Relocate haproxy to stx-integ/base/haproxy
Move content from stx-gplv2 into stx-integ

Packages will be relocated to stx-integ:

base/
    bash
    cgcs-users
    cluster-resource-agents
    dpkg
    haproxy
    libfdt
    netpbm
    rpm

database/
    mariadb

filesystem/
    iscsi-initiator-utils

filesystem/drbd/
    drbd-tools

kernel/kernel-modules/
    drbd
    integrity
    intel-e1000e
    intel-i40e
    intel-i40evf
    intel-ixgbe
    intel-ixgbevf
    qat17
    tpmdd

ldap/
    ldapscripts

networking/
    iptables
    net-tools

Change-Id: Id89339f3ed454f14998a1ef39e353ecedad05470
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
parent
bf8146a073
commit
8ea05fd14a
@ -1,4 +1,3 @@
|
||||||
haproxy
|
|
||||||
iptables
|
iptables
|
||||||
iscsi-initiator-utils
|
iscsi-initiator-utils
|
||||||
ldapscripts
|
ldapscripts
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
Metadata-Version: 1.1
|
|
||||||
Name: haproxy
|
|
||||||
Version: 1.5.18
|
|
||||||
Summary: Abstract asynchronous event notification library
|
|
||||||
Home-page:
|
|
||||||
Author:
|
|
||||||
Author-email:
|
|
||||||
License: GPLv2+
|
|
||||||
|
|
||||||
Description:
|
|
||||||
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
|
|
||||||
availability environments.
|
|
||||||
|
|
||||||
|
|
||||||
Platform: UNKNOWN
|
|
|
@ -1,2 +0,0 @@
|
||||||
COPY_LIST="haproxy/*"
|
|
||||||
TIS_PATCH_VER=7
|
|
|
@ -1,27 +0,0 @@
|
||||||
From 79f025b91d461a948ca6449eb25a11a6c89144b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 7/7] WRS: 0001-Update-package-versioning-for-TIS-format.patch
|
|
||||||
|
|
||||||
Conflicts:
|
|
||||||
SPECS/haproxy.spec
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index c1547ef..097aa79 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -8,7 +8,7 @@
|
|
||||||
|
|
||||||
Name: haproxy
|
|
||||||
Version: 1.5.18
|
|
||||||
-Release: 6%{?dist}
|
|
||||||
+Release: 6.el7%{?_tis_dist}.%{tis_patch_ver}
|
|
||||||
Summary: TCP/HTTP proxy and load balancer for high availability environments
|
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
spec-include-TiS-config.patch
|
|
||||||
haproxy-spec-add-init-script.patch
|
|
||||||
spec-add-haproxy-env-var-patch.patch
|
|
||||||
meta_remove_bad_logrotate.patch
|
|
||||||
haproxy-service-file.patch
|
|
||||||
meta_add_support_for_tpm.patch
|
|
||||||
0001-Update-package-versioning-for-TIS-format.patch
|
|
|
@ -1,26 +0,0 @@
|
||||||
From c4d74c67ee001af849e7a30e824cc0f8e38ef948 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 5/7] WRS: haproxy-service-file.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SOURCES/haproxy.service | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/SOURCES/haproxy.service b/SOURCES/haproxy.service
|
|
||||||
index 2d4c954..c2f1086 100644
|
|
||||||
--- a/SOURCES/haproxy.service
|
|
||||||
+++ b/SOURCES/haproxy.service
|
|
||||||
@@ -4,7 +4,8 @@ After=syslog.target network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
EnvironmentFile=/etc/sysconfig/haproxy
|
|
||||||
-ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS
|
|
||||||
+ExecStart=/etc/init.d/haproxy start
|
|
||||||
+ExecStop=/etc/init.d/haproxy stop
|
|
||||||
ExecReload=/bin/kill -USR2 $MAINPID
|
|
||||||
KillMode=mixed
|
|
||||||
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
From 959767df3285a81f1c5650018ed846fe90a68c9d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 2/7] WRS: haproxy-spec-add-init-script.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index 42ddeb0..cbd9161 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -21,6 +21,7 @@ Source2: %{name}.cfg
|
|
||||||
Source3: %{name}.logrotate
|
|
||||||
Source4: %{name}.sysconfig
|
|
||||||
Source5: halog.1
|
|
||||||
+Source10: %{name}.sh
|
|
||||||
|
|
||||||
# WRS
|
|
||||||
Source6: 503.http
|
|
||||||
@@ -81,11 +82,14 @@ popd
|
|
||||||
%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"
|
|
||||||
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
|
|
||||||
|
|
||||||
+mkdir -p /etc/init.d
|
|
||||||
+
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
|
|
||||||
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
|
|
||||||
+%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
|
|
||||||
%{__install} -d -m 0755 %{buildroot}%{haproxy_home}
|
|
||||||
%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
|
|
||||||
%{__install} -d -m 0755 %{buildroot}%{_bindir}
|
|
||||||
@@ -149,6 +153,7 @@ fi
|
|
||||||
%{_bindir}/halog
|
|
||||||
%{_bindir}/iprange
|
|
||||||
%{_mandir}/man1/*
|
|
||||||
+/etc/init.d/%{name}
|
|
||||||
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
|
|
||||||
|
|
||||||
# WRS
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,42 +0,0 @@
|
||||||
From a5329bf1468f55c8d6b983e5999c12139dc7479d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 6/7] WRS: meta_add_support_for_tpm.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index 3d112e0..c1547ef 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -30,6 +30,7 @@ Patch1: iprange-return-type.patch
|
|
||||||
Patch2: haproxy-tcp-user-timeout.patch
|
|
||||||
Patch3: haproxy-systemd-wrapper-exit-code.patch
|
|
||||||
Patch4: haproxy-env-var.patch
|
|
||||||
+Patch5: haproxy-tpm-support.patch
|
|
||||||
|
|
||||||
BuildRequires: pcre-devel
|
|
||||||
BuildRequires: zlib-devel
|
|
||||||
