pax_global_header00006660000000000000000000000064146126342030014513gustar00rootroot0000000000000052 comment=b107d630371830d632a205431b2c0bc4c1e5d2fd graygnuorg-pound-7eec563/000077500000000000000000000000001461263420300154455ustar00rootroot00000000000000graygnuorg-pound-7eec563/.github/000077500000000000000000000000001461263420300170055ustar00rootroot00000000000000graygnuorg-pound-7eec563/.github/workflows/000077500000000000000000000000001461263420300210425ustar00rootroot00000000000000graygnuorg-pound-7eec563/.github/workflows/testsuite.yml000066400000000000000000000023321461263420300236160ustar00rootroot00000000000000name: testsuite on: push: branches: - "**" tags-ignore: - "*" pull_request: jobs: linux: runs-on: ubuntu-latest timeout-minutes: 10 strategy: fail-fast: false steps: - name: Dump GitHub context env: GITHUB_CONTEXT: ${{ toJson(github) }} run: echo "$GITHUB_CONTEXT" - uses: actions/checkout@v3 - name: Install System dependencies run: | sudo apt-get update sudo apt-get install -y libssl-dev libio-fdpass-perl libio-socket-ssl-perl libnet-ssleay-perl - name: Bootstrap run: ./bootstrap - name: Configure run: ./configure - name: Build run: make - name: Check run: | if ! 
make check; then for dir in tests/testsuite.dir/* do echo "Test $(basename $dir)" for file in testsuite.log xscript.log pound.log pound.cfi pound.cfg input do if test -f $dir/$file; then echo "File $file" echo "File $file"|sed -e 's/./=/g' cat $dir/$file fi done done false fi graygnuorg-pound-7eec563/.gitignore000066400000000000000000000004461461263420300174410ustar00rootroot00000000000000.dir-locals.el .gdbinit ChangeLog Makefile Makefile.in *.orig *.rej core config.h config.h.in config.log config.status stamp-h1 .emacs* *.o *~ *.bak configure config.guess config.h.in config.sub aclocal.m4 autom4te.cache .deps/ /build-aux *.tar.gz *.patch *.diff TAGS \#* /tmp INSTALL README graygnuorg-pound-7eec563/AUTHORS000066400000000000000000000002331461263420300165130ustar00rootroot00000000000000Authors of pound Original version of pound was written by Robert Segall. Sergey Poznyakoff is currently developing and maintaining pound. graygnuorg-pound-7eec563/COPYING000066400000000000000000001045131461263420300165040ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. 
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. 
If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. 
Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. 
However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. 
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. 
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. 
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . graygnuorg-pound-7eec563/ChangeLog.apsis000066400000000000000000000773611461263420300203530ustar00rootroot00000000000000------------------------------------------------------------------------ r83 | roseg | 2018-05-11 12:16:05 +0200 (Fri, 11 May 2018) | 9 lines Release 2.8 Enhancements: - removed DynScale flag and support - removed support for multi-line headers (both input and output) Bug fixes: - fixed potential request smuggling via fudged headers ------------------------------------------------------------------------ r82 | roseg | 2016-10-23 16:59:47 +0200 (Sun, 23 Oct 2016) | 8 lines Release 2.8a Enhancements: - removed DynScale flag and support Bug fixes: - fixed potential request smuggling via fudged headers ------------------------------------------------------------------------ r81 | roseg | 2015-01-26 17:47:53 +0100 (Mon, 26 Jan 2015) | 30 lines Release 2.7 Enhancements: - added support for larger DH keys + compile-time parameter for DH bits (workaround for OpenSSL limitation) - added support for elliptical curve encryption - added protocol version in X-SSL-cipher (Tom Fitzhenry) - added "Disable PROTO" directives (fix for Poodle vulnerability) - added Cert, Disable 
and Cipher directives for HTTPS back-ends. The directive HTTPS "cert" no longer supported. - added filtering of "Expect: 100-continue" headers - Add support for PATCH HTTP method - Anonymise configuration option - show last client address byte as 0 (based on an idea by Christian Doering) - SSLAllowClientRenegotiation (based on a patch from Joe Gooch) - SSLHonorCipherOrder (based on a patch from Joe Gooch) - Certificate alternate names support (based on a patch from Jonas Pasche) - poundctl shows the length of the request queue (based on a request from Leo) Bug fixes: - fixed lh_retrieve warning - fixed potential memory leak on client certificates - fixed alt names problem (Joe Gooch) - removed debugging messages - fixed address comparison for RewriteLocation (IPv4/IPv6 problem - Christopher Bartz) - re-patched the redirect patch (Frank Schmierler) - fixed RPC handling (Frank Schmierler) - sanitize URLs for redirection (prevent CSRF) - SSL disable empty fragments + SSL disable compression (CRIME attack prevention) - fixed bug in configuration of DISABLED directive - changed the log level from WARNING to NOTICE if the thread arg is NULL - fixed testing of gcc options ------------------------------------------------------------------------ r80 | roseg | 2014-12-29 11:47:54 +0100 (Mon, 29 Dec 2014) | 10 lines Release 2.7f Enhancements: - compile-time parameter for DH bits (workaround for OpenSSL limitation) Bug fixes: - allow '-' and '=' again in URLs (redirect) - fixed lh_retrieve warning - fixed "Disable" regex typo ------------------------------------------------------------------------ r79 | roseg | 2014-12-08 14:39:00 +0100 (Mon, 08 Dec 2014) | 12 lines Release 2.7e Enhancements: - added support for elliptical curve encryption - added support for larger DH keys - added protocol version in X-SSL-cipher (Tom Fitzhenry) Bug fixes: - fixed potential memory leak on client certificates - fixed alt names problem (Joe Gooch) - removed debugging messages 
------------------------------------------------------------------------ r78 | roseg | 2014-10-18 12:36:28 +0200 (Sat, 18 Oct 2014) | 10 lines Release 2.7d Enhancements: - added "Disable PROTO" directives (fix for Poodle vulnerability) - added Cert, Disable and Cipher directives for HTTPS back-ends. The directive HTTPS "cert" no longer supported. Bug fixes: - fixed address comparison for RewriteLocation (IPv4/IPv6 problem - Christopher Bartz) ------------------------------------------------------------------------ r77 | roseg | 2014-04-21 13:16:07 +0200 (Mon, 21 Apr 2014) | 9 lines Release 2.7c Enhancements: - added filtering of "Expect: 100-continue" headers Bug fixes: - re-patched the redirect patch (Frank Schmierler) - fixed RPC handling (Frank Schmierler) ------------------------------------------------------------------------ r76 | roseg | 2013-09-26 14:33:21 +0200 (Thu, 26 Sep 2013) | 12 lines Release 2.7b Enhancements: - Add support for PATCH HTTP method Bug fixes: - sanitize URLs for redirection (prevent CSRF) - SSL disable empty fragments - SSL disable compression (CRIME attack prevention) - fixed bug in configuration of DISABLED directive - changed the log level from WARNING to NOTICE if the thread arg is NULL ------------------------------------------------------------------------ r75 | roseg | 2012-04-09 15:37:26 +0200 (Mon, 09 Apr 2012) | 12 lines Release 2.7a Enhancements: - Anonymise configuration option - show last client address byte as 0 (based on an idea by Christian Doering) - SSLAllowClientRenegotiation (based on a patch from Joe Gooch) - SSLHonorCipherOrder (based on a patch from Joe Gooch) - Certificate alternate names support (based on a patch from Jonas Pasche) - poundctl shows the length of the request queue (based on a request from Leo) Bug fixes: - fixed testing of gcc options ------------------------------------------------------------------------ r74 | roseg | 2011-12-28 14:57:45 +0100 (Wed, 28 Dec 2011) | 10 lines Release 2.6 
Enhancements: - allow multiple AddHeader directives Bug fixes: - fixed memory leak in config/AddHeader - removed call to AC_FUNC_MALLOC for AIX compatability - workaround for AIX getaddrinfo() bug ------------------------------------------------------------------------ r73 | roseg | 2011-06-24 17:59:41 +0200 (Fri, 24 Jun 2011) | 7 lines Release 2.6f Enhancements: Bug fixes: - fixed memory leak in DH (patch by Edvin Torok via Patrizio Tassone) ------------------------------------------------------------------------ r72 | roseg | 2011-04-25 11:10:45 +0200 (Mon, 25 Apr 2011) | 8 lines Release 2.6e Enhancements: Bug fixes: - fixed problem in SNI certificate storage - changed long to long long for support of requests larger than 2GB ------------------------------------------------------------------------ r71 | roseg | 2011-04-11 15:59:05 +0200 (Mon, 11 Apr 2011) | 9 lines Release 2.6d Enhancements: - added parsing for certificate CN Bug fixes: - fixed problem in task enqueing - fixed small problem in Makefile ------------------------------------------------------------------------ r70 | roseg | 2010-12-27 17:54:18 +0100 (Mon, 27 Dec 2010) | 14 lines Release 2.6c Enhancements: - added support for OpenSSL 1.0 - added some more detailed error logging Bug fixes: - fix for RewriteLocation - fix for HTTPS back-ends - fix for RPC support - fix for possible request smuggling by using multiple headers Many thanks to Frank Schmirler and Ruben Kerkhof for the contributed patches ------------------------------------------------------------------------ r69 | roseg | 2010-09-25 16:49:49 +0200 (Sat, 25 Sep 2010) | 7 lines Release 2.6b Enhancements: - pre-defined number of threads for better performance on small hardware Bug fixes: ------------------------------------------------------------------------ r68 | roseg | 2010-06-23 19:18:39 +0200 (Wed, 23 Jun 2010) | 15 lines Release 2.6a Stable release 2.5.1 Enhancements: - support for SNI via multiple Cert directives (thanks to Joe 
Gooch) - translate hexadecimal characters in URL for pattern matching - added support for a "Disabled" directive in the configuration Bug fixes: - keep sessions for disabled back-ends, continue using them until the time-out - fixed memory leak in session removal - user IgnoreCase for CheckURL too - fixed some issues with OpenSolaris build (thanks to Spradling Cloyce) ------------------------------------------------------------------------ r67 | roseg | 2010-02-02 12:49:00 +0100 (Tue, 02 Feb 2010) | 9 lines Release 2.5 Enhancements: Bug fixes: - fixed XML format to avoid problems with brain-dead parsers - fixed Redirect to accept "/" as a path, so that "Redirect http://x/" is considered an absolute path, but "Redirect http://x" is not ------------------------------------------------------------------------ r66 | roseg | 2010-01-04 17:20:55 +0100 (Mon, 04 Jan 2010) | 7 lines Release 2.5e Enhancements: - added support for symbolic host names in poundctl Bug fixes: ------------------------------------------------------------------------ r65 | roseg | 2009-12-07 17:01:21 +0100 (Mon, 07 Dec 2009) | 9 lines Release 2.5d Enhancements: - added support for --disable-pcreposix, --disable--tcmalloc, --disable-hoard in configuration script Bug fixes: - fixed problem with long input lines in http.c - if libpcreposix is present, then pcreposix.h must also be present ------------------------------------------------------------------------ r64 | roseg | 2009-09-21 13:16:57 +0200 (Mon, 21 Sep 2009) | 8 lines Release 2.5c Enhancements: - added support for HTTPS backends Bug fixes: - fixed problem with sub-patterns in session parameters ------------------------------------------------------------------------ r63 | roseg | 2009-08-19 17:44:07 +0200 (Wed, 19 Aug 2009) | 10 lines Release 2.5b Enhancements: - support for ConnTO directive - support for IgnoreCase directive Bug fixes: - fixed problem in conf_fgets (\n confuses the regexp) - changed RSA ephemeral keys regeneration default 
time (every 30 minutes) ------------------------------------------------------------------------ r62 | roseg | 2009-08-06 17:23:30 +0200 (Thu, 06 Aug 2009) | 9 lines Release 2.5a Enhancements: - support for include directive Bug fixes: - fixed generation of ephemeral RSA keys (avoid premature locking) - added pre-generated DH parameters ------------------------------------------------------------------------ r61 | roseg | 2009-06-29 17:53:55 +0200 (Mon, 29 Jun 2009) | 13 lines Release 2.4.5 Stable release 2.4.5 Enhancements: - log back-end killed/disabled/enabled (thanks to Joe Gooch and Jon Garvin) - kill a BE on connection failure only if it has no HAport defined (thanks to Albert); the request may still fail! Bug fixes: - fixed parantheses problems in need_rewrite (thanks to SBR) - added call to free_headers in http.c (thanks to SBR) - fixed maximal path length in UNIX domain sockets (thanks to Ricardo Gameiro) ------------------------------------------------------------------------ r60 | roseg | 2009-01-14 17:39:52 +0100 (Wed, 14 Jan 2009) | 18 lines Release 2.4.4 Stable release 2.4.4 Enhancements: - added support for UNSUBSCRIBE and NOTIFY in xHTTP 3 and 4 - added support for BPROPFIND in xHTTP 4 - on SSL connections always pass the cipher used to the back-end (thanks to Magnus Sandin) Bug fixes: - save and restore errno value in cur_time() (thanks to Albert) - fixed problem in timer thread (thanks to Albert) - added shutdown for failed socket connection (thanks to Albert) - fixed problem with CC containing spaces in Makefile.in (thanks to Elan Ruusamäe) - increased MAXBUF to default 4096 - increased T_RSA default to 30 minutes - fixed a problem with Unix sockets back-ends (thanks to Ricardo Gameiro) ------------------------------------------------------------------------ r59 | roseg | 2008-05-31 12:25:41 +0200 (Sat, 31 May 2008) | 11 lines Release 2.4.3 Stable release 2.4.3 Enhancements: Bug fixes: - fixed problem in session access time updating (thanks to 
Piotr Jakubowski) - fixed problem in session removal (thanks to Doriam Mori) - fixed problem in Redirect logging (thanks to Albert) ------------------------------------------------------------------------ r58 | roseg | 2008-04-24 16:31:28 +0200 (Thu, 24 Apr 2008) | 13 lines Release 2.4.2 Stable release 2.4.2 Enhancements: Bug fixes: - fixed problem with session TTL -1 (thanks to Scott Royston for pointing it out) - fixed problem with back-end killing on failed connect - fixed a small problem in the poundctl XML output (thanks to johnlr for the fix) - added hints in call to getaddrinfo() (for Solaris 10 support) - fixed redirection problem (missing slash in Location/Content-location) ------------------------------------------------------------------------ r57 | roseg | 2008-04-05 11:45:41 +0200 (Sat, 05 Apr 2008) | 12 lines Release 2.4.1 Stable release 2.4.1 Enhancements: - added cache control for errors (thanks to Pavel Merdin for the suggestion) Bug fixes: - fixed problem with double slash in header rewriting (thanks to Cédric P.) - remove sched_policy to avoid problems on systems with poor support for it - fixed memory corruption problem with HAport ------------------------------------------------------------------------ r56 | roseg | 2008-02-11 12:53:51 +0100 (Mon, 11 Feb 2008) | 4 lines Release 2.4 Stable release 2.4 ------------------------------------------------------------------------ r55 | roseg | 2007-12-27 12:54:32 +0100 (Thu, 27 Dec 2007) | 7 lines Release 2.4f Enhancements: Bug fixes: - fixed back-end enable/disable (priority computing) ------------------------------------------------------------------------ r54 | roseg | 2007-11-29 18:16:36 +0100 (Thu, 29 Nov 2007) | 12 lines Enhancements: - added PARM session type. Old PARM is now URL - allow AddHeader for HTTP listeners as well - allow -1 for session (all types) TTL. 
Will hash the key to a fixed value - Redirect takes an optional code parameter (301, 302/default or 307) - new config param to allow printing the SSL certificate in a single line - new config param to control the maximal size of the input line - added better error messages for SSL loading problems Bug fixes: - if the same cookie is defined more than once use LAST definition ------------------------------------------------------------------------ r53 | roseg | 2007-08-15 18:26:58 +0200 (Wed, 15 Aug 2007) | 10 lines Release 2.4d Enhancements: - moved to GPLv3 - now using lh_hash for the session tables Bug fixes: - allow case-sensitive matching for URLs - fixed memory leak in DNS searches ------------------------------------------------------------------------ r52 | roseg | 2007-07-04 15:29:27 +0200 (Wed, 04 Jul 2007) | 10 lines Release 2.4c Enhancements: - added XML output for poundctl - added more detailed error messages Bug fixes: - fixed problems with extra-long lines - fixed problems with chunked encoding ------------------------------------------------------------------------ r51 | roseg | 2007-05-18 10:35:02 +0200 (Fri, 18 May 2007) | 11 lines Release 2.4b Enhancements: - cleaned resurrection code - added RR threads scheduling Bug fixes: - fixed problem long lines (thanks to Rune Saetre) - fixed pcreposix autoconf for systems that also require pcre - fixed problem with IP session handling ------------------------------------------------------------------------ r49 | roseg | 2007-04-30 15:01:17 +0200 (Mon, 30 Apr 2007) | 11 lines Release 2.4a Enhancements: - added display of configuration switches - added grace period for shutdown (based on an idea from Rune Saetre) - added support for IPv6 (but host caching was removed) Bug fixes: - fixed test for owner/group (BSD portability) - fixed problem with premature opening of control socket ------------------------------------------------------------------------ r46 | roseg | 2007-04-11 15:00:11 +0200 (Wed, 11 Apr 
2007) | 8 lines Release 2.3 Enhancements: - added display of configuration switches - added grace period for shutdown (based on an idea from Rune Saetre) Bug fixes: ------------------------------------------------------------------------ r45 | roseg | 2007-04-04 18:15:53 +0200 (Wed, 04 Apr 2007) | 8 lines Release 2.2.8 Enhancements: - more tweaking of the dynamic rescaling code - more information in poundctl printout Bug fixes: ------------------------------------------------------------------------ r44 | roseg | 2007-03-12 18:12:14 +0100 (Mon, 12 Mar 2007) | 8 lines Release 2.2.7 Enhancements: - dynamic scaling is now a configuration directive (DynScale) - added vhost to LogLevel 5 Bug fixes: ------------------------------------------------------------------------ r43 | roseg | 2007-03-02 10:30:01 +0100 (Fri, 02 Mar 2007) | 11 lines Release 2.2.6 Enhancements: - added transaction time to LogLevel 5 - added priority display for poundctl Bug fixes: - fixed problem when adding session via poundctl - fixed problem in session dump to poundctl - fixed problem in kill_be call to t_clean ------------------------------------------------------------------------ r42 | roseg | 2007-02-19 18:19:22 +0100 (Mon, 19 Feb 2007) | 7 lines Release 2.2.5 Enhancements: Bug fixes: - fixed problem with sessions (BACKEND copying) ------------------------------------------------------------------------ r41 | roseg | 2007-02-10 15:26:42 +0100 (Sat, 10 Feb 2007) | 14 lines Release 2.2.4 Enhancements: - modular tree library - consolidated all timed functions into a single thread - added gethostbyname cache - added LogLevel 5 - same as 4 but with service name and back-end information (thanks to Joe Gooch for the suggestion) - added session creation and removal to poundctl Bug fixes: - added LOG_NDELAY to openlog() - accept and immediately close connections to disabled listeners (thanks to Joe Gooch for the suggestion) - fixed problem with -1 values in poundctl 
------------------------------------------------------------------------ r40 | roseg | 2007-01-19 21:29:07 +0100 (Fri, 19 Jan 2007) | 5 lines Release 2.2.3 Bug fixes: - fixed problems in bad 2.2 release ------------------------------------------------------------------------ r39 | roseg | 2007-01-15 18:17:48 +0100 (Mon, 15 Jan 2007) | 13 lines Release 2.2.2 Enhancements: - changes in the dynamic rescaling - doubled the session key size (for those people with insanely long cookies) - added LogFacility - for logging to stdout/stderr - added optional Service names Bug fixes: - fixed bug in multiple HeadRemove matching - fixed problem with extra large session keys - fixed problem for OpenBSD accept (blocks all threads) ------------------------------------------------------------------------ r38 | roseg | 2007-01-03 18:25:30 +0100 (Wed, 03 Jan 2007) | 13 lines Release 2.2.1 Enhancements: - allow specific Listeners to override the gloabl LogLevel value - allow a default Client value to be defined at the global level - allow a default TimeOut value to be defined at the global level - added compile-time flags for file owner and group Bug fixes: - fixed some problems in the installation procedure - fixed problem in SSL session string - added protocol check in need_rewrite ------------------------------------------------------------------------ r37 | roseg | 2006-12-16 10:18:38 +0100 (Sat, 16 Dec 2006) | 45 lines Release 2.2 Enhancements: - added the host to LogLevel 2 (if available) - added support for tcmalloc (from the Google perftools package) Bug fixes: - fixed problem with the initialisation of host_mut ***************************** Cumulative changes since 2.1: ***************************** Enhancements: - added dynamic rescaling of back-end priorities, compile-time flag to enable/disable it - added support for emergency back-ends - the program poundctl(8) is now available, added the Control configuration directive - SESS_IP now behaves like other session types (no 
longer sticky) - added RewriteLocation 2: rewrite location if it points to same address, but ignore port - Redirect uses the original request path - added RewriteDestination configuration flag to enable rewriting the Destination header - removed msdav compile-time configuration flag and MSDAV configuration flag, extended xHTTP to allow for WebDAV, MS-DAV and MS-RPC - added CRLlist directive, split CRL from CA - Error replies are sent as pure HTML - split error messages into: - LOG_ERR: errors (mostly fatal) - LOG_WARNING: errors (non-fatal) - LOG_NOTICE: problems - LOG_INFO: extra information - time to serve the requests is logged in LogLevel 2 - added the (virtual) host to LogLevel 2 (if available) - added line numbers to config error messages - added TCP_NODELAY for faster response times - added support for tcmalloc (from the Google perftools package) Bug fixes: - fixed problem in str_be (evident mostly in LogLevel 2) - added 'const' wherever necessary - check for errors in mutex handling - fixed the verb pattern in HTTPS listeners - content is now ignored only on HEAD requests - fixed problems with autoconf on some systems - fixed problem with the initialisation of host_mut ------------------------------------------------------------------------ r36 | roseg | 2006-12-09 09:39:23 +0100 (Sat, 09 Dec 2006) | 6 lines Release 2.1.8 Bug fixes: - fixed another small problem with autoconf on some systems - added support for systems that don't define SOL_TCP ------------------------------------------------------------------------ r35 | roseg | 2006-12-06 18:32:16 +0100 (Wed, 06 Dec 2006) | 10 lines Release 2.1.7 Enhancements: - added TCP_NODELAY for faster response times - added compile-time flag to enable/disable dynamic priorities rescaling Bug fixes: - fixed problems with autoconf on some systems - fixed error in control function (be instead of svc) ------------------------------------------------------------------------ r34 | roseg | 2006-11-04 11:28:53 +0100 (Sat, 
04 Nov 2006) | 9 lines Release 2.1.6 Enhancements: - Redirect uses the original request path Bug fixes: - improved dynamic priorities calculation - fixed problem with Emergency back-ends ------------------------------------------------------------------------ r33 | roseg | 2006-10-23 09:24:28 +0200 (Mon, 23 Oct 2006) | 12 lines Release 2.1.5 Enhancements: - added line numbers to config error messages - added dynamic rescaling of back-end priorities - added support for emergency back-ends - the program poundctl(8) is now available - added the Control configuration directive Bug fixes: - improved owner/group detection for install ------------------------------------------------------------------------ r32 | roseg | 2006-10-14 16:39:29 +0200 (Sat, 14 Oct 2006) | 6 lines Release 2.1.4 Bug fixes: - content is now ignored only on HEAD requests - added CRLlist directive, split CRL from CA ------------------------------------------------------------------------ r31 | roseg | 2006-09-21 18:41:15 +0200 (Thu, 21 Sep 2006) | 6 lines Release 2.1.3 Bug fixes: - fixed the verb pattern in HTTPS listeners - removed the spurious printf in cur_time ------------------------------------------------------------------------ r30 | roseg | 2006-09-18 18:12:16 +0200 (Mon, 18 Sep 2006) | 18 lines Release 2.1.2 Enhancements: - Error replies are sent as pure HTML - split error messages into: - LOG_ERR: errors (mostly fatal) - LOG_WARNING: errors (non-fatal) - LOG_NOTICE: problems - LOG_INFO: extra information - removed msdav compile-time configuration flag - removed MSDAV configuration flag - extended xHTTP to allow for WebDAV, MS-DAV and MS-RPC - added RewriteDestination configuration flag to enable rewriting the Destination header - time to serve the requests is logged in LogLevel 2 Bug fixes: - fixed (again) the RewriteRedirect 2 mode ------------------------------------------------------------------------ r29 | roseg | 2006-09-11 18:35:22 +0200 (Mon, 11 Sep 2006) | 11 lines Release 2.1.1 
Enhancements: - SESS_IP now behaves like other session types (no longer sticky) - added RewriteLocation 2: rewrite location if it points to same address, but ignore port Bug fixes: - fixed problem in str_be (evident mostly in LogLevel 2) - added 'const' wherever necessary - check for errors in mutex handling ------------------------------------------------------------------------ r27 | roseg | 2006-08-05 11:35:52 +0200 (Sat, 05 Aug 2006) | 24 lines Release 2.1 Enhancements: - support for pcre library (if available) for much better performance - support for hoard library (if available) for much better performance - rewrite Location and Content-location headers for all responses - improved detection of when is a rewrite necessary - renamed Change30x to RewriteLocation. Default: on Bug fixes: - fixed small problem in the upd_session() code - declared init_RSAgen() as void everywhere - moved to SESS_xxx tokens to avoid Solaris name conflict - added #ifdef's for LOG_FTP and LOG_AUTHPRIV - fixed problem in URL checking - fixed problem in session tracking-code and session updating - fixed LogLevel 3 to show that the v_host is unknown - fixed headers checking in match_service - fixed problem in ClientCert directive handling - fixed potential memory leak in AUTH decoding - allow OPTIONS WebDAV request to have content - replaced inet_ntoa with inet_ntop where available - removed all static buffers ------------------------------------------------------------------------ r25 | roseg | 2006-02-01 10:00:42 +0100 (Wed, 01 Feb 2006) | 14 lines Release 2.0 Enhancements: - new configuration file syntax, offering significant improvements. - the ability to define listener-specific back-ends. In most cases this should eliminate the need for multiple Pound instances. - a new type of back-end: the redirector allows you to respond with a redirect without involving any back-end server. - most "secondary" properties (such as error messages, client time-out, etc.) 
are now private to listeners. - HAport has an optional address, different from the main back-end - added a -V flag for version - session keeping on a specific Header ------------------------------------------------------------------------ r21 | roseg | 2006-02-01 14:27:19 +0100 (Wed, 01 Feb 2006) | 15 lines Release 1.10 Enhancements: added NoDaemon configuration directive (replaces compile-time switch) added LogFacility configuration directive (replaces compile-time switch) added user name logging Bug fixes: fixed problem with the poll() code fixed problem with empty list in gethostbyname() added call to setsid() if daemon conflicting headers are removed (Content-length - Transfer-encoding) Last release in the 1.x series. ------------------------------------------------------------------------ r19 | roseg | 2005-06-01 15:27:19 +0200 (Wed, 01 Jun 2005) | 18 lines Release 1.9 Enhancements: - Added the VerifyList configuration flag (CA root certs + CRL) - CRL checking code - RewriteRedirect 2 - ignores port value for host matching - Added -c flag (check-only mode) - Added -v flag (verbose mode) - Added -p flag for pid file name Bug fixes: - fixed a potential buffer overflow problem (in checking the Host header) - added call to SSL_library_init - added a check for MSIE before forcing SSL shutdown - X-SSL-Cipher header is added only if HTTPSHeaders is non-zero - added code for shorter linger on badly closed connections (IE work-around) - fixed the locking for session checking (mutex_lock/unlock) ------------------------------------------------------------------------ r17 | roseg | 2004-11-04 14:27:19 +0100 (Thu, 04 Nov 2004) | 23 lines Release 1.8 Changes: - added support for non-blocking connect(2) - added support for 414 - Request URI too long - added RedirectRewrite directive - to prevent redirect changes - added support for NoHTTPS11 value 2 (for MSIE clients only) - added support for HTTPSHeaders 3 (no verify) Problems fixed: - fixed bug if multiple listening 
ports/addresses - fixed memory leak in SSL - flush stdout (if used) after each log message - assumes only 304, 305 and 306 codes to have no content - fixed problem with delays in 302 without content - fixed problem with time-outs in HTTPS Enhancements: - improved threads detection code in autoconf - added supervisor process disable configuration flag - tweak for the Location rewriting code (only look at current GROUP) - improved print-out for client certificate information ------------------------------------------------------------------------ r15 | roseg | 2004-03-24 14:27:19 +0100 (Wed, 24 Mar 2004) | 12 lines Release 1.7 Fixed bug in X-SSL-CIPHER description Changed README to stx format for consistency Addedd X-SSL-certificate with full client certificate Improved the response times on HTTP/0.9 (content without Content-length) Improved response granularity on above - using unbuffered BIO now Fixed problem with IE/SSL (SSL_set_shutdown) Avoid error messages on premature EOF from client Fixed HeadRemove code so all headers are checked without exception Improved autoconf detection ------------------------------------------------------------------------ r13 | roseg | 2003-11-30 14:27:19 +0100 (Sun, 30 Nov 2003) | 15 lines Release 1.6 Callback for RSA ephemeral keys: - generated in a separate thread - used if required (IE 5.0?) New X-SSL-cipher header encryption level/method Added CheckURL parameter in config file - perform syntax check only if value 1 (default 0) Allow for empty query/param strings in URL syntax Additional SSL engine loading code Added parameter for CA certificates - CA list is sent to client Verify client certificates up to given depth Fixed vulnerability in syslog handling ------------------------------------------------------------------------ r11 | roseg | 2003-10-14 15:27:19 +0200 (Tue, 14 Oct 2003) | 19 lines Release 1.5 Session by Basic Authentication: Session BASIC parameter added Syntax checking of request. 
User-defined request character set(s): Parameters CSsegment, CSparameter, CSqid, CSqval Request size limit: Parameter MaxRequest Single log function rather than #ifdefs. Added LogLevel 4 (same as 3 but without the virtual host info). Added HeadRemove directive (allows to delete a header from requests). Location rewriting on redirect: if the request contains a Header directive and the response is codes 301, 302, 303, 307 and the Location in the response is to a known host then the Location header in the response will be rewritten to point to the Pound protocol/port itself ------------------------------------------------------------------------ r9 | roseg | 2003-04-24 15:27:19 +0200 (Thu, 24 Apr 2003) | 12 lines Release 1.4 Added 'Server' configuration directive Fixed problem with HTTPSHeaders 0 "..." - the desired header is written even if HTTPSHeaders is 0 Added the ability of loading a certificate chain. Added compatability with OpenSSL 0.9.7 Added user-definable error pages. Added compile-time flags to run in foreground and to log to stderr. Opens separate pid files per-process. Improved autoconf. Some SSL speed optimisations. 
------------------------------------------------------------------------ r7 | roseg | 2003-02-19 14:27:19 +0100 (Wed, 19 Feb 2003) | 10 lines Release 1.3 Added support for OpenSSL Engine (crypto hardware) Added support for Subversion WebDAV Added support for mandatory client certificates Added X-SSL-serial header for SSL connections Fixed problem with BIO_pending in is_readable Fixed problem with multi-threading in OpenSSL Improved autoconf ------------------------------------------------------------------------ r5 | roseg | 2003-01-20 14:27:19 +0100 (Mon, 20 Jan 2003) | 5 lines Release 1.2 Better handling of "100 Continue" responses Fixed problem with allowed character set for requests ------------------------------------------------------------------------ r3 | roseg | 2003-01-09 14:27:19 +0100 (Thu, 09 Jan 2003) | 9 lines Better auto-conf detection LogLevel 3 for Apache-like log (Combined Log Format) Don't ask client for certificate if no SSL headers required Added handling for 'Connection: closed' header Added monitor process to restart worker process if crashed Added possibility to listen on all interfaces Fixed HeadDeny code Fixed problem with threads on *BSD ------------------------------------------------------------------------ r1 | roseg | 2002-10-31 14:27:19 +0100 (Thu, 31 Oct 2002) | 1 line Initial import ------------------------------------------------------------------------ graygnuorg-pound-7eec563/ChangeLog.sed000066400000000000000000000024141461263420300177720ustar00rootroot00000000000000# Spell-fixes and other amendments to ChangeLog. -*- fundamental -*- # At input, each ChangeLog entry is prefixed with the commit hash followed # by the # sign. 
/^2e5e7beef935b7c68ca073f80092a6443a1b4b37#/,/^[[:xdigit:]]{40}#/s/conbinable/combinable/ /^959c0e43d4df73150e0a49e993a24ca94a28ec2f#/,/^[[:xdigit:]]{40}#/s/arguent/argument/ /^cfee6266ac3467d6e946211d143df504e4750995#/,/^[[:xdigit:]]{40}#/s/handleb/handled/ /^6a87e134c57b94ebbd83d7131422006caa082139#/,/^[[:xdigit:]]{40}#/s/gratiously/graciously/ /^4a53008f99876897a61d6569faf371b637c81b69#/,/^[[:xdigit:]]{40}#/s/stdandard/standard/ /^4c527cc78321b69d8693b60a969fa133f505f1c4#/,/^[[:xdigit:]]{40}#/s/finction/function/ /^f1161a30c5080b464247d8558c1c0b5d159d1786#/,/^[[:xdigit:]]{40}#/s/quaifiers/qualifiers/ /^e3d299b12e118dbf430a46186c26242c4d9d7d2b#/,/^[[:xdigit:]]{40}#/s/parethesized/parenthesized/ /^2536a200d897e3150447445c5ab21b23b532a276#/,/^[[:xdigit:]]{40}#/s/resonse/response/ /^892b9f76f3d23b2d999511df3a468786f08a822d#/,/^[[:xdigit:]]{40}#/s/bakend/backend/ /^eb5d7c041da62581d675f92f6ec3c68784a2e9aa#/,/^[[:xdigit:]]{40}#/s/Decreas\b/Decrease/ /^82eae3a57cf5d9696e56d91a445a776383ba943a#/,/^[[:xdigit:]]{40}#/s/testsing/testing/ # Remove commit hashes. The file must end with this rule. s/^[[:xdigit:]]{40}#// graygnuorg-pound-7eec563/Makefile.am000066400000000000000000000027751461263420300175140ustar00rootroot00000000000000# Pound - the reverse-proxy load-balancer -*- automake -*- # Copyright (C) 2002-2010 Apsis GmbH # Copyright (C) 2018-2024 Sergey Poznyakoff # # Pound is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # Pound is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with pound. If not, see . 
SUBDIRS = src tests doc EXTRA_DIST = ChangeLog.apsis ACLOCAL_AMFLAGS = -I am if FROM_GIT README: README.md perl md2txt.pl -o README -l 4 README.md .PHONY: ChangeLog ChangeLog: @echo "Creating ChangeLog"; \ (git log --pretty='format:%H#%ad %cn <%ae>%n%n%w(72,8,8)%s%n%n%b' \ --date=short | sed -r -f ChangeLog.sed; \ echo ""; \ echo "Local Variables:"; \ echo "mode: change-log"; \ echo "version-control: never"; \ echo "buffer-read-only: t"; \ echo "End:") > ChangeLog endif graygnuorg-pound-7eec563/NEWS000066400000000000000000000740601461263420300161530ustar00rootroot00000000000000Pound -- history of user-visible changes. 2024-04-26 See the end of file for copying conditions. Pound is a continuation of the software originally developed by Robert Segall at Apsis GmbH, which was officially discontinued on 2022-09-19. See the README file for details. Please send pound bug reports to Version 4.12, 2024-04-26 * Includes manual in texinfo format * Change in the order of applying rewrites to responses When rewriting a response, rules defined in the service section are applied first, followed by the ones defined in the listener. When rewriting incoming requests, the order is opposite: first the rules in the listener, then the ones in the service. * Requests with unrecognized Transfer-Encoding are rejected * Requests containing both Transfer-Encoding and Content-Length are rejected * Deprecated configuration statements Pound issues a warning for each deprecated statement used in the configuration file. The warning message contains a suggestion on what to use instead of the offending statement. You are advised to replace each occurrence of deprecated statements in accordance with these suggestions, since such statements will be removed in future releases. If it is not feasible to do so for a while, you can suppress these messages by using the "-W no-warn-deprecated" command line option. 
* ServerName directive is allowed in the Emergency section * New statement: ErrorFile ErrorFile NNN "FILENAME" This statement defines content of the response page returned with the HTTP status NNN from the file FILENAME. It obsoletes the Err400 - Err503 statements used in previous versions. These statements are still supported for backward compatibility, although their use is discouraged. * New statement: MaxURI This statement sets the maximum allowed length of the request URI. It can be used in ListenHTTP and ListenHTTPS sections. * Bugfixes ** Don't try to access the include directory, unless needed by configuration. ** Fix handling of session deletion/addition on request from poundctl. Version 4.11, 2024-01-03 * Combining multi-value headers HTTP protocol allows for certain headers to appear in the message multiple times. Namely, multiple headers with the same header name are permitted if that header field is defined as a comma-separated list. The standard specifies that such fields can be combined in a single "header: value" pair, by appending each subsequent field value to the previous one, each separated by a comma. Pound is able to perform such combining on incoming requests as well as on responses. To enable this feature, declare names of headers that can be combined using the CombineHeader statement, e.g.: CombineHeaders "Accept" "Allow" "Forwarded" End Pound distribution includes file "mvh.inc" which declares all multiple-value headers in a form suitable for inclusion to the main pound configuration file. This file is installed in the package data directory, which is normally /usr/local/share/pound or /usr/share/pound, depending on the installation prefix used. * SNI in HTTPS backends New directive ServerName is provided for use in Backend section after HTTPS statement. This directive sets the host name to be used in server name identification (SNI). Its argument is a quoted string specifying the host name. 
This directive also rewrites the Host: header accordingly. Example usage: Backend HTTPS Address 192.0.2.1 Port 443 ServerName "www.example.org" End * "Cert" statement in "ListenHTTPS" section Argument to the "Cert" statement in "ListenHTTPS" section can be the name of a directory containing certificate files. All files from that directory will be loaded. Version 4.10, 2023-10-13 * Global "Backend" definitions A "Backend" statement is allowed to appear in global scope. In this case it must be followed by a symbolic name, as in: Backend "name" ... End The "name" must uniquely identify this backend among other backends defined in global scope. Global backend definitions can be used in services using the "UseBackend" statement: UseBackend "name" A single globally defined backend can be used in multiple services. Its actual global definition may appear before as well as after the service or services it is used in. A named form of Backend statement is also allowed for use in Service sections. In this case it acts as "UseBackend" statement, except that statements between "Backend" and "End" modify the parameters of the backend for use in this particular service. Only two statements are allowed in such named form: "Priority" and "Disabled". The following example attaches the globally defined backend "assets" to the service and modifies its priority: Backend "assets" Priority 8 End * Response header modification The "Rewrite" statement accepts optional argument specifying whether it applies to the incoming request, or to the response. The following statement applies to requests and is exactly equivalent to "Rewrite" without argument: Rewrite request ... End In contrast, the following statement: Rewrite response ... End applies to the response (received from the regular backend or generated by error backend). 
In this form, the set of statements that can appear inside the section (denoted by ellipsis above) is limited to the following: "Not", "Match", "Header", "StringMatch", "SetHeader", and "DeleteHeader". For example: Rewrite response Match Header "Content-Type: text/(.*)" End SetHeader "X-Text-Type: $1" End The same applies to "Else" branches. * Basic authentication New request matching statement "BasicAuth" is implemented. Its syntax is: BasicAuth "FILE" It evaluates to true, if the incoming request contains Authorization header with scheme "Basic", such that user name and password obtained from it match a line in the given disk file. FILE must be a plain-text file created with htpasswd(1) or similar utility, i.e. each non-empty line of it must contain username and password hash separated by a colon. Password hash can be one of: . Password in plain text. . Hash created by the system crypt(3) function. . Password hashed using SHA1 algorithm and encoded in base64. This hash must be prefixed by {SHA} . Apache-style "APR1" hash. Combined with the response rewriting described above, this can be used to implement basic HTTP authentication in Pound as shown in the following example: Service "auth" Not BasicAuth "/etc/pound/htpass" Rewrite response SetHeader "WWW-Authenticate: Basic realm=\"Restricted access\"" End Error 401 End Unless the file name starts with a slash, it is taken relative to the "IncludeDir" directory. The file is cached in the memory on the first authorization attempt, so that further authorizations do not result in disk i/o operations. It will be rescanned if Pound notices that the file's modification time has changed. * Bugfixes ** The Host statement assumes exact match by default. ** Fix detection of duplicate Transfer-Encoding headers. Version 4.9, 2023-08-22 * HTTP request logging In addition to six built-in log formats, you can define your own "named" formats and use them in the LogLevel directive. 
Log format is defined using the following statement: LogFormat "name" "format_string" The "name" argument specifies a string uniquely identifying this format. "Format_string" is the format specification. It is modelled after Apache's mod_log_config LogFormat string. For example, the built-in format 3 is defined as: "%a - %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" The LogLevel directive has been extended to take symbolic format name as argument. For example: LogLevel "my_format" The traditional built-in formats are assigned the following symbolic names: 0 - "null" 1 - "regular" 2 - "extended" 3 - "vhost_combined" 4 - "combined" 5 - "detailed" So, instead of LogLevel 3 one may write LogLevel "vhost_combined" * New statements: ForwardedHeader and TrustedIP These statements control how the %a log format conversion specifier determines the originator IP address: ForwardedHeader "name" Defines the name of HTTP header that carries the list of proxies the request has passed through. It is used to report the originator IP address when logging. The default is "X-Forwarded-For". This statement can be used in global, listener, and service scope. TrustedIP Defines a list of trusted proxy IP addresses, which is used to determine the originator IP. This is a special form of the ACL statement and, as the latter, it can appear in two forms: directive and section. In directive form, it takes a single argument referring to a named access control list, which must have been defined previously using the ACL statement. In section form, it is followed by a list of one or more CIDRs each appearing on a separate line. The End directive on a separate line terminates the statement. This statement can be used in global, listener, and service scope. * New service statement: LogSuppress Suppresses HTTP logs for requests that resulted in response status codes from a particular group or groups. 
The statement takes one or more arguments specifying status code groups to suppress log messages for: info or 1 1xx status codes success or 2 2xx status codes redirect or 3 3xx status codes clterr or 4 4xx status codes srverr or 5 5xx status codes all all status codes Suggested usage is for special services that are likely to accept large numbers of similar requests, such as Openmetrics services. For example: Service "metrics" URL "/metrics" Metrics LogSuppress success End * New request matching directive: StringMatch The syntax is: StringMatch "SUBJECT" [OPTIONS] "PATTERN" OPTIONS are the usual matcher options. The directive matches if SUBJECT, after backreference expansion and accessor interpretation, matches PATTERN. This directive allows you to build complex service selection criteria. For example: Service Host "^foobar\.(.+)$" StringMatch "$1" -file "domain.list" ... End The service above will be used for requests whose Host header value is "foobar." followed by a domain name from the file "domain.list". * New request accessors: host and port The %[host] accessor returns the hostname part of the Host header value. The %[port] accessor returns the port number with a leading colon character. If no explicit port number is given in the Host value, %[port] returns an empty string. * Bugfixes ** Fix the QueryParam statement. ** Improve testsuite and documentation. Version 4.8, 2023-05-28 * Support for libpcre2-posix * Fix coredump on -c -v * poundctl: ignore empty lines in pound.cfg Version 4.7, 2023-04-17 * Default include directory Configuration directives that take filenames as their argument search for files in the include directory (unless the filename is absolute). The initial value of the include directory is set to the system configuration directory, as configured at compile time. It can be changed: 1. from the command line, using the -Winclude-dir=DIR or -Wno-include-dir options. The latter form resets it to the current working directory. 2. 
in the global scope of the configuration file, using the IncludeDir configuration statement. * The "Include" directive The "Include" directive can appear not only at the topmost level, but also in any section (ListenHTTP, Service, ACL, etc.). In short - anyplace where a statement is allowed. * Reading patterns from file All request matching directives (Header, Host, URL, etc.) take an additional option "-file". When this option is specified, the argument to the directive is treated as the name of a file to read patterns from. If the filename is relative, it is looked up in the include directory (see above). Patterns are read from the file line by line; empty lines and comments are ignored. For example: Service Host -file "pound/webhosts" ... End * Early pthread_cancel probe Pound calls pthread_cancel(3p) during its shutdown sequence. In GNU libc, a call to this function involves loading the libgcc_s.so.1 shared library. In previous versions, this would fail if pound was running in a chrooted environment (RootJail), unless that library had previously been copied to the chroot directory. The following diagnostic would be printed libgcc_s.so.1 must be installed for pthread_cancel to work and the program would abort. That means that the normal pound shutdown sequence was not performed properly. Starting with this version, pound will create and cancel a dummy thread right before doing chroot. This ensures that libgcc_s.so.1 is loaded early, so that pthread_cancel runs successfully even when chrooted later. This early probe is enabled if pound is linked with GNU libc. The --enable-pthread-cancel-probe configure option is available to forcefully enable or disable it, if need be. * PID file and control socket are properly removed when in RootJail mode. This doesn't cover the case where the privileges of the user the program runs as (as set by the "User" and "Group" configuration statements) forbid removing the file. 
* Control socket ownership and mode The "Control" configuration directive has two forms: inline and section. The inline form is the same as in previous versions. The block "Control" statement allows you to manage the file mode and ownership of the socket file. Its syntax is: Control Socket "FILE" Mode OCTAL ChangeOwner BOOL End The Socket statement sets the name of the UNIX socket file. This is the only mandatory statement in the Control block. The Mode statement sets mode of the socket file (default is 600). Finally, if ChangeOwner is true, the ownership of the socket file will be changed to the user defined by the User and/or Group statements in global scope. Version 4.6, 2023-03-07 * Load-balancing strategies A load balancing strategy defines algorithm used to distribute incoming requests between multiple regular backends. This version of pound implements two such strategies: ** Weighted Random Balancing This is the default strategy and the one implemented by prior versions of pound. Each backend is assigned a numeric priority between 0 and 9 (inclusive). The backend to use for each request is determined at random taking into account backend priorities, so that backends with numerically greater priorities have proportionally greater chances of being selected than the ones with lesser priorities. ** Interleaved Weighted Round Robin Balancing Requests are assigned to each backend in turn. Backend priorities, or weights, are used to control the share of requests handled by each backend. The greater the weight, the more requests will be sent to this backend. * New statement: Balancer The Balancer statement can appear in global and in Service scope. It defines the load balancer to use. Possible arguments are: random, to use weighted random balancing (default), and iwrr to use interleaved weighted round robin balancing. * Backreferences Up to eight most recent matches are saved. 
They can be referenced as $N(M), where N is number of the parenthesized subexpression, and M is number of the match. Matches are numbered in reverse chronological order with the most recent one being at index 0. The (0) can be omitted ($1 is the same as $1(0)). For example, given the following statements: Host -re "www\\.(.+)" Header -re -icase "^Content-Type: *(.*)" Path "^/static(/.*)?" "$1" refers to the subgroup of Path, "$1(1)" - to that of Header, and "$1(2)" - to that of Host. Curly braces may be used to delimit reference from the text that follows it. This is useful if the reference is immediately followed by a decimal digit or opening parenthesis, as in: "${1}(text)". * Request matching directives In addition to "URL" and "Header", the following matching directives are provided Path [options] "value" Match path. Query [options] "value" Match query. QueryParam "name" [options] "value" Match query parameter. * Request modification directives Request modification directives apply changes to the incoming request before passing it on to the service or backend. They can be used both in ListenHTTP (ListenHTTPS) and Service sections. The following directives are provided: DeleteHeader "header: pattern" Remove matching headers from the incoming requests. SetHeader "header: to add" Add the defined header to the request passed. If the header already exists, change its value. SetURL "value" Sets the URL part of the request. SetPath "value" Sets the path part. SetQuery "value" Sets the query part. SetQueryParam "name" "value" Sets the query parameter "name" to "value". Rewrite ... [ Else ... 
] End Conditionally apply request modification depending on whether request matches certain conditions, e.g.: Rewrite Path "\\.(jpg|gif)$" SetPath "/images$0" Else Match AND Host "example.org" Path "\\.[^.]+$" End SetPath "/static$0" Else Path "\\.[^.]+$" SetPath "/assets$0" End * Request accessors These are special constructs that, when used in string values, are replaced with the corresponding parts of the incoming request. The supported accessors are: %[url] The URL of the request. %[path] The path part of the request. %[query] The query part of the request. %[param NAME] The value of the query parameter NAME. %[header NAME] The value of the request header NAME. Request accessor can be used in all strings where the use of backreferences is allowed: i.e. arguments to Redirect, ACME, Error directives, and to all request modification directives described above. * Listener labels Listeners can be assigned symbolic labels. The syntax is: ListenHTTP "name" or ListenHTTPS "name" The "name" must be unique among all listeners defined in the configuration. This symbolic name can be used to identify listener in poundctl requests (see below). * Service labels Service labels must be unique among all services within the listener (or in the configuration file, for global ones). * Use of listener and service labels in poundctl Listeners and services can be identified both by their numbers and labels. For example: poundctl list /main/static/1 * Use of multiple redirects in single service Use of multiple redirect backends in single service, as well as mixing them with regular backends is deprecated and causes a warning message. Version 4.5, 2023-02-12 * RPC over HTTP support withdrawn It has been officially discontinued by Microsoft on 2017-10-31. It's no use trying to support it five years after. 
* Support for 303 and 308 redirection codes * Improved default error responses * New special backend: Error The Error statement defines a special backend that returns the HTTP error page. It takes one or two arguments: Error STATUS [FILE] The STATUS argument supplies the HTTP status code. The optional FILE argument is the name of a disk file with the error page content (HTML). If not supplied, the text is determined as usual: first the Err statement for the enclosing listener is consulted. If it is not present, the default error page is used. * New special backend: Metrics This backend type implements an openmetrics telemetry endpoint. The minimal configuration is: Service URL "/metrics" Metrics End Enabling backend statistics (see below) is strongly suggested when using the Metrics backend. * Backend statistics Backend usage statistics are enabled by the BackendStats configuration directive: BackendStats true When enabled, the "stats" object will be added to the JSON output for each backend. This object holds the following fields: request_count Number of requests processed by this backend. request_time_avg Average request processing time. request_time_stddev Standard deviation of the above. The Metrics backend, if declared, will then include the following metric families in its output pound_backend_requests pound_backend_request_time_avg_nanoseconds pound_backend_request_stddev_nanoseconds These three families are labeled by the corresponding backend index, e.g. (output split in two lines for readability): pound_backend_request_time_avg_nanoseconds {listener="1",service="1",backend="1"} 17232220 * Core statistics The default output returned by the pound control thread now includes additional core statistics: pound version, PID, worker subsystem configuration and state. The default poundctl template has been changed to reflect it. 
* New options: -F and -e The -F option forces the foreground mode: the program won't detach itself from the controlling terminal and will remain in foreground even if configuration settings require otherwise. The -e option directs error diagnostics to stderr (stdout for LOG_DEBUG and LOG_INFO facilities). It implies foreground mode. * Changes in verbose mode (-v) Error messages emitted to stderr (stdout) are duplicated in the syslog, if the configuration settings require so. * Arithmetic operations in poundctl templates The four new functions are provided to implement basic arithmetic operations in templates: add, sub, mul, and div. * Fixed the LogFacility configuration statement Version 4.4, 2023-01-19 * New directive: HeaderOption The HeaderOption directive controls what kind of "canned" headers pound adds to the HTTP request before passing it on to the backend. By default, it adds "forwarded" headers (X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port) and, if serving a HTTPS session, X-SSL-* headers. The arguments to the HeaderOption directive enable or disable these canned headers. The default corresponds to HeaderOption forwarded ssl To disable any kind of headers, precede its name with a "no-": HeaderOption no-forwarded The special keywords "none" and "all", can be used to disable or enable all canned headers. The HeaderOption directive can appear in the global scope or within a ListenerHTTP (or ListenerHTTPS) section. * Header modification and service matching Header modification directives are applied after service matching directives (such as Header or HeadRequire). This is a disruptive change: in previous pound version header removal was done prior to service selection. * Header modification order Header modification directives are applied in the following order: HeaderOptions, HeaderRemove, HeaderAdd. In other words, built-in headers are added first. Then, header removal directives are applied. Finally, headers requested by the user are added. 
Added headers overwrite headers with the same name that may already be present in the request. Thus, you can use HeaderRemove and HeaderAdd to trim down headers added by HeaderOptions. * Back-references in Redirect and ACME statements Arguments to Redirect and ACME statements can contain references to parenthesized subexpressions in the most recently matched URL, Header, or Host statements. Syntactically, $N refers to URL subexpression and %N refers to subexpression of Header (or Host). $0 and %0 are expanded to the entire URL or header (host). For example, to redirect all requests to https: Service Host -re ".+" URL ".*" Redirect "https://%0$0" End Version 4.3, 2023-01-13 * Template support in poundctl The output of poundctl is controlled by a template. Templates are read from a template file, which is looked up in template search path (normally ~/.poundctl.tmpl:/usr/share/pound/poundctl.tmpl). The poundctl.tmpl file shipped with the distribution defines templates for the traditional (plain-text) and XML output. The option "-t FILE" instructs poundctl to use FILE instead of the default template file. The option "-T NAME" supplies the name of the template to be used. * Fix parsing of Subject in X509 certificates Version 4.2, 2022-12-31 * Rewrite periodic tasks The timer thread is rewritten completely in order to do periodic operations (such as backend probing and session expiration) precisely when needed, instead of waking up in fixed intervals and checking what should be done. Among others, this helps reduce the CPU load. Whenever a backend is marked as dead, a periodic job is scheduled for "alive_to" seconds from the current time, which will probe the backend and either mark it as alive (if it responds) or reschedule itself for a later time (if it does not). Thus, no unnecessary iterations over listeners/servers/backends occur. 
Sessions are kept on per-service basis in a combined structure consisting of a hash table (to quickly look-up a session) and a doubly-linked list (to provide for session expiration). Sessions within the latter are sorted by their expiration time. A periodic job is scheduled to the expiration time of the first session in the list, i.e. the least recently used one. After removing the expired session, the job reschedules itself to the expiration time of the next session (which becomes first in the list), if any. * The "haport" feature has been removed. * Control interface rewritten The new control interface uses REST API. * Poundctl rewritten Version 4.1, 2022-12-10 * Worker Model Each incoming request is processed by a specific worker, i.e. a thread in the running program. The number of running workers is controlled by three configuration parameters. WorkerMinCount defines the minimum number of workers that should always be running (5, by default). Another parameter, WorkerMaxCount sets the upper limit on the number of running workers (defaults to 128). At each given moment, a worker can be in one of two states: idle or active (processing a request). If an incoming request arrives when all running workers are active, and total number of workers is less than maximum, a new thread is started and the new request is handed to it. If the number of active workers has already reached maximum, the new request is added to the request queue, where it will wait for a worker to become available to process it. The third parameter, WorkerIdleTimeout, specifies maximum time a thread is allowed to spend in the idle state. If a worker remains idle longer than that and total number of workers is greater than the allotted minimum, the idle worker is terminated. The default value for WorkerIdleTimeout is 30 seconds. 
* URL expansion in Redirect statement The URL argument to the Redirect statement can contain references to parenthesized subexpressions in the most recently matched URL statement of the enclosing Service. References are of the form $N, where N is the number of the parenthesized subgroup. To insert a literal $ sign, use $$. * New statement: PIDFile Defines the name of the PID file. The -p command line option overrides this setting. * New statement: ACME The ACME statement creates a service specially crafted for answering ACME HTTP-01 challenge requests. It takes a single argument, specifying a directory where ACME challenges are stored. It is assumed that another program runs periodically, which checks for certificates approaching their expiration, issues renewal requests and stores the obtained ACME challenges in that directory. The statement can appear in a ListenHTTP block. Example usage: ListenHTTP ACME "/var/www/acme" ... End * New statement: Host The "Host" statement is provided to facilitate handling of virtual services. The statement: Host "example.com" is equivalent to: HeadRequire "Host:[[:space:]]*example\\.com" * ACLs Access control lists (ACLs) allow you to make some services available only to users coming from certain IP ranges. There are two kinds of ACLs: named and unnamed. Named ACLs are defined in the global scope, using the following syntax: ACL "name" "CIDR" ... End where ... denotes more CIDR lines. A CIDR is an IPv4 or IPv6 address, optionally followed by a slash and network mask length. Named ACLs can be referred to in Service sections using the following syntax: Service ACL "name" ... End This service will be used only if the request comes from an IP address that matches the given ACL. Unnamed ACLs are defined within the service itself, as shown in the following example: Service ACL "127.0.0.1" "192.0.2.0/26" "203.0.113.0/24" End ... End Semantically they are entirely equivalent to named ACLs. 
* Boolean operations over request matching directives By default, request matching directives are joined with an implicit boolean "AND". This can be changed using the new "Match" directive, e.g.: Match OR HeadRequire "Host:[[:space:]]*example\\.org" HeadRequire "Host:[[:space:]]*example\\.net" End Match directives can be nested to any depth. Any request matching directive (including "Match") can be prefixed with "not", to invert its result (boolean negation). * Alternative spelling for header matching/manipulation directives For consistency, the following configuration directives have been provided as alternatives for existing header manipulation directives: Old name New name Comment -------- -------- ------- HeadRequire Header Service section HeadDeny Not Header Service section. See "Boolean operations". HeadRemove HeaderRemove ListenHTTP and ListenHTTPS sections AddHeader HeaderAdd ListenHTTP and ListenHTTPS sections The use of new names is preferred. Version 4.0, 2022-12-02 * Support for OpenSSL 3.0 * Added testsuite. * Fixes in configuration parsing. ========================================================================= Copyright information: Copyright (C) 2018-2024 Sergey Poznyakoff Permission is granted to anyone to make or distribute verbatim copies of this document as received, in any medium, provided that the copyright notice and this permission notice are preserved, thus giving the recipient permission to redistribute in turn. Permission is granted to distribute modified versions of this document, or of portions of it, under the above conditions, provided also that they carry prominent notices stating who last changed them. Local variables: mode: outline paragraph-separate: "[ ]*$" eval: (add-hook 'write-file-hooks 'time-stamp) time-stamp-start: "changes. 
" time-stamp-format: "%:y-%02m-%02d" time-stamp-end: "\n" end: graygnuorg-pound-7eec563/README.md000066400000000000000000000575731461263420300167450ustar00rootroot00000000000000# Pound __Pound__ is a reverse proxy, load balancer and HTTPS front-end for Web servers. It was developed to enable distributing the load among several Web-servers and to allow for a convenient SSL wrapper for those Web servers that do not offer it natively. __Pound__ is distributed under the GNU General Public License, Version 3, or (at your option) any later version. The original version of __pound__ was written by Robert Segall at [Apsis GmbH](https://web.archive.org/web/20221202094441/https://apsis.ch/). In 2018, Sergey Poznyakoff added support for OpenSSL 1.x to the then current version of the program (2.8). This version of __pound__, hosted on *github* was further modified by Rick O'Sullivan and Frank Schmirler, who added WebSocket support. On April 2020, Apsis started development of __pound__ 3.0 - essentially an attempt to rewrite __pound__ from scratch, introducing dependencies on some third-party software. On 2022-09-19, Robert announced that he stops further development and maintenance of __pound__. Following that, Sergey decided to continue development of the program starting from his fork. ## What Pound Is 1. a *reverse-proxy*: it passes requests from client browsers to one or more backend servers. 2. a *load balancer*: it distributes requests from client browsers among several backend servers, while keeping session information. 3. an *SSL wrapper*: it decrypts HTTPS requests from client browsers and passes them as plain HTTP to the backend servers. 4. an *HTTP/HTTPS sanitizer*: it verifies requests for correctness and accepts only well-formed ones. 5. a *fail-over server*: should a backend server fail, *pound* will take note of the fact and stop passing requests to it until it recovers. 6. 
a *request redirector*: requests may be distributed among servers according to the requested URL. *Pound* is a very small program, easily audited for security problems. It can run as setuid/setgid and/or in a chroot jail. *Pound* does not access the hard-disk at all (except for reading certificate files on start, if required) and should thus pose no security threat to any machine. ## What Pound Is Not 1. __Pound__ is not a Web server: it serves no content itself, it only passes requests and responses back and forth between clients and actual web servers (*backends*). 2. __Pound__ is not a Web accelerator: no caching is done -- every request is passed to a backend server "as is". ## Notice On Project Versioning I took over __pound__ development at its 2.x branch. The branch 3.x, which emerged for a short time before the original project was abandoned, I consider to be a failed experiment. To ensure consistent versioning and avoid confusion, my versioning of __pound__ starts with 4.0. ## Documentation Documentation in texinfo and manpage formats is available in the distribution. A copy of the documentation is [available online](https://www.gnu.org.ua/software/pound/pound.html). ## Build requirements To build, __pound__ needs [OpenSSL](https://www.openssl.org/) version 1.1.x or 3.0.x. As of current release, __pound__ still supports OpenSSL 1.0, but this support will soon be discontinued. If you compile it on a Debian-based system, you need to install the `libssl-dev` package prior to building __pound__. ## Compilation If you cloned __pound__ from the repository, you will need the following tools in order to build it: * [GNU Autoconf](http://www.gnu.org/software/automake), version 2.71 or later. * [GNU Automake](http://www.gnu.org/software/autoconf), version 1.16.5 or later. First, run ```sh ./bootstrap ``` This will prepare the necessary infrastructure files (`Makefile.in`'s etc.) 
If you are building __pound__ from a tarball, the above step is not needed, since all the necessary files are already included in it. To prepare __pound__ for compilation, run `./configure`. Its command line options will decide where on the filesystem the binary will be installed, where it will look for its configuration file, etc. When run without options, the binary will be installed at `/usr/local/sbin` and it will look for its configuration in file `/usr/local/etc/pound.cfg`. If you run it as: ```sh ./configure --prefix=/usr --sysconfdir=/etc ``` then the binary will be installed at `/usr/sbin/pound` and it will read its configuration from `/etc/pound.cfg`. For a detailed discussion of `--prefix`, `--sysconfdir`, and other generic configure options, refer to [Autoconf documentation](https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.71/html_node/Running-configure-Scripts.html). Apart from the generic ones, there are also several *pound-specific* configuration options: * `--enable-pcreposix` or `--disable-pcreposix` Enable or disable the use of the `libpcreposix2` or `libpcreposix` library. This is a library that makes it possible to use both POSIX extended and Perl-compatible regular expressions in __pound__ configuration file. By default, its presence is determined automatically; `libpcreposix2` is preferred over `libpcreposix`. To force compiling with the older `libpcreposix`, use `--enable-pcreposix=pcre1`. * `--enable-pthread-cancel-probe` or `--disable-pthread-cancel-probe` __Pound__ calls the `pthread_cancel` function as part of its shutdown sequence. In GNU libc, this function tries to load shared library `libgcc_s.so.1`. It will fail to do so, if the program is running in chroot (the `RootJail` statement is given), unless the library has previously been copied to the chroot directory. 
To avoid this, __pound__ will do a tentative call to `pthread_cancel` early, before chrooting, so that the necessary library will be loaded and remain available after `chroot`. To determine whether to do this _pthread_cancel probe_ hack, `configure` checks if the program is going to be linked with GNU libc. These two options allow you to forcefully enable or disable this probe. For instance, you may wish to enable it if another _libc_ implementation exhibits a similar behavior. * `--with-maxbuf=`*n* Sets the value of the `MAXBUF` parameter - the size of a generic buffer used internally by __pound__ for various needs. The default is 4096. You will probably not want to change it. * `--with-owner=`*user* Name of the system user who will own the __pound__ executable file. When not supplied, the first name from the following list that exists in the `/etc/passwd` file will be used: `proxy`, `www`, `daemon`, `bin`, `sys`, `root`. * `--with-group=`*group* Name of the system group that will own the __pound__ executable. When not supplied, the first name from the following list that exists in the `/etc/passwd` file will be used: `proxy`, `www`, `daemon`, `bin`, `sys`, `root`. * `--with-dh=`*n* Default DH parameter length. Allowed values for *n* are 2048 (the default) and 1024. This option has no effect when compiling with OpenSSL 1.1 or later. * `--with-ssl=`*directory* Directory under which OpenSSL is installed. You will seldom need this option. Most of the time `configure` is able to detect that location automatically. * `--with-t_rsa=`*n* Sets the default time interval for regeneration of RSA ephemeral keys. This option has no effect when compiling with OpenSSL 1.1 or later. When configuration is finished, run ```sh make ``` When building from a git clone, the first run of this command can take considerable time if you are compiling with `OpenSSL` 1.0. That's because it involves generating DH parameters. 
## Testing Testing a reverse proxy in general, and __pound__ in particular, is not a trivial task. Testsuite in __pound__ was implemented quite recently and is still somewhat experimental. Notwithstanding that, it has already helped to discover several important bugs that lurked in the code. To test __pound__ you will need [Perl](https://www.perl.org) version 5.26.3 or later, and the [IO::FDPass](https://metacpan.org/pod/IO::FDPass) module. To install the latter on a reasonably recent debian-based system, run ```sh apt-get install libio-fdpass-perl ``` On other systems you may need to install it directly from *cpan* by running ```sh cpan -i IO::FDPass ``` Testing HTTPS requires additionally Perl modules `IO::Socket::SSL` and `Net::SSLeay`. If these are not installed, HTTPS tests will be skipped. To install these on a debian-based system, run: ```sh apt-get install libio-socket-ssl-perl libnet-ssleay-perl ``` To run tests, type ```sh make check ``` from the top-level source directory. On success, you will see something like that (ellipsis indicating output omitted for brevity): ``` ## -------------------------- ## ## pound 4.8 test suite. ## ## -------------------------- ## 1: Configuration file syntax ok 2: Basic request processing ok 3: xHTTP ok 4: CheckURL ok 5: Custom Error Response ok 6: MaxRequest ok 7: RewriteLocation ok Listener request modification 8: Basic set directives ok ... ## ------------- ## ## Test results. ## ## ------------- ## All 46 tests were successful. ``` If a test results in something other than `ok`, it leaves detailed diagnostics in directory `tests/testsuite.dir/NN`, where *NN* is the ordinal number of the test. If you encounter such failed tests, please tar the contents of `tests/testsuite.dir` and send the resulting tarball over to for investigation. See also section [Bug Reporting](#user-content-bug-reporting) below. ## Installation If both building and testing succeeded, it's time to install __pound__. 
To do so, run the following command as root: ```sh make install ``` ## Configuration __Pound__ looks for its configuration file in a location defined at [compile time](#user-content-compilation), normally `/etc/pound.cfg` or `/usr/local/etc/pound.cfg`. The configuration file syntax is discussed in detail in the [manual](https://www.gnu.org.ua/software/pound/pound.html). Here we will describe some example configurations. Any __pound__ configuration must contain at least two parts: a `ListenHTTP` (or `ListenHTTPS`) section, which declares a *frontend*, i.e. the end of the proxy that is responsible for connection with the outside world, and a `Service` section with one or more `Backend` sections within, which declares where the incoming requests should go. The `Service` section can be global or it can be located within the `ListenHTTP` block. Global `Service` sections can be shared between two or more `ListenHTTP` sections. Multiple `Service` sections can be supplied, in which case the `Service` to use when handling a particular HTTP request will be selected using the supplied criteria, such as source IP address, URL, request header or the like. ### Simplest configuration The following configuration instructs __pound__ to listen for incoming HTTP requests on 192.0.2.1:80 and pass them to a single backend on 10.10.0.1:8080. ``` ListenHTTP Address 192.0.2.1 Port 80 Service Backend Address 10.10.0.1 Port 8080 End End End ``` Notice that the two statements `Address` and `Port` are in general mandatory both in `ListenHTTP` and in `Backend`. There are two exceptions, however: if `Address` is the file name of a UNIX socket file, or if an already opened socket is passed to __pound__ via the `SocketFrom` statement. These two cases are discussed below. The argument to the `Address` statement can be an IPv4 or IPv6 address, a hostname that will be resolved at program startup, or a full pathname of a UNIX socket file. 
### HTTPS frontend This example shows how to configure an HTTPS frontend and redirect all plain HTTP requests to it. It assumes the domain name of the site is `www.example.org` and its IP address is 192.0.2.1. ``` # Declare HTTP frontend ListenHTTP Address 192.0.2.1 Port 80 Service # Redirect all requests to HTTPS. The redirection # target has no path component, which means that the # path (and query parameters, if any) from the request # will be preserved. Redirect 301 https://www.example.org End End # Declare HTTPS frontend. ListenHTTPS Address 192.0.2.1 Port 443 # Certificate file must contain the certificate, optional # certificate chain and the signature, in that order. Cert "/etc/ssl/priv/example.pem" # List of certificate authority certificates. CAlist "/etc/ssl/acme/lets-encrypt-root.pem" # Disable obsolete protocols (SSLv2, SSLv3 and TLSv1). Disable TLSv1 Service Backend Address 10.10.0.1 Port 8080 End End End ``` ### Virtual Hosts To implement virtual hosts, one needs to instruct __pound__ to route requests to different services depending on the values of their `Host:` headers. To do so, use the `Host` statement in the `Service` section. The argument to `Host` specifies the host name. When an incoming request arrives, it is compared with this value. The `Service` section will be used only if the value of the `Host:` header from the request matches the argument to the `Host` statement. By default, exact case-insensitive comparison is used. Let's assume that you have an internal server 192.168.0.10 that is supposed to serve the needs of virtual host *www.server0.com* and 192.168.0.11 that serves *www.server1.com*. You want __pound__ to listen on address 192.0.2.1. The configuration file would look like this: ``` ListenHTTP Address 192.0.2.1 Port 80 Service Host "www.server0.com" Backend Address 192.168.0.10 Port 80 End End Service Host "www.server1.com" Backend Address 192.168.0.11 Port 80 End End End ``` The same can be done using `ListenHTTPS`. 
If you want to use the same service for both the hostname and the hostname prefixed with `www.`, you can either use the `Match` statement, or a regular expression. A `Match` statement groups several conditions using boolean shortcut evaluation. In the following example, boolean __or__ is used to group two `Host` statements: ``` Service Match OR Host "server0.com" Host "www.server0.com" End Backend Address 192.168.0.10 Port 80 End End ``` When this service is considered, the value of the `Host:` header from the incoming request is matched against each host listed in the `Match OR` statement. If any value compares equal, the match succeeds and the service is selected for processing the request. By default, the `Host` directive uses exact case-insensitive string match. This can be altered by supplying one or more options to it. In the example below, we use regular expression matching to achieve the same result as in the configuration above: ``` Service Host -re "^(www\\.)?server0\\.com$" Backend Address 192.168.0.10 Port 80 End End ``` Notice the doubled backslashes: a backslash is an escape character in quoted strings and must itself be escaped if intended to be used literally. ### Sessions __Pound__ is able to keep track of sessions between a client browser and a backend server. Unfortunately, HTTP is defined as a stateless protocol, which complicates matters: many schemes have been invented to allow keeping track of sessions, and none of them works perfectly. What's worse, sessions are critical in order to allow web-based applications to function correctly - it is vital that once a session is established all subsequent requests from the same browser be directed to the same backend server. Six possible ways of detecting a session have been implemented in __pound__ (hopefully the most useful ones): by client address, by Basic authentication (user id/password), by URL parameter, by cookie, by HTTP parameter and by header value. Session tracking is declared using the `Session` block in the `Service` section. 
Only one `Session` can be used per `Service`. The type of session tracking is declared with the `Type` statement. * `Type IP`: Session tracking by address In this scheme __pound__ directs all requests from the same client IP address to the same backend server. Put the lines ``` Session Type IP TTL 300 End ``` in the configuration file to achieve this effect. The value indicates what period of inactivity is allowed before the session is discarded. * `Type Basic`: by Basic Authentication In this scheme __pound__ directs all requests from the same user (as identified in the Basic Authentication header) to the same backend server. Put the lines ``` Session Type Basic TTL 300 End ``` in configuration file to achieve this effect. The value indicates what period of inactivity is allowed before the session is discarded. This type is a special case of the `Type Header`, described below. WARNING: given the constraints of the HTTP protocol it may very well be that the authenticated request will go to a different backend server than the one originally requesting it. Make sure all your servers support the same authentication scheme! * `Type URL`: by URL parameter Quite often session information is passed through URL parameters (the browser is pointed to something like `http://xxx?id=123`). Put the lines ``` Session Type URL ID "id" TTL 300 End ``` to support this scheme and the sessions will be tracked based on the value of the `id` parameter. * `Type Cookie`: by cookie value Applications that use this method pass a certain cookie back and forth. Add the lines ``` Session Type Cookie ID "sess" TTL 300 End ``` to your configuration file - the sessions will be tracked by the value of the `sess` cookie. * `Type Parm`: by HTTP parameter value Applications that use this method pass an HTTP parameter (`http://x.y/z;parameter`) back and forth. Add the lines ``` Session Type PARM TTL 300 End ``` To your configuration file - sessions will be tracked by the value of the parameter. 
* `Type Header`: by header value Applications that use this method pass a certain header back and forth. Add the lines ``` Session Type Header ID "X-sess" TTL 300 End ``` to your configuration file - the sessions will be tracked by the value of the `X-sess` header. Please note the following restrictions on session tracking: * Session tracking is always associated with a certain `Service`. Thus, each group may have other methods and parameters. * There is no default session: if you have not defined any sessions, no session tracking will be done. * Only one session definition is allowed per `Service`. If your application has alternative methods for sessions you will have to define a separate `Service` for each method. A note on cookie injection: some applications have no session-tracking mechanism at all but would still like to have the client always directed to the same backend time after time. Some reverse proxies use a mechanism called *cookie injection* in order to achieve this: a cookie is added to backend responses and tracked by the reverse proxy. __Pound__ was designed to be as transparent as possible, therefore this mechanism is not supported. If you really need this sort of persistent mapping use the client address session mechanism (`Type IP`), which achieves the same result without changing the contents in any way. ### Logging If __pound__ operates in daemon mode (the default), all diagnostics goes to the syslog facility `daemon`. __Pound__ switches to syslog right before it disconnects from the controlling terminal. Until then, it sends its messages to the standard error. By default only error and informative messages are logged. The amount of information logged is controlled by the `LogLevel` configuration statement. Possible settings are: * `0` No logging. * `1` Regular logging: only error conditions and important informative messages are logged. * `2` Extended logging: show chosen backend servers as well. 
* `3` Log requests using Apache-style Combined Log format. * `4` Same as 3, but without the virtual host information. * `5` Same as 4 but with information about the `Service` and `Backend` used. The `LogLevel` statement can be global (effective for all listeners), as well as per-listener. ## Socket Passing __Pound__ can obtain the socket to listen on from another program via a UNIX socket. This mode of operation is requested by the following statement in the `ListenHTTP` section: ``` SocketFrom "/path/to/socket" ``` When this statement is present, neither `Address` nor `Port` may be used in this listener. __Pound__ will connect to the named socket and obtain the socket descriptor from it. Then it will start listening for incoming requests on that socket. This can be used both in `ListenHTTP` and `ListenHTTPS` sections. Currently it is used in the __pound__ testsuite. ## Request Modification Normally, __pound__ passes all incoming requests to backends verbatim. Several request modification directives are provided that allow you to add or remove headers from the request. The following two groups of headers are added by default. Each of them can be turned off using the `HeaderOption` directive. 1. The _forwarded_ headers: * `X-Forwarded-For:` header passes the actual IP address of the client machine that sent the request. * `X-Forwarded-Proto:` header contains the original protocol (`http` or `https`). * `X-Forwarded-Port:` header contains the port on the server that the client connected to. 2. The second group contains _ssl_ headers that are added only if the client connected using HTTPS. The `X-SSL-Cipher` header is always present if this header group is enabled. The rest of the headers below are added only if a client certificate was supplied: * `X-SSL-Cipher`: SSL version followed by a slash and the active cipher algorithm. * `X-SSL-Certificate`: the full client certificate (multi-line). * `X-SSL-Issuer`: information about the certificate issuer (CA). 
* `X-SSL-Subject`: information about the certificate owner. * `X-SSL-notAfter`: end of validity date for the certificate. * `X-SSL-notBefore`: start of validity date for the certificate. * `X-SSL-serial`: certificate serial number (in decimal). The `HeaderOption` directive can be used (either globally or in a listener block) to disable either or both of these groups, e.g.: ``` HeaderOption no-ssl forwarded ``` Any number of headers can be added or removed using the `HeaderAdd` and `HeaderRemove` directives in the listener section. The order in which these directives are applied is: 1. Headers controlled by the `HeaderOption` directive are added. 2. Headers requested by `HeaderRemove` directives are removed. 3. Headers from `HeaderAdd` directives are added. ## ACME __Pound__ offers built-in support for the ACME (a.k.a. _LetsEncrypt_) [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge type. Thus, it can be used with any certificate controller to obtain SSL certificates on the fly. Assuming your certificate controller is configured to store challenges in directory `/var/lib/pound/acme`, all you need to do is add the `ACME` statement to the `ListenHTTP` block, for example: ``` ListenHTTP ACME "/var/lib/pound/acme" . . . End ``` Now, each request whose URL ends in `/.well-known/acme-challenge/NAME` will be served directly by __pound__: it will send the content of the file `/var/lib/pound/acme/NAME` as a reply. ## Using `RootJail` The `RootJail` configuration directive instructs __pound__ to chroot to the given directory at startup. Normally, its use should be quite straightforward: ``` RootJail "/var/pound" ``` __Pound__ tries to open all files and devices it needs before chrooting. There might be cases, however, when this is not enough and you would need to copy certain system files to the chroot directory. 
## Bug-reporting If you think you found a bug in __pound__ or in its documentation, please send a mail to Sergey Poznyakoff (or ), or use the [github issue tracker](https://github.com/graygnuorg/pound/issues). When reporting failed tests, please make an archive of the `tests/testsuite.dir` subdirectory and attach it to your report. graygnuorg-pound-7eec563/THANKS000066400000000000000000000041321461263420300163600ustar00rootroot00000000000000Pound THANKS file Please see the AUTHORS file for the list of principal authors. Many people further contributed to pound by reporting problems, suggesting various improvements or submitting actual code. Here is a list of these people. Help me keep it complete and free of errors. Abner G. Jacobsen did a lot of testing in a production environment and contributed some very nice ideas. Akira Higuchi found a significant security issue in Pound and contributed the code to fix it. Albert (of Alacra) for investigating and writing the TCP_NODELAY code. Alession Cervellin packages and makes available Solaris packages for various Pound versions. Andreas Roedl for testing and some ideas about logging in root jails. David Couture found some nasty, lurking bugs, as well as contributing some serious testing on big hardware. Dmitriy Dvoinikov makes available a live-CD FreeBSD distribution that includes a Pound binary. Frank Denis contributed a few excellent code patches and some good ideas. Frank Schmirler wrote WebSocket support. Gurkan Sengun tested Pound on Solaris, contributed the Solaris cc flags and makes a Solaris pre-compiled version available on his Web-site (www.linuks.mine.nu). Jan-Piet Mens raised some interesting security points about the HTTPS implementation and brought the original idea for SSL header filtering. Jim Washington contributed the code for WebDAV and tested it. Ken Lalonde contributed very useful remarks and suggestions, as well as correcting a few code errors. 
Luuk de Boer did some serious testing and debugging of the WebDAV code for Microsoft servers. Maxime Yve discovered a nasty bug in the session tracking code and contributed the patch to fix it. Phil Lodwick contributed essential parts of the high-availability code and came up with some good ideas. In addition, did some serious testing under heavy loads. Rick O'Sullivan did lots of useful improvements Shinji Tanaka contributed a patch for controlling logging to disk files. This is available at http://www.hatena-inc.co.jp/~stanaka/pound/ Simon Matter packages and makes available RPMs for various Pound versions. graygnuorg-pound-7eec563/am/000077500000000000000000000000001461263420300160425ustar00rootroot00000000000000graygnuorg-pound-7eec563/am/ax_pthread.m4000066400000000000000000000540341461263420300204310ustar00rootroot00000000000000# =========================================================================== # https://www.gnu.org/software/autoconf-archive/ax_pthread.html # =========================================================================== # # SYNOPSIS # # AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) # # DESCRIPTION # # This macro figures out how to build C programs using POSIX threads. It # sets the PTHREAD_LIBS output variable to the threads library and linker # flags, and the PTHREAD_CFLAGS output variable to any special C compiler # flags that are needed. (The user can also force certain compiler # flags/libs to be tested by setting these environment variables.) # # Also sets PTHREAD_CC and PTHREAD_CXX to any special C compiler that is # needed for multi-threaded programs (defaults to the value of CC # respectively CXX otherwise). (This is necessary on e.g. AIX to use the # special cc_r/CC_r compiler alias.) # # NOTE: You are assumed to not only compile your program with these flags, # but also to link with them as well. For example, you might link with # $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... 
$PTHREAD_LIBS $LIBS # $PTHREAD_CXX $CXXFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS # # If you are only building threaded programs, you may wish to use these # variables in your default LIBS, CFLAGS, and CC: # # LIBS="$PTHREAD_LIBS $LIBS" # CFLAGS="$CFLAGS $PTHREAD_CFLAGS" # CXXFLAGS="$CXXFLAGS $PTHREAD_CFLAGS" # CC="$PTHREAD_CC" # CXX="$PTHREAD_CXX" # # In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant # has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to # that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). # # Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the # PTHREAD_PRIO_INHERIT symbol is defined when compiling with # PTHREAD_CFLAGS. # # ACTION-IF-FOUND is a list of shell commands to run if a threads library # is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it # is not found. If ACTION-IF-FOUND is not specified, the default action # will define HAVE_PTHREAD. # # Please let the authors know if this macro fails on any platform, or if # you have any other suggestions or comments. This macro was based on work # by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help # from M. Frigo), as well as ac_pthread and hb_pthread macros posted by # Alejandro Forero Cuervo to the autoconf macro repository. We are also # grateful for the helpful feedback of numerous users. # # Updated for Autoconf 2.68 by Daniel Richard G. # # LICENSE # # Copyright (c) 2008 Steven G. Johnson # Copyright (c) 2011 Daniel Richard G. # Copyright (c) 2019 Marc Stevens # # This program is free software: you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 3 of the License, or (at your # option) any later version. 
# # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General # Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program. If not, see . # # As a special exception, the respective Autoconf Macro's copyright owner # gives unlimited permission to copy, distribute and modify the configure # scripts that are the output of Autoconf when processing the Macro. You # need not follow the terms of the GNU General Public License when using # or distributing such scripts, even though portions of the text of the # Macro appear in them. The GNU General Public License (GPL) does govern # all other use of the material that constitutes the Autoconf Macro. # # This special exception to the GPL applies to versions of the Autoconf # Macro released by the Autoconf Archive. When you make and distribute a # modified version of the Autoconf Macro, you may extend this special # exception to the GPL to apply to your modified version as well. #serial 31 AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) AC_DEFUN([AX_PTHREAD], [ AC_REQUIRE([AC_CANONICAL_HOST]) AC_REQUIRE([AC_PROG_CC]) AC_REQUIRE([AC_PROG_SED]) AC_LANG_PUSH([C]) ax_pthread_ok=no # We used to check for pthread.h first, but this fails if pthread.h # requires special compiler flags (e.g. on Tru64 or Sequent). # It gets checked for in the link test anyway. 
# First of all, check if the user has set any of the PTHREAD_LIBS, # etcetera environment variables, and if threads linking works using # them: if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then ax_pthread_save_CC="$CC" ax_pthread_save_CFLAGS="$CFLAGS" ax_pthread_save_LIBS="$LIBS" AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) AS_IF([test "x$PTHREAD_CXX" != "x"], [CXX="$PTHREAD_CXX"]) CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LIBS="$PTHREAD_LIBS $LIBS" AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) AC_MSG_RESULT([$ax_pthread_ok]) if test "x$ax_pthread_ok" = "xno"; then PTHREAD_LIBS="" PTHREAD_CFLAGS="" fi CC="$ax_pthread_save_CC" CFLAGS="$ax_pthread_save_CFLAGS" LIBS="$ax_pthread_save_LIBS" fi # We must check for the threads library under a number of different # names; the ordering is very important because some systems # (e.g. DEC) have both -lpthread and -lpthreads, where one of the # libraries is broken (non-POSIX). # Create a list of thread flags to try. Items with a "," contain both # C compiler flags (before ",") and linker flags (after ","). Other items # starting with a "-" are C compiler flags, and remaining items are # library names, except for "none" which indicates that we try without # any flags at all, and "pthread-config" which is a program returning # the flags for the Pth emulation library. ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" # The ordering *is* (sometimes) important. 
Some notes on the # individual items follow: # pthreads: AIX (must check this before -lpthread) # none: in case threads are in libc; should be tried before -Kthread and # other compiler flags to prevent continual compiler warnings # -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) # -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 # (Note: HP C rejects this with "bad form for `-t' option") # -pthreads: Solaris/gcc (Note: HP C also rejects) # -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it # doesn't hurt to check since this sometimes defines pthreads and # -D_REENTRANT too), HP C (must be checked before -lpthread, which # is present but should not be used directly; and before -mthreads, # because the compiler interprets this as "-mt" + "-hreads") # -mthreads: Mingw32/gcc, Lynx/gcc # pthread: Linux, etcetera # --thread-safe: KAI C++ # pthread-config: use pthread-config program (for GNU Pth library) case $host_os in freebsd*) # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) ax_pthread_flags="-kthread lthread $ax_pthread_flags" ;; hpux*) # From the cc(1) man page: "[-mt] Sets various -D flags to enable # multi-threading and also sets -lpthread." ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" ;; openedition*) # IBM z/OS requires a feature-test macro to be defined in order to # enable POSIX threads at all, so give the user a hint if this is # not set. (We don't define these ourselves, as they can affect # other portions of the system API in unpredictable ways.) 
AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], [ # if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) AX_PTHREAD_ZOS_MISSING # endif ], [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) ;; solaris*) # On Solaris (at least, for some versions), libc contains stubbed # (non-functional) versions of the pthreads routines, so link-based # tests will erroneously succeed. (N.B.: The stubs are missing # pthread_cleanup_push, or rather a function called by this macro, # so we could check for that, but who knows whether they'll stub # that too in a future libc.) So we'll check first for the # standard Solaris way of linking pthreads (-mt -lpthread). ax_pthread_flags="-mt,-lpthread pthread $ax_pthread_flags" ;; esac # Are we compiling with Clang? AC_CACHE_CHECK([whether $CC is Clang], [ax_cv_PTHREAD_CLANG], [ax_cv_PTHREAD_CLANG=no # Note that Autoconf sets GCC=yes for Clang as well as GCC if test "x$GCC" = "xyes"; then AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ # if defined(__clang__) && defined(__llvm__) AX_PTHREAD_CC_IS_CLANG # endif ], [ax_cv_PTHREAD_CLANG=yes]) fi ]) ax_pthread_clang="$ax_cv_PTHREAD_CLANG" # GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) # Note that for GCC and Clang -pthread generally implies -lpthread, # except when -nostdlib is passed. 
# This is problematic using libtool to build C++ shared libraries with pthread: # [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=25460 # [2] https://bugzilla.redhat.com/show_bug.cgi?id=661333 # [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468555 # To solve this, first try -pthread together with -lpthread for GCC AS_IF([test "x$GCC" = "xyes"], [ax_pthread_flags="-pthread,-lpthread -pthread -pthreads $ax_pthread_flags"]) # Clang takes -pthread (never supported any other flag), but we'll try with -lpthread first AS_IF([test "x$ax_pthread_clang" = "xyes"], [ax_pthread_flags="-pthread,-lpthread -pthread"]) # The presence of a feature test macro requesting re-entrant function # definitions is, on some systems, a strong hint that pthreads support is # correctly enabled case $host_os in darwin* | hpux* | linux* | osf* | solaris*) ax_pthread_check_macro="_REENTRANT" ;; aix*) ax_pthread_check_macro="_THREAD_SAFE" ;; *) ax_pthread_check_macro="--" ;; esac AS_IF([test "x$ax_pthread_check_macro" = "x--"], [ax_pthread_check_cond=0], [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) if test "x$ax_pthread_ok" = "xno"; then for ax_pthread_try_flag in $ax_pthread_flags; do case $ax_pthread_try_flag in none) AC_MSG_CHECKING([whether pthreads work without any flags]) ;; *,*) PTHREAD_CFLAGS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\1/"` PTHREAD_LIBS=`echo $ax_pthread_try_flag | sed "s/^\(.*\),\(.*\)$/\2/"` AC_MSG_CHECKING([whether pthreads work with "$PTHREAD_CFLAGS" and "$PTHREAD_LIBS"]) ;; -*) AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) PTHREAD_CFLAGS="$ax_pthread_try_flag" ;; pthread-config) AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) PTHREAD_CFLAGS="`pthread-config --cflags`" PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" ;; *) AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) PTHREAD_LIBS="-l$ax_pthread_try_flag" 
;; esac ax_pthread_save_CFLAGS="$CFLAGS" ax_pthread_save_LIBS="$LIBS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LIBS="$PTHREAD_LIBS $LIBS" # Check for various functions. We must include pthread.h, # since some functions may be macros. (On the Sequent, we # need a special flag -Kthread to make this header compile.) # We check for pthread_join because it is in -lpthread on IRIX # while pthread_create is in libc. We check for pthread_attr_init # due to DEC craziness with -lpthreads. We check for # pthread_cleanup_push because it is one of the few pthread # functions on Solaris that doesn't have a non-functional libc stub. # We try pthread_create on general principles. AC_LINK_IFELSE([AC_LANG_PROGRAM([#include # if $ax_pthread_check_cond # error "$ax_pthread_check_macro must be defined" # endif static void *some_global = NULL; static void routine(void *a) { /* To avoid any unused-parameter or unused-but-set-parameter warning. */ some_global = a; } static void *start_routine(void *a) { return a; }], [pthread_t th; pthread_attr_t attr; pthread_create(&th, 0, start_routine, 0); pthread_join(th, 0); pthread_attr_init(&attr); pthread_cleanup_push(routine, 0); pthread_cleanup_pop(0) /* ; */])], [ax_pthread_ok=yes], []) CFLAGS="$ax_pthread_save_CFLAGS" LIBS="$ax_pthread_save_LIBS" AC_MSG_RESULT([$ax_pthread_ok]) AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) PTHREAD_LIBS="" PTHREAD_CFLAGS="" done fi # Clang needs special handling, because older versions handle the -pthread # option in a rather... idiosyncratic way if test "x$ax_pthread_clang" = "xyes"; then # Clang takes -pthread; it has never supported any other flag # (Note 1: This will need to be revisited if a system that Clang # supports has POSIX threads in a separate library. This tends not # to be the way of modern systems, but it's conceivable.) # (Note 2: On some systems, notably Darwin, -pthread is not needed # to get POSIX threads support; the API is always present and # active. 
We could reasonably leave PTHREAD_CFLAGS empty. But # -pthread does define _REENTRANT, and while the Darwin headers # ignore this macro, third-party headers might not.) # However, older versions of Clang make a point of warning the user # that, in an invocation where only linking and no compilation is # taking place, the -pthread option has no effect ("argument unused # during compilation"). They expect -pthread to be passed in only # when source code is being compiled. # # Problem is, this is at odds with the way Automake and most other # C build frameworks function, which is that the same flags used in # compilation (CFLAGS) are also used in linking. Many systems # supported by AX_PTHREAD require exactly this for POSIX threads # support, and in fact it is often not straightforward to specify a # flag that is used only in the compilation phase and not in # linking. Such a scenario is extremely rare in practice. # # Even though use of the -pthread flag in linking would only print # a warning, this can be a nuisance for well-run software projects # that build with -Werror. So if the active version of Clang has # this misfeature, we search for an option to squash it. 
AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown # Create an alternate version of $ac_link that compiles and # links in two steps (.c -> .o, .o -> exe) instead of one # (.c -> exe), because the warning occurs only in the second # step ax_pthread_save_ac_link="$ac_link" ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' ax_pthread_link_step=`AS_ECHO(["$ac_link"]) | sed "$ax_pthread_sed"` ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" ax_pthread_save_CFLAGS="$CFLAGS" for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" ac_link="$ax_pthread_save_ac_link" AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], [ac_link="$ax_pthread_2step_ac_link" AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], [break]) ]) done ac_link="$ax_pthread_save_ac_link" CFLAGS="$ax_pthread_save_CFLAGS" AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" ]) case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in no | unknown) ;; *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; esac fi # $ax_pthread_clang = yes # Various other checks: if test "x$ax_pthread_ok" = "xyes"; then ax_pthread_save_CFLAGS="$CFLAGS" ax_pthread_save_LIBS="$LIBS" CFLAGS="$CFLAGS $PTHREAD_CFLAGS" LIBS="$PTHREAD_LIBS $LIBS" # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. 
AC_CACHE_CHECK([for joinable pthread attribute], [ax_cv_PTHREAD_JOINABLE_ATTR], [ax_cv_PTHREAD_JOINABLE_ATTR=unknown for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [int attr = $ax_pthread_attr; return attr /* ; */])], [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], []) done ]) AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ test "x$ax_pthread_joinable_attr_defined" != "xyes"], [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$ax_cv_PTHREAD_JOINABLE_ATTR], [Define to necessary symbol if this constant uses a non-standard name on your system.]) ax_pthread_joinable_attr_defined=yes ]) AC_CACHE_CHECK([whether more special flags are required for pthreads], [ax_cv_PTHREAD_SPECIAL_FLAGS], [ax_cv_PTHREAD_SPECIAL_FLAGS=no case $host_os in solaris*) ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" ;; esac ]) AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ test "x$ax_pthread_special_flags_added" != "xyes"], [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" ax_pthread_special_flags_added=yes]) AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], [ax_cv_PTHREAD_PRIO_INHERIT], [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[int i = PTHREAD_PRIO_INHERIT; return i;]])], [ax_cv_PTHREAD_PRIO_INHERIT=yes], [ax_cv_PTHREAD_PRIO_INHERIT=no]) ]) AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ test "x$ax_pthread_prio_inherit_defined" != "xyes"], [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) ax_pthread_prio_inherit_defined=yes ]) CFLAGS="$ax_pthread_save_CFLAGS" LIBS="$ax_pthread_save_LIBS" # More AIX lossage: compile with *_r variant if test "x$GCC" != "xyes"; then case $host_os in aix*) AS_CASE(["x/$CC"], [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], [#handle absolute path differently from PATH based program lookup 
AS_CASE(["x$CC"], [x/*], [ AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"]) AS_IF([test "x${CXX}" != "x"], [AS_IF([AS_EXECUTABLE_P([${CXX}_r])],[PTHREAD_CXX="${CXX}_r"])]) ], [ AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC]) AS_IF([test "x${CXX}" != "x"], [AC_CHECK_PROGS([PTHREAD_CXX],[${CXX}_r],[$CXX])]) ] ) ]) ;; esac fi fi test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" test -n "$PTHREAD_CXX" || PTHREAD_CXX="$CXX" AC_SUBST([PTHREAD_LIBS]) AC_SUBST([PTHREAD_CFLAGS]) AC_SUBST([PTHREAD_CC]) AC_SUBST([PTHREAD_CXX]) # Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: if test "x$ax_pthread_ok" = "xyes"; then ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) : else ax_pthread_ok=no $2 fi AC_LANG_POP ])dnl AX_PTHREAD graygnuorg-pound-7eec563/am/pcreposix.m4000066400000000000000000000073101461263420300203210ustar00rootroot00000000000000# SYNOPSIS # # PND_PCREPOSIX # # DESCRIPTION # # Checks whether the pcreposix library and its headers are available. # Prefers libpcre2 over libpcre. The --enable-pcreposix option can # be used to enable, disable, or force the use of libpcre verison 1 # (--enable-pcreposix=pcre1). Upon return, the status_pcreposix shell # variable is set to indicate the result: # # . no - neither library has been found # . 1 - libpcre is found # . 2 - libpcre2 is found # # On success, the HAVE_LIBPCREPOSIX m4 macro is defined to the version # of the library used (1 or 2). # # Substitution variables PCREPOSIX_CFLAGS and PCREPOSIX_LIBS are defined # to compiler and loader flags needed in order to build with the version # of the library located. # # LICENSE # # Copyright (C) 2023-2024 Sergey Poznyakoff # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. 
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
AC_DEFUN([PND_PCREPOSIX],
[AC_ARG_ENABLE([pcreposix],
  [AS_HELP_STRING([--enable-pcreposix],[enable or disable using the pcreposix library (default: enabled if available)])],
  [status_pcreposix=${enableval}],
  [status_pcreposix=yes])
AH_TEMPLATE([HAVE_LIBPCREPOSIX],[Define to the version of libpcreposix to use])
AC_SUBST([PCREPOSIX_CFLAGS])
AC_SUBST([PCREPOSIX_LIBS])
if test "$status_pcreposix" != no; then
  AC_PATH_PROG([PCRE2_CONFIG],[pcre2-config],[])
  # pcre2 is preferred; pcre version 1 is used only when requested
  # explicitly (--enable-pcreposix=pcre1) or when pcre2-config is absent.
  if test "$status_pcreposix" != pcre1 && test -n "$PCRE2_CONFIG"; then
    PCREPOSIX_CFLAGS=$($PCRE2_CONFIG --cflags-posix)
    PCREPOSIX_LIBS=$($PCRE2_CONFIG --libs-posix)
    status_pcreposix=2
    # Debian build of pcre2posix is badly broken. For some obscure
    # reason its maintainer decided to rename reg* functions by
    # prefixing them with PCRE2, which defeats the main purpose of the
    # library. To make matters even worse, he didn't do the same to the
    # regex_t type, which means that linking with Debian build of
    # libpcre2posix results in memory overrruns when regcomp is called
    # (pcre2posix definition of regex_t is smaller than the one in libc).
    #
    # The code below attempts to detect the deficiency and install a
    # workaround.
    #
    # The test links a program against the pcre2posix flags and calls
    # PCRE2regcomp: if that resolves, this is the renamed build, and the
    # standard reg* names are redirected to the PCRE2-prefixed ones so
    # that calls reach the implementation matching the regex_t layout
    # declared by the pcre2posix header rather than the libc one.
    saved_CFLAGS=$CFLAGS
    CFLAGS="$CFLAGS $PCREPOSIX_CFLAGS"
    saved_LIBS=$LIBS
    LIBS="$LIBS $PCREPOSIX_LIBS"
    AC_LINK_IFELSE(
      [AC_LANG_PROGRAM([], [PCRE2regcomp()])],
      [AC_DEFINE([regcomp],[PCRE2regcomp], [Compensate for Debian deficiency])
       AC_DEFINE([regexec],[PCRE2regexec], [Compensate for Debian deficiency])
       AC_DEFINE([regerror],[PCRE2regerror], [Compensate for Debian deficiency])
       AC_DEFINE([regfree],[PCRE2regfree], [Compensate for Debian deficiency])])
    LIBS=$saved_LIBS
    CFLAGS=$saved_CFLAGS
  else
    # pcre version 1: libpcreposix needs libpcre, so the regcomp check
    # is run with -lpcre already on the link line (the extra-libs
    # argument of the inner AC_CHECK_LIB).  Either library missing
    # leaves status_pcreposix=no.
    AC_CHECK_HEADERS([pcreposix.h pcre/pcreposix.h])
    AC_CHECK_LIB([pcre],[pcre_compile],
      [PCREPOSIX_LIBS=-lpcre
       AC_CHECK_LIB([pcreposix],[regcomp],
         [PCREPOSIX_LIBS="$PCREPOSIX_LIBS -lpcreposix"
          status_pcreposix=1],
         [status_pcreposix=no],
         [$PCREPOSIX_LIBS])],
      [status_pcreposix=no])
  fi
  case "$status_pcreposix" in
  1|2) AC_DEFINE_UNQUOTED([HAVE_LIBPCREPOSIX],[$status_pcreposix])
  esac
fi
])
graygnuorg-pound-7eec563/bootstrap000077500000000000000000000001531461263420300174070ustar00rootroot00000000000000
#! /bin/sh
test -d build-aux || mkdir build-aux
perl md2txt.pl -l 4 README.md > README
autoreconf -f -i -s
graygnuorg-pound-7eec563/configure.ac000066400000000000000000000163751461263420300177430ustar00rootroot00000000000000
# Pound - the reverse-proxy load-balancer -*- autoconf -*-
# Copyright (C) 2002-2010 Apsis GmbH
# Copyright (C) 2018-2024 Sergey Poznyakoff
#
# Pound is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Pound is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with pound. If not, see .
AC_PREREQ([2.71]) AC_INIT([pound],[4.12],[gray@gnu.org], [pound],[https://github.com/graygnuorg/pound]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_SRCDIR([src/pound.c]) AC_CONFIG_HEADERS([config.h]) AM_INIT_AUTOMAKE([1.16.5 gnu tar-ustar]) AC_CANONICAL_HOST # Checks for programs. AC_PROG_CC AC_PROG_RANLIB # Checks for libraries. AX_PTHREAD([CC="$PTHREAD_CC"], [AC_MSG_ERROR([No suitable pthread library found])]) AC_CHECK_LIB(crypt, crypt) AC_SUBST(SSL_CPPFLAGS) AC_SUBST(SSL_LDFLAGS) AC_ARG_WITH([ssl], [AS_HELP_STRING([--with-ssl=directory],[location of OpenSSL package])], [SSL_CPPFLAGS="-I${withval}/include" SSL_LDFLAGS="-L${withval}/lib ${LDFLAGS}" C_SSL="${withval}"], [C_SSL=""]) saved_CPPFLAGS=$CFLAGS CPPFLAGS=$SSL_CPPFLAGS saved_LDFLAGS=$LDFLAGS LDFLAGS=$SSL_LDFLAGS AC_MSG_CHECKING([for OpenSSL version 3]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include ], [#if OPENSSL_VERSION_MAJOR >= 3 #error "OpenSSL v3" #endif ])],[openssl_v3=no],[openssl_v3=yes]) AC_MSG_RESULT([$openssl_v3]) CPPFLAGS=$saved_CPPFLAGS LDFLAGS=$saved_LDFLAGS AM_CONDITIONAL([OPENSSL_V3],[test "$openssl_v3" = "yes"]) # Check for structures AC_CHECK_MEMBERS([struct stat.st_mtim],[],[], [#include #include ]) AC_ARG_WITH([t_rsa], [AS_HELP_STRING([--with-t_rsa=nnn],[Timeout for RSA ephemeral keys generation])], [T_RSA_KEYS=${withval}], [T_RSA_KEYS=7200]) AC_DEFINE_UNQUOTED([T_RSA_KEYS],[$T_RSA_KEYS], [Timeout for RSA ephemeral keys generation]) AC_ARG_WITH([dh], [AS_HELP_STRING([--with-dh=nnn],[DH key length parameter (default: 2048, can set to 1024)])], [case ${withval} in 1024|2048) DH_LEN=${withval};; *) AC_MSG_FAILURE([invalid value for DH key length]) esac], [DH_LEN=2048]) AC_SUBST(DH_LEN) AC_DEFINE_UNQUOTED([DH_LEN],[$DH_LEN], [DH key length]) AC_ARG_WITH([maxbuf], [AS_HELP_STRING([--with-maxbuf=nnn],[Value of the MAXBUF parameter (default: 4096)])], [MAXBUF=${withval}], [MAXBUF=4096]) AC_DEFINE_UNQUOTED([MAXBUF],[$MAXBUF], [Max. 
buffer size]) AC_SUBST(I_OWNER) AC_ARG_WITH([owner], [AS_HELP_STRING([--with-owner=name],[The account that will own the files installed by Pound])], [I_OWNER="${with_owner}"]) AC_SUBST(I_GRP) AC_ARG_WITH([group], [AS_HELP_STRING([--with-group=name],[The group that will own the files installed by Pound])], [I_GRP="${with_group}"]) AC_ARG_ENABLE([tcmalloc], [AS_HELP_STRING([--enable-tcmalloc],[enable or disable using the tcmalloc library (default: enabled if available)])], [status_tcmalloc=${enableval}], [status_tcmalloc=probe]) AC_ARG_ENABLE([hoard], [AS_HELP_STRING([--enable-hoard],[enable or disable using the hoard library (default: enabled if available and tcmalloc NOT available)])], [status_hoard=${enableval}], [status_hoard=probe]) memory_allocator=libc if test $status_tcmalloc != no; then AC_CHECK_LIB([tcmalloc],[malloc]) if test $ac_cv_lib_tcmalloc_malloc = yes; then memory_allocator=tcmalloc fi elif test $status_hoard != no; then AC_CHECK_LIB([hoard],[malloc]) if test $ac_cv_lib_hoard_malloc = yes; then memory_allocator=hoard fi fi AC_CHECK_LIB([rt], [clock_gettime]) AC_CHECK_LIB([dl], [dlopen]) AC_CHECK_LIB([nsl], [gethostbyaddr]) AC_CHECK_LIB([socket], [socket]) AC_CHECK_LIB([resolv], [hstrerror]) AC_ARG_ENABLE([pthread-cancel-probe], [AS_HELP_STRING([--enable-pthread-cancel-probe], [enable early probe of the pthread_cancel function])], [case ${enableval} in yes) early_pthread_cancel_probe=1;; no) early_pthread_cancel_probe=0;; *) early_pthread_cancel_probe=0;; esac], [case $host_os in *-gnu|*-gnulibc1|*-gnueabi|*-gnueabihf) early_pthread_cancel_probe=1;; *) early_pthread_cancel_probe=0;; esac]) AC_DEFINE_UNQUOTED([EARLY_PTHREAD_CANCEL_PROBE],[$early_pthread_cancel_probe], [Define to try pthread_cancel before chroot, to force loading necessary libraries]) AC_CHECK_LIB([crypto],[BIO_new],[], [AC_MSG_FAILURE([Missing OpenSSL (-lcrypto) - aborted],[1])]) AC_CHECK_LIB([ssl],[SSL_CTX_new],[], [AC_MSG_FAILURE([Missing OpenSSL (-lssl) - aborted])]) 
AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], [SSL_CTX *ctx = NULL; SSL_CTX_set_dh_auto (ctx, 1); ])], [SET_DH_AUTO=1],[SET_DH_AUTO=0]) AM_CONDITIONAL([SET_DH_AUTO],[test "$SET_DH_AUTO" = 1]) AC_DEFINE_UNQUOTED([SET_DH_AUTO],[$SET_DH_AUTO], [Define to 1 of *set_dh_auto macros are available]) PND_PCREPOSIX AC_CHECK_HEADERS([getopt.h pthread.h crypt.h openssl/ssl.h openssl/engine.h]) AC_TYPE_UID_T AC_TYPE_PID_T AC_TYPE_UNSIGNED_LONG_LONG_INT AC_TYPE_LONG_LONG_INT AC_MSG_CHECKING([for default pound owner user name]) if test -z "${I_OWNER}"; then for u in proxy www daemon bin sys root do if id $u >/dev/null 2>&1; then I_OWNER=$u break fi done fi AC_MSG_RESULT([$I_OWNER]) AC_MSG_CHECKING([for default pound owner group name]) if test -z "${I_GRP}"; then I_GRP=$(id -n -g $I_OWNER) if test -z $I_GRP; then for g in proxy www daemon bin sys root do if grep "^$g:" /etc/group >/dev/null 2>&1; then I_GRP=$g break fi done fi fi AC_MSG_RESULT([$I_GRP]) AC_MSG_CHECKING([if building from git clone]) if test -d .git; then build_from_git=yes else build_from_git=no fi AC_MSG_RESULT([$build_from_git]) AM_CONDITIONAL([FROM_GIT],[test "$build_from_git" = yes]) # Documentation AC_ARG_VAR([MAKEINFO_INIT_FILE], [Initialization file for generation of the html manual]) AM_CONDITIONAL([COND_MAKEINFO_INIT_FILE],[test -n "$MAKEINFO_INIT_FILE"]) AC_CONFIG_COMMANDS([status],[ cat <. 
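use strict;
use warnings;
use Getopt::Long qw(:config gnu_getopt no_ignore_case);
use File::Basename;
use File::Spec;
use File::Path qw(make_path);
use Pod::Usage;

# gendocs.pl - expand a documentation template, building every format it
# refers to.
#
# A template contains markers of the form $FILE(fmt), $BASEFILE(fmt) and
# $SIZE(fmt), where fmt names one of the formats implemented by the
# Gendocs::* packages below (info, info_gz, ascii, ascii_gz, texinfo_gz,
# dvi, dvi_gz, pdf).  Processing happens in four steps: the template is
# scanned to register the formats it uses, each registered format is
# built, the template is expanded into the output file, and finally any
# product that was built only as an intermediate for another format (for
# example the .info behind info_gz) is removed again.

my $dirname = '.';   # directory receiving all generated files (-C)
my $pkgname;         # package name: base name of every generated file
my $srcname;         # Texinfo source (-s); defaults to PKGNAME.texi
my $output_name;     # expanded template (-o); defaults to the template
                     # name without its last extension, placed in $dirname
my @includes;        # -I directories; FIXME: collected but not used yet

GetOptions("h" => sub {
               pod2usage(-message => "$0: generate docs",
                         -exitstatus => 0);
           },
           "help" => sub {
               pod2usage(-exitstatus => 0, -verbose => 2);
           },
           "usage" => sub {
               pod2usage(-exitstatus => 0, -verbose => 0);
           },
           'source|s=s'    => \$srcname,
           'directory|C=s' => \$dirname,
           'output|o=s'    => \$output_name,
           'include|I=s@'  => \@includes)
    or exit(1);

$pkgname = shift @ARGV
    or pod2usage(-exitstatus => 1, -verbose => 0);
$srcname //= "${pkgname}.texi";
my $template_name = shift @ARGV
    or pod2usage(-exitstatus => 1, -verbose => 0);

make_path($dirname) unless -d $dirname;

unless ($output_name) {
    # Strip the template's last extension (e.g. "NAME.html.in" becomes
    # "NAME.html"; constructed example).
    my ($base) = fileparse($template_name, qr/\.[^.]*/);
    $output_name = File::Spec->catfile($dirname, $base);
}

if (@includes) {
    @includes = map { '-I ' . $_ } @includes; # FIXME: Not used yet
}

# One template marker: $FILE(fmt), $BASEFILE(fmt) or $SIZE(fmt).
my $marker_re = qr{ \$ (?<kind>(?:BASE)?FILE|SIZE) \( (?<fmt>[a-z_]+) \) }x;

# Scan template $file for markers and register every format they name,
# so that all of them get built before the template is expanded.
# Dies with a "file:line:" diagnostic when a marker names a format for
# which no Gendocs::* package exists; any other construction error is
# re-thrown unchanged.
sub template_scan {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "can't open $file: $!\n";
    my $lineno = 0;
    while (my $line = <$fh>) {
        ++$lineno;
        while ($line =~ /$marker_re/g) {
            # Copy the capture first: the match against $@ below would
            # otherwise replace it before the message is built.
            my $fmt = $+{fmt};
            eval { Gendocs->instance($fmt, $pkgname, $srcname) };
            my $err = $@;
            if ($err) {
                if ($err =~ m{Can't locate object method "new"}) {
                    die "$file:$lineno: unknown format: $fmt\n";
                }
                die $err;
            }
        }
    }
    close $fh;
    return;
}

# Copy template $infile to $outfile, replacing every marker with the
# output path ($FILE), the output base name ($BASEFILE) or the
# human-readable output size ($SIZE) of the named format.  Expects
# template_scan() and Gendocs->generate() to have run, so that every
# referenced format already exists and has been built.  Dies if either
# file cannot be opened or the output cannot be written completely.
sub template_expand {
    my ($infile, $outfile) = @_;
    open(my $ifh, '<', $infile)  or die "can't open $infile: $!\n";
    open(my $ofh, '>', $outfile) or die "can't open $outfile: $!\n";
    while (my $line = <$ifh>) {
        chomp $line;
        $line =~ s{$marker_re}{ _marker_value($+{kind}, $+{fmt}) }ge;
        print {$ofh} "$line\n";
    }
    close $ifh;
    # Buffered write errors (a full disk, for instance) only surface
    # when the handle is closed, so this close must be checked.
    close $ofh or die "can't write $outfile: $!\n";
    return;
}

# Text substituted for a marker of the given $kind that refers to
# format $fmt.
sub _marker_value {
    my ($kind, $fmt) = @_;
    my $doc = Gendocs->instance($fmt);
    return $doc->output           if $kind eq 'FILE';
    return basename($doc->output) if $kind eq 'BASEFILE';
    return $doc->size;
}

template_scan($template_name);
Gendocs->generate();
template_expand($template_name, $output_name);
Gendocs->sweep();

package Gendocs;
use strict;
use warnings;

# Format objects keyed by package name (Gendocs::Info, Gendocs::Pdf, ...).
# Each format is a singleton; see instance().
my %registry;

# Build every format registered so far and mark it as requested by the
# template.  Building one format may register others (info_gz builds
# info first), which is why the key list is taken before the loop: such
# intermediates are not marked, and sweep() removes them afterwards.
sub generate {
    my ($class) = @_;
    my @requested = keys %registry;
    for my $key (@requested) {
        my $doc = $registry{$key};
        $doc->build();
        $doc->mark();
    }
    return;
}

# Forget every unmarked format (the intermediates created while
# generate() ran), deleting its output file.
sub sweep {
    my ($class) = @_;
    for my $key (keys %registry) {
        next if $registry{$key}->has_mark;
        $registry{$key}->remove;
        delete $registry{$key};
    }
    return;
}

# Register and return the singleton of $class, remembering the package
# name and the Texinfo input file.  A later call for the same class
# returns the object created by the first one.
sub new {
    my ($class, $pkgname, $name) = @_;
    unless (exists $registry{$class}) {
        $registry{$class} = bless { pkgname => $pkgname, input => $name }, $class;
    }
    return $registry{$class};
}

# Return the singleton for format $fmt ('info', 'info_gz', 'pdf', ...),
# constructing it with @args (package name, input file) on first use.
# When no package Gendocs::<Fmt> exists the method lookup dies with
# 'Can't locate object method "new" ...', which template_scan() reports
# as an unknown format.
sub instance {
    my ($class, $fmt, @args) = @_;
    my $subclass = 'Gendocs::' . ucfirst($fmt);
    unless (exists $registry{$subclass}) {
        $registry{$subclass} = $subclass->new(@args);
    }
    return $registry{$subclass};
}

# Quote one word for /bin/sh, so that file names containing spaces or
# shell metacharacters survive the command lines assembled by build().
# Only file arguments are quoted: the MAKEINFO and TEXI2DVI settings
# may carry options of their own, and the tar command relies on
# globbing.
sub shell_quote {
    my ($self, $word) = @_;
    (my $quoted = $word) =~ s/'/'\\''/g;
    return "'$quoted'";
}

# Run a command line.  Callers pass a single string, which Perl hands to
# /bin/sh when it contains shell metacharacters (redirections, globs).
# Dies if the command could not be started or was killed by a signal; a
# non-zero exit status is only warned about, so that one failing
# formatter does not abort the remaining formats.
sub runcom {
    my ($self, @cmd) = @_;
    system @cmd;
    my $status = $?;
    if ($status == -1) {
        die "failed to execute $cmd[0]: $!";
    }
    if ($status & 127) {
        # The command text goes in as a %s argument rather than as the
        # format, so a '%' in it cannot garble the message.
        die sprintf("%s died with signal %d\n", $cmd[0], $status & 127);
    }
    if ($status >> 8) {
        warn sprintf("%s exited with value %d\n", $cmd[0], $status >> 8);
    }
    return;
}

# Flag the format as requested by the template, as opposed to built
# only as an intermediate; see generate() and sweep().
sub mark     { my ($self) = @_; $self->{mark} = 1; return 1; }
sub has_mark { my ($self) = @_; return $self->{mark}; }

# Delete the format's output file, if one was produced, and forget it.
sub remove {
    my ($self) = @_;
    return unless $self->{output};
    if (-e $self->{output}) {
        unlink $self->{output}
            or warn "can't remove $self->{output}: $!\n";
    }
    delete $self->{output};
    return;
}

# Size of the output file as a short human-readable string: the byte
# count when not above 1024, whole kilobytes when not above 1048576,
# whole megabytes beyond that (both truncated).  Returns '' with a
# warning when there is no output file to measure, e.g. because the
# formatter failed.
sub size {
    my ($self) = @_;
    my $path = $self->output;
    unless (defined $path) {
        warn "no output file to measure for " . ref($self) . "\n";
        return '';
    }
    my $bytes = (stat $path)[7];
    unless (defined $bytes) {
        warn "can't stat $path: $!\n";
        return '';
    }
    return int($bytes / 1048576) . 'M' if $bytes > 1048576;
    return int($bytes / 1024) . 'K'    if $bytes > 1024;
    return $bytes;
}

# Shared implementation of the *_gz formats: build the uncompressed
# format $fmt (registering it as an intermediate if needed) and gzip
# its output next to it.  Returns the path of the .gz file.
sub compress_format {
    my ($self, $fmt) = @_;
    unless ($self->{output}) {
        my $input  = Gendocs->instance($fmt, $self->pkgname, $self->input)->build();
        my $output = "$input.gz";
        print "Compressing $fmt file: $input -> $output\n";
        $self->runcom('gzip -f -9 -c ' . $self->shell_quote($input)
                      . ' > ' . $self->shell_quote($output));
        $self->{output} = $output;
    }
    return $self->{output};
}

sub pkgname { my ($self) = @_; return $self->{pkgname}; }
sub input   { my ($self) = @_; return $self->{input}; }
sub output  { my ($self) = @_; return $self->{output}; }

package Gendocs::Makeinfo;
use strict;
use warnings;
use base 'Gendocs';

# Base class of the formats produced by makeinfo.  The program, possibly
# with options, comes from $MAKEINFO and defaults to "makeinfo".
sub new {
    my ($class, @args) = @_;
    my $self = $class->SUPER::new(@args);
    $self->{makeinfo} = $ENV{'MAKEINFO'} || 'makeinfo';
    return $self;
}

# Run makeinfo once, writing PKGNAME.$ext into $dirname with the extra
# options @opts; $label names the format in the progress message.
# Returns the output path; later calls return it without rebuilding.
sub run_makeinfo {
    my ($self, $ext, $label, @opts) = @_;
    unless ($self->{output}) {
        my $output = File::Spec->catfile($dirname, $self->pkgname . ".$ext");
        print "Generating $label file: " . $self->input . " -> $output\n";
        $self->runcom(join(' ', $self->{makeinfo}, '-o',
                           $self->shell_quote($output), @opts,
                           $self->shell_quote($self->input)));
        $self->{output} = $output;
    }
    return $self->{output};
}

package Gendocs::Info;
use strict;
use warnings;
use base 'Gendocs::Makeinfo';

# Format "info": PKGNAME.info produced by makeinfo.
sub build {
    my ($self) = @_;
    return $self->run_makeinfo('info', 'info');
}

package Gendocs::Info_gz;
use strict;
use warnings;
use base 'Gendocs';

# Format "info_gz": the info output, gzip-compressed.
sub build {
    my ($self) = @_;
    return $self->compress_format('info');
}

package Gendocs::Ascii;
use strict;
use warnings;
use base 'Gendocs::Makeinfo';

# Format "ascii": PKGNAME.txt, a single plain-text file from makeinfo.
sub build {
    my ($self) = @_;
    return $self->run_makeinfo('txt', 'ascii', '--no-split', '--no-headers');
}

package Gendocs::Ascii_gz;
use strict;
use warnings;
use base 'Gendocs';

# Format "ascii_gz": the ascii output, gzip-compressed.
sub build {
    my ($self) = @_;
    return $self->compress_format('ascii');
}

package Gendocs::Texinfo_gz;
use strict;
use warnings;
use base 'Gendocs';

# Format "texinfo_gz": PKGNAME.tar.gz holding the Texinfo sources and
# figures found in the current directory.  tar's diagnostics are
# discarded and its exit status ignored ("|| /bin/true"), so an absent
# file class does not count as a failure.
sub build {
    my ($self) = @_;
    unless ($self->{output}) {
        my $output = File::Spec->catfile($dirname, $self->pkgname . '.tar.gz');
        print "Creating compressed sources: $output\n";
        $self->runcom('tar czfh ' . $self->shell_quote($output)
                      . ' *.texinfo *.texi *.txi *.eps 2>/dev/null || /bin/true');
        $self->{output} = $output;
    }
    return $self->{output};
}

package Gendocs::Dvi;
use strict;
use warnings;
use base 'Gendocs';
use File::Temp qw(tempdir);

# Formats produced by texi2dvi: "dvi" here, "pdf" in the subclass.  The
# program and its options come from $TEXI2DVI; TEXI2DVI_BUILD_DIRECTORY
# points its build directory at a temporary directory that File::Temp
# removes at exit.
sub new {
    my ($class, @args) = @_;
    my $self = $class->SUPER::new(@args);
    $ENV{TEXI2DVI_BUILD_DIRECTORY} = tempdir(CLEANUP => 1);
    $self->{texi2dvi} = $ENV{'TEXI2DVI'} || 'texi2dvi --build=tidy -t @finalout';
    return $self;
}

# Run texi2dvi once, writing PKGNAME.$ext into $dirname with the extra
# options @opts.  Returns the output path; later calls return it without
# rebuilding.
sub run_texi2dvi {
    my ($self, $ext, @opts) = @_;
    unless ($self->{output}) {
        my $output = File::Spec->catfile($dirname, $self->pkgname . ".$ext");
        my $cmd = join(' ', $self->{texi2dvi}, '-o', $self->shell_quote($output),
                       @opts, $self->shell_quote($self->input));
        print "Creating $ext: $cmd\n";
        $self->runcom($cmd);
        $self->{output} = $output;
    }
    return $self->{output};
}

# Format "dvi": PKGNAME.dvi.
sub build {
    my ($self) = @_;
    return $self->run_texi2dvi('dvi');
}

package Gendocs::Dvi_gz;
use strict;
use warnings;
use base 'Gendocs';

# Format "dvi_gz": the dvi output, gzip-compressed.
sub build {
    my ($self) = @_;
    return $self->compress_format('dvi');
}

package Gendocs::Pdf;
use strict;
use warnings;
use base 'Gendocs::Dvi';

# Format "pdf": PKGNAME.pdf, texi2dvi run with --pdf.
sub build {
    my ($self) = @_;
    return $self->run_texi2dvi('pdf', '--pdf');
}

__END__

=head1 NAME

gendocs.pl - generate documentation in various formats

=head1 SYNOPSIS

B<gendocs.pl> [B<-C> I<DIR>] [B<-s> I<FILE>] [B<-o> I<FILE>] [B<-I> I<DIR>]
[B<--directory=>I<DIR>] [B<--include=>I<DIR>] [B<--output=>I<FILE>]
[B<--source=>I<FILE>] I<PKGNAME> I<TEMPLATE>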