WIP UPDATE net/haproxy 3.0.0
On Thu, May 30, 2024 at 08:48:29PM GMT, Theo Buehler wrote:
> Does this still happen if you apply this on top (which will be a noop
> once we bump the libressl version to 4.0)?
>
> Index: include/haproxy/quic_tls.h
> --- include/haproxy/quic_tls.h.orig
> +++ include/haproxy/quic_tls.h
> @@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP
> return EVP_aes_128_gcm();
> case TLS1_3_CK_AES_256_GCM_SHA384:
> return EVP_aes_256_gcm();
> -#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x4000000fL)
> +#if !defined(OPENSSL_IS_AWSLC)
> /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2
> * included, but the fix is already identified and will be merged
> * into next major version. Given that on machines without AES-NI
>
Indeed, this gets HTTP/3 rolling. (Took quite some time testing because
I don't understand how desktop browsers do HTTP/3. I'm pretty sure I still
don't, but hey--my Grafana now loads over HTTP/3... *sometimes*).
Thanks for the prompt reply, Theo!
Diff updated with this patch. Better / correct patch comment suggestions
are more than welcome.
diff 74dcff6cd6dd2e62a28d3ab1da574df080129e8e 0b0ecc870da4ee36832bc2fff07632a8d7861299
commit - 74dcff6cd6dd2e62a28d3ab1da574df080129e8e
commit + 0b0ecc870da4ee36832bc2fff07632a8d7861299
blob - b5cddc3eeab11bb6bf999bb5911687342fb8b1e4
blob + 4b2fc6d50a696cd7f95e51c2ced4bdc76533d65a
--- net/haproxy/Makefile
+++ net/haproxy/Makefile
@@ -1,6 +1,6 @@
COMMENT = reliable, high performance TCP/HTTP load balancer
-DISTNAME = haproxy-2.8.9
+DISTNAME = haproxy-3.0.0
CATEGORIES = net www
HOMEPAGE = https://www.haproxy.org/
MAINTAINER = Daniel Jakots <obsd@chown.me>
@@ -12,19 +12,12 @@ WANTLIB += c crypto pcre2-8 pcre2-posix pthread ssl z
DEBUG_PACKAGES = ${BUILD_PACKAGES}
-SITES = ${HOMEPAGE}/download/2.8/src/
+SITES = ${HOMEPAGE}/download/3.0/src/
-HAPROXYCONF = ${SYSCONFDIR}/haproxy
-HAPROXYSTATE = /var/haproxy
-HAPROXYUID = 604
-HAPROXYGID = 604
-SUBST_VARS = HAPROXYCONF HAPROXYSTATE \
- HAPROXYUID HAPROXYGID
-
USE_GMAKE = Yes
MAKE_FLAGS += CPU_CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}"
MAKE_FLAGS += CC="${CC}" LD="${CC}" TARGET="openbsd"
-MAKE_FLAGS += USE_OPENSSL=1 USE_PCRE2=1 USE_QUIC=1 USE_ZLIB=1 V=1
+MAKE_FLAGS += USE_OPENSSL=1 USE_PCRE2=1 USE_PROMEX=1 USE_QUIC=1 USE_ZLIB=1 V=1
MAKE_FLAGS += USE_LIBATOMIC=
FAKE_FLAGS += DOCDIR="${PREFIX}/share/doc/haproxy"
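Review bot: `USE_PROMEX=1` is added to `MAKE_FLAGS` without a comment, and it changes what the package ships beyond the version bump: the Prometheus exporter is now compiled into the binary. As far as I know the exporter only answers once a configuration routes requests to it, so the default install should be unaffected, but its output describes frontends, backends and servers and belongs behind a restricted listener. A line above the flag such as `# USE_PROMEX: build the Prometheus exporter; it is only served when a config enables it` would record the intent. The same hunk drops `HAPROXYCONF`, `HAPROXYSTATE`, `HAPROXYUID` and `HAPROXYGID` from `SUBST_VARS`, so any file outside this diff that still uses them would be installed with the unexpanded `${...}` text; a grep of the port directory is worth doing.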
blob - f9c70c08d84f0653a75d3a3d505c893f4b840e9c
blob + a1b3a2860f26f5acca317db26709004389ab6e51
--- net/haproxy/distinfo
+++ net/haproxy/distinfo
@@ -1,2 +1,2 @@
-SHA256 (haproxy-2.8.9.tar.gz) = eoIUePNvhHYH9RpR6A9PiQw3r0gR1gQ45/Y3g/Z1kv8=
-SIZE (haproxy-2.8.9.tar.gz) = 4383096
+SHA256 (haproxy-3.0.0.tar.gz) = Wq2XQWIW0s2d0hLrZ0g5xAzTh/YPvEsT1+o/HlZkqBQ=
+SIZE (haproxy-3.0.0.tar.gz) = 4677659
blob - a43fe95d947d035d59d2a49a4d8fbc888a10bc4d
blob + 99030a2bb355b7a75851937ff393f07179241d9b
--- net/haproxy/files/haproxy.cfg
+++ net/haproxy/files/haproxy.cfg
@@ -2,8 +2,8 @@ global
log 127.0.0.1 local0 debug
maxconn 1024
chroot /var/haproxy
- uid 604
- gid 604
+ user _haproxy
+ group _haproxy
daemon
pidfile /var/run/haproxy.pid
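Review bot: `chroot /var/haproxy` stays a literal path here, while the PLIST hunks in this commit now create that directory as `${LOCALSTATEDIR}/haproxy` (the `@newuser` home and the `@sample` entry), so the chroot target and the packaged directory match only when LOCALSTATEDIR is `/var`. If this sample file is not run through variable substitution (not visible in the diff), a comment above the line, e.g. `# must be the directory the package creates for _haproxy`, would keep the two from drifting apart. The switch to `user _haproxy` / `group _haproxy` also makes the privilege drop depend on the account created in PLIST, where 604 is now written out literally in `@newgroup` and `@newuser`. The `global` section continues outside the hunk.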
blob - /dev/null
blob + 248415d196379cd4cd6dfb260f12422c8a2aa45b (mode 644)
--- /dev/null
+++ net/haproxy/patches/patch-include_haproxy_quic_tls_h
@@ -0,0 +1,17 @@
+-current works correctly with in-place ChaCha20-Poly1305. Without this,
+some clients may receive ChaCha20-Poly1305 in the handshake but won't
+be able to use it: at least curl returns "Weird server reply". To be
+dropped after LibreSSL 4.
+
+Index: include/haproxy/quic_tls.h
+--- include/haproxy/quic_tls.h.orig
++++ include/haproxy/quic_tls.h
+@@ -140,7 +140,7 @@ static inline const EVP_CIPHER *tls_aead(const SSL_CIP
+ return EVP_aes_128_gcm();
+ case TLS1_3_CK_AES_256_GCM_SHA384:
+ return EVP_aes_256_gcm();
+-#if !defined(OPENSSL_IS_AWSLC) && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x4000000fL)
++#if !defined(OPENSSL_IS_AWSLC)
+ /* WT: LibreSSL has an issue with CHACHA20 running in-place till 3.9.2
+ * included, but the fix is already identified and will be merged
+ * into next major version. Given that on machines without AES-NI
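Review bot: The patch comment gives the symptom but not the condition that makes the change safe. With the `LIBRESSL_VERSION_NUMBER` test removed from the `#if`, the guarded ChaCha20 code in `tls_aead()` is compiled for every LibreSSL, so correctness depends on the library already carrying the in-place fix that the upstream comment says is missing up to and including 3.9.2. I would state that in the header, for example `Requires the LibreSSL in-place ChaCha20-Poly1305 fix (present in -current, absent in 3.9.2); do not build against an older libssl.` The removal note could also be tied to the upstream version check becoming true instead of the looser "after LibreSSL 4". The same hunk is quoted earlier in the message, and the body of `tls_aead()` continues outside it.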
blob - 16e125964bb7859239dcd70c42d51055fa8d313e
blob + 80afa917bba6891b62364c489a3583bd15a841e4
--- net/haproxy/pkg/PLIST
+++ net/haproxy/pkg/PLIST
@@ -1,10 +1,10 @@
-@newgroup _haproxy:${HAPROXYGID}
-@newuser _haproxy:${HAPROXYUID}:_haproxy::HAProxy Daemon:/var/haproxy:/sbin/nologin
+@newgroup _haproxy:604
+@newuser _haproxy:604:_haproxy::HAProxy Daemon:${LOCALSTATEDIR}/haproxy:/sbin/nologin
@rcscript ${RCDIR}/haproxy
@man man/man1/haproxy.1
@bin sbin/haproxy
-@sample ${HAPROXYCONF}/
-@sample ${HAPROXYSTATE}/
+@sample ${SYSCONFDIR}/haproxy/
+@sample ${LOCALSTATEDIR}/haproxy/
share/doc/haproxy/
share/doc/haproxy/51Degrees-device-detection.txt
share/doc/haproxy/DeviceAtlas-device-detection.txt
@@ -29,7 +29,7 @@ share/examples/haproxy/
share/examples/haproxy/basic-config-edge.cfg
share/examples/haproxy/content-sw-sample.cfg
share/examples/haproxy/haproxy.cfg
-@sample ${HAPROXYCONF}/haproxy.cfg
+@sample ${SYSCONFDIR}/haproxy/haproxy.cfg
share/examples/haproxy/option-http_proxy.cfg
share/examples/haproxy/quick-test.cfg
share/examples/haproxy/socks4.cfg
blob - a12dbcca94f88c66db215d8691031ece620e5dfb
blob + 7552730c88bf774e6cf73e3503887d62b69f5fea
--- net/haproxy/pkg/haproxy.rc
+++ net/haproxy/pkg/haproxy.rc
@@ -1,7 +1,7 @@
#!/bin/ksh
daemon="${TRUEPREFIX}/sbin/haproxy"
-daemon_flags="-f ${HAPROXYCONF}/haproxy.cfg"
+daemon_flags="-f ${SYSCONFDIR}/haproxy/haproxy.cfg"
. /etc/rc.d/rc.subr
WIP UPDATE net/haproxy 3.0.0