@@ -41,6 +42,9 @@ Requires(post): systemd
|
|
||||||
Requires(preun): systemd
|
|
||||||
Requires(postun): systemd
|
|
||||||
|
|
||||||
+Requires: tpm2-openssl-engine
|
|
||||||
+
|
|
||||||
+
|
|
||||||
%description
|
|
||||||
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
|
|
||||||
availability environments. Indeed, it can:
|
|
||||||
@@ -62,6 +66,7 @@ availability environments. Indeed, it can:
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
+%patch5 -p1
|
|
||||||
|
|
||||||
%build
|
|
||||||
regparm_opts=
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
From 3eac39ba534b92dbcb3a898442b09be7acc389bb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 4/7] WRS: meta_remove_bad_logrotate.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 3 ---
|
|
||||||
1 file changed, 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index af94d46..3d112e0 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -18,7 +18,6 @@ URL: http://www.haproxy.org/
|
|
||||||
Source0: http://www.haproxy.org/download/1.5/src/haproxy-%{version}.tar.gz
|
|
||||||
Source1: %{name}.service
|
|
||||||
Source2: %{name}.cfg
|
|
||||||
-Source3: %{name}.logrotate
|
|
||||||
Source4: %{name}.sysconfig
|
|
||||||
Source5: halog.1
|
|
||||||
Source10: %{name}.sh
|
|
||||||
@@ -88,7 +87,6 @@ mkdir -p /etc/init.d
|
|
||||||
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
|
|
||||||
%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
|
|
||||||
-%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
|
|
||||||
%{__install} -p -D -m 0755 %{SOURCE10} %{buildroot}/etc/init.d/%{name}
|
|
||||||
@@ -147,7 +145,6 @@ fi
|
|
||||||
%dir %{haproxy_datadir}
|
|
||||||
%{haproxy_datadir}/*
|
|
||||||
%config(noreplace) %{haproxy_confdir}/%{name}.cfg
|
|
||||||
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
|
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
|
|
||||||
%{_unitdir}/%{name}.service
|
|
||||||
%{_sbindir}/%{name}
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,32 +0,0 @@
|
||||||
From 2e37207c026047e2ce1bc9a5278faddfea81c011 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 3/7] WRS: spec-add-haproxy-env-var-patch.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index cbd9161..af94d46 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -30,6 +30,7 @@ Patch0: halog-unused-variables.patch
|
|
||||||
Patch1: iprange-return-type.patch
|
|
||||||
Patch2: haproxy-tcp-user-timeout.patch
|
|
||||||
Patch3: haproxy-systemd-wrapper-exit-code.patch
|
|
||||||
+Patch4: haproxy-env-var.patch
|
|
||||||
|
|
||||||
BuildRequires: pcre-devel
|
|
||||||
BuildRequires: zlib-devel
|
|
||||||
@@ -61,6 +62,7 @@ availability environments. Indeed, it can:
|
|
||||||
%patch1 -p0
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
+%patch4 -p1
|
|
||||||
|
|
||||||
%build
|
|
||||||
regparm_opts=
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1,58 +0,0 @@
|
||||||
From 419d06285552bc31dce214d37edb925b4a82c68b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Mon, 2 Oct 2017 16:12:36 -0400
|
|
||||||
Subject: [PATCH 1/7] WRS: spec-include-TiS-config.patch
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/haproxy.spec | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
|
|
||||||
index b4dde9e..42ddeb0 100644
|
|
||||||
--- a/SPECS/haproxy.spec
|
|
||||||
+++ b/SPECS/haproxy.spec
|
|
||||||
@@ -22,6 +22,9 @@ Source3: %{name}.logrotate
|
|
||||||
Source4: %{name}.sysconfig
|
|
||||||
Source5: halog.1
|
|
||||||
|
|
||||||
+# WRS
|
|
||||||
+Source6: 503.http
|
|
||||||
+
|
|
||||||
Patch0: halog-unused-variables.patch
|
|
||||||
Patch1: iprange-return-type.patch
|
|
||||||
Patch2: haproxy-tcp-user-timeout.patch
|
|
||||||
@@ -79,7 +82,7 @@ popd
|
|
||||||
%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
|
|
||||||
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
|
|
||||||
-%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
|
|
||||||
+%{__install} -p -D -m 0640 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
|
|
||||||
%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_mandir}/man1/halog.1
|
|
||||||
@@ -106,6 +109,11 @@ do
|
|
||||||
%{__rm} -f $textfile.old
|
|
||||||
done
|
|
||||||
|
|
||||||
+# WRS
|
|
||||||
+%{__install} -d 755 %{buildroot}/etc/haproxy/errors/
|
|
||||||
+%{__install} -m 755 %{SOURCE6} %{buildroot}/etc/haproxy/errors/503.http
|
|
||||||
+
|
|
||||||
+
|
|
||||||
%pre
|
|
||||||
getent group %{haproxy_group} >/dev/null || groupadd -f -g 188 -r %{haproxy_group}
|
|
||||||
if ! getent passwd %{haproxy_user} >/dev/null ; then
|
|
||||||
@@ -143,6 +151,10 @@ fi
|
|
||||||
%{_mandir}/man1/*
|
|
||||||
%attr(-,%{haproxy_user},%{haproxy_group}) %dir %{haproxy_home}
|
|
||||||
|
|
||||||
+# WRS
|
|
||||||
+%dir /etc/haproxy/errors/
|
|
||||||
+/etc/haproxy/errors/*
|
|
||||||
+
|
|
||||||
%changelog
|
|
||||||
* Mon May 01 2017 Ryan O'Hara <rohara@redhat.com> - 1.5.18-6
|
|
||||||
- Use KillMode=mixed in systemd service file (#1444709)
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
mirror:Source/haproxy-1.5.18-6.el7.src.rpm
|
|
|
@ -1,9 +0,0 @@
|
||||||
HTTP/1.0 503 Service Unavailable
|
|
||||||
Cache-Control: no-cache
|
|
||||||
Connection: close
|
|
||||||
Content-Type: text/html
|
|
||||||
|
|
||||||
<html><body><h1>503 Service Unavailable</h1>
|
|
||||||
No server is available to handle this request.
