
+       source  192.168.21.2:0
+       option forwardfor
+       option httpclose
+       balance roundrobin
+       fullconn 100
+       contimeout      20000
+       srvtimeout      20000
+       retries 2
+
+backend www2
+       server www2 192.168.22.2:80 maxconn 10
+
+# end of defaults
+defaults none
+
+backend demo
+       mode http
+       balance roundrobin
+       stats enable
+       stats uri /
+       stats scope http-in
+       stats scope www
+       stats scope demo

diff --git a/examples/haproxy-small.spec b/examples/haproxy-small.spec
index 00cfd282e4b2dd240b3bf2bb323891fc434b91c3..08c859532bd88838d33ee97f80ae9a675ed62ef2 100644 (file)
--- a/examples/haproxy-small.spec
+++ b/examples/haproxy-small.spec
@@ -1,6 +1,6 @@
 Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
 Name: haproxy
-Version: 1.3.11.4
+Version: 1.3.12
 Release: 1
 License: GPL
 Group: System Environment/Daemons
@@ -69,6 +69,9 @@ fi
 %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
 
 %changelog
+* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
+- updated to 1.3.12
+
 * Sun Jun  3 2007 Willy Tarreau <w@1wt.eu>
 - updated to 1.3.11.4
 

diff --git a/examples/haproxy.spec b/examples/haproxy.spec
index 25aee208f7500c4d9f93f03c24f2d7a279ce4b8f..85c96fc0a6ec78e38ac4de58f66515efc169514a 100644 (file)
--- a/examples/haproxy.spec
+++ b/examples/haproxy.spec
@@ -1,6 +1,6 @@
 Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
 Name: haproxy
-Version: 1.3.11.4
+Version: 1.3.12
 Release: 1
 License: GPL
 Group: System Environment/Daemons
@@ -71,6 +71,9 @@ fi
 %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
 
 %changelog
+* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
+- updated to 1.3.12
+
 * Sun Jun  3 2007 Willy Tarreau <w@1wt.eu>
 - updated to 1.3.11.4
 

diff --git a/include/common/version.h b/include/common/version.h
index ad987fc3a2e8088b8b479e54d21d42e17bebac16..8022244bae412294e6403f19299c2a3c7cd73915 100644 (file)
--- a/include/common/version.h
+++ b/include/common/version.h
@@ -57,13 +57,13 @@
 #ifdef CONFIG_HAPROXY_VERSION
 #define HAPROXY_VERSION CONFIG_HAPROXY_VERSION
 #else
-#define HAPROXY_VERSION "1.3.11.4"
+#define HAPROXY_VERSION "1.3.12"
 #endif
 
 #ifdef CONFIG_HAPROXY_DATE
 #define HAPROXY_DATE    CONFIG_HAPROXY_DATE
 #else
-#define HAPROXY_DATE    "2007/06/03"
+#define HAPROXY_DATE    "2007/06/17"
 #endif
 
 #endif /* _COMMON_VERSION_H */