[RELEASE] Released version 1.3.12 with the following main changes :
- acl: smarter integer comparison support in ACLs
- acl: specify the direction during fetches
- acl: provide the argument length for fetch functions
- acl: provide a reference to the expr to fetch()
- acl: implement matching on header values
- acl: support matching on 'path' component
- acl: permit to return any header when no name specified
- errorfile: use a local file to feed error messages
- negation in ACL conds was not cleared between terms
- fix segfault at exit when using captures
- improve memory freeing upon exit
- acl: support '-i' to ignore case when matching
- str2net() must not change the const char *
- provide default ACLs
- acl: distinguish between request and response headers
- added the 'use_backend' keyword for full content-switching
- acl: added the TRUE and FALSE ACLs.
- shut warnings 'is*' macros from ctype.h on solaris
diff --git a/CHANGELOG b/CHANGELOG
index b48265c..e09ddae 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,25 @@
ChangeLog :
===========
+2007/06/17 : 1.3.12
+ - fix segfault at exit when using captures
+ - bug: negation in ACL conds was not cleared between terms
+ - errorfile: use a local file to feed error messages
+ - acl: support '-i' to ignore case when matching
+ - acl: smarter integer comparison with operators eq,lt,gt,le,ge
+ - acl: support maching on 'path' component
+ - acl: implement matching on header values
+ - acl: distinguish between request and response headers
+ - acl: permit to return any header when no name specified
+ - acl: provide default ACLs
+ - added the 'use_backend' keyword for full content-switching
+ - acl: specify the direction during fetches
+ - acl: provide the argument length for fetch functions
+ - acl: provide a reference to the expr to fetch()
+ - improve memory freeing upon exit
+ - str2net() must not change the const char *
+ - shut warnings 'is*' macros from ctype.h on solaris
+
2007/06/03 : 1.3.11.4
- do not re-arm read timeout in SHUTR state !
- optimize I/O by detecting system starvation
diff --git a/Makefile b/Makefile
index 04fbd73..39fa4d5 100644
--- a/Makefile
+++ b/Makefile
@@ -120,9 +120,9 @@
else
# Otherwise, use the hard-coded version of last tag, number of changes
# since last tag, and release date.
-VERSION := 1.3.11.4
+VERSION := 1.3.12
SUBVERS :=
-VERDATE := 2007/06/03
+VERDATE := 2007/06/17
endif
#### build options
diff --git a/Makefile.bsd b/Makefile.bsd
index 3ace826..14e70f4 100644
--- a/Makefile.bsd
+++ b/Makefile.bsd
@@ -2,7 +2,7 @@
# You should use it this way :
# make TARGET=os CPU=cpu
-VERSION := 1.3.11.4
+VERSION := 1.3.12
# Select target OS. TARGET must match a system for which COPTS and LIBS are
# correctly defined below.
diff --git a/Makefile.osx b/Makefile.osx
index 3e91456..0a2aa74 100644
--- a/Makefile.osx
+++ b/Makefile.osx
@@ -2,7 +2,7 @@
# You should use it this way :
# make TARGET=os CPU=cpu
-VERSION := 1.3.11.4
+VERSION := 1.3.12
# Select target OS. TARGET must match a system for which COPTS and LIBS are
# correctly defined below.
diff --git a/examples/acl-content-sw.cfg b/examples/acl-content-sw.cfg
new file mode 100644
index 0000000..1872789
--- /dev/null
+++ b/examples/acl-content-sw.cfg
@@ -0,0 +1,130 @@
+# This sample configuration makes extensive use of the ACLs. It requires
+# HAProxy version 1.3.12 minimum.
+
+global
+ log loghost local0
+ log localhost local0 err
+ maxconn 250
+ uid 71
+ gid 71
+ chroot /var/empty
+ pidfile /var/run/haproxy.pid
+ daemon
+ quiet
+
+frontend http-in
+ bind :80
+ mode http
+ log global
+ clitimeout 30000
+ option httplog
+ option dontlognull
+ #option logasap
+ option httpclose
+ maxconn 100
+
+ capture request header Host len 20
+ capture request header User-Agent len 16
+ capture request header Content-Length len 10
+ capture request header Referer len 20
+ capture response header Content-Length len 10
+
+ # block any unwanted source IP addresses or networks
+ acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
+ acl forbidden_src src_port 0:1023
+ block if forbidden_src
+
+ # block requests beginning with http:// on wrong domains
+ acl dangerous_pfx url_beg -i http://
+ acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
+ block if dangerous_pfx !valid_pfx
+
+ # block apache chunk exploit, ...
+ acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
+ acl forbidden_hdrs hdr_beg(host) -i apache- localhost
+
+ # ... some HTTP content smugling and other various things
+ acl forbidden_hdrs hdr_cnt(host) gt 1
+ acl forbidden_hdrs hdr_cnt(content-length) gt 1
+ acl forbidden_hdrs hdr_val(content-length) lt 0
+ acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
+ block if forbidden_hdrs
+
+ # block annoying worms that fill the logs...
+ acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
+ acl forbidden_uris url_sub -i %00 <script xmlrpc.php
+ acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
+
+ # block other common attacks (awstats, manual discovery...)
+ acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
+ acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
+ block if forbidden_uris
+
+ # we rewrite the "options" request so that it only tries '*', and we
+ # only report GET, HEAD, POST and OPTIONS as valid methods
+ reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
+ rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
+
+ acl host_demo hdr_beg(host) -i demo.
+ acl host_www2 hdr_beg(host) -i www2.
+
+ use_backend demo if host_demo
+ use_backend www2 if host_www2
+ default_backend www
+
+backend www
+ mode http
+ source 192.168.21.2:0
+ balance roundrobin
+ cookie SERVERID
+ server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
+ server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
+
+ # long timeout to support connection queueing
+ contimeout 20000
+ srvtimeout 20000
+ fullconn 100
+ redispatch
+ retries 3
+
+ option httpchk HEAD /
+ option forwardfor
+ option checkcache
+ option httpclose
+
+ # allow other syntactically valid requests, and block any other method
+ acl valid_method method GET HEAD POST OPTIONS
+ block if !valid_method
+ block if HTTP_URL_STAR !METH_OPTIONS
+ block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
+
+ # remove unnecessary precisions on the server version. Let's say
+ # it's an apache under Unix on the Formilux Distro.
+ rspidel ^Server:\
+ rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
+
+defaults non_standard_bck
+ mode http
+ source 192.168.21.2:0
+ option forwardfor
+ option httpclose
+ balance roundrobin
+ fullconn 100
+ contimeout 20000
+ srvtimeout 20000
+ retries 2
+
+backend www2
+ server www2 192.168.22.2:80 maxconn 10
+
+# end of defaults
+defaults none
+
+backend demo
+ mode http
+ balance roundrobin
+ stats enable
+ stats uri /
+ stats scope http-in
+ stats scope www
+ stats scope demo
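Review bot: The method whitelist and URL-form checks — `acl valid_method method GET HEAD POST OPTIONS`, `block if !valid_method` and the two `HTTP_URL_*` block rules — are declared inside `backend www`, so requests that `use_backend demo` or `use_backend www2` steer away from the default backend never hit them, and those backends also miss the `rspidel ^Server:` / `rspadd Server:` response rewrite. Moving the four acl/block lines up into `frontend http-in` next to the existing `block if forbidden_hdrs` applies them to every request regardless of which backend is chosen. Separately, `backend demo` exposes the stats page at `stats uri /` with no `stats auth` line, so anyone able to send a request with a `demo.` Host header gets the server list and health state for http-in, www and demo; add `stats auth <user>:<password>` (or guard it with a source ACL) before this example is used outside a lab. If leaving www2 without the Server-header rewrite is intentional for the sample, a one-line comment saying so would stop readers who copy the file from inheriting it by accident.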
diff --git a/examples/haproxy-small.spec b/examples/haproxy-small.spec
index 00cfd28..08c8595 100644
--- a/examples/haproxy-small.spec
+++ b/examples/haproxy-small.spec
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.3.11.4
+Version: 1.3.12
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -69,6 +69,9 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
+- updated to 1.3.12
+
* Sun Jun 3 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.11.4
diff --git a/examples/haproxy.spec b/examples/haproxy.spec
index 25aee20..85c96fc 100644
--- a/examples/haproxy.spec
+++ b/examples/haproxy.spec
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.3.11.4
+Version: 1.3.12
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -71,6 +71,9 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Sun Jun 17 2007 Willy Tarreau <w@1wt.eu>
+- updated to 1.3.12
+
* Sun Jun 3 2007 Willy Tarreau <w@1wt.eu>
- updated to 1.3.11.4
diff --git a/include/common/version.h b/include/common/version.h
index ad987fc..8022244 100644
--- a/include/common/version.h
+++ b/include/common/version.h
@@ -57,13 +57,13 @@
#ifdef CONFIG_HAPROXY_VERSION
#define HAPROXY_VERSION CONFIG_HAPROXY_VERSION
#else
-#define HAPROXY_VERSION "1.3.11.4"
+#define HAPROXY_VERSION "1.3.12"
#endif
#ifdef CONFIG_HAPROXY_DATE
#define HAPROXY_DATE CONFIG_HAPROXY_DATE
#else
-#define HAPROXY_DATE "2007/06/03"
+#define HAPROXY_DATE "2007/06/17"
#endif
#endif /* _COMMON_VERSION_H */