|
|
||||||
</body></html>
|
|
||||||
|
|
|
@ -1,245 +0,0 @@
|
||||||
Index: haproxy-1.5.11/src/cfgparse.c
|
|
||||||
===================================================================
|
|
||||||
--- haproxy-1.5.11.orig/src/cfgparse.c
|
|
||||||
+++ haproxy-1.5.11/src/cfgparse.c
|
|
||||||
@@ -5789,12 +5789,19 @@ out:
|
|
||||||
*/
|
|
||||||
int readcfgfile(const char *file)
|
|
||||||
{
|
|
||||||
- char thisline[LINESIZE];
|
|
||||||
+ char *thisline;
|
|
||||||
+ int linesize = LINESIZE;
|
|
||||||
FILE *f;
|
|
||||||
int linenum = 0;
|
|
||||||
int err_code = 0;
|
|
||||||
struct cfg_section *cs = NULL;
|
|
||||||
struct cfg_section *ics;
|
|
||||||
+ int readbytes = 0;
|
|
||||||
+
|
|
||||||
+ if ((thisline = malloc(sizeof(*thisline) * linesize)) == NULL) {
|
|
||||||
+ Alert("parsing [%s] : out of memory.\n", file);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Register internal sections */
|
|
||||||
if (!cfg_register_section("listen", cfg_parse_listen) ||
|
|
||||||
@@ -5810,11 +5817,14 @@ int readcfgfile(const char *file)
|
|
||||||
if ((f=fopen(file,"r")) == NULL)
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
- while (fgets(thisline, sizeof(thisline), f) != NULL) {
|
|
||||||
+next_line:
|
|
||||||
+ while (fgets(thisline + readbytes, linesize - readbytes, f) != NULL) {
|
|
||||||
int arg, kwm = KWM_STD;
|
|
||||||
char *end;
|
|
||||||
char *args[MAX_LINE_ARGS + 1];
|
|
||||||
char *line = thisline;
|
|
||||||
+ int dquote = 0; /* double quote */
|
|
||||||
+ int squote = 0; /* simple quote */
|
|
||||||
|
|
||||||
linenum++;
|
|
||||||
|
|
||||||
@@ -5824,11 +5834,25 @@ int readcfgfile(const char *file)
|
|
||||||
/* Check if we reached the limit and the last char is not \n.
|
|
||||||
* Watch out for the last line without the terminating '\n'!
|
|
||||||
*/
|
|
||||||
- Alert("parsing [%s:%d]: line too long, limit: %d.\n",
|
|
||||||
- file, linenum, (int)sizeof(thisline)-1);
|
|
||||||
- err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ char *newline;
|
|
||||||
+ int newlinesize = linesize * 2;
|
|
||||||
+
|
|
||||||
+ newline = realloc(thisline, sizeof(*thisline) * newlinesize);
|
|
||||||
+ if (newline == NULL) {
|
|
||||||
+ Alert("parsing [%s:%d]: line too long, cannot allocate memory.\n",
|
|
||||||
+ file, linenum);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ readbytes = linesize - 1;
|
|
||||||
+ linesize = newlinesize;
|
|
||||||
+ thisline = newline;
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ readbytes = 0;
|
|
||||||
+
|
|
||||||
/* skip leading spaces */
|
|
||||||
while (isspace((unsigned char)*line))
|
|
||||||
line++;
|
|
||||||
@@ -5837,10 +5861,26 @@ int readcfgfile(const char *file)
|
|
||||||
args[arg] = line;
|
|
||||||
|
|
||||||
while (*line && arg < MAX_LINE_ARGS) {
|
|
||||||
- /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
|
|
||||||
- * C equivalent value. Other combinations left unchanged (eg: \1).
|
|
||||||
- */
|
|
||||||
- if (*line == '\\') {
|
|
||||||
+ if (*line == '"' && !squote) { /* double quote outside single quotes */
|
|
||||||
+ if (dquote)
|
|
||||||
+ dquote = 0;
|
|
||||||
+ else
|
|
||||||
+ dquote = 1;
|
|
||||||
+ memmove(line, line + 1, end - line);
|
|
||||||
+ end--;
|
|
||||||
+ }
|
|
||||||
+ else if (*line == '\'' && !dquote) { /* single quote outside double quotes */
|
|
||||||
+ if (squote)
|
|
||||||
+ squote = 0;
|
|
||||||
+ else
|
|
||||||
+ squote = 1;
|
|
||||||
+ memmove(line, line + 1, end - line);
|
|
||||||
+ end--;
|
|
||||||
+ }
|
|
||||||
+ else if (*line == '\\' && !squote) {
|
|
||||||
+ /* first, we'll replace \\, \<space>, \#, \r, \n, \t, \xXX with their
|
|
||||||
+ * C equivalent value. Other combinations left unchanged (eg: \1).
