authorAlexey Dokuchaev <danfe@FreeBSD.org>2019-03-30 15:47:42 +0000
committerAlexey Dokuchaev <danfe@FreeBSD.org>2019-03-30 15:47:42 +0000
commitc7369f228e3ff9eeebd6198e7f1c119a6528e57b (patch)
tree53e4407f3cb9e45288d6597d604ac30a71bc1eea /www
parent11fc921520053896afd2204cd442959580028955 (diff)
downloadports-c7369f228e3ff9eeebd6198e7f1c119a6528e57b.tar.gz
ports-c7369f228e3ff9eeebd6198e7f1c119a6528e57b.zip
Notes
Diffstat (limited to 'www')
-rw-r--r--www/pound/Makefile37
-rw-r--r--www/pound/distinfo5
-rw-r--r--www/pound/files/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch39
-rw-r--r--www/pound/files/0002-add-support-openssl1.1-dhparam.patch54
-rw-r--r--www/pound/files/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch323
-rw-r--r--www/pound/files/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch41
-rw-r--r--www/pound/files/patch-Makefile.in18
-rw-r--r--www/pound/files/patch-svc.c29
-rw-r--r--www/pound/files/pound-2.8-fallback_scsv.diff12
-rw-r--r--www/pound/files/pound-2.8-websocket.diff328
-rw-r--r--www/pound/files/pound.cfg.in50
11 files changed, 917 insertions, 19 deletions
diff --git a/www/pound/Makefile b/www/pound/Makefile
index b05852296082..17f0ed70420d 100644
--- a/www/pound/Makefile
+++ b/www/pound/Makefile
@@ -2,15 +2,22 @@
# $FreeBSD$
PORTNAME= pound
-PORTVERSION= 2.7
-PORTREVISION= 1
+PORTVERSION= 2.8
CATEGORIES= www net
MASTER_SITES= http://www.apsis.ch/pound/ \
ftp://ftp.nuug.no/pub/anders/distfiles/
DISTNAME= Pound-${PORTVERSION}
-MAINTAINER= ports@FreeBSD.org
-COMMENT= Reverse proxy, load balancer and HTTP(S) frontend for web servers
+EXTRA_PATCHES= \
+ ${FILESDIR}/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch:-p1 \
+ ${FILESDIR}/0002-add-support-openssl1.1-dhparam.patch:-p1 \
+ ${FILESDIR}/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch:-p1 \
+ ${FILESDIR}/pound-2.8-websocket.diff:-p1 \
+ ${FILESDIR}/pound-2.8-fallback_scsv.diff:-p0 \
+ ${FILESDIR}/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch:-p1
+
+MAINTAINER= zeus@gnu.org.ua
+COMMENT= HTTP/HTTPS reverse-proxy and load-balancer
LICENSE= GPLv3
LICENSE_FILE= ${WRKSRC}/GPL.txt
@@ -20,9 +27,11 @@ GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-tcmalloc --disable-hoard
USE_RC_SUBR= ${PORTNAME}
+SUB_FILES= ${PORTNAME}.cfg
SUB_LIST= NAME=${PORTNAME}
-PLIST_FILES= sbin/pound \
+PLIST_FILES= @sample\ etc/pound.cfg.sample \
+ sbin/pound \
sbin/poundctl \
man/man8/pound.8.gz \
man/man8/poundctl.8.gz
@@ -31,21 +40,15 @@ PORTDOCS= README FAQ CHANGELOG
OPTIONS_DEFINE= DOCS PCRE
OPTIONS_DEFAULT=PCRE
+PCRE_LIB_DEPENDS= libpcre.so:devel/pcre
+PCRE_USES= localbase
PCRE_CONFIGURE_ENABLE= pcreposix
-.include <bsd.port.options.mk>
-
-.if ${PORT_OPTIONS:MPCRE}
-LIB_DEPENDS+= libpcre.so:devel/pcre
-CPPFLAGS+= -I${LOCALBASE}/include
-LDFLAGS+= -L${LOCALBASE}/lib
-.endif
+post-install:
+ ${INSTALL_DATA} ${WRKDIR}/${PORTNAME}.cfg \
+ ${STAGEDIR}${PREFIX}/etc/${PORTNAME}.cfg.sample
-do-install:
- ${INSTALL_PROGRAM} ${WRKSRC}/pound ${WRKSRC}/poundctl \
- ${STAGEDIR}${PREFIX}/sbin
- ${INSTALL_MAN} ${WRKSRC}/pound.8 ${WRKSRC}/poundctl.8 \
- ${STAGEDIR}${MANPREFIX}/man/man8
+post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}
cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
diff --git a/www/pound/distinfo b/www/pound/distinfo
index 4aac787ad291..e7daeb0f36e7 100644
--- a/www/pound/distinfo
+++ b/www/pound/distinfo
@@ -1,2 +1,3 @@
-SHA256 (Pound-2.7.tgz) = cdfbf5a7e8dc8fbbe0d6c1e83cd3bd3f2472160aac65684bb01ef661c626a8e4
-SIZE (Pound-2.7.tgz) = 186887
+TIMESTAMP = 1526033851
+SHA256 (Pound-2.8.tgz) = a7fd8690de0fd390615e79fd0f4bfd56a544b8ef97dd6659c07ecd3207480c25
+SIZE (Pound-2.8.tgz) = 186124
diff --git a/www/pound/files/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch b/www/pound/files/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch
new file mode 100644
index 000000000000..cb2b880c2cf5
--- /dev/null
+++ b/www/pound/files/0001-Add-MKCALENDAR-to-xHTTP-2-and-above.patch
@@ -0,0 +1,39 @@
+From: Brett Parker <iDunno@sommitrealweird.co.uk>
+Date: Sat, 30 Jul 2016 21:47:14 +0100
+Subject: Add MKCALENDAR to xHTTP 2 and above
+
+---
+ config.c | 6 +++---
+ pound.8 | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/config.c b/config.c
+index de1e163..68e2d2f 100644
+--- a/config.c
++++ b/config.c
+@@ -87,9 +87,9 @@ static regmatch_t matches[5];
+ static char *xhttp[] = {
+ "^(GET|POST|HEAD) ([^ ]+) HTTP/1.[01]$",
+ "^(GET|POST|HEAD|PUT|PATCH|DELETE) ([^ ]+) HTTP/1.[01]$",
+- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT) ([^ ]+) HTTP/1.[01]$",
+- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT) ([^ ]+) HTTP/1.[01]$",
+- "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT|RPC_IN_DATA|RPC_OUT_DATA) ([^ ]+) HTTP/1.[01]$",
++ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR) ([^ ]+) HTTP/1.[01]$",
++ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT) ([^ ]+) HTTP/1.[01]$",
++ "^(GET|POST|HEAD|PUT|PATCH|DELETE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL|MOVE|COPY|OPTIONS|TRACE|MKACTIVITY|CHECKOUT|MERGE|REPORT|MKCALENDAR|SUBSCRIBE|UNSUBSCRIBE|BPROPPATCH|POLL|BMOVE|BCOPY|BDELETE|BPROPFIND|NOTIFY|CONNECT|RPC_IN_DATA|RPC_OUT_DATA) ([^ ]+) HTTP/1.[01]$",
+ };
+
+ static int log_level = 1;
+diff --git a/pound.8 b/pound.8
+index ceddf48..235d829 100644
+--- a/pound.8
++++ b/pound.8
+@@ -368,7 +368,7 @@ additionally allow extended HTTP requests (PUT, PATCH, DELETE).
+ .I 2
+ additionally allow standard WebDAV verbs (LOCK, UNLOCK, PROPFIND,
+ PROPPATCH, SEARCH, MKCOL, MOVE, COPY, OPTIONS, TRACE, MKACTIVITY,
+-CHECKOUT, MERGE, REPORT).
++CHECKOUT, MERGE, REPORT, MKCALENDAR).
+ .IP
+ .I 3
+ additionally allow MS extensions WebDAV verbs (SUBSCRIBE, UNSUBSCRIBE,
diff --git a/www/pound/files/0002-add-support-openssl1.1-dhparam.patch b/www/pound/files/0002-add-support-openssl1.1-dhparam.patch
new file mode 100644
index 000000000000..8edd3436dc34
--- /dev/null
+++ b/www/pound/files/0002-add-support-openssl1.1-dhparam.patch
@@ -0,0 +1,54 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Sun, 19 Feb 2017 14:34:38 +0100
+Subject: [PATCH] pound: Add support for openssl 1.1
+
+This patch adds support for "openssl dhparam -C" created header files where
+openssl binary itself is 1.1 but the code using the file is linked against
+1.0.2.
+This will not let the pound as compile against openssl 1.1.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ svc.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+--- a/svc.c
++++ b/svc.c
+@@ -1448,6 +1448,37 @@ do_RSAgen(void)
+ return;
+ }
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* If the fields p and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL. q may remain NULL.
++ */
++ if ((dh->p == NULL && p == NULL)
++ || (dh->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(dh->p);
++ dh->p = p;
++ }
++ if (q != NULL) {
++ BN_free(dh->q);
++ dh->q = q;
++ }
++ if (g != NULL) {
++ BN_free(dh->g);
++ dh->g = g;
++ }
++
++ if (q != NULL) {
++ dh->length = BN_num_bits(q);
++ }
++
++ return 1;
++}
++#endif
++
+ #include "dh512.h"
+
+ #if DH_LEN == 1024
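Review bot: The comment inside the `DH_set0_pqg` shim speaks of "the fields p and g in d" although the parameter is named `dh`, and it does not state the ownership rule the body implements. On success the function frees the old `dh->p`/`dh->q`/`dh->g` and stores the caller's pointers, so the caller must not free them afterwards; on the early `return 0` nothing is freed or stored. I would reword it to `/* If dh->p or dh->g is NULL the matching argument must be non-NULL; q may stay NULL. On success dh takes ownership of p, q and g. */`. The guard constant also lacks the `L` suffix that the other OpenSSL 1.1 patch in this commit uses (`0x10100000L`), which is harmless but inconsistent.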
diff --git a/www/pound/files/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch b/www/pound/files/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch
new file mode 100644
index 000000000000..ad85913e8ae4
--- /dev/null
+++ b/www/pound/files/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60.patch
@@ -0,0 +1,323 @@
+From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Wed, 28 Feb 2018 13:44:01 +0000
+Subject: [PATCH] Support for Openssl 1.1
+
+---
+ config.c | 17 +++++++--
+ http.c | 12 ++++++-
+ pound.h | 4 ++-
+ svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++----------
+ 5 files changed, 125 insertions(+), 24 deletions(-)
+ create mode 100644 .gitignore
+
+diff --git a/config.c b/config.c
+index d41a3ee..e8fec0f 100644
+--- a/config.c
++++ b/config.c
+@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
+ }
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define general_name_string(n) \
++ strndup(ASN1_STRING_get0_data(n->d.dNSName), \
++ ASN1_STRING_length(n->d.dNSName) + 1)
++#else
++# define general_name_string(n) \
++ strndup(ASN1_STRING_data(n->d.dNSName), \
++ ASN1_STRING_length(n->d.dNSName) + 1)
++#endif
++
+ unsigned char **
+ get_subjectaltnames(X509 *x509, unsigned int *count)
+ {
+@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
+ name = sk_GENERAL_NAME_pop(san_stack);
+ switch(name->type) {
+ case GEN_DNS:
+- temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
+- + 1);
++ temp[local_count] = general_name_string(name);
+ if(temp[local_count] == NULL)
+ conf_err("out of memory");
+ local_count++;
+@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
+ pthread_mutex_init(&res->mut, NULL);
+ if(svc_name)
+ strncpy(res->name, svc_name, KEY_SIZE);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
+ #else
+ if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
+diff --git a/http.c b/http.c
+index dd211e4..c8e756a 100644
+--- a/http.c
++++ b/http.c
+@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
+
+ /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define clear_error()
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
++# define clear_error() \
++ if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
++#else
++# define clear_error() \
++ if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
++#endif
++
+ #define clean_all() { \
+ if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
+ if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
+ if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
+ if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
+- if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
++ clear_error(); \
+ }
+
+ /*
+diff --git a/pound.h b/pound.h
+index fa22c36..9603b91 100644
+--- a/pound.h
++++ b/pound.h
+@@ -344,7 +344,9 @@ typedef struct _tn {
+ /* maximal session key size */
+ #define KEY_SIZE 127
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ DEFINE_LHASH_OF(TABNODE);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ DECLARE_LHASH_OF(TABNODE);
+ #endif
+
+diff --git a/svc.c b/svc.c
+index 60ba488..063b92c 100644
+--- a/svc.c
++++ b/svc.c
+@@ -27,10 +27,17 @@
+
+ #include "pound.h"
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
++# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
++#else
+ #ifndef LHASH_OF
+ #define LHASH_OF(x) LHASH
+ #define CHECKED_LHASH_OF(type, h) h
+ #endif
++# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
++# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
++#endif
+
+ /*
+ * Add a new key/content pair to a hash table
+@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
+ }
+ memcpy(t->content, content, cont_len);
+ t->last_acc = time(NULL);
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((old = lh_TABNODE_insert(tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
+ #else
+ if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
+@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
+ TABNODE t, *res;
+
+ t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
+ #else
+ if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
+@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
+ TABNODE t, *res;
+
+ t.key = key;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
+ #else
+ if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
+@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
+ TABNODE *res;
+
+ if(t->last_acc < a->lim)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
+ #else
+ if((res = lh_delete(a->tab, t)) != NULL) {
+@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
++#endif
++
+ /*
+ * Expire all old nodes
+ */
+@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
+
+ a.tab = tab;
+ a.lim = lim;
+- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ down_load = TABNODE_GET_DOWN_LOAD(tab);
++ TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
+ #else
+ lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
+ #endif
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
++ TABNODE_SET_DOWN_LOAD(tab, down_load);
+ return;
+ }
+
+@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
+ TABNODE *res;
+
+ if(memcmp(t->content, arg->content, arg->cont_len) == 0)
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
+ #else
+ if((res = lh_delete(arg->tab, t)) != NULL) {
+@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
+ a.tab = tab;
+ a.content = content;
+ a.cont_len = cont_len;
+- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++ down_load = TABNODE_GET_DOWN_LOAD(tab);
++ TABNODE_SET_DOWN_LOAD(tab, 0);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
+ #else
+ lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
+ #endif
+- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
+- return;
++ TABNODE_SET_DOWN_LOAD(tab, down_load);
+ }
+
+ /*
+@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
+ return res;
+ }
+
++static int
++generate_key(RSA **ret_rsa, unsigned long bits)
++{
++#if OPENSSL_VERSION_NUMBER > 0x00908000L
++ int rc = 0;
++ RSA *rsa;
++
++ rsa = RSA_new();
++ if (rsa) {
++ BIGNUM *bne = BN_new();
++ if (BN_set_word(bne, RSA_F4))
++ rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
++ BN_free(bne);
++ if (rc)
++ *ret_rsa = rsa;
++ else
++ RSA_free(rsa);
++ }
++ return rc;
++#else
++ *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
++ return *ret_rsa != NULL;
++#endif
++}
++
+ /*
+ * Periodically regenerate ephemeral RSA keys
+ * runs every T_RSA_KEYS seconds
+@@ -1274,8 +1323,9 @@ do_RSAgen(void)
+ RSA *t_RSA1024_keys[N_RSA_KEYS];
+
+ for(n = 0; n < N_RSA_KEYS; n++) {
+- t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
+- t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
++ /* FIXME: Error handling */
++ generate_key(&t_RSA512_keys[n], 512);
++ generate_key(&t_RSA1024_keys[n], 1024);
+ }
+ if(ret_val = pthread_mutex_lock(&RSA_mut))
+ logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
+@@ -1329,11 +1379,11 @@ init_timer(void)
+ * Pre-generate ephemeral RSA keys
+ */
+ for(n = 0; n < N_RSA_KEYS; n++) {
+- if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
++ if(!generate_key(&RSA512_keys[n], 512)) {
+ logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
+ return;
+ }
+- if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
++ if(!generate_key(&RSA1024_keys[n], 1024)) {
+ logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
+ return;
+ }
+@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
+ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
++#endif
++
+ /*
+ * write sessions to the control socket
+ */
+@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
+
+ a.control_sock = control_sock;
+ a.backends = backends;
+-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
++#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+ LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
+ #else
+ lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
+@@ -1664,6 +1720,13 @@ thr_control(void *arg)
+ }
+ }
+
++#ifndef SSL3_ST_SR_CLNT_HELLO_A
++# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
++#endif
++#ifndef SSL23_ST_SR_CLNT_HELLO_A
++# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
++#endif
++
+ void
+ SSLINFO_callback(const SSL *ssl, int where, int rc)
+ {
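Review bot: `generate_key()` leaves `*ret_rsa` untouched when it fails on the `OPENSSL_VERSION_NUMBER > 0x00908000L` path, and `do_RSAgen()` ignores the return value (the `FIXME: Error handling` lines). A failed generation therefore leaves `t_RSA512_keys[n]` / `t_RSA1024_keys[n]` as uninitialised stack pointers, whereas the replaced `RSA_generate_key()` call stored NULL. What happens to those arrays after the loop is outside the hunk, but they are presumably handed on under `RSA_mut`. Starting the function with `*ret_rsa = NULL;` restores the old contract. `BN_new()` is also unchecked before `BN_set_word()`; `if (bne && BN_set_word(bne, RSA_F4))` covers that, and `BN_free(NULL)` is a no-op.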
diff --git a/www/pound/files/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch b/www/pound/files/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch
new file mode 100644
index 000000000000..366c82e0270d
--- /dev/null
+++ b/www/pound/files/c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c.patch
@@ -0,0 +1,41 @@
+From c5a95780e2233a05ab3fb8b4eb8a9550f0c3b53c Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 19 Mar 2018 18:11:59 +0200
+Subject: [PATCH] Bugfix
+
+* http.c: Stop if BIO_read returns <= 0
+---
+ http.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/http.c b/http.c
+index 496a84e..c461489 100644
+--- a/http.c
++++ b/http.c
+@@ -142,7 +142,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
+ if(tmp != '\n') {
+ /* we have CR not followed by NL */
+ do {
+- if(BIO_read(in, &tmp, 1) < 0)
++ if(BIO_read(in, &tmp, 1) <= 0)
+ return 1;
+ } while(tmp != '\n');
+ return 1;
+@@ -169,7 +169,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
+
+ /* all other control characters cause an error */
+ do {
+- if(BIO_read(in, &tmp, 1) < 0)
++ if(BIO_read(in, &tmp, 1) <= 0)
+ return 1;
+ } while(tmp != '\n');
+ return 1;
+@@ -177,7 +177,7 @@ get_line(BIO *const in, char *const buf, const int bufsize)
+
+ /* line too long */
+ do {
+- if(BIO_read(in, &tmp, 1) < 0)
++ if(BIO_read(in, &tmp, 1) <= 0)
+ return 1;
+ } while(tmp != '\n');
+ return 1;
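Review bot: The three drain loops in `get_line()` changed here deserve a comment, because the reason for `<= 0` is not obvious from the code and the patch subject is only "Bugfix". With the old `< 0` test, a `BIO_read()` that returned 0 would presumably leave `tmp` unchanged, so `while(tmp != '\n')` kept spinning once the peer had closed the connection mid-line. Something like `/* 0 means EOF: stop, or tmp never changes and the drain loop never ends */` above each check would keep the condition from being "simplified" back later. `get_line()` begins and ends outside these hunks, so any other reads in it are not visible here.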
diff --git a/www/pound/files/patch-Makefile.in b/www/pound/files/patch-Makefile.in
new file mode 100644
index 000000000000..4a0fc420b138
--- /dev/null
+++ b/www/pound/files/patch-Makefile.in
@@ -0,0 +1,18 @@
+--- Makefile.in.orig 2018-05-11 10:16:05 UTC
++++ Makefile.in
+@@ -58,11 +58,11 @@ $(OBJS) poundctl.o: pound.h config.h
+
+ install: all
+ @INSTALL@ -d ${DESTDIR}@sbindir@
+- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 555 pound ${DESTDIR}@sbindir@/pound
+- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 555 poundctl ${DESTDIR}@sbindir@/poundctl
++ @INSTALL@ -p -m 755 pound ${DESTDIR}@sbindir@/pound
++ @INSTALL@ -p -m 755 poundctl ${DESTDIR}@sbindir@/poundctl
+ @INSTALL@ -d ${DESTDIR}@mandir@/man8
+- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 644 pound.8 ${DESTDIR}@mandir@/man8/pound.8
+- @INSTALL@ -o @I_OWNER@ -g @I_GRP@ -m 644 poundctl.8 ${DESTDIR}@mandir@/man8/poundctl.8
++ @INSTALL@ -p -m 644 pound.8 ${DESTDIR}@mandir@/man8/pound.8
++ @INSTALL@ -p -m 644 poundctl.8 ${DESTDIR}@mandir@/man8/poundctl.8
+
+ clean:
+ rm -f pound $(OBJS) poundctl poundctl.o
diff --git a/www/pound/files/patch-svc.c b/www/pound/files/patch-svc.c
new file mode 100644
index 000000000000..876e5fd9e640
--- /dev/null
+++ b/www/pound/files/patch-svc.c
@@ -0,0 +1,29 @@
+--- svc.c.orig 2018-05-11 10:16:05 UTC
++++ svc.c
+@@ -273,6 +273,7 @@ addr2str(char *const res, const int res_len, const str
+ char buf[MAXBUF];
+ int port;
+ void *src;
++ char *p = buf;
+
+ memset(res, 0, res_len);
+ #ifdef HAVE_INET_NTOP
+@@ -298,10 +299,15 @@ addr2str(char *const res, const int res_len, const str
+ port = 0;
+ break;
+ }
+- if(no_port)
+- snprintf(res, res_len, "%s", buf);
++ // Strip off the IPv6 prefix
++ if (strncmp(buf, "::ffff:", 7) == 0)
++ {
++ p = buf + 7;
++ }
++ if (no_port)
++ snprintf(res, res_len, "%s", p);
+ else
+- snprintf(res, res_len, "%s:%d", buf, port);
++ snprintf(res, res_len, "%s:%d", p, port);
+ #else
+ #error "Pound needs inet_ntop()"
+ #endif
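Review bot: The new comment `// Strip off the IPv6 prefix` is misleading: `::ffff:` is the IPv4-mapped prefix, and what remains after stripping is an IPv4 dotted quad. A mapped client and a native IPv4 client therefore become indistinguishable in whatever consumes `addr2str()` output. The check also sits after the `switch`, so it applies to whatever `buf` holds for every address family that reaches this point; the switch cases are outside the hunk. I would write the comment as `/* Report IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) as plain a.b.c.d */` and replace the literal 7 with `sizeof("::ffff:") - 1`.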
diff --git a/www/pound/files/pound-2.8-fallback_scsv.diff b/www/pound/files/pound-2.8-fallback_scsv.diff
new file mode 100644
index 000000000000..b3e27f66d0b9
--- /dev/null
+++ b/www/pound/files/pound-2.8-fallback_scsv.diff
@@ -0,0 +1,12 @@
+--- config.c.orig 2018-05-11 12:16:05.000000000 +0200
++++ config.c 2018-12-22 23:19:53.912203188 +0100
+@@ -347,9 +347,6 @@
+ SSL_CTX_set_app_data(res->ctx, res);
+ SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
+ SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
+-#ifdef SSL_MODE_SEND_FALLBACK_SCSV
+- SSL_CTX_set_mode(res->ctx, SSL_MODE_SEND_FALLBACK_SCSV);
+-#endif
+ SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
+ #ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION);
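Review bot: This patch file has no header saying why `SSL_MODE_SEND_FALLBACK_SCSV` is dropped, and removing a TLS downgrade-protection flag will look like a regression to the next person who reads it. OpenSSL documents that mode as something a client sets only when it retries a handshake with a lowered protocol version; setting it on every first attempt makes peers that support a newer version refuse the connection. The hunk header names no function, so whether `res->ctx` is a client-side (back-end) context is not visible here and should be stated in the preamble. A short header in the .diff giving that reason and a reference to the report that motivated it would do. If this is the back-end context, the `SSL_VERIFY_NONE` in the context lines means the back-end certificate is not checked, which is worth tracking separately.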
diff --git a/www/pound/files/pound-2.8-websocket.diff b/www/pound/files/pound-2.8-websocket.diff
new file mode 100644
index 000000000000..5d5ddfd537b1
--- /dev/null
+++ b/www/pound/files/pound-2.8-websocket.diff
@@ -0,0 +1,328 @@
+diff -Nur Pound-2.8.orig/config.c Pound-2.8/config.c
+--- Pound-2.8.orig/config.c 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/config.c 2018-07-30 14:10:01.693667854 +0200
+@@ -77,7 +77,7 @@
+ static regex_t ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client, CheckURL;
+ static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
+ static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
+-static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID;
++static regex_t Redirect, RedirectN, TimeOut, WSTimeOut, Session, Type, TTL, ID;
+ static regex_t ClientCert, AddHeader, DisableProto, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers;
+ static regex_t CAlist, VerifyList, CRLlist, NoHTTPS11, Grace, Include, ConnTO, IgnoreCase, HTTPS;
+ static regex_t Disabled, Threads, CNName, Anonymise, ECDHCurve;
+@@ -96,6 +96,7 @@
+ static int def_facility = LOG_DAEMON;
+ static int clnt_to = 10;
+ static int be_to = 15;
++static int ws_to = 600;
+ static int be_connto = 15;
+ static int ignore_case = 0;
+ #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+@@ -242,6 +243,7 @@
+ res->addr.ai_socktype = SOCK_STREAM;
+ res->to = is_emergency? 120: be_to;
+ res->conn_to = is_emergency? 120: be_connto;
++ res->ws_to = is_emergency? 120: ws_to;
+ res->alive = 1;
+ memset(&res->addr, 0, sizeof(res->addr));
+ res->priority = 5;
+@@ -292,6 +294,8 @@
+ res->priority = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&TimeOut, lin, 4, matches, 0)) {
+ res->to = atoi(lin + matches[1].rm_so);
++ } else if(!regexec(&WSTimeOut, lin, 4, matches, 0)) {
++ res->ws_to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&ConnTO, lin, 4, matches, 0)) {
+ res->conn_to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&HAport, lin, 4, matches, 0)) {
+@@ -1340,6 +1344,8 @@
+ alive_to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&TimeOut, lin, 4, matches, 0)) {
+ be_to = atoi(lin + matches[1].rm_so);
++ } else if(!regexec(&WSTimeOut, lin, 4, matches, 0)) {
++ ws_to = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&ConnTO, lin, 4, matches, 0)) {
+ be_connto = atoi(lin + matches[1].rm_so);
+ } else if(!regexec(&IgnoreCase, lin, 4, matches, 0)) {
+@@ -1467,6 +1473,7 @@
+ || regcomp(&Emergency, "^[ \t]*Emergency[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&Priority, "^[ \t]*Priority[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&TimeOut, "^[ \t]*TimeOut[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
++ || regcomp(&WSTimeOut, "^[ \t]*WSTimeOut[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&HAport, "^[ \t]*HAport[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&HAportAddr, "^[ \t]*HAport[ \t]+([^ \t]+)[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&Redirect, "^[ \t]*Redirect[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+@@ -1632,6 +1639,7 @@
+ regfree(&Emergency);
+ regfree(&Priority);
+ regfree(&TimeOut);
++ regfree(&WSTimeOut);
+ regfree(&HAport);
+ regfree(&HAportAddr);
+ regfree(&Redirect);
+diff -Nur Pound-2.8.orig/http.c Pound-2.8/http.c
+--- Pound-2.8.orig/http.c 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/http.c 2018-07-30 14:10:01.693667854 +0200
+@@ -541,7 +541,7 @@
+ void
+ do_http(thr_arg *arg)
+ {
+- int cl_11, be_11, res, chunked, n, sock, no_cont, skip, conn_closed, force_10, sock_proto, is_rpc;
++ int cl_11, be_11, res, chunked, n, sock, no_cont, skip, conn_closed, force_10, sock_proto, is_rpc, is_ws;
+ LISTENER *lstn;
+ SERVICE *svc;
+ BACKEND *backend, *cur_backend, *old_backend;
+@@ -662,6 +662,7 @@
+ for(cl_11 = be_11 = 0;;) {
+ res_bytes = L0;
+ is_rpc = -1;
++ is_ws = 0;
+ v_host[0] = referer[0] = u_agent[0] = u_name[0] = '\0';
+ conn_closed = 0;
+ for(n = 0; n < MAXHEADERS; n++)
+@@ -689,6 +690,8 @@
+ is_rpc = 1;
+ else if(!strncasecmp(request + matches[1].rm_so, "RPC_OUT_DATA", matches[1].rm_eo - matches[1].rm_so))
+ is_rpc = 0;
++ else if(!strncasecmp(request + matches[1].rm_so, "GET", matches[1].rm_eo - matches[1].rm_so))
++ is_ws |= 0x1;
+ } else {
+ addr2str(caddr, MAXBUF - 1, &from_host, 1);
+ logmsg(LOG_WARNING, "(%lx) e501 bad request \"%s\" from %s", pthread_self(), request, caddr);
+@@ -733,6 +736,13 @@
+ case HEADER_CONNECTION:
+ if(!strcasecmp("close", buf))
+ conn_closed = 1;
++ /* Connection: upgrade */
++ else if(!regexec(&CONN_UPGRD, buf, 0, NULL, 0))
++ is_ws |= 0x2;
++ break;
++ case HEADER_UPGRADE:
++ if(!strcasecmp("websocket", buf))
++ is_ws |= 0x4;
+ break;
+ case HEADER_TRANSFER_ENCODING:
+ if(!strcasecmp("chunked", buf))
+@@ -1402,12 +1412,21 @@
+ /* some response codes (1xx, 204, 304) have no content */
+ if(!no_cont && !regexec(&RESP_IGN, response, 0, NULL, 0))
+ no_cont = 1;
++ if(!strncasecmp("101", response + 9, 3))
++ is_ws |= 0x10;
+
+ for(chunked = 0, cont = -1L, n = 1; n < MAXHEADERS && headers[n]; n++) {
+ switch(check_header(headers[n], buf)) {
+ case HEADER_CONNECTION:
+ if(!strcasecmp("close", buf))
+ conn_closed = 1;
++ /* Connection: upgrade */
++ else if(!regexec(&CONN_UPGRD, buf, 0, NULL, 0))
++ is_ws |= 0x20;
++ break;
++ case HEADER_UPGRADE:
++ if(!strcasecmp("websocket", buf))
++ is_ws |= 0x40;
+ break;
+ case HEADER_TRANSFER_ENCODING:
+ if(!strcasecmp("chunked", buf)) {
+@@ -1571,6 +1590,114 @@
+ clean_all();
+ return;
+ }
++ } else if(is_ws == 0x77) {
++ /*
++ * special mode for Websockets - content until EOF
++ */
++ char one;
++ BIO *cl_unbuf;
++ BIO *be_unbuf;
++ struct pollfd p[2];
++
++ cl_11 = be_11 = 0;
++
++ memset(p, 0, sizeof(p));
++ BIO_get_fd(cl, &p[0].fd);
++ p[0].events = POLLIN | POLLPRI;
++ BIO_get_fd(be, &p[1].fd);
++ p[1].events = POLLIN | POLLPRI;
++
++ while (BIO_pending(cl) || BIO_pending(be) || poll(p, 2, cur_backend->ws_to * 1000) > 0) {
++
++ /*
++ * first read whatever is already in the input buffer
++ */
++ while(BIO_pending(cl)) {
++ if(BIO_read(cl, &one, 1) != 1) {
++ logmsg(LOG_NOTICE, "(%lx) error read ws request pending: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++ if(BIO_write(be, &one, 1) != 1) {
++ if(errno)
++ logmsg(LOG_NOTICE, "(%lx) error write ws request pending: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++ }
++ BIO_flush(be);
++
++ while(BIO_pending(be)) {
++ if(BIO_read(be, &one, 1) != 1) {
++ logmsg(LOG_NOTICE, "(%lx) error read ws response pending: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++ if(BIO_write(cl, &one, 1) != 1) {
++ if(errno)
++ logmsg(LOG_NOTICE, "(%lx) error write ws response pending: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++ res_bytes++;
++ }
++ BIO_flush(cl);
++
++ /*
++ * find the socket BIO in the chain
++ */
++ if ((cl_unbuf = BIO_find_type(cl, lstn->ctx? BIO_TYPE_SSL : BIO_TYPE_SOCKET)) == NULL) {
++ logmsg(LOG_WARNING, "(%lx) error get unbuffered: %s", pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++ if((be_unbuf = BIO_find_type(be, cur_backend->ctx? BIO_TYPE_SSL : BIO_TYPE_SOCKET)) == NULL) {
++ logmsg(LOG_WARNING, "(%lx) error get unbuffered: %s", pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ }
++
++ /*
++ * copy till EOF
++ */
++ if(p[0].revents) {
++ res = BIO_read(cl_unbuf, buf, MAXBUF);
++ if(res <= 0) {
++ break;
++ }
++ if(BIO_write(be, buf, res) != res) {
++ if(errno)
++ logmsg(LOG_NOTICE, "(%lx) error copy ws request body: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ } else {
++ BIO_flush(be);
++ }
++ p[0].revents = 0;
++ }
++ if(p[1].revents) {
++ res = BIO_read(be_unbuf, buf, MAXBUF);
++ if(res <= 0) {
++ break;
++ }
++ if(BIO_write(cl, buf, res) != res) {
++ if(errno)
++ logmsg(LOG_NOTICE, "(%lx) error copy ws response body: %s",
++ pthread_self(), strerror(errno));
++ clean_all();
++ return;
++ } else {
++ res_bytes += res;
++ BIO_flush(cl);
++ }
++ p[1].revents = 0;
++ }
++ }
+ }
+ }
+ end_req = cur_time();
+diff -Nur Pound-2.8.orig/pound.8 Pound-2.8/pound.8
+--- Pound-2.8.orig/pound.8 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/pound.8 2018-07-30 14:10:01.693667854 +0200
+@@ -289,6 +289,13 @@
+ .B TimeOut
+ value. This value can be overridden for specific back-ends.
+ .TP
++\fBWSTimeOut\fR value
++How long should
++.B Pound
++wait for data from either back-end or client in a connection upgraded to
++a WebSocket (in seconds). Default: 600 seconds.
++This value can be overridden for specific back-ends.
++.TP
+ \fBGrace\fR value
+ How long should
+ .B Pound
+@@ -762,6 +769,11 @@
+ .I ConnTO
+ value.
+ .TP
++\fBWSTimeOut\fR val
++Override the global
++.I WSTimeOut
++value.
++.TP
+ \fBHAport\fR [ address ] port
+ A port (and optional address) to be used for server function checks. See below
+ the "High Availability" section for a more detailed discussion. By default
+diff -Nur Pound-2.8.orig/pound.c Pound-2.8/pound.c
+--- Pound-2.8.orig/pound.c 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/pound.c 2018-07-30 14:10:01.693667854 +0200
+@@ -47,6 +47,7 @@
+ LISTENER *listeners; /* all available listeners */
+
+ regex_t HEADER, /* Allowed header */
++ CONN_UPGRD, /* upgrade in connection header */
+ CHUNK_HEAD, /* chunk header line */
+ RESP_SKIP, /* responses for which we skip response */
+ RESP_IGN, /* responses for which we ignore content */
+@@ -287,6 +288,7 @@
+
+ /* prepare regular expressions */
+ if(regcomp(&HEADER, "^([a-z0-9!#$%&'*+.^_`|~-]+):[ \t]*(.*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
++ || regcomp(&CONN_UPGRD, "(^|[ \t,])upgrade([ \t,]|$)", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&CHUNK_HEAD, "^([0-9a-f]+).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&RESP_SKIP, "^HTTP/1.1 100.*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&RESP_IGN, "^HTTP/1.[01] (10[1-9]|1[1-9][0-9]|204|30[456]).*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+diff -Nur Pound-2.8.orig/pound.h Pound-2.8/pound.h
+--- Pound-2.8.orig/pound.h 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/pound.h 2018-07-30 14:10:01.697667855 +0200
+@@ -276,6 +276,7 @@
+ control_sock; /* control socket */
+
+ extern regex_t HEADER, /* Allowed header */
++ CONN_UPGRD, /* upgrade in connection header */
+ CHUNK_HEAD, /* chunk header line */
+ RESP_SKIP, /* responses for which we skip response */
+ RESP_IGN, /* responses for which we ignore content */
+@@ -319,6 +320,7 @@
+ int priority; /* priority */
+ int to; /* read/write time-out */
+ int conn_to; /* connection time-out */
++ int ws_to; /* websocket time-out */
+ struct addrinfo ha_addr; /* HA address/port */
+ char *url; /* for redirectors */
+ int redir_req; /* the redirect should include the request path */
+@@ -440,6 +442,7 @@
+ #define HEADER_URI 9
+ #define HEADER_DESTINATION 10
+ #define HEADER_EXPECT 11
++#define HEADER_UPGRADE 13
+
+ /* control request stuff */
+ typedef enum {
+diff -Nur Pound-2.8.orig/svc.c Pound-2.8/svc.c
+--- Pound-2.8.orig/svc.c 2018-05-11 12:16:05.000000000 +0200
++++ Pound-2.8/svc.c 2018-07-30 14:10:01.697667855 +0200
+@@ -395,6 +395,7 @@
+ { "User-agent", 10, HEADER_USER_AGENT },
+ { "Destination", 11, HEADER_DESTINATION },
+ { "Expect", 6, HEADER_EXPECT },
++ { "Upgrade", 7, HEADER_UPGRADE },
+ { "", 0, HEADER_OTHER },
+ };
+ int i;
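Review bot: `poll(p, 2, cur_backend->ws_to * 1000)` in the new WebSocket branch of `do_http()` multiplies an unbounded `int`: the `WSTimeOut` regex accepts `[1-9][0-9]*` of any length and both assignments use `atoi()`. A value above `INT_MAX / 1000` overflows (undefined behaviour), and a negative result would make `poll()` wait with no timeout, silently disabling the idle limit on upgraded connections. Rejecting the value at parse time is enough, e.g. `if(res->ws_to > INT_MAX / 1000) conf_err("WSTimeOut too large");` after the back-end assignment, with the equivalent check on the global `ws_to`. Separately, `strncasecmp("101", response + 9, 3)` assumes the status line is at least nine bytes long; the validation of `response` is outside the hunk, so that should be confirmed. The error paths also log `strerror(errno)` after `BIO_read()` and `BIO_find_type()` failures, where `errno` may not describe the failure.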
diff --git a/www/pound/files/pound.cfg.in b/www/pound/files/pound.cfg.in
new file mode 100644
index 000000000000..445997ef6d8c
--- /dev/null
+++ b/www/pound/files/pound.cfg.in
@@ -0,0 +1,50 @@
+#User "pound"
+#Group "pound"
+RootJail "/var/empty/pound"
+Control "/var/run/pound/ctl_socket"
+
+# Main listening ports
+ListenHTTP
+ Address 0.0.0.0
+ Port 81
+ xHTTP 1
+End
+ListenHTTPS
+ Address 0.0.0.0
+ Port 444
+ Cert "%%PREFIX%%/share/certs/pound.pem"
+ Disable SSLv3
+ Ciphers "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW"
+ xHTTP 1
+End
+
+# Images server(s)
+Service
+ URL ".*.(jpg|gif)"
+ BackEnd
+ Address 127.0.0.1
+ Port 80
+ End
+End
+
+# Redirect all requests for /forbidden
+Service
+ Url "/forbidden.*"
+ Redirect "https://localhost/"
+End
+
+# Catch-all server(s)
+Service
+ BackEnd
+ Address 127.0.0.1
+ Port 80
+ End
+ BackEnd
+ Address 127.0.0.1
+ Port 80
+ End
+ Session
+ Type BASIC
+ TTL 300
+ End
+End
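Review bot: The sample ships with `#User "pound"` and `#Group "pound"` commented out, so a site that copies it unchanged configures no privilege drop while both listeners bind `0.0.0.0`. The Makefile hunks in this commit do not create a `pound` account or the `/var/empty/pound` and `/var/run/pound` directories that `RootJail` and `Control` name, so either the port should provide them or the sample should say they must exist. The `Ciphers` line is also permissive: `ALL` with only `!ADH:!EXPORT:!SSLv2` removed and an explicit `RC4+RSA` keeps RC4 and MEDIUM suites on offer; something like `Ciphers "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"` is a safer starting point for a sample. `URL ".*.(jpg|gif)"` has an unescaped dot before the extension group; `".*\.(jpg|gif)"` matches what the comment above it says.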