|
|
||||||
+ */
|
|
||||||
int skip = 0;
|
|
||||||
if (line[1] == ' ' || line[1] == '\\' || line[1] == '#') {
|
|
||||||
*line = line[1];
|
|
||||||
@@ -5872,6 +5912,15 @@ int readcfgfile(const char *file)
|
|
||||||
Alert("parsing [%s:%d] : invalid or incomplete '\\x' sequence in '%s'.\n", file, linenum, args[0]);
|
|
||||||
err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
}
|
|
||||||
+ } else if (line[1] == '"') {
|
|
||||||
+ *line = '"';
|
|
||||||
+ skip = 1;
|
|
||||||
+ } else if (line[1] == '\'') {
|
|
||||||
+ *line = '\'';
|
|
||||||
+ skip = 1;
|
|
||||||
+ } else if (line[1] == '$' && dquote) { /* escaping of $ only inside double quotes */
|
|
||||||
+ *line = '$';
|
|
||||||
+ skip = 1;
|
|
||||||
}
|
|
||||||
if (skip) {
|
|
||||||
memmove(line + 1, line + 1 + skip, end - (line + skip));
|
|
||||||
@@ -5879,23 +5928,117 @@ int readcfgfile(const char *file)
|
|
||||||
}
|
|
||||||
line++;
|
|
||||||
}
|
|
||||||
- else if (*line == '#' || *line == '\n' || *line == '\r') {
|
|
||||||
+ else if ((!squote && !dquote && *line == '#') || *line == '\n' || *line == '\r') {
|
|
||||||
/* end of string, end of loop */
|
|
||||||
*line = 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- else if (isspace((unsigned char)*line)) {
|
|
||||||
+ else if (!squote && !dquote && isspace((unsigned char)*line)) {
|
|
||||||
/* a non-escaped space is an argument separator */
|
|
||||||
*line++ = '\0';
|
|
||||||
while (isspace((unsigned char)*line))
|
|
||||||
line++;
|
|
||||||
args[++arg] = line;
|
|
||||||
}
|
|
||||||
+ else if (dquote && *line == '$') {
|
|
||||||
+ /* environment variables are evaluated inside double quotes */
|
|
||||||
+ char *var_beg;
|
|
||||||
+ char *var_end;
|
|
||||||
+ char save_char;
|
|
||||||
+ char *value;
|
|
||||||
+ int val_len;
|
|
||||||
+ int newlinesize;
|
|
||||||
+ int braces = 0;
|
|
||||||
+
|
|
||||||
+ var_beg = line + 1;
|
|
||||||
+ var_end = var_beg;
|
|
||||||
+
|
|
||||||
+ if (*var_beg == '{') {
|
|
||||||
+ var_beg++;
|
|
||||||
+ var_end++;
|
|
||||||
+ braces = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!isalpha((int)(unsigned char)*var_beg) && *var_beg != '_') {
|
|
||||||
+ Alert("parsing [%s:%d] : Variable expansion: Unrecognized character '%c' in variable name.\n", file, linenum, *var_beg);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ goto next_line; /* skip current line */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while (isalnum((int)(unsigned char)*var_end) || *var_end == '_')
|
|
||||||
+ var_end++;
|
|
||||||
+
|
|
||||||
+ save_char = *var_end;
|
|
||||||
+ *var_end = '\0';
|
|
||||||
+ value = getenv(var_beg);
|
|
||||||
+ *var_end = save_char;
|
|
||||||
+ val_len = value ? strlen(value) : 0;
|
|
||||||
+
|
|
||||||
+ if (braces) {
|
|
||||||
+ if (*var_end == '}') {
|
|
||||||
+ var_end++;
|
|
||||||
+ braces = 0;
|
|
||||||
+ } else {
|
|
||||||
+ Alert("parsing [%s:%d] : Variable expansion: Mismatched braces.\n", file, linenum);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ goto next_line; /* skip current line */
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ newlinesize = (end - thisline) - (var_end - line) + val_len + 1;
|
|
||||||
+
|
|
||||||
+ /* if not enough space in thisline */
|
|
||||||
+ if (newlinesize > linesize) {
|
|
||||||
+ char *newline;
|
|
||||||
+
|
|
||||||
+ newline = realloc(thisline, newlinesize * sizeof(*thisline));
|
|
||||||
+ if (newline == NULL) {
|
|
||||||
+ Alert("parsing [%s:%d] : Variable expansion: Not enough memory.\n", file, linenum);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ goto next_line; /* slip current line */
|
|
||||||
+ }
|
|
||||||
+ /* recompute pointers if realloc returns a new pointer */
|
|
||||||
+ if (newline != thisline) {
|
|
||||||
+ int i;
|
|
||||||
+ int diff;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i <= arg; i++) {
|
|
||||||
+ diff = args[i] - thisline;
|
|
||||||
+ args[i] = newline + diff;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ diff = var_end - thisline;
|
|
||||||
+ var_end = newline + diff;
|
|
||||||
+ diff = end - thisline;
|
|
||||||
+ end = newline + diff;
|
|
||||||
+ diff = line - thisline;
|
|
||||||
+ line = newline + diff;
|
|
||||||
+ thisline = newline;
|
|
||||||
+ }
|
|
||||||
+ linesize = newlinesize;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* insert value inside the line */
|
|
||||||
+ memmove(line + val_len, var_end, end - var_end + 1);
|
|
||||||
+ memcpy(line, value, val_len);
|
|
||||||
+ end += val_len - (var_end - line);
|
|
||||||
+ line += val_len;
|
|
||||||
+ }
|
|
||||||
else {
|
|
||||||
line++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (dquote) {
|
|
||||||
+ Alert("parsing [%s:%d] : Mismatched double quotes.\n", file, linenum);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (squote) {
|
|
||||||
+ Alert("parsing [%s:%d] : Mismatched simple quotes.\n", file, linenum);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* empty line */
|
|
||||||
if (!**args)
|
|
||||||
continue;
|
|
||||||
@@ -5966,6 +6109,7 @@ int readcfgfile(const char *file)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
cursection = NULL;
|
|
||||||
+ free(thisline);
|
|
||||||
fclose(f);
|
|
||||||
return err_code;
|
|
||||||
}
|
|
|
@ -1,319 +0,0 @@
|
||||||
From a2a25214f6f4913b774bdd6c0b80d3ea424d3a1b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kam Nasim <kam.nasim@windriver.com>
|
|
||||||
Date: Wed, 22 Mar 2017 12:07:24 -0400
|
|
||||||
Subject: [PATCH] haproxy tpm support
|
|
||||||
|
|
||||||
---
|
|
||||||
include/types/global.h | 13 +++++
|
|
||||||
src/cfgparse.c | 28 ++++++++++
|
|
||||||
src/haproxy.c | 26 ++++++++-
|
|
||||||
src/ssl_sock.c | 147 +++++++++++++++++++++++++++++++++++++++++++------
|
|
||||||
4 files changed, 197 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/types/global.h b/include/types/global.h
|
|
||||||
index f1525ae..2e9c077 100644
|
|
||||||
--- a/include/types/global.h
|
|
||||||
+++ b/include/types/global.h
|
|
||||||
@@ -30,6 +30,10 @@
|
|
||||||
#include <types/proxy.h>
|
|
||||||
#include <types/task.h>
|
|
||||||
|
|
||||||
+#ifdef USE_OPENSSL
|
|
||||||
+#include <openssl/engine.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#ifndef UNIX_MAX_PATH
|
|
||||||
#define UNIX_MAX_PATH 108
|
|
||||||
#endif
|
|
||||||
@@ -71,6 +75,14 @@ enum {
|
|
||||||
SSL_SERVER_VERIFY_REQUIRED = 1,
|
|
||||||
};
|
|
||||||
|
|
||||||
+// WRS: Define a new TPM configuration structure
|
|
||||||
+struct tpm_conf {
|
|
||||||
+ char *tpm_object;
|
|
||||||
+ char *tpm_engine;
|
|
||||||
+ EVP_PKEY *tpm_key;
|
|
||||||
+ ENGINE *tpm_engine_ref;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/* FIXME : this will have to be redefined correctly */
|
|
||||||
struct global {
|
|
||||||
#ifdef USE_OPENSSL
|
|
||||||
@@ -87,6 +99,7 @@ struct global {
|
|
||||||
char *connect_default_ciphers;
|
|
||||||
int listen_default_ssloptions;
|
|
||||||
int connect_default_ssloptions;
|
|
||||||
+ struct tpm_conf tpm; // tpm configuration
|
|
||||||
#endif
|
|
||||||
unsigned int ssl_server_verify; /* default verify mode on servers side */
|
|
||||||
struct freq_ctr conn_per_sec;
|
|
||||||
diff --git a/src/cfgparse.c b/src/cfgparse.c
|
|
||||||
index 6a7f80c..3bc6e79 100644
|
|
||||||
--- a/src/cfgparse.c
|
|
||||||
+++ b/src/cfgparse.c
|
|
||||||
@@ -1541,6 +1541,34 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
|
|
||||||
goto out;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
+ else if (!strcmp(args[0], "tpm-object")) {
|
|
||||||
+ if (global.tpm.tpm_object) {
|
|
||||||
+ free(global.tpm.tpm_object);
|
|
||||||
+ }
|
|
||||||
+#ifdef USE_OPENSSL
|
|
||||||
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
|
|
||||||
+ global.tpm.tpm_object = strdup(args[1]);
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ goto out;
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
+ else if (!strcmp(args[0], "tpm-engine")) {
|
|
||||||
+ if (global.tpm.tpm_engine) {
|
|
||||||
+ free(global.tpm.tpm_engine);
|
|
||||||
+ }
|
|
||||||
+#ifdef USE_OPENSSL
|
|
||||||
+ if (*(args[1]) && (access(args[1], F_OK) != -1)) {
|
|
||||||
+ global.tpm.tpm_engine = strdup(args[1]);
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
|
|
||||||
+ err_code |= ERR_ALERT | ERR_FATAL;
|
|
||||||
+ goto out;
|
|
||||||
+#endif
|
|
||||||
+ }
|
|
||||||
else {
|
|
||||||
struct cfg_kw_list *kwl;
|
|
||||||
int index;
|
|
||||||
diff --git a/src/haproxy.c b/src/haproxy.c
|
|
||||||
index 862697d..2a1a0dc 100644
|
|
||||||
--- a/src/haproxy.c
|
|
||||||
+++ b/src/haproxy.c
|
|
||||||
@@ -959,6 +959,24 @@ static void deinit_stick_rules(struct list *rules)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void deinit_tpm_engine()
|
|
||||||
+{
|
|
||||||
+ /*
|
|
||||||
+ * if the tpm engine is present then
|
|
||||||
+ * deinit it, this is needed to
|
|
||||||
+ * flush the TPM key handle from TPM memory
|
|
||||||
+ */
|
|
||||||
+ if (global.tpm.tpm_engine_ref) {
|
|
||||||
+ ENGINE_finish(global.tpm.tpm_engine_ref);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (global.tpm.tpm_key) {
|
|
||||||
+ EVP_PKEY_free(global.tpm.tpm_key);
|
|
||||||
+ }
|
|
||||||
+ free(global.tpm.tpm_engine); global.tpm.tpm_engine = NULL;
|
|
||||||
+ free(global.tpm.tpm_object); global.tpm.tpm_object = NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void deinit(void)
|
|
||||||
{
|
|
||||||
struct proxy *p = proxy, *p0;
|
|
||||||
@@ -1218,7 +1236,13 @@ void deinit(void)
|
|
||||||
|
|
||||||
free(uap);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+
|
|
||||||
+ /* if HAProxy was in TPM mode then deinit
|
|
||||||
+ * that configuration as well.
|
|
||||||
+ */
|
|
||||||
+ if (global.tpm.tpm_object && global.tpm.tpm_object != '\0')
|
|
||||||
+ deinit_tpm_engine();
|
|
||||||
+
|
|
||||||
userlist_free(userlist);
|
|
||||||
|
|
||||||
protocol_unbind_all();
|
|
||||||
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
||||||
index ead4c7b..4e16026 100644
|
|
||||||
--- a/src/ssl_sock.c
|
|
||||||
+++ b/src/ssl_sock.c
|
|
||||||
@@ -50,6 +50,7 @@
|
|
||||||
#ifndef OPENSSL_NO_DH
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
#endif
|
|
||||||
+#include <openssl/engine.h>
|
|
||||||
|
|
||||||
#include <common/buffer.h>
|
|
||||||
#include <common/compat.h>
|
|
||||||
@@ -1115,6 +1116,80 @@ end:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * initialize the TPM engine and load the
|
|
||||||
+ * TPM object as private key within the Engine.
|
|
||||||
+ * Only do this for the first bind since TPM can
|
|
||||||
+ * only load 3-4 contexes before it runs out of memory
|
|
||||||
+ */
|
|
||||||
+static int ssl_sock_load_tpm_key(SSL_CTX *ctx, char **err) {
|
|
||||||
+ if (!global.tpm.tpm_object || global.tpm.tpm_object[0] == '\0') {
|
|
||||||
+ /* not in TPM mode */
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ if (!global.tpm.tpm_key) {
|
|
||||||
+ Warning ("Could not find tpm_key; initializing engine\n");
|
|
||||||
+ /* no key present; load the dynamic TPM engine */
|
|
||||||
+ if (global.tpm.tpm_engine && global.tpm.tpm_engine[0]) {
|
|
||||||
+ ENGINE_load_dynamic();
|
|
||||||
+ ENGINE *engine = ENGINE_by_id("dynamic");
|
|
||||||
+ if (!engine) {
|
|
||||||
+ memprintf(err, "%s Unable to load the dynamic engine "
|
|
||||||
+ "(needed for loading custom TPM engine)\n",
|
|
||||||
+ err && *err ? *err : "");
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ENGINE_ctrl_cmd_string(engine, "SO_PATH", global.tpm.tpm_engine, 0);
|
|
||||||
+ ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
|
|
||||||
+ /* stow away for ENGINE cleanup */
|
|
||||||
+ global.tpm.tpm_engine_ref = engine;
|
|
||||||
+
|
|
||||||
+ if (ENGINE_init(engine) != 1) {
|
|
||||||
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
|
|
||||||
+ memprintf(err, "%s Unable to init the TPM engine (%s). Err: %s\n",
|
|
||||||
+ err && *err ? *err : "",
|
|
||||||
+ global.tpm.tpm_engine, error_str);
|
|
||||||
+ goto tpm_err;
|
|
||||||
+ }
|
|
||||||
+ EVP_PKEY *pkey = ENGINE_load_private_key(engine,
|
|
||||||
+ global.tpm.tpm_object,
|
|
||||||
+ NULL, NULL);
|
|
||||||
+ if (!pkey) {
|
|
||||||
+ const char *error_str = ERR_error_string(ERR_get_error(), NULL);
|
|
||||||
+ memprintf(err, "%s Unable to load TPM object (%s). Err: %s\n",
|
|
||||||
+ err && *err ? *err : "",
|
|
||||||
+ global.tpm.tpm_object, error_str);
|
|
||||||
+ goto tpm_err;
|
|
||||||
+ }
|
|
||||||
+ global.tpm.tpm_key = pkey;
|
|
||||||
+ }
|
|
||||||
+ else { /* no TPM engine found */
|
|
||||||
+ memprintf(err, "%s TPM engine option not set when TPM mode expected\n",
|
|
||||||
+ err && *err ? *err : "");
|
|
||||||
+ goto tpm_err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (SSL_CTX_use_PrivateKey(ctx, global.tpm.tpm_key) <= 0){
|
|
||||||
+ const char *error_str = ERR_error_string(ERR_get_error(),
|
|
||||||
+ NULL);
|
|
||||||
+ memprintf(err, "%s Invalid private key provided from TPM engine(%s). Err: %s\n",
|
|
||||||
+ err && *err ? *err : "",
|
|
||||||
+ global.tpm.tpm_object, error_str);
|
|
||||||
+ goto tpm_err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+tpm_err:
|
|
||||||
+ ENGINE_finish(global.tpm.tpm_engine_ref);
|
|
||||||
+ global.tpm.tpm_engine_ref = NULL;
|
|
||||||
+ EVP_PKEY_free(global.tpm.tpm_key);
|
|
||||||
+ global.tpm.tpm_key = NULL;
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct proxy *curproxy, char **sni_filter, int fcount, char **err)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -1127,26 +1202,54 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
|
|
||||||
- memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
|
|
||||||
- err && *err ? *err : "", path);
|
|
||||||
- SSL_CTX_free(ctx);
|
|
||||||
- return 1;
|
|
||||||
+ /* NOTE (knasim-wrs): US93721: TPM support
|
|
||||||
+ * This SSL context applies to SSL frontends only.
|
|
||||||
+ * If the TPM option is set then the Private key
|
|
||||||
+ * is stored in TPM.
|
|
||||||
+ *
|
|
||||||
+ * Launch the OpenSSL TPM engine and load the TPM
|
|
||||||
+ * Private Key. The Public key will still be located
|
|
||||||
+ * at the provided path and needs to be loaded as
|
|
||||||
+ * per usual.
|
|
||||||
+ */
|
|
||||||
+ if (global.tpm.tpm_object) {
|
|
||||||
+ ret = ssl_sock_load_tpm_key(ctx, err);
|
|
||||||
+ if (ret > 0) {
|
|
||||||
+ /* tpm configuration failed */
|
|
||||||
+ SSL_CTX_free(ctx);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
|
|
||||||
- if (ret <= 0) {
|
|
||||||
- memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
|
|
||||||
- err && *err ? *err : "", path);
|
|
||||||
- if (ret < 0) /* serious error, must do that ourselves */
|
|
||||||
+ else { /* non TPM mode */
|
|
||||||
+ if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
|
|
||||||
+ memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
|
|
||||||
+ err && *err ? *err : "", path);
|
|
||||||
SSL_CTX_free(ctx);
|
|
||||||
- return 1;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (SSL_CTX_check_private_key(ctx) <= 0) {
|
|
||||||
- memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
|
|
||||||
- err && *err ? *err : "", path);
|
|
||||||
- return 1;
|
|
||||||
+ ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, sni_filter, fcount);
|
|
||||||
+ if (ret <= 0) {
|
|
||||||
+ memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
|
|
||||||
+ err && *err ? *err : "", path);
|
|
||||||
+ if (ret < 0) /* serious error, must do that ourselves */
|
|
||||||
+ SSL_CTX_free(ctx);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * only match the private key to the public key
|
|
||||||
+ * for non TPM mode. This op would never work for
|
|
||||||
+ * TPM since the private key has been wrapped, whereas
|
|
||||||
+ * the public key is still the original one.
|
|
||||||
+ */
|
|
||||||
+ if (!global.tpm.tpm_object) {
|
|
||||||
+ if (SSL_CTX_check_private_key(ctx) <= 0) {
|
|
||||||
+ memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
|
|
||||||
+ err && *err ? *err : "", path);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* we must not free the SSL_CTX anymore below, since it's already in
|
|
||||||
@@ -1725,6 +1828,18 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
|
|
||||||
cfgerr++;
|
|
||||||
return cfgerr;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* NOTE (knasim-wrs): US93721: TPM support
|
|
||||||
+ * This SSL context applies to SSL backends only.
|
|
||||||
+ * Since Titanium backends don't support SSL, there
|
|
||||||
+ * is no need to offload these keys in TPM or reuse the
|
|
||||||
+ * same TPM key for the frontend engine.
|
|
||||||
+ *
|
|
||||||
+ * If SSL backends are to be supported in the future,
|
|
||||||
+ * over TPM, then create a new TPM Engine context and
|
|
||||||
+ * load the backend key in TPM, in a similar fashion to
|
|
||||||
+ * the frontend key.
|
|
||||||
+ */
|
|
||||||
if (srv->ssl_ctx.client_crt) {
|
|
||||||
if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
|
|
||||||
Alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
|
@ -1,80 +0,0 @@
|
||||||
# this config needs haproxy-1.1.28 or haproxy-1.2.1
|
|
||||||
|
|
||||||
global
|
|
||||||
log 127.0.0.1 local0
|
|
||||||
log 127.0.0.1 local1 notice
|
|
||||||
#log loghost local0 info
|
|
||||||
maxconn 4096
|
|
||||||
chroot /usr/share/haproxy
|
|
||||||
uid 99
|
|
||||||
gid 99
|
|
||||||
daemon
|
|
||||||
#debug
|
|
||||||
#quiet
|
|
||||||
|
|
||||||
defaults
|
|
||||||
log global
|
|
||||||
mode http
|
|
||||||
option httplog
|
|
||||||
option dontlognull
|
|
||||||
retries 3
|
|
||||||
option redispatch
|
|
||||||
maxconn 2000
|
|
||||||
timeout connect 5000
|
|
||||||
timeout client 50000
|
|
||||||
timeout server 50000
|
|
||||||
|
|
||||||
listen appli1-rewrite 0.0.0.0:10001
|
|
||||||
cookie SERVERID rewrite
|
|
||||||
balance roundrobin
|
|
||||||
server app1_1 192.168.34.23:8080 cookie app1inst1 check inter 2000 rise 2 fall 5
|
|
||||||
server app1_2 192.168.34.32:8080 cookie app1inst2 check inter 2000 rise 2 fall 5
|
|
||||||
server app1_3 192.168.34.27:8080 cookie app1inst3 check inter 2000 rise 2 fall 5
|
|
||||||
server app1_4 192.168.34.42:8080 cookie app1inst4 check inter 2000 rise 2 fall 5
|
|
||||||
|
|
||||||
listen appli2-insert 0.0.0.0:10002
|
|
||||||
option httpchk
|
|
||||||
balance roundrobin
|
|
||||||
cookie SERVERID insert indirect nocache
|
|
||||||
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
|
|
||||||
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
|
|
||||||
capture cookie vgnvisitor= len 32
|
|
||||||
|
|
||||||
option httpclose # disable keep-alive
|
|
||||||
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
|
|
||||||
|
|
||||||
listen appli3-relais 0.0.0.0:10003
|
|
||||||
dispatch 192.168.135.17:80
|
|
||||||
|
|
||||||
listen appli4-backup 0.0.0.0:10004
|
|
||||||
option httpchk /index.html
|
|
||||||
option persist
|
|
||||||
balance roundrobin
|
|
||||||
server inst1 192.168.114.56:80 check inter 2000 fall 3
|
|
||||||
server inst2 192.168.114.56:81 check inter 2000 fall 3 backup
|
|
||||||
|
|
||||||
listen ssl-relay 0.0.0.0:8443
|
|
||||||
option ssl-hello-chk
|
|
||||||
balance source
|
|
||||||
server inst1 192.168.110.56:443 check inter 2000 fall 3
|
|
||||||
server inst2 192.168.110.57:443 check inter 2000 fall 3
|
|
||||||
server back1 192.168.120.58:443 backup
|
|
||||||
|
|
||||||
listen appli5-backup 0.0.0.0:10005
|
|
||||||
option httpchk *
|
|
||||||
balance roundrobin
|
|
||||||
cookie SERVERID insert indirect nocache
|
|
||||||
server inst1 192.168.114.56:80 cookie server01 check inter 2000 fall 3
|
|
||||||
server inst2 192.168.114.56:81 cookie server02 check inter 2000 fall 3
|
|
||||||
server inst3 192.168.114.57:80 backup check inter 2000 fall 3
|
|
||||||
capture cookie ASPSESSION len 32
|
|
||||||
timeout server 20000
|
|
||||||
|
|
||||||
option httpclose # disable keep-alive
|
|
||||||
option checkcache # block response if set-cookie & cacheable
|
|
||||||
|
|
||||||
rspidel ^Set-cookie:\ IP= # do not let this cookie tell our internal IP address
|
|
||||||
|
|
||||||
errorloc 502 http://192.168.114.58/error502.html
|
|
||||||
errorfile 503 /etc/haproxy/errors/503.http
|
|
||||||
|
|
|
@ -1,120 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: HA-Proxy
|
|
||||||
# Required-Start: networking
|
|
||||||
# Required-Stop: networking
|
|
||||||
# Default-Start: 2 3 4 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Short-Description: HA-Proxy TCP/HTTP reverse proxy
|
|
||||||
# Description: HA-Proxy is a TCP/HTTP reverse proxy
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
|
||||||
DAEMON=/usr/sbin/haproxy
|
|
||||||
NAME=haproxy
|
|
||||||
DESC="HA-Proxy TCP/HTTP reverse proxy"
|
|
||||||
PIDFILE="/var/run/$NAME.pid"
|
|
||||||
TPM_DATA_DIR="/var/run/TPM_haproxy/"
|
|
||||||
OPTS="-D -f /etc/haproxy/haproxy.cfg -p $PIDFILE"
|
|
||||||
RETVAL=0
|
|
||||||
|
|
||||||
# This is only needed till TPM In-Kernel
|
|
||||||
# ResourceMgr comes in
|
|
||||||
remove_TPM_transients () {
|
|
||||||
_HANDLES=`find $TPM_DATA_DIR -type f -name "hp*.bin" -printf "%f "`
|
|
||||||
for handle in $_HANDLES; do
|
|
||||||
handle_addr=`echo $handle | sed 's/hp\([0-9]*\)\.bin/\1/g'`
|
|
||||||
tss2_flushcontext -ha $handle_addr &> /dev/null
|
|
||||||
done
|
|
||||||
rm -f $TPM_DATA_DIR/*
|
|
||||||
}
|
|
||||||
|
|
||||||
start() {
|
|
||||||
if [ -e $PIDFILE ]; then
|
|
||||||
PIDDIR=/proc/$(cat $PIDFILE)
|
|
||||||
if [ -d $PIDDIR ]; then
|
|
||||||
echo "$DESC already running."
|
|
||||||
return
|
|
||||||
else
|
|
||||||
echo "Removing stale PID file $PIDFILE"
|
|
||||||
rm -f $PIDFILE
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# TODO: This is a temporary workaround till
|
|
||||||
# we eventually add a resource manager for TPM
|
|
||||||
mkdir -p $TPM_DATA_DIR
|
|
||||||
|
|
||||||
echo -n "Starting $NAME: "
|
|
||||||
|
|
||||||
TPM_DATA_DIR=$TPM_DATA_DIR start-stop-daemon --start --pidfile $PIDFILE -x "$DAEMON" -- $OPTS
|
|
||||||
RETVAL=$?
|
|
||||||
if [ $RETVAL -eq 0 ]; then
|
|
||||||
echo "done."
|
|
||||||
else
|
|
||||||
remove_TPM_transients
|
|
||||||
echo "failed."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
stop() {
|
|
||||||
if [ ! -e $PIDFILE ]; then return; fi
|
|
||||||
|
|
||||||
echo -n "Stopping $DESC..."
|
|
||||||
|
|
||||||
start-stop-daemon --stop --quiet --retry 3 --oknodo --pidfile $PIDFILE -x "$DAEMON"
|
|
||||||
if [ -n "`pidof $DAEMON`" ] ; then
|
|
||||||
pkill -KILL -f $DAEMON
|
|
||||||
fi
|
|
||||||
echo "done."
|
|
||||||
rm -f $PIDFILE
|
|
||||||
rm -f /var/lock/subsys/$NAME
|
|
||||||
remove_TPM_transients
|
|
||||||
}
|
|
||||||
|
|
||||||
status()
|
|
||||||
{
|
|
||||||
pid=`cat $PIDFILE 2>/dev/null`
|
|
||||||
if [ -n "$pid" ]; then
|
|
||||||
if ps -p $pid &>/dev/null ; then
|
|
||||||
echo "$DESC is running"
|
|
||||||
RETVAL=0
|
|
||||||
return
|
|
||||||
else
|
|
||||||
RETVAL=1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
echo "$DESC is not running"
|
|
||||||
RETVAL=1
|
|
||||||
}
|
|
||||||
|
|
||||||
check() {
|
|
||||||
/usr/sbin/$NAME -c -q -V -f /etc/$NAME/$NAME.cfg
|
|
||||||
}
|
|
||||||
|
|
||||||
# See how we were called.
|
|
||||||
case "$1" in
|
|
||||||
start)
|
|
||||||
start
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
stop
|
|
||||||
;;
|
|
||||||
restart|force-reload|reload)
|
|
||||||
stop
|
|
||||||
start
|
|
||||||
;;
|
|
||||||
status)
|
|
||||||
status
|
|
||||||
;;
|
|
||||||
check)
|
|
||||||
check
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Usage: $0 {start|stop|force-reload|restart|reload|status|check}"
|
|
||||||
RETVAL=1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit $RETVAL
|
|